2022-11-20 19:15:45 +01:00
# shellcheck disable=SC2034,SC2148
2021-04-27 23:18:32 +02:00
## Vaultwarden Configuration File
2018-06-12 21:09:42 +02:00
## Uncomment any of the following lines to change the defaults
2020-09-12 21:47:24 +02:00
##
## Be aware that most of these settings will be overridden if they were changed
2020-08-13 17:49:25 +02:00
## in the admin interface. Those overrides are stored within DATA_FOLDER/config.json .
2022-02-16 14:42:12 -05:00
##
2022-11-20 19:15:45 +01:00
## By default, Vaultwarden expects for this file to be named ".env" and located
2022-02-16 14:42:12 -05:00
## in the current working directory. If this is not the case, the environment
## variable ENV_FILE can be set to the location of this file prior to starting
2022-11-20 19:15:45 +01:00
## Vaultwarden.
2018-06-12 21:09:42 +02:00
2024-01-31 03:15:37 +09:00
####################
### Data folders ###
####################
2018-06-12 21:09:42 +02:00
## Main data folder
2025-05-29 12:40:58 -07:00
## This can be a path to local folder or a path to an external location
## depending on features enabled at build time. Possible external locations:
##
## - AWS S3 Bucket (via `s3` feature): s3://bucket-name/path/to/folder
##
## When using an external location, make sure to set TMP_FOLDER,
## TEMPLATES_FOLDER, and DATABASE_URL to local paths and/or a remote database
## location.
2018-06-12 21:09:42 +02:00
# DATA_FOLDER=data
2024-01-31 03:15:37 +09:00
## Individual folders, these override %DATA_FOLDER%
# RSA_KEY_FILENAME=data/rsa_key
# ICON_CACHE_FOLDER=data/icon_cache
# ATTACHMENTS_FOLDER=data/attachments
# SENDS_FOLDER=data/sends
2025-05-29 12:40:58 -07:00
## Temporary folder used for storing temporary file uploads
## Must be a local path.
2024-01-31 03:15:37 +09:00
# TMP_FOLDER=data/tmp
2025-05-29 12:40:58 -07:00
## HTML template overrides data folder
## Must be a local path.
2024-01-31 03:15:37 +09:00
# TEMPLATES_FOLDER=data/templates
## Automatically reload the templates for every request, slow, use only for development
# RELOAD_TEMPLATES=false
## Web vault settings
# WEB_VAULT_FOLDER=web-vault/
# WEB_VAULT_ENABLED=true
#########################
### Database settings ###
#########################
2019-06-02 13:44:59 +02:00
## Database URL
Reject unrecognised DATABASE_URL instead of silent SQLite fallback (#7061)
* Panic on unrecognised DATABASE_URL instead of silent SQLite fallback
Previously, any DATABASE_URL that did not match the mysql: or postgresql:
prefix was silently treated as a SQLite file path. This caused data loss
in containerised environments when the URL was misconfigured (typos,
quoting issues), as vaultwarden would create an ephemeral SQLite database
that was wiped on restart.
Now, an explicit sqlite:// prefix is supported and used as the default.
Bare paths without a recognised scheme are still accepted for backwards
compatibility, but only if the database file already exists. If not, the
process panics with a clear error message.
Relates to #2835, #1910, #860.
* Use err!() instead of panic!() for unrecognised DATABASE_URL
Follow the established codebase convention where configuration
validation errors use err!() to propagate gracefully, rather than
panic!(). The error propagates through from_config() and is caught
by create_db_pool() which logs and calls exit(1).
* Use 'scheme' instead of 'prefix' in DATABASE_URL messages
Per review feedback, 'scheme' is the more accurate term for the
sqlite:// portion of the URL.
