Self-Hosted Password Manager on Raspberry Pi — Complete 2026 Guide
Self-Hosted Password Manager on Raspberry Pi — Complete 2026 Guide
Running a self-hosted password manager on a Raspberry Pi is one of the smartest moves for privacy-conscious users in 2026. You get full control over your vault, no recurring fees, and the satisfaction of running your own infrastructure on hardware that costs less than a year of LastPass Premium.
This guide compares the three best options for Raspberry Pi — Vaultwarden, KeePassXC, and VaultKeepR — and walks you through a complete setup.
Why Self-Host on a Raspberry Pi?
| Benefit | What It Means |
|---|---|
| Full data ownership | Your encrypted vault never leaves hardware you control |
| Zero subscription | No monthly or annual fees — your electricity is the only cost |
| Privacy by design | No telemetry, no third-party analytics, no account required |
| Always-on sync | Your phone, laptop, and family devices sync over your local network or VPN |
| Education | You learn real Linux, networking, and security skills |
The trade-offs are real: you're responsible for updates, backups, uptime, and physical security. For most home users, that's a feature, not a bug.
Hardware Requirements
Minimum (Vaultwarden, KeePassXC)
- Raspberry Pi 4 Model B (4GB RAM) or newer
- 32GB Class 10 microSD card (Samsung EVO Select recommended)
- Official USB-C power supply (5.1V / 3A)
- Ethernet cable (Wi-Fi works but is less reliable for sync)
Recommended for VaultKeepR (IPFS)
- Raspberry Pi 5 (8GB) or Pi 4 (8GB)
- 128GB+ microSD or USB 3.0 SSD (IPFS cache grows)
- UPS HAT (e.g., Geekworm, SunFounder) — protects against power loss
- Ethernet (mandatory for IPFS performance)
Option 1: Vaultwarden on Raspberry Pi
Vaultwarden is a community Rust port of the Bitwarden server. It uses ~50MB RAM and runs comfortably on a Pi 3.
Install via Docker (recommended)
# Update system
sudo apt update && sudo apt upgrade -y
Install Docker
curl -fsSL https://get.docker.com -o get-docker.sh
sudo sh get-docker.sh
sudo usermod -aG docker $USER
Create a folder for Vaultwarden
mkdir -p ~/vaultwarden && cd ~/vaultwarden
Create docker-compose.yml:
version: "3"
services:
vaultwarden:
image: vaultwarden/server:latest
container_name: vaultwarden
restart: unless-stopped
volumes:
- ./vw-data:/data
ports:
- 80:80
environment:
- DOMAIN=https://vault.example.com
- SIGNUPS_ALLOWED=false # Disable public registration
- INVITATIONS_ALLOWED=true
- SHOW_PASSWORD_HINT=false
- LOG_LEVEL=warn
docker compose up -d
Expose Securely with Tailscale
Do NOT open port 443 to the public internet. Use Tailscale for private access:
curl -fsSL https://tailscale.com/install.sh | sh
sudo tailscale up
Install Tailscale on your phone and laptop, then access http:// from anywhere in your tailnet.
Pros and Cons
| Pros | Cons |
|---|---|
| Battle-tested (used by millions) | Still requires email + master password |
| Full Bitwarden client compatibility | Centralized server model (single point of failure) |
| Free, open source | You handle all backups, updates, security patches |
| Active community | Heavy Docker image (300MB+) |
Option 2: KeePassXC + Syncthing
KeePassXC is a desktop-first password manager with no central server. You sync the .kdbx database file across devices using Syncthing (peer-to-peer file sync).
Setup
# Install KeePassXC desktop
sudo apt install keepassxc -y
Install Syncthing
sudo apt install syncthing -y
sudo systemctl enable --now syncthing@$USER
Open http://localhost:8384 in a browser, set up folders, and share the .kdbx file across your devices.
Pros and Cons
| Pros | Cons |
|---|---|
| No server at all — fully P2P | No native mobile auto-fill (use Strongbox or KeePassDX) |
| KeePass format is 20+ years stable | No real-time multi-device sync (file-level only) |
| Strong offline-first design | Manual conflict resolution if two devices edit at the same time |
| Tiny resource footprint | No built-in 2FA TOTP support (uses KeePassXC plugins) |
Option 3: VaultKeepR (Decentralized, No Email)
VaultKeepR is built around IPFS for sync, so it works without a central server. On a Raspberry Pi 5, you run a lightweight IPFS node that caches and serves your encrypted vault to your other devices.
