// the find
dani-garcia/vaultwarden
Unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs
Vaultwarden is a Rust reimplementation of the Bitwarden server API, built for self-hosters who want the full Bitwarden client ecosystem without running Bitwarden's official Java/Kotlin stack. It covers nearly the entire feature surface — organizations, groups, emergency access, FIDO2, SSO — in a single binary that idles at a few MB of RAM. The target audience is anyone who wants a self-hosted password manager without paying for Bitwarden's hosted plans or running their resource-hungry official server.
The memory footprint difference is real and significant: the official server needs a JVM, MSSQL, and several services; Vaultwarden is one Rust binary that works with SQLite, MySQL, or PostgreSQL and runs on a $5 VPS or a Pi. Diesel migrations are tracked per database backend and the history goes back to 2018, so schema upgrades are handled properly and you can inspect exactly what changed. The Bitwarden client compatibility is genuine — all official clients (browser extensions, mobile, desktop, CLI) work without modification, which means you're not locked into a forked client that diverges over time. The Docker build pipeline is sophisticated, with multi-arch images built via bake, Trivy vulnerability scanning in CI, and both Debian and Alpine variants.
This is an unofficial reimplementation with no formal API compatibility contract — when Bitwarden changes their internal API (which they do, periodically), Vaultwarden breaks until someone reverse-engineers the new protocol and ships a fix. The disclaimer is honest about this but it's a real operational risk for anyone depending on it for production credentials. SSO support exists but was bolted on over time and the migration history shows repeated schema reshuffles (sso_nonce → auth, binding columns, error columns across 2024-2026) suggesting the implementation wasn't planned for from day one. The 'not associated with Bitwarden' position means you get no SLAs, no CVE coordination with the official team, and security fixes depend entirely on community response time — uncomfortable for something storing every password you have.