I Replaced My €4.99/Month Password Manager with a Self-Hosted One for €10/Year — Here's Exactly How

Tommi Kivistö — Sun, 10 May 2026 05:50:02 +0000

Password managers are essential in 2026. But why pay €35–€60 per year to store your most sensitive data on someone else's server?
I run Vaultwarden on a Raspberry Pi 4 with Home Assistant. Total cost: ~€10/year for the domain. Everything else is free forever.
Here's the full setup.
What You Need
Hardware:
Raspberry Pi 4 (2GB+ RAM) — Pi 5 also works
SSD recommended for reliability
Stable internet connection
Free accounts:
Cloudflare — for domain, tunnel and email routing
Tailscale — optional backup access
Free software:
Home Assistant OS running on your Pi
Bitwarden app (Android, iOS, Windows, Mac, Linux)
Bitwarden browser extension (Chrome, Firefox, Edge, Safari)
What You'll Build
By the end of this guide you'll have:
✅ Vaultwarden running privately on your Pi
✅ Accessible from anywhere via vault.yourdomain.com
✅ HTTPS encryption — no open ports on your router
✅ Free email aliases as a bonus
✅ All official Bitwarden clients working normally
Chapter 1 — Install Vaultwarden on Home Assistant
Vaultwarden is a lightweight open-source reimplementation of the Bitwarden server. It uses the official Bitwarden apps — so your phone and browser extensions work exactly as normal — but your data stays on your own hardware.
Add the Community Repository
Vaultwarden isn't in the default HA app store. Add the community repository first.
Go to Settings → Apps → App Store
Click the menu (top right) → Repositories
Paste and add: https://github.com/hassio-addons/repository
Refresh the page and search for Vaultwarden
Click Install (takes 1–2 minutes)
Configure Vaultwarden
Go to the Configuration tab and set:
Yaml
Cloudflare will handle HTTPS for us — this setting is critical. Without it, Vaultwarden crashes.
Enable Start on boot, Watchdog and Auto update, then click Start.
Save Your Admin Token
Go to the Log tab — you'll see a long random string. This is your admin token. Copy it now — you'll need it later.
Verify It's Running
Open your browser and go to:
Code
Replace xxx with your Pi's IP. You should see the Vaultwarden login page.
⚠️ You can't create an account yet — we need HTTPS first.
Chapter 2 — Register a Domain with Cloudflare
A domain lets you access Vaultwarden via vault.yourdomain.com from anywhere. Cloudflare Registrar offers at-cost pricing — a .com domain costs around €10/year.
Go to cloudflare.com and create a free account
Go to Domain Registration → Register Domains
Search for your domain (e.g. yourname.com) and complete the purchase
Your domain shows as Active within a few minutes.
Chapter 3 — Set Up Cloudflare Tunnel
A Cloudflare Tunnel creates an encrypted connection between your Pi and Cloudflare's network. No open ports on your router — much more secure than traditional port forwarding.
Create the Tunnel
Go to dash.cloudflare.com → Zero Trust → Networks → Tunnels
Click Create a tunnel → choose Cloudflared
Name it homeassistant → click Save tunnel
Select Linux as OS and arm64 as architecture
Copy the long token from the install command
Add Vaultwarden as a Public Hostname
In tunnel settings → Public Hostname → Add a public hostname:
Field
Value
Subdomain
vault
Domain
yourdomain.com
Type
HTTP
URL
http://192.168.1.xxx:7277
Install Cloudflared in Home Assistant
In HA App Store → Repositories → add: https://github.com/brenner-tobias/ha-addons
Search for Cloudflared and install
In Configuration tab, paste your tunnel token
Enable Start on boot and Watchdog → Save → Start
Verify
Open https://vault.yourdomain.com — you should see the Vaultwarden login page with a valid HTTPS certificate. 🎉
⚠️ 502 error? Check that the tunnel hostname URL uses http:// (not https://) pointing to your Pi's local IP.
Chapter 4 — Connect Your Devices
Create Your Account
Go to https://vault.yourdomain.com → Create Account
Choose a strong master password
🔴 Critical: Write your master password on paper and store it safely. If you lose it, your vault cannot be recovered.
Disable Public Registration
Go to https://vault.yourdomain.com/admin and enter your admin token. Under General Settings, disable Allow new signups. This prevents anyone else from creating an account on your server.
Browser Extension
Install Bitwarden from your browser's extension store. Before logging in, click the gear icon and set Server URL to:
Code
Android & iPhone
Install Bitwarden from Google Play or App Store. Tap the gear icon before logging in and set the same server URL.
Enable autofill:
Android: Settings → General Management → Passwords and Autofill → Bitwarden
iPhone: Settings → Passwords → Password Options → Bitwarden
Chapter 5 — Free Email Aliases (Bonus)
With your Cloudflare domain you get free email routing — unlimited aliases that forward to your real email.
In Cloudflare dashboard → your domain → Email → Email Routing
Add your real email as destination and verify it
Create aliases like:
vault@yourdomain.com — for your Vaultwarden account
shopping@yourdomain.com — for online stores
banking@yourdomain.com — for financial services
If any service leaks your email and you start getting spam, you know exactly who leaked it — and you can disable that alias.
The Trickiest Parts (Lessons Learned)
These are the mistakes I made so you don't have to:
ssl: false in Vaultwarden config — without this it crashes. Cloudflare handles HTTPS so Vaultwarden doesn't need to.
Tunnel URL must use http:// — the public hostname pointing to your Pi must use http:// not https://.
Admin token — copy it from the log immediately on first start. Easy to miss.
Set server URL in Bitwarden clients — tap the gear icon before logging in, otherwise it tries to connect to Bitwarden's servers.
Cost Comparison
Solution
Annual Cost
Your Data
1Password
€36/year
Their servers
Bitwarden Premium
€10/year
Their servers
Proton Pass
€35/year
Their servers
This guide
~€10/year
Your Pi
Monthly Maintenance (15 minutes)
✓ Confirm https://vault.yourdomain.com loads
✓ Check HA → Apps — Vaultwarden and Cloudflared both Running
✓ Export vault backup: Tools → Export vault → save safely
✓ Check Cloudflare domain auto-renewal is set up
Is This For You?
Self-hosting is great if:
You want full control of your data
You already have a Pi running 24/7
You're comfortable with occasional maintenance
Bitwarden's hosted service is better if:
You need guaranteed uptime
You're not comfortable managing updates
You travel frequently without home access
Both are valid choices. Bitwarden's zero-knowledge encryption means even their hosted service is trustworthy — self-hosting is about control, not just security.
Want the Complete Guide?
This article covers the full setup. If you want a PDF with screenshots, troubleshooting reference and quick-reference card for your specific setup, I wrote it up here: payhip.com/b/dMpns
Happy to answer questions in the comments!

Forem: Tommi Kivistö

I Replaced My €4.99/Month Password Manager with a Self-Hosted One for €10/Year — Here's Exactly How