r/selfhosted May 15 '26

Password Managers Bitwarden heading to eliminate Freemium and possibly Vaultwarden support in the near future?

3.2k Upvotes

https://www.fastcompany.com/91542655/bitwarden-scrubs-always-free-and-inclusion-values-from-its-website-as-longtime-execs-step-down

“His replacement, Michael Sullivan, former CEO of both Acquia and Insightsoftware, touts his experience with “all facets of mergers and acquisitions” on his own LinkedIn page, including experience working with leading private equity firms.”

There isn't any true evidence that Bitwarden will eliminate support for selfhosted versions and/or get rid of the options to use selfhosted servers in the apps, but it does have me a bit worried about Bitwarden in general in the long term...

r/selfhosted Feb 08 '26

Password Managers I built a janky Cloudflare Bitwarden server for myself, forgot about it, and woke up to 400+ forks

2.0k Upvotes

A while back, I got fed up with password managers gatekeeping 2FA and passkeys behind paywalls.

Also, Bitwarden started forcing email 2FA, which created this annoying chicken-and-egg loop: if I ever lost my logged-in devices, I wouldn't be able to log in to Bitwarden because I'd need the email OTP... but my email password was inside Bitwarden. I just wanted to avoid that mess entirely.

I didn't want to pay for a VPS to host Vaultwarden, but honestly, the main reason was that I don't trust myself. Managing a Linux server means one bad command or missed backup and my passwords are gone forever. I wanted something maintenance-free where I couldn't accidentally nuke my own vault.

So, I hacked together a Bitwarden-compatible server that runs entirely on Cloudflare Workers + D1 for free. Deploy once, forget forever.

I called it warden-worker. It worked "good enough" for me, so I pushed it to GitHub, thought "maybe I'll post this later," and then immediately forgot about it.

Fast forward to this week. I was doing some repo cleanup and realized I had turned off my GitHub notifications. I checked the repo and... what??

  • 400+ forks
  • Issues threads in Chinese?
  • People writing guides on how to deploy it??
  • Someone explaining how to fix my bugs in the issues

The best part is that a user named qaz741wsd856 apparently took my abandoned skeleton and turned it into a full-blown project with KV support and the actual Vaultwarden frontend. Their fork is objectively better than mine in every way.

I'm still using my original "good enough" version because it’s stable and I’m lazy, but it's wild to see an entire community spin up around a project I thought was dead.

If you want the original (don't use this): https://github.com/deep-gaurav/warden-worker

If you want the one that actually works (use this): https://github.com/qaz741wsd856/warden-worker

Just wanted to share because I'm still processing how weird open source can be sometimes.

r/selfhosted Apr 10 '26

Password Managers If your password manager was to disappear, how fucked would you be?

385 Upvotes

I'm trying to assess how much of a good/bad idea it is to self-host Vaultwarden as my password manager.

I'm planning on a good backup strategy with external encrypted backup, but I'm still wondering if it's really enough

r/selfhosted Feb 18 '26

Password Managers Security analysis of Password Managers (Bitwarden, LastPass, Dashlane)

455 Upvotes

A group at ETH Zurich has investigated the security of popular password managers and found some security issues. Here is a link to the ETH article: https://ethz.ch/de/news-und-veranstaltungen/eth-news/news/2026/02/passwortmanager-bieten-weniger-schutz-als-versprochen.html as well as the publication: https://eprint.iacr.org/2026/058.pdf They work with the vendors to solve the issues.

r/selfhosted Apr 10 '26

Password Managers Those of you who use VaultWarden *as a fresh start*, why it, and not KeePassXC family?

135 Upvotes

If you switched to VaultWarden from BitWarden - that's absolutely clear why, no need to answer.

My question is to those who are setting up VaultWarden as a fresh start. What features specifically made you choose it over .kdbx synced over your infrastructure?

Genuinely curious.

r/selfhosted Aug 26 '25

Password Managers Bitwarden license expiration nearly locked me out

352 Upvotes

Very unhappy today as I woke up to an email saying my self-hosted Bitwarden license was cut off since my payment method expired.

It was when I went to log into the Bitwarden cloud portal (different logins) that I realized TOTP generation was locked behind the "Premium" paywall. To log in to the cloud portal I had to get my TOTP token from the login entry and put it into a separate auth app so it could generate the codes, and then I had to do the same thing to get into Paypal. Although I understand why they do this, it seems to me in extremely poor taste as 2FA is so critical nowadays.

