Docker Guides Most Popular Topics Self Hosted Synology

How To Install Bitwarden with Docker and Synology

Recently, I did a complete overhaul of my old password management system. This is a fancy way of saying I got tired of storing password hints in an Excel spreadsheet and decided I needed a real password management system. If you are security-minded like me and have a ton of different usernames and passwords, Bitwarden is an awesome solution. In this guide, I will go over how to Install Bitwarden with Docker, on a Synology NAS. If you’re in the market for one, check out my recommended models on Amazon just below!

Entry-level NAS: Synology DS220+ on Amazon
Pro-sumer NAS: Synology DS920+ on Amazon
NAS Hard Drives: Seagate IronWolf NAS 6TB on Amazon

**Note – This post moved from my old website but the content is still relevant. If you’d like to read through the comments for help with troubleshooting, you can read them here. Old Comments for How To Install Bitwarden with Docker and Synology

What is Bitwarden?

Bitwarden is an open source password management application. The company offers a free web application where you can create an account and store your credentials on their system. As a security minded company, they take the security of your data very seriously. Your credentials are secured with encryption before ever leaving your device. However, what sets Bitwarden apart from other password services is that they have created and containerized their stack for deployment in your own private environment using Docker. This means if you have a system that can run Docker like a Linux or Windows PC or server, you can easily deploy your own version of Bitwarden with your data locally stored and secured.

Bitwarden provides this guide for installing on any system, but if you want to install Bitwarden on your Synology NAS, keep reading.

A Few Notes & Prerequisites

From start to finish, the task of installing a web application on a system can seem daunting because there are many individual pieces that need to come together in the right order. You will need to have some of those pieces setup, or ready to be set up before starting this guide:

1) Have your Synology Diskstation already accessible from the internet over HTTPS. This means you will need to have a domain name, DNS records and SSL certificate set up. If you have not done that yet, check out my guide here: Synology Diskstation SSL with Let’s Encrypt.

2) An understanding of reverse proxies and CNAME DNS records. This is important if you want to host more than one externally-available service on your Synology.

3) An understanding of Linux command line and an SSH client (I am using PuTTY).

4) Obtain a Hosting Installation ID and Key from Bitwarden.

How To Install Bitwarden with Docker and Synology

First, we need to create a CNAME DNS record with our domain registrar. The CNAME record should point to whatever subdomain you want to use for Bitwarden. For example “”.

Bitwarden Certificate

Next we need to create the SSL certificate specifically for Bitwarden.

1) Log into your NAS and navigate to Control Panel > Security > Certificate.

2) Choose “Add a new certificate”.

3) Choose “Get a certificate from Let’s Encrypt”.

4) Enter your domain name and a valid email address. Also, enter your DDNS hostname as “Subject Alternative Name” if you are using a DDNS service instead of a public IP. Click apply and make sure you get the certificate.

Reverse Proxy

You’ll need to create a reverse proxy entry to access Bitwarden through “”. If you don’t, when you try to visit your subdomain you’ll probably just land on your Synology’s login page. The reverse proxy entry tells the Synology where to redirect incoming requests for “” which will be the Bitwarden webpage on a separate port.

1) Navigate to Control Panel > Application Portal > Reverse Proxy.

2) Click Create, and enter the following information, substituting your subdomain and domain name:

Protocol: HTTPS


Port: 5001 (or whatever port you have for HTTPS in your DSM Settings). Note, if you have HTTPS redirect enabled, you must enter the specific port that DSM listens on for HTTPS.

Destination: HTTP, localhost, port 8123. Click OK.

Synology Reverse Proxy
Assign the Certificate

Now you can assign the certificate you created earlier to your reverse proxy entry.

1) Navigate to Control Panel > Security > Certificate.

2) Click the drop-down next to your reverse proxy entry and select the certificate.

Install Docker

Open the Synology Package Center and install the Docker app. After it is installed and running make a note of where the docker folder is in File Explorer. Mine was under /volume1/docker.

Installing the Bitwarden Stack

Now we are at the point where we can begin installing the application or rather, the containers that Bitwarden has put together.

