Overview
Bitwarden Server services can be configured using environment variables. Environment variables override settings from appsettings.json files.
Environment variable names use double underscores (__) to represent nested configuration sections.
Example: globalSettings__sqlServer__connectionString
Variable Naming Convention
Configuration path to environment variable conversion:
{
  "globalSettings": {
    "sqlServer": {
      "connectionString": "Server=localhost;..."
    }
  }
}
Becomes:
globalSettings__sqlServer__connectionString="Server=localhost;..."
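The conversion and the override rule, as an added example (not code from the Bitwarden project or the original page). It flattens a nested settings document into `__` names and merges environment overrides on top. The sample settings, the `exampleHosts` key and both function names are constructed for illustration; list indices as name segments and case-insensitive keys follow ASP.NET Core's configuration behaviour.

```python
import json

SEP = "__"  # stands in for the ":" section separator in environment variable names

# Constructed sample input, not taken from a real deployment.
APPSETTINGS = json.loads("""
{
  "globalSettings": {
    "selfHosted": false,
    "sqlServer": {"connectionString": "Server=localhost;..."}
  },
  "exampleHosts": ["vault.example.com", "admin.example.com"]
}
""")
ENVIRON = {
    "GLOBALSETTINGS__SELFHOSTED": "true",  # different case, same configuration key
    "globalSettings__sqlServer__connectionString": "Server=mssql;...",
    "PATH": "/usr/bin",  # unrelated variable, ignored below
}

def flatten(node, prefix=""):
    """Yield (variable_name, value) for every leaf; list items use their index."""
    items = node.items() if isinstance(node, dict) else enumerate(node)
    for key, value in items:
        name = f"{prefix}{SEP}{key}" if prefix else str(key)
        if isinstance(value, (dict, list)):
            yield from flatten(value, name)
        else:
            yield name, value

def effective(appsettings, environ):
    """Return {lowercased name: (value, source)}; the environment wins on conflict."""
    merged = {n.lower(): (v, "appsettings.json") for n, v in flatten(appsettings)}
    for name, value in environ.items():
        if SEP in name:  # simplification (assumption): only nested keys are considered
            merged[name.lower()] = (value, "environment")
    return merged

if __name__ == "__main__":
    # Print names and their source only; values may contain credentials.
    for name, (_, source) in sorted(effective(APPSETTINGS, ENVIRON).items()):
        print(f"{name:45} <- {source}")
```

Listing the source of each key shows which file settings an environment variable has silently replaced, which matters when reviewing who can change a container's environment.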
Core Configuration
Global Settings
globalSettings__selfHosted
Enable self-hosted mode. Disables cloud-specific features.
globalSettings__selfHosted=true
globalSettings__siteName
string, default: "Bitwarden"
Display name for the installation.
globalSettings__siteName="My Company Vault"
globalSettings__projectName
Service name (Api, Identity, Admin, etc.).
globalSettings__projectName=Api
Database Configuration
globalSettings__sqlServer__connectionString
Primary database connection string.
SQL Server:
globalSettings__sqlServer__connectionString="Server=mssql;Database=vault;User Id=sa;Password=YourPassword;TrustServerCertificate=True;"
PostgreSQL:
globalSettings__sqlServer__connectionString="Host=postgres;Database=vault;Username=postgres;Password=YourPassword;"
MySQL:
globalSettings__sqlServer__connectionString="Server=mysql;Database=vault;Uid=root;Pwd=YourPassword;"
globalSettings__sqlServer__readOnlyConnectionString
Optional read replica connection string for read operations.
globalSettings__sqlServer__readOnlyConnectionString="Server=replica;Database=vault;User Id=readonly;Password=pass;"
globalSettings__databaseProvider
string, default: "sqlserver"
Database provider: sqlserver, postgres, or mysql.
globalSettings__databaseProvider=postgres
Certificate Configuration
globalSettings__identityServer__certificateThumbprint
SHA-1 thumbprint of Identity Server signing certificate.
globalSettings__identityServer__certificateThumbprint=ABC123DEF456789...
globalSettings__identityServer__certificatePath
Path to Identity Server certificate PFX file (alternative to thumbprint).
globalSettings__identityServer__certificatePath=/etc/bitwarden/identity_server.pfx
globalSettings__identityServer__certificatePassword
Password for Identity Server certificate PFX file.
globalSettings__identityServer__certificatePassword=your_password
globalSettings__dataProtection__certificateThumbprint
SHA-1 thumbprint of Data Protection certificate.
globalSettings__dataProtection__certificateThumbprint=ABC123DEF456789...
Storage Configuration
globalSettings__storage__connectionString
Blob storage connection string for attachments.
Azure Blob Storage:
globalSettings__storage__connectionString="DefaultEndpointsProtocol=https;AccountName=account;AccountKey=key;"
Local Development (Azurite):
globalSettings__storage__connectionString="DefaultEndpointsProtocol=http;AccountName=devstoreaccount1;AccountKey=Eby8vdM02xNOcqFlqUwJPLlmEtlCDXJ1OUzFT50uSRZ6IFsuFq2UVErCz4I6tq/K1SZFPTOtr/KBHBeksoGMGw==;BlobEndpoint=http://storage:10000/devstoreaccount1;"
globalSettings__attachment__connectionString
Separate storage for attachments (optional).
globalSettings__attachment__connectionString="DefaultEndpointsProtocol=https;..."
globalSettings__send__connectionString
Separate storage for Send files (optional).
globalSettings__send__connectionString="DefaultEndpointsProtocol=https;..."
Mail Configuration
globalSettings__mail__replyToEmail
Reply-to email address for system emails.
globalSettings__mail__sendGridApiKey
SendGrid API key for email delivery.
globalSettings__mail__sendGridApiKey=SG.xxxxxxxxxx
globalSettings__mail__smtp__host
SMTP server hostname.
globalSettings__mail__smtp__host=smtp.gmail.com
globalSettings__mail__smtp__port
SMTP server port.
globalSettings__mail__smtp__port=587
globalSettings__mail__smtp__ssl
Enable SSL/TLS for SMTP.
globalSettings__mail__smtp__ssl=true
globalSettings__mail__smtp__username
SMTP authentication username.
globalSettings__mail__smtp__password
SMTP authentication password.
globalSettings__mail__smtp__password=your_password
Service URLs
globalSettings__baseServiceUri__api
Public URL for API service.
globalSettings__baseServiceUri__api=https://api.vault.example.com
globalSettings__baseServiceUri__identity
Public URL for Identity service.
globalSettings__baseServiceUri__identity=https://identity.vault.example.com
globalSettings__baseServiceUri__admin
Public URL for Admin service.
globalSettings__baseServiceUri__admin=https://admin.vault.example.com
globalSettings__baseServiceUri__notifications
Public URL for Notifications service.
globalSettings__baseServiceUri__notifications=wss://notifications.vault.example.com
globalSettings__baseServiceUri__sso
Public URL for SSO service.
globalSettings__baseServiceUri__sso=https://sso.vault.example.com
globalSettings__baseServiceUri__vault
Public URL for web vault.
globalSettings__baseServiceUri__vault=https://vault.example.com
Message Bus Configuration
globalSettings__serviceBus__connectionString
Azure Service Bus or RabbitMQ connection string.
Azure Service Bus:
globalSettings__serviceBus__connectionString="Endpoint=sb://namespace.servicebus.windows.net/;SharedAccessKeyName=RootManageSharedAccessKey;SharedAccessKey=key"
RabbitMQ:
globalSettings__serviceBus__connectionString="amqp://username:password@rabbitmq:5672"
globalSettings__serviceBus__useRabbitMq
Use RabbitMQ instead of Azure Service Bus.
globalSettings__serviceBus__useRabbitMq=true
Cache Configuration
globalSettings__redis__connectionString
Redis connection string for distributed caching.
globalSettings__redis__connectionString="redis:6379,password=your_password"
globalSettings__distributedCache__provider
Cache provider: memory, redis, or cosmos.
globalSettings__distributedCache__provider=redis
Service-Specific Variables
API Service
IpRateLimitOptions__EnableEndpointRateLimiting
Enable rate limiting.
IpRateLimitOptions__EnableEndpointRateLimiting=true
IpRateLimitOptions__RealIpHeader
Header containing the real client IP (when behind a proxy).
IpRateLimitOptions__RealIpHeader=X-Real-IP
Identity Service
IdentityServerOptions__IssuerUri
Override issuer URI for tokens.
IdentityServerOptions__IssuerUri=https://identity.example.com
Notifications Service
globalSettings__notificationHub__connectionString
Azure Notification Hub connection string.
globalSettings__notificationHub__connectionString="Endpoint=sb://namespace.servicebus.windows.net/;SharedAccessKeyName=DefaultFullSharedAccessSignature;SharedAccessKey=key"
globalSettings__notificationHub__hubName
Azure Notification Hub name.
globalSettings__notificationHub__hubName=bitwarden-hub
SSO Service
SsoSettings__CacheLifetimeInMinutes
SSO configuration cache lifetime.
SsoSettings__CacheLifetimeInMinutes=10
ASP.NET Core Variables
ASPNETCORE_ENVIRONMENT
string, default: "Production"
Runtime environment: Development, Staging, or Production.
ASPNETCORE_ENVIRONMENT=Production
ASPNETCORE_URLS
string, default: "http://+:5000"
URLs to listen on.
ASPNETCORE_URLS=http://+:5000;https://+:5001
ASPNETCORE_Kestrel__Certificates__Default__Path
Path to Kestrel HTTPS certificate.
ASPNETCORE_Kestrel__Certificates__Default__Path=/etc/ssl/cert.pfx
ASPNETCORE_Kestrel__Certificates__Default__Password
Password for Kestrel HTTPS certificate.
ASPNETCORE_Kestrel__Certificates__Default__Password=your_password
Logging Configuration
Logging__LogLevel__Default
string, default: "Information"
Default log level: Trace, Debug, Information, Warning, Error, Critical.
Logging__LogLevel__Default=Warning
Logging__LogLevel__Microsoft
Log level for Microsoft libraries.
Logging__LogLevel__Microsoft=Information
Docker Compose Example
Complete example with all common variables:
services:
  api:
    image: ghcr.io/bitwarden/api:latest
    environment:
      # Core Settings
      globalSettings__selfHosted: "true"
      globalSettings__siteName: "Bitwarden"
      globalSettings__projectName: "Api"
      # Database
      globalSettings__sqlServer__connectionString: "Server=mssql;Database=vault;User Id=sa;Password=${MSSQL_PASSWORD};TrustServerCertificate=True;"
      # Certificates
      globalSettings__identityServer__certificatePath: "/etc/bitwarden/identity_server.pfx"
      globalSettings__identityServer__certificatePassword: "${IDENTITY_CERT_PASSWORD}"
      globalSettings__dataProtection__certificatePath: "/etc/bitwarden/data_protection.pfx"
      globalSettings__dataProtection__certificatePassword: "${DATA_PROTECTION_CERT_PASSWORD}"
      # Storage
      globalSettings__storage__connectionString: "DefaultEndpointsProtocol=http;AccountName=devstoreaccount1;AccountKey=Eby8vdM02xNOcqFlqUwJPLlmEtlCDXJ1OUzFT50uSRZ6IFsuFq2UVErCz4I6tq/K1SZFPTOtr/KBHBeksoGMGw==;BlobEndpoint=http://storage:10000/devstoreaccount1;"
      # Mail
      globalSettings__mail__replyToEmail: "no-reply@${DOMAIN}"
      globalSettings__mail__smtp__host: "${SMTP_HOST}"
      globalSettings__mail__smtp__port: "${SMTP_PORT}"
      globalSettings__mail__smtp__ssl: "true"
      globalSettings__mail__smtp__username: "${SMTP_USERNAME}"
      globalSettings__mail__smtp__password: "${SMTP_PASSWORD}"
      # Service URLs
      globalSettings__baseServiceUri__api: "https://${DOMAIN}/api"
      globalSettings__baseServiceUri__identity: "https://${DOMAIN}/identity"
      globalSettings__baseServiceUri__vault: "https://${DOMAIN}"
      # Message Bus
      globalSettings__serviceBus__connectionString: "amqp://${RABBITMQ_USER}:${RABBITMQ_PASS}@rabbitmq:5672"
      globalSettings__serviceBus__useRabbitMq: "true"
      # Redis
      globalSettings__redis__connectionString: "redis:6379,password=${REDIS_PASSWORD}"
      # Rate Limiting
      IpRateLimitOptions__EnableEndpointRateLimiting: "true"
      IpRateLimitOptions__RealIpHeader: "X-Forwarded-For"
      # ASP.NET Core
      ASPNETCORE_ENVIRONMENT: "Production"
      # Logging
      Logging__LogLevel__Default: "Warning"
Environment File
Store variables in a .env file:
# Domain
DOMAIN=vault.example.com
# Database
MSSQL_PASSWORD=YourStrongPassword123!
# Certificates
IDENTITY_CERT_PASSWORD=CertPassword123!
DATA_PROTECTION_CERT_PASSWORD=CertPassword123!
# Redis
REDIS_PASSWORD=RedisPassword123!
# RabbitMQ
RABBITMQ_USER=bitwarden
RABBITMQ_PASS=RabbitMQPassword123!
# SMTP
SMTP_HOST=smtp.gmail.com
SMTP_PORT=587
SMTP_USERNAME=[email protected]
SMTP_PASSWORD=SmtpPassword123!
Security: Never commit .env files to version control. Add .env to .gitignore.
Validation
Test configuration after setting environment variables:
# Print effective configuration (redacted)
docker exec bitwarden-api dotnet run --project /app/Api.dll --print-config
# Check specific setting
docker exec bitwarden-api env | grep globalSettings__sqlServer__connectionString
# Verify service starts without errors
docker logs bitwarden-api
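The `env | grep` check above prints the whole connection string, password included, to the terminal. As an added example (not code from the Bitwarden project or the original page), this helper reads `NAME=value` lines, redacts secret-bearing variables, and flags sample passwords from this page, `TrustServerCertificate=True`, and service URLs without TLS. The name patterns, finding texts and sample lines are assumptions constructed for illustration.

```python
import re

# Names whose values are credentials on this page: connection strings, passwords, API keys.
SECRET_NAME = re.compile(r"(connectionstring|password|pass|apikey)$", re.I)
# Sample values used in this page's examples; none should reach a real deployment.
PLACEHOLDERS = ("your_password", "yourpassword", "password123")

# Constructed sample of `env` output, not taken from a real deployment.
SAMPLE = [
    "globalSettings__sqlServer__connectionString=Server=mssql;Database=vault;"
    "User Id=sa;Password=YourPassword;TrustServerCertificate=True;",
    "globalSettings__baseServiceUri__api=http://api.vault.example.com",
    "globalSettings__mail__smtp__password=Zr8-constructed-value",
    "globalSettings__siteName=My Company Vault",
]

def redact(name, value):
    """Return a value that is safe to print; secrets are replaced entirely."""
    return "<redacted>" if SECRET_NAME.search(name) else value

def audit(lines):
    """Return (name, finding) pairs for risky settings in NAME=value lines."""
    findings = []
    for line in lines:
        name, sep, value = line.strip().partition("=")
        if not sep or name.startswith("#"):
            continue
        low = value.strip('"').lower()
        if SECRET_NAME.search(name) and any(p in low for p in PLACEHOLDERS):
            findings.append((name, "sample password from documentation"))
        if "trustservercertificate=true" in low.replace(" ", ""):
            findings.append((name, "server certificate is not validated"))
        if "__baseserviceuri__" in name.lower() and low.startswith(("http://", "ws://")):
            findings.append((name, "public service URL without TLS"))
    return findings

if __name__ == "__main__":
    for line in SAMPLE:
        name, _, value = line.partition("=")
        print(f"{name}={redact(name, value)}")
    for name, finding in audit(SAMPLE):
        print(f"FINDING {name}: {finding}")
```

The same functions accept the lines of a .env file, where the sample values shown on this page are reported as findings.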
Security Best Practices
Use Secrets Management
Store sensitive values in:
- Docker secrets
- Kubernetes secrets
- Azure Key Vault
- HashiCorp Vault
- AWS Secrets Manager
Restrict Access
- Limit who can view environment variables
- Use read-only volumes for certificates
- Rotate credentials regularly
Audit Logging
- Log configuration changes
- Monitor secret access
- Alert on configuration errors
Validation
- Validate on startup
- Use strong passwords
- Test in staging first