By the HushVPS team · Updated 2026 · 8 min read
Your password vault is the single most sensitive account you own. Crack it and an attacker inherits your email, your bank, your identity providers — everything downstream. So the question of where that vault lives is not academic. If you want to self host Bitwarden on a VPS with no KYC, you are choosing to keep the encrypted database on hardware you control, paid for anonymously, instead of on a third party's cloud tied to your legal name. This guide walks through why that trade-off makes sense, how the setup actually works at a high level, and where anonymous hosting closes a gap that ordinary self-hosting leaves open.
Bitwarden's hosted service is genuinely good, and its clients use zero-knowledge, end-to-end encryption, so the company never sees your plaintext passwords. For most people that is a reasonable default. But hosting the server yourself changes three things worth caring about:
The catch is that you inherit the responsibility too — patching, backups and access control are now your job. Most of this guide is about doing those three things properly.
There are two ways to self-host the Bitwarden ecosystem. The first is the official self-hosted server from Bitwarden, which is feature-complete but heavier — it expects several containers and more RAM than a small VPS comfortably gives you. The second, and the one most privacy-minded self-hosters pick, is Vaultwarden, an unofficial, Rust-based server that speaks the same API as the official clients. It runs happily in a single container on a 1 vCPU / 2 GB box, so it fits our entry-level plan with room to spare.
The important detail: because Vaultwarden implements the Bitwarden API, you still use the official, audited Bitwarden apps and browser extensions on your devices. You are only replacing the backend. Your vault stays end-to-end encrypted; the server merely stores and syncs the encrypted blob. That is the whole appeal — official client security, self-hosted control.
The requirements are modest. You need a small Linux VPS with root access, a domain name (or subdomain) pointed at its IP, and about twenty minutes. Vaultwarden's resource footprint is tiny, so our smallest Phantom plan — 1 vCPU, 2 GB RAM and 30 GB of NVMe is more than enough for a personal or family vault. Storage barely moves; a vault with hundreds of entries and attachments is measured in megabytes.
Deploy the server, note the IPv4 and IPv6 addresses we hand you, and create an A (and AAAA) record for vault.yourdomain.tld pointing at them. That is the only external dependency. Everything else lives on the box.
Do not expose Vaultwarden's container port directly to the internet. The standard, safe pattern is a reverse proxy terminating TLS in front of it. Here is the shape of it, without turning this into a copy-paste script you shouldn't trust blindly.
Before installing anything, update the system, create a non-root user, and disable password SSH in favour of key-only login. Enable a firewall (ufw or nftables) that allows only ports 22, 80 and 443. This is baseline hygiene and takes two minutes; skipping it is how self-hosted boxes get owned.
Install Docker, then run the official Vaultwarden image with its data directory mounted to a persistent volume on the host. That volume — typically /vw-data — holds the SQLite database, attachments and RSA keys. It is the one thing you must never lose, which is why backups get their own section below.
Use Caddy or Nginx as the public-facing layer. Caddy is the easy path: it fetches and renews a Let's Encrypt certificate automatically, so your vault is served over HTTPS with no manual cert wrangling. Point the proxy at Vaultwarden's internal port and you are done. A password manager should never be reachable over plain HTTP — the browser extensions will refuse to talk to it anyway.
Once your own account is created, set SIGNUPS_ALLOWED=false so nobody else can register on your instance. If you want family members, invite them explicitly or use the admin page (protected by its own token) to manage users. An open registration endpoint on a public vault is an invitation you don't want to send.
Self-hosting means you are now the backup department. The good news is that Vaultwarden's entire state is that one data directory, and the database is a single SQLite file. A sound routine looks like this:
.backup command rather than copying the live file, so you never capture a half-written database.Because the vault itself is already encrypted with your master password, an off-site copy is not a new exposure as long as you encrypt the transport and storage too. Belt and braces.
A few habits keep a self-hosted vault boring, which is exactly what you want it to be:
Vaultwarden fits our smallest plan. No ID, no card — pay in Monero and get root access on a server that isn't tied to your name.
Here is the part ordinary self-hosting guides leave out. Moving your vault off a managed provider onto your own server improves the software side of privacy. But if you rented that server with your real name, a credit card and a home address, you have simply relocated the identity link one layer down. The hosting company beneath your vault now knows exactly whose passwords those encrypted blobs belong to.
An anonymous, no-KYC host closes that last gap. When there is no identity verification, no card on file and Monero settles the invoice, the provider running the metal cannot tie the server holding your most sensitive data back to you through a billing record. There is nothing in the account to subpoena, sell, leak or hand over — because it was never collected. That is the difference between privacy in the app and privacy across the whole stack. Our broader write-up on running your own private services on an anonymous VPS covers the same logic for mail and cloud storage.
To be clear about what this does and doesn't do: anonymous hosting protects you from the hosting layer becoming a paper trail. It does not make you invisible or excuse anything illegal — HushVPS is offshore-legal and data-minimising, and our acceptable-use policy still forbids malware, spam and network attacks. The goal is straightforward: keep your password vault yours, on hardware nobody can trivially connect to your identity, backed up and hardened so it stays boring for years.
Self-hosting Bitwarden — in practice, Vaultwarden — puts the most important account you own on a machine you control, running the same audited clients you already trust. Do it right: lock the box down, terminate TLS with a reverse proxy, disable open signups, back the data directory up off-site with encryption, and keep everything patched. Do it on a no-KYC, Monero-paid VPS and you also remove the billing trail that would otherwise link that vault to your name. Privacy on both ends of the stack, which is exactly where a password manager deserves to live.