
How To Install Bitwarden on Rocky Linux 10


Password security has become more critical than ever in today’s digital landscape. Bitwarden offers a robust, open-source solution for managing passwords with the added benefit of self-hosting capabilities. Installing Bitwarden on Rocky Linux 10 gives you complete control over your password vault while leveraging the enterprise-grade stability that Rocky Linux provides. This comprehensive guide walks you through every step of setting up your own Bitwarden password management server, from initial system preparation to advanced security configurations.

Rocky Linux 10, with its x86_64-v3 architecture support and enhanced security features, serves as an excellent foundation for hosting critical applications like Bitwarden. Throughout this tutorial, you’ll learn how to configure Docker containers, implement SSL/TLS certificates, optimize firewall rules, and establish security best practices. By the end, you’ll have a fully functional, self-hosted password manager accessible from any device.

What is Bitwarden Password Manager?

Bitwarden is one of the most widely used open-source password managers. Vault data is encrypted end to end with AES-256 under a key derived from your master password, so it is encrypted on the client before it is sent and the server only ever stores ciphertext. Unlike proprietary alternatives, Bitwarden publishes its client and server code, so anyone can audit the implementation rather than take the vendor's word for it.

The password manager supports multiple deployment models. You can choose cloud-hosted services for convenience or self-hosted installations for maximum control. Self-hosting eliminates third-party dependencies and ensures your password vault remains entirely under your administration. Bitwarden includes features like secure password generation, password sharing for teams, two-factor authentication support, and cross-platform compatibility across Windows, macOS, Linux, iOS, and Android devices.

Organizations benefit from advanced features including user management, collections, event logging, and directory synchronization. The zero-knowledge model means the server never holds your master password or your unencrypted data. Even if someone compromises the server, the stored vault data is still protected by the key derived from your master password. What an attacker with control of the server can do is serve tampered web-vault code to browsers, which is a reason to prefer the native desktop and mobile clients and to keep the host itself hardened.

Prerequisites for Installing Bitwarden on Rocky Linux 10

System Requirements

Rocky Linux 10 requires specific hardware configurations to run effectively. Your server needs at least 2 CPU cores with x86_64-v3 microarchitecture support, meaning Intel Haswell processors from 2013 or newer, or AMD Excavator equivalents. The system must have a minimum of 2GB RAM, though 4GB is strongly recommended for production environments running Bitwarden with Docker containers.

Disk space requirements include at least 25GB of free storage for the operating system, Docker images, and Bitwarden data. SSD storage significantly improves database performance and container startup times. Your server requires an active internet connection during installation to download packages and Docker images.

You must have root access or a user account with sudo privileges. SSH access to the server is essential for remote administration. Ensure your Rocky Linux 10 installation is fresh and updated to minimize conflicts with existing services.

Domain and Network Requirements

Bitwarden requires a fully qualified domain name (FQDN) that resolves to your server’s public IP address. Create an A record (and an AAAA record if you serve IPv6) for the chosen name. Without working DNS, Let’s Encrypt cannot complete its challenge and certificate issuance fails.

Your firewall must allow incoming connections on ports 80 (HTTP) and 443 (HTTPS). Port 80 is necessary even if you plan to serve only HTTPS, because the installer obtains Let’s Encrypt certificates with the HTTP-01 challenge, which is validated over port 80. If your server sits behind a router, configure port forwarding rules to direct external traffic to your Rocky Linux server.

A static IP address prevents DNS mismatches and certificate validation issues. You’ll also need a valid email address to obtain a Bitwarden installation ID from the official website.

Step 1 – Update Rocky Linux 10 System

System updates patch security vulnerabilities and ensure compatibility with the latest software packages. Begin by connecting to your Rocky Linux 10 server via SSH and switching to the root user or using sudo for all commands.

Execute the following command to update all installed packages:

sudo dnf update -y

This command refreshes repository metadata and upgrades packages to their latest versions. The -y flag automatically confirms all prompts. The process may take several minutes depending on your internet connection and the number of outdated packages.

Next, install the EPEL repository, which provides additional packages (such as fail2ban, used later in this guide) that are not in the standard Rocky Linux repositories:

sudo dnf install epel-release -y

Install essential utilities that will be useful during the installation process:

sudo dnf install curl wget vim nano net-tools -y

Verify your Rocky Linux version to confirm you’re running version 10:

cat /etc/rocky-release

If kernel updates were applied, reboot your server to ensure all changes take effect:

sudo reboot

Wait approximately two minutes, then reconnect via SSH to continue.

Step 2 – Install Docker and Docker Compose on Rocky Linux 10

Adding Docker Repository

Docker Engine provides the containerization platform that Bitwarden requires. Rocky Linux 10 doesn’t include Docker in its default repositories, so you must add the official Docker CE repository.

First, install the dnf-plugins-core package to enable repository management:

sudo dnf install dnf-plugins-core -y

Add the official Docker CE repository for CentOS (compatible with Rocky Linux):

sudo dnf config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo

Update the package index to include the newly added Docker repository:

sudo dnf makecache

This command downloads repository metadata and prepares the system for Docker installation.

Installing Docker Components

Now install Docker Engine along with all necessary components. The installation includes the Docker daemon, command-line interface, container runtime, and plugins for building and orchestrating containers.

Run the following command:

sudo dnf install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin -y

Because of the -y flag, dnf imports the Docker repository’s GPG key automatically; without -y it prompts you to accept it. Either way that key is what verifies the package signatures, so compare the fingerprint dnf prints with the one published in Docker’s installation documentation before you trust it.

The installed components include:

  • docker-ce: The core Docker Engine
  • docker-ce-cli: Command-line tools for Docker management
  • containerd.io: Low-level container runtime
  • docker-buildx-plugin: Advanced image building capabilities
  • docker-compose-plugin: Multi-container application management

When the transaction finishes, dnf prints the list of installed packages followed by “Complete!”. A GPG or dependency error aborts the whole transaction, so anything other than that line means nothing was installed.

Starting and Enabling Docker Service

Enable Docker to start automatically at system boot:

sudo systemctl enable docker

Start the Docker service immediately:

sudo systemctl start docker

Verify that Docker is running correctly:

sudo systemctl status docker

You should see “active (running)” in green text. Press q to exit the status view.

Test your Docker installation by running the hello-world container:

sudo docker run hello-world

If successful, you’ll see a message confirming that Docker is working properly. This test downloads a minimal image, creates a container, and displays confirmation output.

Check your Docker version:

docker --version
docker compose version

Both commands should return version information, confirming successful installation.

Step 3 – Create Bitwarden User and Directory

Security best practices recommend running services under dedicated user accounts rather than root. A separate bitwarden user keeps the installation files, the Docker Compose project, and the backups owned by one non-root identity.

Create a new user named bitwarden (on Rocky Linux, adduser is a link to useradd, so this creates a regular login user with a home directory):

sudo adduser bitwarden

Set a strong password for this user:

sudo passwd bitwarden

Add the bitwarden user to the docker group so it can run Docker commands without sudo. Be aware that membership in the docker group is effectively root on the host, because any member can start a container that mounts the host filesystem; protect this account’s credentials accordingly and do not reuse it for unrelated tasks:

sudo usermod -aG docker bitwarden

Create the installation directory where Bitwarden will store its configuration and data:

sudo mkdir -p /opt/bitwarden

Set ownership of this directory to the bitwarden user:

sudo chown -R bitwarden:bitwarden /opt/bitwarden

Set restrictive permissions to prevent unauthorized access:

sudo chmod 700 /opt/bitwarden

Switch to the bitwarden user account:

su - bitwarden

Navigate to the Bitwarden directory:

cd /opt/bitwarden

Running Bitwarden under a dedicated account keeps its files and processes separate from other services on the host. Keep in mind that the account’s docker-group membership still gives it root-equivalent power over the host, so the isolation is from other workloads, not from root.

Step 4 – Configure Firewall Rules for Bitwarden

Rocky Linux 10 uses firewalld as its default firewall management tool. Proper firewall configuration ensures that only necessary ports remain open while protecting your server from unauthorized access.

Switch back to your sudo user or root account to modify firewall rules:

exit

Check the current firewall status:

sudo firewall-cmd --state

Add HTTP (port 80) to the permanent firewall configuration:

sudo firewall-cmd --permanent --add-service=http

Add HTTPS (port 443) to the permanent firewall configuration:

sudo firewall-cmd --permanent --add-service=https

Enable masquerading to allow Docker containers to access external networks:

sudo firewall-cmd --permanent --add-masquerade

Reload the firewall to apply all changes:

sudo firewall-cmd --reload

Verify your firewall configuration:

sudo firewall-cmd --list-all

You should see http, https, and masquerade listed in the output. Port 80 is essential for Let’s Encrypt HTTP-01 validation, even if you plan to use only HTTPS for actual traffic. The services list should contain nothing beyond ssh, http and https; if the default cockpit and dhcpv6-client entries are present and you do not use them, remove them with the corresponding --remove-service rule.

SELinux is enabled and enforcing by default on Rocky Linux; verify its status:

sudo sestatus

Docker on Rocky Linux ships with container-selinux, and most Bitwarden installations run under enforcing mode without changes. Do not switch SELinux to permissive to work around a problem. If a container cannot read or write files under bwdata, look for the denial with ausearch -m avc -ts recent and fix the file context, consulting the Rocky Linux SELinux documentation.

Step 5 – Obtain Bitwarden Installation ID and Key

Bitwarden requires a unique installation ID and key for self-hosted deployments. These credentials authenticate your installation and enable connections to Bitwarden services for push notifications and certain features.

Open a web browser and navigate to:

https://bitwarden.com/host

Enter your email address in the provided form. This email receives installation credentials and important notifications about your self-hosted instance.

Select your data region. Choose the region closest to your location or the region that complies with your organization’s data residency requirements.

Submit the form and check your email inbox. Bitwarden sends an email containing:

  • Installation ID (a GUID format string)
  • Installation Key (a longer alphanumeric string)

Copy both values to a secure location, such as an existing password manager, because the installer asks for them. They are not vault data, but the key authorizes your instance to Bitwarden’s services, so treat it as a secret. If you lose them, request a new pair from the same page.

Step 6 – Download Bitwarden Installation Script

Switch back to the bitwarden user and navigate to the installation directory:

su - bitwarden
cd /opt/bitwarden

Bitwarden provides an official installation script that automates the setup process. Download it using curl:

curl -Lso bitwarden.sh "https://func.bitwarden.com/api/dl/?app=self-host&platform=linux"

Alternatively, use wget if curl isn’t available:

wget -O bitwarden.sh "https://func.bitwarden.com/api/dl/?app=self-host&platform=linux"

Verify the script downloaded successfully:

ls -lh bitwarden.sh

Make the script executable:

chmod +x bitwarden.sh

The bitwarden.sh script generates the Docker Compose configuration, obtains certificates, and drives the setup container. You are about to run it with access to Docker, and therefore to the host, so read it before executing it:

cat bitwarden.sh

The script is maintained by Bitwarden and updated regularly; later on, ./bitwarden.sh updateself fetches the current version.

Step 7 – Run Bitwarden Installer

Installation Process

Execute the installation script:

./bitwarden.sh install

The installer prompts you for several configuration parameters. Answer each prompt carefully.

Domain Name: Enter your fully qualified domain name (example: bitwarden.yourdomain.com). Do not include https://, a port, or a path.

Let’s Encrypt Certificate: The installer asks if you want to generate a Let’s Encrypt SSL certificate. Type y if your domain is publicly accessible and DNS is properly configured. Type n if you plan to use a custom certificate or a reverse proxy that terminates TLS.

If you choose Let’s Encrypt, provide a valid email address for certificate expiration notifications.

Database Name: Accept the default vault or specify a custom name for the SQL Server database.

Installation ID: Paste the installation ID you received from bitwarden.com/host.

Installation Key: Paste the installation key you received via email.

Region: Enter US or EU, matching the region you selected when requesting the ID; the installer uses it to reach the right Bitwarden cloud endpoints.

The setup container checks the ID and key against Bitwarden’s cloud API, so an invalid or mismatched pair stops the install here. On success the script generates configuration files in the ./bwdata directory.

Common Installation Errors

An installation-ID validation error usually means the server cannot reach Bitwarden’s API or the ID and key were pasted incorrectly (a trailing space is enough). Verify that outbound HTTPS works and copy both values exactly as provided.

DNS resolution failures occur when your domain doesn’t resolve to your server’s public IP address. Use dig or nslookup from a machine outside the server to check before running the installer.

Port conflicts happen if another service occupies ports 80 or 443 (check with ss -ltn). Stop the conflicting service or, after installation, change http_port and https_port in ./bwdata/config.yml and rebuild.

If installation fails, the installer prints the error to the terminal. Fix the cause and re-run ./bitwarden.sh install; a partial ./bwdata directory from a failed attempt can be removed first, as long as it holds no data you want to keep.
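The checks above are easy to automate before the installer starts asking questions. The following script is an added example, not part of bitwarden.sh: it normalizes the domain the way the installer expects, checks that the installation ID looks like a GUID, confirms nothing is already listening on 80 or 443, and compares the domain’s A record with this host’s public address. It assumes GNU coreutils, getent, ss (iproute2) and curl; the public-IP lookup against api.ipify.org is an assumption you can swap for your own method, and the GUID in the usage line is a placeholder.

```shell
#!/bin/bash
# Pre-flight checks to run as the bitwarden user before ./bitwarden.sh install.
# Added example, not part of the Bitwarden installer. Assumptions: GNU coreutils,
# getent (glibc) for DNS, ss (iproute2) for listening ports, and curl plus the
# public echo service https://api.ipify.org to learn this host's public IPv4.
set -uo pipefail

# Strip the scheme, path and port that people often paste by mistake; lowercase the rest.
normalize_domain() {
    local d="$1"
    d="${d#http://}"; d="${d#https://}"   # drop scheme
    d="${d%%/*}"                          # drop any path
    d="${d%%:*}"                          # drop any :port
    printf '%s\n' "${d,,}"
}

# A bare FQDN: labels of [a-z0-9-], at least one dot, no leading/trailing hyphen.
is_fqdn() {
    [[ "$1" =~ ^([a-z0-9]([a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,}$ ]]
}

# Installation IDs are GUIDs; catch truncated or whitespace-padded pastes early.
is_guid() {
    [[ "$1" =~ ^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$ ]]
}

# 0 if something already listens on the TCP port (a port conflict); 2 if ss is missing.
port_in_use() {
    command -v ss >/dev/null || return 2
    [ -n "$(ss -Hltn "sport = :$1")" ]
}

# 0 if the domain's A record(s) include this host's public IPv4; 2 if the lookup failed.
dns_matches_public_ip() {
    local domain="$1" pub
    pub="$(curl -fsS --max-time 10 https://api.ipify.org)" || return 2
    getent ahostsv4 "$domain" | awk '{print $1}' | grep -qx "$pub"
}

main() {
    local domain id p rc=0
    domain="$(normalize_domain "${1:?usage: $0 <domain> <installation-id>}")"
    id="${2:?usage: $0 <domain> <installation-id>}"
    is_fqdn "$domain" || { echo "FAIL: '$domain' is not a bare FQDN"; rc=1; }
    is_guid "$id"     || { echo "FAIL: installation id is not a GUID"; rc=1; }
    for p in 80 443; do
        port_in_use "$p" && { echo "FAIL: port $p already in use"; rc=1; }
    done
    dns_matches_public_ip "$domain" || { echo "FAIL: $domain does not resolve to this host's public IP"; rc=1; }
    { command -v docker >/dev/null && docker info >/dev/null 2>&1; } || { echo "FAIL: docker not usable by $(id -un)"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: ready to run ./bitwarden.sh install"
    return "$rc"
}

# Only run the checks when invoked with arguments; sourcing the file just defines the functions.
[ "$#" -ge 2 ] && main "$@"
```

Run it as the bitwarden user from /opt/bitwarden, for example ./preflight.sh bitwarden.yourdomain.com 12345678-1234-1234-1234-123456789abc (placeholder ID). A non-zero exit lists every failed check at once, so DNS, ports and credentials can be fixed in one pass instead of one installer re-run at a time.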

Step 8 – Configure SSL/TLS Certificates

Option 1: Let’s Encrypt (Recommended)

Let’s Encrypt provides free, automated SSL certificates trusted by all major browsers. If you selected Let’s Encrypt during installation, the script automatically configured certificate generation.

Let’s Encrypt certificates expire after 90 days. The installer does not add a cron job; renewal is attempted when you run ./bitwarden.sh update and can be triggered manually with ./bitwarden.sh renewcert. If you go long stretches without updating, schedule renewcert yourself, and keep port 80 reachable because renewal uses the same HTTP-01 challenge as issuance.

Verify the Let’s Encrypt settings (ssl_managed_lets_encrypt should be true) in ./bwdata/config.yml:

grep -A 5 ssl ./bwdata/config.yml

For production environments, Let’s Encrypt offers the best combination of security and convenience.

Option 2: Custom SSL Certificate

If you have existing SSL certificates from a commercial certificate authority, you can use them instead of Let’s Encrypt.

Create a directory named after your domain under ./bwdata/ssl (this directory is mounted into the nginx container at /etc/ssl):

mkdir -p ./bwdata/ssl/yourdomain.com

Copy your certificate files into it with these names, and make the private key readable only by the bitwarden user (mode 600):

  • certificate.crt – Your SSL certificate
  • private.key – Your private key
  • ca.crt – Certificate authority bundle (if applicable)

Edit the configuration file:

nano ./bwdata/config.yml

Locate the ssl section, set ssl_managed_lets_encrypt to false, and point ssl_certificate_path, ssl_key_path and (if you have a bundle) ssl_ca_path at the container-side paths, for example /etc/ssl/yourdomain.com/certificate.crt. Because these are config.yml changes, run ./bitwarden.sh rebuild afterwards so the generated nginx configuration picks them up.
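Doing the steps above by hand is where mismatched keys and wrong paths creep in. The script below is an added example, not Bitwarden’s tooling: it checks the certificate against the private key, confirms the subjectAltName covers your domain and the certificate is not expired, installs the files with a mode-600 private key, and rewrites the ssl_* keys in config.yml with the container-side /etc/ssl paths. It assumes OpenSSL 1.1.1 or newer and GNU date; the BWDATA variable is this script’s own convention so it can be pointed at a scratch copy for testing.

```shell
#!/bin/bash
# Validate a commercial certificate/key pair and place it where Bitwarden's nginx
# expects it. Added example, not Bitwarden's own tooling. Assumes OpenSSL 1.1.1+
# and GNU date; BWDATA may be overridden for testing (defaults to ./bwdata).
set -euo pipefail
BWDATA="${BWDATA:-./bwdata}"

# The certificate's public key must equal the public key derived from the private key.
cert_matches_key() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Browsers match subjectAltName, not CN, so that is what we check (exact entry match).
cert_covers_domain() {
    openssl x509 -in "$1" -noout -ext subjectAltName \
        | tr ',' '\n' | sed 's/^[[:space:]]*//' | grep -qxF "DNS:$2"
}

# Whole days until notAfter; zero or negative means expired or expiring today.
cert_days_left() {
    local end
    end="$(openssl x509 -in "$1" -noout -enddate | cut -d= -f2)"
    echo $(( ($(date -d "$end" +%s) - $(date +%s)) / 86400 ))
}

# Set (or append) a top-level "key: value" line in config.yml.
set_yaml_key() {
    local key="$1" value="$2" file="$3"
    if grep -q "^${key}:" "$file"; then
        sed -i "s|^${key}:.*|${key}: ${value}|" "$file"
    else
        printf '%s: %s\n' "$key" "$value" >> "$file"
    fi
}

# install_custom_cert <domain> <cert.pem> <key.pem> [ca-bundle.pem]
install_custom_cert() {
    local domain="$1" cert="$2" key="$3" ca="${4:-}"
    local dir="$BWDATA/ssl/$domain" cfg="$BWDATA/config.yml"
    cert_matches_key "$cert" "$key"      || { echo "certificate and key do not match" >&2; return 1; }
    cert_covers_domain "$cert" "$domain" || { echo "certificate SAN does not cover $domain" >&2; return 1; }
    [ "$(cert_days_left "$cert")" -gt 0 ] || { echo "certificate is expired" >&2; return 1; }
    mkdir -p "$dir"
    install -m 0644 "$cert" "$dir/certificate.crt"
    install -m 0600 "$key"  "$dir/private.key"       # key readable by the bitwarden user only
    [ -n "$ca" ] && install -m 0644 "$ca" "$dir/ca.crt"
    # Paths in config.yml are container paths: ./bwdata/ssl is mounted at /etc/ssl in nginx.
    set_yaml_key ssl true "$cfg"
    set_yaml_key ssl_managed_lets_encrypt false "$cfg"
    set_yaml_key ssl_certificate_path "/etc/ssl/$domain/certificate.crt" "$cfg"
    set_yaml_key ssl_key_path "/etc/ssl/$domain/private.key" "$cfg"
    [ -n "$ca" ] && set_yaml_key ssl_ca_path "/etc/ssl/$domain/ca.crt" "$cfg"
    echo "installed; now run ./bitwarden.sh rebuild && ./bitwarden.sh restart"
}
```

Call it from /opt/bitwarden as install_custom_cert bitwarden.yourdomain.com /path/to/cert.pem /path/to/key.pem /path/to/ca.pem; the rebuild it asks for at the end is what regenerates the nginx configuration from config.yml.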

Option 3: Self-Signed Certificate

Self-signed certificates should only be used for testing or internal networks. They trigger browser security warnings and aren’t suitable for production.

The Bitwarden installer can generate self-signed certificates automatically if you decline Let’s Encrypt and don’t provide custom certificates. Clients connecting to your Bitwarden instance must explicitly trust your self-signed certificate.

Step 9 – Configure Bitwarden Settings

Edit the Bitwarden configuration file to customize your installation:

nano ./bwdata/config.yml

Key parameters in config.yml, the file the setup container turns into Docker Compose and nginx configuration, include:

url: Your Bitwarden URL (e.g., https://bitwarden.yourdomain.com)

http_port: HTTP port (default 80)

https_port: HTTPS port (default 443)

ssl, ssl_managed_lets_encrypt and the ssl_*_path entries: Certificate handling, as described in Step 8

ssl_versions and ssl_ciphersuites: Override nginx’s TLS protocol versions and cipher suites; leave them blank for the defaults unless you have a concrete requirement

real_ips: Addresses of a reverse proxy or CDN whose X-Forwarded-For header nginx should trust, if you put one in front

Application settings such as the database connection string, SMTP, and who may log in to the admin panel are not in config.yml. They live in ./bwdata/env/global.override.env as KEY=value lines:

globalSettings__sqlServer__connectionString: Generated at install time with a random database password; change it only if you also change the password in the database

globalSettings__mail__smtp__host, globalSettings__mail__smtp__port, globalSettings__mail__smtp__ssl, globalSettings__mail__smtp__username, globalSettings__mail__smtp__password: SMTP server settings (port 465 with ssl=true for implicit TLS; port 587 with ssl=false and startTls=true for STARTTLS)

adminSettings__admins: Comma-separated email addresses allowed to sign in to the admin panel

Configure SMTP to enable email verification, invitations, master-password hints, and email-based two-step login. Without SMTP, users cannot be invited or receive their hint; note that a master password cannot be reset by the server in any case, because it never has the key.

Save your changes and exit the editor (Ctrl+X, then Y, then Enter for nano). Changes to config.yml take effect only after ./bitwarden.sh rebuild; changes to global.override.env need just ./bitwarden.sh restart.

Step 10 – Build and Start Bitwarden

Rebuilding Bitwarden

After configuration changes, rebuild the Bitwarden environment:

./bitwarden.sh rebuild

The rebuild command re-runs the setup container, which regenerates the Docker Compose and nginx files under ./bwdata from config.yml. At this point it pulls only the setup image; the service images are pulled when the containers are first started. It does not touch your database or the env files.

Watch for any error messages during the rebuild. Common issues include network timeouts or insufficient disk space.

Starting Bitwarden Services

Launch all Bitwarden containers:

./bitwarden.sh start

The start command brings up the Docker Compose project in ./bwdata/docker. The containers include:

  • bitwarden-nginx: Web server and reverse proxy
  • bitwarden-web: Web vault interface
  • bitwarden-api: REST API server
  • bitwarden-identity: Authentication server
  • bitwarden-mssql: Database server
  • bitwarden-attachments: File attachment storage
  • bitwarden-icons: Website icon fetching service
  • bitwarden-admin: Administrator portal served at /admin
  • bitwarden-notifications: Push notification hub for clients
  • bitwarden-events: Event logging for organizations
  • bitwarden-sso: Single sign-on service

The first start can take a minute or two while SQL Server initializes the database; later starts are faster.

Verify all containers are running:

docker ps

Each container should show status “Up” and, where a health check is defined, “(healthy)”. If any container shows “Restarting” or “Exited,” check the logs:

./bitwarden.sh logs

Review the logs for specific error messages. Common startup issues include database initialization failures or port conflicts.
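A check like the one below turns the docker ps inspection above into something you can run from cron or a monitoring agent. It is an added example, not anything shipped with bitwarden.sh: it flags bitwarden-* containers that are not Up or report unhealthy, lists expected containers that are missing entirely, and then asks the API for a reply through nginx at /api/alive. The expected container set and that endpoint are assumptions about a standard install; the sample docker ps output in the test is constructed.

```shell
#!/bin/bash
# Post-start health check for a self-hosted Bitwarden. Added example, not part of
# bitwarden.sh. Assumes the bitwarden-* container names of a standard install and
# that the API answers GET /api/alive on the vault URL (it returns a timestamp).
set -uo pipefail

# Read "name<TAB>status" lines (docker ps --format '{{.Names}}\t{{.Status}}') on stdin;
# print every bitwarden-* container that is not Up, or is Up but not healthy.
unhealthy_containers() {
    awk -F'\t' '$1 ~ /^bitwarden-/ && ($2 !~ /^Up/ || $2 ~ /unhealthy|health: starting/) { print $1 }'
}

# Print each expected container name that does not appear in the ps output on stdin.
missing_containers() {
    local expected="$1" present c
    present="$(cut -f1)"
    for c in $expected; do grep -qx "$c" <<<"$present" || echo "$c"; done
}

# 0 if the vault answers over HTTPS; curl verifies the certificate chain as a side effect.
api_alive() {
    curl -fsS --max-time 10 "$1/api/alive" >/dev/null
}

# Assumed baseline set; extend it if your install runs sso/scim/events containers too.
EXPECTED="bitwarden-nginx bitwarden-web bitwarden-api bitwarden-identity bitwarden-mssql bitwarden-attachments bitwarden-icons"

main() {
    local url="$1" ps_out bad
    ps_out="$(docker ps --format '{{.Names}}\t{{.Status}}')" || { echo "docker not reachable"; return 2; }
    bad="$( { unhealthy_containers <<<"$ps_out"; missing_containers "$EXPECTED" <<<"$ps_out"; } | sort -u)"
    if [ -n "$bad" ]; then
        echo "PROBLEM containers (run ./bitwarden.sh logs):"
        echo "$bad"
        return 1
    fi
    api_alive "$url" || { echo "API not answering at $url/api/alive"; return 1; }
    echo "OK"
}

# Run the probe only when given the vault URL; sourcing just defines the functions.
[ "$#" -ge 1 ] && main "$1"
```

Run it as the bitwarden user, for example ./bw-health.sh https://bitwarden.yourdomain.com. Exit status 0 is healthy, 1 means a container or the API needs attention, and 2 means Docker itself could not be queried.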

Step 11 – Access Bitwarden Web Interface

Open your web browser and navigate to your configured domain:

https://bitwarden.yourdomain.com

The Bitwarden login page appears. Since this is your first visit, click “Create Account” to register your master account.

Enter your email address, name, and a strong master password. Your master password must be at least 12 characters long. Choose a password you can remember but others cannot guess. Bitwarden cannot recover forgotten master passwords due to zero-knowledge encryption.


Optionally, provide a password hint. Remember that hints are stored unencrypted.

Complete the registration process. Bitwarden sends a verification email if SMTP is configured.

Log in with your new credentials. You now have access to your personal password vault.

Create your first password entry by clicking the plus icon. Enter the website URL, username, password, and any notes. Bitwarden automatically encrypts all data before storing it.

Test the vault by saving a password, logging out, and logging back in. Verify that your saved password is retrievable.

Post-Installation Configuration

Enabling Two-Factor Authentication

Navigate to Settings > Security > Two-step Login. Bitwarden supports multiple 2FA methods including authenticator apps (recommended), email, YubiKey, FIDO2, and Duo Security.

Click “Manage” next to Authenticator App. Scan the QR code with an authenticator app like Authy, Google Authenticator, or Microsoft Authenticator.

Enter the six-digit code from your authenticator app to verify setup. Save your recovery code in a secure location separate from your password vault.

Log out and log back in to test 2FA. You’ll need both your master password and the six-digit code from your authenticator app.

Configuring SMTP for Email Notifications

Edit the environment file (not config.yml):

nano ./bwdata/env/global.override.env

Add or modify the SMTP keys. The values below are for Gmail over implicit TLS on port 465; for a provider that uses STARTTLS on port 587, set ssl=false and startTls=true instead:

globalSettings__mail__smtp__host=smtp.gmail.com
globalSettings__mail__smtp__port=465
globalSettings__mail__smtp__ssl=true
globalSettings__mail__smtp__username=your-email@gmail.com
globalSettings__mail__smtp__password=your-app-password

For Gmail, create an app-specific password rather than using your account password. Other providers like SendGrid, Mailgun, or AWS SES work similarly. The file now holds a credential, so keep it readable only by the bitwarden user.

Restart Bitwarden so the containers pick up the new environment (a rebuild is not needed for env changes):

./bitwarden.sh restart

Test delivery by requesting your master password hint from the login page or inviting a user; delivery failures are logged by the API service under ./bwdata/logs.
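Hand-editing global.override.env tends to leave duplicate keys behind, and the wrong port/TLS pairing produces connection failures that are hard to diagnose from the logs. The script below is an added example, not Bitwarden tooling: it upserts the SMTP and admin keys without duplicating them, locks the file down, and refuses inconsistent port/TLS combinations. It assumes the KEY=value format of that file and Bitwarden’s globalSettings__mail__smtp__* and adminSettings__admins variable names; the host, account and password in the usage line are placeholders, and ENV_FILE is this script’s own convention so it can be tried on a scratch file first.

```shell
#!/bin/bash
# Set SMTP (and admin) keys in ./bwdata/env/global.override.env without creating
# duplicate lines, then sanity-check the port/TLS combination before restarting.
# Added example, not Bitwarden tooling. Assumes the KEY=value format of that file
# and Bitwarden's globalSettings__mail__smtp__* / adminSettings__admins names.
set -euo pipefail
ENV_FILE="${ENV_FILE:-./bwdata/env/global.override.env}"

# Drop every existing definition of KEY, then append the new one (no sed escaping
# needed, so passwords containing & or | are written verbatim).
set_env() {
    local key="$1" value="$2" tmp
    tmp="$(mktemp)"
    grep -v "^${key}=" "$ENV_FILE" > "$tmp" || true
    printf '%s=%s\n' "$key" "$value" >> "$tmp"
    cat "$tmp" > "$ENV_FILE" && rm -f "$tmp"      # keeps the file's inode and mode
}

get_env() { sed -n "s/^$1=//p" "$ENV_FILE" | tail -n1; }

# 465 is implicit TLS (ssl=true); 587 is STARTTLS (ssl=false, startTls=true).
# Port 25 is refused here as a policy choice: never relay vault mail in clear.
smtp_tls_consistent() {
    local port ssl starttls
    port="$(get_env globalSettings__mail__smtp__port)"
    ssl="$(get_env globalSettings__mail__smtp__ssl)"
    starttls="$(get_env globalSettings__mail__smtp__startTls)"
    case "$port" in
        465) [ "$ssl" = true ] ;;
        587) [ "$ssl" = false ] && [ "$starttls" = true ] ;;
        25)  return 1 ;;
        *)   [ "$ssl" = true ] || [ "$starttls" = true ] ;;
    esac
}

# configure_smtp <host> <port> <username> <password> <admin-email>
configure_smtp() {
    local host="$1" port="$2" user="$3" pass="$4" admin="$5"
    set_env globalSettings__mail__smtp__host "$host"
    set_env globalSettings__mail__smtp__port "$port"
    if [ "$port" = 465 ]; then
        set_env globalSettings__mail__smtp__ssl true
        set_env globalSettings__mail__smtp__startTls false
    else
        set_env globalSettings__mail__smtp__ssl false
        set_env globalSettings__mail__smtp__startTls true
    fi
    set_env globalSettings__mail__smtp__username "$user"
    set_env globalSettings__mail__smtp__password "$pass"
    set_env adminSettings__admins "$admin"       # who may sign in to /admin
    chmod 600 "$ENV_FILE"                         # the file now holds a mail password
    smtp_tls_consistent
}

# Usage with placeholder values (then ./bitwarden.sh restart; no rebuild needed):
#   configure_smtp smtp.example.com 465 vault@example.com 'app-password' admin@example.com
```

The function returns non-zero if the resulting file is inconsistent, so you can chain it with ./bitwarden.sh restart and never restart into a broken mail configuration.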

Setting Up Backup Strategy

Bitwarden stores everything in the ./bwdata directory: configuration, env files (including the installation key and database credentials), certificates, attachments, and the SQL Server data files (unless you set database_docker_volume to true, in which case the database lives in a Docker volume and needs its own backup). Regular backups protect against data loss from hardware failures or accidental deletions.

Create a backup script:

nano /home/bitwarden/backup-bitwarden.sh

Add the following content:

#!/bin/bash
# Stop Bitwarden, archive ./bwdata, restart, then prune archives older than 30 days.
set -euo pipefail
umask 077                                  # archives hold DB credentials and TLS keys
BACKUP_DIR="/home/bitwarden/backups"
DATE="$(date +%Y%m%d_%H%M%S)"
mkdir -p "$BACKUP_DIR"
cd /opt/bitwarden                          # cron starts in $HOME, so do not rely on ./
trap './bitwarden.sh start' EXIT           # always bring the vault back up, even if tar fails
./bitwarden.sh stop
tar -czf "$BACKUP_DIR/bitwarden_backup_$DATE.tar.gz" -C /opt/bitwarden bwdata
find "$BACKUP_DIR" -name "bitwarden_backup_*.tar.gz" -mtime +30 -delete

Make the script executable:

chmod +x /home/bitwarden/backup-bitwarden.sh

Schedule daily backups from the bitwarden user’s crontab (the vault is unavailable for the few seconds the stop/start takes, so pick a quiet hour):

crontab -e

Add this line for daily backups at 2 AM:

0 2 * * * /home/bitwarden/backup-bitwarden.sh

Store backups on separate storage or upload them to a cloud storage service. Because each archive contains the database, the installation key and the TLS private key, encrypt it (for example with gpg or age) before it leaves the host and restrict who can read it. Test your restoration process periodically; a backup you have never restored is not a backup.
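Testing restoration is the step most often skipped. The functions below are an added example, not part of bitwarden.sh: they verify an archive’s gzip integrity, check that the files a restore depends on are present, and unpack it into a scratch directory so you can inspect it without touching /opt/bitwarden. They assume the standard bwdata layout (config.yml, the env files, and mssql/data) and accept archives whose entries start either with bwdata/ or with the full opt/bitwarden/bwdata/ path; if you enabled database_docker_volume, remove the mssql/data entry from the required list. The archive built in the test is constructed from placeholder files.

```shell
#!/bin/bash
# Verify a Bitwarden backup archive and rehearse a restore into a scratch directory.
# Added example, not part of bitwarden.sh. Assumes GNU tar and the standard bwdata
# layout; entries may be "bwdata/..." or "opt/bitwarden/bwdata/..." depending on
# how tar was invoked.
set -euo pipefail

# Paths a restore cannot do without: generated config, the env files holding the
# DB credentials and installation key, and the SQL Server data directory.
REQUIRED=(
    bwdata/config.yml
    bwdata/env/global.override.env
    bwdata/env/mssql.override.env
    bwdata/mssql/data
)

# 0 if the archive is intact and contains every required path.
verify_backup() {
    local archive="$1" listing p re
    gzip -t "$archive" || { echo "corrupt gzip: $archive" >&2; return 1; }
    listing="$(tar -tzf "$archive")"
    for p in "${REQUIRED[@]}"; do
        re="${p//./[.]}"                                   # literal dots in the regex
        grep -qE "(^|/)${re}/?$" <<<"$listing" || { echo "missing $p in $archive" >&2; return 1; }
    done
}

# Extract into a scratch dir and print the extracted bwdata path; /opt/bitwarden is untouched.
rehearse_restore() {
    local archive="$1" scratch found
    scratch="$(mktemp -d)"
    tar -xzf "$archive" -C "$scratch"
    found="$(find "$scratch" -type d -name bwdata | head -n1)"
    [ -n "$found" ] && [ -s "$found/config.yml" ] || { echo "restore produced no bwdata/config.yml" >&2; return 1; }
    printf '%s\n' "$found"
}

# Newest archive in a directory, i.e. the one a real restore would normally use.
latest_backup() {
    ls -1t "$1"/bitwarden_backup_*.tar.gz 2>/dev/null | head -n1
}
```

A monthly drill is then verify_backup "$(latest_backup /home/bitwarden/backups)" followed by rehearse_restore on the same file and a look inside the printed directory; a real restore is the same extraction into /opt/bitwarden with Bitwarden stopped, followed by ./bitwarden.sh start.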

Managing Bitwarden on Rocky Linux 10

Essential Bitwarden Commands

The bitwarden.sh script provides several management commands:

Start Bitwarden:

./bitwarden.sh start

Stop Bitwarden:

./bitwarden.sh stop

Restart Bitwarden:

./bitwarden.sh restart

View logs:

./bitwarden.sh logs

Update Bitwarden:

./bitwarden.sh update

Monitor container health regularly using docker ps and docker stats to track resource usage.

Updating Bitwarden

Check for updates periodically. Bitwarden releases updates containing security patches and new features.

Before updating, create a backup (the stop here keeps the database files consistent):

./bitwarden.sh stop
tar -czf ~/bitwarden-backup-before-update.tar.gz /opt/bitwarden/bwdata

Update the script itself first, then the containers:

./bitwarden.sh updateself
./bitwarden.sh update

updateself fetches the current bitwarden.sh; update pulls the new images, re-runs setup, applies database migrations, restarts the containers, and renews a Let’s Encrypt certificate if one is due. Review the release notes before updating to understand the changes.

Test critical functionality after updates to ensure everything works correctly.

Security Best Practices for Self-Hosted Bitwarden

Implement these security measures to protect your password vault:

Keep Rocky Linux 10 updated with the latest security patches. Run sudo dnf update weekly, or install dnf-automatic and enable its timer for unattended security updates.

Configure fail2ban to slow brute-force attempts against SSH. Bitwarden’s identity service rate-limits authentication requests on its own, so add a Bitwarden jail only if you have a filter that matches the nginx access-log format under ./bwdata/logs/nginx; a mis-written filter bans nobody or bans everybody. Install with:

sudo dnf install fail2ban -y

Limit SSH access to specific IP addresses through firewall rules. Disable password authentication and use SSH keys exclusively.

Do not auto-update Bitwarden’s images with generic tools; the supported path is ./bitwarden.sh update, which also runs the database migrations that a new image expects. Check for new releases monthly and subscribe to Bitwarden’s security announcements.

Monitor system logs for suspicious activity using journalctl -u docker and ./bitwarden.sh logs. Set up log aggregation for centralized monitoring.

Enforce a strong master password policy: Bitwarden’s own minimum is 12 characters, and organizations can require more through the master password requirements policy. Require two-step login for all accounts, especially administrators.

Regular security audits identify vulnerabilities before attackers exploit them. Use tools like OpenVAS or Lynis for vulnerability scanning.

Troubleshooting Common Issues

Docker-Related Issues

Docker service fails to start: Check system logs with sudo journalctl -u docker. Common causes include corrupted Docker data or conflicting network configurations.

Container health check failures: Verify database connectivity and ensure all containers can communicate through Docker networks.

Permission denied errors: Confirm the bitwarden user belongs to the docker group. Log out and back in after adding the user to groups.

Insufficient disk space: Use df -h to check available storage. Clean up unused images with docker system prune, but never pass --volumes: if database_docker_volume is enabled in config.yml, that flag would delete the database.

SSL/TLS Certificate Problems

Certificate validation errors: Verify DNS records point to your server’s IP. Use online SSL checkers to diagnose certificate issues.

Let’s Encrypt renewal failures: Check that port 80 remains accessible from the internet. Review renewal logs in ./bwdata/letsencrypt/log.

Browser security warnings: Ensure your certificate matches your domain name exactly. Mixed content warnings indicate some resources load over HTTP.

Access and Authentication Issues

Cannot access web vault: Verify firewall rules allow traffic on ports 80 and 443. Check that Docker containers are running with docker ps.

Login failures: Clear browser cache and cookies. Verify SMTP configuration if email-based 2FA fails.

Database connection errors: Check that the bitwarden-mssql container is running and healthy. Review database logs for specific errors.

Port conflicts: If another service uses ports 80 or 443, either stop that service or configure Bitwarden to use alternative ports in config.yml.

Performance Optimization Tips

Optimize database performance by allocating sufficient RAM to the SQL Server container. Do not edit ./bwdata/docker/docker-compose.yml directly, because rebuild regenerates it; put resource limits in ./bwdata/docker/docker-compose.override.yml, which the script merges in.

Configure Docker resource constraints to prevent any single container from consuming all system resources.

Implement log rotation so the container logs under ./bwdata/logs cannot fill your disk. The containers keep these files open, so use copytruncate rather than renaming the files, and rotate as the bitwarden user that owns them:

sudo nano /etc/logrotate.d/bitwarden

Add log rotation configuration (adjust the glob to the layout you see with find /opt/bitwarden/bwdata/logs -type f; nginx writes access.log and error.log, while the .NET services write their own files in per-service subdirectories):

/opt/bitwarden/bwdata/logs/*/*.log {
    daily
    rotate 7
    compress
    delaycompress
    missingok
    notifempty
    copytruncate
    su bitwarden bitwarden
}

Monitor system resources using htop or glances. Upgrade server specifications if CPU or memory consistently exceeds 80% utilization.

For organizations with many users, a CDN such as Cloudflare can absorb load and speed up access from distant regions. If you proxy through it, TLS terminates at the CDN: vault contents stay opaque ciphertext, but the proxy can read the HTTP exchange, including authentication requests, so only do this with a provider you trust to that degree. Add the proxy’s address ranges to real_ips in config.yml so nginx logs and rate limits see real client addresses rather than the CDN’s.

Congratulations! You have successfully installed Bitwarden. Thanks for using this tutorial for installing the Bitwarden password manager on your Rocky Linux 10 system. For additional help or useful information, we recommend you check the official Bitwarden website.


r00t

r00t is an experienced Linux enthusiast and technical writer with a passion for open-source software. With years of hands-on experience in various Linux distributions, r00t has developed a deep understanding of the Linux ecosystem and its powerful tools. He holds certifications in SCE and has contributed to several open-source projects. r00t is dedicated to sharing his knowledge and expertise through well-researched and informative articles, helping others navigate the world of Linux with confidence.