Install and Deploy - Windows
This article will walk you through the procedure to install and deploy Bitwarden to your own Windows server. Bitwarden can also be installed and deployed on Linux and macOS machines.
x64, 2GHz Dual Core
8+ GB RAM
Engine 19+ and Compose 1.24+
Engine 19+ and Compose 1.24+
Running Bitwarden on Windows Server requires use of nested virtualization. Please check your Hypervisor's documentation to find out if nested virtualization is supported and how to enable it.
If you are running Windows Server as an Azure VM, we recommend a Standard D2s v3 Virtual Machine running Windows Server 2019 Gen2, which meets all system requirements including support for nested virtualization.
The following is a summary of the installation procedure in this article. Links in this section will jump to detailed Installation procedure sections:
Configure your domain. Set DNS records for a domain name pointing to your machine, and open ports 80 and 443 on the machine.
Create a Bitwarden user & directory from which to complete the installation.
Install and setup Docker Desktop on your machine.
Retrieve an installation id and key from https://bitwarden.com/host for use in installation.
For more information, see What are my installation id and installation key used for?
Install Bitwarden on your machine.
Configure your environment by adjusting settings in
At a minimum, configure the
globalSettings__mail__smtp...variables to setup an email server for inviting and verifying users.
Test your installation by opening your configured domain in a web browser.
Once deployed, we recommend regularly backing up your server and checking for system updates.
Using the Powershell ISE to run Powershell commands will cause the Bitwarden installation to fail. Completing a successful install will require Powershell.
By default, Bitwarden will be served through ports 80 (
http) and 443 (
https) on the host machine. Open these ports so that Bitwarden can be accessed from within and/or outside of the network. You may opt to choose different ports during installation.
If you are using Windows Firewall, Docker Desktop for Windows will not automatically add an exception for itself in Windows Firewall. Add exceptions for TCP ports 80 and 443 (or chosen alternative ports) to prevent related errors.
We recommend configuring a domain name with DNS records that point to your host machine (for example,
bitwarden.example.com), especially if you are serving Bitwarden over the internet.
Open PowerShell and create a Bitwarden local user by running the following commands:
PS C:\> $Password = Read-Host -AsSecureStringText Copied!
After running the above command, enter the desired password in the text input dialog. After specifying a password, run the following:
New-LocalUser "Bitwarden" -Password $Password -Description "Bitwarden Local Admin"Text Copied!
As the newly created user, create a Bitwarden folder under
PS C:\> mkdir BitwardenText Copied!
In Docker Desktop, navigate to Settings → Resources → File Sharing and add the created directory (
C:\Bitwarden) to the Resources list. Select Apply & Restart to apply your changes.
The Bitwarden user must be added to the docker-users group. See Docker's documentation to learn how.
Bitwarden will be deployed and run on your machine using an array of Docker containers. Docker Desktop for Windows includes both Docker Engine and Docker Compose. Download and install Docker Desktop for Windows and check the Enable Hyper-V Windows Features configuration option during installation.
Bitwarden provides a Powershell Cmdlet file (
.ps1) for easy installation on Windows machines. Complete the following steps to install Bitwarden using the Cmdlet:
If you have created a Bitwarden user & directory, complete the following as the
Navigate to the created directory:
cd C:\BitwardenText Copied!
Run the following command to download the Bitwarden installation script (
Invoke-RestMethod -OutFile bitwarden.ps1 -Uri "https://func.bitwarden.com/api/dl/?app=self-host&platform=windows"Text Copied!
Run the installer script using the following command:
.\bitwarden.ps1 -installText Copied!
Complete the prompts in the installer:
Enter the domain name for your Bitwarden instance:
Typically, this value should be the configured DNS record.
Do you want to use Let's Encrypt to generate a free SSL certificate? (y/n):
yto generate a trusted SSL certificate using Let's Encrypt. You will be prompted to enter an email address for expiration reminders from Let's Encrypt. For more information, see Certificate Options.
nand use the do you have a SSL certificate to use? option.
Enter your installation id:
Retrieve an installation id using a valid email at https://bitwarden.com/host. For more information, see What are my installation id and installation key used for?
