
Install and Deploy - Offline (Linux)

This article will walk you through the procedure to install and deploy Bitwarden to your own server in an offline or air-gapped environment.


Manual installations should be conducted by advanced users only. Only proceed if you are very familiar with Docker technologies and desire more control over your Bitwarden installation.

Manual installations lack the ability to automatically update certain dependencies of the Bitwarden installation. As you upgrade from one version of Bitwarden to the next you will be responsible for changes to required environment variables, changes to nginx default.conf, changes to docker-compose.yml, and so on.

We will try to highlight these in the release notes on GitHub. You can also monitor changes to the dependency templates used by the Bitwarden installation script on GitHub.


Before proceeding with the installation, please ensure the following requirements are met:

  • Docker Engine and Docker Compose are installed and ready to use on your server.

  • Using a machine with internet access, you have downloaded the latest file from the Bitwarden Server repository's releases page and transferred this file to your server.

  • An offline SMTP server is set up and active in your environment.


Bitwarden is currently supported only in a Docker and Docker Compose environment. Bitwarden's installation scripts and manual installation artifacts do not accurately convert to Kubernetes manifests without extensive knowledge of the Bitwarden stack and Kubernetes. Automatic conversions of the installation artifacts are not recommended at this time and could result in a broken deployment environment.

System specifications




x64, 1.4GHz

x64, 2GHz dual core







Docker Version

Engine 19+ and Compose 1.24+

Engine 19+ and Compose 1.24+

Installation procedure

Configure your domain

By default, Bitwarden will be served through ports 80 (http) and 443 (https) on the host machine. Open these ports so that Bitwarden can be accessed from within and/or outside of the network. You may opt to choose different ports during installation.

We recommend configuring a domain name with DNS records that point to your host machine, especially if you are serving Bitwarden over the internet.

Create Bitwarden local user & directory

We recommend configuring your server with a dedicated bitwarden service account from which to install and run Bitwarden. Doing so will isolate your Bitwarden instance from other applications running on your server.

These steps are Bitwarden-recommended best practices, but are not required. For more information, see Docker's post-installation steps for Linux documentation.

  1. Create a bitwarden user:

    sudo adduser bitwarden
  2. Set a password for the bitwarden user:

    sudo passwd bitwarden
  3. Create a docker group (if it doesn't already exist):

    sudo groupadd docker
  4. Add the bitwarden user to the docker group:

    sudo usermod -aG docker bitwarden
  5. Create a bitwarden directory:

    sudo mkdir /opt/bitwarden
  6. Set permissions for the /opt/bitwarden directory:

    sudo chmod -R 700 /opt/bitwarden
  7. Set the bitwarden user ownership of the /opt/bitwarden directory:

    sudo chown -R bitwarden:bitwarden /opt/bitwarden

Configure your machine

To configure your machine with the assets required for your Bitwarden server:


If you have created a Bitwarden user & directory, complete the following as the bitwarden user from the /opt/bitwarden directory.

  1. Create a new directory named bwdata and extract to it, for example:

    unzip -d bwdata

    Once unzipped, the bwdata directory will match what the docker-compose.yml file's volume mapping expects. You may, if you wish, change the location of these mappings on the host machine.

  2. In ./bwdata/env/global.override.env, edit the following environment variables:

    • globalSettings__baseServiceUri__vault=: Enter the domain of your Bitwarden instance.

    • globalSettings__sqlServer__ConnectionString=: Replace the RANDOM_DATABASE_PASSWORD with a secure password for use in a later step.

    • globalSettings__identityServer__certificatePassword: Set a secure certificate password for use in a later step.

    • globalSettings__internalIdentityKey=: Replace RANDOM_IDENTITY_KEY with a random key string.

    • globalSettings__oidcIdentityClientKey=: Replace RANDOM_IDENTITY_KEY with a random key string.

    • globalSettings__duo__aKey=: Replace RANDOM_DUO_AKEY with a random key string.

    • globalSettings__installation__id=: Enter an installation id retrieved from

    • globalSettings__installation__key=: Enter an installation key retrieved from

    • globalSettings__pushRelayBaseUri=: This variable should be blank. See Configure Push Relay for more information.


      At this time, consider also setting values for all globalSettings__mail__smtp__ variables and for adminSettings__admins. Doing so will configure the SMTP mail server used to send invitations to new organization members and provision access to the System Administrator Portal.

      Learn more about environment variables.

  3. From ./bwdata, generate a .pfx certificate file for the identity container and move it to the mapped volume directory (by default, ./bwdata/identity/). For example, run the following commands:

    openssl req -x509 -newkey rsa:4096 -sha256 -nodes -keyout identity.key -out identity.crt -subj "/CN=Bitwarden IdentityServer" -days 10950


    openssl pkcs12 -export -out ./identity/identity.pfx -inkey identity.key -in identity.crt -passout pass:IDENTITY_CERT_PASSWORD

    In the above command, replace IDENTITY_CERT_PASSWORD with the certificate password created and used in Step 2.

  4. Copy identity.pfx to the ./bwdata/ssl directory.

  5. Create a subdirectory in ./bwdata/ssl named for your domain, for example:

    mkdir ./ssl/

  6. Provide a trusted SSL certificate and private key in the newly created ./bwdata/ssl/ subdirectory.


    This directory is mapped to the NGINX container at /etc/ssl. If you can't provide a trusted SSL certificate, front the installation with a proxy that provides an HTTPS endpoint to Bitwarden client applications.

  7. In ./bwdata/nginx/default.conf:

    1. Replace all instances of with your domain, including in the Content-Security-Policy header.

    2. Set the ssl_certificate and ssl_certificate_key variables to the paths of the certificate and private key provided in Step 6.

    3. Take one of the following actions, depending on your certificate setup:

      • If using a trusted SSL certificate, set the ssl_trusted_certificate variable to the path to your certificate.

      • If using a self-signed certificate, comment out the ssl_trusted_certificate variable.

  8. In ./bwdata/env/mssql.override.env, replace RANDOM_DATABASE_PASSWORD with the password created in Step 2.

  9. In ./bwdata/web/app-id.json, replace with your domain.

  10. In ./bwdata/env/uid.env, set the UID and GID of the bitwarden user and group you created earlier so the containers run under them.
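
Steps 2 and 8 above fill the RANDOM_* placeholders by hand; the following script is an added example (not part of Bitwarden's guide or tooling) that fills them from /dev/urandom, keeps the database password identical in both files, and fails if a placeholder is left behind. The function names, the 64-character hex format and the sample file contents are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of the Bitwarden guide or its tooling.
# Fills the RANDOM_* placeholders from Step 2 and Step 8, then fails if any remain.
set -eu

# 64 hex characters from the kernel CSPRNG; hex is safe inside sed and .env values.
rand_hex() { head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'; }

# Give every occurrence of TOKEN in FILE its own fresh random value.
fill_unique() (
  token=$1 file=$2
  while grep -q "$token" "$file"; do
    n=$(grep -n "$token" "$file" | head -n 1 | cut -d: -f1)
    sed -i "${n}s/${token}/$(rand_hex)/" "$file"
  done
)

# Print every line that still carries a RANDOM_* placeholder (no output = clean).
leftover_placeholders() { grep -Hn 'RANDOM_[A-Z_]*' "$@" || true; }

# fill_secrets ENV_DIR   (ENV_DIR is ./env when run from ./bwdata)
fill_secrets() (
  env_dir=$1
  db_pw=$(rand_hex)
  # Step 8 needs the same database password as Step 2, so both files share one value.
  sed -i "s/RANDOM_DATABASE_PASSWORD/${db_pw}/g" \
    "$env_dir/global.override.env" "$env_dir/mssql.override.env"
  fill_unique RANDOM_IDENTITY_KEY "$env_dir/global.override.env"
  fill_unique RANDOM_DUO_AKEY "$env_dir/global.override.env"
  chmod 600 "$env_dir/global.override.env" "$env_dir/mssql.override.env"
  [ -z "$(leftover_placeholders "$env_dir"/*.env)" ]
)

# Constructed sample files for a dry run; the real ones come from the release archive.
make_sample_env() (
  dir=$(mktemp -d)
  printf '%s\n' \
    'globalSettings__sqlServer__ConnectionString="Password=RANDOM_DATABASE_PASSWORD;"' \
    'globalSettings__internalIdentityKey=RANDOM_IDENTITY_KEY' \
    'globalSettings__oidcIdentityClientKey=RANDOM_IDENTITY_KEY' \
    'globalSettings__duo__aKey=RANDOM_DUO_AKEY' > "$dir/global.override.env"
  printf 'SA_PASSWORD=RANDOM_DATABASE_PASSWORD\n' > "$dir/mssql.override.env"
  echo "$dir"
)

# Usage: sh fill-secrets.sh ./env   (with no argument, only the functions are defined)
if [ "$#" -gt 0 ]; then fill_secrets "$1"; fi
```

The two identity keys receive different values even though the template uses the same placeholder for both.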

Download & transfer images

To get docker images for use on your offline machine:

  1. From an internet-connected machine, download all bitwarden/xxx:latest docker images, as listed in the docker-compose.yml file in

  2. Save each image to a .img file, for example:

    docker image save -o mssql.img bitwarden/mssql:version
  3. Transfer all .img files to your offline machine.

  4. On your offline machine, load each .img file to create your local docker images, for example:

    docker image load -i mssql.img
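
The save, transfer and load steps above can be wrapped in a digest check so that a corrupted or substituted archive is never loaded; this script is an added example, not part of Bitwarden's guide. The manifest name SHA256SUMS, the function names and the LOAD_CMD override are assumptions.

```shell
#!/bin/sh
# Added example, not part of the Bitwarden guide: verify image archives after the
# air-gap transfer and refuse to load anything if a single digest is wrong.
set -eu

# Loader command; overridable (e.g. LOAD_CMD=echo) for a dry run without Docker.
LOAD_CMD=${LOAD_CMD:-docker image load -i}

# Connected machine: record a SHA-256 digest for every .img file in DIR.
write_manifest() (
  cd "$1" || exit 1
  sha256sum -- *.img > SHA256SUMS
)

# Offline machine: check all archives first, load only when every one matches.
verify_and_load() (
  cd "$1" || exit 1
  sha256sum -c SHA256SUMS >&2 || { echo "digest mismatch: nothing loaded" >&2; exit 1; }
  # An archive that is absent from the manifest was never vetted: reject it too.
  for f in *.img; do
    grep -q "  $f\$" SHA256SUMS || { echo "unlisted archive: $f" >&2; exit 1; }
  done
  for f in *.img; do
    $LOAD_CMD "$f" || exit 1
  done
)

# Usage: sh images.sh manifest DIR   (connected machine, after docker image save)
#        sh images.sh load DIR       (offline machine, instead of loading by hand)
case "${1:-}" in
  manifest) write_manifest "$2" ;;
  load)     verify_and_load "$2" ;;
esac
```

A manifest that travels on the same media as the archives only catches corruption; carry it, or its own digest, by a separate path so that a swapped archive is detected as well.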

Start your server

Start your Bitwarden server with the following command:

docker-compose -f ./docker/docker-compose.yml up -d

Verify that all containers are running correctly:

docker ps

Congratulations! Bitwarden is now up and running. Visit the web vault in your browser to confirm that it's working.

You may now register a new account and log in. You will need to have configured SMTP environment variables (see environment variables) in order to verify the email for your new account.


Update your server

Updating a self-hosted server that has been installed and deployed manually is different from the standard update procedure. To update your manually-installed server:

  1. Download the latest archive from the releases page on GitHub.

  2. Unzip the new archive and compare its contents with what's currently in your bwdata directory, copying anything new to the pre-existing files in bwdata.
    Do not overwrite your pre-existing bwdata directory with the contents of the newer archive, as this would overwrite any custom configuration work you've done.

  3. Download the latest container images and transfer them to your offline machine as documented above.

  4. Run the following command to restart your server with your updated configuration and the latest containers:

    docker-compose -f ./docker/docker-compose.yml down && docker-compose -f ./docker/docker-compose.yml up -d
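
For the comparison in step 2 of the update procedure, this added example (not Bitwarden tooling) lists the files and environment variable names that a newer archive introduces, reading both trees without writing to bwdata. The function names and the two directory arguments are assumptions.

```shell
#!/bin/sh
# Added example, not part of the Bitwarden guide: report what a newer release
# archive introduces, read-only, so the live bwdata directory is never overwritten.
set -eu
LC_ALL=C; export LC_ALL   # stable sort order for comm

# Relative paths of files present in NEW (unzipped archive) but absent from CUR.
new_files() (
  t=$(mktemp -d)
  (cd "$1" && find . -type f | sort) > "$t/new"
  (cd "$2" && find . -type f | sort) > "$t/cur"
  comm -23 "$t/new" "$t/cur"
  rm -rf "$t"
)

# Variable names defined in an .env file; values are dropped on purpose.
env_keys() { sed -n 's/^\([A-Za-z_][A-Za-z0-9_]*\)=.*/\1/p' "$1" | sort -u; }

# For env files present on both sides, print "env/FILE: KEY" for each variable
# that only the new release defines. Secrets in the live files are never echoed.
new_env_keys() (
  new=$1 cur=$2 t=$(mktemp -d)
  for f in "$new"/env/*.env; do
    name=${f##*/}
    [ -f "$cur/env/$name" ] || continue
    env_keys "$f" > "$t/new"
    env_keys "$cur/env/$name" > "$t/cur"
    comm -23 "$t/new" "$t/cur" | sed "s|^|env/$name: |"
  done
  rm -rf "$t"
)

# Usage: sh bwdata-diff.sh ./new-archive ./bwdata
if [ "$#" -eq 2 ]; then new_files "$1" "$2"; new_env_keys "$1" "$2"; fi
```

Only additions are reported; files that exist on both sides with different contents, such as nginx default.conf and docker-compose.yml, still need to be compared by hand.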

© 2023 Bitwarden, Inc.