---
title: Install Vaultwarden with Docker and Harden Its Security
lang: en
published: 2024-10-05T06:35:04.819Z
description: Install Vaultwarden easily with Docker and learn basic steps to keep it secure. Create and manage unique passwords for all your online accounts safely.
image: ""
tags:
  - Vaultwarden
  - Docker
  - Password Manager
category: Cybersecurity
draft: false
---

# Install Vaultwarden with Docker and Harden Its Security

Install Vaultwarden easily with Docker and learn basic steps to keep it secure. Create and manage unique passwords for all your online accounts safely.

>[!IMPORTANT]
>You should never store Bitcoin wallet passphrases in Vaultwarden or any digital format.

## Docker

Allow your user to run Docker without sudo. Replace "username" with your own username, then log out and back in so the group change takes effect. Membership in the docker group is equivalent to root access on the host.

```bash
sudo usermod -aG docker username
```

Create a folder named vaultwarden and change into it:

```bash
mkdir ~/docker
cd ~/docker
mkdir vaultwarden
cd vaultwarden
```

Create docker-compose.yml:

```bash
nano docker-compose.yml
```

Edit docker-compose.yml:

```yaml
version: '3.8'
services:
  vaultwarden:
    image: vaultwarden/server:latest
    container_name: vaultwarden
    user: 1000:1000
    ports:
      # Publish on loopback only, so the container is reachable
      # through the local reverse proxy and not directly over plain HTTP.
      - "127.0.0.1:7789:80"
    volumes:
      - ./volumes/vw-data/:/data/
    restart: unless-stopped
    environment:
      # Temporary token; it is replaced in the Security section below.
      - ADMIN_TOKEN=insecure
```

Start the container:

```bash
docker compose up -d
```

## Reverse Proxy

Install Caddy:

```bash
sudo apt install caddy
```

Open Caddyfile:

```bash
sudo nano /etc/caddy/Caddyfile
```

Update Caddyfile:

```
example.com {
	route /pass* {
		uri strip_prefix /pass
		redir https://pass.{host}{uri}
	}
}

pass.example.com {
	reverse_proxy localhost:7789
}
```

Restart Caddy:

```bash
sudo systemctl restart caddy
```

Go to Vaultwarden at https://pass.example.com or at https://example.com/pass if you prefer using a subpath.

## Security

### 1. Disable Registration

Before proceeding, create new accounts for yourself and your family.

Go to the admin panel at https://pass.example.com/admin. Enter "insecure" as the admin token.
Go to **General Settings** and uncheck **Allow new signups**.

### 2. Strong Admin Token

On your local machine, run the following commands. Replace "Insecure Password" with your new admin password, such as a 12-word passphrase or a password with 50+ characters.

```bash
sudo apt install argon2
echo -n "Insecure Password" | argon2 "$(openssl rand -base64 32)" -e -id -k 65540 -t 3 -p 4
```

*(Retrieved from [Vaultwarden wiki](https://github.com/dani-garcia/vaultwarden/wiki/Enabling-admin-page#using-argon2) on October 5, 2024)*

The output will start with `$argon2id$v=19$m=65540,t=3,p=4$...`. This is the Argon2 PHC string, which encodes the parameters, the salt and the hash of your admin password.

Go to **General Settings** and enter the PHC string in the **Admin token/Argon2 PHC** field. Save your changes and log out. When you log back in, use your admin password.

Comment out the environment section in docker-compose.yml:

```yml
    # environment:
    #   - ADMIN_TOKEN=insecure
```

Recreate the container:

```bash
docker compose down; docker compose up -d
```

### 3. Restrict Admin Panel

Send anyone trying to access the admin panel to the homepage instead.

Update Caddyfile:

```
pass.example.com {
	reverse_proxy localhost:7789
	rewrite /admin* /
}
```

Restart Caddy:

```bash
sudo systemctl restart caddy
```

### 4. Disallow Search Engine Indexing

Prevent your Vaultwarden site from being indexed by Google. When you search for "Vaultwarden Web", you might find other people's Vaultwarden sites and their admin panels.

Open robots.txt:

```bash
sudo nano /var/www/html/robots.txt
```

Update robots.txt:

```txt
User-agent: *
Disallow: /pass
Allow: /$
```
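
To check the result of step 2 (Strong Admin Token), the script below classifies an admin token as plain text, weak Argon2 or acceptable Argon2, and reports whether docker-compose.yml still carries an active `ADMIN_TOKEN` line. It is an added example, not part of the original article or the Vaultwarden project. The function names are made up for this example, the cost floor is taken from the `-k 65540 -t 3 -p 4` command in step 2, and the sample salt and hash fields are constructed.

```shell
#!/bin/sh
# Added example: audit the Vaultwarden admin token (hypothetical helper names).

# classify_admin_token TOKEN -> prints plaintext | weak-argon2 | argon2-ok
classify_admin_token() {
  token=$1
  # PHC layout: $argon2id$v=19$m=<KiB>,t=<passes>,p=<lanes>$<salt>$<hash>
  phc='^\$argon2id\$v=19\$m=[0-9]+,t=[0-9]+,p=[0-9]+\$[A-Za-z0-9+/]+\$[A-Za-z0-9+/]+$'
  if ! printf '%s\n' "$token" | grep -Eq "$phc"; then
    echo plaintext            # anything that is not an argon2id PHC string
    return 0
  fi
  params=$(printf '%s\n' "$token" | cut -d'$' -f4)   # m=...,t=...,p=...
  m=${params#m=};   m=${m%%,*}
  t=${params#*,t=}; t=${t%%,*}
  p=${params##*,p=}
  # Floor taken from the article's command: -k 65540 -t 3 -p 4
  if [ "$m" -lt 65540 ] || [ "$t" -lt 3 ] || [ "$p" -lt 4 ]; then
    echo weak-argon2
  else
    echo argon2-ok
  fi
}

# audit_compose FILE -> prints a verdict for each active "- ADMIN_TOKEN=value"
# line (unquoted list form, as in the article); returns 1 if any is not argon2-ok.
audit_compose() {
  rc=0
  while IFS= read -r line; do
    case $line in
      *'#'*ADMIN_TOKEN=*) continue ;;   # commented out, as step 2 instructs
      *ADMIN_TOKEN=*) ;;
      *) continue ;;
    esac
    value=${line#*ADMIN_TOKEN=}
    # Compose writes a literal "$" as "$$"; undo that before parsing.
    value=$(printf '%s\n' "$value" | sed 's/\$\$/$/g')
    verdict=$(classify_admin_token "$value")
    echo "ADMIN_TOKEN: $verdict"
    [ "$verdict" = argon2-ok ] || rc=1
  done < "$1"
  return "$rc"
}

# Constructed samples: the salt and hash fields are dummy base64, not real output.
classify_admin_token 'insecure'
classify_admin_token '$argon2id$v=19$m=65540,t=3,p=4$c2FsdHNhbHQ$aGFzaGhhc2g'
```

After sourcing the functions, run `audit_compose docker-compose.yml` from the vaultwarden folder; a non-zero exit status means a plain-text or under-parameterised token is still active in the file.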