Enter your installation key:
Retrieve an installation key using a valid email at https://bitwarden.com/host. For more information, see What are my installation id and installation key used for?
Do you have a SSL certificate to use? (y/n)
If you already have your own SSL certificate, specify
yand place the necessary files in the
C:\Bitwarden\bwdata\ssl\<your_domain>directory. You will be asked whether it is a trusted SSL certificate (
y/n). For more information, see Certificate Options.
nand use the self-signed SSL certificate? option, which is only recommended for testing purposes.
Do you want to generate a self-signed SSL certificate? (y/n):
yto have Bitwarden generate a self-signed certificate for you. This option is only recommended for testing. For more information, see Certificate Options.
If you specify
n, your instance will not use an SSL certificate and you will be required to front your installation with an HTTPS proxy, or else Bitwarden applications will not function properly.
Configuring your environment can involve making changes to two files; an environment variables file and an installation file:
Environment variables (required)
Some features of Bitwarden are not configured by the
bitwarden.ps1 Cmdlet. Configure these settings by editing the environment file, located at
\bwdata\env\global.override.env. At a minimum, you should replace the values for:
... globalSettings__mail__smtp__host=<placeholder> globalSettings__mail__smtp__port=<placeholder> globalSettings__mail__smtp__ssl=<placeholder> globalSettings__mail__smtp__username=<placeholder> globalSettings__mail__smtp__password=<placeholder> ... adminSettings__admins= ...Text Copied!
globalSettings__mail__smtp...= placeholders to connect to the SMTP mail server that will be used to send verification emails to new users and invitations to organizations. Adding an email address to
adminSettings__admins= will provision access to the admin portal.
global.override.env, run the following command to apply your changes:
.\bitwarden.ps1 -restartText Copied!
The Bitwarden installation script uses settings in
.\bwdata\config.yml to generate the necessary assets for installation. Some installation scenarios (such as installations behind a proxy with alternate ports) may require adjustments to
config.yml that were not provided during standard installation.
config.yml as necessary and apply your changes by running:
.\bitwarden.psq -rebuildText Copied!
Once you have completed all previous steps, start your Bitwarden instance by running the following command:
.\bitwarden.ps1 -startText Copied!
The first time you start Bitwarden it may take some time as it downloads images from Docker Hub.
Verify that all containers are running correctly:
docker psText Copied!
Congratulations! Bitwarden is now up and running at
https://your.domain.com. Visit the web vault in your web browser to confirm that it’s working.
You may now register a new account and log in. You will need to have configured
smtp environment variables (see Environment Variables) in order to verify the email for your new account.
Nach der Installation empfehlen wir, regelmäßig Sicherungskopien Ihres Servers zu erstellen und nach Systemaktualisierungen zu suchen.
If you are planning to self-host a Bitwarden organization, see self-host an organization to get started.
For additional information see self hosting FAQs.
Docker Desktop will only automatically start on boot if you have a logged-in RDP session. To start Docker Desktop on boot regardless of whether there is a user logged in:
Docker Desktop may take up to 15 minutes after boot to fully start and for containers to be accessible from the network.
Open Task Scheduler and select Create Task... from the Actions menu.
Configure the task with the following security options:
Set the task to use the created
Set the task to Run whether user is logged on or not.
Select the Triggers tab and create the following trigger:
From the Begin the task dropdown, select At startup.
In the Advanced settings section, check the Delay task for: checkbox and select 1 minute from the dropdown.
Select the Actions tab and create the following action:
In the Program/script input, specify
"C:\Program Files\Docker\Docker\Docker Desktop.exe".
Select OK to finish creating the scheduled task.
The Bitwarden installation script (
bitwarden.ps1) has the following commands available. All command must be prefixed with a switch (
-), for example
Start the installer.
Start all containers.
Restart all containers.
Stop all containers.
Update all containers and the database.
Update/initialize the database.
Update the run.ps1 file.
Update the installation script.
Update all containers without restarting the running instance.
Before this command executes, you will be prompted to save database files.
Rebuild generated installation assets from
List all commands.