How to back up Vaultwarden in Docker (2026)
Vaultwarden spreads its state across its SQLite, PostgreSQL and MySQL databases and 1 data volume on disk, plus compose and .env config. A backup that skips any layer will not restore cleanly. Dockstash auto-detects each layer, dumps the database from inside the container, and stores the lot off-site with restic.
What Vaultwarden stores
| Compose services | vaultwarden |
|---|---|
| Databases detected | sqlite, postgres, mysql |
| Data volumes | vw_data (/data) |
| Config paths | docker-compose.yml, .env |
The backup plan
- Back up the database consistently. For the SQLite default, use sqlite3 ".backup" on /data/db.sqlite3 through the online backup API. For a Postgres/MySQL backend, run pg_dumpall or mysqldump --single-transaction.
- Capture the data directory (keys and attachments). Restic the /data volume: rsa_key files, attachments, sends, icon cache, and config.json. The rsa_key is required to issue and validate tokens after restore.
- Capture compose and .env config. Restic docker-compose.yml and .env, including any ADMIN_TOKEN, so the admin panel and settings match on restore.
Restoring Vaultwarden
The rsa_key files in /data are as important as the database — without them the restored instance cannot validate existing sessions. Vault data is client-side encrypted, but you must still restore the database and keys together. Never copy db.sqlite3 live under WAL.
Back up Vaultwarden in one click All guides
Last updated: July 2026
Frequently asked questions
What must I back up besides the Vaultwarden database?
The rsa_key files, attachments, and sends in /data. The rsa_key signs authentication tokens — lose it and the restored server cannot validate sessions even with a perfect database restore.
Is a live copy of db.sqlite3 safe?
No — under WAL you can capture a torn file. Use sqlite3 ".backup" via the online backup API, or dump the Postgres/MySQL backend if you configured one.
Are my passwords exposed in the backup?
Vault contents are end-to-end encrypted with the user’s master password, so the database stores ciphertext. Still, protect the backup — restic encrypts it at rest with your key.