Deploying a Private Bitwarden Password Manager on Tencent Cloud
This guide walks you through deploying a low‑cost, private Bitwarden password manager on Tencent Cloud by preparing a domain and SSL certificate, installing Docker on a CentOS CVM, running Bitwarden and Nginx containers, optionally enabling CDN, configuring backups to COS, and applying security hardening such as two‑factor authentication.
This article provides a step‑by‑step guide for building a low‑cost, private password‑management service using Tencent Cloud resources and the open‑source Bitwarden server.
1. Preparation – You need a personal domain (e.g., mm.zhangge.net), an SSL certificate (Tencent Cloud free certificate), a DNSPod account, a Tencent Cloud CVM (CentOS 7.2+), and optionally CDN and COS services.
2. Environment Initialization – Install Docker on the CVM (skip if Docker is already present):
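# 1. Log in as root and download the online installation script
curl -fsSL https://get.docker.com -o get-docker.sh
# 2. Run the installation script
sh get-docker.sh --mirror AzureChinaCloud
# 3. Change Docker's persistent data directory (optional/recommended)
test -d /var/lib/docker && \
mv /var/lib/docker /var/lib/docker_backup && \
mkdir -p /data/docker && \
ln -sf /data/docker /var/lib/docker
# 4. Enable registry mirror acceleration (optional/recommended)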
cat >/etc/docker/daemon.json <
3. Deploy Bitwarden
– Run the Bitwarden container with Docker:
docker run -d \
--name bitwarden \
-p 8080:80 \
-p 3012:3012 \
--restart=always \
-e SIGNUPS_ALLOWED=true \
-e WEB_VAULT_ENABLED=true \
-e DOMAIN=https://mm.zhangge.net \
-v /data/bitwarden/data:/data \
bitwardenrs/server:latest
4. Reverse Proxy (Nginx)
– If you do not use CDN for HTTPS, configure an Nginx container to terminate TLS:
server {
    listen 443 ssl http2;
    server_name mm.zhangge.net; # modify as needed
    ssl_certificate /data/bitwarden/cert/1_mm.zhangge.net_bundle.crt;
    ssl_certificate_key /data/bitwarden/cert/2_mm.zhangge.net.key;
    ssl_session_cache shared:le_nginx_SSL:1m;
    ssl_session_timeout 1440m;
    # TLS 1.0 and 1.1 are deprecated (RFC 8996); offer only TLS 1.2 and 1.3
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:...:!DSS";
    client_max_body_size 128M;

    # Web vault and API
    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # WebSocket notifications
    location /notifications/hub {
        proxy_pass http://127.0.0.1:3012;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }

    location /notifications/hub/negotiate {
        proxy_pass http://127.0.0.1:8080;
    }
}
Start the Nginx container:
docker run -d \
--name nginx \
--restart=always \
--net=host \
-v /data/bitwarden/cert:/data/bitwarden/cert \
-v /data/bitwarden/nginx/vhost.conf:/etc/nginx/conf.d/default.conf \
nginx:latest
5. Enable CDN
– Use Tencent Cloud CDN to accelerate the site, enable HTTPS, and hide the origin IP. Configure the domain’s CNAME to point to the CDN‑provided address and set cache rules (static files cached, others not).
6. Bitwarden Configuration
– After DNS propagation, access https://mm.zhangge.net/, create an account, and optionally disable further registrations by recreating the container with SIGNUPS_ALLOWED=false:
# Remove existing container
docker rm -f bitwarden
# Re‑run with registration disabled
docker run -d \
--name bitwarden \
-p 8080:80 \
-p 3012:3012 \
--restart=always \
-e SIGNUPS_ALLOWED=false \
-e WEB_VAULT_ENABLED=true \
-e DOMAIN=https://mm.zhangge.net \
-v /data/bitwarden/data:/data \
bitwardenrs/server:latest
7. Usage
– Install the Bitwarden browser extension (Chrome/Firefox/Edge) and set the server URL to https://mm.zhangge.net/. The extension supports auto‑fill, password generation, and two‑step verification (Google Authenticator recommended).
8. Security Hardening
– Apart from CDN, enable two‑factor authentication in Bitwarden and regularly back up data.
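A check of the hardening points this deployment depends on, as an added example that is not part of the original article: the functions read an Nginx vhost, the output of `docker port bitwarden`, and the container's environment, and report legacy TLS versions, ports published on non-loopback addresses, and open registration. The function names and sample inputs are constructed, and the port check assumes Nginx on the same host is the only intended client of ports 8080 and 3012.

```shell
#!/bin/sh
# Added example: configuration checks for the Nginx + Bitwarden setup above.
# All sample inputs are constructed, not captured from a real host.

# stdin: nginx config. Prints each enabled protocol older than TLSv1.2.
legacy_tls() {
    awk '$1 == "ssl_protocols" {
        for (i = 2; i <= NF; i++) {
            p = $i; sub(/;.*/, "", p)
            if (p == "SSLv3" || p == "TLSv1" || p == "TLSv1.1") print p
            if ($i ~ /;/) break
        }
    }'
}

# stdin: output of `docker port bitwarden`. Prints host ports that are
# published on a non-loopback address and so reachable without Nginx.
exposed_ports() {
    awk '$2 == "->" {
        n = split($3, a, ":"); port = a[n]
        addr = substr($3, 1, length($3) - length(port) - 1)
        if (addr !~ /^127\./ && addr != "[::1]" && addr != "::1")
            print port " (" addr ")"
    }'
}

# stdin: container environment, one KEY=VALUE per line, e.g. from
#   docker inspect -f '{{range .Config.Env}}{{println .}}{{end}}' bitwarden
# Succeeds unless registration is explicitly disabled.
signups_open() {
    ! grep -qx 'SIGNUPS_ALLOWED=false'
}

SAMPLE_VHOST='server {
    listen 443 ssl http2;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;  # constructed weak setting
}'
SAMPLE_PORTS='3012/tcp -> 0.0.0.0:3012
80/tcp -> 0.0.0.0:8080'
SAMPLE_ENV='SIGNUPS_ALLOWED=true
WEB_VAULT_ENABLED=true'

echo "legacy TLS:    $(printf '%s\n' "$SAMPLE_VHOST" | legacy_tls | tr '\n' ' ')"
echo "exposed ports: $(printf '%s\n' "$SAMPLE_PORTS" | exposed_ports | tr '\n' ' ')"
if printf '%s\n' "$SAMPLE_ENV" | signups_open; then echo "signups: open"; fi
```

Publishing the container ports as `127.0.0.1:8080:80` and `127.0.0.1:3012:3012` clears the port finding when Nginx runs with `--net=host` on the same machine.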
9. Data Backup Script
– A shell script (/data/bitwarden/opt/backup.sh) can back up the Bitwarden SQLite database or web files, compress them with a password, and upload to COS. Example usage:
#!/bin/sh
# ... (script header omitted for brevity) ...
while [ "$1" ]; do
    case $1 in
        '--db' | 'db')
            backupDB $2 $3 $4 $5 $6
            exit
            ;;
        '--file' | 'file')
            backupFile $2 $3 $4
            exit
            ;;
        *)
            printHelp
            exit
            ;;
    esac
done
# Add a daily cron job:
# 0 3 * * * bash /data/bitwarden/opt/backup.sh file mm.zhangge.net /data/bitwarden/data /data/bitwarden/backup >/dev/null 2>&1
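The original script's header is omitted, so as an added example (not the author's `backup.sh`), here is one way a `file`-style backup could archive the data directory, encrypt it with a passphrase, test that it restores, and prune old copies. `backup_dir`, `restore_list`, `BACKUP_PASSPHRASE` and the retention count are hypothetical names; the upload to COS is left out.

```shell
#!/bin/sh
# Added example, not the author's backup.sh: a hypothetical stand-in for its
# "file" mode. Assumes tar and OpenSSL 1.1.1+ (for -pbkdf2) are installed.
# The passphrase comes from the BACKUP_PASSPHRASE environment variable, so it
# never appears on a command line or in `ps` output.
ENC_OPTS="-aes-256-cbc -pbkdf2 -iter 200000"

# restore_list ARCHIVE: decrypt the archive and list its contents (restore test).
restore_list() {
    openssl enc -d $ENC_OPTS -pass env:BACKUP_PASSPHRASE -in "$1" | tar -tzf -
}

# backup_dir NAME SRC_DIR DEST_DIR [KEEP]: prints the path of the new archive.
# The body is a subshell, so umask and variables do not leak into the caller.
backup_dir() (
    name=$1 src=$2 dest=$3 keep=${4:-7}
    [ -d "$src" ] || { echo "no such directory: $src" >&2; exit 1; }
    [ -n "$BACKUP_PASSPHRASE" ] || { echo "BACKUP_PASSPHRASE not set" >&2; exit 1; }
    export BACKUP_PASSPHRASE
    umask 077                                  # archives readable by owner only
    mkdir -p "$dest" || exit 1
    out="$dest/$name-$(date +%Y%m%d-%H%M%S).tar.gz.enc"

    # Stream tar into openssl: no plaintext archive is written to disk.
    tar -C "$src" -czf - . |
        openssl enc $ENC_OPTS -pass env:BACKUP_PASSPHRASE -out "$out.part" ||
        { rm -f "$out.part"; exit 1; }

    # sh has no pipefail, so a truncated archive is caught here: only one that
    # decrypts and lists cleanly is renamed into place.
    restore_list "$out.part" >/dev/null || { rm -f "$out.part"; exit 1; }
    mv "$out.part" "$out"

    # Retention: delete all but the newest $keep archives for this name.
    ls -1t "$dest/$name"-*.tar.gz.enc | tail -n +"$((keep + 1))" |
        while IFS= read -r old; do rm -f "$old"; done
    echo "$out"
)

# Cron-style entry point: backup.sh NAME SRC_DIR DEST_DIR [KEEP]
if [ "$#" -ge 3 ]; then backup_dir "$@"; fi
```

`openssl enc` in CBC mode gives confidentiality but no authentication, so store a checksum of each archive separately if tampering in the bucket is a concern.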
10. Conclusion
– By combining Tencent Cloud CDN, CVM, COS, DNSPod, and a free SSL certificate, you can deploy a personal, secure password‑management service based on Bitwarden. The article also provides a demo instance (not for production) and emphasizes that real passwords should never be stored on public demos.
Tencent Cloud Developer