Introduction
Bitwarden is the most popular open-source password manager with cloud synchronization. It provides end-to-end encrypted password storage that syncs across all your devices — desktop, mobile, browser extensions, web vault, and CLI. Unlike proprietary alternatives, Bitwarden client code is fully open source and audited.
With over 13,000 GitHub stars (clients repo) and millions of users, Bitwarden offers a free tier for personal use, affordable team plans, and enterprise features. For self-hosters, Vaultwarden provides a lightweight, community-maintained server implementation.
What Bitwarden Does
Bitwarden stores passwords, credit cards, notes, and identities in an end-to-end encrypted vault. Your master password never leaves your device — encryption and decryption happen client-side. The server only stores encrypted blobs. This means even Bitwarden (or your self-hosted server) cannot read your passwords.
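The client-side flow described above, sketched with the primitives this page lists (PBKDF2, AES-256-CBC, HMAC-SHA256). This is an added example, not Bitwarden's own code or wire format. The iteration count, the HKDF split into two keys, the function names and the `iv|ciphertext|mac` record layout are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

// Assumed default for this sketch; not a value taken from the page.
const KDF_ITERATIONS = 600000;

// Derive independent encryption and MAC keys from the master password.
// Only these keys are used on data; the password itself is never stored or sent.
function deriveKeys(masterPassword, salt, iterations = KDF_ITERATIONS) {
  const master = crypto.pbkdf2Sync(masterPassword, salt, iterations, 32, 'sha256');
  // Stretch the 32-byte master key to 64 bytes so the two keys differ.
  const okm = Buffer.from(crypto.hkdfSync('sha256', master, Buffer.alloc(0), 'vault-keys', 64));
  return { encKey: okm.subarray(0, 32), macKey: okm.subarray(32) };
}

// Encrypt-then-MAC: the HMAC tag covers both the IV and the ciphertext.
function encryptItem(plaintext, keys) {
  const iv = crypto.randomBytes(16); // fresh random IV per item
  const cipher = crypto.createCipheriv('aes-256-cbc', keys.encKey, iv);
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  const mac = crypto.createHmac('sha256', keys.macKey).update(iv).update(ct).digest();
  // This string is the only thing a server would ever receive.
  return [iv, ct, mac].map((b) => b.toString('base64')).join('|');
}

// Verify the tag in constant time before any decryption is attempted,
// so a modified blob is rejected without exercising the CBC padding check.
function decryptItem(record, keys) {
  const parts = record.split('|');
  if (parts.length !== 3) throw new Error('malformed record');
  const [iv, ct, mac] = parts.map((p) => Buffer.from(p, 'base64'));
  const expected = crypto.createHmac('sha256', keys.macKey).update(iv).update(ct).digest();
  if (mac.length !== expected.length || !crypto.timingSafeEqual(mac, expected)) {
    throw new Error('MAC check failed');
  }
  const decipher = crypto.createDecipheriv('aes-256-cbc', keys.encKey, iv);
  return Buffer.concat([decipher.update(ct), decipher.final()]).toString('utf8');
}
```

A record produced by `encryptItem` decrypts only with keys derived from the same password and salt; a wrong password or a single flipped ciphertext bit fails at the MAC check.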
Architecture Overview
```
            [Bitwarden Clients]
       Web vault, Desktop (Electron),
           Mobile (iOS/Android),
          Browser extensions, CLI
                    |
         [Client-Side Encryption]
        PBKDF2/Argon2 key derivation
           AES-256-CBC encryption
          HMAC-SHA256 verification
                    |
          [Encrypted Vault Data]
       Only ciphertext leaves device
                    |
            +-------+-------+
            |               |
   [Bitwarden Cloud]   [Self-Hosted]
   Managed servers     Vaultwarden
   US/EU data centers  (Rust, lightweight)
   SOC2, GDPR          Docker, 10MB RAM
```
Self-Hosting & Configuration
```bash
# Self-host with Vaultwarden (recommended for self-hosting)
# The port is published on loopback only, so clients must go through the HTTPS reverse proxy
docker run -d --name vaultwarden \
  -e DOMAIN=https://bw.example.com \
  -e SIGNUPS_ALLOWED=false \
  -e ADMIN_TOKEN=your-secure-token \
  -v /opt/vaultwarden/data:/data \
  -p 127.0.0.1:8080:80 \
  vaultwarden/server:latest

# Put behind Nginx/Caddy with HTTPS
# Caddy example:
# bw.example.com {
#   reverse_proxy localhost:8080
# }
```
```bash
# CLI for automation
# Unlock vault
export BW_SESSION=$(bw unlock --raw)

# Create a login item: encode the JSON with `bw encode` and pipe it to `bw create item`
echo '{
  "type": 1,
  "name": "Server SSH",
  "login": {
    "username": "admin",
    "password": "generated-password"
  }
}' | bw encode | bw create item

# Export vault (encrypted)
bw export --format encrypted_json --output backup.json

# Use in scripts
DB_PASS=$(bw get password "Production Database")
```
Key Features
- End-to-End Encryption — zero-knowledge architecture, client-side crypto
- Cross-Platform — web, desktop, mobile, browser, and CLI clients
- Free Tier — unlimited passwords for personal use
- Organizations — shared vaults for teams with access controls
- Passkeys — FIDO2/WebAuthn passwordless authentication support
- Send — securely share text and files with expiring links
- Self-Hostable — Vaultwarden for lightweight self-hosting
- Audited — regular third-party security audits by Cure53
Comparison with Similar Tools
| Feature | Bitwarden | 1Password | KeePassXC | LastPass | Dashlane |
|---|---|---|---|---|---|
| Open Source | Yes (clients) | No | Yes (full) | No | No |
| Cloud Sync | Yes | Yes | Manual | Yes | Yes |
| Free Tier | Yes (generous) | No | Free (local) | Yes (limited) | Yes (limited) |
| Self-Host | Vaultwarden | No | N/A (local) | No | No |
| Passkeys | Yes | Yes | No | Yes | Yes |
| Family Plan | $3.33/mo | $4.99/mo | Free | $4/mo | $4.99/mo |
| Breach Alerts | Yes | Yes (Watchtower) | HaveIBeenPwned | Yes | Yes |
FAQ
Q: Bitwarden vs 1Password — which is better?
A: Bitwarden for open-source transparency, free tier, and self-hosting. 1Password for slightly more polished UX, Watchtower breach monitoring, and enterprise features. Both are excellent and secure.

Q: What is Vaultwarden?
A: Vaultwarden is a community-maintained, lightweight Bitwarden-compatible server written in Rust. It uses 10MB RAM vs 2GB+ for the official server, making it perfect for self-hosting on small VPS or Raspberry Pi.

Q: Is the free tier really unlimited?
A: Yes. Free personal accounts get unlimited passwords, unlimited devices, a password generator, and basic 2FA. Premium ($10/year) adds TOTP authenticator, encrypted file attachments, and vault health reports.

Q: How do I migrate from another password manager?
A: Export from your current manager (CSV or JSON), then import into Bitwarden via Settings > Import Data. Bitwarden supports imports from 50+ password managers.
Sources
- GitHub: https://github.com/bitwarden/clients
- Server: https://github.com/bitwarden/server
- Vaultwarden: https://github.com/dani-garcia/vaultwarden
- Website: https://bitwarden.com
- License: GPL-3.0 (clients), AGPL-3.0 (server)