Vaultwarden (Password Manager) — User Guide
Electric Monk provides Vaultwarden — a self-hosted, Bitwarden-compatible password manager at vault.electricmonk.io.
Features
- Password vault — securely store passwords, notes, credit cards, and identities
- End-to-end encrypted — your vault is encrypted with your master password before leaving your device
- Browser extensions — autofill passwords in Chrome, Firefox, Safari, Edge, and Brave
- Mobile apps — iOS and Android apps with biometric unlock
- Desktop apps — Windows, macOS, and Linux
- TOTP generator — built-in authenticator for two-factor codes
- Password generator — generate strong, random passwords
- Secure sharing — share credentials via Organizations
- SSO login — authenticate through Authentik (no separate registration needed)
- Password health reports — identify weak, reused, or breached passwords
Getting Started
Web Vault
- Go to vault.electricmonk.io
- Click Enterprise Single Sign-On
- Enter your Authentik email address
- Authenticate with Authentik
- On first login, you'll be prompted to create a master password
Browser Extension
- Install the Bitwarden extension from your browser's extension store
- Click the extension icon → Settings (gear icon)
- Under Self-hosted Environment, set Server URL to https://vault.electricmonk.io
- Save and go back to the login screen
- Click Enterprise Single Sign-On
- Enter your email and authenticate with Authentik
Mobile App (iOS / Android)
- Install Bitwarden from the App Store or Google Play
- On the login screen, tap Self-hosted (or the region selector)
- Set Server URL to https://vault.electricmonk.io
- Save → tap Enterprise Single Sign-On
- Enter your email and authenticate with Authentik
- Enable biometric unlock (Face ID / fingerprint) in settings for convenience
Desktop App
- Download Bitwarden Desktop from bitwarden.com/download
- Go to Settings → set server URL to https://vault.electricmonk.io
- Log in via Enterprise Single Sign-On
Master Password — How It Works
Your master password is the single most important credential you have. Here's how Vaultwarden uses it:
Encryption Model
Master Password → PBKDF2 (600,000 iterations) → Master Key → Encrypts your vault
- Your master password is never sent to the server in plain text
- It is stretched using PBKDF2-SHA256 with 600,000 iterations
- The derived key encrypts/decrypts your entire vault locally on your device
- The server only stores your encrypted vault — it cannot read your passwords
- Even an administrator with full database access cannot decrypt your vault
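The derivation described above, as an added example (not Vaultwarden's or Bitwarden's own code). The PBKDF2-SHA256 step with 600,000 iterations is from this guide; the email-as-salt choice, the one-round login hash, the direct server-side comparison, and the sample account are assumptions made for illustration.

```python
import hashlib
import hmac

ITERATIONS = 600_000  # PBKDF2-SHA256 work factor stated in this guide


def derive_master_key(password: str, email: str, iterations: int = ITERATIONS) -> bytes:
    """Client-side step: stretch the master password into a 32-byte master key."""
    # Assumption: the salt is the trimmed, lower-cased account email.
    salt = email.strip().lower().encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)


def derive_login_hash(master_key: bytes, password: str) -> bytes:
    """Value the client submits to prove it knows the master password.

    Assumption: one further PBKDF2 round over the master key, salted with the
    password, so neither the password nor the master key leaves the device.
    """
    return hashlib.pbkdf2_hmac("sha256", master_key, password.encode("utf-8"), 1, dklen=32)


def server_accepts(stored_hash: bytes, submitted_hash: bytes) -> bool:
    """Simplified server check: constant-time comparison of two opaque hashes."""
    return hmac.compare_digest(stored_hash, submitted_hash)


def simulate_login(email: str, enrolled_password: str, typed_password: str) -> dict:
    """Run enrolment and one login attempt; report what each side ends up holding."""
    enrolled_key = derive_master_key(enrolled_password, email)
    stored = derive_login_hash(enrolled_key, enrolled_password)  # only this reaches the server
    typed_key = derive_master_key(typed_password, email)
    submitted = derive_login_hash(typed_key, typed_password)
    return {
        "accepted": server_accepts(stored, submitted),
        "server_sees_master_key": stored == enrolled_key,
        "key_matches": typed_key == enrolled_key,
    }


if __name__ == "__main__":
    # Constructed sample account, not a real credential.
    email = "Alice@Example.com"
    print(simulate_login(email, "correct horse battery staple", "correct horse battery staple"))
    # One wrong capital letter yields a different key, so the vault cannot be decrypted.
    print(simulate_login(email, "correct horse battery staple", "Correct horse battery staple"))
```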
Choosing a Strong Master Password
- Use at least 12 characters (16+ recommended)
- Include a mix of uppercase, lowercase, numbers, and symbols
- Consider a passphrase: 4–6 random words (e.g., "correct horse battery staple")
- Do not reuse a password from any other service
- Do not store your master password in the vault itself
Master Password Recovery
There is no "forgot password" recovery. If you forget your master password and have no other recovery method, your vault data is permanently lost.
This is by design — it's what makes the encryption trustworthy. The server never has access to your master password or decryption keys.
Recovery Options
Set these up before you need them:
1. Emergency Access (Recommended)
Designate a trusted person who can request access to your vault after a configurable waiting period:
- Web vault → Settings → Emergency Access
- Invite a trusted contact (they need a Vaultwarden account)
- Set the wait time (e.g., 7 days) — this is the delay before they can access your vault
- The trusted person can request access; you get notified and can reject it
- If you don't respond within the wait period, they gain read-only (or takeover) access
2. Recovery Key / Backup
- Export your vault periodically: Tools → Export Vault
- Choose encrypted JSON format (protected by your master password)
- Store the export in a physically secure location (USB drive in a safe, etc.)
- Never store an unencrypted export digitally
3. Write It Down
- Write your master password on paper
- Store it in a physical safe, safety deposit box, or sealed envelope with a trusted person
- This is explicitly recommended by Bitwarden/Vaultwarden for critical accounts
What Happens If You Lose Your Master Password
| Situation | Outcome |
|---|---|
| Biometric unlock still active on a device | Log in with biometrics, change master password in settings |
| Emergency Access contact configured | They can request access after the waiting period |
| Recent vault export exists | Create a new account, import the export |
| None of the above | Vault is permanently lost — create a new account and start over |
Security Best Practices
Two-Factor Authentication (2FA)
Protect your vault with a second factor beyond your master password:
- Web vault → Settings → Two-step Login
- Recommended methods:
  - Authenticator app (TOTP) — use Bitwarden's built-in TOTP or a separate app
  - Security key (FIDO2/WebAuthn) — YubiKey, etc.
- Save your 2FA recovery code somewhere outside the vault (paper, etc.)
Session Management
- Review active sessions: Settings → Sessions
- Deauthorize Sessions to log out all devices if a device is lost/stolen
- Set vault timeout: lock the vault after a period of inactivity
- Recommended: Lock (requires master password) rather than Log out (requires re-auth with SSO)
Browser Extension Security
- Set the extension to lock on browser restart
- Enable PIN or biometric unlock for convenience without reducing security
- Never save your master password in your browser's built-in password manager
Organizations (Shared Vaults)
Organizations let you share credentials securely with other users:
- Web vault → New Organization
- Invite members by email (they must have Vaultwarden accounts)
- Create Collections to organize shared items
- Assign collection access per-member
Shared items are encrypted — each member's copy is encrypted with their own keys.
Troubleshooting
"Invalid master password"
- Master passwords are case-sensitive — check caps lock
- Try typing it in a text editor first to verify
- If you've changed your Authentik password, your master password is unchanged (they are separate — Authentik is for SSO login, master password is for vault encryption)
Can't log in with SSO
- Ensure server URL is set to https://vault.electricmonk.io
- Try the web vault directly at vault.electricmonk.io
- Verify your Authentik account at auth.electricmonk.io
Vault not syncing
- Check your internet connection
- Pull down to refresh (mobile) or click the sync icon (extension/desktop)
- Verify the server URL is correct in your app settings