• February 12, 2026
• 3 min read

Installing Vaultwarden via Docker

1. Install Docker

Install Docker on your system first.

2. Pull Docker Images

• vaultwarden/server:1.33.2
• openresty/openresty:bookworm

mkdir -p /home/vaultwarden /home/openresty/{ssl,conf.d}

3. Vaultwarden Setup

Create a dedicated Vaultwarden network to avoid direct exposure

docker network create --driver bridge vaultwarden_network

Create the Vaultwarden startup file at /home/vaultwarden/compose.yml

services:
  vaultwarden:
    image: vaultwarden/server:1.33.2
    container_name: vaultwarden
    restart: unless-stopped
    environment:
      TZ: Asia/Shanghai
      ENABLE_WEBSOCKET: false
      # SIGNUPS_ALLOWED: false # Disable new user registration
      SIGNUPS_ALLOWED: true # Allow new user registration
      # ADMIN_TOKEN: Argon2 PHC hashed password for /admin access
      # Generate using: echo -n "YourPassword" | argon2 "$(openssl rand -base64 32)" -e -id -k 65540 -t 3 -p 4
      # Or use: docker run --rm -it vaultwarden/server /vaultwarden hash
      ADMIN_TOKEN: xxx
    volumes:
      - ./vw-data:/data
    networks:
      - vaultwarden_network
networks:
  vaultwarden_network:
    external: true

Start Vaultwarden

cd /home/vaultwarden
docker compose up -d

4. Generate an SSL Certificate

cd /home/openresty/ssl
# Generate private key
openssl ecparam -name prime256v1 -genkey -noout -out key.pem
# Create certificate signing request
openssl req -new -key key.pem -out server.csr \
    -subj "/CN=localhost"
# Generate self-signed certificate
openssl x509 -req -in server.csr -signkey key.pem -out cert.pem -days 3650

5. OpenResty Setup

Configure /home/openresty/nginx.conf

pcre_jit on;
worker_processes auto;
events {
    worker_connections 1024;
}
http {
    log_format main '$remote_addr - $remote_user [$time_iso8601] "$request" '
    '$status $body_bytes_sent "$http_referer" '
    '"$http_user_agent" "$http_x_forwarded_for"'
    '"$request_time" "$upstream_response_time"';
    open_log_file_cache max=1024 inactive=1m valid=5m min_uses=2;
    access_log /var/log/nginx/access.log main;
    error_log /var/log/nginx/error.log debug;
    underscores_in_headers off;
    include mime.types;
    default_type application/octet-stream;
    client_body_temp_path /var/run/openresty/nginx-client-body;
    proxy_temp_path /var/run/openresty/nginx-proxy;
    fastcgi_temp_path /var/run/openresty/nginx-fastcgi;
    uwsgi_temp_path /var/run/openresty/nginx-uwsgi;
    scgi_temp_path /var/run/openresty/nginx-scgi;
    sendfile on;
    keepalive_timeout 65;
    server_tokens off;
    resolver 127.0.0.11 valid=30s;
    types_hash_max_size 4096;
    client_max_body_size 1024M;
    client_body_timeout 1m;
    proxy_connect_timeout 1m;
    proxy_read_timeout 10m;
    proxy_send_timeout 10m;
    include /etc/nginx/conf.d/*.conf;
}

Configure /home/openresty/conf.d/vaultwarden.conf

upstream vaultwarden-default {
    zone vaultwarden-default 64k;
    server vaultwarden:80;
    keepalive 2;
}
map $http_upgrade $connection_upgrade {
    default upgrade;
    '' "";
}
server {
    listen 80;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl;
    http2 on;
    server_name _;
    ssl_certificate /etc/nginx/ssl/cert.pem;
    ssl_certificate_key /etc/nginx/ssl/key.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1h;
    client_max_body_size 525M;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $connection_upgrade;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_connect_timeout 777;
    proxy_send_timeout 777;
    proxy_read_timeout 777;
    send_timeout 777;
    location / {
      proxy_pass http://vaultwarden-default;
    }
}

Configure /home/openresty/compose.yml

services:
  openresty:
    image: openresty/openresty:bookworm
    container_name: openresty
    restart: unless-stopped
    environment:
      - TZ=Asia/Shanghai
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - ./nginx.conf:/usr/local/openresty/nginx/conf/nginx.conf:ro
      - ./conf.d:/etc/nginx/conf.d/:ro
      - ./default.d/:/etc/nginx/default.d/:ro
      - ./log:/var/log/nginx/:rw
      - ./ssl:/etc/nginx/ssl/:ro
      - ./socks:/var/run/socks
    networks:
      - vaultwarden_network
networks:
  vaultwarden_network:
    external: true
    driver: bridge

Start OpenResty

cd /home/openresty
docker compose up -d

6. Access Vaultwarden

• User interface: https://ip/
• Admin panel: https://ip/admin, password: Password used to generated ADMIN_TOKEN

7. Toggle New User Registration

To enable/disable new user registration: 1. Modify /home/vaultwarden/compose.yml: toggle the SIGNUPS_ALLOWED value 2. Restart Vaultwarden: docker compose restart

Users can be managed through the admin interface.

8. Browser Setup

Install the Bitwarden browser extension to start using Vaultwarden.