Self Hosted Password Manager: bitwarden_rs

2021-02-10 3 min read Cool stuff Self-Hosted Tech Teknikal_Domain Unable to load comment count

You familiar with BitWarden? It’s another one of those password manager services that comes as a browser extension or standalone program, and allows for things like storing TOTP keys, generating new, secure passwords, and all that fun stuff. Except unlike others that I’ve seen, it has one difference: You can self-host an instance. Though, their self-hosted options look a little lacking unless you want to give them money. Well as it happens with an open sourced project, someone decided to create a BitWarden API compatible server, thus creating bitwarden_rs. And this is why it’s cool.

Unlike all the pricing options offered by the official BitWarden server, bitwarden_rs just has everything, no payments. And it’s distribution couldn’t be simpler (in theory): Just a docker image. Just run bitwardenrs/server with container port 80 mapped, and you’re up and running, though you might want to do a few other things:

  • Bind /data to a volume or a folder on the host, for persistence
  • Set the LOG_FILE envar to a file in /data/ so you can easily read the log
  • Set SIGNUPS_ALLOWED to true to… allow signups if you wish
  • Set ADMIN_TOKEN to some (secure) string to allow access to the admin page

All you need after that is an email and master password for your account. BitWarden is pretty cool about how it handles your data — only the client device, meaning the browser extension or BitWarden client program, has access to your decrypted data. All data on the server is encrypted using an encryption key generated from that master password.1 Besides storing your logins and passwords (and TOTP keys!), you can also store, for some reason, “identities” (name, address, contact info…) and cards (actual credit / debit card data for payments) for easier form filling. Additionally, a fourth data type called “secure notes” is just an arbitrary text field to store whatever you like.

If you feel like being extra secure, you can require a TOTP or hardware 2FA key in addition to your master password. By default, this is only required for new clients. If you’ve already signed in with one before, you just need that password. Otherwise, if it’s never been seen before, you need the key.2 Also, most clients, as long as they’re running, don’t properly sign you out after inactivity, they just “lock” which requires the master password to unlock. And, yes, you can change that master password but it will require re-encrypting all your data with the new derived key.

Personally, I’m not too much of a fan of the only official bitwarden_rs “installation” method being Docker, I prefer to have actual executables if possible, especially since my current infrastructure setup means I’m running Docker in an LXC container with the nesting feature flag. It’s not perfect, and there’s likely a small performance penalty, but… I just don’t like it, I’d rather have some distributable package that’s easy enough to install and drop in a systemd unit for. But that’s probably just me being me.

So in the end if you like the idea of a password manager, yet want one that’s open sourced and gives you full control of your data, check out the bitwarden_rs server implementation, just remember to enable the TLS options (explained by their docs) or put it behind a reverse proxy, many browsers will keep the APIs that it wants to use from being used over a plain HTTP connection, you need HTTPS for that.

  1. The default is 100,000 rounds of PBKDF2, SHA-256. You can change this for your account as you wish. ↩︎

  2. Maybe it’s just my Hackintosh, but every time BitWarden updates, and, by extension (hah!) updates the Safari extension, that’s a “new client” that I need to re-authenticate to. ↩︎

comments powered by Disqus