Marketplace · Secrets

Deploy Vaultwarden in one click.

The lightweight, Bitwarden-compatible password server. We review it, secure it and run it in production for you. Pick a region in Switzerland, France or Germany, or bring your own machines through a secure tunnel. We keep it patched, backed up and online. Your team just unlocks.

See how it works ↓

★ 60k stars · AGPL-3.0 · Rust · tested versions · shipped with a runbook

LicenseAGPL-3.0 Stars59,939 LanguageRust CategorySecrets Source github.com/dani-garcia/vaultwarden ↗ Website github.com/dani-garcia/vaultwarden ↗

What is Vaultwarden?

An unofficial Bitwarden-compatible server written in Rust. Light enough to run anywhere, serious enough to hold everything.

Vaultwarden is an unofficial, open-source server implementation compatible with Bitwarden clients. Written in Rust and light enough to run on small hardware, it serves the official Bitwarden browser extensions, mobile apps and desktop clients your team already uses, pointed at your own server instead of a third-party cloud. Vault data is encrypted end-to-end by those clients; the server only ever stores ciphertext.

Passwords are the last data you want on someone else’s terms. Self-hosting Vaultwarden puts your organization’s credentials on infrastructure you control, in a country you chose. End-to-end encryption means even your own server can’t read the vault. But where that server runs, and under whose laws, is still a decision worth making deliberately.

The catch: self-hosting a password server raises the stakes. Bitwarden clients require proper TLS, the admin panel needs locking down, patches need applying promptly, and the backup story has to be flawless, because the vault is the one system your team can’t afford to lose. That someone who handles all of it is usually you, at the worst possible time.

Vaultwarden, without the ops.

Everything below is what you’d otherwise build and babysit yourself.

Residency

Your vault stays where you put it.

Deploy to ch-zh1 (Zurich), fr-pa1 (Paris) or de-fr1 (Frankfurt). Your team’s encrypted vault stays in the region you choose, under Swiss or EU law and in line with GDPR.

Secured

Reviewed before it ships.

Our Vaultwarden package is reviewed, secured and locked to versions we have tested, and it ships with a runbook. We track CVEs upstream and patch them fast. Speed matters when it’s a password server.

Encrypted

We can’t read your vault. Nobody can.

Vault data is encrypted end-to-end by the Bitwarden clients before it ever reaches the server. Pilae runs the infrastructure. It never holds your master password and can’t decrypt or recover vault contents.

Managed

TLS, upgrades, scaling: handled.

Certificates issued and renewed (Bitwarden clients insist on valid TLS), rolling zero-downtime updates, instant rollback, health checks. Your team keeps unlocking while we keep it current.

Backups

Backups you can actually restore.

Offsite backups of the encrypted vault database. We run restore drills, not just snapshots. A password server is the one deployment where the backup story can’t be an afterthought.

No lock-in

Leave whenever you want.

Vaultwarden is open source and your exit runs through the same Bitwarden clients you already use: your data leaves with you, in usable form. Pilae runs it for you. It never owns it.

Self-hosting Vaultwarden: DIY vs Pilae.

Both paths end with Vaultwarden in production. Only one of them ends there this afternoon.

Self-hosted DIY On Pilae
Initial setup Docker, reverse proxy, DNS, auth. An afternoon if nothing fights back One click, live in minutes
TLS certificates Issue, wire up, remember to renew Issued and renewed automatically
Upgrades Frequent releases to track, test and apply yourself Tested versions, rolled out with instant rollback
Security patching You watch the CVE feed Upstream tracked, CVEs prioritized
Backups cron + object storage + hope Offsite, verified with restore drills
Data residency Wherever your VPS happens to be You pick: Zurich, Paris, Frankfurt, or your own racks
3 a.m. failures Yours Ours
Admin panel Exposed until you remember to set the admin token Locked down as part of the secured package
Exposure A password server on the open internet, firewalled by you Secured package, encryption in transit, dedicated VLANs

From catalog to production in three steps.

No servers to set up, no configuration to write. The platform work is already done.

01

Pick Vaultwarden.

Find it in the catalog: reviewed, secured, locked to tested versions, runbook included.

02

Choose where it runs.

A Pilae region in Switzerland, France or Germany, or your own machine connected through a secure tunnel. Same console either way.

03

Deploy and point your clients at it.

One click to production with TLS and backups from day one. Point the official Bitwarden apps and extensions at your server’s address, invite your team, done.

Passwords deserve the shortest leash. Keep them close.

Every Vaultwarden deployment is pinned to the region you choose. Encryption, dedicated VLANs, and the option to hold your own encryption keys for regulated workloads. Or skip our regions entirely and run it on-prem.

ch-zh1 ready
fr-pa1 ready
de-fr1 ready

Deploying Vaultwarden: the questions we get.

If yours isn’t here, reach out and we’ll answer it, usually the same day.

Is Vaultwarden compatible with the official Bitwarden apps?

Yes. Vaultwarden is an unofficial server implementation that works with the official Bitwarden browser extensions, mobile apps and desktop clients. You point them at your own server’s address instead of Bitwarden’s cloud. It isn’t affiliated with or endorsed by Bitwarden.

What’s the easiest way to self-host Vaultwarden?

Deploying it through a managed platform. On Pilae you pick Vaultwarden from the catalog, choose a region, and click deploy. TLS, backups, patching and upgrades are handled for you from the first minute. You get self-hosting’s control without its ops.

Can Pilae see the passwords stored in my Vaultwarden vault?

No. Vault data is encrypted end-to-end by the Bitwarden clients before it reaches the server. Pilae never holds your master password and cannot decrypt or recover vault contents. That cuts both ways: keep your master passwords safe, because no one, including us, can restore access without them.

Where does my Vaultwarden data live?

In the region you choose: Zurich, Paris or Frankfurt, or on your own infrastructure. The encrypted vault stays there. For regulated workloads you can hold your own encryption keys.

How do Vaultwarden updates and security patches work on Pilae?

We track upstream, prioritize CVEs, and ship updates locked to versions we have tested, rolled out with zero downtime and instant rollback. For a password server, patch speed is the point. You stay current without watching the release feed.

What happens to my Vaultwarden vault if I leave Pilae?

It leaves with you, and that’s by design. Vaultwarden is open source, your vault exports through the standard Bitwarden clients, and your data exits in usable form. No proprietary formats, no lock-in.

Runs well next to.

Build your stack from the same catalog. One console, one click each.

Vaultwarden, without the ops.

Deploy it in minutes, keep your data in the country you choose, and leave whenever you want. Your data goes with you.

Explore the catalog →