Self-host an Organization
Before you can self-host an organization, you'll need to install and deploy Bitwarden to your server. Bitwarden can be run, using Docker, on Linux and Windows machines. While there are a variety of methods for installing Bitwarden, including methods for offline or air-gapped environments, we recommend starting with one of these guides:
Some features used by Bitwarden organizations are not configured by the standard installation procedure documented in the above articles. To equip your self-hosted server with all the features available to Bitwarden organizations, set the following variables in your ./bwdata/env/global.override.env file:
Variable | Description | Use |
|---|---|---|
globalSettings__mail__smtp__host= | Your SMTP server hostname (recommended) or IP adress. | Used for inviting users to your organization. |
globalSettings__mail__smtp__port= | The SMTP port used by the SMTP server. | Used for inviting users to your organization. |
globalSettings__mail__smtp__ssl= | (Boolean) Whether your SMTP server uses an encryption protocol:
| Used for inviting users to your organization. |
globalSettings__mail__smtp__username= | A valid username for the | Used for inviting users to your organization. |
globalSettings__mail__smtp__passsword= | A valid password for the | Used for inviting users to your organization. |
globalSettings__enableCloudCommunication= | Set to | Used for billing and license sync. |
globalSettings__duo__aKey= | A randomly generated Duo akey. For more information, see Duo's Documentation. | Used for organization-wide two-step login via Duo. |
globalSettings__hibpApiKey= | Your HaveIBeenPwned (HIBP) API Key, available here. | Allows users to run the Data Breach report and to check their master password for presence in breaches when they create an account. |
globalSettings__disableUserRegistration= | Specify | Used to limit users on the server to those invited to the organization. |
globalSettings__sso__enforceSsoPolicyForAllUsers= | Specify | Used to enforce the Require SSO authentication policy for owner and admin roles. |
Once you've made changes to your environment variables, perform a ./bitwarden.sh restart to apply the changes to your server.
At this stage, you're ready to start your organization and port it over to your self-hosted server. For billing purposes, organizations must first be created in the Bitwarden cloud web vault (https://vault.bitwarden.com). Follow these instructions to create an organization.
Once your cloud organization is created, follow these instructions to retrieve your license from the cloud and upload it to your self-hosted server to create a self-hosted copy of the organization.
Self-hosted Bitwarden organizations will be able to utilize all paid features provided by their chosen plan. Only Families and Enterprise organizations can be imported to self-hosted servers. Learn more here.
Next, setup your self-hosted organization for billing and license sync from your cloud organization. Doing so is optional, but will have a few advantages:
Enabling easier license updating when you change your organization's seat count.
Enabling easier license updating when your subscription comes to its renewal date.
Unlocking sponsored Families organizations for members of Enterprise organizations.
Follow these instructions to setup billing and license sync for your organization.
note
Billing and license syncing requires that the globalSettings__enableCloudCommunication= environment variable is set to true (learn more).
You're now ready to start administering your self-hosted organization! Here's how you might approach it:
Invite your admin team
Every all-star organization needs an all-star admin team. Start inviting high-privileged members who can help you build a foundation for secure credential sharing with Bitwarden. If you’re building an Enterprise organization, you can give members highly-flexible custom permissions to fit your needs.
For protective redundancy, we recommend including at least one other organization owner in your newly-formed admin team.
Set policies (Enterprise-only)
Your business has unique security needs. Use policies to build a consistent deployment and experience for all team members, like requiring SSO authentication or enrolling members in admin password reset. To get your organization ready for more team members, it's important to set your policies early.
Import your data
Is your business coming to Bitwarden from another password manager? Good news! You can import that data directly to your organization to avoid a painful day of copy-and-pasting.
Build groups & collections
Once you've got items in your vault, it's a good time to set up collections and groups to ensure that the right users have access to the right credentials. Every organization is different, but here are some tips to help you get started with collections and get started with groups.
Invite your team
It's finally time to start inviting users! If you use an identity provider or directory service like Azure Active Directory, use SCIM or Directory Connector to automatically sync users. Otherwise, follow the same steps you took to build your admin team to invite more users to the organization.
Invite your admin team
Every all-star organization needs an all-star admin team. Start inviting high-privileged members who can help you build a foundation for secure secret sharing with Bitwarden.
For protective redundancy, we recommend including at least one other organization owner in your newly-formed admin team.
Set policies
Your business has unique security needs. Use policies to build a consistent deployment and experience for all team members, like requiring SSO authentication or enrolling members in admin password reset. To get your organization ready for more team members, it's important to set your policies early.
Import your data
Is your business coming to Bitwarden from another secret manager? Good news! You can import that data directly to your organization to avoid a painful day of copy-and-pasting.
Invite your team
It's finally time to start inviting users! If you use an identity provider or directory service like Azure Active Directory, use SCIM or Directory Connector to automatically sync users. Otherwise, follow the same steps you took to build your admin team to invite more users to the organization. Once everyone is onboarded, start giving users access to Secrets Manager.