The privacy-tools community generally advocates self-hosting where possible. The advice is solid for most categories. For password managers specifically, the calculation is more nuanced. Self-hosting a password vault adds operational risk that does not apply to file storage or DNS or other commonly self-hosted services.
This piece walks through the actual trade-offs and helps you decide whether self-hosted is right for you specifically.
Why self-hosting a password manager is appealing
You control the infrastructure. The vault file lives on hardware you own. Bitwarden Inc. or 1Password Inc. cannot access your data even if compelled by law enforcement, because they do not have the data.
You eliminate vendor lock-in. If your hosted provider goes through hostile changes (acquisition, price increases, feature degradation), you are not affected.
You learn about how the system works. Self-hosting builds operational maturity that translates to other self-hosted services.
The cost is essentially zero after initial hardware setup. No recurring subscription.
Why self-hosting a password manager is risky
The vault file contains every password you have. If you lose access to it, you have lost everything.
The recovery scenarios are limited. Hosted providers have account recovery flows (through email verification, backup codes, family organizers). Self-hosted setups have whatever you build yourself.
The operational discipline required is higher than for other services. A failed Pi-hole means temporary network DNS issues; a failed self-hosted password manager could mean permanent loss of access to all your accounts.
The threat model is different from cloud-hosted. With Bitwarden Inc., the threat is “Bitwarden is compromised” or “Bitwarden complies with a hostile request.” With self-hosted, the threat is “I lose my server” or “I lose my backups” or “I make a configuration mistake.”
For some users, the second threat profile is worse than the first.
When self-hosting is the right call
You have demonstrated operational competence with simpler self-hosted services. Self-hosting Vaultwarden as your first self-hosting project is risky; doing it after a year of running other services is reasonable.
You have a robust backup strategy that you have actually tested. You can restore your vault from backup on a fresh server. You have practiced this recently.
You have multiple independent backups. The vault file lives on the server, plus daily off-site backup, plus a periodic offline backup on hardware you physically control.
You have a recovery plan documented. If your primary server fails at 2am while you are traveling, what is your access path? If the server fails permanently, how do you restore?
You will accept the operational responsibility. Updates, monitoring, backup verification, occasional troubleshooting are your job.
When hosted is the right call
You are new to self-hosting, and a password manager is not the right first project.
You manage passwords for non-technical family members who depend on the password manager working reliably without your support.
You travel frequently and need consistent access without worrying about whether your home server is online.
You do not have the time or interest to maintain server infrastructure properly.
You specifically value the built-in account recovery flows that hosted providers offer.
For these scenarios, Bitwarden Premium at $10/year or 1Password Individual at $36/year is the right call.
A hybrid approach
Some users run both: a hosted provider as primary (smooth daily UX, professional recovery flows) with periodic export-and-import to a self-hosted backup vault. The self-hosted vault is your insurance against the hosted provider failing or being compromised.
This adds operational overhead in exchange for added durability. For high-value setups, the trade-off can be worth it.
The self-hosting setup specifics
If you decide to self-host, the practical setup:
Vaultwarden as the server software (lighter than official Bitwarden, suitable for individual and small-team use).
Caddy or Traefik as reverse proxy with automatic HTTPS.
Tailscale for private access (no public exposure of the vault).
A small VPS or home server as the hardware. A Hetzner CX11 at €3.79/month is the cheapest option; a Raspberry Pi at home with a Tailscale exit node is the no-monthly-fee option; an existing NAS is the natural option for users who already have NAS hardware.
Automated daily backup to off-site storage (Backblaze B2 is cheap and reliable).
External monitoring of the server uptime (UptimeRobot free tier).
Periodic restore test (every 6 months, restore from backup to a fresh server, verify the vault opens correctly).
Hardware backup of the vault on a USB drive or printed paper, kept in a secure physical location.
This stack costs $5-50/month depending on hosting choice. The operational time investment is roughly 30 minutes per quarter once stable, plus the periodic restore test.
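The daily backup and the periodic restore test from the list above can be scripted. The sketch below is an added example, not code from Vaultwarden or from the original article. It assumes Vaultwarden's default SQLite backend and tables named `users` and `ciphers`; the function names are hypothetical.

```python
import hashlib
import sqlite3
import tempfile
from contextlib import closing
from pathlib import Path

# Assumption: Vaultwarden's default SQLite database (data/db.sqlite3) with these tables.
REQUIRED_TABLES = ("users", "ciphers")

def open_ro(path: Path) -> sqlite3.Connection:
    return sqlite3.connect(path.resolve().as_uri() + "?mode=ro", uri=True)  # read-only

def sha256_file(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def snapshot(live_db: Path, dest: Path) -> str:
    """Copy a live SQLite database via the online backup API; return the copy's SHA-256."""
    with closing(open_ro(live_db)) as src, closing(sqlite3.connect(dest)) as dst:
        src.backup(dst)  # consistent copy even while the server is writing
    return sha256_file(dest)

def verify(backup: Path, expected_sha256: str, min_rows: dict) -> list:
    """Return the problems found in a restored backup; an empty list means it passed."""
    if sha256_file(backup) != expected_sha256:
        return ["checksum mismatch"]
    problems = []
    try:
        with closing(open_ro(backup)) as db:
            if db.execute("PRAGMA integrity_check").fetchone()[0] != "ok":
                problems.append("integrity_check failed")
            for table in REQUIRED_TABLES:
                rows = db.execute(f'SELECT COUNT(*) FROM "{table}"').fetchone()[0]
                floor = min_rows.get(table, 1)
                if rows < floor:  # an empty vault is a failed restore, not a success
                    problems.append(f"{table}: {rows} rows, expected at least {floor}")
    except sqlite3.Error as exc:
        problems.append(f"cannot read backup: {exc}")
    return problems

def build_sample_vault(path: Path) -> None:
    """Constructed stand-in for db.sqlite3 so the example runs offline."""
    with closing(sqlite3.connect(path)) as db:
        db.executescript("CREATE TABLE users(uuid TEXT); CREATE TABLE ciphers(uuid TEXT);"
                         "INSERT INTO users VALUES('u1'); INSERT INTO ciphers VALUES('c1'),('c2');")

if __name__ == "__main__":
    tmp = Path(tempfile.mkdtemp())
    build_sample_vault(tmp / "db.sqlite3")
    digest = snapshot(tmp / "db.sqlite3", tmp / "backup.sqlite3")
    print(verify(tmp / "backup.sqlite3", digest, {"users": 1, "ciphers": 2}) or "restore test passed")
```

Run `verify` against the copy pulled back from off-site storage rather than the local file, and keep the digest somewhere other than next to the backup. This covers the database only; attachments and key files in the data directory need to be copied alongside it.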
A specific recommendation
For users who want to learn self-hosting and for whom a password manager is a logical next step in their progression: self-host with Vaultwarden, with the full operational discipline outlined above.
For users who are not specifically motivated by self-hosting and just want their passwords to work reliably: Bitwarden Premium ($10/year) or 1Password Individual ($36/year). Pay the small fee, let someone else handle infrastructure.
For users with high-value setups who want belt-and-suspenders: hosted provider as primary, periodic exports to self-hosted backup. Adds operational work in exchange for added durability.
For most users: do not self-host your password manager. The marginal benefit over Bitwarden Premium is small relative to the operational risk. Self-hosting is a great learning project, but password managers are the wrong first project.