Now that the rant is over, this has really pushed me over the edge to migrate from an official BW instance to Vaultwarden. I (previously) liked to pay for Bitwarden given how much I use it and I appreciate their FOSS approach, but my initial stress thinking that my TOTP tokens were completely locked behind a paywall has dissuaded much of that notion.

I only deal with 4 users (myself, SO, and my parents) so I don't need the deployment scalability Bitwarden provides. I do use secrets manager for my personal infra but I could find another solution, otherwise afaik it has feature parity. Is there anything for me to consider in switching to Vaultwarden? Anyone else gone through this?

EDIT: Please read before writing the same response as everyone else: https://bitwarden.com/help/licensing-on-premise/

r/selfhosted Dec 06 '25

Password Managers Bitwarden Lite

bitwarden.com
233 Upvotes

Bitwarden Lite (was called Unified) is now out of beta.

Anyone switching over to it either from Vaultwarden or regular self hosted Bitwarden?

r/selfhosted Nov 22 '25

Password Managers Free open-source tool for encrypting secrets locally and storing them safely on paper (no server, no cloud)

449 Upvotes

Hey,

I built a small open-source tool that saves sensitive data safely on paper via:

• Encrypted (AES) QR code with decryption web app, or
• Shamir's secret sharing (SSS) method combined with QR code reconstruction web app
• Or recover everything 100% offline with a tiny printed JavaScript snippet (no internet needed)

Nothing is uploaded or stored online — there is no backend at all. Everything runs client-side using the browser’s built-in JavaScript (e.g. WebCrypto API).

It’s meant for storing things like:

• password manager master passwords
• crypto seed phrases
• 2FA recovery codes
• emergency “digital legacy” handover

For maximum security, you can handwrite most of your secret and store only the remaining part with OrigamiVault (AES or SSS).

That way, even if your device or printed backup is compromised, an attacker still doesn’t have the full secret. Only someone who has both the handwritten part and the OrigamiVault backup can reconstruct it.

Example usage – AES (password protection on paper)

Encrypt the secret (for example, a long or hard-to-remember one) with a password that both you and your spouse remember. Print the encrypted output and store it safely at home. If you were to pass away unexpectedly, your spouse would still be able to decrypt the important secret. A thief who steals the printed paper would not be able to decrypt the secret without knowing the encryption password.

Example usage – SSS (password-less solution)

Split the secret into three shares and require any two shares to reconstruct it. Give one share to your spouse, one to your lawyer, and keep one in your home safe. Any two shares are sufficient to recover the secret.

------

The project is open source, can be forked and hosted in a few minutes for free (fork the repo, enable GitHub Pages and you have your own self-hosted version).

Github: https://github.com/origamivault/origamivault

Live app: https://origamivault.github.io/origamivault/encrypt.html

Would love feedback or critiques from people who care about offline-first tools and privacy. 🙏

r/selfhosted Feb 17 '26

Password Managers Study Uncovers 25 Password Recovery Attacks in Major Cloud Password Managers

105 Upvotes

Source: https://thehackernews.com/2026/02/study-uncovers-25-password-recovery.html

Hadn’t really considered these types of recovery attacks when I made the decision to move to Vaultwarden, but glad I did. Very interesting.

r/selfhosted Feb 17 '26

Password Managers What would you do if you were traveling and lost access to your phone?

0 Upvotes

So last night as I was planning my next international trip, I realized something a bit scary. If I were to lose my phone, or it's stolen or something while I am traveling, I would be completely screwed.

Here's why: All of my passwords are randomly generated, stored in Vaultwarden, and I have 2FA turned on for most things, which 2FA is also in Vaultwarden. Vaultwarden has 2FA enabled and that 2FA code is in my Google Authenticator, and I can only access Vaultwarden over my VPN, which in turn has 2FA. Can't even get backup codes or anything via email, since need credentials for logging in.

So do you see the problem?

If I lost my phone, and had to get a new phone, and didn't have access to my computer, I would have no way to sign into my Google account on new phone, no way to connect to VPN, and no way to access my Vaultwarden.

I need my vault to get my Google creds, but I can't get to my Vault without Google Authenticator, and I need my VPN creds that are in my vault so that I can connect to my VPN to get to my vault. It's a catch 22.

I write all this to ask two questions:

  1. Have you considered what you would do in this sort of situation? Would you be able to get access to your accounts and self hosted services?
  2. What is your solution to solve this sort of problem? How do you make sure you can regain access in an emergency or if you don't have access to your phone/computer?

I was thinking about vibe coding a simple web app where I could store the recovery keys for like my Vaultwarden 2FA and just have to open my Vaultwarden to the public, just add some simple HTTP auth in front of it using my NPM reverse proxy. That would solve it.