2026-05-16 19:18:53 +00:00
## When using SQLite, this should use the sqlite:// scheme followed by the path
## to the DB file. It defaults to sqlite://%DATA_FOLDER%/db.sqlite3.
## Bare paths without the sqlite:// scheme are supported for backwards compatibility,
## but only if the database file already exists.
# DATABASE_URL=sqlite://data/db.sqlite3
2020-08-13 02:33:22 -07:00
## When using MySQL, specify an appropriate connection URI.
2024-01-31 03:15:37 +09:00
## Details: https://docs.diesel.rs/2.1.x/diesel/mysql/struct.MysqlConnection.html
2020-08-13 02:33:22 -07:00
# DATABASE_URL=mysql://user:password@host[:port]/database_name
## When using PostgreSQL, specify an appropriate connection URI (recommended)
## or keyword/value connection string.
## Details:
2024-01-31 03:15:37 +09:00
## - https://docs.diesel.rs/2.1.x/diesel/pg/struct.PgConnection.html
2020-08-13 02:33:22 -07:00
## - https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-CONNSTRING
# DATABASE_URL=postgresql://user:password@host[:port]/database_name
2019-06-02 13:44:59 +02:00
2024-01-31 03:15:37 +09:00
## Enable WAL for the DB
## Set to false to avoid enabling WAL during startup.
## Note that if the DB already has WAL enabled, you will also need to disable WAL in the DB,
## this setting only prevents Vaultwarden from automatically enabling it on start.
## Please read project wiki page about this setting first before changing the value as it can
## cause performance degradation or might render the service unable to start.
# ENABLE_DB_WAL=true
## Database connection retries
## Number of times to retry the database connection during startup, with 1 second delay between each retry, set to 0 to retry indefinitely