Start up your SSH client and log into your Synology with the built-in admin account and password. If you follow best practices, you may have already disabled this account so re-enable it temporarily if that is the case. Also (and it should be obvious) you need to have SSH turned on so go to Control Panel > Terminal and do that if needed.

Once you are logged in, elevate to root and re-enter your password:

sudo su –

Change directories to your docker folder:

cd /volume1/docker

Import the install package:

curl -s -o \ \ && sudo chmod u+x

Run the install script:

./ install

Installer Prompts

Enter the following information as the installer prompts you:

Enter the domain name…

Do you want to use Let’s Encrypt to generate…

Enter “n” for no. We already have our certificate.

Enter your installation id and key…

Enter the ID and key you got earlier.

Do you have a SSL certificate to use…

Again, enter “n” for no.

You will see a “WARNING” message but that is ok. The reverse proxy is handling our SSL certificate.

HTTP Port Change

There are some additional changes that the installer either does not prompt for or does not do in this version of Bitwarden. Leave the SSH terminal open and switch to the Synology DSM screen.

Open File Explorer on your Synology and download a copy of the config.yml file at /volume1/docker/config.yml. The line for HTTP port needs to be changed to match our reverse proxy. Change it to 8123 and clear the value for HTTPS:

Bitwarden Config

Save your changes. In File Explorer, rename the original config.yml to config.yml.bak. Then upload your edited config.yml file to the /volume1/docker/ folder.

Create Supporting Directories

Next, you need to create some folders manually since the installer does not do this for some reason. Switch to your SSH terminal and make sure you are still in the docker directory: /volume1/docker.

The following directories need to be created under /docker/bwdata so make sure you are in the docker folder when running these commands. Also, double check the /bwdata folder to see if any of these directories were actually created. The guides I followed mentioned some folders may have been created but that was not the case for me.

Use the mkdir command to make the following directories (or make sure they are already there):


Start Bitwarden

Now you can try starting Bitwarden.

./ start

If you encounter any errors such as “path does not exist” be sure to create that directory and try again. Errors relating to port bindings may also occur if you have another service listening on the specified port. Google is your friend in that case. You can also try running ./ update and then restart Bitwarden itself to see if that helps.

The initial startup will take a minute or so to pull the containers to your NAS. Once finished, you can open the Docker app on Synology and see if all of your containers are running normally. If they are, try visiting the subdomain address you created for Bitwarden.

Update the Database

Before you create an account, you must update the database:

./ updatedb

Last Items to Consider

At this point Bitwarden should be up and running. However, a few more things can be done.

After creating your account (or however many accounts you want), you should disable new registrations by editing /bwdata/env/global.override.env. Change the below line to “true” so that new accounts cannot be registered. This does not remove the button to register, but when someone tries to register, it will fail.


Save your changes to global.override.env and upload to the proper folder.

Additional commands (including update command):

./ install
./ start
./ rebuild
./ restart
./ stop
./ updateself
./ update

Another note worth mentioning is that I had issues using the Docker application to turn the containers on and off. I could turn them all off but they would never all turn back on properly. I found that I had to use the command line to do this. Thankfully, they auto-start when the NAS boots up so if your system goes offline unexpectedly, when it comes back on the Bitwarden application stack will start back up.


If you’ve followed this far and gotten everything up and running, congratulations! Bitwarden has made managing my passwords a breeze. I have access over the web and have also installed their mobile app with fingerprint authentication. Now I can have my passwords anywhere I go.

Thanks for reading and I hope you’ve enjoyed this guide on How To Install Bitwarden with Docker and Synology.

Entry-level NAS: Synology DS220+ on Amazon
Pro-sumer NAS: Synology DS920+ on Amazon
NAS Hard Drives: Seagate IronWolf NAS 6TB on Amazon

Products mentioned are available through affiliate links at no extra cost to you. Using these affiliate links to purchase helps support the blog and allows me to bring you new content. Thank you!

Amazon Associate Program: As an Amazon Associate I earn from qualifying purchases.

