Vaultwarden vs Bitwarden (self-hosted)
TL;DR: Vaultwarden is the right choice for homelabs and small teams that want Bitwarden clients with a featherweight backend. Official Bitwarden self-host is the right choice for organisations that need SSO, compliance features, and vendor support.
Vaultwarden — strengths
- Runs comfortably on a Raspberry Pi or a cheap $5/month VPS
- Unlocks premium features (TOTP generator, file attachments, Emergency Access) at no cost
- Minimal attack surface — single Rust binary, fewer moving parts
- Easier to back up and migrate (SQLite file + data volume)
- Straightforward reverse-proxy setup; works well with Caddy/Traefik/NPM
Vaultwarden — weaknesses
- No enterprise SSO, SCIM, or directory sync
- Not officially affiliated with Bitwarden — no vendor SLA
- You own the security posture entirely
Bitwarden (self-hosted) — strengths
- Official vendor with commercial support and SLAs
- Enterprise SSO (SAML, OIDC), SCIM, and directory sync built-in
- Established compliance certifications (SOC 2, HIPAA, GDPR at the vendor level)
- Predictable upgrade path and detailed release notes
- First-party mobile and desktop apps have the full weight of a commercial support team behind them
Bitwarden (self-hosted) — weaknesses
- Heavy footprint (multiple containers, ~2 GB RAM)
- Some features are gated behind paid tiers even when self-hosted
- Licensing changed to BSL for the server — read the terms before commercial use
When Vaultwarden fits
- Homelab running on a Raspberry Pi 4 with 4 GB RAM, already hosting five other services: Vaultwarden uses ~50 MB idle and leaves plenty of headroom for everything else. Official Bitwarden would consume half the Pi's RAM on its own.
- Family of five that wants shared vaults for streaming and utility logins: Vaultwarden supports sharing, TOTP codes, and emergency access for free — features that are paid tiers on Bitwarden.com and require a licence key even on self-hosted official Bitwarden.
- Developer on a $5/month VPS who just needs a password manager for themselves and one collaborator: Vaultwarden fits comfortably next to a reverse proxy and maybe a small database, whereas Bitwarden's multi-container stack would not.
When Bitwarden (self-hosted) fits
- Mid-size company with 200 employees and an Okta tenant: Bitwarden Enterprise integrates SSO, SCIM provisioning, and directory sync so onboarding is automatic. Vaultwarden's lack of SCIM makes this a hard no-go.
- Organisation subject to SOC 2 Type II audit that requires a vendor attestation: Bitwarden provides signed documentation; Vaultwarden, as a community project, cannot.
- Team that already pays for Bitwarden cloud and wants self-host as a disaster-recovery site or for air-gapped networks: the licence and support model extends to self-hosted, so the operational familiarity transfers cleanly.
Vaultwarden gotchas
- Backing up SQLite is trivial, but you must either checkpoint the WAL first or stop the service before copying; a naïve file copy taken during active use can produce a corrupt or incomplete backup
- Not officially affiliated with Bitwarden — if Bitwarden changes its API in a breaking way, Vaultwarden maintainers have to reverse-engineer the change
- No enterprise SSO, SCIM, or directory sync; this is a hard blocker for many businesses
- You are fully responsible for the security posture — HTTPS, fail2ban, firewalling the admin page, and keeping up with upstream are all on you
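The backup gotcha above is easy to reproduce. The script below is an added example, not code from the original page or from the Vaultwarden project: it builds a constructed stand-in for the vault database in WAL mode (the file name db.sqlite3 is Vaultwarden's default and the only project detail assumed; every path and row is constructed), then takes a backup two ways while the database is still open. The naïve copy of the main file silently misses every row that is still sitting in the -wal sidecar, whereas SQLite's online backup API yields a consistent snapshot, which is then verified with PRAGMA integrity_check before it is trusted.

```python
"""Backing up a live Vaultwarden SQLite database: naive copy vs. online backup.

Added example, not from the original page or the Vaultwarden project. Assumes
the vault database is a file named db.sqlite3 (Vaultwarden's default file
name); the temp directory, paths and rows below are constructed so the script
runs offline.
"""
import os
import shutil
import sqlite3
import tempfile


def populate(db_path: str, rows: int) -> sqlite3.Connection:
    """Create a stand-in vault DB in WAL mode, insert rows, and keep the
    connection open so the committed rows stay in db.sqlite3-wal (they are
    only folded into the main file at the next checkpoint)."""
    conn = sqlite3.connect(db_path)
    conn.execute("CREATE TABLE ciphers (uuid TEXT PRIMARY KEY, data TEXT)")
    conn.commit()
    conn.execute("PRAGMA journal_mode=WAL")  # the mode the gotcha above refers to
    conn.executemany(
        "INSERT INTO ciphers VALUES (?, ?)",
        [(f"uuid-{i}", f"constructed-ciphertext-{i}") for i in range(rows)],
    )
    conn.commit()
    return conn


def row_count(path: str) -> int:
    conn = sqlite3.connect(path)
    try:
        return conn.execute("SELECT COUNT(*) FROM ciphers").fetchone()[0]
    finally:
        conn.close()


def naive_copy(db_path: str, dest: str) -> int:
    """The 'just cp the file' backup: copies the main file only, so whatever is
    still in the -wal sidecar (and any page half-written at that instant) is lost."""
    shutil.copyfile(db_path, dest)
    return row_count(dest)


def safe_backup(db_path: str, dest: str) -> int:
    """SQLite's online backup API, the same mechanism behind the sqlite3 CLI's
    .backup command: a consistent snapshot that includes WAL content while the
    application keeps running."""
    src = sqlite3.connect(db_path)
    dst = sqlite3.connect(dest)
    with dst:
        src.backup(dst)
    dst.close()
    src.close()
    return row_count(dest)


def integrity_ok(path: str) -> bool:
    """Verify a backup before trusting it: PRAGMA integrity_check must say 'ok'."""
    conn = sqlite3.connect(path)
    try:
        return conn.execute("PRAGMA integrity_check").fetchone()[0] == "ok"
    finally:
        conn.close()


def demo(rows: int = 50) -> dict:
    """Run both strategies against a live (open, uncheckpointed) database."""
    workdir = tempfile.mkdtemp()
    db_path = os.path.join(workdir, "db.sqlite3")
    live = populate(db_path, rows)
    try:
        naive = os.path.join(workdir, "naive-copy.sqlite3")
        safe = os.path.join(workdir, "online-backup.sqlite3")
        return {
            "expected_rows": rows,
            "wal_present": os.path.exists(db_path + "-wal"),
            "naive_rows": naive_copy(db_path, naive),
            "safe_rows": safe_backup(db_path, safe),
            "safe_integrity_ok": integrity_ok(safe),
        }
    finally:
        live.close()
        shutil.rmtree(workdir, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

Against a real deployment the same snapshot is taken with the sqlite3 CLI (`sqlite3 /path/to/data/db.sqlite3 ".backup '/path/to/backups/db.sqlite3'"`, paths being placeholders) followed by an integrity check of the copy; the rest of the data volume (attachments, keys, configuration) consists of ordinary files and copies normally, and the backup itself holds the encrypted vault, so store it with the same care as the live volume.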
Bitwarden (self-hosted) gotchas
- Licensing: the official server moved to Bitwarden Source Available Licence (SAL/BSL-style) terms in 2023. Read it carefully before commercial deployment — some clauses restrict offering it as a hosted service
- Multi-container stack (~8 containers including MS SQL Server) has operational overhead — upgrades require coordinating several images
- Some features that work out of the box on Vaultwarden (TOTP generator, file attachments, Emergency Access) are paid tiers on Bitwarden even when self-hosted and require a licence key
- Resource-heavy: expect ~2 GB RAM minimum, closer to 4 GB under real load, which rules out small VPS and Pi-class hardware
Choose Vaultwarden when
Pick Vaultwarden if you are a single user, family, or small team running on modest hardware (Pi, cheap VPS, or alongside many other homelab services) and you do not need SSO, SCIM, or a vendor SLA. It is also the right pick if you want Bitwarden's premium features without paying for them.
Choose Bitwarden (self-hosted) when
Pick official Bitwarden if you need enterprise SSO, compliance certifications, directory sync, or a paid support contract — or if you are already a paying Bitwarden customer and want self-host as a DR or air-gapped site. The operational overhead is worth it when the organisation actually needs what the enterprise tier provides.
Migration
Both servers speak the same API, so Bitwarden clients work with either. Migration is a one-way export-to-encrypted-JSON from one server, followed by import into the other. Keep both running briefly in parallel to verify every folder, organisation, and shared item round-trips correctly — organisations do not always import cleanly without manual adjustment. Export the JSON with an export password, not plain JSON, so the file on disk is never in cleartext. After successful migration, revoke all active sessions on the old server before shutting it down.
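The round-trip verification described above can be done exhaustively rather than by spot-checking. The following is an added example, not code from the original page or from either project. It assumes the two exports have been parsed into dicts in the layout of Bitwarden's JSON export (a `folders` or `collections` list with `id` and `name`, and `items` with `type`, `name`, `folderId` and `collectionIds`); the OLD_EXPORT and NEW_EXPORT vaults are constructed. It goes slightly beyond the text by handling both personal-vault folders and organisation collections, and because ids are regenerated on import it matches items on type, name and location instead. Feed it the decrypted structure in memory (for example piped from the CLI rather than written to a file) so the advice above about cleartext on disk still holds.

```python
"""Round-trip check after migrating a vault between servers.

Added example (not from the original page or either project). Input: two
exports parsed into dicts with the layout of Bitwarden's JSON export, as
assumed in the lead-in; OLD_EXPORT and NEW_EXPORT below are constructed samples.
"""
from collections import Counter

ITEM_TYPES = {1: "login", 2: "note", 3: "card", 4: "identity"}


def _location(item: dict, folders: dict, collections: dict) -> str:
    """Where an item lives: its folder (personal vault) or its collections (organisation)."""
    if item.get("folderId"):
        return folders.get(item["folderId"], "?")
    names = sorted(collections.get(c, "?") for c in item.get("collectionIds") or [])
    return "/".join(names)


def fingerprint(export: dict) -> Counter:
    """Multiset of (type, name, location) keys. Ids are regenerated on import,
    so two servers can only be compared by names."""
    folders = {f["id"]: f["name"] for f in export.get("folders", [])}
    collections = {c["id"]: c["name"] for c in export.get("collections", [])}
    keys = Counter()
    for item in export.get("items", []):
        keys[(ITEM_TYPES.get(item.get("type"), "unknown"),
              item["name"],
              _location(item, folders, collections))] += 1
    return keys


def compare(old: dict, new: dict) -> dict:
    """Items that did not arrive, items that arrived more than once (for example
    an import run twice), and the number that round-tripped one-to-one."""
    a, b = fingerprint(old), fingerprint(new)
    return {
        "missing_on_new": sorted((a - b).elements()),
        "extra_on_new": sorted((b - a).elements()),
        "matched": sum((a & b).values()),
    }


# Constructed sample: a family vault before and after import. The new server
# assigned fresh ids, dropped one item, and imported another twice.
OLD_EXPORT = {
    "folders": [{"id": "f1", "name": "Streaming"}, {"id": "f2", "name": "Utilities"}],
    "items": [
        {"type": 1, "name": "Netflix", "folderId": "f1", "organizationId": None},
        {"type": 1, "name": "Electric company", "folderId": "f2", "organizationId": None},
        {"type": 2, "name": "Wifi password", "folderId": None, "organizationId": None},
        {"type": 1, "name": "Router admin", "folderId": "f2", "organizationId": None},
    ],
}
NEW_EXPORT = {
    "folders": [{"id": "a9", "name": "Streaming"}, {"id": "b7", "name": "Utilities"}],
    "items": [
        {"type": 1, "name": "Netflix", "folderId": "a9", "organizationId": None},
        {"type": 1, "name": "Netflix", "folderId": "a9", "organizationId": None},
        {"type": 1, "name": "Electric company", "folderId": "b7", "organizationId": None},
        {"type": 2, "name": "Wifi password", "folderId": None, "organizationId": None},
    ],
}

if __name__ == "__main__":
    report = compare(OLD_EXPORT, NEW_EXPORT)
    for key, value in report.items():
        print(f"{key}: {value}")
```

A clean migration is one where both the missing and the extra lists are empty; anything in either list is exactly the manual adjustment the text warns about, and the old server should not be retired until the lists are empty.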
Frequently asked questions
- Is Vaultwarden safe for production use?
- Yes, it is used in production by many small teams and individuals. Keep it up to date, back up the data volume, restrict access to the admin page, and put it behind HTTPS with a reverse proxy. For family or homelab use it is entirely appropriate; for regulated enterprise use it is not a substitute for the official server.
- Do Bitwarden apps work with Vaultwarden?
- Yes. Official iOS, Android, desktop, browser, and CLI clients connect to a Vaultwarden server with no modification — just set a custom server URL pointing at your instance. Updates to the official clients usually work with Vaultwarden within a release or two.
- Can Vaultwarden do SSO?
- Not natively. SSO/SAML/SCIM are Bitwarden Enterprise features and are not implemented in Vaultwarden. There are third-party reverse-proxy-based workarounds (oauth2-proxy in front of the Vaultwarden web vault) but they do not integrate with the mobile apps and are not a substitute for real SSO.
- Is the server code open source?
- Vaultwarden is AGPL-3.0. Official Bitwarden Server moved to a source-available licence (BSL-style) in 2023 — the code is readable but with commercial restrictions. Read the licence before commercial deployment; if you are offering a hosted service or repackaging, this matters.
- How do I migrate from one to the other?
- Use the official Bitwarden export (encrypted JSON) from your current server, then import it into the target. Organisations and shared folders sometimes need manual adjustment after import — expect to spot-check a sample of entries. Run both in parallel for at least a day before retiring the old server.
- Which is more secure?
- Both use the same client-side encryption and zero-knowledge model — your master password never leaves the client. Differences come down to attack surface (Vaultwarden has less code) versus process maturity (Bitwarden has SOC 2 and a dedicated security team). For most self-hosters, correctly configuring HTTPS and 2FA matters more than the server choice.
- Can I run both on the same server?
- You can, but they will conflict on default ports and use different database engines. Unless you are testing a migration, pick one. The clients can only point at one server at a time anyway.
Last updated: 2026-04-19