Getting Started
You’ve ordered a managed Vaultwarden from server.camp — congratulations! Vaultwarden is an open-source password manager fully compatible with the Bitwarden apps. You and your team can manage, share, and auto-fill passwords securely — everything encrypted, everything on GDPR-compliant infrastructure in Germany. This guide is written for freelancers, small and medium-sized businesses, and nonprofits that want to finally take password security seriously.
The reality in many SMBs is alarming: passwords stored in spreadsheets, shared via email, or written on sticky notes next to the screen. That’s a serious security risk — and an operational headache when staff change.
Vaultwarden solves both: passwords are encrypted securely, easy to share within the team, and when someone leaves, revoking access to the password collection is all it takes.
Common use cases:
- Shared accounts: social media accounts, admin accounts, service email addresses
- Generate strong passwords instead of reusing the same simple one everywhere
- Team collections by department: accounting accesses tax portal logins, sales accesses CRM logins
- Customer credentials stored securely (hosting panel, etc.)
- Notes and documents encrypted (API keys, certificates, emergency contacts)
- Simplify onboarding: a new team member gets access to the right collection or group
- Store encrypted library passwords securely (e.g. for Seafile libraries)
Vaultwarden / Bitwarden works on two levels:
- Personal vault — passwords that belong only to you (private)
- Organization — a shared space for the entire company or nonprofit
Both levels contain collections: a subsection for a topic (e.g. “Accounting”, “Marketing”, “IT Admin”) that you assign entries to. Collections are the central structure for organizing passwords and controlling access.
To manage access to collections within an organization, there are groups: a set of members that are collectively granted access to collections (e.g. “Sales Team”, “Accounting”, “Management”). This lets you control access efficiently without specifying who has access to each collection individually.
Tip: collections and groups simplify access control
Create one organization for your company, divide it into collections by topic, and use groups to manage access efficiently.
The Bitwarden extension integrates seamlessly into your browser and auto-fills passwords:
- Install the Bitwarden extension from the browser store:
- In the extension: click the gear icon → under “Self-hosted server”, enter your Vaultwarden URL
- Sign in with your username and master password
Download the Bitwarden desktop app for Windows, macOS, and Linux. Before signing in, update the server URL in settings to point to your Vaultwarden instance.
Install the Bitwarden app from the App Store (iOS) or Play Store (Android). In settings, enable “Self-hosted server” and enter your URL.
Connect all your devices
Install the Bitwarden extension and app on all devices you use — work computer, laptop, phone. Passwords sync automatically across all devices. Save a password once and have it everywhere.
- Sign in to the Vaultwarden web interface (your Vaultwarden URL)
- Click your profile in the top left → “New organization”
- Enter a name (e.g. your company name or nonprofit name)
Under Organization → Members → Invite:
- Enter the new member’s email address
- Choose a role:
| Role | Permissions | Recommended for |
|---|---|---|
| User | Can view and use assigned collections | Employees, nonprofit members |
| Manager | Can manage collections and their contents | Team leads, department heads |
| Admin | Can manage members, collections, and groups | IT administrators |
| Owner | Full access, can manage the organization | Management, nonprofit board |
- Select the collections the member should have access to
- Invited members receive an email and must accept the invitation
- After acceptance, an admin or owner must confirm the membership (Invite → Accept → Confirm)
Three-step onboarding
Vaultwarden uses a three-step process: Invite → Accept → Confirm. This protects security — no member gains access to shared passwords until an admin actively confirms the membership. Don’t forget the final confirmation step, or the new member won’t see any shared entries.
Collections are the central structure for organizing passwords by topic and controlling access. Every entry in an organization must belong to at least one collection.
Under Organization → Collections:
- Click “New collection”
- Enter a name
- Choose the members or groups that should have access
- Set permissions:
  - Can manage — members can add, edit, and delete entries
  - Can edit — members can edit existing entries but not delete them
  - Read only — members can view entries and copy passwords but can’t make changes
  - Hide passwords — members can use the password to fill in forms but can’t see it in plain text
Set permissions deliberately
Use “Read only” for collections where team members should use credentials but not change them (e.g. social media accounts). “Hide passwords” is especially useful for accounts where team members need to sign in without knowing the actual password — ideal for shared accounts at external services.
Without groups, you have to manually specify for each new collection or new member who has access to what. With 5 members and 3 collections that’s manageable — with 20 members and 10 collections it quickly becomes chaotic.
Groups solve this: create a group (e.g. “Accounting”), assign the relevant collections to it, and add members. When a new team member joins, just add them to the group — collection access is transferred automatically.
Without groups:
- New employee → manually assign every collection (3 clicks × number of collections)
- New collection → manually add every authorized user (3 clicks × number of users)
With groups:
- New employee → assign to one or two groups → done
- New collection → assign to relevant groups → all group members have access immediately
Enable the groups feature
The groups feature is available in Vaultwarden as a beta feature and must be enabled server-side. At server.camp, you can enable it via our dashboard in your Vaultwarden instance settings. The feature works reliably in practice and is used in production by many organizations, even though it’s still officially labeled beta.
After enabling the feature:
- Go to Organization → Groups
- Click “New group”
- Enter a name (e.g. “Accounting”, “IT Admin”, “Board”)
- Choose the members that belong to the group
- Choose the collections the group should have access to and set the permission level
The combination of groups and collections works best when you plan a clear structure. Here are recommendations for different scenarios:
For freelancers (2–3 people / with external contractors):
| Group | Collections | Permission |
|---|---|---|
| Internal | General, Hosting, Domains | Can manage |
| Contractors | Client credentials (relevant only) | Read only |

| Collection | Contents |
|---|---|
| General | Email, banking, tax advisor portal |
| Hosting & Domains | Server access, registrars, DNS |
| Clients / Client A | Credentials needed for client projects |
| Social Media | LinkedIn, X, Instagram (business) |
For SMBs (10–50 employees):
| Group | Collections | Permission |
|---|---|---|
| All employees | General, Wi-Fi, VPN configuration | Read only |
| Management | All collections | Can manage |
| Accounting | Finance, Tax, Banking | Can manage |
| Sales | CRM, Social Media, Customer portals | Can edit |
| IT / Admin | Servers, Cloud, Monitoring, Admin accounts | Can manage |
| Marketing | Social Media, CMS, Analytics, Newsletter | Can edit |
| External | Project-specific collections only | Hide passwords |

| Collection | Contents |
|---|---|
| General | Wi-Fi password, VPN access, general services |
| Finance | Banking, tax advisor, DATEV, Elster |
| Servers & Cloud | Hosting, monitoring, DNS |
| CRM & Sales | CRM system, LinkedIn Sales Navigator |
| Social Media | Company profiles, Buffer, Hootsuite |
| Clients / Client A | Client project-specific credentials |
| Admin accounts | Root access, emergency passwords |
For nonprofits:
| Group | Collections | Permission |
|---|---|---|
| Board | All collections | Can manage |
| Treasurer | Finance | Can manage |
| Communications | Website, Social Media | Can edit |
| Coaches / Instructors | General, Venues | Read only |

| Collection | Contents |
|---|---|
| General | Nonprofit email, cloud storage, member management |
| Finance | Bank account, tax office, grants portals |
| Website & Social Media | CMS, Instagram, Facebook, newsletter |
| Venues / Rooms | Booking portals, key codes, alarm PINs |
| Associations | Federation portals, association logins |
Groups save time during onboarding and offboarding
When a new board member is elected, add them to the “Board” group — they immediately have access to all relevant collections. When someone leaves the board, remove them from the group. No need to go through individual collections manually.
In the browser extension: when you sign in to a new website, Bitwarden automatically asks if you want to save the password.
Manually: in the web interface or app, click “New item”:
- Name — a recognizable name (e.g. “Stripe Dashboard”)
- Username / email
- Password — or generate a secure one directly
- URI — the website URL (for auto-fill)
- Notes — additional info (e.g. “Account no. 12345”, “Support: 0800-123456”)
- Collection — which collection should this entry belong to?
New entries are private by default
When you create a new entry, you’re set as the owner by default — only you have access. To make it visible in your organization, set your organization as the owner (when creating or later) and choose the appropriate collections.
Beyond logins, Vaultwarden supports:
| Type | Used for | Example |
|---|---|---|
| Login | Website and app credentials | CRM login, email account |
| Card | Payment methods | Company credit card |
| Identity | Personal data for forms | Company address, tax number |
| Secure note | Free text, encrypted | API keys, SSH keys, PINs, emergency contacts |
Secure notes for non-login data
Use “Secure note” for everything that isn’t a classic login: Wi-Fi passwords, PINs, license codes, bank details, recovery keys, server configs. All sensitive data in one place.
Click the generator icon in the password field. Recommendations:
- Length: at least 20 characters
- Type: passphrase (4–5 random words) for passwords you need to remember; random character string for everything else
Update all company passwords immediately
Change all important company passwords to secure, generated passwords — right when you add them to Vaultwarden. That’s the most valuable first step. Start with the most critical accounts: email, banking, hosting, and admin accounts.
When creating or editing an entry: under Collections, choose which shared area the entry belongs to.
All members (or groups) with access to that collection see the entry immediately and can use it via their browser extension or app.
- Entries in the personal vault are visible only to you
- Entries in an organization collection are visible to all authorized collection and group members
- You can set differentiated permissions per collection (view, edit, manage, hide passwords)
Personal vs. organization entries
Keep a clear separation between personal passwords (personal vault) and company passwords (organization collections). Private passwords (personal email, personal banking) belong in the personal vault. Everything business-related belongs in the organization — ensuring company credentials aren’t lost when someone leaves.
Your password manager is the crown jewel of your digital security — it should be protected with 2FA itself.
Each user can enable 2FA under Account settings → Security → Two-step login:
- TOTP (authenticator app) — recommended (Aegis, Google Authenticator, etc.)
- YubiKey — for maximum security on critical admin accounts
Store recovery codes safely
Save the recovery codes when enabling 2FA — on paper in a physically secure location, or via a separate backup mechanism. If you lose 2FA access and the recovery codes, the vault is permanently locked.
Require 2FA for all members
Make 2FA mandatory for everyone with access to the organization — especially owners and admins. In Vaultwarden, go to Organization → Settings → Policies to enforce 2FA for all organization members.
The master password is the key to your entire vault. It’s never transmitted to the server — nobody but you has access.
Recommendations:
- Use a passphrase of at least 5 words (e.g. “correct-horse-battery-staple-horizon1”)
- Avoid common phrases or quotes that can be guessed; add numbers or special characters for extra security
- Choose a master password you can remember but that nobody can guess
- Use the master password nowhere else
- Write it down once on paper and store it in a physically secure place (safe, lockbox)
The master password cannot be reset
If you forget your master password and have no recovery option configured, the data in the vault is inaccessible — including to our support team. Vaultwarden uses end-to-end encryption where only you hold the key.
When a team member leaves the company or a member leaves the nonprofit:
- In the organization under Members, remove the user
- The former member immediately loses access to all collections
- Shared passwords remain intact — only access is revoked
Change shared passwords after offboarding
After offboarding, change all passwords the person had regular access to — even though Vaultwarden revokes access immediately. Locally cached passwords or browser caches may still contain credentials. Prioritize critical accounts: email, banking, admin accounts, and hosting.
Simplify offboarding with groups
If you use groups, offboarding only requires removing the person from their groups — all associated collection access is revoked automatically. That’s not only faster, it also prevents accidentally overlooking an individual collection access.
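As an added illustration (not server.camp or Vaultwarden code, and it calls no Vaultwarden API), the following Python example resolves which collections a departing member could reach through their groups and lists them for password rotation, critical ones first. The group, collection and member data are constructed from the SMB layout in this guide, and the rule that the most permissive level wins when several groups grant the same collection is an assumption.

```python
# Added example: constructed data modelled on the SMB layout in this guide.
# Nothing here talks to Vaultwarden; all names below are hypothetical.

# Assumption: when several groups grant the same collection, the most
# permissive level applies. Ranked from least to most permissive.
RANK = {"Hide passwords": 0, "Read only": 1, "Can edit": 2, "Can manage": 3}

COLLECTIONS = ["General", "Finance", "Servers & Cloud", "CRM & Sales",
               "Social Media", "Admin accounts"]
# Collections to rotate first (banking, hosting, admin accounts).
CRITICAL = {"Finance", "Servers & Cloud", "Admin accounts"}

ALL = object()  # marker for a group that is assigned "All collections"
GROUPS = {
    "All employees": {"General": "Read only"},
    "Management": {ALL: "Can manage"},
    "Accounting": {"Finance": "Can manage"},
    "Sales": {"CRM & Sales": "Can edit", "Social Media": "Can edit"},
    "Marketing": {"Social Media": "Can edit"},
    "IT / Admin": {"Servers & Cloud": "Can manage", "Admin accounts": "Can manage"},
    "External": {"Social Media": "Hide passwords"},
}
MEMBERS = {  # constructed sample members
    "alice@example.org": ["All employees", "Sales", "Marketing"],
    "bob@example.org": ["All employees", "IT / Admin"],
    "carol@example.org": ["Management", "External"],
    "contractor@example.org": ["External"],
}


def effective_access(member):
    """Return {collection: permission} the member holds through their groups."""
    access = {}
    for group in MEMBERS.get(member, []):
        for target, perm in GROUPS[group].items():
            for coll in (COLLECTIONS if target is ALL else [target]):
                if coll not in access or RANK[perm] > RANK[access[coll]]:
                    access[coll] = perm
    return access


def rotation_checklist(member):
    """List (collection, permission, is_critical) to rotate, critical first."""
    # "Hide passwords" collections stay on the list: the member could still
    # use those credentials to fill in forms.
    access = effective_access(member)
    ordered = sorted(access, key=lambda c: (c not in CRITICAL, c))
    return [(c, access[c], c in CRITICAL) for c in ordered]
```

Calling `rotation_checklist("bob@example.org")` returns the admin and server collections ahead of "General", which matches the order in which the guide recommends changing passwords.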
- Create an organization with a few collections (General, Hosting, Clients)
- Use the personal vault for private passwords and organization collections for business ones
- When working with external contractors, create a collection with “Hide passwords” for credentials they need to use but shouldn’t see in plain text
- Use secure notes for API keys, license codes, and SSH keys
- Create groups that reflect your team structure (Accounting, IT, Sales, Marketing)
- Use collections per topic/system and assign them to the appropriate groups
- Enforce 2FA via an organization policy
- Keep an “Admin / Emergency” collection with critical credentials accessible only to management and IT
- Onboarding: invite member → assign to relevant groups → done
- Offboarding: remove from groups and organization → rotate critical passwords
- If you use Authentik for SSO: Vaultwarden supports OpenID Connect (OIDC) for single sign-on
- Create an organization with the nonprofit’s name
- Create collections by area of responsibility (General, Finance, Website, Venues)
- Use groups (Board, Treasurer, Communications) to simplify access changes when board members change
- Store all critical credentials in an “Emergency” collection (bank account, domain, email) accessible only to the board
- Board changeover: remove the old member from the group, add the new one → all relevant access is transferred immediately
Vaultwarden supports OpenID Connect (OIDC) for single sign-on. At server.camp, this requires the Corporate plan. With Authentik, your team signs in to Vaultwarden with their central account.
Master password still required
Even with SSO, the master password remains — it’s needed to decrypt the vault. SSO doesn’t replace the master password; it complements the sign-in process.
Use Vaultwarden to store and share passwords for encrypted Seafile libraries or Nextcloud share links securely within your team.
If you use Node-RED, you can automate group permissions in Vaultwarden — for example, automatically assign the right groups during onboarding or revoke access during offboarding. Get in touch with our support team if you’re interested.
If you need help setting up your organization, collections, groups, or 2FA, reach out any time at support@server.camp.
Find answers to common questions on our product page.