Disclaimer: This guide has been paraphrased from an older guide on the Synology forums but includes changes that I encountered with my setup.

Notify of

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Inline Feedbacks
View all comments
Gene Mills

I actually have HA running in a Docker on port 8123. Would this cause a conflict or can I just change the http port to something like 8124?


It did work ok. But I ended up deleting the install until I figure out more about securing the NAS to the internet with some kind of VPN.. wasn’t sure if having a password manager exposed like that would be ok


I believe you can change that. 8123 just came from the documentation that I based this guide on. Give it a try and let me know how it goes. Thanks!!


Really great installation guide! Thanks a lot 🙂


Glad you liked it! Thanks for the comment!!


It should be noted that if you goof anything up after doing the initial install, you may need to perform a rebuild… otherwise, when you run start, you could get errors (I got one for nginx where 443 was already in use… presumably the initial install had built the nginx configs to use port 443 and did not update them without a rebuild)


Very useful run through – have you tried using the native DSM docker interface?


Thanks for the guide – super useful. It would be worth adding that you need to rebuild after updating the config.yml. Question: do I need to manually keep this package up to date, or does docker take care of that for me? If its up to me, what are the commands to do this?


Hello, Chris!
Did you get Admin panel work? i mean
I still can’t solve it…


Thanks for answer. I solve mine issue with setting reverse proxy source port to 443 instead of 5001 and appropriate router’s port-forwarding rule. Now it works as well.



my installation was successfully but unable to access


Hi guys. Logged in as Admin with PuTTY. When i run this line: “curl -s -o \ \ && sudo chmod u+x” I get nothing. Nothing downloads. I’ve tried different folders, and can confirm i can access the link from Google. Any ideas?


Thanks! I typed it in manually… still didn’t work. I tried it without the \, so just
curl -s -o…/ and it worked. Then ran sudo “chmod u+x”. But it didn’t create a config.yml file! Thanks for your quick reply!


All good. Got a permission wrong. Thanks!

Michael Kasper

thanks sharing this guide… my question to point 1) : I have no domain, I’m using Synology quickconnect … is it possible to use and follow this manual?


Thank you very much! Have you ever backup up your vault? What would you recemmend in terms of backing it up?


Thanks Chris! Im relatively new to using Docker and Bitwarden. Im looking in to how to set up something similar. Would you say it’s enough to just have the folder that holds the docker instances backed up? What would the restore process look like?


Thank for such a quick reply! Do i need to think about temporarily stopping the Bitwarden container before proceeding with the backup in order for it to work? (i have set up phone/tablet access)


Hello, I know that this is a relatively “old” post, but I just tryed to install Bitwarden on my Synology, and I’m having a 404 error.

Do you think you can help me?


Thank you for the reply 🙂 my server is accessible on a custom port, lets say 25647: my Synology reverse proxy settings is → http://localhost:27270 (http port specified on the config.yml file). I’m doing inside my local LAN for the moment. After I asked, I also found a NGINX log file, that contains this error message: 2022/02/16 10:12:23 [error] 23013#23013: 481950 upstream timed out (110: Connection timed out) while reading response header from upstream, client: xx.x.xxxx, server:, request: “GET / HTTP/2.0”, upstream: “”, host: “” What do you think? If you need, I can try to give… Read more »


Hello, no luck there also…

Normally my NAS redirects HTTP to HTTPS. I tried this way first (on both HTTP and HTTPS):

  • HTTP: error 504 nginx
  • HTTPS: SSL error

and than I disabled the redirection and tried both, same errors…

I just try to ping, and it works well, the server respond.

I also tried to change the listening ports from 25647 to 443, but nothing changes.

One question: On the config.yml file, what should I have on the following variables?

  • url
  • real_ips

Thanks for your time 🙂


Just for you to know, I managed to get around the issue.

I don’t know when it started, but Bitwarden uses a bridge network on its containers. Synology DSM 7 (?) consider them as outside networks, and block their access.

I had to add a firewall rule on DSM to allow income connections for these networks, and all starts to work! 🙂