Linux Offline Deployment | Bitwarden Help Center (2024)


This article will walk you through the procedure to install and deploy Bitwarden to your own server in an offline or air-gapped environment. Please review Bitwarden software release support documentation.

warning

Manual installations should be conducted by advanced users only. Only proceed if you are very familiar with Docker technologies and desire more control over your Bitwarden installation.

Manual installations lack the ability to automatically update certain dependencies of the Bitwarden installation. As you upgrade from one version of Bitwarden to the next you will be responsible for changes to required environment variables, changes to nginx default.conf, changes to docker-compose.yml, and so on.

We will try to highlight these in the release notes on GitHub. You can also monitor changes to the dependency templates used by the Bitwarden installation script on GitHub.

Requirements

                  Minimum                    Recommended
Processor         x64, 1.4GHz                x64, 2GHz dual core
Memory            2GB RAM                    4GB RAM
Storage           12GB                       25GB
Docker Version    Engine 26+ and Composeª    Engine 26+ and Composeª

ª - Docker Compose is automatically installed as a plugin when you download Docker Engine. Download Docker Engine for Linux.

Additionally, ensure the following requirements are met:

  • Using a machine with internet access, you have downloaded the latest docker-stub.zip file from the Bitwarden Server repository's releases page and transferred this file to your server.

  • An offline SMTP Server is set up and active in your environment.

note

Bitwarden is currently supported only in a Docker and Docker Compose environment. Bitwarden's installation scripts and manual installation artifacts do not accurately convert to Kubernetes manifests without extensive knowledge of the Bitwarden stack and Kubernetes. Automatic conversions of the installation artifacts are not recommended at this time and could result in a broken deployment environment.

Installation procedure

Configure your domain

By default, Bitwarden will be served through ports 80 (http) and 443 (https) on the host machine. Open these ports so that Bitwarden can be accessed from within and/or outside of the network. You may opt to choose different ports during installation.

We recommend configuring a domain name with DNS records that point to your host machine (for example, bitwarden.example.com), especially if you are serving Bitwarden over the internet.

Create Bitwarden local user & directory

We recommend configuring your server with a dedicated bitwarden service account from which to install and run Bitwarden. Doing so will isolate your Bitwarden instance from other applications running on your server.

These steps are Bitwarden-recommended best practices, but are not required. For more information, see Docker's post-installation steps for Linux documentation.

  1. Create a bitwarden user:

    Bash

    sudo adduser bitwarden

  2. Set a password for the bitwarden user:

    Bash

    sudo passwd bitwarden

  3. Create a docker group (if it doesn't already exist):

    Bash

    sudo groupadd docker

  4. Add the bitwarden user to the docker group:

  5. Create a bitwarden directory:

    Bash

    sudo mkdir /opt/bitwarden

  6. Set permissions for the /opt/bitwarden directory:

    Bash

    sudo chmod -R 700 /opt/bitwarden

  7. Set the bitwarden user ownership of the /opt/bitwarden directory:

    Bash

    sudo chown -R bitwarden:bitwarden /opt/bitwarden

Configure your machine

warning

If you have created a Bitwarden user & directory, complete the following as the bitwarden user from the /opt/bitwarden directory. Do not install Bitwarden as root, as you will encounter issues during installation.

To configure your machine with the assets required for your Bitwarden server:

  1. Create a new directory named bwdata and extract docker-stub.zip to it, for example:

    Bash

    unzip docker-stub.zip -d bwdata

    Once unzipped, the bwdata directory will match what the docker-compose.yml file's volume mapping expects. You may, if you wish, change the location of these mappings on the host machine.

  2. In ./bwdata/env/global.override.env, edit the following environment variables:

    • globalSettings__baseServiceUri__vault=: Enter the domain of your Bitwarden instance.

    • globalSettings__sqlServer__ConnectionString=: Replace the RANDOM_DATABASE_PASSWORD with a secure password for use in a later step.

    • globalSettings__identityServer__certificatePassword=: Set a secure certificate password for use in a later step.

    • globalSettings__internalIdentityKey=: Replace RANDOM_IDENTITY_KEY with a random alphanumeric string.

    • globalSettings__oidcIdentityClientKey=: Replace RANDOM_IDENTITY_KEY with a random alphanumeric string.

    • globalSettings__duo__aKey=: Replace RANDOM_DUO_AKEY with a random alphanumeric string.

    • globalSettings__installation__id=: Enter an installation id retrieved from https://bitwarden.com/host.

    • globalSettings__installation__key=: Enter an installation key retrieved from https://bitwarden.com/host.

    • globalSettings__pushRelayBaseUri=: This variable should be blank. See Configure Push Relay for more information.

      tip

      At this time, consider also setting values for all globalSettings__mail__smtp__ variables and for adminSettings__admins. Doing so will configure the SMTP mail server used to send invitations to new organization members and provision access to the System Administrator Portal.

      Learn more about environment variables.

  3. From ./bwdata, generate a .pfx certificate file for the identity container and move it to the mapped volume directory (by default, ./bwdata/identity/). For example, run the following commands:

    Bash

    openssl req -x509 -newkey rsa:4096 -sha256 -nodes -keyout identity.key -out identity.crt -subj "/CN=Bitwarden IdentityServer" -days 10950

    and

    Bash

    openssl pkcs12 -export -out ./identity/identity.pfx -inkey identity.key -in identity.crt -passout pass:IDENTITY_CERT_PASSWORD

    In the above command, replace IDENTITY_CERT_PASSWORD with the certificate password created and used in Step 2.

  4. Create a subdirectory in ./bwdata/ssl named for your domain, for example:

    Bash

    mkdir ./ssl/bitwarden.example.com

  5. Provide a trusted SSL certificate and private key in the newly created ./bwdata/ssl/bitwarden.example.com subdirectory.

    note

    This directory is mapped to the NGINX container at /etc/ssl. If you can't provide a trusted SSL certificate, front the installation with a proxy that provides an HTTPS endpoint to Bitwarden client applications.

  6. In ./bwdata/nginx/default.conf:

    1. Replace all instances of bitwarden.example.com with your domain, including in the Content-Security-Policy header.

    2. Set the ssl_certificate and ssl_certificate_key variables to the paths of the certificate and private key provided in Step 6.

    3. Take one of the following actions, depending on your certificate setup:

      • If using a trusted SSL certificate, set the ssl_trusted_certificate variable to the path to your certificate.

      • If using a self-signed certificate, comment out the ssl_trusted_certificate variable.

  7. In ./bwdata/env/mssql.override.env, replace RANDOM_DATABASE_PASSWORD with the password created in Step 2.

  8. In ./bwdata/web/app-id.json, replace bitwarden.example.com with your domain.

  9. In ./bwdata/env/uid.env, set the UID and GID of the bitwarden user and group you created earlier so the containers run under them, for example:

    Bash

    LOCAL_UID=1001
    LOCAL_GID=1001
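
A preflight check for the edits made in Steps 2 and 7, given here as an added example rather than Bitwarden's own tooling: it generates the random alphanumeric strings those steps ask for and reports any template placeholder still left under ./bwdata/env, without printing secret values. The function names and the choice of checks are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not part of the Bitwarden installer). Assumes the default
# ./bwdata/env layout from docker-stub.zip; function names are hypothetical.

# Random alphanumeric string of length $1 (default 64) from /dev/urandom.
gen_secret() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c "${1:-64}"
}

# Print one line per problem found in env directory $1 (default ./bwdata/env).
# Returns 0 when clean, 1 otherwise. Values are never echoed.
preflight_env() {
    envdir=${1:-./bwdata/env}
    global="$envdir/global.override.env"
    problems=$(
        # Placeholders such as RANDOM_DATABASE_PASSWORD left in any .env file.
        grep -Hn 'RANDOM_[A-Z_]*' "$envdir"/*.env |
            sed 's/^\([^:]*:[0-9]*\):.*/placeholder left at \1/'
        # Installation id and key must be present and non-empty.
        for key in globalSettings__installation__id \
                   globalSettings__installation__key; do
            grep -q "^$key=." "$global" || echo "empty or missing: $key"
        done
        # The push relay URI stays blank in an offline deployment.
        if grep -q '^globalSettings__pushRelayBaseUri=.' "$global"; then
            echo "globalSettings__pushRelayBaseUri should be blank"
        fi
    )
    [ -z "$problems" ] && return 0
    printf '%s\n' "$problems"
    return 1
}
```

Run `preflight_env` from /opt/bitwarden before starting the containers; a non-zero exit status means at least one file still needs editing.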

Download & transfer images

To get docker images for use on your offline machine:

  1. From an internet-connected machine, download all bitwarden/xxx:latest docker images, as listed in the docker-compose.yml file in docker-stub.zip.

  2. Save each image to a .img file, for example:

    Bash

    docker image save -o mssql.img bitwarden/mssql:version

  3. Transfer all .img files to your offline machine.

  4. On your offline machine, load each .img file to create your local docker images, for example:

    Bash

    docker image load -i mssql.img
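
Because the .img archives cross the air gap on removable media, it is worth checking them before loading. The following is an added example, not part of the Bitwarden documentation: it writes a SHA-256 manifest on the connected machine and, on the offline machine, loads images only if every archive matches and is listed. The manifest name images.sha256 and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the Bitwarden docs). images.sha256 and the function
# names are assumptions; requires sha256sum from coreutils.

# Connected machine: hash every .img archive in directory $1.
make_manifest() (
    cd "$1" || exit 2
    sha256sum -- *.img > images.sha256
)

# Offline machine: succeed only if every listed archive matches its hash and
# no .img file is present that the manifest does not list.
verify_manifest() (
    cd "$1" || exit 2
    [ -s images.sha256 ] || { echo "manifest missing or empty" >&2; exit 1; }
    sha256sum -c images.sha256 >&2 || exit 1
    for f in *.img; do
        awk -v f="$f" '$2 == f { ok = 1 } END { exit !ok }' images.sha256 ||
            { echo "not in manifest: $f" >&2; exit 1; }
    done
)

# Offline machine: load the images only after verification passes.
load_verified() {
    verify_manifest "$1" || return 1
    for f in "$1"/*.img; do
        docker image load -i "$f" || return 1
    done
}
```

A manifest that travels on the same media as the archives only detects corruption; carry it by a separate path or sign it if tampering in transit is a concern.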

Start your server

Start your Bitwarden server with the following command:

Bash

docker compose -f ./docker/docker-compose.yml up -d

Verify that all containers are running correctly:

Bash

docker ps


Congratulations! Bitwarden is now up and running at https://your.domain.com. Visit the web vault in your browser to confirm that it's working.

You may now register a new account and log in. You will need to have configured SMTP environment variables (see environment variables) in order to verify the email for your new account.

Next Steps:

  • If you are planning to self-host a Bitwarden organization, see self-host an organization to get started.

  • For additional information see self hosting FAQs.

Update your server

Updating a self-hosted server that has been installed and deployed manually is different from the standard update procedure. To update your manually-installed server:

  1. Download the latest docker-stub.zip archive from the releases pages on GitHub.

  2. Unzip the new docker-stub.zip archive and compare its contents with what's currently in your bwdata directory, copying anything new to the pre-existing files in bwdata.
    Do not overwrite your pre-existing bwdata directory with the contents of the newer docker-stub.zip archive, as this would overwrite any custom configuration work you've done.

  3. Download the latest container images and transfer them to your offline machine as documented above.

  4. Run the following command to restart your server with your updated configuration and the latest containers:

    Bash

    docker compose -f ./docker/docker-compose.yml down && docker compose -f ./docker/docker-compose.yml up -d


FAQs

Can I use Bitwarden without internet?

Most functions of Bitwarden are accessible in offline mode, however you won't be able to make edits to or add vault items, attachments, or sends or import new vault items.

Does Bitwarden work on Linux?

This article will walk you through the procedure to install and deploy Bitwarden to your own Linux server. Bitwarden can also be installed and deployed on Windows machines. Please review Bitwarden software release support documentation.

Can you run Bitwarden locally?

If you have a self-hosted version of Bitwarden, theoretically and technically you would have a “local version” since you are the one who manages this “own instance”, and there would be no reason to be “online”.

How to host a Bitwarden server?

Self-host an Organization
  1. Step 1: Install and deploy your server. ...
  2. Step 2: Configure organization environment variables. ...
  3. Step 3: Start your organization. ...
  4. Step 4: Setup billing and license sync. ...
  5. Step 5: Start organization administration.

What is the drawback of Bitwarden?

What are the cons to Bitwarden? Bitwarden does not offer more premium features such as biometric 2FA, live dark web monitoring, and VPN.

What's better than Bitwarden?

Top Bitwarden and 1Password Alternatives

These password managers include NordPass, Norton Password Manager and Dashlane. Norton Password Manager is rated as our top overall password manager as well as our best free password manager option.

What are the limitations of Bitwarden?

A few specialized features are “limited”. For example, Premium subscribers can choose 5 different 2FA methods for their Bitwarden account, but Free users can only choose 3 different methods. Or when using Bitwarden's secure “Send” function, Premium users can send files, but Free users can only send text.

Which is better, LastPass or Bitwarden?

Bitwarden is best for users looking for a platform with advanced security measures and insights and the most affordable pricing. LastPass is only best for those who prioritize aesthetics at the expense of strong, industry-standard security measures.

Is Bitwarden safe from hackers?

Your data is fully encrypted and/or hashed before ever leaving your local device, so no one from the Bitwarden team can ever see, read, or reverse engineer to get to your real data. Bitwarden servers only store encrypted and hashed data. For more information about how your data is encrypted, see Encryption.

How much does it cost to host Bitwarden?

Self-hosting Bitwarden is free, however some features must be unlocked in your self-hosted instance with a registered license file. A license file can be obtained from the Bitwarden-hosted web app by either an account with a premium individual subscription or by the owner of an organization.

How does Bitwarden make money?

Bitwarden's subscription plans for businesses cost up to $72/year per user, so a company with 150 employees would be paying an annual subscription fee of $10k. Thus, even if Bitwarden has only 100 such corporate clients, they gross $1 million annually from business plans alone.

Is KeePass or Bitwarden better?

Which password manager is better: Bitwarden or KeePass? Bitwarden is better for most users — it's easier to use and has more features like password auditing, secure password sharing, emergency access, and secure file storage.

Where are Bitwarden servers located?

On Bitwarden servers

Bitwarden processes and stores all vault data securely in the Microsoft Azure Cloud in the US or EU using services that are managed by the team at Microsoft. Since Bitwarden only uses service offerings provided by Azure, there is no server infrastructure to manage and maintain.

Does Bitwarden have an API?

The Bitwarden Public API provides organizations with a suite of tools for managing members, collections, groups, event logs, and policies.

Does Bitwarden have a desktop client?

The Bitwarden desktop app brings a full vault experience straight out of your browser and into your desktop. The desktop app supports up to five logged-in accounts at a time, making it easy to switch between personal and work accounts at any moment (learn more).

What are the risks of using Bitwarden?

According to Flashpoint, using Bitwarden with autofill enabled on a page that contains iframes could result in password theft. This is because autofill on page load automatically fills out your login and password both on the page you're on and within the iframe — and that exposes you to certain risks.

Does Bitwarden store data locally?

This article describes where Bitwarden stores your vault data and administrative data. Bitwarden always encrypts and/or hashes your data on your local device before anything is sent to cloud servers for storage. Bitwarden servers are only used for storing encrypted data. For more information, see Encryption.

Is Bitwarden good for personal use?

Verdict: The Best Free Password Manager

Bitwarden is the best choice for password management because it works across platforms, allows unlimited password storage, and offers passkey support, data breach monitoring, and advanced multi-factor authentication options.

Article information

Author: Trent Wehner
