Aller au contenu
← Back to blog

Self-Hosted Password Manager on Raspberry Pi — Complete 2026 Guide

self-hostedraspberry-pipassword-managervaultwardenkypassxchomelabprivacy

Self-Hosted Password Manager on Raspberry Pi — Complete 2026 Guide

Running a self-hosted password manager on a Raspberry Pi is one of the smartest moves for privacy-conscious users in 2026. You get full control over your vault, no recurring fees, and the satisfaction of running your own infrastructure on hardware that costs less than a year of LastPass Premium.

This guide compares the three best options for Raspberry Pi — Vaultwarden, KeePassXC, and VaultKeepR — and walks you through a complete setup.

Why Self-Host on a Raspberry Pi?

BenefitWhat It Means
Full data ownershipYour encrypted vault never leaves hardware you control
Zero subscriptionNo monthly or annual fees — your electricity is the only cost
Privacy by designNo telemetry, no third-party analytics, no account required
Always-on syncYour phone, laptop, and family devices sync over your local network or VPN
EducationYou learn real Linux, networking, and security skills

The trade-offs are real: you're responsible for updates, backups, uptime, and physical security. For most home users, that's a feature, not a bug.

Hardware Requirements

Minimum (Vaultwarden, KeePassXC)

  • Raspberry Pi 4 Model B (4GB RAM) or newer
  • 32GB Class 10 microSD card (Samsung EVO Select recommended)
  • Official USB-C power supply (5.1V / 3A)
  • Ethernet cable (Wi-Fi works but is less reliable for sync)

Recommended for VaultKeepR (IPFS)

  • Raspberry Pi 5 (8GB) or Pi 4 (8GB)
  • 128GB+ microSD or USB 3.0 SSD (IPFS cache grows)
  • UPS HAT (e.g., Geekworm, SunFounder) — protects against power loss
  • Ethernet (mandatory for IPFS performance)

Option 1: Vaultwarden on Raspberry Pi

Vaultwarden is a community Rust port of the Bitwarden server. It uses ~50MB RAM and runs comfortably on a Pi 3.

Install via Docker (recommended)

# Update system

sudo apt update && sudo apt upgrade -y

Install Docker

curl -fsSL https://get.docker.com -o get-docker.sh sudo sh get-docker.sh sudo usermod -aG docker $USER

Create a folder for Vaultwarden

mkdir -p ~/vaultwarden && cd ~/vaultwarden

Create docker-compose.yml:

version: "3"

services: vaultwarden: image: vaultwarden/server:latest container_name: vaultwarden restart: unless-stopped volumes: - ./vw-data:/data ports: - 80:80 environment: - DOMAIN=https://vault.example.com - SIGNUPS_ALLOWED=false # Disable public registration - INVITATIONS_ALLOWED=true - SHOW_PASSWORD_HINT=false - LOG_LEVEL=warn

docker compose up -d

Expose Securely with Tailscale

Do NOT open port 443 to the public internet. Use Tailscale for private access:

curl -fsSL https://tailscale.com/install.sh | sh

sudo tailscale up

Install Tailscale on your phone and laptop, then access http:// from anywhere in your tailnet.

Pros and Cons

ProsCons
Battle-tested (used by millions)Still requires email + master password
Full Bitwarden client compatibilityCentralized server model (single point of failure)
Free, open sourceYou handle all backups, updates, security patches
Active communityHeavy Docker image (300MB+)

Option 2: KeePassXC + Syncthing

KeePassXC is a desktop-first password manager with no central server. You sync the .kdbx database file across devices using Syncthing (peer-to-peer file sync).

Setup

# Install KeePassXC desktop

sudo apt install keepassxc -y

Install Syncthing

sudo apt install syncthing -y sudo systemctl enable --now syncthing@$USER

Open http://localhost:8384 in a browser, set up folders, and share the .kdbx file across your devices.

Pros and Cons

ProsCons
No server at all — fully P2PNo native mobile auto-fill (use Strongbox or KeePassDX)
KeePass format is 20+ years stableNo real-time multi-device sync (file-level only)
Strong offline-first designManual conflict resolution if two devices edit at the same time
Tiny resource footprintNo built-in 2FA TOTP support (uses KeePassXC plugins)

Option 3: VaultKeepR (Decentralized, No Email)

VaultKeepR is built around IPFS for sync, so it works without a central server. On a Raspberry Pi 5, you run a lightweight IPFS node that caches and serves your encrypted vault to your other devices.

