This article contains Frequently Asked Questions (FAQs) regarding self-hosting.
A: Bitwarden is a cross-platform application that is deployed using Docker Linux containers. This means that Bitwarden can be hosted on Linux, macOS, and Windows machines.
Docker Desktop on Windows may require a license depending on whether your company meets Docker's requirements for licenses, however Docker on Linux is free.
You can read more about Docker and container technologies at the Docker website.
A: Bitwarden is generally deployed as either a single Windows or Linux VM, or a cluster of machines. At this time, Bitwarden does not publish pre-built images for these platforms, but you can find instructions on how to configure a VM on all of the above platforms and more here.
A: High availability can be achieved by configuring multiple instances of the containers into a Docker Swarm and/or by pointing the database connection string that the containers reference to any MSSQL database or cluster. Then you would probably want to load balance the NGINX containers or however you choose to handle the front-end.
A: In order to allow the server to push notifications to Bitwarden clients, you will need to allow the following URLs through your firewall:
You don't have to use push notifications if allowing these URLs won't work for your environment.
A: Bitwarden takes automated nightly backups of the
bitwarden-mssql database container in order to protect your stored credentials. For help with manual backups, or help restoring a backup, see Backup your Hosted Data.
A: Installation ids keys are used when installing Bitwarden on-premises in order to:
Register your installation and contain email so that we can contact you for important security updates.
Authenticate to push relay servers for push notifications to Bitwarden client applications.
Validate licensing of paid features.
Retrieve an installation id and key from https://bitwarden.com/host.
While retrieving your installation Id and Key, be sure to select the server region that corresponds to your Bitwarden client. Learn how to apply the proper self-hosted server region here.
You should not share your installation id or installation key across multiple Bitwarden installations. They should be treated as secrets.
A: Configure the
url: in the
./bwdata/config.yml with your new server name and the run the
./bitwarden.sh rebuild command to rebuild
Check that your server name or FQDN has been proliferated to all
globalSettings_baseServiceUri__* variables in
./bwdata/env/global.override.env, and that your certificate contains a Subject Alternative Name (SAN) with the new server FQDN
If you are using Let's Encrypt certificate, you will need to manually update your certificate.
A: First, change the name of the organization in the cloud using the web app. Once the cloud organization has been changed, you can re-download the license file and upload the new license file to your self-hosted organization as seen here.
Q: Why does the admin portal show an update available when update commands show I'm on the latest version?
A: The System Administrator Portal will show an available update as soon as we release our cloud server, however as mentioned in the release notes, self-hosted server updates typically are made available a few days following cloud. Please wait a few days and try updating your instance again.
A: Running Bitwarden under a domain subfolder (for example,
https://mydomain.com/bitwarden instead of
https://mydomain.com) is not supported. It must run under a host, as a subdomain, or with an additional port.
A: Connect your self-hosted instance to an existing SMTP mail server by editing all
globalSettings__mail__smtp__* values in
./bwdata/env/global.overide.env. For more information, see Configure Environment Variables.
A: Configure the following variables in
globalSettings__mail__replyToEmailfirstname.lastname@example.org globalSettings__mail__smtp__host=smtp.gmail.com globalSettings__mail__smtp__port=587 globalSettings__mail__smtp__ssl=false globalSettings__mail__smtp__username=<valid-gmail-username> globalSettings__mail__smtp__password=<valid-gmail-password>
Whether you are a Workspace Admin or personal user of Gmail, you will need to enable SMTP relay from within Google. For more information, see Google's documentation.
If you are using two-step authentication for your Gmail account, you will need to generate an app-specific password for use with Bitwarden and update the
globalSettings__mail__smtp__password= field in
A: To use custom ports, instead of 80 and 443, edit the
https_port= values in
./bwdata/config.yml and run
./bitwarden.sh rebuild to rebuild your server assets.
Check that the custom port values have been proliferated to