Why VaultKeepR is Different
- No email, no account — your device identity is a WebAuthn passkey or a smart contract account
- No central server to breach — your vault is encrypted client-side with XChaCha20-Poly1305 and distributed across IPFS
- Open source — every line of code is auditable on GitHub
- Works offline — the cache lives on your Pi and your devices, so you can sign in even if the IPFS network is unreachable
Install VaultKeepR Node on Pi 5
# Install IPFS
wget https://dist.ipfs.tech/kubo/v0.30.0/kubo_v0.30.0_linux-arm64.tar.gz
tar -xvzf kubo_v0.30.0_linux-arm64.tar.gz
cd kubo && sudo bash install.sh
ipfs init --profile server
ipfs config --json API.HTTPHeaders.Access-Control-Allow-Origin '["*"]'
sudo systemctl enable --now ipfs
Then install the VaultKeepR desktop client from /download, point it to your Pi's IPFS API at http://, and your vault syncs peer-to-peer.
Pros and Cons
| Pros | Cons |
|---|---|
| Truly decentralized — no single point of failure | Newer project, smaller community than Vaultwarden |
| Works offline via local cache | IPFS storage is paid in FIL or pinned for free (small vaults are free) |
| No email, no master password, no central account | Mobile app is in active development |
| Modern crypto (XChaCha20-Poly1305 + Argon2id) | Requires IPFS knowledge for advanced setup |
Comparison: Raspberry Pi Password Managers in 2026
| Feature | Vaultwarden | KeePassXC + Syncthing | VaultKeepR |
|---|---|---|---|
| Architecture | Client-server (Docker) | P2P file sync | P2P (IPFS) |
| RAM usage | ~50 MB | ~150 MB (Syncthing + KeePassXC) | ~120 MB (IPFS node) |
| Email required | Yes | No | No |
| Master password | Yes | Yes (database password) | No (biometric passkey or smart account) |
| Mobile auto-fill | Bitwarden app | Strongbox / KeePassDX | VaultKeepR iOS / Android |
| Offline support | Limited | Yes (file-based) | Yes (local cache) |
| Open source | Yes | Yes | Yes |
| Setup time | 30 min | 20 min | 45 min |
| Best for | Families, power users | Privacy maximalists | Crypto-native users, decentralization advocates |
Security Hardening for Your Pi
Regardless of which option you choose, follow these steps:
- Change the default
piuser password (or disable password login entirely). - Enable SSH key-only authentication:
sudo sed -i 's/^#PasswordAuthentication yes/PasswordAuthentication no/' /etc/ssh/sshd_config
sudo systemctl restart ssh
- Enable the UFW firewall:
sudo apt install ufw -y
sudo ufw allow 22/tcp
sudo ufw enable
- Encrypt the SD card with LUKS (advanced — see Raspberry Pi docs).
- Set up automatic security updates:
sudo apt install unattended-upgrades -y
sudo dpkg-reconfigure -plow unattended-upgrades
- Configure automated backups to a second device or encrypted cloud storage (Backblaze B2 is cheap).
Backup Strategy
For all three options, follow the 3-2-1 rule:
- 3 copies of your encrypted vault
- 2 different storage media (e.g., microSD + USB SSD)
- 1 off-site (encrypted cloud, second physical location)
For Vaultwarden, back up the vw-data volume nightly:
tar -czf vw-backup-$(date +%F).tar.gz ~/vaultwarden/vw-data
For KeePassXC, back up the .kdbx file (Syncthing will replicate it to all your devices automatically).
For VaultKeepR, your vault is already on IPFS (replicated across hundreds of nodes), but keep an offline NFC backup for disaster recovery (see our NFC encrypted backup guide).
Which Should You Choose?
- You want the most mature, well-known option → Vaultwarden
- You want zero server, file-based simplicity → KeePassXC + Syncthing
- You want modern crypto, no email, and true decentralization → VaultKeepR
All three are excellent. The best one is the one you'll actually keep updated and backed up.
Next Steps
- Download VaultKeepR for Raspberry Pi
- Compare VaultKeepR vs Bitwarden
- Read our decentralized storage deep dive
- Self-hosting with Tailscale — guide
Found this useful? Subscribe to our newsletter for monthly self-hosting tutorials and security tips.
Ready to take control of your passwords?
VaultKeepR is the first decentralized password manager. Zero-knowledge. Wallet-native. Yours.
Try VaultKeepR →