Key Takeaways
- Same clients, different server — Vaultwarden is an unofficial, community-maintained reimplementation of the Bitwarden server API, written in Rust. The official Bitwarden client apps, browser extensions, and CLI work against it unchanged. If you use Bitwarden today, the experience on Vaultwarden is the same client experience.
- Vaultwarden unlocks paid tiers for free — Because Vaultwarden has no licensing tier, the features Bitwarden gates behind paid plans (organizations, two-factor authentication, Send, and emergency access) are available without payment. The trade-off is that it is unofficial, with no commercial support or SLA.
- Bitwarden is the audited, supported product — Bitwarden, Inc. ships the official server, runs a managed cloud option, and carries SOC 2 audits, compliance attestations, and commercial support. Its self-hosted server is a heavier .NET and SQL stack than Vaultwarden's single Rust binary.
- This is the password-manager layer, not agent secrets — Both tools store human credentials. Application or AI-agent secrets, distributed and rotated programmatically, are a different layer; see the credential vaults radar instead.
Same clients, two servers
Vaultwarden and Bitwarden present the same thing to a user: the official Bitwarden apps, browser extensions, and CLI. The difference sits on the server. Bitwarden ships the official server from Bitwarden, Inc. Vaultwarden is an unofficial, community-maintained reimplementation of the Bitwarden server API, written in Rust and originally released as bitwarden_rs by dani-garcia. Point the same client at either server and it behaves identically.
A note on scope before the comparison: this is the password-manager layer, where humans store logins, cards, and notes. It is distinct from machine and AI-agent secrets management, where applications fetch and rotate credentials programmatically. For that layer, see our credential vaults for AI agents radar.
Licensing and affiliation, in plain terms
Vaultwarden is licensed AGPL-3.0, a genuine OSI-approved open-source licence, and it is not affiliated with Bitwarden, Inc. Bitwarden's own server core is also AGPL-3.0, but it is open-core: some enterprise files sit under a proprietary Bitwarden License in a bitwarden_license directory. A 2024 concern about the Bitwarden SDK's licensing was resolved, with the clients building against GPL and OSI-approved licences only.
The practical consequence of Vaultwarden having no licensing tier is that it unlocks features Bitwarden gates behind paid plans. Organizations, two-factor authentication, Send, and emergency access are all available without payment. That is the headline reason homelabbers reach for it. The cost is that the server is unofficial, with no commercial support, no SLA, and no formal audit, and that you carry all security, hosting, and backup responsibility yourself.
Feature comparison
Vaultwarden vs Bitwarden
| Feature | Vaultwarden | Bitwarden |
|---|---|---|
| Licence & Project | ||
| Licence | AGPL-3.0 (OSI-approved open source) | Server core AGPL-3.0; some enterprise files under a proprietary Bitwarden License (open-core) |
| Affiliation | Unofficial, community-maintained, not affiliated with Bitwarden, Inc. | Official product from Bitwarden, Inc. |
| Free for all features | Yes; no licensing tier, so paid Bitwarden features are unlocked | Free tier plus paid plans; some features gated behind subscriptions |
| Origin | Originally bitwarden_rs, by dani-garcia; Rust reimplementation of the API | Reference implementation, .NET and SQL stack |
| Capabilities | ||
| Client apps, extensions & CLI | Official Bitwarden clients work unchanged | First-party clients |
| Organizations, 2FA, Send, emergency access | Available without payment (no licensing tier) | Available; some gated behind paid plans |
| Managed cloud option | Self-host only; you operate it | Bitwarden cloud SaaS, plus official self-host |
| Machine and developer secrets product | Password-manager layer only | Separate Bitwarden Secrets Manager product |
| Operations & Support | ||
| Resource footprint | Very lightweight; runs comfortably on a Raspberry Pi via Docker | Heavier official self-hosted server (.NET and SQL) |
| Audits & compliance attestations | Community project; no formal audit or attestations | Audited, SOC 2, compliance attestations |
| Commercial support & SLA | Community only; no commercial support or SLA | First-party from Bitwarden, Inc. |
| Security, hosting & backup responsibility | Yours entirely; you own security, hosting, and backups | Bitwarden handles the cloud option; self-host shifts it to you |
Footprint and operations
The clearest operational difference is weight. Vaultwarden is a single Rust binary that runs comfortably on a Raspberry Pi via Docker, which is why it dominates homelab setups. The official Bitwarden self-hosted server is a heavier .NET and SQL stack and expects a more substantial host. If the goal is the smallest possible password-manager server on modest hardware, Vaultwarden is the obvious pick.
