RXed AI News

Your AI intelligence briefing
An afternoon Workflow v1.0 · 2026-07-12

The shared password vault: team credentials on your own box, not someone else's cloud

Stop paying per user — one container, every Bitwarden client, zero monthly fee

⏱ Setup: An afternoon (~2-4 h) 💶 Running: EUR 4-6/mo · software EUR 0 ⚡ Time saved: High — EUR 20-40/month per team eliminated; onboarding/offboarding goes from hours to minutes; no more password reset panic 🔧 Built with: Vaultwarden + Bitwarden clients + Caddy
Passwords & credentialsSecurityPrivacySelf-hosted
For: Any small team · Small agencies · Freelancers · Consultants · Retail shops
Version history
v1.0 · 2026-07-12 — First release, built on Vaultwarden (Rust, AGPL-3.0) + official Bitwarden clients + Caddy reverse proxy.

A shared password vault for your team that costs nothing per user, runs on your own hardware, and works with every official Bitwarden app — because the cheapest breach is the one that never happens.

The problem

Every small business shares passwords: the social media account, the supplier portal, the accountant's tool, the shipping platform. Most share them through a chat thread or a sticky note. When someone leaves, the passwords don't. And the commercial tools that fix this — 1Password Business, LastPass Teams, Dashlane — charge EUR 4-8 per person every month, so the subscription gets skipped, and the sticky notes win. The 2022 LastPass breach, where customer vault data was exfiltrated from their cloud, is the case study everyone forgets: when your passwords live on someone else's server, you are trusting their security team, not your own.

The architecture

Your team's phones and laptopsbrowser extension or app — the same Bitwarden everyonealready knowspasswords are encrypted on the device before theyleave itVaultwarden — your vault, on your own boxone Docker container, under 50 MB RAM, stores encryptedblobs it cannot readShared logins organised bycollection: social, accounting,suppliers2FA codes for every login, storedalongside the passwordEncrypted file sharing — send apassword or document with an expirydateSomeone leaves? Revoke their account in the admin panel — instant, nopassword rotation needed for the vault itself.
[ Employee phone / laptop / browser ]
        ▼  Bitwarden app or browser extension (official, free)
        │  vault is encrypted on the device, not on the server
        ▼
[ Vaultwarden (self-hosted, one Docker container) ]
        ├─ stores the encrypted blobs — cannot read them
        ├─ manages user accounts, org membership, sharing
        ├─ sends invitations + 2FA via your SMTP
        └─ under 50 MB RAM, runs on the cheapest VPS

Admin panel → you invite users, revoke on exit. The vault never leaves your box unencrypted.

One Docker container, one domain, one backup. Vaultwarden speaks the Bitwarden protocol, so every official Bitwarden client — browser extension, iOS app, Android app, desktop app — connects to your server as if it were Bitwarden's cloud. Your team never installs anything unusual. The server stores encrypted blobs it cannot decrypt; the master password exists only on each employee's device. When someone leaves, you revoke their account from the admin panel, and they lose access immediately.

Tool choices — and why

Vaultwarden (AGPL-3.0, 63.6k stars, active — last push 08/07/2026) is the centerpiece. It is an unofficial Bitwarden-compatible server written in Rust by a single maintainer with 173 contributors. It does not use the official Bitwarden server codebase — it reimplements the API, which is why it runs in tens of megabytes of RAM instead of the multi-gigabyte official stack. AGPL-3.0 permits business use including modification, with the standard copyleft obligation if you distribute modified versions (you won't — you're running it internally). It supports every feature a small team needs: organisations, shared collections, send (encrypted file/text sharing), emergency access, and multiple 2FA methods including TOTP, Duo, and WebAuthn/YubiKey.

Official Bitwarden clients (free, all platforms) are what your team actually installs. Browser extensions for Chrome, Firefox, Edge, Safari; mobile apps for iOS and Android with native autofill integration; desktop apps for Windows, macOS, Linux. Your employees use the same app they may already use personally — they just point it at your server URL instead of bitwarden.com. Zero training friction.

Why not the official self-hosted Bitwarden? It exists and is also open-source (GPL), but it requires Docker Compose with multiple containers, a dedicated database, and roughly 2-4 GB RAM minimum. For a 5-person team, that is overkill. Vaultwarden gives you the same client experience from a single container that sips resources. If you later need enterprise features like directory sync or SSO, migrating to official Bitwarden is straightforward — same clients, same vault format.