Why VaultKeepR is Different

  • No email, no account — your device identity is a WebAuthn passkey or a smart contract account
  • No central server to breach — your vault is encrypted client-side with XChaCha20-Poly1305 and distributed across IPFS
  • Open source — every line of code is auditable on GitHub
  • Works offline — the cache lives on your Pi and your devices, so you can sign in even if the IPFS network is unreachable

Install VaultKeepR Node on Pi 5

# Install IPFS

wget https://dist.ipfs.tech/kubo/v0.30.0/kubo_v0.30.0_linux-arm64.tar.gz tar -xvzf kubo_v0.30.0_linux-arm64.tar.gz cd kubo && sudo bash install.sh ipfs init --profile server ipfs config --json API.HTTPHeaders.Access-Control-Allow-Origin '["*"]' sudo systemctl enable --now ipfs

Then install the VaultKeepR desktop client from /download, point it to your Pi's IPFS API at http://:5001, and your vault syncs peer-to-peer.

Pros and Cons

ProsCons
Truly decentralized — no single point of failureNewer project, smaller community than Vaultwarden
Works offline via local cacheIPFS storage is paid in FIL or pinned for free (small vaults are free)
No email, no master password, no central accountMobile app is in active development
Modern crypto (XChaCha20-Poly1305 + Argon2id)Requires IPFS knowledge for advanced setup

Comparison: Raspberry Pi Password Managers in 2026

FeatureVaultwardenKeePassXC + SyncthingVaultKeepR
ArchitectureClient-server (Docker)P2P file syncP2P (IPFS)
RAM usage~50 MB~150 MB (Syncthing + KeePassXC)~120 MB (IPFS node)
Email requiredYesNoNo
Master passwordYesYes (database password)No (biometric passkey or smart account)
Mobile auto-fillBitwarden appStrongbox / KeePassDXVaultKeepR iOS / Android
Offline supportLimitedYes (file-based)Yes (local cache)
Open sourceYesYesYes
Setup time30 min20 min45 min
Best forFamilies, power usersPrivacy maximalistsCrypto-native users, decentralization advocates

Security Hardening for Your Pi

Regardless of which option you choose, follow these steps:

  1. Change the default pi user password (or disable password login entirely).
  2. Enable SSH key-only authentication:
   sudo sed -i 's/^#PasswordAuthentication yes/PasswordAuthentication no/' /etc/ssh/sshd_config

sudo systemctl restart ssh

  1. Enable the UFW firewall:
   sudo apt install ufw -y

sudo ufw allow 22/tcp sudo ufw enable

  1. Encrypt the SD card with LUKS (advanced — see Raspberry Pi docs).
  2. Set up automatic security updates:
   sudo apt install unattended-upgrades -y

sudo dpkg-reconfigure -plow unattended-upgrades

  1. Configure automated backups to a second device or encrypted cloud storage (Backblaze B2 is cheap).

Backup Strategy

For all three options, follow the 3-2-1 rule:

  • 3 copies of your encrypted vault
  • 2 different storage media (e.g., microSD + USB SSD)
  • 1 off-site (encrypted cloud, second physical location)

For Vaultwarden, back up the vw-data volume nightly:

tar -czf vw-backup-$(date +%F).tar.gz ~/vaultwarden/vw-data

For KeePassXC, back up the .kdbx file (Syncthing will replicate it to all your devices automatically).

For VaultKeepR, your vault is already on IPFS (replicated across hundreds of nodes), but keep an offline NFC backup for disaster recovery (see our NFC encrypted backup guide).

Which Should You Choose?

  • You want the most mature, well-known option → Vaultwarden
  • You want zero server, file-based simplicity → KeePassXC + Syncthing
  • You want modern crypto, no email, and true decentralization → VaultKeepR

All three are excellent. The best one is the one you'll actually keep updated and backed up.

Next Steps


Found this useful? Subscribe to our newsletter for monthly self-hosting tutorials and security tips.

Share𝕏in

Ready to take control of your passwords?

VaultKeepR is the first decentralized password manager. Zero-knowledge. Wallet-native. Yours.

Try VaultKeepR →