Infrastructure · Case Study Mar 2026

Self-Hosted Password Manager

Replaced a commercial password manager subscription with a fully self-hosted Vaultwarden instance — accessible on every device, backed up to two offsite locations, and protected by an automatic failover system built on a Cloudflare Worker with zero monthly platform fees.


The Architecture

01 — Serve

Vaultwarden on Jetson

A Vaultwarden Docker container runs on an NVIDIA Jetson Orin Nano Super — consuming under 100MB RAM idle alongside an existing LLM workload. Exposed to the internet via Cloudflare Zero Trust tunnel with zero open ports.

02 — Route

Cloudflare Worker Failover

All traffic to vault.bnacuw.dev passes through a custom Cloudflare Worker that health-checks the Jetson on every request. If the Jetson is unreachable, traffic is automatically rerouted to a warm standby VPS — no manual intervention required.
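
The routing described above, as an added example that is not the author's Worker: it probes Vaultwarden's `/alive` endpoint on the tunnel hostname for each request and forwards to the standby when the probe fails. The standby hostname, the 4-second timeout, the `x-vault-origin` header and the choice of `/alive` as the probe path are assumptions.

```javascript
// Added example, not the author's Worker. STANDBY and TIMEOUT_MS are assumptions.
const PRIMARY = "https://vault-jetson.bnacuw.dev"; // tunnel hostname named on the page
const STANDBY = "https://vault-standby.example";   // placeholder: standby hostname is not on the page
const TIMEOUT_MS = 4000;                           // assumed; the page only states "<5s" detection

// Probe Vaultwarden's /alive endpoint on the primary.
// A timeout, network error or non-2xx status counts as "down".
async function primaryIsUp(fetchImpl) {
  try {
    const res = await fetchImpl(`${PRIMARY}/alive`, {
      signal: AbortSignal.timeout(TIMEOUT_MS),
    });
    return res.ok;
  } catch {
    return false;
  }
}

// Pick the origin first, then forward the request once, so a write is never
// sent to the primary and then replayed against the standby.
async function routeRequest(request, fetchImpl = fetch) {
  const up = await primaryIsUp(fetchImpl);
  const src = new URL(request.url);
  const target = (up ? PRIMARY : STANDBY) + src.pathname + src.search;
  const hasBody = !["GET", "HEAD"].includes(request.method);
  const upstream = await fetchImpl(target, {
    method: request.method,
    headers: request.headers,
    body: hasBody ? await request.arrayBuffer() : undefined,
    redirect: "manual", // hand redirects back to the client unchanged
  });
  if (upstream.status === 101) return upstream; // WebSocket upgrade: pass through as-is
  // Copy the response so its headers are mutable, then record which origin served it.
  const res = new Response(upstream.body, {
    status: upstream.status,
    statusText: upstream.statusText,
    headers: upstream.headers,
  });
  res.headers.set("x-vault-origin", up ? "primary" : "standby");
  return res;
}

const worker = { fetch: (request) => routeRequest(request) };
// In a Worker module, finish with: export default worker;
```

The `x-vault-origin` header gives monitoring a way to see when the standby is serving traffic, which matters because the standby's data can lag the primary by the interval between the twice-daily rsync runs.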

03 — Backup

Three-Layer Redundancy

Encrypted vault data syncs twice daily via rsync to both a local QNAP NAS and a remote Vultr VPS. The VPS runs a live Vaultwarden instance kept in sync and ready to serve traffic the moment the Worker detects a primary failure.

Open ports on host device: ~0
Independent backup locations: 3
Automatic failover detection: <5s
Subscription fees: $5

Feature Parity with Commercial Services

Access

Every Device, Every Platform

Accessible via the official Bitwarden browser extension (Chrome, Firefox, Edge, Safari) and mobile apps (iOS, Android) simply by pointing them at a private subdomain. Auto-fill, biometric unlock, and save-on-login work identically to any commercial service.

Security

AES-256 Client-Side Encryption

All vault data is encrypted on the client before it ever leaves the device. The server never sees a master password or decrypted credentials — the same zero-knowledge model used by Bitwarden's own cloud service.

Storage

File Attachments Included Free

Secure file attachments — scanned IDs, insurance cards, sensitive documents — are supported natively and encrypted client-side. A premium Bitwarden feature, unlocked for free on self-hosted Vaultwarden.

Reliability

Offline Cache & Local Fallback

Bitwarden clients cache the encrypted vault locally on every logged-in device. If the server is temporarily unreachable, all existing passwords remain accessible and auto-fill continues working without interruption.


Three-Layer Backup Architecture

Primary Live

Jetson Orin Nano Super

The primary Vaultwarden instance. Runs as a Docker container managed by systemd, auto-starting on boot. All live traffic is served from here under normal conditions via the Cloudflare tunnel at vault-jetson.bnacuw.dev.

Secondary Warm Standby

Vultr VPS — Chicago

A live Vaultwarden instance on a remote VPS, kept in sync via twice-daily rsync. The Cloudflare Worker automatically routes traffic here if the Jetson fails a health check — no DNS changes or manual steps required.

Tertiary Local Backup

QNAP NAS

A local encrypted backup of all vault data — database, attachments, and RSA keys — synced twice daily via rsync over the local network. Serves as a disaster recovery restore point if both the Jetson and VPS need to be rebuilt from scratch.


Why Build Instead of Buy

I was paying for a commercial password manager that stored my credentials on someone else's servers. The service worked fine — but the data wasn't mine, the infrastructure wasn't mine, and every month I was paying for the privilege of trusting a third party with my most sensitive information.

I already had the hardware. The Jetson was running a local LLM for BNA-Finances. The QNAP was sitting on the network. I had a real domain, a working Cloudflare tunnel, and Docker already set up. The infrastructure to replace a $180/year subscription was already paid for and sitting idle.

What I built goes beyond a simple replacement. The automatic failover system — a Cloudflare Worker health-checking the Jetson on every request and routing to a VPS standby when needed — delivers higher availability than most paid services without touching Cloudflare's $5/month Load Balancing product. The Worker runs on the free tier. The VPS costs $5/month. The vault itself costs nothing.

The result is a password manager I fully control, that syncs to three independent locations, fails over automatically in under five seconds, and costs less per month than a single cup of coffee.


Stack

Vaultwarden, Docker, Docker Compose, NVIDIA Jetson, Cloudflare Tunnel, Cloudflare Workers, Cloudflare Zero Trust, Vultr VPS, Ubuntu 24.04, systemd, rsync, SQLite, SSH / ed25519, cron, QNAP NAS, Bitwarden Clients