Vaultwarden is an unofficial, lightweight Bitwarden server implementation written in Rust — fully compatible with all official Bitwarden clients (browser extensions, mobile apps, desktop apps) while using a fraction of the resources required by the official Bitwarden server. Self-hosting on a Hong Kong VPS keeps your passwords and secrets under your control, accessible from mainland China via CN2 GIA routing, with end-to-end encryption ensuring the server never sees your unencrypted data.
Why Self-Host a Password Manager on Hong Kong VPS
- Data sovereignty: Your encrypted vault is stored on your server — not on 1Password’s, LastPass’s, or Bitwarden’s infrastructure
- China accessibility: Bitwarden.com is accessible from China, but unreliably so — a self-hosted instance on Hong Kong VPS with CN2 GIA routing is consistently fast for Chinese team members
- No per-seat SaaS fees: Vaultwarden’s organisation features (shared vaults, team access) are free for self-hosted deployments — Bitwarden charges per-user for these enterprise features
- Offline vault access: Bitwarden clients cache the encrypted vault locally — accessible even if your VPS is temporarily unreachable
Step 1: Deploy Vaultwarden
```bash
mkdir -p /home/deploy/vaultwarden
cd /home/deploy/vaultwarden
nano docker-compose.yml
```

```yaml
version: '3.8'
services:
  vaultwarden:
    image: vaultwarden/server:latest
    container_name: vaultwarden
    restart: unless-stopped
    ports:
      - "127.0.0.1:8222:80"   # loopback only; Nginx terminates TLS in front of it
    volumes:
      - vaultwarden_data:/data
    environment:
      # Security
      - ADMIN_TOKEN=${ADMIN_TOKEN}
      - SIGNUPS_ALLOWED=false      # Disable public registration
      - INVITATIONS_ALLOWED=true   # Allow admin to invite users
      # Domain
      - DOMAIN=https://vault.yourdomain.com
      # Email (for account verification and alerts)
      - SMTP_HOST=smtp.youremail.com
      - SMTP_PORT=587
      - SMTP_SECURITY=starttls
      - SMTP_USERNAME=${SMTP_USER}
      - SMTP_PASSWORD=${SMTP_PASS}
      - SMTP_FROM=vault@yourdomain.com
      # Performance
      - ROCKET_WORKERS=4
      - WEB_VAULT_ENABLED=true
      # Logging
      - LOG_LEVEL=warn
      - EXTENDED_LOGGING=false
volumes:
  vaultwarden_data:
```

```bash
# Write the secrets file. The shell expands $(openssl ...) here; Docker Compose does not
# run commands found in .env, so the token has to be generated before it lands in the file.
# (Vaultwarden also accepts an Argon2 PHC hash of the token, produced by `vaultwarden hash`,
# so the plaintext need not be stored on disk.)
cat > .env <<EOF
ADMIN_TOKEN=$(openssl rand -base64 48)
SMTP_USER=your@email.com
SMTP_PASS=your_email_password
EOF
chmod 600 .env
docker compose up -d
docker compose logs -f vaultwarden
```

Step 2: Configure Nginx with Security Headers
```bash
nano /etc/nginx/sites-available/vaultwarden
```

```nginx
server {
    listen 443 ssl http2;
    server_name vault.yourdomain.com;

    ssl_certificate /etc/letsencrypt/live/vault.yourdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/vault.yourdomain.com/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;

    # Vaultwarden security headers
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
    add_header X-Content-Type-Options nosniff always;
    add_header X-Frame-Options SAMEORIGIN always;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;

    # Rate limiting for login attempts. Scoped to the login endpoint only: a vault sync
    # issues dozens of requests, so a 10 r/m limit applied to the whole server would
    # break the clients rather than slow down password guessing.
    location = /identity/connect/token {
        limit_req zone=vaultwarden burst=10 nodelay;
        limit_req_status 429;
        proxy_pass http://127.0.0.1:8222;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # Restrict admin panel to your IP only
    location /admin {
        allow YOUR_HOME_IP;
        deny all;
        proxy_pass http://127.0.0.1:8222;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    location / {
        proxy_pass http://127.0.0.1:8222;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # WebSocket for live sync
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
```

Add the rate-limiting zone to the `http` block of /etc/nginx/nginx.conf:

```nginx
limit_req_zone $binary_remote_addr zone=vaultwarden:10m rate=10r/m;
```
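The rate limit above only slows an attacker down; to see who is actually pushing against it, here is an added Python check (not from this page or the Vaultwarden project) that summarises Nginx access-log lines: it counts failed POSTs to `/identity/connect/token` per client IP and the 429 answers the `limit_req` rule produced. The log lines are constructed, and the assumption that Vaultwarden answers a wrong password with 400 is noted in the code.

```python
import re
from collections import Counter

# nginx "combined" access-log line, as written for the vault.yourdomain.com server block
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
# Bitwarden clients obtain a session by POSTing to this endpoint, so a burst of failures
# from one IP is a master-password guessing attempt. Assumed: Vaultwarden answers a wrong
# password with 400 (a 400 is also returned when a second factor is required, so treat
# the count as a lead to investigate, not as proof).
LOGIN_PATH = "/identity/connect/token"
FAIL_CODES = {"400", "401"}


def login_failures(lines, threshold=5):
    """Return (suspects, throttled): IPs with >= threshold failed logins, and IPs that
    received the 429 produced by the Nginx limit_req rule on the login endpoint."""
    failures, throttled = Counter(), Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or m["path"] != LOGIN_PATH:
            continue
        if m["status"] in FAIL_CODES:
            failures[m["ip"]] += 1
        elif m["status"] == "429":
            throttled[m["ip"]] += 1
    suspects = {ip: n for ip, n in failures.items() if n >= threshold}
    return suspects, dict(throttled)


# Constructed sample log lines (not real traffic): one IP hammers the login endpoint until
# the rate limit answers 429; a legitimate user mistypes once, logs in, then syncs.
_LINE = ('{ip} - - [12/Mar/2024:01:02:{s:02d} +0800] "{m} {p} HTTP/1.1" {st} 187 '
         '"-" "Bitwarden_Mobile/2024.2.0"')
SAMPLE_LOG = (
    [_LINE.format(ip="203.0.113.7", s=i, m="POST", p=LOGIN_PATH, st=400) for i in range(6)]
    + [_LINE.format(ip="203.0.113.7", s=7, m="POST", p=LOGIN_PATH, st=429)]
    + [_LINE.format(ip="198.51.100.2", s=10, m="POST", p=LOGIN_PATH, st=400),
       _LINE.format(ip="198.51.100.2", s=11, m="POST", p=LOGIN_PATH, st=200),
       _LINE.format(ip="198.51.100.2", s=12, m="GET", p="/api/sync", st=200)]
)

if __name__ == "__main__":
    suspects, throttled = login_failures(SAMPLE_LOG)
    print("suspect IPs:", suspects)    # {'203.0.113.7': 6}
    print("rate-limited:", throttled)  # {'203.0.113.7': 1}
```

Feed it the real file with `login_failures(open("/var/log/nginx/access.log"))` from a cron job or a log shipper; a suspect IP is a candidate for a firewall block, and a user who appears there should be asked whether the attempts were theirs.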
```bash
# Obtain the certificate before enabling the site: nginx refuses to load a server block
# whose ssl_certificate files do not exist yet. The certbot nginx plugin needs nginx
# running and port 80 reachable from the internet for the HTTP-01 challenge.
certbot certonly --nginx -d vault.yourdomain.com --email your@email.com --agree-tos --no-eff-email
ln -s /etc/nginx/sites-available/vaultwarden /etc/nginx/sites-enabled/
nginx -t && systemctl reload nginx
```

Step 3: Initial Configuration via Admin Panel
- Navigate to https://vault.yourdomain.com/admin
- Enter the ADMIN_TOKEN from your .env file
- Configure email settings and test email delivery
- Create your first user account via Users → Invite User
- Disable the admin panel after initial setup (remove ADMIN_TOKEN from .env and restart the container; the panel is off whenever no token is set), or keep it restricted to your IP as configured
Step 4: Connect Bitwarden Clients
All official Bitwarden clients support self-hosted servers:
Browser extension (Chrome/Firefox/Safari):
- Click the Bitwarden extension icon → Settings icon
- Server URL: https://vault.yourdomain.com
- Log in with your Vaultwarden account

Mobile (iOS/Android):
- Bitwarden app → Region → Self-hosted
- Server URL: https://vault.yourdomain.com

Desktop app:
- Settings gear → Server URL → https://vault.yourdomain.com
Step 5: Backup Your Vault Data
```bash
nano /root/backup-vaultwarden.sh
```

```bash
#!/bin/bash
set -euo pipefail
DATE=$(date +%Y%m%d_%H%M)
BACKUP_DIR="/var/backups/vaultwarden"
mkdir -p "$BACKUP_DIR"
chmod 700 "$BACKUP_DIR"   # the archive holds the vault and the server's RSA signing key
# Backup Vaultwarden data volume (mounted read-only; tar only needs to read it).
# The SQLite file is copied while the server runs: db.sqlite3 and its -wal journal are
# both included, but for a guaranteed-consistent snapshot use sqlite3's .backup command
# or stop the container for the few seconds the copy takes.
docker run --rm \
  -v vaultwarden_data:/data:ro \
  -v "$BACKUP_DIR":/backup \
  alpine tar czf "/backup/vaultwarden_${DATE}.tar.gz" -C /data .
# Keep last 30 daily backups
find "$BACKUP_DIR" -name "vaultwarden_*.tar.gz" -mtime +30 -delete
echo "Vaultwarden backup completed: ${DATE}"
```

```bash
chmod 700 /root/backup-vaultwarden.sh
```
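A backup is only as good as the restore it survives. This added Python check (not part of the page or of Vaultwarden) opens a `vaultwarden_<date>.tar.gz` produced by the script above, confirms the expected files are present, runs SQLite's integrity check and counts accounts. The data-directory layout and the `users` table are assumptions about the Vaultwarden schema, and `make_sample_backup` builds a constructed archive so the check runs offline.

```python
import os
import sqlite3
import tarfile
import tempfile

# Minimum contents of a Vaultwarden /data directory (assumed subset; a real one also holds
# attachments/, sends/, icon_cache/ and config.json).
REQUIRED = ("db.sqlite3", "rsa_key.pem")


def verify_backup(archive):
    """Restore a vaultwarden_<date>.tar.gz into a scratch dir; return (ok, findings, users)."""
    with tempfile.TemporaryDirectory() as tmp, tarfile.open(archive, "r:gz") as tar:
        # Members are named "./db.sqlite3" etc. because the backup ran `tar -C /data .`
        names = {os.path.normpath(m.name) for m in tar.getmembers()}
        if any(n.startswith(("/", "..")) for n in names):
            return False, ["archive contains paths outside the data directory"], 0
        findings = [f"missing {req}" for req in REQUIRED if req not in names]
        if findings:
            return False, findings, 0
        tar.extractall(tmp)
        con = sqlite3.connect(os.path.join(tmp, "db.sqlite3"))
        try:
            if con.execute("PRAGMA integrity_check").fetchone()[0] != "ok":
                findings.append("db.sqlite3 failed PRAGMA integrity_check")
            # Accounts live in the `users` table of the Vaultwarden schema (assumed)
            user_count = con.execute("SELECT count(*) FROM users").fetchone()[0]
        except sqlite3.DatabaseError as exc:
            findings.append(f"db.sqlite3 unreadable: {exc}")
            user_count = 0
        finally:
            con.close()
    return not findings, findings, user_count


def make_sample_backup(path, users=2):
    """Build a tiny constructed backup with the same layout, so the check runs offline."""
    with tempfile.TemporaryDirectory() as data:
        con = sqlite3.connect(os.path.join(data, "db.sqlite3"))
        con.execute("CREATE TABLE users (uuid TEXT PRIMARY KEY, email TEXT)")
        con.executemany("INSERT INTO users VALUES (?, ?)",
                        [(f"u{i}", f"user{i}@example.com") for i in range(users)])
        con.commit()
        con.close()
        with open(os.path.join(data, "rsa_key.pem"), "w") as f:
            f.write("-----BEGIN PRIVATE KEY-----\nconstructed placeholder\n-----END PRIVATE KEY-----\n")
        with tarfile.open(path, "w:gz") as tar:
            tar.add(data, arcname=".")  # mirrors `tar czf ... -C /data .`
    return path
```

Run `verify_backup` against the newest archive in /var/backups/vaultwarden after each backup, and alert when `ok` is false or the account count drops unexpectedly.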
```bash
# Schedule daily at 01:00
crontab -e
# 0 1 * * * /root/backup-vaultwarden.sh
```

Conclusion
Self-hosted Vaultwarden on a Hong Kong VPS provides team password management with full data control, CN2 GIA-fast access for Chinese team members, and zero per-seat SaaS fees for shared vaults and organisation features. End-to-end encryption ensures your passwords remain secure even if the server were compromised.
Deploy your password vault on Server.HK’s Hong Kong VPS plans — Vaultwarden’s minimal resource requirements (under 20 MB RAM) make it suitable for running alongside your main application stack without impacting performance.
Frequently Asked Questions
Is Vaultwarden as secure as the official Bitwarden server?
Vaultwarden uses the same end-to-end encryption as Bitwarden — all password data is encrypted client-side before being sent to the server. The server never sees your unencrypted passwords regardless of which server implementation you use. Vaultwarden is open-source, actively maintained, and widely audited by the security community. The main security difference is that official Bitwarden undergoes formal third-party security audits — Vaultwarden relies on community review.
Can I migrate from the official Bitwarden cloud to self-hosted Vaultwarden?
Yes. Export your vault from Bitwarden.com (Account → Export Vault → JSON format), then import it into your self-hosted Vaultwarden instance. The exported file is encrypted with your master password. Update all client apps to point to your new self-hosted server URL after migration.
What happens to my passwords if my Hong Kong VPS goes down?
Bitwarden clients cache an encrypted copy of your vault locally — you can still access all saved passwords offline while the server is unreachable. You cannot sync new passwords or access shared vaults until the server is back online. This is the same behaviour as the official Bitwarden cloud service during any outage.