Install Vaultwarden on Raspberry Pi

Why Raspberry Pi for Vaultwarden?

Vaultwarden is one of the best apps you can run on a Raspberry Pi. It idles at around 50 MB of RAM, uses almost no CPU, and has native ARM64 Docker images. Even a Pi Zero 2 W can handle it. A Pi running Vaultwarden gives you a dedicated, always-on password vault for your household that draws about 3 watts of power. This guide covers the Pi-specific setup: ARM64 Docker, SQLite on USB SSD for reliability, SD card backup strategy, and keeping the whole thing running 24/7.

Prerequisites

• Raspberry Pi 3B+, Pi 4, Pi 5, or Pi Zero 2 W
• Raspberry Pi OS Lite (64-bit / ARM64) installed and running
• Docker and Docker Compose installed (guide)
• USB SSD recommended for database storage (SD cards degrade under write-heavy loads)
• 256 MB of free RAM
• 500 MB of free disk space
• SSH access enabled
• A domain name with HTTPS (Bitwarden clients require it)

Install Docker on Raspberry Pi OS

curl -fsSL https://get.docker.com | sh
sudo usermod -aG docker $USER

Log out and back in, then verify:

docker run --rm hello-world

Confirm you are running 64-bit:

uname -m
# Should output: aarch64

If it shows armv7l, you are on 32-bit Raspberry Pi OS. Vaultwarden works on 32-bit but the 64-bit image is better maintained. Reflash with the 64-bit image for best results.

Set Up USB SSD Storage

SD cards are fine for the OS but not ideal for a database that handles constant small writes. Mount a USB SSD for Vaultwarden’s data:

# Identify your USB drive
lsblk

# Format it (replace sdX with your device — BE CAREFUL)
sudo mkfs.ext4 /dev/sda1

# Create mount point and mount
sudo mkdir -p /mnt/ssd
sudo mount /dev/sda1 /mnt/ssd

# Make it persistent
echo "$(blkid -s UUID -o value /dev/sda1) /mnt/ssd ext4 defaults,noatime 0 2" | sudo tee -a /etc/fstab

# Create Vaultwarden data directory
sudo mkdir -p /mnt/ssd/vaultwarden
sudo chown $USER:$USER /mnt/ssd/vaultwarden

Docker Compose Configuration

Create your project directory:

mkdir -p ~/vaultwarden && cd ~/vaultwarden

Create a docker-compose.yml:

services:
  vaultwarden:
    image: vaultwarden/server:1.35.4
    container_name: vaultwarden
    restart: unless-stopped
    environment:
      # REQUIRED: Your domain (must be HTTPS)
      - DOMAIN=https://vault.example.com
      # Admin panel token — generate with: openssl rand -base64 48
      - ADMIN_TOKEN=${ADMIN_TOKEN}
      # Disable signups after creating your account
      - SIGNUPS_ALLOWED=true
      # WebSocket support for instant browser extension sync
      - WEBSOCKET_ENABLED=true
      # Rate limiting
      - LOGIN_RATELIMIT_MAX_BURST=5
      - LOGIN_RATELIMIT_SECONDS=60
      # Logging
      - LOG_LEVEL=warn
      - EXTENDED_LOGGING=true
    volumes:
      # Store data on USB SSD, not the SD card
      - /mnt/ssd/vaultwarden:/data
    ports:
      - "8080:80"
    healthcheck:
      test: ["CMD", "curl", "-f", "http://localhost:80/alive"]
      interval: 30s
      timeout: 10s
      retries: 3

Generate your .env:

echo "ADMIN_TOKEN=$(openssl rand -base64 48)" > .env

Start the container:

docker compose up -d

Verify it is running:

docker compose ps
curl -s http://localhost:8080/alive && echo " OK"

First-Time Setup

1. You need HTTPS before Bitwarden clients will connect. Set up a reverse proxy with SSL — see the Reverse Proxy guide or use Cloudflare Tunnel for a zero-port-forwarding approach that works well with residential ISPs.

2. Navigate to your HTTPS URL and create your account.

3. Disable signups in docker-compose.yml:

      - SIGNUPS_ALLOWED=false

docker compose up -d

4. Install a Bitwarden client and point it at your domain. The web vault, browser extension, desktop app, and mobile app all work with Vaultwarden.

