Skip to content
LitePassword
Get started — free
← All migration guides
FROM VAULTWARDEN

Migrate from Vaultwarden to LitePassword (export & decommission guide)

You ran Vaultwarden for the zero-knowledge guarantee and no per-seat fees. Keep the guarantee, drop the container you patch, back up, and keep online. Move in about 15 minutes.

Create your account first Estimated time: ~15 minutes for a 10-person team

Step-by-step migration from Vaultwarden

  1. 01

    Export your vault via a Bitwarden client

    Vaultwarden speaks the Bitwarden protocol, so use any Bitwarden client pointed at your instance. Web vault (or desktop): Tools → Export Vault. Choose ".json" (unencrypted) for the easiest import, or "JSON (Encrypted)" if you want it protected in transit. Each user exports their own vault; an org admin can export shared collections. Save the file locally — never email it or drop it in Slack. It contains decrypted secrets.

  2. 02

    Note your collections and org layout

    Before touching LitePassword, jot down your Vaultwarden organization collections and who has access to each. LitePassword maps "collections" to "vaults" and replaces granular group permissions with three roles plus per-vault access. Plan the mapping on paper first — it makes the import clean.

  3. 03

    Create your LitePassword account

    Go to app.litepassword.com/sign-up. Use your work email and pick a strong master password (16+ characters) — different from your Vaultwarden master password. When the one-time recovery key appears, store it somewhere durable (a sealed envelope, a safe, a separate manager). It is the only way to reset your master password, and we never see it.

  4. 04

    Recreate your structure as vaults

    Create empty shared vaults matching your Vaultwarden collections — "Production credentials", "Client — Acme", "Tooling". One vault per collection is the cleanest mapping. Your private vault is auto-created on first sign-in.

  5. 05

    Import secrets by type

    Open the JSON export in any viewer. Walk through each item and create the matching LitePassword secret: Logins → Login type, Cards → Credit Card, Identities → Custom, Secure Notes → Secure Note. Skip Bitwarden Sends if you have any (LitePassword has no equivalent). Per-type manual entry produces a cleaner vault than a bulk dump, and a 10-person setup usually moves in well under 20 minutes.

  6. 06

    Move TOTP seeds to an authenticator

    If your Vaultwarden setup stored TOTP seeds, those move to a dedicated authenticator app — LitePassword does not generate TOTP codes today. Re-enroll the affected accounts before you shut anything down.

  7. 07

    Invite your team and assign roles

    Users page → Invite user. Pick a role: Admin for owners, Manager for full members who create and edit vaults, View only for contractors. Each person signs up, sets their own master password, and generates their own recovery key. No accounts to provision on a server you run.

  8. 08

    Grant per-vault access

    For each member, open Manage Vault Access and toggle on only the vaults they need. Access is cryptographically enforced — the vault key is wrapped per recipient, so members literally cannot decrypt vaults they were not granted. On their first unlock, the key re-wraps with their master-derived key.

  9. 09

    Securely delete the export

    The JSON from step 1 contains your secrets in (possibly) plaintext. Securely delete it (Mac: rm -P, Linux: shred -u, Windows: SDelete) and empty the trash. Do not keep it "just in case."

  10. 10

    Decommission the Vaultwarden container

    Once everyone has unlocked from LitePassword, run Vaultwarden in parallel for at least a week as a fallback. Then take a final encrypted backup of the database, stop the container (docker compose down), revoke any API tokens, remove the DNS record and reverse-proxy config, and let the TLS certificate lapse. Keep the encrypted backup for 30 days, then delete it permanently. No more patching, backups, or uptime pages.

Why teams leave self-hosted Vaultwarden

Vaultwarden is one of the best ways to self-host a password manager — a lightweight, Bitwarden-compatible server that runs happily on a $5 VPS. The cost isn’t the software; it’s the operations. You run the container, which means OS and image patches, database backups, TLS certificate renewals, version upgrades, monitoring, and the bus-factor risk of being the one person who knows how the instance is wired.