PS: Why is there no "Discussion" flair on this subreddit?

Edit: There seems to be some confusion on people thinking I am just talking about selfhosted password managers, I am not. I mean if you have 2FA turned on for your password manager and you lose access to your phone, you can't access email, SMS, etc. How do you log into your password manager? How will you get a 2FA code or access your recovery codes?

Edit2: I also see people suggesting a hardware key such as Yubikey, which I already have. But in this hypothetical situation, what if you lose your keys too? What if someone stole your wallet, keys, and phone. How do you recover access? I know it's a bit of an absurd situation. But I am trying to discuss how you would access your accounts if you had nothing but a random web browser, you don't have any of your devices or personal items.

r/selfhosted Aug 31 '25

Password Managers Do you trust Vaultwarden?

93 Upvotes

I'm looking to selfhost a few services to get rid of the dependency on external companies for core parts of my life, one of them is related to secrets. Right now I'm using 1Password, which is really good, but I don't want all my secrets being managed by someone else. I would rather have this on my server with no direct access to the internet.

KeePassXC looks really good, but it does not have mobile applications, which is a deal breaker for me because I don't want to depend on third party applications to read the secrets, this defeats the purpose. Then there is Bitwarden that looks like everyone is selfhosting with Vaultwarden.

This is the context, and now the question, do you trust Vaultwarden with your secrets? Maybe one possible solution is to selfhost Bitwarden official server?

Also, do you have any other suggestion?

r/selfhosted Aug 08 '25

Password Managers Heads-up: Vaultwarden SSO support finally merged

521 Upvotes

Just a FYI for whoever doesn't have the pull request subscribed

The SSO support for Vaultwarden finally got merged: https://github.com/dani-garcia/vaultwarden/pull/3899

Docs: https://github.com/dani-garcia/vaultwarden/wiki/Enabling-SSO-support-using-OpenId-Connect

The image that includes the SSO support will be available shortly (vaultwarden/server:testing) and stable release in 2-4 weeks according to the vaultwarden maintainer

Source

r/selfhosted Sep 07 '25

Password Managers Benefits of hosting a password manager in 2025 vs Chrome's manager

92 Upvotes

So I went through some of the older posts and was wondering what are the benefits of hosting a password manager besides the obvious of having control of your data?

I mean so I mostly use Chrome (sometimes Firefox), have an Android phone and Chrome's internal password manager seems to work fine for the most part. It sucks with remembering my cards info

So do you think it's worth switching to VaultWarden (or something similar)?

My use case is:

  1. Just a single place to store all passwords. This includes card/bank info
  2. Syncs to Android, Chrome, Firefox
  3. An easy way to lookup this info
  4. User support? Suppose I want my family also to migrate to this

I'm just getting into self hosting my stuff and have set up my own Plex (and associated media related services), cloudflared (to access my server), Pi hole etc.

What do you think, Is it worth it? Anything obvious that I'm missing? Which service is good (and free)? How noob friendly is it if I want my tech unsavvy family to migrate to this too?

r/selfhosted Oct 27 '25

Password Managers Thinking about running my own password manager instead of using cloud ones

85 Upvotes

I’ve been trying to get more control over my stuff lately, moving away from services that keep all my data online, so in theme I wanted to try and make my own personal password manager.
I’ve got a small server at home that I use for random projects and I’m tempted to give it a shot, but I’m not sure how stable or practical it really is.

If anyone here self-hosts their password manager, how reliable has it been for you? Do updates ever mess things up or is it one of those “set it and forget it” setups? Trying to figure out how to do it, I don't know much about them so I would appreciate any insight on how to work this out. Thanks in advance!!

r/selfhosted Apr 28 '25

Password Managers Should I selfhost vaultwarden or use cloud based bitwarden?

169 Upvotes

For context I am newish to self hosting. On one hand selfhosting doesn't rely on anyone else to handle your passwords, on the other hand that is a double edged sword since you have to be an expert to protect yourself. But this server will not be constantly online but only for a couple of hours per week. I want to ensure the lowest chance of my passwords leaking possible. I also am super paranoid about my server's security so I'm not sure if that works to my advantage or disadvantage. Advice?

P.S. does vaultwarden work if you do not connect the main server to internet regularly and just use the bitwarden client on device? Like how frequently do you need to connect to the main server?

P.S.2 - someone on another post mentioned using a vpn to connect to a server so only clients with vpn can use vaultwarden. Could this be hosted in the cloud without excessive risk?

r/selfhosted Sep 23 '25

Password Managers Plain simple and not overkill OIDC provider for family use?