# DB_CONNECTION_RETRIES=15
2020-10-06 15:23:55 +02:00
2023-07-29 13:10:46 +02:00
## Database timeout
## Timeout when acquiring database connection
# DATABASE_TIMEOUT=30
2025-08-25 18:11:36 -04:00
## Database idle timeout
## Timeout in seconds before idle connections to the database are closed.
# DATABASE_IDLE_TIMEOUT=600
## Database min connections
## Define the minimum size of the connection pool used for connecting to the database.
# DATABASE_MIN_CONNS=2
2024-01-31 03:15:37 +09:00
## Database max connections
2025-08-25 18:11:36 -04:00
## Define the maximum size of the connection pool used for connecting to the database.
2024-01-31 03:15:37 +09:00
# DATABASE_MAX_CONNS=10
2022-04-26 17:50:20 -07:00
## Database connection initialization
## Allows SQL statements to be run whenever a new database connection is created.
2022-04-29 00:26:49 -07:00
## This is mainly useful for connection-scoped pragmas.
## If empty, a database-specific default is used:
## - SQLite: "PRAGMA busy_timeout = 5000; PRAGMA synchronous = NORMAL;"
## - MySQL: ""
## - PostgreSQL: ""
# DATABASE_CONN_INIT=""
2022-04-26 17:50:20 -07:00
2024-01-31 03:15:37 +09:00
#################
### WebSocket ###
#################
2018-06-12 21:09:42 +02:00
2024-03-17 19:52:55 +01:00
## Enable websocket notifications
# ENABLE_WEBSOCKET=true
2018-09-13 20:59:51 +02:00
2024-01-31 03:15:37 +09:00
##########################
### Push notifications ###
##########################
2023-06-11 13:28:18 +02:00
## Enables push notifications (requires key and id from https://bitwarden.com/host)
2024-01-31 03:15:37 +09:00
## Details about mobile client push notification:
## - https://github.com/dani-garcia/vaultwarden/wiki/Enabling-Mobile-Client-push-notification
# PUSH_ENABLED=false
2023-06-11 13:28:18 +02:00
# PUSH_INSTALLATION_ID=CHANGEME
# PUSH_INSTALLATION_KEY=CHANGEME
2024-07-30 20:42:56 +03:00
# WARNING: Do not modify the following settings unless you fully understand their implications!
# Default Push Relay and Identity URIs
2023-07-29 13:10:46 +02:00
# PUSH_RELAY_URI=https://push.bitwarden.com
2024-01-01 16:01:57 +01:00
# PUSH_IDENTITY_URI=https://identity.bitwarden.com
2024-07-30 20:42:56 +03:00
# European Union Data Region Settings
# If you have selected "European Union" as your data region, use the following URIs instead.
# PUSH_RELAY_URI=https://api.bitwarden.eu
# PUSH_IDENTITY_URI=https://identity.bitwarden.eu
2023-06-11 13:28:18 +02:00
2024-01-31 03:15:37 +09:00
#####################
### Schedule jobs ###
#####################
2022-12-15 17:15:48 +01:00
2021-04-02 20:16:49 -07:00
## Job scheduler settings
##
## Job schedules use a cron-like syntax (as parsed by https://crates.io/crates/cron),
## and are always in terms of UTC time (regardless of your local time zone settings).
##
2022-11-20 19:15:45 +01:00
## The schedule format is a bit different from crontab as crontab does not contains seconds.
2025-06-15 00:19:08 +01:00
## You can test the format here: https://crontab.guru, but remove the first digit!
2022-11-20 19:15:45 +01:00
## SEC MIN HOUR DAY OF MONTH MONTH DAY OF WEEK
## "0 30 9,12,15 1,15 May-Aug Mon,Wed,Fri"
## "0 30 * * * * "
## "0 30 1 * * * "
##
2021-04-02 20:16:49 -07:00
## How often (in ms) the job scheduler thread checks for jobs that need running.
## Set to 0 to globally disable scheduled jobs.
# JOB_POLL_INTERVAL_MS=30000
##
## Cron schedule of the job that checks for Sends past their deletion date.
2021-04-05 23:12:36 -07:00
## Defaults to hourly (5 minutes after the hour). Set blank to disable this job.
# SEND_PURGE_SCHEDULE="0 5 * * * *"
2021-04-02 20:52:15 -07:00
##
## Cron schedule of the job that checks for trashed items to delete permanently.
2021-04-05 23:12:36 -07:00
## Defaults to daily (5 minutes after midnight). Set blank to disable this job.
# TRASH_PURGE_SCHEDULE="0 5 0 * * *"
2021-03-24 20:15:55 +01:00
##
2021-10-25 01:36:05 -07:00
## Cron schedule of the job that checks for incomplete 2FA logins.
## Defaults to once every minute. Set blank to disable this job.
# INCOMPLETE_2FA_SCHEDULE="30 * * * * *"
##
2021-10-19 01:27:50 -07:00
## Cron schedule of the job that sends expiration reminders to emergency access grantors.
2022-11-26 19:07:28 +01:00
## Defaults to hourly (3 minutes after the hour). Set blank to disable this job.
# EMERGENCY_NOTIFICATION_REMINDER_SCHEDULE="0 3 * * * *"
2021-03-24 20:15:55 +01:00
##
2021-10-19 01:27:50 -07:00
## Cron schedule of the job that grants emergency access requests that have met the required wait time.
2022-11-26 19:07:28 +01:00
## Defaults to hourly (7 minutes after the hour). Set blank to disable this job.
# EMERGENCY_REQUEST_TIMEOUT_SCHEDULE="0 7 * * * *"
2022-11-20 19:15:45 +01:00
##
## Cron schedule of the job that cleans old events from the event table.
## Defaults to daily. Set blank to disable this job. Also without EVENTS_DAYS_RETAIN set, this job will not start.
# EVENT_CLEANUP_SCHEDULE="0 10 0 * * *"
2024-01-31 03:15:37 +09:00
## Number of days to retain events stored in the database.
## If unset (the default), events are kept indefinitely and the scheduled job is disabled!
# EVENTS_DAYS_RETAIN=
##
## Cron schedule of the job that cleans old auth requests from the auth request.
## Defaults to every minute. Set blank to disable this job.
# AUTH_REQUEST_PURGE_SCHEDULE="30 * * * * *"
2024-07-24 09:50:35 -05:00
##
## Cron schedule of the job that cleans expired Duo contexts from the database. Does nothing if Duo MFA is disabled or set to use the legacy iframe prompt.
## Defaults to every minute. Set blank to disable this job.
# DUO_CONTEXT_PURGE_SCHEDULE="30 * * * * *"
2025-08-08 23:22:22 +02:00
#
2025-12-06 22:20:04 +01:00
## Cron schedule of the job that cleans sso auth from incomplete flow
2025-08-08 23:22:22 +02:00
## Defaults to daily (20 minutes after midnight). Set blank to disable this job.
2025-12-06 22:20:04 +01:00
# PURGE_INCOMPLETE_SSO_AUTH="0 20 0 * * *"
2021-04-02 20:16:49 -07:00
2024-01-31 03:15:37 +09:00
########################
### General settings ###
########################
2018-12-06 20:35:25 +01:00
2024-01-31 03:15:37 +09:00
## Domain settings
## The domain must match the address from where you access the server
## It's recommended to configure this value, otherwise certain functionality might not work,
## like attachment downloads, email links and U2F.
## For U2F to work, the server must use HTTPS, you can use Let's Encrypt for free certs
## To use HTTPS, the recommended way is to put Vaultwarden behind a reverse proxy
## Details:
## - https://github.com/dani-garcia/vaultwarden/wiki/Enabling-HTTPS
## - https://github.com/dani-garcia/vaultwarden/wiki/Proxy-examples
## For development
# DOMAIN=http://localhost
## For public server
# DOMAIN=https://vw.domain.tld
## For public server (URL with port number)
# DOMAIN=https://vw.domain.tld:8443
## For public server (URL with path)
# DOMAIN=https://domain.tld/vw
2020-07-22 21:50:49 -07:00
2024-01-31 03:15:37 +09:00
## Controls whether users are allowed to create Bitwarden Sends.
## This setting applies globally to all users.
## To control this on a per-org basis instead, use the "Disable Send" org policy.
# SENDS_ALLOWED=true
2018-12-06 20:35:25 +01:00
2024-01-31 03:15:37 +09:00
## HIBP Api Key
## HaveIBeenPwned API Key, request it here: https://haveibeenpwned.com/API/Key
# HIBP_API_KEY=
2019-04-27 20:14:37 +02:00
2024-01-31 03:15:37 +09:00
## Per-organization attachment storage limit (KB)
## Max kilobytes of attachment storage allowed per organization.
## When this limit is reached, organization members will not be allowed to upload further attachments for ciphers owned by that organization.
