The importance of keeping your data safe and available increases with the priority of the data you’re storing.
Are you worried about losing critical data and is that keeping you from hosting your own password manager? Then this is for you.
What do I need to back up? #
Basically it’s a bunch of directories and (at least in the default configuration) a SQLite database. The wiki of the Vaultwarden GitHub repo shows you exactly which directories to back up, what they contain and where to find them.
How does it work? #
There are multiple ways on how to create your Vaultwarden backup, either choose the manual way or use one of the many
third party solutions.
I’m using
bruceforces’ vaultwarden-backup for quite a while now and can confirm that it works.
Both ways can be used in bash scripts or be executed by a cronjob.
Get notified when your scripts or cronjobs have been successfully executed.
Put your services behind WireGuard whenever possible!
The Manual Way #
All files and directories you should consider backing up can be found in the mapped docker volume, in my case /var/lib/docker/volumes/vaultwarden_bw-data.
Create a backup of your database.
sqlite3 /var/lib/docker/volumes/vaultwarden_bw-data/_data/db.sqlite3 ".backup '/path/to/backups/vaultwarden/db-$(date '+%Y%m%d-%H%M').sqlite3'"
Create an archive of the Vaultwarden docker volume.
tar -czvf /path/to/backups/vaultwarden/Vaultwarden_data-$(date '+%Y%m%d-%H%M').tar.gz /var/lib/docker/volumes/vaultwarden_bw-data/_data/
The “Easy” Way #
Making use of third party solutions to make your life easier is no shame, but keep in mind that you depend on work of someone else.
Bruceforces’ vaultwarden-backup does the same thing as “The Manual Way” by temporary spinning up a docker container.
docker run --rm --volumes-from=vaultwarden -e UID=1000 -e BACKUP_DIR=/data/backup -e TIMESTAMP=true -v /path/to/backups/vaultwarden:/data/backup bruceforce/vaultwarden-backup manual
- Make sure your Vaultwarden docker container is named
vaultwardenor replace the name in the--volumes-fromsection. - If necessary, replace your user ID in the
-e UID=section. - Define the backup directory inside the docker container in the
BACKUP_DIR=section. - Map a volume as backup destination with
-v /opt/vaultwarden/backup_tmp:/data/backup.
Check this link for more environment variables.
Restoring your Backups #
Even though you hopefully might never need it you should always make sure that restoring your backup works as expected. Testing this process is vital!
Follow these simple steps assuming your Vaultwarden data directory is at /var/lib/docker/volumes/vaultwarden_bw-data/_data and your backup is at ./backups/vaultwarden.
- Delete existing .sqlite3* files
rm /var/lib/docker/volumes/vaultwarden_bw-data/_data/db.sqlite3*
- Copy your backed up database into the Vaultwarden data directory
cp ./backups/vaultwarden/<TIMESTAMP>_db.sqlite3 /var/lib/docker/volumes/vaultwarden_bw-data/_data/db.sqlite3
<TIMESTAMP> with the timestamp included in the filename.
- Extract the additional folders from the archive you created into the Vaultwarden data directory
tar -xzvf ./backups/vaultwarden/<TIMESTAMP>_data.tar.gz -C /var/lib/docker/volumes/vaultwarden_bw-data/_data/
<TIMESTAMP> with the timestamp included in the filename.
- Restart the Vaultwarden docker container.
docker-compose restart
Final thoughts #
Combine this tutorial with a solid backup strategy including remote backups and only access critical services like Vaultwarden via a VPN like WireGuard.