Raspberry Pi Optimization

Reduce SD card writes. Move Docker’s storage to the SSD as well:

sudo systemctl stop docker
sudo mkdir -p /mnt/ssd/docker
sudo rsync -a /var/lib/docker/ /mnt/ssd/docker/

Edit /etc/docker/daemon.json:

{
  "data-root": "/mnt/ssd/docker",
  "log-driver": "json-file",
  "log-opts": {
    "max-size": "5m",
    "max-file": "2"
  }
}

sudo systemctl start docker

Enable watchdog timer. If the Pi freezes, the hardware watchdog reboots it automatically:

sudo apt install -y watchdog
sudo systemctl enable watchdog

Add to /etc/watchdog.conf:

watchdog-device = /dev/watchdog
max-load-1 = 24

Overclock (Pi 4 only, optional). Vaultwarden does not need it, but if you run other services:

Add to /boot/config.txt:

over_voltage=6
arm_freq=2000

Backup Strategy

With SQLite on a Pi, backups are critical. SD cards and even SSDs can fail.

Create ~/vaultwarden/backup.sh:

#!/bin/bash
BACKUP_DIR="$HOME/vaultwarden-backups"
DATA_DIR="/mnt/ssd/vaultwarden"
TIMESTAMP=$(date +%Y%m%d_%H%M%S)

mkdir -p "$BACKUP_DIR"

# Safe SQLite backup (not just a file copy)
sqlite3 "$DATA_DIR/db.sqlite3" ".backup '$BACKUP_DIR/db_$TIMESTAMP.sqlite3'"

# Copy RSA keys and attachments
cp "$DATA_DIR/rsa_key.pem" "$BACKUP_DIR/rsa_key_$TIMESTAMP.pem" 2>/dev/null
cp "$DATA_DIR/rsa_key.pub.pem" "$BACKUP_DIR/rsa_key_pub_$TIMESTAMP.pem" 2>/dev/null
cp -r "$DATA_DIR/attachments" "$BACKUP_DIR/attachments_$TIMESTAMP" 2>/dev/null

# Keep only last 14 days
find "$BACKUP_DIR" -type f -mtime +14 -delete
find "$BACKUP_DIR" -type d -empty -mtime +14 -delete

echo "$TIMESTAMP: Backup complete"

chmod +x ~/vaultwarden/backup.sh
crontab -e

Add for daily 2 AM backups:

0 2 * * * /home/pi/vaultwarden/backup.sh >> /home/pi/vaultwarden/backup.log 2>&1

For off-site backup, sync to another machine:

# Add to cron after the backup job
30 2 * * * rsync -az ~/vaultwarden-backups/ user@remote-server:~/vaultwarden-backups/

Troubleshooting

Container pulls the wrong architecture image

If Docker pulls an amd64 image instead of arm64, force the platform:

    platform: linux/arm64

Or verify your OS is 64-bit: dpkg --print-architecture should output arm64.

SQLite database locked errors

This usually happens when you copy the database file while Vaultwarden is running. Always use sqlite3 ... ".backup" for safe backups, never cp on a live database.

High SD card I/O and slow performance

Move the Vaultwarden data directory and Docker data root to a USB SSD. SD cards throttle under sustained writes and have limited write endurance.

Vaultwarden won’t start after Pi reboot

Check that the USB SSD is mounted before Docker starts:

sudo systemctl status mnt-ssd.mount

If the mount fails, the /mnt/ssd/vaultwarden path won’t exist and the container will fail. Ensure the fstab entry is correct and the drive is connected.

Out of memory on Pi Zero 2 W

The Pi Zero 2 W has 512 MB of RAM. Vaultwarden only uses ~50 MB, but Docker itself needs memory. Add a swap file:

sudo fallocate -l 512M /swapfile
sudo chmod 600 /swapfile
sudo mkswap /swapfile
sudo swapon /swapfile
echo '/swapfile none swap sw 0 0' | sudo tee -a /etc/fstab

Resource Requirements

• RAM: ~50 MB idle, ~80 MB under active use
• CPU: Negligible on any Pi model
• Disk: ~50 MB for the application, vault data typically under 100 MB
• Power: Adds essentially nothing to the Pi’s baseline ~3W draw

Related

• How to Self-Host Vaultwarden with Docker
• Install Vaultwarden on Ubuntu Server
• Install Vaultwarden on Proxmox VE
• Best Self-Hosted Password Managers
• Docker Compose Basics
• Reverse Proxy Explained
• Cloudflare Tunnel Setup