Many users create simple passwords or use the same ones while signing up for any service or product online, as they are easy to remember. Some users do use complex passwords but save the credentials in the web browser, which is neither recommended nor safe. Instead of using a web browser to manage your passwords, you can build a self-hosted modern password manager using Bitwarden with Multi-Factor Authentication (MFA), backups, SSL certificate, remote access, and enhanced security.
Things You Will Need
You can set up a Bitwarden server on an old laptop, PC, or Raspberry Pi 3, 4, or 400. However, in this guide we will show how to host Bitwarden and use the password manager on a Raspberry Pi Zero 2 W, which works well as it’s small and runs on low power and resources. You’ll need the following items:
- Raspberry Pi Zero 2 W
- microSD card
- Card reader
- Windows, Mac, or Linux PC
- Wireless LAN (Wi-Fi)
Step 1: Install Raspberry Pi OS Lite (64-bit)
Insert the microSD card into the card reader and connect it to your computer system. Then follow these steps to write the 64-bit Lite version of Raspberry Pi OS to it.
- Download, install and launch the Raspberry Pi Imager tool on your system.
- Click Choose OS > Raspberry Pi OS (Other) > Raspberry Pi OS Lite (64-bit).
- Click the gear icon and enable SSH.
- Fill in the details, such as username and password, Wi-Fi SSID and password, to configure the Wi-Fi connection. For more details, check out our guide on how to install an operating system on a Raspberry Pi.
- After writing the OS to the card, eject it and insert it into your Raspberry Pi Zero.
Step 2: Connect Over SSH
Since we enabled the SSH at the time of writing the OS, we can connect to your Raspberry Pi over SSH using the Terminal app on macOS or Linux, and PuTTY on Windows. To connect to the Pi, we must know the IP of the Raspberry Pi. You can use the Fing app on your smartphone or check the DHCP settings of your router to find the IP.
If you are using the Terminal app on macOS or Linux, run the following command,
Type your password and press the Return/Enter key.
If using PuTTY instead:
- Enter the Raspberry Pi IP address, with port 22, and click Open.
- When prompted with ‘login as:’, type the username and press Enter.
- Type the password and press Enter.
You will be logged in to the Pi over SSH successfully. If not, check the network connection, your username, and your password.
Run the following command to update and upgrade software packages. This may take a while to finish.
sudo apt update && sudo apt upgrade -y
Step 3: Install Docker
To install Docker on Raspberry Pi, run the following command in the SSH terminal window.
curl -sSL https:
This will run a script and install Docker on your Raspberry Pi. Check the Docker version installed using the following command.
Next, we will permit our default pi user to access this Docker installation. The command is as follows:
sudo usermod -aG docker pi
Once this is done, reboot the Raspberry Pi using the sudo reboot command, and then continue following the steps given below to install Portainer.
Step 4: Install Portainer
Although you can manage Docker containers via the command line, Portainer provides a user-friendly GUI interface for deploying and managing our Docker containers on Raspberry Pi. To install Portainer, run the following command in the SSH terminal window.
sudo docker pull portainer/portainer-ce:latest
To run Portainer, we need to create a new Docker container at port 9000.
sudo docker run -d -p 9000:9000 --restart=always --name=portainer -v /var/run/docker.sock:/var/run/docker.sock -v portainer_data:/data portainer/portainer-ce:latest
Once done, open the web browser and visit the IP address of Raspberry Pi at port 9000 to open and access the Portainer container:
Enter the desired Username and Password to create a Portainer user account and log in.
Step 5: Install and Set Up Bitwarden RS (Vaultwarden)
After logging into Portainer, follow these steps to deploy and set up a self-hosted BitWarden server on Raspberry Pi.
- Click on Volume > Add Volume.
- Type the name and click the Create the volume button. We have named the volume BitWardenServer.
- Click Containers > Add Container. Enter the information in the following fields:
- Name: BitWarden (You can name it anything)
- Image: vaultwarden/server:latest
Click Publish a new network port. In the host field, type 8080, and in the container field, type 80, as shown in the image below.
- Scroll down and click Volumes > Map additional volume under the Advanced container settings section. Type /data in the container field and choose the BitwardenServer volume we created in earlier steps.
- Click on Restart Policy under the Advanced container settings section and choose Always.
- Click Deploy the container under the Actions section. After a few minutes, it should display the BitWarden server we just deployed as healthy.
- You can now visit the Raspberry Pi IP address at port 8080. This will open the Bitwarden web UI.
Step 6: Set Up a Cloudflare Tunnel
To access and use Bitwarden, you must set up a reverse proxy. You can deploy and use Nginx Proxy Manager to add and set up a proxy host. However, we will use a completely different approach and instead use the Cloudflare Tunnel service to access Bitwarden remotely from anywhere with a secure SSL connection.
To set it up, you must have a registered domain. Add your domain to Cloudflare and then follow these steps to install and set up the Cloudflare Tunnel.
- In the Terminal or PuTTY SSH connection, execute the following commands.
sudo wget https:
sudo cp ./cloudflared /usr/local/bin
sudo chmod +x /usr/local/bin/cloudflared
cloudflared tunnel login
- Copy the displayed URL in the output and open the URL in a web browser. Log in to Cloudflare and authorize the domain you added.
- Now we can create a secure tunnel. We are naming it bitwarden.
cloudflared tunnel create bitwarden
- Copy the tunnel ID and the JSON file path from the output and paste them into a Notepad on your system. Keep this information safe and confidential. Then run the following command to create a configuration file.
sudo nano ~/.cloudflared/config.yml
- In the nano editor, paste the following code. Make sure to replace the tunnel: value and credentials-file: path with your own.
- hostname: bitwarden.YourDomain.com
- service: http_status:404
- Press Ctrl+X, then Y and press the Enter key.
- Create a DNS route for accessing the self-hosted Bitwarden server.
cloudflared tunnel route DNS bitwarden bitwarden.YourDomain.com
- Finally, run the tunnel.
cloudflared tunnel run bitwarden
- You can now visit https://bitwarden.YourDomain.com to access the Bitwarden server.
Step 7: Log In and Create Users
You can now access your self-hosted Bitwarden server from anywhere in the world at the hostname you set up in the Cloudflare Tunnel. Enable the admin panel to manage the users and vaults in your Bitwarden server.
You can also create multiple accounts of your friends and family to allow them to save their passwords in their Bitwarden vaults in encrypted form, generate passwords, etc. Make sure to enable 2-Factor Authentication for better security.
After creating the account, you or users can log in to Bitwarden and import their passwords from the web browser (.csv) to their Bitwarden accounts or vaults to safeguard the passwords. Refer to the Bitwarden documentation to learn more about how to use it. In addition, you may also self-host Bitwarden at (nearly) no cost using Google Cloud.
DIY Password Manager with Complete Privacy
This is how you deploy a secure self-hosted Bitwarden server on a Raspberry Pi Zero 2 W. The steps are the same as discussed in this guide if you want to set up a Bitwarden server on Raspberry Pi 3 or Raspberry Pi 4/400.
After deploying the Bitwarden server, you can install the Bitwarden extension in the web browser, or app on your Android or iOS device, to create and manage passwords. Since we are using Cloudflare Tunnel, we do not expose our public IP, which makes it more secure than other methods. Your passwords and login information remain safe, secure, and private in your Bitwarden vaults.
Read the full article here