# ORG_ATTACHMENT_LIMIT=
## Per-user attachment storage limit (KB)
## Max kilobytes of attachment storage allowed per user.
## When this limit is reached, the user will not be allowed to upload further attachments.
# USER_ATTACHMENT_LIMIT=
## Per-user send storage limit (KB)
## Max kilobytes of send storage allowed per user.
## When this limit is reached, the user will not be allowed to upload further sends.
# USER_SEND_LIMIT=
2019-03-25 14:12:41 +01:00
2024-01-31 03:15:37 +09:00
## Number of days to wait before auto-deleting a trashed item.
## If unset (the default), trashed items are not auto-deleted.
## This setting applies globally, so make sure to inform all users of any changes to this setting.
# TRASH_AUTO_DELETE_DAYS=
2019-02-18 14:57:21 +00:00
2024-01-31 03:15:37 +09:00
## Number of minutes to wait before a 2FA-enabled login is considered incomplete,
## resulting in an email notification. An incomplete 2FA login is one where the correct
## master password was provided but the required 2FA step was not completed, which
## potentially indicates a master password compromise. Set to 0 to disable this check.
## This setting applies globally to all users.
# INCOMPLETE_2FA_TIME_LIMIT=3
## Disable icon downloading
## Set to true to disable icon downloading in the internal icon service.
## This still serves existing icons from $ICON_CACHE_FOLDER, without generating any external
## network requests. $ICON_CACHE_TTL must also be set to 0; otherwise, the existing icons
## will be deleted eventually, but won't be downloaded again.
# DISABLE_ICON_DOWNLOAD=false
## Controls if new users can register
# SIGNUPS_ALLOWED=true
## Controls if new users need to verify their email address upon registration
2025-03-17 16:28:01 +01:00
## On new client versions, this will require the user to verify their email at signup time.
## On older clients, it will require the user to verify their email before they can log in.
2024-01-31 03:15:37 +09:00
## The welcome email will include a verification link, and login attempts will periodically
## trigger another verification email to be sent.
# SIGNUPS_VERIFY=false
## If SIGNUPS_VERIFY is set to true, this limits how many seconds after the last time
## an email verification link has been sent another verification email will be sent
# SIGNUPS_VERIFY_RESEND_TIME=3600
## If SIGNUPS_VERIFY is set to true, this limits how many times an email verification
## email will be re-sent upon an attempted login.
# SIGNUPS_VERIFY_RESEND_LIMIT=6
## Controls if new users from a list of comma-separated domains can register
## even if SIGNUPS_ALLOWED is set to false
# SIGNUPS_DOMAINS_WHITELIST=example.com,example.net,example.org
## Controls whether event logging is enabled for organizations
## This setting applies to organizations.
## Disabled by default. Also check the EVENT_CLEANUP_SCHEDULE and EVENTS_DAYS_RETAIN settings.
# ORG_EVENTS_ENABLED=false
## Controls which users can create new orgs.
## Blank or 'all' means all users can create orgs (this is the default):
# ORG_CREATION_USERS=
## 'none' means no users can create orgs:
# ORG_CREATION_USERS=none
## A comma-separated list means only those users can create orgs:
# ORG_CREATION_USERS=admin1@example.com,admin2@example.com
2025-06-15 00:19:08 +01:00
## Allows org admins to invite users, even when signups are disabled
2024-01-31 03:15:37 +09:00
# INVITATIONS_ALLOWED=true
## Name shown in the invitation emails that don't come from a specific organization
# INVITATION_ORG_NAME=Vaultwarden
## The number of hours after which an organization invite token, emergency access invite token,
## email verification token and deletion request token will expire (must be at least 1)
# INVITATION_EXPIRATION_HOURS=120
## Controls whether users can enable emergency access to their accounts.
## This setting applies globally to all users.
# EMERGENCY_ACCESS_ALLOWED=true
## Controls whether users can change their email.
## This setting applies globally to all users
# EMAIL_CHANGE_ALLOWED=true
## Number of server-side passwords hashing iterations for the password hash.
## The default for new users. If changed, it will be updated during login for existing users.
# PASSWORD_ITERATIONS=600000
2024-11-12 21:22:25 +01:00
## Controls whether users can set or show password hints. This setting applies globally to all users.
2024-01-31 03:15:37 +09:00
# PASSWORD_HINTS_ALLOWED=true
## Controls whether a password hint should be shown directly in the web page if
2024-11-12 21:22:25 +01:00