Why not Passbolt? Passbolt (AGPL-3.0, 5k stars) is excellent for teams that need GPG-based sharing and compliance audits. But it uses its own client, not Bitwarden's, so your team learns a new app. For a small business that wants the "works with everything" path, Vaultwarden is simpler.

Monthly cost. Software: EUR 0. Hosting: one VPS at ~EUR 4-6/month runs Vaultwarden comfortably alongside other small services (it uses under 50 MB RAM). A TLS certificate from Let's Encrypt is free. Email for invitations and 2FA codes: your existing SMTP or a transactional sender's free tier. Compare: 1Password Business at EUR 7.99/user/month for a 5-person team is EUR 40/month; LastPass Teams is EUR 4/user/month = EUR 20/month. Vaultwarden pays for the VPS in the first month and keeps saving every month after.

Setup outline

1. Deploy Vaultwarden via the official Docker image on your VPS. One container, one volume for data, one for the SQLite database (PostgreSQL and MySQL are supported if you already run one).
2. Put it behind a reverse proxy with HTTPS — Caddy (automatic Let's Encrypt) or nginx with certbot. Vaultwarden refuses non-HTTPS connections for client security, and Bitwarden clients will not connect to an unencrypted server.
3. Set the domain, signups disabled (so strangers cannot create accounts on your server), and SMTP for invitations and 2FA codes.
4. Create your admin account first, then disable the admin panel access or protect it with a strong password and IP allowlist.
5. Create an Organisation — this is the shared vault. Inside it, create Collections: "Social media", "Supplier portals", "Accounting", "Shipping". Collections are how you scope who sees what.
6. Invite team members by email. They install the Bitwarden extension or app, create their own master password (you cannot see it), and accept the org invitation.
7. Assign users to Collections by role. The bookkeeper gets Accounting; the social media manager gets Social Media. You see everything.
8. Set a backup: nightly SQLite backup to an off-site location (a cron job that copies the .db file, or rsync to a second location). The data is encrypted, so even a stolen backup is useless without the master passwords.
9. Turn on 2FA for every account — TOTP via an authenticator app is free and sufficient. WebAuthn/YubiKey if you want hardware keys.
10. When someone leaves: revoke their account from the admin panel, then rotate the passwords in collections they had access to. The revocation is instant; the rotation is your insurance.

Pitfalls — the real ones

The master password is a single point of failure. If an employee forgets theirs, their vault is gone — there is no reset, by design. Enforce a strong master password at onboarding and write it down once, stored in a sealed envelope in a locked drawer. This is the one piece of security theatre that actually works.
No backup means no business. The server stores encrypted blobs; if the VPS dies and you have no backup, every team member's vault is lost. Nightly off-site backup is not optional. Test a restore once.
HTTPS is not a suggestion. The Bitwarden clients will refuse to connect over HTTP. Budget the 15 minutes to set up Caddy with automatic TLS or nginx with certbot. Self-signed certificates work but will scare non-technical users with browser warnings.
Signups must be disabled. By default, anyone who finds your server URL can create a personal account. Set SIGNUPS_ALLOWED=false in the environment. You invite users explicitly; nobody self-registers.
Don't skip 2FA. A stolen master password without 2FA is full access. With 2FA, it is useless. TOTP via a free authenticator app costs nothing and stops the most common attack.
Vendor risk still exists — but it is yours. Vaultwarden is maintained by a small team. If a critical vulnerability is found, you apply the update. Set a calendar reminder to check for updates monthly, or watch the GitHub releases feed. The trade-off vs. a commercial provider is control for responsibility — you are the security team now.

Verified repos

Vaultwarden — AGPL-3.0, 63.6k stars, active (July 2026)
Bitwarden clients — GPL-3.0, official browser/mobile/desktop apps (connect to any compatible server)
Caddy — Apache-2.0, automatic HTTPS reverse proxy

Get the next blueprint as it publishes — free, practical, verified tooling only.

Subscribe · Want this audited or extended for your business? DM @RXed_EU

Get this blueprint tailored to your business — free

Tell us what you run and where. We research your sector's specifics — rules, tools, customer habits — and send you a version of this blueprint rebuilt for your situation, usually within 24 hours.