Vaultwarden - Hardened Bitwarden-Compatible Password Server

This is a repackaged software product wherein additional charges apply for hardening, security configuration, and support.

WHAT IS VAULTWARDEN

Vaultwarden is an unofficial, lightweight, open-source implementation of the Bitwarden server API, written in Rust. It is fully compatible with the official Bitwarden clients - desktop apps for Windows, macOS and Linux, mobile apps for iOS and Android, and browser extensions for all major browsers.

Vaultwarden runs on a single instance with minimal resources, uses SQLite by default, and supports the full Bitwarden feature set: organizations, shared collections, TOTP authenticator, hardware security keys (FIDO2/WebAuthn), emergency access, and the Send feature.

WHY SELF-HOST YOUR PASSWORD VAULT

Passwords are your most sensitive credentials. Storing them with a cloud provider means trusting that provider's security posture, uptime, and business continuity - and paying growing per-user fees as your team scales.

Self-hosted Vaultwarden keeps your password vault entirely within your own infrastructure. Your credentials never leave your VPC. You control backups, retention, and access policies. For GDPR-regulated organizations and teams with strict data residency requirements, self-hosting is the only fully compliant option.

ENHANCED SECURITY OUT OF THE BOX

A production-ready Vaultwarden deployment requires HTTPS, a unique admin token, database access controls, and a hardened OS - steps that are easy to skip and hard to audit after the fact.

This AMI pre-configures all of these for you: HTTPS is live at first boot, the admin token is unique to your instance, the database is never exposed to the network, and the underlying OS meets CIS Level 1 from day one.

WHAT THIS AMI ADDS

Security defaults:

• HTTPS enabled at first boot with a self-signed certificate
• Unique admin token generated per instance - no shared or default token
• Certbot pre-installed - replace self-signed cert with Let's Encrypt in one command
• SQLite database accessible from localhost only
• UFW firewall - only ports 80 (Certbot HTTP challenge), 443 (HTTPS), and 22 (SSH) open

OS hardening (CIS Level 1):

• CIS Ubuntu 24.04 LTS Level 1 benchmark applied via ansible-lockdown
• auditd - system call auditing for critical paths
• SSH hardening - PasswordAuthentication disabled, key-only access
• fail2ban - SSH brute-force protection
• AppArmor - mandatory access control
• Kernel hardening - SYN cookies, ASLR, rp_filter, TCP BBR
• IMDSv2 enforced - SSRF protection

Compliance artifacts (inside the AMI):

• SBOM - CycloneDX 1.6 software bill of materials at /etc/lynxroute/sbom.json
• CIS Conformance Report - OpenSCAP HTML report at /etc/lynxroute/cis-report.html
• Tailored CIS profile - documents all applied controls and any deviations at /usr/share/doc/lynxroute/CIS_TAILORED_PROFILE.md

Quick Start:

1. Launch instance (t3.small recommended)
2. SSH: ssh -i key.pem ubuntu@<PUBLIC_IP>
3. Read credentials: sudo cat /root/vaultwarden-credentials.txt
4. Open https://<PUBLIC_IP> in your browser and accept the self-signed cert warning
5. Register your first account at https://<PUBLIC_IP>/#/register
6. Optional - point a domain and get a trusted cert: sudo certbot --nginx -d

Admin panel: https://<PUBLIC_IP>/admin - token from credentials file. Important: never expose port 443 with a self-signed cert to users without a real domain and Let's Encrypt certificate in production.