## SMTP service is not configured and password hints are allowed.
## Not recommended for publicly-accessible instances because this provides
## unauthenticated access to potentially sensitive data.
2024-01-31 03:15:37 +09:00
# SHOW_PASSWORD_HINT=false
#########################
### Advanced settings ###
#########################
## Client IP Header, used to identify the IP of the client, defaults to "X-Real-IP"
## Set to the string "none" (without quotes), to disable any headers and just use the remote IP
# IP_HEADER=X-Real-IP
2020-10-04 14:13:31 +02:00
2021-12-20 01:34:31 -08:00
## Icon service
## The predefined icon services are: internal, bitwarden, duckduckgo, google.
## To specify a custom icon service, set a URL template with exactly one instance of `{}`,
## which is replaced with the domain. For example: `https://icon.example.com/domain/{}`.
##
## `internal` refers to Vaultwarden's built-in icon fetching implementation.
2021-12-29 18:01:32 -08:00
## If an external service is set, an icon request to Vaultwarden will return an HTTP
2021-12-20 01:34:31 -08:00
## redirect to the corresponding icon at the external service. An external service may
## be useful if your Vaultwarden instance has no external network connectivity, or if
## you are concerned that someone may probe your instance to try to detect whether icons
## for certain sites have been cached.
# ICON_SERVICE=internal
2021-12-29 18:01:32 -08:00
## Icon redirect code
## The HTTP status code to use for redirects to an external icon service.
2022-01-08 23:40:35 -08:00
## The supported codes are 301 (legacy permanent), 302 (legacy temporary), 307 (temporary), and 308 (permanent).
2021-12-29 18:01:32 -08:00
## Temporary redirects are useful while testing different icon services, but once a service
2022-01-08 23:40:35 -08:00
## has been decided on, consider using permanent redirects for cacheability. The legacy codes
## are currently better supported by the Bitwarden clients.
# ICON_REDIRECT_CODE=302
2021-12-29 18:01:32 -08:00
2024-01-31 03:15:37 +09:00
## Cache time-to-live for successfully obtained icons, in seconds (0 is "forever")
## Default: 2592000 (30 days)
# ICON_CACHE_TTL=2592000
## Cache time-to-live for icons which weren't available, in seconds (0 is "forever")
2025-12-07 06:11:58 +09:00
## Default: 259200 (3 days)
2024-01-31 03:15:37 +09:00
# ICON_CACHE_NEGTTL=259200
2019-01-28 23:58:32 +01:00
2019-02-12 21:56:28 +01:00
## Icon download timeout
## Configure the timeout value when downloading the favicons.
2025-06-15 00:19:08 +01:00
## The default is 10 seconds, but this could be too low on slower network connections
2019-02-12 21:56:28 +01:00
# ICON_DOWNLOAD_TIMEOUT=10
2024-07-12 22:33:11 +02:00
## Block HTTP domains/IPs by Regex
## Any domains or IPs that match this regex won't be fetched by the internal HTTP client.
2019-03-18 22:12:39 +01:00
## Useful to hide other servers in the local network. Check the WIKI for more details
2025-06-15 00:19:08 +01:00
## NOTE: Always enclose this regex within single quotes!
2024-07-12 22:33:11 +02:00
# HTTP_REQUEST_BLOCK_REGEX='^(192\.168\.0\.[0-9]+|192\.168\.1\.[0-9]+)$'
2019-03-18 22:12:39 +01:00
2025-06-15 00:19:08 +01:00
## Enabling this will cause the internal HTTP client to refuse to connect to any non-global IP address.
2020-10-06 18:54:21 +02:00
## Useful to secure your internal environment: See https://en.wikipedia.org/wiki/Reserved_IP_addresses for a list of IPs which it will block
2024-07-12 22:33:11 +02:00
# HTTP_REQUEST_BLOCK_NON_GLOBAL_IPS=true
2019-10-08 13:30:17 +02:00
2024-01-31 03:15:37 +09:00
## Client Settings
## Enable experimental feature flags for clients.
## This is a comma-separated list of flags, e.g. "flag1,flag2,flag3".
2025-05-26 21:00:59 +02:00
## Note that clients cache the /api/config endpoint for about 1 hour and it could take some time before they are enabled or disabled!
2024-01-31 03:15:37 +09:00
##
## The following flags are available:
2026-03-23 21:21:21 +01:00
## - "pm-5594-safari-account-switching": Enable account switching in Safari. (Safari >= 2026.2.0)
## - "ssh-agent": Enable SSH agent support on Desktop. (Desktop >= 2024.12.0)
## - "ssh-agent-v2": Enable newer SSH agent support. (Desktop >= 2026.2.1)
## - "ssh-key-vault-item": Enable the creation and use of SSH key vault items. (Clients >= 2024.12.0)
## - "pm-25373-windows-biometrics-v2": Enable the new implementation of biometrics on Windows. (Desktop >= 2025.11.0)
## - "anon-addy-self-host-alias": Enable configuring self-hosted Anon Addy alias generator. (Android >= 2025.3.0, iOS >= 2025.4.0)
## - "simple-login-self-host-alias": Enable configuring self-hosted Simple Login alias generator. (Android >= 2025.3.0, iOS >= 2025.4.0)