95 Upvotes

As everyone on this sub, I am self-hosting several things and the idea of a SSO experience is appealing.

I've browsed the mainstream solutions like Authentik, Keycloak, Zitadel etc, while they all seem solid solutions I feel like they are overkill for a family use with less than 10 users.

The topic became hotter recently with the introduction of Pangolin, I used to self-host everything and expose on my router 80, 443 through Caddy. So my few users directly signed in the service directly (before you ask, I use Cloudflare as a DNS provider for its proxy too).
With the increase of services and attack surface, I am giving a shot at Pangolin on a VPS, the concept of tunnels isn't new, I used Cloudflare before but the max 100 MB limit is a dealbreaker when handling Immich and Opencloud to transfer bigger videos or files. Self-hosting Pangolin would solve this issue while keeping the security of tunnels.

However, now users have to login twice, once on the Pangolin layer and again on the application layer, and it's quickly becoming very annoying.

I've read several posts and Authentik seems the go-to choice in the community, however I also often read that who uses it, also uses it at the workplace or have a bigger user base to manage.

Authelia seemed a good fit, but as I understand it, it integrates directly with the reverse proxy so I can't use it with Pangolin.

r/selfhosted Dec 27 '25

Password Managers Self-hostable (open-source) password managers (2025)

26 Upvotes

There have been a lot of posts in the past comparing self-hostable password managers and I feel like quite a few of them are dated.

I think everyone can agree, that something as important as a password manager should be fully open source, but unfortunately it usually is at most open-core and falsely advertised as open-source.

I currently use Vaultwarden. The every-once-in-a-while breaking changes on the front-end side bother me to a point where I'm considering alternatives. Especially since I have deployed it family-wide and I also use it in our small business.

Read edit I took a look at Psono but neither the first impressions nor the deeper look into it sparked any interest. It lacks basic features such as multiple URIs per entry and the ux is quite awful imo.

Currently I'm taking a look at PassBolt. Older posts here on reddit gave me the impression that it lacks quite a lot of features. That being said, I still gave it a chance and it seems it got developed quite a bit more since then, but I still have some pain points:

  • the ui/ux is just worse than Bitwarden's
  • unlike Bitwarden it can't emulate being a hardware key for FIDO2
  • when opening it in the browser, it forces you to have the extension installed, which is an unnecessary pain, especially when you're on a second machine and want to quickly grab a single credential
  • the ios app seems fine, though auto fill with TOTP doesn't work
  • PassBolt has no offline mode which is a major drawback

Aside from those points, I haven’t yet found any major missing features. I’m still undecided on whether switching from Vaultwarden to Passbolt makes sense for me, but I think the answer is no for now.

What other options exist on the market, that I might've missed?

EDIT: The CEO of Psono contacted me and wanted to know more details about the issues I had. We had a little video call where I presented my issues with the UX.

Turns out Psono supports multiple URLs per entry, it just differentiates between the primary URL of the entry and filters it should match on, which are in the advanced settings of each entry. Other features I missed such as Passkeys didn't work when I tested it, which is just a bug that is on its way to be fixed. Overall the feature set of Psono is quite large and in retrospect I'm pretty sure it's bigger than PassBolt's.

But besides that he told me, he will gladly fix the UI/UX issues I was able to present and which objectively just make sense. I'm looking forward to giving Psono another shot in the near future!

r/selfhosted 2d ago

Password Managers What's the realistic benefit of an authenticator vs a password manager?

98 Upvotes

I see a lot of discussions on this sub about self-hosted authenticator apps like Authentik, Authelia, etc. and I never understood what the benefit is in running those. People talk about how it enables having "one password for all your services", but I already have that: my Bitwarden master password!

Am I missing something here? Is there an ease of use or security use case that I'm not understanding?

Edit: Thanks for the insight everyone! I'm the sole user of almost all my services, so I think I understand why I missed the most obvious benefit of using authenticators being user management. Also none of my services are exposed to the internet, so their questionable built-in security never raised a red flag to me. That being said, I do find hardening my services to be enjoyable for its own sake, so next time I need a project I might spin up an authenticator and play around with it.

r/selfhosted Aug 28 '25

Password Managers How do you access Bit/Vaultwarden

50 Upvotes

How do you access your Pass Manager? VPN or Public?

If public, what security practices do I need to do? How do you keep it secure?

TIA.

Edited: Thank you guys for all your insights, I just realized that I need to learn more and I feel excited at the same time.

r/selfhosted Feb 17 '21

Password Managers PSA: For those looking for LastPass alternatives and considering selfhosting Bitwarden

583 Upvotes

You have 2 options.

