
Self-Hosted Password Manager as a Tor Hidden Service

Password managers are security infrastructure - they hold the credentials for every account you have. Trusting a cloud password manager (LastPass, 1Password, Dashlane) means trusting that company's servers with your credential vault. Cloud password managers have suffered breaches (the 2022 LastPass breach exposed encrypted vaults), and they centralize credential storage in a way that makes mass theft possible. Self-hosting Bitwarden (or its lightweight Rust reimplementation, Vaultwarden) gives you full control over your credential vault, stored on your own infrastructure. Running it as a Tor hidden service adds protection: the server is not reachable from the public internet, so attackers cannot reach its login endpoint to brute-force your account, and your vault sync traffic is not visible to your ISP.


Why Self-Host a Password Manager

Cloud password managers have a fundamental security tradeoff: the convenience of cross-device sync requires storing your vault on the provider's servers. The provider protects vault data with encryption derived from your master password - if the provider is breached, attackers obtain encrypted vaults that they can attack offline with dictionary and brute-force guessing of the master password. The 2022 LastPass breach demonstrated this risk: encrypted vaults were stolen, and attackers have been cracking the weaker master passwords offline ever since. Self-hosting eliminates the centralized breach risk: your vault exists only on your server, so an attacker would need to compromise your specific server (not just any cloud provider) to obtain even the encrypted vault. Vaultwarden is a Bitwarden-compatible server written in Rust that is resource-efficient (it runs in 256MB of RAM) and feature-complete for personal and small-team use.

Vaultwarden .onion Deployment

Install Vaultwarden via Docker: docker run -d --name vaultwarden --restart unless-stopped -v /vw-data/:/data/ -p 127.0.0.1:8090:80 vaultwarden/server:latest. The -p 127.0.0.1:8090:80 flag binds the port to localhost only, not to the public interface. Configure Tor with HiddenServiceDir /var/lib/tor/vaultwarden/ and HiddenServicePort 80 127.0.0.1:8090, so the hidden service forwards to the loopback port. Vaultwarden requires HTTPS for browser clients, because the browser extension's Web Crypto API only works in a secure context. For .onion deployments, either configure a self-signed TLS certificate and expose port 443, or put a reverse proxy (Nginx) with self-signed TLS in front of Vaultwarden. Alternatively, Tor Browser treats .onion origins as secure contexts, so the web vault interface works over plain HTTP when accessed from Tor Browser. Mobile clients do require HTTPS: configure Nginx with a self-signed certificate and distribute the CA certificate to the client devices.

Bitwarden Client Configuration for .onion Server

Configure Bitwarden clients to connect to the .onion Vaultwarden server. Browser extension (in Tor Browser): change the server URL in the extension settings to http://youraddress.onion. Browser extension (in standard browsers): configure a SOCKS5 proxy in the browser settings pointing at Tor, then change the server URL to the .onion address. Desktop app: the Bitwarden desktop app supports a custom server URL - configure a SOCKS5 proxy in the app settings, then set the server URL to the .onion address. Mobile app (Android): use Orbot in VPN mode, then set the Bitwarden Android app's server URL to the .onion address. Mobile app (iOS): use Orbot for iOS in VPN mode, then set the server URL the same way. The Bitwarden clients authenticate to the Vaultwarden server and sync the encrypted vault. The vault contents are end-to-end encrypted: even Vaultwarden cannot decrypt them without the master password.

Vault Security and Master Password Configuration

Vaultwarden security configuration: disable user registration (set the SIGNUPS_ALLOWED=false environment variable on the Docker container) after creating your accounts, which prevents unknown users from creating accounts on your private server. Enable 2FA (Vaultwarden supports TOTP and WebAuthn) for all accounts. Configure vault item access logs (Vaultwarden's admin panel provides access logging). Master password requirements: use a strong, unique master password of at least 16 characters, because the master password is the only thing protecting your vault if an attacker obtains the encrypted vault data. Consider a passphrase (5+ random words) rather than a complex password - passphrases are harder to brute-force and easier to remember. Store the recovery key (Bitwarden generates this during account creation) in secure offline storage (an encrypted USB drive, or paper in a safe).
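The deployment and hardening steps above (localhost-only Docker bind, torrc hidden-service stanza, registration disabled) as a pre-deployment script. This is an added example, not code from the page or the Vaultwarden project; the paths and ports are the page's, SIGNUPS_ALLOWED is the page's setting, DOMAIN is Vaultwarden's own setting for its public URL, and the "run" argument that triggers the live steps is a convention of this script.

```shell
#!/bin/sh
# Added example: sanity checks and config rendering for a Vaultwarden .onion deployment.
# Assumes Tor has already created /var/lib/tor/vaultwarden/hostname (see torrc below).
set -eu

# Return 0 only if a docker -p mapping is bound to loopback (127.0.0.1:HOST:CONTAINER).
# A bare HOST:CONTAINER mapping publishes the port on every interface, which defeats
# the "reachable only through the hidden service" property.
port_map_is_loopback() {
    case "$1" in
        127.0.0.1:*:*) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 if the hostname Tor wrote is a v3 onion address (56 base32 chars + .onion).
onion_v3_valid() {
    printf '%s\n' "$1" | grep -Eq '^[a-z2-7]{56}\.onion$'
}

# Print the torrc stanza that forwards the hidden service's port 80 to the local bind.
render_torrc() {
    dir=$1; bind=$2
    printf 'HiddenServiceDir %s\nHiddenServicePort 80 %s\n' "$dir" "$bind"
}

# Print the docker run command. Refuses a non-loopback port mapping, closes
# registration with SIGNUPS_ALLOWED=false, and tells Vaultwarden its public URL.
render_docker_run() {
    onion=$1; portmap=$2
    port_map_is_loopback "$portmap" || { echo "refusing non-loopback bind: $portmap" >&2; return 1; }
    printf 'docker run -d --name vaultwarden --restart unless-stopped \\\n'
    printf '  -v /vw-data/:/data/ -p %s \\\n' "$portmap"
    printf '  -e SIGNUPS_ALLOWED=false -e DOMAIN=http://%s \\\n' "$onion"
    printf '  vaultwarden/server:latest\n'
}

main() {
    hn=$(cat /var/lib/tor/vaultwarden/hostname)
    onion_v3_valid "$hn" || { echo "unexpected onion hostname: $hn" >&2; exit 1; }
    render_torrc /var/lib/tor/vaultwarden/ 127.0.0.1:8090
    render_docker_run "$hn" 127.0.0.1:8090:80
}

if [ "${1:-}" = run ]; then
    main
fi
```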

Backup and Recovery for .onion Vaultwarden

Vaultwarden backup: the /vw-data/ directory contains the SQLite database and attachments. Back up this directory regularly. Automate it with cron: tar czf /backup/vaultwarden-$(date +%Y%m%d).tar.gz /vw-data/ run daily produces a dated archive. Transfer encrypted backups offsite: run gpg --symmetric /backup/vaultwarden-$(date +%Y%m%d).tar.gz before copying the file to a backup server with torsocks scp. Bitwarden's export feature: periodically export the vault from the web interface (encrypted JSON format) as an additional backup. The encrypted export can be decrypted only with the master password and can be imported into any Bitwarden-compatible server. Keep exported files encrypted and stored securely - they contain all of your credentials, in encrypted form.
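The backup routine above, as an added example that is not from the page or the Vaultwarden project, with two caveats a practitioner would want: the SQLite database is copied with sqlite3's online .backup command rather than tarred while in use (a tar of a database being written can capture a torn file), and the plaintext archive is deleted once gpg --symmetric has produced the encrypted copy. The file names inside /vw-data/ are Vaultwarden's defaults; DATA_DIR, BACKUP_DIR, KEEP_DAYS and the "run" argument are this script's own conventions.

```shell
#!/bin/sh
# Added example: consistent, encrypted, pruned backups of a Vaultwarden data directory.
set -eu
DATA_DIR=${DATA_DIR:-/vw-data}
BACKUP_DIR=${BACKUP_DIR:-/backup}
KEEP_DAYS=${KEEP_DAYS:-30}     # encrypted archives older than this are deleted

# Name the archive for a date stamp (YYYYMMDD), matching the page's naming scheme.
backup_path() { printf '%s/vaultwarden-%s.tar.gz\n' "$BACKUP_DIR" "$1"; }

# Stage a consistent copy of the data directory into $1 (a scratch directory).
stage_data() {
    stage=$1
    mkdir -p "$stage"
    # Online backup of the live database; plain copy only if sqlite3 is unavailable.
    if command -v sqlite3 >/dev/null 2>&1; then
        sqlite3 "$DATA_DIR/db.sqlite3" ".backup '$stage/db.sqlite3'"
    else
        cp "$DATA_DIR/db.sqlite3" "$stage/db.sqlite3"
    fi
    # Attachments, Sends, the RSA keypair and config.json are ordinary files.
    for f in attachments sends rsa_key.pem rsa_key.pub.pem config.json; do
        [ -e "$DATA_DIR/$f" ] && cp -R "$DATA_DIR/$f" "$stage/"
    done
    return 0
}

# Create the encrypted archive for date stamp $1 and print its path.
make_backup() {
    stamp=$1; stage=$(mktemp -d); out=$(backup_path "$stamp")
    stage_data "$stage"
    tar czf "$out" -C "$stage" .
    rm -rf "$stage"
    gpg --batch --symmetric --cipher-algo AES256 --output "$out.gpg" "$out"
    rm -f "$out"                  # never leave the plaintext archive on disk
    printf '%s\n' "$out.gpg"
}

# Delete encrypted archives older than KEEP_DAYS, printing each name removed.
prune_backups() {
    find "$BACKUP_DIR" -name 'vaultwarden-*.tar.gz.gpg' -mtime +"$KEEP_DAYS" -print -exec rm -f {} +
}

if [ "${1:-}" = run ]; then
    make_backup "$(date +%Y%m%d)"
    prune_backups
fi
```

The printed .gpg path is what the cron job hands to torsocks scp; the passphrase gpg prompts for must be stored separately from the backups.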