## - "mutual-tls": Enable the use of mutual TLS on Android (Clients >= 2025.2.0)
## - "cxp-import-mobile": Enable the import via CXP on iOS (Clients >= 2025.9.2)
## - "cxp-export-mobile": Enable the export via CXP on iOS (Clients >= 2025.9.2)
## - "pm-30529-webauthn-related-origins":
## - "desktop-ui-migration-milestone-1": Special feature flag for desktop UI (Desktop >= 2026.2.0)
## - "desktop-ui-migration-milestone-2": Special feature flag for desktop UI (Desktop >= 2026.2.0)
## - "desktop-ui-migration-milestone-3": Special feature flag for desktop UI (Desktop >= 2026.2.0)
## - "desktop-ui-migration-milestone-4": Special feature flag for desktop UI (Desktop >= 2026.2.0)
# EXPERIMENTAL_CLIENT_FEATURE_FLAGS=
2020-10-06 18:54:21 +02:00
2024-01-31 03:15:37 +09:00
## Require new device emails. When a user logs in an email is required to be sent.
## If sending the email fails the login attempt will fail!!
# REQUIRE_DEVICE_EMAIL=false
2018-12-18 18:52:58 +01:00
2024-01-31 03:15:37 +09:00
## Enable extended logging, which shows timestamps and targets in the logs
# EXTENDED_LOGGING=true
2019-11-24 22:28:49 -07:00
2024-01-31 03:15:37 +09:00
## Timestamp format used in extended logging.
## Format specifiers: https://docs.rs/chrono/latest/chrono/format/strftime
# LOG_TIMESTAMP_FORMAT="%Y-%m-%d %H:%M:%S.%3f"
2019-11-24 22:28:49 -07:00
2024-01-31 03:15:37 +09:00
## Logging to Syslog
## This requires extended logging
# USE_SYSLOG=false
2019-11-24 22:28:49 -07:00
2024-01-31 03:15:37 +09:00
## Logging to file
# LOG_FILE=/path/to/log
2019-11-16 15:01:45 -07:00
2024-01-31 03:15:37 +09:00
## Log level
## Change the verbosity of the log output
## Valid values are "trace", "debug", "info", "warn", "error" and "off"
2024-07-24 16:49:03 +02:00
## Setting it to "trace" or "debug" would also show logs for mounted routes and static file, websocket and alive requests
## For a specific module append a comma separated `path::to::module=log_level`
## For example, to only see debug logs for icons use: LOG_LEVEL="info,vaultwarden::api::icons=debug"
2024-01-31 03:15:37 +09:00
# LOG_LEVEL=info
2020-08-05 22:35:29 -07:00
2023-02-28 23:09:51 +01:00
## Token for the admin interface, preferably an Argon2 PCH string
## Vaultwarden has a built-in generator by calling `vaultwarden hash`
## For details see: https://github.com/dani-garcia/vaultwarden/wiki/Enabling-admin-page#secure-the-admin_token
2018-12-18 18:52:58 +01:00
## If not set, the admin panel is disabled
2023-02-28 23:09:51 +01:00
## New Argon2 PHC string
2023-04-04 17:02:24 +02:00
## Note that for some environments, like docker-compose you need to escape all the dollar signs `$` with an extra dollar sign like `$$`
## Also, use single quotes (') instead of double quotes (") to enclose the string when needed
2023-02-28 23:09:51 +01:00
# ADMIN_TOKEN='$argon2id$v=19$m=65540,t=3,p=4$MmeKRnGK5RW5mJS7h3TOL89GrpLPXJPAtTK8FTqj9HM$DqsstvoSAETl9YhnsXbf43WeaUwJC6JhViIvuPoig78'
## Old plain text string (Will generate warnings in favor of Argon2)
2018-12-18 18:52:58 +01:00
# ADMIN_TOKEN=Vy2VyYTTsKPv8W5aEOWUbB/Bt3DEKePbHmI4m9VcemUMS2rEviDowNAFqYi1xjmp
2019-10-08 19:33:27 +02:00
## Enable this to bypass the admin panel security. This option is only
## meant to be used with the use of a separate auth layer in front
2019-02-20 14:44:35 -06:00
# DISABLE_ADMIN_TOKEN=false
2018-12-18 18:52:58 +01:00
2024-01-31 03:15:37 +09:00
## Number of seconds, on average, between admin login requests from the same IP address before rate limiting kicks in.
# ADMIN_RATELIMIT_SECONDS=300
## Allow a burst of requests of up to this size, while maintaining the average indicated by `ADMIN_RATELIMIT_SECONDS`.
# ADMIN_RATELIMIT_MAX_BURST=3
2018-08-10 15:21:42 +02:00
2024-01-31 03:15:37 +09:00
## Set the lifetime of admin sessions to this value (in minutes).
# ADMIN_SESSION_LIFETIME=20
2018-07-12 23:28:01 +02:00
2020-10-06 18:54:21 +02:00
## Allowed iframe ancestors (Know the risks!)
## https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors
## Allows other domains to embed the web vault into an iframe, useful for embedding into secure intranets
## This adds the configured value to the 'Content-Security-Policy' headers 'frame-ancestors' value.
## Multiple values must be separated with a whitespace.
# ALLOWED_IFRAME_ANCESTORS=
2024-12-15 00:27:20 +01:00
## Allowed connect-src (Know the risks!)
## https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/connect-src
## Allows other domains to URLs which can be loaded using script interfaces like the Forwarded email alias feature
## This adds the configured value to the 'Content-Security-Policy' headers 'connect-src' value.
## Multiple values must be separated with a whitespace. And only HTTPS values are allowed.
## Example: "https://my-addy-io.domain.tld https://my-simplelogin.domain.tld"
# ALLOWED_CONNECT_SRC=""
2021-12-25 01:10:21 +01:00
## Number of seconds, on average, between login requests from the same IP address before rate limiting kicks in.
# LOGIN_RATELIMIT_SECONDS=60
## Allow a burst of requests of up to this size, while maintaining the average indicated by `LOGIN_RATELIMIT_SECONDS`.
## Note that this applies to both the login and the 2FA, so it's recommended to allow a burst size of at least 2.
# LOGIN_RATELIMIT_MAX_BURST=10
2024-01-31 03:15:37 +09:00
## BETA FEATURE: Groups
## Controls whether group support is enabled for organizations
## This setting applies to organizations.
## Disabled by default because this is a beta feature, it contains known issues!
## KNOW WHAT YOU ARE DOING!
# ORG_GROUPS_ENABLED=false
2021-12-25 01:10:21 +01:00
2024-07-24 21:49:01 +02:00
## Increase secure note size limit (Know the risks!)
## Sets the secure note size limit to 100_000 instead of the default 10_000.
## WARNING: This could cause issues with clients. Also exports will not work on Bitwarden servers!
## KNOW WHAT YOU ARE DOING!
# INCREASE_NOTE_SIZE_LIMIT=false
2024-08-30 21:37:59 +02:00
## Enforce Single Org with Reset Password Policy
## Enforce that the Single Org policy is enabled before setting the Reset Password policy
## Bitwarden enforces this by default. In Vaultwarden we encouraged to use multiple organizations because groups were not available.
## Setting this to true will enforce the Single Org Policy to be enabled before you can enable the Reset Password policy.
# ENFORCE_SINGLE_ORG_WITH_RESET_PW_POLICY=false
2025-11-26 01:26:10 +01:00
## Prefer IPv6 (AAAA) resolving
## This settings configures the DNS resolver to resolve IPv6 first, and if not available try IPv4
## This could be useful in IPv6 only environments.
# DNS_PREFER_IPV6=false
2025-08-08 23:22:22 +02:00
#####################################
### SSO settings (OpenID Connect) ###
#####################################
## Controls whether users can login using an OpenID Connect identity provider
# SSO_ENABLED=false
## Prevent users from logging in directly without going through SSO
# SSO_ONLY=false
## On SSO Signup if a user with a matching email already exists make the association
# SSO_SIGNUPS_MATCH_EMAIL=true
## Allow unknown email verification status. Allowing this with `SSO_SIGNUPS_MATCH_EMAIL=true` open potential account takeover.
