BitWarden - self hosted password manager using vaultwarden/server image

Docker BitWarden - self hosted password manager using vaultwarden/server image

UPDATE 09/07/2023 - v 1.29 - Mobile client push​

With version 1.29, VaultWarden team has added new features for the mobile apps, push notification sync support.

feat: Implement Push Notifications sync by GeekCornerGH · Pull Request #3304 · dani-garcia/vaultwarden

With this feature active on your instance, any changes done inside the VaultWarden server will be instantly visible to the mobile clients. This means, adding a new item, changing it, or creating and deleting the folder, for example.

In order to activate and use it, there are two major steps that need to be done. First is to get the installation ID and key, from the official Bitwarden request site.

If you are unfamiliar with this site, it is the same one that will generate the ID and key value for your self-hosted version of the official BW instance, or the upcoming BitWarden Unified setup.

In any event, once you have the ID and Key, make the changes to the compose file as follows:


Alter the variables listed above with the values you have got from the official BW request site, and rebuild the container using the 1.29 image version.

Websock sync will still work, but it can be removed from the compose.
Previously the ADMIN_TOKEN could only be in a plain text format. You can now hash the ADMIN_TOKEN using Argon2 by generating a PHC string.

This can be generated by using a built-in hash command within Vaultwarden, or using the argon2 CLI tool.

Here are a few examples of how to start with the generation of the PHC string using the Vaultwarden 1.28.0 (or newer) version of the image.

# Using the Bitwarden defaults (default preset)
# Via docker on a running container
docker exec -it vwcontainer /vaultwarden hash

# Via docker and creating a temporary container
docker run --rm -it vaultwarden/server /vaultwarden hash

# Using the vaultwarden binary directly
./vaultwarden hash

# Using the OWASP minimum recommended settings
# Via docker on a running container
docker exec -it vwcontainer /vaultwarden hash --preset owasp

# Via docker and creating a temporary container
docker run --rm -it vaultwarden/server /vaultwarden hash --preset owasp

# Using the vaultwarden binary directly
./vaultwarden hash --preset owasp

The same method applies if you are using any UI for docker management like Portainer for example. Simply use its console function to bash into the container, and then run the command: /vaultwarden hash --preset owasp

Enter the password you want to use on the admin page and wait for the string to be generated. Once you have it, set it as an environmental variable. If you are using docker-compose.yaml file, be sure to make the following changes to prevent interpolation.

Replace all single $ characters with double ones $$ in all five (5) instances inside the string.

Recreate the container, go to the VW admin page: https://fqdn/admin, and enter the password that you typed in during the string generation.
The old image bitwardenrs/server is being deprecated and changed with a new official one called vaultwarden/server.

The resource steps still apply.
If you want to use SMTP with this version of BW image make sure to make these changes to your setup.

Add these variables:

-e SMTP_HOST=<smtp.domain.tld> \
-e SMTP_FROM=<[email protected]> \
-e SMTP_PORT=587 \
-e SMTP_SSL=true \
-e SMTP_USERNAME=<username> \
-e SMTP_PASSWORD=<password> \

Note that if SMTP and invitations are enabled, invitations will be sent to new users via email. You must set the DOMAIN configuration option with the base URL of your bitwarden_rs instance for the invite link to be generated correctly.

This update will focus on the "LiveSync" feature that offers BW users instant sync of any updates across platforms. So for example, if you add a new entry using the web UI that same entry will be visible in any web browser extension as well as your app. The process works in all directions and its really instant.

This is possible using the websocket protocol. Considering that the official version (paid) method will not work with this custom one, developers have offered an alternative that works just as well.

In the default setup of this image, you can see that the web ui is using one port (port 80 by default) and that there is also a port 3012. This is the port that can be used for all websocket needs.

There is a prerequisite for this to work and that's a reverse proxy (more info here: dani-garcia/bitwarden_rs). Now I will assume that you already are using it (there is also a resource on that) but keep in mind that in order to make this work, setting up a reverse proxy entry via DSM UI will NOT give you the desired effect.

As you can see in the link above there are 2 application paths that need to be set via reverse proxy. This is not possible using the UI and needs to be done by hand.

Now I will assume also that you have had your BW setup so far via the built-in reverse proxy, so the next steps need to be followed (if you haven't then just skip to step 3).

01. Stop your BW container
02. Delete the existing reverse proxy BW entry from Control Panel > Application Portal > Reverse proxy
03. Using a text editor create a .conf file with the name of your choice (custom_rp.conf for example)
04. Paste the following content inside it and change the following elements!

  • server_name > enter your bw public domain name
  • ssl_certificate > path to your SSL certificate (full chain would be preferred)
  • ssl_certificate_key > path to your ssl certficate private key
  • proxy_pass > change the URL to point to your NAS ip address as well the port that you are using with your BW docker.
Keep in mind to use port numbers that you have mapped to the OUTSIDE of your container (host side, not inside the container)

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name your_bitwarden_public_domain_name;

    ssl_certificate /path/to/your/ssl/cert/fullchain.pem;

    ssl_certificate_key /path/to/your/ssl/cert/privkey.pem;

    location / {

        proxy_connect_timeout 60;

        proxy_read_timeout 60;

        proxy_send_timeout 60;

        proxy_intercept_errors off;

        proxy_http_version 1.1;

        proxy_set_header        Host            $http_host;

        proxy_set_header        X-Real-IP            $remote_addr;

        proxy_set_header        X-Forwarded-For            $proxy_add_x_forwarded_for;

        proxy_set_header        X-Forwarded-Proto            $scheme;

        proxy_pass http://NAS_IP_ADDRESS:80;


    location /notifications/hub {
        proxy_pass http://NAS_IP_ADDRESS:3012;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

    location /notifications/hub/negotiate {
        proxy_pass http://NAS_IP_ADDRESS:80;

    error_page 403 404 500 502 503 504 @error_page;

    location @error_page {
        root /usr/syno/share/nginx;
        rewrite (.*) /error.html break;
        allow all;


04. Copy the file to your NAS (a temp location)
05. Log in your NAS via SSH and elevate to root permission (sudo -i)
06. Copy the file to this location: /usr/local/etc/nginx/sites-enabled using cp
07. Restart nginx service with the following command: synoservice -restart nginx

Thats it! This revers entry will not be visible inside your RP or Certificates dialog so keep this in mind. Test out your BW LiveSync and never again click the "sync now" button ;)
The old image mparsil/bitwarden is being depricated and changed with a new official one called bitwardenrs/server.

The resource steps still apply.
  • Like
Reactions: wwwampy