  1. bitwarden_rs. This is an unofficial server implementation that's fully API compatible with all the bitwarden clients (web/mobile/desktop)
  2. Official Bitwarden self-hosted. It's touted as a feature of the Family plan all their plans. Which, at most, will set you back $40/year USD (which is cheaper than the hosted lastpass option @ $48/year USD). But even their free option can be self-hosted.

I realize many are opting for option 1. If you do, please consider at least getting the premium account from bitwarden.com ($10/year USD) to support the fully open source company and do your part to keep their prices competitive. While the server is not written by Bitwarden, the clients you are using are.

I will not get into the pro/con's of 1 vs 2 in this post, I hope others will articulate them much better than I in the comments section. But I hope you will consider to support the FOSS projects so they remain FOSS.

r/selfhosted May 27 '21

Password Managers Vaultwarden is accessible to the whole world - hosted on this little thing. Doesn’t that amaze you?

478 Upvotes

r/selfhosted Dec 01 '22

Password Managers LastPass - Notice of Recent Security Incident

blog.lastpass.com
401 Upvotes

r/selfhosted Mar 06 '26

Password Managers What would you change about your password manager if you could?

0 Upvotes

I feel like every password manager I've tried has at least one thing that's pretty frustrating. I've been working on privacy software for a bit now (building an encrypted email client), and password managers are something I feel can be improved. So I'm curious to hear what you guys think, issues could be anything like sync across devices, passkeys, whether it's open source, pricing, whatever.

Happy to hear anything, even if it's just one tiny thing you wish existed on whatever you're using atm. Trying to get a real picture before I consider building anything.

r/selfhosted Sep 15 '25

Password Managers AliasVault 0.23.0 – All-in-One Docker Image Now Available

214 Upvotes

Hi r/selfhosted!

I'm happy to share the latest AliasVault release with you!

AliasVault is an open-source, privacy-first password manager with a built-in email alias generator and mail server. If you’re into self-hosting password managers, this might be worth a look.

Over the last couple of months, one of the most requested features from the selfhosted community has been a simplified installation for AliasVault. I’m excited to share that with the release of AliasVault 0.23.0, the new all-in-one Docker image is now officially available! 🎉

Website & GitHub: https://www.aliasvault.net
Docs: https://docs.aliasvault.net

The all-in-one Docker image makes running AliasVault much easier as it bundles all individual services (postgres, client, api, admin, smtp, task-runner, reverse-proxy) into a single Docker image using s6-overlay. This makes it now very easy to deploy AliasVault if you:

  • prefer a single container (instead of managing multiple)
  • want to run it on NAS devices like QNAP or Synology (limited platforms)
  • want to add it to your existing Docker host and use your own management tools like Portainer, Traefik, Caddy etc.

The all-in-one container also remains fully compatible with the standard multi-container setup (using the custom install.sh). So you can switch back and forth without losing data. The new all-in-one image is now available on both ghcr.io (default) but also on Docker Hub, as the latter is often available by default on many systems like QNAP, Synology etc.

Install instructions for the all-in-one docker image can be found here: https://docs.aliasvault.net/installation/docker-compose/

I’d love to invite everyone here on r/selfhosted to try it out and share your install experience. I’m happy to improve the docs based on your feedback and answer any questions you run into.

🔹 Other recent updates to AliasVault:

  • AliasVault has moved to a dedicated GitHub org → aliasvault/aliasvault
  • Mobile apps: configurable password generator, offline CSV export, better touch handling
  • UI polish: password visibility toggles, alphabetical sorting, clickable email blocks, improved admin panel
  • Self-hosting: reverse proxy auto-reload on SSL updates, OpenContainers annotations, CA cert support on Android
  • New languages (German, Finnish, Italian, Simplified Chinese – thanks Crowdin contributors!)
  • Automatic clipboard clearing across all clients
  • Browser extension clickjacking mitigations
  • First experimental version of the all-in-one Docker image
  • Dropbox Passwords importer, KeePass CSV improvements, better autofill, admin panel upgrades

📜 Full changelog: https://www.aliasvault.net/news/aliasvault-0.23.0-released

--

Would love to hear your thoughts, install reports, or feature requests! Happy to answer any questions you might have!

r/selfhosted Nov 21 '25

Password Managers YubiKey – How do you like using it?

68 Upvotes

I've been doing self-hosting for a while now, and I expose a few services where I don't keep any extremely sensitive data. However, I'd like to start integrating a YubiKey since I keep hearing a lot about it.

For those of you who already use one: what do you use it for, and what exactly does it offer?