Passkeys were a headache until I moved them to my own home server


Google’s password manager takes care of syncing passkeys between Android devices. The same passkeys will sync with Chrome on any platform as long as you’re using the same Google account. However, I exclusively use Firefox on my phone and computers. I’m also a huge fan of self-hosting whenever possible, so I prefer a solution that doesn’t rely on Google. Here is the setup I’m using for that.

How passkeys on desktop and mobile devices work with this self-hosted app

Just use the Bitwarden app or browser extension

Passkeys (for readers unaware) are a means to log into your online accounts without using passwords. Instead of typing a password, you can log into websites like Google, Discord, Spotify, and many others with your fingerprint or face scan. Or you can use your computer’s PIN or password to log into any website that supports passkeys.


The most seamless way to sync your passkeys is to use a third-party password manager that supports passkey sync. But can you safely self-host a password manager like that? Yes, absolutely.

The answer is Vaultwarden. It’s an unofficial, fully open-source fork of the Bitwarden backend. You can use it to self-host your own Bitwarden vault, and it will be compatible with all the official Bitwarden clients—desktop apps, browser extensions, and mobile apps.

Google’s password manager is limited to Android and Chrome. However, Bitwarden will sync passkeys wherever you can install a Bitwarden client. That way, you can access your passkeys on any device or browser but keep them on your home server.


Creating and using passkeys with Vaultwarden

To create and save passkeys, you’ll need to install a Bitwarden client and log into it.

On the desktop, install the Bitwarden extension on your browser and then log into your self-hosted Vaultwarden server. Then go to a website that supports passkeys. When you sign up and click the “create a passkey” button, the Bitwarden extension will automatically prompt you to save the passkey. Just click the “save passkey as new login” button.

The typical Bitwarden login page shows an “accessing via” button. By default, it will log you into the official Bitwarden servers, but you can choose to log into your self-hosted instance instead.

On your phone or tablet, you will need to install the Bitwarden mobile app. Log into your Vaultwarden server. Then go to the passkeys settings and configure Bitwarden as the default password and passkey service. When you create a new passkey or tap to sign in with a passkey, you’ll see a prompt from the Bitwarden app to do so.

You’ll need to be on Android 14 or newer to use Bitwarden passkeys globally. Older versions don’t support third-party passkey services.

Running a Vaultwarden container

This will be your self-hosted backend for Bitwarden

To set up a self-hosted instance of Bitwarden using Vaultwarden, we’ll spin up a Docker container for it.



I ssh’d into my home server and created a new folder for the Vaultwarden container. Inside the folder, I’ve created this Docker Compose file for Vaultwarden.

    services:
      vaultwarden:
        image: vaultwarden/server:latest
        container_name: vaultwarden
        restart: always
        environment:
          SIGNUPS_ALLOWED: "true"
        volumes:
          - ./vw-data:/data
        ports:
          - "8080:80"

Docker compose file for Vaultwarden.

Replace “true” next to “SIGNUPS_ALLOWED” with “false” once you’ve created an account to secure it. To change the port, you can replace the “8080” with a port number of your choice.



Set up HTTPS for the vault

Vaultwarden requires a secure HTTPS connection to work

Typically, you can just spin up a container and access it in the web browser at this point. However, for security reasons, Vaultwarden requires HTTPS and you cannot access it over plain HTTP.

To enforce an HTTPS connection, I suggest using Caddy. It’s an open-source web server that you can run as a Docker container, and it automatically handles HTTPS for you. Caddy does need a domain name to work. You don’t need to pay for a domain, however. You can either:

  1. Get a free domain from services like DuckDNS, and you’ll be able to access your vault anywhere in the world, on the public internet, just like any other site.
  2. Use Tailscale to get a free MagicDNS. Note that this domain name will only be accessible within your private Tailscale network. That means you’ll need to install and run Tailscale on your home server and your client devices to access your vault.

Having a domain for your homelab also makes your other services a lot easier to access.

Step #1: Spin up a Caddy container

First, let’s spin up a Caddy container. Create a new directory for Caddy and paste this into your Docker compose file for Caddy.

    services:
      caddy:
        image: caddy:latest
        restart: always
        ports:
          - "80:80"
          - "443:443"
        volumes:
          - ./Caddyfile:/etc/caddy/Caddyfile
          - caddy_data:/data
          - caddy_config:/config
        extra_hosts:
          - "host.docker.internal:host-gateway"
    volumes:
      caddy_data:
      caddy_config:

Docker compose file for Caddy.

Run docker compose up -d to spin up the container. If ./Caddyfile does not exist yet, create it first (Step #2 shows its contents); otherwise Docker creates an empty directory with that name for the bind mount.

Step #2: Get a free domain and point Caddy at it

I already set up a domain name on DuckDNS. It looks something like this: myvault.mooo.com. It takes a few minutes for this new domain name to propagate across the internet. I’ll be pointing Caddy to this domain name and it’ll automatically handle HTTPS enforcement.

Caddy is configured with a single file called Caddyfile. Create a plain text file with this name (it’s case-sensitive and has to match the ./Caddyfile path in the compose file) and inside the file, type in the domain name, followed by the port that you assigned to Vaultwarden earlier.

    myvault.mooo.com {
        reverse_proxy host.docker.internal:8080
    }

Caddy configuration file.

You should substitute this placeholder domain name with your own. If you’re using a Tailscale MagicDNS, you will replace the placeholder with the ts.net address.

Save the Caddyfile and restart the Caddy container to apply these changes.

    docker compose restart caddy

Step #3: Add the domain name to the Vaultwarden compose file

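There’s one last change we need to make to the Vaultwarden Docker compose file. Add this line under environment. It uses the list form (- NAME=value), so the existing SIGNUPS_ALLOWED entry is rewritten the same way; the two forms can’t be mixed under one environment key.

    - DOMAIN=https://myvault.mooo.com

So the Docker compose file for Vaultwarden should look like this.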

    services:
      vaultwarden:
        image: vaultwarden/server:latest
        container_name: vaultwarden
        restart: always
        environment:
          - SIGNUPS_ALLOWED=true
          - DOMAIN=https://myvault.mooo.com
        volumes:
          - ./vw-data:/data
        ports:
          - "8080:80"

Docker compose file for Vaultwarden needs a Domain variable.

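Recreate the Vaultwarden container so it picks up the new variable. A plain docker compose restart reuses the existing container and does not apply changes made to the compose file.

    docker compose up -d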

You should now be able to access the vault within your browser over HTTPS. I can access mine on an address that looks a little like this.

https://myvault.mooo.com

Sign up for an account and set SIGNUPS_ALLOWED to false, then run docker compose up -d again so the change takes effect. Type this same HTTPS address in the self-hosted field when logging into your Vaultwarden server using official Bitwarden clients like extensions and apps.
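
A quick way to check the finished compose file against the steps above, as an added example that is not part of the original article: the script reads either environment form used on this page and reports when SIGNUPS_ALLOWED is not false, when DOMAIN is not an https:// address, and when the two forms are mixed under one environment key. The function names and the sample file are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original article): audit a Vaultwarden compose
# file for the settings this page changes after the first start.

# env_value FILE NAME: print NAME's value from either form used on this page,
#   SIGNUPS_ALLOWED: "true"   (map)   or   - SIGNUPS_ALLOWED=true   (list)
env_value() {
    sed -n -E "s/^[[:space:]]*(-[[:space:]]*)?[\"']?${2}[[:space:]]*[:=][[:space:]]*//p" "$1" |
        sed -E "s/[[:space:]]+#.*\$//; s/[[:space:]]*\$//; s/^[\"']//; s/[\"']\$//" |
        tail -n 1
}

# audit_compose FILE: print one finding per line (no output means clean).
audit_compose() {
    signups=$(env_value "$1" SIGNUPS_ALLOWED | tr '[:upper:]' '[:lower:]')
    domain=$(env_value "$1" DOMAIN)
    [ "$signups" = "false" ] ||
        echo "SIGNUPS_ALLOWED is '${signups:-unset}': sign-ups are not turned off"
    case "$domain" in
        https://?*) ;;
        "") echo "DOMAIN is unset: expected the https:// address of the vault" ;;
        *)  echo "DOMAIN is '$domain': must start with https://" ;;
    esac
    # Heuristic: upper-case names are environment entries. Mixing the map and
    # list forms under one environment key is invalid YAML.
    if grep -Eq '^[[:space:]]*-[[:space:]]*[[:upper:]_]+=' "$1" &&
       grep -Eq '^[[:space:]]*[[:upper:]_]+:[[:space:]]' "$1"; then
        echo "environment mixes 'NAME: value' and '- NAME=value' entries"
    fi
    return 0
}

# Constructed sample: the first compose file with the DOMAIN line pasted as-is.
sample=$(mktemp)
cat > "$sample" <<'EOF'
services:
  vaultwarden:
    image: vaultwarden/server:latest
    environment:
      SIGNUPS_ALLOWED: "true"
      - DOMAIN=https://myvault.mooo.com
    ports:
      - "8080:80"
EOF
audit_compose "$sample"
rm -f "$sample"
```

Point audit_compose at the real docker-compose.yml in the Vaultwarden folder; it prints nothing once all three checks pass.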



You now have a self-hosted password manager which automatically syncs your passkeys and passwords across any devices. It even gives you some premium Bitwarden features for free.