# SSO_ALLOW_UNKNOWN_EMAIL_VERIFICATION=false
## Base URL of the OIDC server (auto-discovery is used)
## - Should not include the `/.well-known/openid-configuration` part and no trailing `/`
## - ${SSO_AUTHORITY}/.well-known/openid-configuration should return a json document: https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationResponse
# SSO_AUTHORITY=https://auth.example.com
## Authorization request scopes. Optional SSO scopes, override if email and profile are not enough (`openid` is implicit).
2025-08-09 22:18:04 +02:00
# SSO_SCOPES="email profile"
2025-08-08 23:22:22 +02:00
## Additional authorization url parameters (ex: to obtain a `refresh_token` with Google Auth).
# SSO_AUTHORIZE_EXTRA_PARAMS="access_type=offline&prompt=consent"
## Activate PKCE for the Auth Code flow.
# SSO_PKCE=true
## Regex for additional trusted Id token audience (by default only the client_id is trusted).
# SSO_AUDIENCE_TRUSTED='^$'
## Set your Client ID and Client Key
# SSO_CLIENT_ID=11111
# SSO_CLIENT_SECRET=AAAAAAAAAAAAAAAAAAAAAAAA
## Optional Master password policy (minComplexity=[0-4]), `enforceOnLogin` is not supported at the moment.
# SSO_MASTER_PASSWORD_POLICY='{"enforceOnLogin":false,"minComplexity":3,"minLength":12,"requireLower":false,"requireNumbers":false,"requireSpecial":false,"requireUpper":false}'
