Vaultwarden on Ubuntu 24.04 on Azure User Guide
Overview
Vaultwarden is a lightweight, Rust-based password manager server that is compatible with the Bitwarden clients. It implements the Bitwarden API, so the official Bitwarden desktop, mobile, CLI and browser-extension applications connect to it directly, and it bundles the official web-vault for full in-browser access. The cloudimg image delivers Vaultwarden 1.36.0 compiled from upstream source and fully configured, so a private password manager is running within minutes of launch. Backed by 24/7 cloudimg support.
What is included:
- Vaultwarden 1.36.0 server (compiled from source, binary at
/usr/local/bin/vaultwarden) bound to loopback127.0.0.1:8000 - Official web-vault 2026.4.1 (bundled), served through nginx
- nginx reverse proxy on
:80with WebSocket upgrade for live sync notifications, ready for TLS on:443 - A dedicated Azure data disk at
/var/lib/vaultwardenholding the SQLite database, attachments and sends — separate from the OS disk and re-provisioned with every VM - Per-VM admin token generated at first boot (only its argon2id hash is stored in the config), in a root-only file
vaultwarden.service+nginx.serviceas systemd units, enabled and active- 24/7 cloudimg support
Prerequisites
An active Azure subscription, an SSH key pair, and a VNet + subnet in the target region. Standard_B2s (2 vCPU / 4 GiB RAM) is a good starting point for personal and small-team vaults. NSG inbound: allow 22/tcp from your management network, 80/tcp for the web-vault, and 443/tcp once you terminate TLS (see Enabling HTTPS — the Bitwarden web-vault requires a secure context to create accounts and unlock vaults).
Step 1 — Deploy from the Azure Marketplace
Sign in to the Azure Portal, choose Create a resource, search the Marketplace for Vaultwarden by cloudimg, and select Create. On Basics pick your subscription, resource group, region and size; under Administrator account choose SSH public key and paste your key; under Inbound port rules allow SSH (22), HTTP (80) and HTTPS (443). Review the dedicated data disk on the Disks tab, then Review + create → Create.
Step 2 — Deploy from the Azure CLI
az vm create \
--resource-group <your-rg> \
--name vaultwarden \
--image <marketplace-image-urn> \
--size Standard_B2s \
--admin-username azureuser \
--ssh-key-values ~/.ssh/id_ed25519.pub \
--vnet-name <your-vnet> --subnet <your-subnet> \
--public-ip-sku Standard
az vm open-port --resource-group <your-rg> --name vaultwarden --port 80 --priority 1010
az vm open-port --resource-group <your-rg> --name vaultwarden --port 443 --priority 1011
Step 3 — Connect to your VM
ssh azureuser@<vm-public-ip>
Step 4 — Confirm the services are running
Vaultwarden and nginx are managed by systemd and start automatically on boot:
systemctl is-active vaultwarden nginx
The Vaultwarden server binds to the loopback interface on port 8000; nginx listens on port 80 and reverse-proxies to it (and upgrades the WebSocket notifications endpoint):
sudo ss -tlnp | grep -E ':80 |:8000 '
The liveness endpoint is open and returns HTTP 200 when the server is healthy:
curl -s -o /dev/null -w '%{http_code}\n' http://127.0.0.1/alive

Step 5 — Retrieve your admin token
On the first boot of every VM a one-shot service (vaultwarden-firstboot.service) generates a fresh admin token that is unique to that VM, stores only its argon2id hash in the server configuration, and writes the plaintext token to a root-only file. The SQLite database ships empty, so no users, vaults or shared credentials are baked into the image.
sudo cat /root/vaultwarden-credentials.txt
The file contains the web-vault URL, the admin panel URL and the admin token:
vaultwarden.url=http://<vm-public-ip>/
vaultwarden.admin.url=http://<vm-public-ip>/admin
vaultwarden.admin.token=<your-per-instance-token>

Step 6 — Sign in to the web-vault
Browse to https://<vm-public-ip>/ (after enabling HTTPS) and you are presented with the Bitwarden-compatible web-vault sign-in page. Open registration is enabled on the fresh image so the first administrator can create their account: click Create account, enter an email address and a name, and choose a strong master password.
Your master password is the key to your vault — Vaultwarden never stores it and cannot recover it, so keep it safe. Once your account exists you can install the Bitwarden client of your choice and sync your vault across every device.
Lock down registration once your accounts exist. Open signups are convenient for the first launch but should be disabled afterwards — see Managing signups, or toggle it from the admin panel.
Step 7 — The admin diagnostics panel
Vaultwarden ships an admin diagnostics panel at /admin, protected by the per-VM admin token. Browse to http://<vm-public-ip>/admin, paste the token from /root/vaultwarden-credentials.txt, and you reach the diagnostics, user management and settings pages. From here you can confirm the installed server and web-vault versions, invite users, manage organisations and toggle open registration at runtime.

Step 8 — Connect Bitwarden clients
Vaultwarden speaks the Bitwarden API, so the official Bitwarden apps work against it directly:
- Install the Bitwarden desktop, mobile, CLI or browser-extension client.
- Before logging in, open the client's Settings (the gear / region selector on the login screen) and set the Server URL (self-hosted environment) to your VM, for example
https://vault.example.com. - Log in with the email and master password you created in the web-vault. Your vault now syncs through your own server.
Managing signups
The signup policy lives in the server environment file. To disable open registration after your accounts are created:
sudo sed -i 's/^SIGNUPS_ALLOWED=.*/SIGNUPS_ALLOWED=false/' /etc/vaultwarden/vaultwarden.env
sudo systemctl restart vaultwarden
To re-enable open registration, set the value back to true and restart the service. You can also invite specific users from the admin panel without opening registration to everyone:
sudo sed -i 's/^SIGNUPS_ALLOWED=.*/SIGNUPS_ALLOWED=true/' /etc/vaultwarden/vaultwarden.env
sudo systemctl restart vaultwarden
Enabling HTTPS
The image serves the web-vault over plain HTTP on port 80 so you can reach it immediately, but the Bitwarden web-vault requires a secure context (HTTPS) to create accounts and unlock vaults, and you should always run a password manager over TLS in production. nginx ships ready to terminate TLS on port 443.
The simplest route is a free Let's Encrypt certificate with Certbot once you have a DNS name pointing at the VM's public IP. Install Certbot and obtain a certificate for your domain (replace the placeholder with your real hostname):
sudo apt-get update && sudo apt-get install -y certbot python3-certbot-nginx
sudo certbot --nginx -d your-domain.example.com
Certbot installs the certificate, rewrites the nginx server block to listen on 443 with TLS, and sets up automatic renewal. After it completes, browse to https://your-domain.example.com/ and create your account.
Data and backups
The SQLite database, attachments and sends live under /var/lib/vaultwarden, which is a dedicated, independently-resizable Azure data disk separate from the operating-system disk:
df -h /var/lib/vaultwarden
Snapshot that disk in Azure to back up your vault on a schedule. The admin panel also offers an on-demand Backup Database action. Keep the OS patched with sudo apt update && sudo apt upgrade; the server restarts cleanly with sudo systemctl restart vaultwarden.

Support
This image is backed by 24/7 cloudimg support. Contact us by email and chat for help with deployment, upgrades, TLS termination, backups and Bitwarden client onboarding.
Vaultwarden and Bitwarden are trademarks of their respective owners. All product and company names are trademarks or registered trademarks of their respective holders. Use of them does not imply any affiliation with or endorsement by them.