The Definitive Architect's Guide to Deploying Bitwarden and Vaultwarden on Synology NAS

The pursuit of digital sovereignty in the modern era necessitates a robust strategy for credential management. Bitwarden, a free and open-source password management service, serves as a critical pillar in this architecture by providing an encrypted vault for sensitive information, including website credentials. By deploying Bitwarden on a Synology Network Attached Storage (NAS) device, users transition from relying on third-party cloud providers to a self-hosted model where they maintain absolute control over their encryption keys and data residency. The Bitwarden ecosystem is notably versatile, offering a comprehensive suite of client applications that ensure accessibility across diverse environments, including a centralized web interface, dedicated desktop applications, browser extensions for real-time credential filling, mobile applications for on-the-go access, and a Command Line Interface (CLI) for power users and automation scripts.

Implementing this solution on Synology hardware leverages the power of containerization, primarily through Docker and management interfaces like Portainer or the native Synology Container Manager. This approach abstracts the application from the underlying host operating system, ensuring that the Bitwarden environment remains isolated and portable. Whether opting for the official Bitwarden release—such as version 2026.3.2—or the lightweight community alternative known as Vaultwarden (formerly bitwarden_rs), the integration into a Synology ecosystem requires a precise orchestration of networking, security certificates, and database management.

Architectural Comparison: Official Bitwarden vs. Vaultwarden

When deploying a password manager on Synology, the primary decision is between the official Bitwarden image and Vaultwarden. This choice significantly impacts the resource consumption of the NAS and the administrative overhead required.

Feature        | Official Bitwarden (Lite/Standard)         | Vaultwarden (bitwarden_rs)
---------------|--------------------------------------------|-------------------------------------
Source         | Official Bitwarden image                   | Community-driven Rust implementation
Resource Usage | Higher (requires DB and multiple services) | Extremely low (lightweight)
Deployment     | Docker Compose / Portainer                 | Docker / Container Manager
Database       | MySQL / PostgreSQL                         | SQLite / MySQL
Licensing      | Open source / commercial options           | Fully free (FOSS)
Primary Goal   | Enterprise-grade feature parity            | Home user efficiency and simplicity

Prerequisites and Environmental Setup

Before initiating the installation process, the Synology environment must be prepared to handle the networking and security requirements of an encrypted vault.

Portainer Installation and Management

For advanced users, Portainer is recommended as the primary management interface for Docker containers on Synology. Portainer provides a graphical user interface (GUI) that simplifies the deployment of Docker stacks and the management of volumes.

  • Install the latest version of Portainer using a step-by-step guide to ensure all features are available.
  • Ensure the Portainer container is running and accessible via the NAS local IP address.
  • Use Portainer to manage the "Stack" (Docker Compose) for Bitwarden to ensure easy updates and configuration changes.

Network Security and SSL Certification

Because Bitwarden handles highly sensitive data, it requires an HTTPS connection to function. The Bitwarden clients and browser extensions will generally refuse to communicate with a server that does not have a valid SSL certificate.

  • Obtain a synology.me Wildcard Certificate. A wildcard certificate allows multiple subdomains (e.g., bitwarden.yourname.synology.me, nextcloud.yourname.synology.me) to be secured under a single certificate.
  • Configure the certificate through the Synology Control Panel under Security -> Certificates.
  • For users with their own domains (e.g., inwx.de), a CNAME record must be created in the DNS settings to point the desired subdomain (e.g., pass.example.tld) to the NAS IP or DDNS address.
  • Use Let's Encrypt for automated certificate renewal, which is natively supported by the Synology interface.

Configuring the Synology Reverse Proxy

A reverse proxy is essential for routing external HTTPS traffic (Port 443) to the internal port where the Bitwarden container is listening. This eliminates the need to expose non-standard ports to the public internet.

To configure the reverse proxy, navigate to Control Panel -> Login Portal -> Advanced Tab -> Reverse Proxy.

  • Click the "Create" button to start a new proxy rule.
  • Set the Source Protocol to HTTPS.
  • Set the Source Hostname to the specific subdomain used for the vault (e.g., containername.xxx.synology.me).
  • Set the Source Port to 443.
  • Set the Destination Protocol to HTTP.
  • Set the Destination Hostname to "localhost" or the internal IP address of the Synology NAS.
  • Set the Destination Port to the host-side port published for the UI in the Docker Compose YAML file (e.g., 8080 or 8123; with the 9890:8080 port mapping used later in this guide, that is 9890).

To ensure that real-time notifications and communication channels function correctly, the Reverse Proxy must be configured for WebSockets. Under the "Custom Header" tab in the Reverse Proxy settings, click "Create" and select "WebSocket." This action adds the necessary headers for the connection to upgrade from HTTP to WebSocket, preventing session timeouts and synchronization errors.

Technical Deployment via Docker Compose

The deployment of the official Bitwarden Lite image involves a multi-container architecture consisting of the application server and a database.

Database Configuration (Bitwarden-DB)

The database is the persistent storage layer for the vault's metadata and encrypted items.

  • Image: The database is typically deployed using a MySQL image.
  • Container Name: Bitwarden-DB.
  • Environment Variables:
    • TZ=Europe/Bucharest: Sets the timezone for log consistency.
    • MYSQL_ROOT_PASSWORD=rootpass: The administrative password for the database.
    • MYSQL_DATABASE=bitwarden_vault: The name of the database created for the vault.
    • MYSQL_USER=bitwardenuser: The specific user account the application uses to access the DB.
    • MYSQL_PASSWORD=bitwardenpass: The password for the application user.
  • Volumes:
    • /volume1/docker/bitwarden/db:/var/lib/mysql:rw: Maps the database data to the NAS filesystem for persistence.
    • /volume1/docker/bitwarden/db:/etc/mysql/conf.d:rw: Allows for custom MySQL configuration files.
  • Restart Policy: on-failure:5.

Application Configuration (Bitwarden)

The main application image handles the logic and user interface.

  • Image: ghcr.io/bitwarden/lite.
  • Container Name: Bitwarden.
  • Security Options: no-new-privileges:true is applied to enhance the security posture of the container.
  • Healthcheck: The system uses curl -fsSo - http://localhost:8080 to ensure the service is responsive.
  • Port Mapping: 9890:8080 (External Port 9890 maps to Internal Port 8080).
  • Critical Environment Variables:
    • BW_DOMAIN: The full URL of the instance (e.g., bitwarden.yourname.synology.me).
    • BW_DB_PROVIDER: Set to mysql.
    • BW_DB_SERVER: Set to bitwarden-db (matching the database container name).
    • BW_DB_DATABASE, BW_DB_USERNAME, BW_DB_PASSWORD: Must match the database container settings.
    • BW_INSTALLATION_ID and BW_INSTALLATION_KEY: Unique identifiers for the specific installation.
    • UID=1026 and GID=100: User and Group IDs to ensure correct file permissions on the Synology volume.
    • BW_ENABLE_ADMIN=true: Enables the administrative dashboard.
    • globalSettings__logDirectory: Set to /etc/bitwarden/logs.
    • adminSettings__admins: The email address of the primary administrator.
    • globalSettings__disableUserRegistration: Initially set to false for setup, then true for security.
    • globalSettings__mail__replyToEmail: The sender address for system emails.
    • SMTP Configuration:
      • globalSettings__mail__smtp__host: e.g., smtp.gmail.com.
      • globalSettings__mail__smtp__ssl: false (when using port 587).
      • globalSettings__mail__smtp__port: 587.
      • globalSettings__mail__smtp__username: The Gmail address.
      • globalSettings__mail__smtp__password: A Google App Password (not the primary account password).
  • Volumes:
    • /volume1/docker/bitwarden/data:/etc/bitwarden: Ensures application settings and keys are persisted.
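The two containers described above, written out as one Docker Compose stack. This is an added example, not the guide's own file: the mysql:8.0 tag, the ${...} variable names (supplied through Portainer stack environment variables or a .env file so the passwords stay out of the compose file), the example e-mail addresses and the separate db-conf directory are assumptions; every other setting comes from the lists above.

```yaml
services:
  bitwarden-db:
    image: mysql:8.0                     # assumed tag; the guide only says "a MySQL image"
    container_name: Bitwarden-DB
    environment:
      TZ: Europe/Bucharest
      MYSQL_ROOT_PASSWORD: ${DB_ROOT_PASSWORD}
      MYSQL_DATABASE: bitwarden_vault
      MYSQL_USER: bitwardenuser
      MYSQL_PASSWORD: ${DB_APP_PASSWORD}
    volumes:
      - /volume1/docker/bitwarden/db:/var/lib/mysql:rw
      - /volume1/docker/bitwarden/db-conf:/etc/mysql/conf.d:rw   # own dir for .cnf files (assumption)
    restart: on-failure:5

  bitwarden:
    image: ghcr.io/bitwarden/lite
    container_name: Bitwarden
    depends_on:
      - bitwarden-db
    security_opt:
      - no-new-privileges:true
    healthcheck:
      test: ["CMD", "curl", "-fsSo", "-", "http://localhost:8080"]
    ports:
      - "9890:8080"                      # reverse proxy destination port is 9890
    environment:
      BW_DOMAIN: bitwarden.yourname.synology.me
      BW_DB_PROVIDER: mysql
      BW_DB_SERVER: bitwarden-db         # compose service name of the database
      BW_DB_DATABASE: bitwarden_vault
      BW_DB_USERNAME: bitwardenuser
      BW_DB_PASSWORD: ${DB_APP_PASSWORD}
      BW_INSTALLATION_ID: ${BW_INSTALLATION_ID}      # issued at https://bitwarden.com/host
      BW_INSTALLATION_KEY: ${BW_INSTALLATION_KEY}
      UID: "1026"
      GID: "100"
      BW_ENABLE_ADMIN: "true"
      globalSettings__logDirectory: /etc/bitwarden/logs
      adminSettings__admins: admin@example.com
      globalSettings__disableUserRegistration: "false"   # set to "true" once your account exists
      globalSettings__mail__replyToEmail: vault@example.com
      globalSettings__mail__smtp__host: smtp.gmail.com
      globalSettings__mail__smtp__ssl: "false"
      globalSettings__mail__smtp__port: "587"
      globalSettings__mail__smtp__username: you@gmail.com
      globalSettings__mail__smtp__password: ${SMTP_APP_PASSWORD}
    volumes:
      - /volume1/docker/bitwarden/data:/etc/bitwarden
```

In Portainer the ${...} values are entered under the stack's "Environment variables" section, so the stack file itself can be kept in version control without secrets.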

Advanced Administration and Security Hardening

Once the container is operational and the reverse proxy is routing traffic, the administrator must secure the instance to prevent unauthorized access.

Disabling Public Registration

By default, any person who finds the URL of a self-hosted Bitwarden instance could create an account. This is a critical security risk.

  • Navigate to the Portainer EDITOR tab.
  • Locate the line globalSettings__disableUserRegistration=false.
  • Change the value to globalSettings__disableUserRegistration=true.
  • Click "Update" and confirm the stack redeployment.
  • Verification: New users attempting to register will now see the error message: "An error has occurred. Open Registration has been disabled by the system administrator."

Accessing the Admin Dashboard

The administrative panel allows for the management of users and system-wide settings.

  • Access the dashboard via https://bitwarden.yourname.synology.me/admin.
  • Authentication: Enter the admin token (the password string used to create the Argon2 token) to gain access.
  • Use this panel to invite specific users after public registration has been disabled.

User Interface Customization

For those preferring a different visual aesthetic:

  • Log into the Bitwarden vault.
  • Navigate to Settings -> Preferences in the left sidebar.
  • Select the "Dark" theme and click "Save."

Firewall Configuration and Port Management

A common point of failure in Synology deployments is the internal firewall. If the firewall is enabled, it may block the traffic required for the Bitwarden web interface to communicate with the backend or for the reverse proxy to function.

If the firewall is active, the following ports must be opened to ensure full functionality:

  • Port 80: HTTP (often used for Let's Encrypt validation).
  • Port 443: HTTPS (the primary gateway for encrypted traffic).
  • Ports 5000-5007: Standard Synology DSM management and API ports.
  • Port 3306: MySQL database communication (if the database is accessed externally or by specific monitoring tools).
  • Port 9890: The specific external port mapped to the Bitwarden UI in the provided configuration.
  • Port 8080: Internal application port.

Failure to open these ports often results in the web interface timing out on the password page, even if the login page loads.

Maintenance and Optimization

Operating a containerized password manager requires ongoing maintenance to ensure data integrity and system performance.

  • Backup Strategy: Use docker-compose to automate the spawning of backup containers that archive the database. This prevents data loss in the event of a hardware failure on the NAS.
  • Resource Management: To free up disk space, regularly run Docker cleanup commands to remove unused images and orphaned volumes.
  • Update Cycle: Periodically update the Bitwarden image to the latest version to patch security vulnerabilities and gain new features.
  • Start/Stop Scheduling: For users who only need access to the vault during specific hours, Synology allows for the scheduling of container start and stop times to save system resources.
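The "backup container" approach from the first bullet, as an added example that is not the guide's or Bitwarden's own code: an extra service for the same Compose stack that dumps the Bitwarden-DB database once a day, checks that each dump is complete, and keeps the 14 newest files. The image tag, the service and container names, the /volume1/docker/bitwarden/backups path and the DB_APP_PASSWORD variable are assumptions.

```yaml
services:
  bitwarden-db-backup:
    image: mysql:8.0                 # same image as Bitwarden-DB so mysqldump matches the server
    container_name: Bitwarden-DB-Backup
    depends_on:
      - bitwarden-db
    environment:
      MYSQL_PWD: ${DB_APP_PASSWORD}  # the application user's password, supplied via stack variables
    volumes:
      - /volume1/docker/bitwarden/backups:/backups   # dumps hold the encrypted vault: restrict this share
    restart: unless-stopped
    # "$$" is how a literal "$" is written in a compose file; a single "$" is variable substitution.
    entrypoint:
      - sh
      - -c
      - |
        while true; do
          f="/backups/bitwarden_vault-$$(date +%F-%H%M).sql"
          # --no-tablespaces: MySQL 8 otherwise demands PROCESS, which the app user does not have
          mysqldump -h bitwarden-db -u bitwardenuser --single-transaction --no-tablespaces \
            bitwarden_vault > "$$f"
          # a complete mysqldump ends with "-- Dump completed"; anything else is a partial file
          if tail -n 1 "$$f" | grep -q 'Dump completed'; then
            echo "backup ok: $$f"
          else
            echo "backup FAILED, removing $$f" >&2
            rm -f "$$f"
          fi
          # keep the 14 newest dumps using only ls/tail/rm, which the image is sure to have
          ls -1t /backups/*.sql 2>/dev/null | tail -n +15 | while read -r old; do rm -f "$$old"; done
          sleep 86400
        done
```

The /volume1/docker/bitwarden/data volume (installation keys and settings) is not covered by a database dump and needs its own copy, for example through a Hyper Backup task on the NAS.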

Conclusion

The deployment of Bitwarden or Vaultwarden on a Synology NAS represents a sophisticated intersection of network engineering and security best practices. By utilizing a reverse proxy with WebSocket support and a wildcard SSL certificate, users can create a professional-grade, secure entry point to their credentials. The transition from the official Bitwarden Lite image to a more lightweight solution like Vaultwarden is often driven by the desire for lower overhead, yet both paths lead to the same goal: the elimination of third-party trust in favor of self-sovereignty. The critical nature of the globalSettings__disableUserRegistration flag cannot be overstated, as it transforms a public-facing utility into a private, secure vault. Ultimately, the success of this installation relies on the precise mapping of ports—specifically the synergy between 443, 8080, and the internal database ports—and the rigorous application of the Synology firewall rules to allow legitimate traffic while blocking potential threats.
