3 min read

Moving from Proton Pass to a Self-Hosted Vaultwarden

In my ongoing journey toward self-hosting and digital independence, I recently decided to move from Proton Pass to a self-hosted Vaultwarden instance. Proton Pass is a solid password manager with strong security features, but as someone who prefers to control my own data and reduce reliance on third-party services, Vaultwarden seemed like the natural choice. In this blog post, I'll share my reasoning, the migration process, and my experience so far.

Why Switch from Proton Pass?

1. Data Ownership and Control

Proton Pass encrypts everything end-to-end, but your vault still resides on Proton's servers. With Vaultwarden, you maintain complete control over where your passwords are stored,

2. Cost Savings

Proton Pass requires a subscription for premium features like unlimited shared vaults and advanced security options. With Vaultwarden, I only need to pay for hosting, which is significantly cheaper in the long run.

3. Integration with My Self-Hosting Stack

I already self-host several services, and adding Vaultwarden to my stack fits perfectly. It integrates well with my reverse proxy setup, and I can configure backups, security policies, and user access the way I want.

Setting Up Vaultwarden

Vaultwarden is a lightweight, Rust-based alternative to Bitwarden, and it works well in self-hosted environments. Here’s how I set it up:

1. Deploying Vaultwarden with Docker

Since I run most of my self-hosted services in Docker, I deployed Vaultwarden with a simple docker-compose configuration:

version: '3.3'
services:
  vaultwarden:
    image: vaultwarden/server:latest
    container_name: vaultwarden
    restart: always
    environment:
      - WEBSOCKET_ENABLED=true
      - SIGNUPS_ALLOWED=false  # Optional: Disable new user signups
      - ADMIN_TOKEN=<your_admin_token>
    volumes:
      - /srv/vaultwarden/data:/data
    ports:
      - 8080:80
    networks:
      - proxy

networks:
  proxy:
    external: true

This setup ensures Vaultwarden runs efficiently while allowing me to manage users and security settings via the admin panel.

2. Configuring HTTPS with Nginx Proxy Manager

Since my Vaultwarden instance runs behind Nginx Proxy Manager (NPM), I configured a subdomain (ie. pwd.mydomain.com) and enabled Let's Encrypt for SSL encryption. The reverse proxy settings ensure secure remote access while keeping my setup simple.

3. Enabling Two-Factor Authentication (2FA)

Vaultwarden supports two-factor authentication (2FA), which I enabled immediately to enhance security. Additionally, I configured my instance to require a YubiKey for logging in as an extra security measure.

Migrating from Proton Pass to Vaultwarden

1. Exporting Passwords from Proton Pass

Proton Pass allows exporting passwords in .csv format. This can be done through the web interface by navigating to:

  1. Settings > Export Vault
  2. Choose "Bitwarden (json)" as the export format
  3. Enter your Proton account password.
  4. Download the .json file.

2. Importing into Vaultwarden

Once I had the exported .csv, I imported it into Vaultwarden:

  1. Logged into my Vaultwarden web vault.
  2. Navigated to Tools > Import Data.
  3. Selected "Bitwarden (CSV)" as the import format.
  4. Uploaded the .csv file.
  5. Verified that all entries were imported correctly.

Username Field Issue

An issue was encountered during the import process where the Username field was not recognized correctly. This is a known issue with Proton Pass exports when importing into Bitwarden-based services. To resolve this, the following steps were taken:

  1. Exporting the Bitwarden vault in an unencrypted JSON format.
  2. Purging the Vaultwarden vault.
  3. Re-importing the modified JSON file, specifying “Bitwarden (json)” as the import file format.

Using a text editor to replace every instance of:

"name": "email",

with

"name": "Email",

This adjustment resolved the problem, allowing all credentials to be imported correctly.

My Experience So Far

After using Vaultwarden for a few weeks, here’s what I’ve observed:

Pros:

  • Full Control: I have complete ownership over my password vault.
  • Seamless Bitwarden Compatibility: Works with Bitwarden clients (browser extensions, mobile apps, desktop apps).
  • Lower Cost: No subscription fees beyond my existing server costs.
  • Secure & Lightweight: Runs smoothly on my existing infrastructure with minimal resource usage.

Cons:

  • No Proton Ecosystem Integration: If you rely on Proton services for seamless authentication across email, VPN, etc., you lose some convenience.
  • Self-Managed Security: I am responsible for updates, backups, and security policies.

Conclusion

If you’re looking for a self-hosted password management solution, Vaultwarden is an excellent alternative to Proton Pass. The migration was straightforward, and the benefits of self-hosting outweigh the minor inconveniences. While self-hosting does require some maintenance, the trade-off in security, flexibility, and cost savings makes it worth it.

Would I recommend this switch? Absolutely—if you're comfortable managing your own infrastructure and want full control over your data. If not, Proton Pass remains a great, secure option for those who prefer a managed service.

Published by:

Jarno