## Use sso only for authentication not the session lifecycle
# SSO_AUTH_ONLY_NOT_SESSION=false
## Client cache for discovery endpoint. Duration in seconds (0 to disable).
# SSO_CLIENT_CACHE_EXPIRATION=0
## Log all the tokens, LOG_LEVEL=debug is required
# SSO_DEBUG_TOKENS=false
2024-01-31 03:15:37 +09:00
########################
### MFA/2FA settings ###
########################
2023-02-20 16:10:30 +01:00
2018-11-15 18:40:27 -07:00
## Yubico (Yubikey) Settings
## Set your Client ID and Secret Key for Yubikey OTP
## You can generate it here: https://upgrade.yubico.com/getapikey/
2018-11-15 18:54:53 -07:00
## You can optionally specify a custom OTP server
2018-11-15 18:40:27 -07:00
# YUBICO_CLIENT_ID=11111
# YUBICO_SECRET_KEY=AAAAAAAAAAAAAAAAAAAAAAAA
2018-11-15 18:54:53 -07:00
# YUBICO_SERVER=http://yourdomain.com/wsapi/2.0/verify
2018-11-15 18:40:27 -07:00
2019-04-07 18:58:15 +02:00
## Duo Settings
2024-07-24 09:50:35 -05:00
## You need to configure the DUO_IKEY, DUO_SKEY, and DUO_HOST options to enable global Duo support.
## Otherwise users will need to configure it themselves.
2019-04-07 18:58:15 +02:00
## Create an account and protect an application as mentioned in this link (only the first step, not the rest):
## https://help.bitwarden.com/article/setup-two-step-login-duo/#create-a-duo-security-account
## Then set the following options, based on the values obtained from the last step:
2024-07-24 09:50:35 -05:00
# DUO_IKEY=<Client ID>
# DUO_SKEY=<Client Secret>
2019-04-07 18:58:15 +02:00
# DUO_HOST=<API Hostname>
## After that, you should be able to follow the rest of the guide linked above,
## ignoring the fields that ask for the values that you already configured beforehand.
2024-07-24 09:50:35 -05:00
##
## If you want to attempt to use Duo's 'Traditional Prompt' (deprecated, iframe based) set DUO_USE_IFRAME to 'true'.
## Duo no longer supports this, but it still works for some integrations.
## If you aren't sure, leave this alone.
# DUO_USE_IFRAME=false
2019-04-07 18:58:15 +02:00
2024-01-31 03:15:37 +09:00
## Email 2FA settings
## Email token size
## Number of digits in an email 2FA token (min: 6, max: 255).
## Note that the Bitwarden clients are hardcoded to mention 6 digit codes regardless of this setting!
# EMAIL_TOKEN_SIZE=6
##
## Token expiration time
## Maximum time in seconds a token is valid. The time the user has to open email client and copy token.
# EMAIL_EXPIRATION_TIME=600
##
## Maximum attempts before an email token is reset and a new email will need to be sent.
# EMAIL_ATTEMPTS_LIMIT=3
2024-03-17 22:35:02 +01:00
##
2025-03-17 16:28:01 +01:00
## Setup email 2FA on registration regardless of any organization policy
2024-03-17 22:35:02 +01:00
# EMAIL_2FA_ENFORCE_ON_VERIFIED_INVITE=false
## Automatically setup email 2FA as fallback provider when needed
# EMAIL_2FA_AUTO_FALLBACK=false
2024-01-31 03:15:37 +09:00
## Other MFA/2FA settings
## Disable 2FA remember
## Enabling this would force the users to use a second factor to login every time.
## Note that the checkbox would still be present, but ignored.
# DISABLE_2FA_REMEMBER=false
##
2019-11-07 17:11:29 +01:00
## Authenticator Settings
## Disable authenticator time drifted codes to be valid.
## TOTP codes of the previous and next 30 seconds will be invalid
2020-09-12 21:47:24 +02:00
##
2019-11-07 17:11:29 +01:00
## According to the RFC6238 (https://tools.ietf.org/html/rfc6238),
## we allow by default the TOTP code which was valid one step back and one in the future.
2025-08-10 15:03:39 +01:00
## This can however allow attackers to be a bit more lucky with their attempts because there are 3 valid codes.
2019-11-07 17:11:29 +01:00
## You can disable this, so that only the current TOTP Code is allowed.
## Keep in mind that when a sever drifts out of time, valid codes could be marked as invalid.
## In any case, if a code has been used it can not be used again, also codes which predates it will be invalid.
2021-05-14 22:36:42 +09:00
# AUTHENTICATOR_DISABLE_TIME_DRIFT=false
2019-11-07 17:11:29 +01:00
2024-01-31 03:15:37 +09:00
###########################
### SMTP Email settings ###
###########################
2018-08-15 08:32:19 +02:00
2023-02-12 18:53:55 +01:00
## Mail specific settings, set SMTP_FROM and either SMTP_HOST or USE_SENDMAIL to enable the mail service.
2019-02-08 19:21:48 +01:00
## To make sure the email links are pointing to the correct host, set the DOMAIN variable.
2018-09-13 20:59:51 +02:00
## Note: if SMTP_USERNAME is specified, SMTP_PASSWORD is mandatory
2018-08-15 08:32:19 +02:00
# SMTP_HOST=smtp.domain.tld
2021-04-27 23:18:32 +02:00
# SMTP_FROM=vaultwarden@domain.tld
# SMTP_FROM_NAME=Vaultwarden
2018-08-15 08:32:19 +02:00
# SMTP_USERNAME=username
2019-02-20 14:44:35 -06:00
# SMTP_PASSWORD=password
2020-10-06 18:54:21 +02:00
# SMTP_TIMEOUT=15
2024-02-19 23:29:53 +08:00
## Choose the type of secure connection for SMTP. The default is "starttls".
## The available options are:
## - "starttls": The default port is 587.
## - "force_tls": The default port is 465.
## - "off": The default port is 25.
## Ports 587 (submission) and 25 (smtp) are standard without encryption and with encryption via STARTTLS (Explicit TLS). Port 465 (submissions) is used for encrypted submission (Implicit TLS).
# SMTP_SECURITY=starttls
# SMTP_PORT=587
2023-02-12 18:53:55 +01:00
# Whether to send mail via the `sendmail` command
# USE_SENDMAIL=false
# Which sendmail command to use. The one found in the $PATH is used if not specified.
# SENDMAIL_COMMAND="/path/to/sendmail"
2020-09-12 21:47:24 +02:00
## Defaults for SSL is "Plain" and "Login" and nothing for Non-SSL connections.
## Possible values: ["Plain", "Login", "Xoauth2"].
## Multiple options need to be separated by a comma ','.
2024-01-31 03:15:37 +09:00
# SMTP_AUTH_MECHANISM=
2020-10-06 18:54:21 +02:00
## Server name sent during the SMTP HELO
2025-08-20 23:50:52 +02:00
## By default this value should be the machine's hostname,
2020-10-06 18:54:21 +02:00
## but might need to be changed in case it trips some anti-spam filters
# HELO_NAME=
2022-09-30 19:14:26 +02:00
## Embed images as email attachments
2024-01-31 03:15:37 +09:00
# SMTP_EMBED_IMAGES=true
2022-09-30 19:14:26 +02:00
2020-11-18 12:07:08 +01:00
## SMTP debugging
## When set to true this will output very detailed SMTP messages.
## WARNING: This could contain sensitive information like passwords and usernames! Only enable this during troubleshooting!
# SMTP_DEBUG=false
## Accept Invalid Certificates
## DANGEROUS: This option introduces significant vulnerabilities to man-in-the-middle attacks!
## Only use this as a last resort if you are not able to use a valid certificate.
## If the Certificate is valid but the hostname doesn't match, please use SMTP_ACCEPT_INVALID_HOSTNAMES instead.
# SMTP_ACCEPT_INVALID_CERTS=false
2024-01-31 03:15:37 +09:00
## Accept Invalid Hostnames
## DANGEROUS: This option introduces significant vulnerabilities to man-in-the-middle attacks!
## Only use this as a last resort if you are not able to use a valid certificate.
# SMTP_ACCEPT_INVALID_HOSTNAMES=false
2024-05-20 02:30:57 +08:00
#######################
2024-01-31 03:15:37 +09:00
### Rocket settings ###
2024-05-20 02:30:57 +08:00
#######################
2024-01-31 03:15:37 +09:00
## Rocket specific settings
## See https://rocket.rs/v0.5/guide/configuration/ for more details.
# ROCKET_ADDRESS=0.0.0.0
2024-02-19 23:29:53 +08:00
## The default port is 8000, unless running in a Docker container, in which case it is 80.
# ROCKET_PORT=8000
2024-01-31 03:15:37 +09:00
# ROCKET_TLS={certs="/path/to/certs.pem",key="/path/to/key.pem"}
2020-10-06 18:54:21 +02:00
2019-11-11 11:19:58 +01:00
2024-01-31 03:15:37 +09:00
# vim: syntax=ini