Bitwarden's weight buys things Vaultwarden does not offer. Bitwarden, Inc. runs an official managed cloud, so a team that does not want to operate anything can use the SaaS. It also ships the audited official server, SOC 2 reports, compliance attestations, and first-party commercial support. Vaultwarden has none of that: it is self-host only, and support comes from the community.
Where Bitwarden goes beyond passwords
Bitwarden also sells a separate developer and machine secrets product, Bitwarden Secrets Manager, aimed at applications and CI rather than human password storage. Vaultwarden does not cover that role at all; it is strictly the password-manager layer. If your need is programmatic secrets for services or agents, that is a different decision, and Vaultwarden is not a candidate for it. Bitwarden Secrets Manager is one option; our radar covers the broader field.
Which to choose
Choose Vaultwarden if you are a homelabber, self-hoster, or privacy-focused individual or small team who wants the Bitwarden client experience with a tiny footprint and no per-seat licensing, and you are comfortable owning security, hosting, and backups and sourcing support from the community. It runs on a Raspberry Pi, it unlocks the paid feature set, and it is genuinely open source under AGPL-3.0.
Choose Bitwarden, either the cloud SaaS or the official self-hosted server, if you are a team or enterprise that needs commercial support, compliance attestations, a managed cloud option, or Bitwarden Secrets Manager. The official product is audited, supported, and backed by a company, which is exactly what procurement and security reviews tend to require.
Either way, remember the two share the same client ecosystem, so this is not a choice about the daily user experience. It is a choice about support, compliance, and who owns operations. And if what you actually need is secrets for applications or AI agents rather than human passwords, that is a different layer; see the credential vaults for AI agents radar. For the broader self-hosted secrets field, see HashiCorp Vault alternatives.
Is Vaultwarden safe and legal to use?
Yes. Vaultwarden is licensed AGPL-3.0, which is a genuine OSI-approved open-source licence, and it uses the official Bitwarden client apps unchanged, so your encrypted vault data is handled by audited client code. The caveat is that the server is an unofficial, community-maintained reimplementation rather than Bitwarden, Inc.'s own server, so it carries no formal audit, no commercial support, and no SLA. You own all security, hosting, and backup responsibility. For a homelab or small team that accepts that, it is a sound choice.
Does Vaultwarden unlock Bitwarden premium features for free?
Yes. Vaultwarden has no licensing tier, so features Bitwarden gates behind paid plans, such as organizations, two-factor authentication, Send, and emergency access, are all available without payment. That is one of the main reasons people self-host it. The trade-off is that you are running an unofficial server with no vendor behind it, so the savings come at the cost of support and formal assurances.
How does the official Bitwarden self-host compare to Vaultwarden on resource use?
The official Bitwarden self-hosted server is a heavier .NET and SQL stack and expects a more substantial host. Vaultwarden is a single Rust binary that runs comfortably on a Raspberry Pi via Docker. If your goal is the smallest possible footprint on modest hardware, Vaultwarden wins clearly. If you want the exact official server that Bitwarden, Inc. ships and supports, you accept the larger stack.
Is this the same as secrets management for apps and AI agents?
No. Both Vaultwarden and Bitwarden are password managers for human credentials. Distributing and rotating secrets for applications or AI agents programmatically is a different layer with different tools. Bitwarden does sell a separate product for that, Bitwarden Secrets Manager, but Vaultwarden does not cover it. For the agent and application secrets layer, see our credential vaults radar shortlist.
Which should a small team pick versus an enterprise?
A small team, homelab, or privacy-focused individual that wants the Bitwarden client experience with a tiny footprint and no per-seat licensing should pick Vaultwarden. A team or enterprise that needs commercial support, compliance attestations, a managed cloud option, or Bitwarden Secrets Manager should pick Bitwarden, either the cloud SaaS or the official self-hosted server. They share the same client ecosystem, so the decision is about support, compliance, and operational ownership rather than the day-to-day user experience.