For a 1–12 person team, that maintenance is rarely worth it. You adopted Vaultwarden for the encryption guarantee and the lack of per-seat fees, not for the privilege of being a part-time sysadmin. LitePassword keeps the guarantee — master password derives the key on-device, server holds ciphertext only — and takes the container off your plate at a flat $5–$10/mo.

What changes (and what doesn’t)

Doesn’t change: zero-knowledge architecture, AES-256 encryption, per-vault access control, the principle that the vendor cannot read your data.

Changes for the better: no container to run, flat pricing instead of “free software plus your time”, a recovery-key model with no admin-reset back door, and onboarding that takes a teammate under three minutes.

Changes you should weigh: you lose Bitwarden-client compatibility (apps, extensions, CLI) and open-source. If those are load-bearing, managed Bitwarden may fit better than LitePassword.

After you migrate

  • Confirm each member has unlocked at least one shared vault — that proves the key-wrapping flow worked for them.
  • Double-check logins kept their username + password fields, and that secure notes carried over intact.
  • Run Vaultwarden in parallel for a week, then take a final encrypted backup before you destroy the container, and decommission it cleanly.

Considering whether managed is right for you at all? Read a managed alternative to self-hosted password managers and the side-by-side Vaultwarden vs LitePassword comparison. Coming from Passbolt or cloud Bitwarden instead? See the Passbolt and Bitwarden guides.

RELATED

Considering other tools instead of Vaultwarden?

COMPARE

Bitwarden alternative for small teams (no self-host, no SSO upsell)

Bitwarden is great open-source kit. If you don't want to run your own server and your team is under 12 people, LitePassword is the lighter option.
COMPARE

Passbolt alternative without self-hosting (managed, zero-knowledge)

Passbolt is a fantastic open-source self-host. If you don't have someone who wants to babysit a Postgres + Node deploy, LitePassword gives you the same shape, managed.
COMPARE

Vaultwarden alternative without self-hosting (managed, zero-knowledge)

Vaultwarden is a brilliant lightweight Bitwarden server — until you're the one patching it at 2 a.m. If your team is under 12 and you'd rather not run the box, LitePassword is the managed swap.
MIGRATION FAQ

Common questions about leaving Vaultwarden

How do I export from Vaultwarden if it has no UI of its own?

Vaultwarden is Bitwarden-compatible, so you use a Bitwarden client (web, desktop, or CLI) pointed at your instance and use its built-in Export Vault feature. There is nothing Vaultwarden-specific to learn — it is the standard Bitwarden export flow, just against your server.

How long does a Vaultwarden migration take?

About 15 minutes of focused work for a 10-person team with 50–100 shared secrets, plus a day of calendar time for everyone to sign up, validate, and confirm. Larger or more deeply nested collection structures take a little longer to map to vaults.

Is LitePassword zero-knowledge like Vaultwarden?

Yes. Both derive the encryption key from your master password on your device and store ciphertext only. The difference is operational, not cryptographic — we run the infrastructure so you do not have to, and there is no admin-level decrypt mode on our side.

Can I keep using Bitwarden apps after migrating?

No. The Bitwarden apps and extensions are what made Vaultwarden convenient, but they only work against a Bitwarden-protocol server. LitePassword is its own product with a web vault and one-click copy on every field. If Bitwarden-client compatibility is the whole reason you self-host, migrating to managed Bitwarden may suit you better than LitePassword.

Should I shut down Vaultwarden immediately after migrating?

No — run it in parallel for at least a week so you can validate the migration without losing fallback access. Once every member confirms they can unlock their vaults in LitePassword, take a final encrypted backup, then decommission the container. Keep the backup for 30 days before deleting it.

When does staying on Vaultwarden make more sense?

If you have an ops-comfortable team that already runs the container, you depend on Bitwarden-client compatibility, you have strict data-residency requirements, or your team is well past 12 people, self-hosting may still be the right call. LitePassword is built for 1–12 person teams that would rather not run infrastructure.

Stop sharing passwords in Slack messages.

Create your account in under a minute. Pick a master password. We'll generate your recovery key for you.

Start your new vault → See how vaults work