# Build instructions
## Dependencies
- `Rust nightly` (strongly recommended to use rustup)
- `OpenSSL` (should be available in path, install through your system's package manager or use the prebuilt binaries)
- `NodeJS` (only when compiling the web-vault, install through your system's package manager or use the prebuilt binaries)
## Run/Compile
```sh
# Compile and run
cargo run --release
# or just compile (binary located in target/release/bitwarden_rs)
cargo build --release
```
When run, the server is accessible at [http://localhost:80](http://localhost:80).
### Install the web-vault
A compiled version of the web vault can be downloaded from dani-garcia/bw_web_builds.
If you prefer to compile it manually, follow these steps:
*Note: building the Vault needs ~1.5GB of RAM. On systems like a Raspberry Pi with 1GB or less, please enable swapping or build it on a more powerful machine and copy the directory from there. This much memory is only needed for building it; running bitwarden_rs with the vault needs only about 10MB of RAM.*
- Clone the git repository at bitwarden/web and check out the latest release tag (e.g. v2.1.1):
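  ```sh
  # clone the repository
  git clone web-vault
  cd web-vault
  # switch to the latest tag
  # (sort by version: plain `git tag` sorts lexically, which puts v2.10.0 before v2.9.0)
  git checkout "$(git tag --sort=v:refname | tail -n1)"
  ```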
- Download the patch file from dani-garcia/bw_web_builds and copy it to the `web-vault` folder.
  To choose the version to use, assuming the web vault is version `vX.Y.Z`:
  - If there is a patch with version `vX.Y.Z`, use that one
  - Otherwise, pick the one with the largest version that is still smaller than `vX.Y.Z`
- Apply the patch
  ```sh
  # In the 'web-vault' directory
  git apply vX.Y.Z.patch
  ```
- Then, build the Vault:
  ```sh
  npm run sub:init
  npm install
  npm run dist
  ```
Finally, copy the contents of the `build` folder into the `bitwarden_rs/web-vault` folder.
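The patch-selection rule from the steps above, written as a shell function. This is an added example, not part of the project's build scripts: the name `select_patch` and the patch directory in the usage comment are hypothetical, patch files are assumed to be named exactly `vX.Y.Z.patch`, and `sort -V` (GNU coreutils or BusyBox) is assumed to be available.

```shell
#!/bin/sh
# select_patch VERSION [DIR]
# Print the name of the patch file to use for web vault VERSION (e.g. v2.1.1):
# the exact match if it exists, otherwise the largest version below it.
# Returns 1 when every available patch is newer than VERSION.
select_patch() {
    want=$1
    dir=${2:-.}
    best=""
    # Candidates are the patch file names without the .patch suffix, in
    # ascending version order (sort -V puts v2.9.0 before v2.10.0).
    for v in $(cd "$dir" && ls v*.patch 2>/dev/null | sed 's/\.patch$//' | sort -V); do
        # v <= want exactly when v comes first in a version sort of the pair.
        lowest=$(printf '%s\n%s\n' "$v" "$want" | sort -V | head -n1)
        if [ "$lowest" = "$v" ]; then
            best=$v
        fi
    done
    [ -n "$best" ] || return 1
    printf '%s.patch\n' "$best"
}

# Usage inside the 'web-vault' directory, with the patches in ../patches
# (hypothetical location). 'git apply --check' is a dry run that fails
# without touching the tree if the patch does not fit the checked-out tag:
#   p=$(select_patch "$(git describe --tags --abbrev=0)" ../patches) &&
#       git apply --check "../patches/$p" && git apply "../patches/$p"
```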
# Configuration
The available configuration options are documented in the default `.env` file, and they can be modified by uncommenting the desired options in that file or by setting their respective environment variables. Look at the README file for the main configuration options available.
Note: the environment variables override the values set in the `.env` file.
## How to recreate database schemas (for developers)
Install diesel-cli with cargo:
```sh
cargo install diesel_cli --no-default-features --features sqlite-bundled
```
Make sure that the correct path to the database is in the `.env` file.
If you want to modify the schemas, create a new migration with:
```sh
diesel migration generate <name>
```
Modify the `*.sql` files, making sure that any changes are reverted in the `down.sql` file.
Apply the migrations and save the generated schemas as follows:
```sh
diesel migration redo
# This step should be done automatically when using diesel-cli > 1.3.0
# diesel print-schema > src/db/
```


# Proxy examples
In this document, `<SERVER>` refers to the IP or domain where bitwarden_rs is accessible from. If both the proxy and bitwarden_rs are running on the same system, simply use `localhost`.
The ports proxied by default are `80` for the web server and `3012` for the WebSocket server. The proxies are configured to listen on port `443` with HTTPS enabled, which is recommended.
When using a proxy, it's preferable to configure HTTPS at the proxy level rather than at the application level; this way the WebSocket connection is also secured.
## Caddy
```
localhost:443 {
    # The negotiation endpoint is also proxied to Rocket
    proxy /notifications/hub/negotiate <SERVER>:80 {
        transparent
    }
    # Notifications redirected to the websockets server
    proxy /notifications/hub <SERVER>:3012 {
        websocket
    }
    # Proxy the Root directory to Rocket
    proxy / <SERVER>:80 {
        transparent
    }
}
```
## Nginx (by shauder)
```nginx
server {
  listen 443 ssl http2;
  server_name vault.*;

  # Specify SSL config if using a shared one.
  #include conf.d/ssl/ssl.conf;

  location / {
    proxy_pass http://<SERVER>:80;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
  }

  location /notifications/hub {
    proxy_pass http://<SERVER>:3012;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
  }

  location /notifications/hub/negotiate {
    proxy_pass http://<SERVER>:80;
  }
}
```
## Apache (by fbartels)
```apache
<VirtualHost *:443>
    SSLEngine on
    ServerName bitwarden.$hostname.$domainname

    # mod_ssl also needs an SSLCertificateFile directive pointing at the server certificate
    SSLCertificateKeyFile ${SSLKEY}
    SSLCACertificateFile ${SSLCA}

    ErrorLog \${APACHE_LOG_DIR}/bitwarden-error.log
    CustomLog \${APACHE_LOG_DIR}/bitwarden-access.log combined

    # WebSocket upgrade requests go to the WebSocket server
    RewriteEngine On
    RewriteCond %{HTTP:Upgrade} =websocket [NC]
    RewriteRule /(.*) ws://<SERVER>:3012/$1 [P,L]

    # Everything else goes to the web server
    ProxyPass / http://<SERVER>:80/
    ProxyPreserveHost On
    ProxyRequests Off
</VirtualHost>
```
## Traefik (docker-compose example)
```yaml
- 'traefik.frontend.rule=Host:vault.example.local'
- ''
- 'traefik.port=80'
- 'traefik.enable=true'
- 'traefik.web.frontend.rule=Host:vault.example.local'
- 'traefik.web.port=80'
- 'traefik.hub.frontend.rule=Path:/notifications/hub'
- 'traefik.hub.port=3012'
- 'traefik.negotiate.frontend.rule=Path:/notifications/hub/negotiate'
- 'traefik.negotiate.port=80'
```