How to back up Vaultwarden in Docker (2026)

Vaultwarden spreads its state across its SQLite, PostgreSQL and MySQL databases and 1 data volume on disk, plus compose and .env config. A backup that skips any layer will not restore cleanly. Dockstash auto-detects each layer, dumps the database from inside the container, and stores the lot off-site with restic.

What it stores

What Vaultwarden stores

Compose servicesvaultwarden
Databases detectedsqlite, postgres, mysql
Data volumesvw_data (/data)
Config pathsdocker-compose.yml, .env
Step by step

The backup plan

  1. Back up the database consistently. For the SQLite default, use sqlite3 ".backup" on /data/db.sqlite3 through the online backup API. For a Postgres/MySQL backend, run pg_dumpall or mysqldump --single-transaction.
  2. Capture the data directory (keys and attachments). Restic the /data volume: rsa_key files, attachments, sends, icon cache, and config.json. The rsa_key is required to issue and validate tokens after restore.
  3. Capture compose and .env config. Restic docker-compose.yml and .env, including any ADMIN_TOKEN, so the admin panel and settings match on restore.

Restoring Vaultwarden

The rsa_key files in /data are as important as the database — without them the restored instance cannot validate existing sessions. Vault data is client-side encrypted, but you must still restore the database and keys together. Never copy db.sqlite3 live under WAL.

Back up Vaultwarden in one click All guides

Last updated: July 2026

Frequently asked questions

What must I back up besides the Vaultwarden database?

The rsa_key files, attachments, and sends in /data. The rsa_key signs authentication tokens — lose it and the restored server cannot validate sessions even with a perfect database restore.

Is a live copy of db.sqlite3 safe?

No — under WAL you can capture a torn file. Use sqlite3 ".backup" via the online backup API, or dump the Postgres/MySQL backend if you configured one.

Are my passwords exposed in the backup?

Vault contents are end-to-end encrypted with the user’s master password, so the database stores ciphertext. Still, protect the backup — restic encrypts it at rest with your key.