What is Bitwarden?
Bitwarden is a free and open-source password management service that stores sensitive information such as website credentials in an encrypted vault. The Bitwarden platform offers a variety of client applications including a web interface, desktop applications, browser extensions, mobile apps, and a CLI. Bitwarden offers a cloud-hosted service as well as the ability to deploy the solution on-premises. - https://en.wikipedia.org/wiki/Bitwarden
Install Bitwarden/Vaultwarden
- Log into the Linux device
- Run the following commands in a terminal window
# update software repositories
sudo apt update
# install available software updates
sudo apt upgrade -y
# install prerequisites
sudo apt install git curl build-essential pkg-config libssl-dev openssl libssl1.1 libmariadb-dev-compat libmariadb-dev -y
# add nodejs software repository
curl -sL https://deb.nodesource.com/setup_16.x | sudo bash -
# install nodejs
sudo apt install nodejs -y
# install rust as the current user (no sudo, so $HOME/.cargo/env exists for the next step), enter 1 at the prompt
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
# configure the shell
source $HOME/.cargo/env
# clone vaultwarden from git
git clone https://github.com/dani-garcia/vaultwarden.git ./vaultwarden
# cd into the new directory
cd vaultwarden/
# checkout latest version
git checkout "$(git tag --sort=v:refname | tail -n1)"
# build vaultwarden with mysql and sqlite support
cargo build --features mysql,sqlite --release
# cd back one directory
cd ..
# clone web from git
git clone https://github.com/bitwarden/web.git ./web
# cd into the new web directory
cd web/
# checkout the latest version
git checkout "$(git tag --sort=v:refname | tail -n1)"
# update submodule
git submodule update --init --recursive
# download web patch
wget https://raw.githubusercontent.com/dani-garcia/bw_web_builds/master/patches/$(git tag --sort=v:refname | tail -n1).patch
# apply patch
git apply $(git tag --sort=v:refname | tail -n1).patch --verbose
# clean npm cache
npm cache clean --force
# initialize npm
npm run sub:init
# install npm dependencies
npm install
# fix npm vulnerabilities
npm audit fix
# build web vault
npm run dist:bit:selfhost
# copy the build directory into vaultwarden/web-vault
cp -a build ../vaultwarden/target/release/web-vault
# cd into vaultwarden
cd ../vaultwarden/target/release/
# create a data directory
mkdir data
# run vaultwarden
./vaultwarden
- Open a web browser and navigate to https://DNSorIP:8000
- Click the Create Account button
- Complete the form by entering an Email Address, Name, Master Password and Password Hint (optional) > Click Submit
- Log in with the account created in the last step
- Welcome to your self-hosted Bitwarden password vault
Run Bitwarden/Vaultwarden as a Service (Optional, but recommended)
- Press CTRL + C to kill the running Vaultwarden process
- Continue with the following steps to run Vaultwarden as a service
# cd to vaultwarden/target/release
cd ~/vaultwarden/target/release
# copy the .env template
sudo cp ../../.env.template /etc/vaultwarden.env
# copy vaultwarden executable
sudo cp vaultwarden /usr/bin/vaultwarden
# make vaultwarden executable
sudo chmod +x /usr/bin/vaultwarden
# create vaultwarden user
sudo useradd -m -d /var/lib/vaultwarden vaultwarden
# copy existing data directory
sudo cp -R data /var/lib/vaultwarden/
# copy web-vault directory
sudo cp -R web-vault /var/lib/vaultwarden/
# set ownership permissions
sudo chown -R vaultwarden:vaultwarden /var/lib/vaultwarden
# create service file
sudo nano /etc/systemd/system/vaultwarden.service
- Paste the following configuration into vaultwarden.service
[Unit]
Description=Vaultwarden Server
# Only sqlite
After=network.target
[Service]
User=vaultwarden
Group=vaultwarden
EnvironmentFile=/etc/vaultwarden.env
ExecStart=/usr/bin/vaultwarden
PrivateTmp=true
PrivateDevices=true
ProtectHome=true
ProtectSystem=strict
WorkingDirectory=/var/lib/vaultwarden
ReadWriteDirectories=/var/lib/vaultwarden
AmbientCapabilities=CAP_NET_BIND_SERVICE
[Install]
WantedBy=multi-user.target
- Press CTRL+O, Enter, CTRL+X to write the changes to vaultwarden.service
- Continue with the following commands to enable and start the vaultwarden service:
# reload systemd services
sudo systemctl daemon-reload
# start vaultwarden service on boot and now
sudo systemctl enable vaultwarden --now
- Refresh the open web browser to verify Bitwarden is accessible
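The sandboxing directives in vaultwarden.service only apply if each one sits inside [Service], which a bad paste can break (a section header run into the previous line, a directive under the wrong section, a later line overriding an earlier one). The check below is an added example, not part of the original guide or the Vaultwarden project; the function names audit_unit and write_sample and the sample unit are constructed for illustration.

```shell
# Added example (not from the guide): list which of the guide's [Service]
# settings are not in effect in a unit file. Text parsing only, no systemd.
# Values are compared literally, so "yes" in place of "true" is reported.
EXPECTED='User=vaultwarden
Group=vaultwarden
PrivateTmp=true
PrivateDevices=true
ProtectHome=true
ProtectSystem=strict'

# Print "missing: KEY=VALUE" for each expected setting not effective in $1.
audit_unit() {
  effective=$(awk '
    /^\[.*\]$/ { in_service = ($0 == "[Service]"); next }
    in_service && /^[A-Za-z]+[ \t]*=/ {
      key = $0; sub(/[ \t]*=.*/, "", key)
      val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
      last[key] = val   # a later assignment overrides an earlier one
    }
    END { for (k in last) print k "=" last[k] }
  ' "$1")
  printf '%s\n' "$EXPECTED" | while IFS= read -r want; do
    printf '%s\n' "$effective" | grep -qxF -- "$want" \
      || printf 'missing: %s\n' "$want"
  done
}

# Constructed sample: ProtectSystem weakened to "full" by a later line,
# PrivateDevices absent, ProtectHome under [Install] where it has no effect.
write_sample() {
  cat > "$1" <<'EOF'
[Unit]
Description=Vaultwarden Server
After=network.target
[Service]
User=vaultwarden
Group=vaultwarden
ExecStart=/usr/bin/vaultwarden
PrivateTmp=true
ProtectSystem=strict
ProtectSystem=full
[Install]
WantedBy=multi-user.target
ProtectHome=true
EOF
}

sample=$(mktemp); write_sample "$sample"
audit_unit "$sample"; rm -f "$sample"
```

On the server, call audit_unit on /etc/systemd/system/vaultwarden.service; running systemd-analyze verify on the same file shows what systemd's own parser makes of it.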