fuwari/src/content/posts/en/2024/10/05.md
2026-03-28 05:18:40 +09:00


---
title: Install Vaultwarden with Docker and Harden Its Security
lang: en
published: 2024-10-05T06:35:04.819Z
description: Install Vaultwarden easily with Docker and learn basic steps to keep it secure. Create and manage unique passwords for all your online accounts safely.
image: ""
tags:
- Vaultwarden
- Docker
- Password Manager
category: Cybersecurity
draft: false
---
# Install Vaultwarden with Docker and Harden Its Security
Install Vaultwarden easily with Docker and learn basic steps to keep it secure. Create and manage unique passwords for all your online accounts safely.
>[!IMPORTANT]
>You should never store Bitcoin wallet passphrases in Vaultwarden or any digital format.
## Docker
Allow your user to run Docker without sudo by adding it to the docker group. Replace "username" with your own:
```bash
sudo usermod -aG docker username
```
Create a folder named vaultwarden and change into it, so that docker-compose.yml and the data volume end up inside it:
```bash
mkdir ~/docker
cd ~/docker
mkdir vaultwarden
cd vaultwarden
```
Create docker-compose.yml:
```bash
nano docker-compose.yml
```
Edit docker-compose.yml:
```yaml
version: '3.8'
services:
  vaultwarden:
    image: vaultwarden/server:latest
    container_name: vaultwarden
    user: 1000:1000
    ports:
      - "7789:80"
    volumes:
      - ./volumes/vw-data/:/data/
    restart: unless-stopped
    environment:
      - ADMIN_TOKEN=insecure
```
Start the container:
```bash
docker compose up -d
```
## Reverse Proxy
Install Caddy:
```bash
sudo apt install caddy
```
Open Caddyfile:
```bash
sudo nano /etc/caddy/Caddyfile
```
Update Caddyfile:
```
example.com {
	route /pass* {
		uri strip_prefix /pass
		redir https://pass.{host}{uri}
	}
}
pass.example.com {
	reverse_proxy localhost:7789
}
```
Restart Caddy:
```bash
sudo systemctl restart caddy
```
Go to Vaultwarden at https://pass.example.com or at https://example.com/pass if you prefer using a subpath.
## Security
### 1. Disable Registration
Before proceeding, create new accounts for yourself and your family.
Go to the admin panel at https://pass.example.com/admin. Enter "insecure" as the admin token.
Go to **General Settings** and uncheck **Allow new signups**.
### 2. Strong Admin Token
On your local machine, run the following commands. Replace "Insecure Password" with a new admin password, such as a 12-word passphrase or a password of 50+ characters.
```bash
sudo apt install argon2
echo -n "Insecure Password" | argon2 "$(openssl rand -base64 32)" -e -id -k 65540 -t 3 -p 4
```
*(Retrieved from [Vaultwarden wiki](https://github.com/dani-garcia/vaultwarden/wiki/Enabling-admin-page#using-argon2) on October 5, 2024)*
The output is a PHC-format string that starts with `$argon2id$v=19$m=65540,t=3,p=4$` and carries the salt and hash after it. Go to **General Settings** and paste the whole string into the **Admin token/Argon2 PHC** field.
Save your changes and log out. When you log back in, use your admin password.
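As an added check (example code written for this post, not from Vaultwarden or its wiki), the following Python parses the string that the argon2 command prints and confirms it is an argon2id PHC string with the cost parameters chosen above before you paste it into the admin panel. It uses only the standard library; the sample string is constructed from filler bytes and is not a real Argon2 output.

```python
import base64
import re

# Shape of the string `argon2 ... -e` prints: $argon2id$v=19$m=<KiB>,t=<passes>,p=<lanes>$<salt b64>$<hash b64>
_PHC_RE = re.compile(
    r"^\$(?P<alg>argon2(?:id|i|d))\$v=(?P<v>\d+)"
    r"\$m=(?P<m>\d+),t=(?P<t>\d+),p=(?P<p>\d+)"
    r"\$(?P<salt>[A-Za-z0-9+/]+)\$(?P<hash>[A-Za-z0-9+/]+)$"
)

def _b64decode_nopad(s: str) -> bytes:
    # PHC fields are standard base64 without '=' padding; restore it to decode.
    return base64.b64decode(s + "=" * (-len(s) % 4))

def parse_phc(phc: str) -> dict:
    """Split an Argon2 PHC string into algorithm, version, costs and field lengths."""
    m = _PHC_RE.match(phc.strip())
    if m is None:
        raise ValueError("not a well-formed Argon2 PHC string")
    return {
        "alg": m["alg"], "v": int(m["v"]),
        "m": int(m["m"]), "t": int(m["t"]), "p": int(m["p"]),
        "salt_len": len(_b64decode_nopad(m["salt"])),
        "hash_len": len(_b64decode_nopad(m["hash"])),
    }

def check_admin_token_phc(phc: str, min_m=65540, min_t=3, min_p=4) -> list:
    """Return the problems found (defaults are this page's cost parameters)."""
    try:
        fields = parse_phc(phc)
    except ValueError as e:
        return [str(e)]
    problems = []
    if fields["alg"] != "argon2id":
        problems.append(f"expected argon2id, got {fields['alg']}")
    for name, minimum in (("m", min_m), ("t", min_t), ("p", min_p)):
        if fields[name] < minimum:
            problems.append(f"{name}={fields[name]} is below the minimum {minimum}")
    if fields["salt_len"] < 16:
        problems.append(f"salt is only {fields['salt_len']} bytes; use at least 16")
    if fields["hash_len"] < 32:
        problems.append(f"hash is only {fields['hash_len']} bytes; expected 32")
    return problems  # empty list: the whole string is safe to paste into the admin panel

def _b64encode_nopad(b: bytes) -> str:
    return base64.b64encode(b).decode().rstrip("=")

# Constructed sample with filler salt/hash bytes, not a real Argon2 output.
SAMPLE_PHC = ("$argon2id$v=19$m=65540,t=3,p=4$"
              + _b64encode_nopad(b"s" * 44) + "$" + _b64encode_nopad(b"h" * 32))
```

Run `check_admin_token_phc` on the exact text you copied from the terminal; anything other than an empty list means the string was truncated or generated with weaker parameters than intended.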
Comment out the environment section in docker-compose.yml:
```yml
# environment:
# - ADMIN_TOKEN=insecure
```
Restart the container:
```bash
docker compose down; docker compose up -d
```
### 3. Restrict Admin Panel
Send anyone trying to access the admin panel to the homepage instead.
Update Caddyfile:
```
pass.example.com {
	reverse_proxy localhost:7789
	rewrite /admin* /
}
```
Restart Caddy:
```bash
sudo systemctl restart caddy
```
### 4. Disallow Search Engine Indexing
Prevent your Vaultwarden site from being indexed by Google. When you search for "Vaultwarden Web", you might find other people's Vaultwarden sites and their admin panels.
Open robots.txt:
```bash
sudo nano /var/www/html/robots.txt
```
Update robots.txt:
```txt
User-agent: *
Disallow: /pass
Allow: /$
```