Self-Hosted Vaultwarden in Romania for Bitwarden Clients
Vaultwarden is the Rust rewrite of the Bitwarden server protocol and runs the entire password vault, Send, organisation and admin surface on roughly 256 MB of resident memory at idle. That makes it the cheapest credible password vault you can keep under your own control, and a Romania offshore VPS is one of the better EU footprints to host it in: data protection sits under the Romanian DPA implementation of GDPR, the country is outside Fourteen Eyes, and there is no domestic encryption ban. This guide walks through plan sizing, Docker Compose with Argon2 KDF, a reverse proxy with HTTP/2, backup of the encrypted SQLite store with restic, and how the official Bitwarden mobile, browser and desktop clients connect to your instance without any patched build.
Why Romania for a Vaultwarden Instance
Romania transposes GDPR through Law 190/2018, and the supervisory authority is ANSPDCP. Data demands from non-EU governments need an MLAT, the country sits outside the Five/Nine/Fourteen Eyes intelligence arrangement, and there is no key escrow or backdoor mandate. For a vault the practical effect is simple: the only realistic compulsion path is a Romanian court order, which we honour but cannot pre-empt. Latency to most of Europe and the Middle East is 20-60 ms, which is fine for a tool you open a few times an hour. Pick at least our Anonymous VPS tier with 1 vCPU and 1 GB RAM so you have headroom for the Rocket workers, a reverse proxy, and restic during backup windows.
Docker Compose with Argon2 KDF
Use the official vaultwarden/server:latest image. Mount ./data:/data, set DOMAIN=https://vault.example.org, set SIGNUPS_ALLOWED=false after creating your account, and set ADMIN_TOKEN to an Argon2 hash (generate it by running vaultwarden hash). Force Argon2id on the client by setting PASSWORD_HASH_ITERATIONS and have each user switch KDF from PBKDF2 to Argon2id with memory 64 MiB and iterations 3 in the account settings panel. PBKDF2 is the Bitwarden default and is weak compared with Argon2id on modern attacker hardware; the migration is one click and re-encrypts the protected symmetric key.
Reverse Proxy and TLS
Run Caddy or nginx in front. Caddy is one line: vault.example.org { reverse_proxy vaultwarden:80 }. nginx needs the WebSocket upgrade block for the notifications hub on /notifications/hub and /notifications/hub/negotiate. Enable HTTP/2, HSTS with a one-year max-age, and OCSP stapling. Disable TLS 1.0 and 1.1. If you front with Cloudflare, turn off email obfuscation, Rocket Loader and minification on the vault hostname; they break the encrypted attachment uploader.
Encryption Truth
Vaultwarden stores vault items end-to-end encrypted: the master password derives a stretched key client-side, that key derives a symmetric key, and the cipher blobs in the SQLite database are AES-CBC with HMAC. Even with database root access we cannot decrypt your vault. What we can see, and what an attacker with disk access can see: which Bitwarden organisations and collections exist, item timestamps, attachment sizes, your email and 2FA configuration. Treat the email and the 2FA secret as the protected metadata they are; do not reuse the email for low-value signups.
Backups
The vault is one SQLite file plus the attachments directory. Either use vaultwarden backup via the admin token, or stop the container, take a restic snapshot of /data to an offshore secondary (another Anubiz Host region, never a US S3 bucket), and then bring the container back up. Schedule three snapshots a day; keep 14 daily, 8 weekly and 12 monthly. Test a restore monthly on a throwaway VPS; an untested backup is a wish list.
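The stop, snapshot, restart and retention steps above as a script. This is an added example, not from the original page; the container name vaultwarden, the ./data path and the sftp repository URL are assumptions. It restarts the container even when the restic run fails, so a failed backup never leaves the vault offline.

```shell
#!/bin/sh
# Added example, not from the original page. Assumptions: container name
# "vaultwarden", host data directory ./data (the ./data:/data mount), and a
# placeholder sftp repository. For real runs export RESTIC_PASSWORD_FILE and
# invoke the script as: ./vault-backup.sh run
set -eu

CONTAINER="${CONTAINER:-vaultwarden}"
DATA_DIR="${DATA_DIR:-./data}"
# Constructed placeholder; point this at your own offshore secondary.
export RESTIC_REPOSITORY="${RESTIC_REPOSITORY:-sftp:backup@backup.example.org:/srv/restic/vault}"

# Execute a command, or only print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

backup_vault() {
    rc=0
    # Stop first so SQLite is not written to while it is being read.
    run docker stop "$CONTAINER" || return 1
    # Record a restic failure instead of returning, so the restart below
    # always happens and a failed backup never leaves the vault offline.
    run restic backup --tag vaultwarden "$DATA_DIR" || rc=$?
    run docker start "$CONTAINER" || return 1
    [ "$rc" -eq 0 ] || return "$rc"
    # Retention from the text: 14 daily, 8 weekly, 12 monthly.
    run restic forget --tag vaultwarden \
        --keep-daily 14 --keep-weekly 8 --keep-monthly 12 --prune
}

if [ "${1:-}" = "run" ]; then
    backup_vault
fi
```

Run it with DRY_RUN=1 first to print the four commands without touching the container or the repository.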
Client Compatibility
The official Bitwarden iOS, Android, Chrome, Firefox, Edge, Safari, Linux, macOS and Windows desktop clients all work against Vaultwarden because it implements the same API surface. The only gaps are paid Bitwarden Business policies (some SSO flows) and a couple of admin endpoints. Premium features like TOTP code generation, attachments, Send and emergency access work on the server side without any licence key.