Why I Moved from Enpass to Bitwarden (via Vaultwarden)

For years, I was a satisfied paid user of Enpass. It was simple, reliable, offered a one-time purchase model that respected the idea of software ownership, and best of all, worked everywhere that I worked – Linux, macOS, Android, and iOS all synced with WebDAV.
But when Enpass changed their business model to a subscription-based system, effectively leaving license holders like myself out in the cold, I started re-evaluating my long-term password management strategy.
I looked at many other options that would hopefully meet my needs:
- KeePass and variants - too clunky for multi-device sync, interface was not good
- LastPass - too many security issues
- 1Password - subscription only, no self-hosting
- Bitwarden - stood out for its open-source roots, strong client support, and self-hosting options
This post details some of the reasons I chose Bitwarden, how I set up my self-hosting using Vaultwarden, and the considerations I made along the way.
TL;DR: After years with Enpass, I switched to Bitwarden and now self-host it with Vaultwarden. Here’s how I set it up, why it works for me, and how you can do it too.
Why I Left Enpass and What I Looked for in a Replacement
Enpass was a great product for me. It worked well across my phone, tablets, and my desktop computers. It had excellent browser integration with both Firefox and Chrome. The sync worked well using WebDAV (running on my Synology NAS). When they shifted their licensing and reworked the client, specifically the Linux client as I spend the bulk of my time working on Linux, I knew I had to find a different alternative. All good things, it seems.
So when I was looking at alternatives, I had several key factors in mind:
- Secure, proven encryption model
- Multi-device sync
- Cross-platform with good browser integrations
- Self-hosting support
- Active development community
A personal note on that last point about an active development community. I’m not the kind of person who always chases the new shiny thing. When I install something, I typically want to try to set it and forget it. When I say active, I mean that people are actively eliminating bugs, making sure that there are no security threats outstanding, etc. I don’t mind stable point releases as long as they don’t break my installation. If it adds too much tech debt because it’s too active, then realistically, I won’t be able to use it because I don’t have the bandwidth to be constantly monitoring everything that I run. Anything I run needs to be secure and stable and not require weekly maintenance because every new point release breaks something.
After looking at and evaluating each of the above alternatives, the only one left standing was Bitwarden. So I did some additional searching, and came across Vaultwarden as a means of hosting it myself.
Bitwarden does offer a hosted solution and also publishes the official server source that allows for self-hosting, but it’s relatively heavy. Vaultwarden is a community-maintained Rust reimplementation of that server — and the two work interchangeably with official Bitwarden clients.
Why Vaultwarden?
- Bitwarden’s official server is fairly heavy
- Vaultwarden is a Rust-based reimplementation of the Bitwarden server API
- Extremely lightweight, easily runs in Docker on a Synology NAS, Mini-PC, or small VPS
- Works flawlessly with official Bitwarden clients
- Easy to backup and manage
With Vaultwarden, I was able to create a service that all of my clients could connect to from anywhere on the Internet that was completely under my control in a matter of minutes. That’s exactly the type of software that’s perfect for self-hosting.
There’s a caveat to the “works flawlessly” claim: it does need to be kept up to date. Bitwarden has changed some API calls without warning, which left my Bitwarden clients unable to sync with Vaultwarden once or twice. It was easy enough to resolve by simply updating Vaultwarden. The Vaultwarden community is active and keeps up to date on the changes. It’s everything one could ask for in an open source project’s community.
My Self-Hosting Setup
Overview
- Runs in Docker
- Reverse proxy via Caddy (as a separate Docker service)
- Mounted volume for encrypted vault storage
- Uses PostgreSQL backend
- Uses my personal Zoho email account for email communications (optional)
Here is my docker-compose.yaml for running Vaultwarden:

services:
  db:
    image: postgres
    container_name: vaultwarden-db
    hostname: vaultwarden-db
    healthcheck:
      test: ["CMD", "pg_isready", "-q", "-d", "vaultwarden", "-U", "vaultwardenuser"]
      timeout: 45s
      interval: 10s
      retries: 10
    volumes:
      - /opt/docker/vaultwarden/db:/var/lib/postgresql/data:rw
    environment:
      POSTGRES_DB: vaultwarden
      POSTGRES_USER: vaultwardenuser
      # Placeholder: replace with your own long random password
      POSTGRES_PASSWORD: vaultwardenpass
    restart: unless-stopped
  vaultwarden:
    image: vaultwarden/server:1.33.0
    container_name: vaultwarden
    hostname: vaultwarden
    ports:
      # host port 4080 -> container port 4020 (quoted so YAML keeps it a string)
      - "4080:4020"
    volumes:
      - /opt/docker/vaultwarden/data:/data:rw
    environment:
      ROCKET_PORT: 4020
      # Must carry the same user and password as the db service above
      DATABASE_URL: postgresql://vaultwardenuser:vaultwardenpass@vaultwarden-db:5432/vaultwarden
      # Placeholder: this token guards the admin page
      ADMIN_TOKEN: YOURADMINTOKENGOESHERE
      # Quoted so the YAML parser passes a string rather than a boolean
      DISABLE_ADMIN_TOKEN: "false"
      DOMAIN: https://vaultwarden.yourdomain.com
      SMTP_HOST: smtp.zoho.com
      SMTP_FROM: yourzohoemailaddress@zohomail.com
      SMTP_PORT: 587
      SMTP_SECURITY: starttls
      SMTP_USERNAME: yourzohoemailaddress@zohomail.com
      SMTP_PASSWORD: YOURAPPPASSWORD
    restart: unless-stopped
    depends_on:
      db:
        condition: service_started
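A hardened variant of the compose file above, as an added example rather than the author's own file. It assumes Caddy runs on the same host as Docker, a `.env` file beside the compose file defining `POSTGRES_PASSWORD` and `VW_ADMIN_TOKEN` (both names chosen here), and PostgreSQL 17 as the major version that initialised the data directory:

```yaml
# Added example, not the author's file. Secrets live in ./.env (chmod 600, not committed):
#   POSTGRES_PASSWORD=<long random string, URL-safe characters only>
#   VW_ADMIN_TOKEN='<Argon2 PHC string printed by: docker exec -it vaultwarden /vaultwarden hash>'
# Single quotes in .env stop Compose from expanding the "$" separators inside the hash.
# SMTP_* settings are omitted for brevity; SMTP_PASSWORD moves to .env the same way.
services:
  db:
    image: postgres:17   # assumption: pin the major version that created the data directory
    container_name: vaultwarden-db
    hostname: vaultwarden-db
    healthcheck:
      test: ["CMD", "pg_isready", "-q", "-d", "vaultwarden", "-U", "vaultwardenuser"]
      timeout: 45s
      interval: 10s
      retries: 10
    volumes:
      - /opt/docker/vaultwarden/db:/var/lib/postgresql/data:rw
    environment:
      POSTGRES_DB: vaultwarden
      POSTGRES_USER: vaultwardenuser
      POSTGRES_PASSWORD: "${POSTGRES_PASSWORD:?set POSTGRES_PASSWORD in .env}"
    restart: unless-stopped
  vaultwarden:
    image: vaultwarden/server:1.33.0
    container_name: vaultwarden
    hostname: vaultwarden
    ports:
      # Loopback only: plain HTTP on 4080 is then reachable solely through Caddy's TLS
      # listener. The Caddyfile upstream becomes 127.0.0.1:4080 in this layout.
      - "127.0.0.1:4080:4020"
    volumes:
      - /opt/docker/vaultwarden/data:/data:rw
    environment:
      ROCKET_PORT: 4020
      DATABASE_URL: "postgresql://vaultwardenuser:${POSTGRES_PASSWORD}@vaultwarden-db:5432/vaultwarden"
      ADMIN_TOKEN: "${VW_ADMIN_TOKEN:?set VW_ADMIN_TOKEN in .env}"   # the hash, never the plaintext token
      DISABLE_ADMIN_TOKEN: "false"
      DOMAIN: https://vaultwarden.yourdomain.com
      SIGNUPS_ALLOWED: "false"   # set after creating your own account to close open registration
    restart: unless-stopped
    depends_on:
      db:
        condition: service_healthy   # wait for pg_isready to pass, not just container start
```

Running `docker compose config` prints the file with both variables substituted, which confirms they resolve before the stack is started; the output contains the secrets, so keep it out of logs and pastes.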
Caddy Configuration
Adding it to the Caddyfile is very straightforward as well:
vaultwarden.yourdomain.com {
    reverse_proxy 192.168.1.8:4080
}
Make sure to add vaultwarden as a CNAME record on your domain to point to wherever your Caddy instance is running (see note below).
Replace the IP address with localhost or the IP address of the server you’re running Docker on and reload/restart Caddy. Caddy will then go fetch a cert from Let’s Encrypt and you’re off and running.
When you’re all done, you should be able to open up your Vaultwarden admin UI at https://vaultwarden.yourdomain.com.
My Caddy and Docker setup is probably a bit more complicated than most. I have some services running on my Synology NAS, and some services running on a handful of MinisForum mini PCs, but I have only a single Caddy service running, which serves as my ingress controller and routes things to the appropriate Docker service on whatever machine it’s running on.
Caddy is an amazing reverse proxy that can be used for a wide variety of different applications. For a homelab or self-hosting it’s the perfect amount of power, flexibility, reliability, and ease-of-use. I’ll likely go into more details on Caddy and my use-cases in a future post.
Reliability and Daily Use
One other consideration I made when first doing this was transferring my Enpass vault to Bitwarden. Bitwarden handled that without an issue once I exported my Enpass vault to JSON format. In fact, Bitwarden can import from most of the common password managers and browsers. That import made transitioning quick and easy.
Since I installed Vaultwarden and Bitwarden on all of my devices and added the browser extensions, things have been very stable for me. It definitely falls into the must-have category for anyone doing self-hosting.
- Syncs between desktop, mobile, and browser extensions
- No noticeable difference from official Bitwarden cloud
- Stable and low maintenance
- No surprise changes in licensing or feature access
- Can add family groups and share password entries with family members or friends
- Excellent browser integration, including Firefox Mobile as an extension
I run Linux on my desktops and laptops, use Android for both my phone and tablet, and have an iPad and Mac Studio for app work — Bitwarden syncs cleanly across all of them using Vaultwarden as the backend.
Closing Thoughts
The Bitwarden and Vaultwarden combination has been rock-solid. It gives me full control over my data, plays nicely with minimal infrastructure, and solved the core problems I had with Enpass.
After running this setup for a while now, I can’t see myself recommending any other configuration to anyone. Even if you don’t want to self-host the service, Bitwarden’s own personal offerings are very reasonably priced as of this writing – $10/year for individuals and $40/year for up to 6 people in a family. That’s totally worth it. And unless you’re doing a lot of self-hosting beyond just Vaultwarden, the price of running your own server will far exceed the cost of a Bitwarden subscription.