Please please please do this. I have plenty of issues with their prioritisation but at the end of the day, Bitwarden is extremely cheap, and is a great product. There is little to no reason to not pay that $10 a year.
Another satisfied user of `bitwarden_rs` here, and I can vouch for it. I migrated from LastPass and couldn't be happier. The setup is pretty simple and I even managed to migrate it to a new server without any hassles. All the apps work flawlessly.
The peace of mind in having all your sensitive data under your control is totally worth it.
> The peace of mind in having all your sensitive data under your control is totally worth it.
I used to have some illusions that "if I self host, I am in control", and "if I don't connect my home infra to the internet, I am safe". Later I realized neither is true.
I can't trust all the consumer grade devices in my network, I don't trust a software just because it is open source. And I don't have time to keep up with all the security patches and do security auditing / vulnerability scan routinely...etc.
It is fine to self host hobby stuff for fun, but professionally managing sensitive data is a full time job.
Assuming that you're not a high profile target self-hosting does make it rather unlikely that you'll get pwned in this case.
An attacker can justify allocating a lot of resources to pwn bitwarden.com. If you manage to break into the vaults you're bound to find something juicy, just because of how large the target is.
Or you could decide to pwn me. Figure out where my bitwarden is hosted, what my config looks like, what mistakes I might have made setting it up, then maybe find a way in. Then it's just the start, since the passwords are encrypted on disk, so at best you have access to an encrypted sqlite database. Now you need to find a way to get me to leak my vault key. Maybe I sometimes use the web interface? Maybe not. Who knows.
After all of that you may realize that all of my passwords are either not super important or require some form of 2FA, therefore wasting your time.
Just set up backups, enable apt unattended upgrades for major security patches and forget the rest.
If you want to really get paranoid, pass it all through wireguard or ssh tunnels, but for bitwarden at least it's all client side encrypted anyways, you could probably run it on a very out of date system without issue.
Personally, having my sensitive data under my own control (but internet facing) terrifies me. I know enough to know that there are risks, and yet wouldn't have a clue about how to make it secure.
My self-hosted bitwarden server is only accessible from the LAN. Since the full password database is cached locally on each client, you can use it to lookup existing passwords just fine without a connection to the server. Bitwarden does require a connection to the server to add passwords, as it isn't a distributed architecture, so this setup does prevent you from adding new passwords while you are out and about, but I don't have the need to do that often, and in the rare occasions when I do, I write them on scrap paper in my wallet till I get home.
My concern about this is less about making it secure but keeping it secure. Zero-day vulnerabilities are a thing and you can never be 100% safe against those, so the next best thing is to have good monitoring in place so you get alerted when something nefarious is going on. This unfortunately requires 24/7 monitoring that's better left off to a dedicated team.
I would set it up locally on a Raspberry Pi with PiVPN and only allow a specific IP (the Bitwarden IP) to be accessible via that VPN connection. Also you will need a self-signed cert installed on the devices where you want to access Bitwarden if you don't have a public domain.
I mean at the end of the day your data is encrypted before it leaves your device and unless someone breaks encryption you can display it on a banner ad on Times Square and it doesn't make a difference.
Personally I think hosting the server locally doesn't give much benefit because I'm more likely to screw things up than Bitwarden is on that front.
I love this project, but something has always bothered me about it. For something as critical as your entire set of passwords, aren’t you essentially trusting this person you’ve never met to not just take all of them when you use the server?
For example, one day a malicious maintainer could flip a switch that simply updates the docker image to send thousands of peoples’ entire vault somewhere and then disappear, no?
If I'm not mistaken it should be mostly fine as long as you trust the desktop/phone versions of Bitwarden not to send off the (unhashed) key to the server
Note also that the bitwarden desktop app has a remote code execution vulnerability that the developers refuse to fix, which means that the developers can, at any time, replace your local copy of the bitwarden desktop app with a different version that could steal all your passwords in exactly the manner you describe.
You can patch the bitwarden client (and also take the opportunity to remove the spyware they have embedded in it, as well), or use a program like LuLu or Little Snitch to block it from communicating with anything but your own selfhosted bitwarden_rs instance.
You are in control here. It's like every other bit of software you run yourself: it's your problem to do it properly.
1) if you worry about people replacing the docker image you are using, build your own. It's not hard. Alternatively, use a specific version of the docker image by specifying the version or the hash (if you are really paranoid). Of course after you review the Dockerfile. Minimum at least glance through the Dockerfile.
2) bitwarden has import/export functionality (client side) so if your server disappears for whatever reason, you can still export your passwords from the client side.
3) if you don't trust the OSS code, audit it or at least look through it. That's the whole point of OSS. Build it from source if you must. File bugs. Look at the issue tracker. You can choose not to but if something happens it's your problem; not somebody else's problem.
4) The vault is encrypted and the server never handles or sees the decrypted content (see 3 to verify this). Other people's ability to break that encryption depends on you using a secure master password.
5) Or just pay Bitwarden to host passwords for you and rely on their terms of use, SLAs, support, good reputation, and what not. That's probably the best option if you want ass coverage for professional usage. Their pricing is very reasonable for small setups. And probably sharing passwords with a large group of users is just a spectacularly bad idea to begin with. A couple of key users, should cost you max 20/month. Not really worth dedicating devops time for self hosting unless you have a really good reason to. If you do, see 1-4.
"3) if you don't trust the OSS code, audit it or at least look through it. That's the whole point of OSS."
That's an outright fantasy. Every day I rely on like 50 pieces of software written in 20 different languages and frameworks. They are updated multiple times a month. How many man hours would it take? 1000 a week?
Professional developers couldn't find Heartbleed for years; you really think anyone would notice a hidden backdoor in software like this within a year?
Bitwarden server phones home every install. In order to remove the phoning home bit, you must recompile the entire codebase. I wonder if this rust alternative makes that easier to remove...
4) This is not 100% true. To get someone’s passwords you just have to compromise their bitwarden_rs to include a malicious web client that sends the master password to the attacker if the user logs in. This is a different story of course when the web client is never used. Then it is impossible to get the passwords because it’s encrypted at client side.
Isn't this true for any service? We're just trusting that the bitwarden/server image or bitwarden.com won't do the same?
Also this is only a risk if you use the provided Web vault. If you use the desktop, mobile or browser extension clients, it would require both Bitwarden LLC and dani garcia to conspire against you as the server doesn't control code those clients run and the API only provides it data in encrypted format.
Finally, if you're that worried you can pin the container version by hash and only update when you are confident in the new version
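Point 1 of the numbered list and the "pin the container version by hash" advice just above are the same control. As an added example, not code from the thread or from the bitwarden_rs project, here is a small Python check that scans a compose file for `image:` lines and reports every reference that is not pinned to a `sha256` digest. The compose text, the service layout, the image names and the all-zero digest are constructed placeholders, not real values.

```python
import re

# Constructed sample compose file (not the project's own). The first service is
# pinned to a digest (placeholder value, all zeros); the others float on a tag
# or on no tag at all. The image name for the first service is an assumption.
SAMPLE_COMPOSE = """\
services:
  bitwarden:
    image: bitwardenrs/server@sha256:0000000000000000000000000000000000000000000000000000000000000000  # placeholder digest
    ports:
      - "8080:80"
  proxy:
    image: traefik:v2.2
  db:
    image: postgres
"""

# A pinned reference ends in "@sha256:" followed by exactly 64 hex digits.
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")
# Captures the image reference on an "image:" line, stopping at whitespace,
# quotes or a trailing comment.
IMAGE_RE = re.compile(r"^\s*image:\s*['\"]?([^'\"#\s]+)")
# A service name is a two-space-indented key directly under "services:".
SERVICE_RE = re.compile(r"^  (\S+):\s*$")


def find_unpinned_images(compose_text: str):
    """Return (service, image_ref, reason) for every image reference in the
    compose text that is not pinned to a sha256 digest. Tags are mutable
    (a tag can be re-pushed to point at different content); a digest is not."""
    findings = []
    service = None
    for line in compose_text.splitlines():
        svc = SERVICE_RE.match(line)
        if svc:
            service = svc.group(1)
        m = IMAGE_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if DIGEST_RE.search(ref):
            continue  # pinned by digest: nothing to report
        # Look only at the last path component so a registry host with a
        # port (registry.example.test:5000/foo) is not mistaken for a tag.
        if ":" in ref.rsplit("/", 1)[-1]:
            reason = "tag only (mutable; can be re-pushed)"
        else:
            reason = "no tag (defaults to latest)"
        findings.append((service, ref, reason))
    return findings


if __name__ == "__main__":
    for service, ref, reason in find_unpinned_images(SAMPLE_COMPOSE):
        print(f"{service}: {ref} -> {reason}")
```

The digest of an image you have already pulled and looked at can be read with `docker image inspect --format '{{index .RepoDigests 0}}' <image>`; once that is pasted into the compose file, the checker stops reporting the service. Pinning only fixes what gets run; it does not replace glancing through the Dockerfile, as point 1 says.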
Yes, but if a company does this, they are essentially killing themselves. They have presumably spent a lot of time creating a company, gaining customers etc., whereas a single(?) maybe anonymous open source developer does not have that much to lose.
Isn't the same thing true for every password manager? What's stopping LastPass from pushing an update that steals all my passwords? What's stopping Chrome from auto-updating to a version that sends every password I enter to Google?
Because of the way bitwarden works, I think as long as the client is secure, compromise of the server is not a major concern except for data loss. Your vault is encrypted client-side.
The real threat is that someone takes control of the bitwarden browser extension and pushes a malicious update.
> The real threat is that someone takes control of the bitwarden browser extension and pushes a malicious update.
That's why I don't use any KeePass extensions. I just don't trust the browser enough to be able to get any of my passwords.
I'm thinking about writing my own extension which will communicate with KeePass in a way that suits me (basically: when I'm pressing a button in the browser, it'll pop up the KeePass window with the search field filled with the server domain). Then I can either auto-type the password from KeePass or copy it to the clipboard; either way I'm only using KeePass and the browser extension has no way to get any information.
That's actually a cool idea for a password manager in general. After logging in, you input a "salt" value that is appended to the end of all your passwords. That value is never sent to the password server, so even if the server is compromised your associated accounts aren't.
With any password manager, encryption happens client-side. A malicious or compromised host could make off with your encrypted vault, but that would not by itself compromise passwords.
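The "encrypted client-side" point made in several comments above (point 4 of the numbered list, and the comment that the server only ever handles encrypted data) is easiest to see with a model of both sides. The following is an added Python example, not Bitwarden's or bitwarden_rs's code: it follows the general shape of Bitwarden's documented scheme as I understand it (master password stretched with PBKDF2 using the account email as salt, separate encryption and MAC keys, encrypt-then-MAC), but swaps AES for an HMAC-SHA256 keystream so it runs on the standard library alone. The `FakeServer`, the iteration count, the sample credentials and the vault entry are constructed.

```python
import hashlib
import hmac
import os

# Constructed illustration, not Bitwarden's real cipher: the client stretches the
# master password into an encryption key and a MAC key, encrypts each vault entry
# with an HMAC-SHA256 keystream (counter mode) and appends an encrypt-then-MAC tag.
# Only the resulting blobs ever reach the server. The iteration count is an
# assumption for the example; the thread links a discussion of the real default.
ITERATIONS = 100_000


def derive_keys(master_password: str, email: str, iterations: int = ITERATIONS):
    """Stretch the master password with PBKDF2; the (lower-cased) email is the
    salt, so the same password on two accounts gives different keys.
    Returns (enc_key, mac_key), 32 bytes each."""
    stretched = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), email.lower().encode(), iterations, dklen=64
    )
    return stretched[:32], stretched[32:]


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a stand-in for a block cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_entry(enc_key: bytes, mac_key: bytes, plaintext: bytes, nonce: bytes = b"") -> bytes:
    """Return nonce || ciphertext || tag. A fresh random nonce is drawn unless one is given."""
    nonce = nonce or os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_entry(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    """Verify the tag first (constant-time compare), then decrypt."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("vault entry failed authentication (tampered or wrong key)")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class FakeServer:
    """What a (possibly hostile) server actually stores: opaque blobs per user."""

    def __init__(self):
        self.store = {}

    def put(self, email: str, blob: bytes) -> None:
        self.store.setdefault(email, []).append(blob)

    def get(self, email: str):
        return list(self.store.get(email, []))


def demo(master_password: str = "correct horse battery staple", email: str = "alice@example.test"):
    """Walk through sync, read-back, wrong password and server-side tampering."""
    enc_key, mac_key = derive_keys(master_password, email)
    server = FakeServer()
    server.put(email, encrypt_entry(enc_key, mac_key, b"hn.example.test:hunter2"))

    leaked = server.get(email)[0]            # everything the server operator has
    server_can_read = b"hunter2" in leaked   # the secret is not in the blob
    plaintext = decrypt_entry(enc_key, mac_key, leaked)  # the real client can read it

    wrong_keys = derive_keys("wrong password", email)  # wrong password -> MAC fails
    try:
        decrypt_entry(*wrong_keys, leaked)
        wrong_pw_rejected = False
    except ValueError:
        wrong_pw_rejected = True

    tampered = leaked[:16] + bytes([leaked[16] ^ 0x01]) + leaked[17:]  # server flips a bit
    try:
        decrypt_entry(enc_key, mac_key, tampered)
        tamper_detected = False
    except ValueError:
        tamper_detected = True

    return {
        "server_can_read": server_can_read,
        "plaintext": plaintext,
        "wrong_pw_rejected": wrong_pw_rejected,
        "tamper_detected": tamper_detected,
    }


if __name__ == "__main__":
    print(demo())
```

What the model makes concrete: the master password and the keys derived from it exist only on the client, so a dump of the server's store (the "encrypted sqlite database" mentioned earlier) yields blobs and nothing else, and a server that edits a blob is caught by the tag rather than handing the client silently corrupted data. What it does not protect against is exactly what later comments raise: a client that has been swapped for one which ships the master password somewhere, which is why the web vault served by the same server is the piece worth treating differently from the native clients.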
OP is arguing that the software could be changed to upload your encrypted version as usual, but also silently upload your unencrypted version. Either unintentionally (bug) or intentionally (tin foil hat saying NSA)
I had the same concern. There's also the matter of supporting upstream development, which the maintainer does address in his readme. I ended up paying for a premium subscription of vanilla Bitwarden, which I self host. Sure it's overkill on resources and number of containers, but it's still insignificant. It seems slightly more safe to trust a company that depends on the software for revenue, if I'm going to use it without auditing the source. I've also e-mailed their support quite a few times, and they're great. It just doesn't feel right to me to do that while using a free custom backend to avoid the cost...
This is the use case that something like sandstorm.io tries to solve, by locking down system calls on the backend and (slowly but surely) CSP on the frontend. I don’t think BitWarden has been ported yet, though.
Is sandstorm active again? A few years ago there was some news about the company behind it running out of money and abandoning the project if I remember correctly.
The greatest thing about this implementation is its simplicity. I actually deployed this server for my personal use because everything lives in one Docker image and not a lot of them like the official implementation. I do understand that the official implementation helps with scalability and more, I just don't need it.
I set it up in a couple of minutes using docker-compose with Traefik. I love that Bitwarden has clients and plugins everywhere (FF and iOS being most relevant to me) and I can self-host. The sweet spot for me. I have had too many conflicts with my KeePassXC database on Nextcloud in the past, time for a solution with integrated sync.
Btw the "custom server" setting is a bit hidden, it is behind the cogwheel in the upper left in most cases.
Even their CSV import worked flawlessly and my CSV export from LastPass looked like a train wreck to parse, but everything is present and correct in Bitwarden.
I'm using KeePass. On Linux, Windows and Android, with Google Drive to sync the database.
It is a hassle.
The graphics look terrible. And most of the times the keeweb plugin doesn't really work on Firefox and I have to copy paste the password.
But I have been using it for a long time now and got used to it.
The best thing about it is the plugin system.
I would not suggest it, I think bit warden does all of this and is a lot more user friendly.
I do use KeePass for work, since we're not authorized to put passwords on the cloud, but device synchronization and browser auto fill is a pain.
For personal, Bitwarden is much better. Browser plugins just work, android auto fill just works, passwords synchronized across devices, support for auto filling payment information. 2FA support.
My company used to use the unmaintained "CorporateVault", but switched to Bitwarden_rs after Flash (which CorporateVault used for copying to the clipboard) was deprecated. Bitwarden_rs was chosen because it had a relatively painless install compared to pretty much everything else I looked at, requiring only one Docker container. It's not bad.
You entrust your company’s passwords to a random dude’s open source project that was never audited professionally. Seems a very risky thing to do.
The only thing you have to trust on a BitWarden server is the Javascript client that it serves you, and using that is entirely optional as you can just use other clients. The server could be explicitly malicious and still safe to use.
bitwarden_rs bundles the upstream JS in its default containers, so it's the same code that you'd be running from bitwarden.com
Maybe you didn't get the whole "I picked it because it was easy to install" part. Building software from source is pretty much the exact opposite of that.
I switched to using this because keepass didn’t have a good way of syncing its database with iOS devices, and the official bitwarden server has too many moving parts (including MS-SQL with no support for open source databases??) - aside from missing ssh-agent support, I’m loving all of it :)
SQL isn't as portable as people would like. Especially when you're trying to stay high performance as you're dealing with millions of customers. Once you start building for a specific SQL server, it's hard to switch to another variant.
But hey, you can log into my hacker news account!
Security through irrelevancy.
The situation with Bitwarden is a bit different though. Secrets are encrypted on the clients, the server never sees decrypted data.
Edit: Noting that there have been discussions about the default number of iterations. https://github.com/bitwarden/jslib/issues/52
Unless you review the source code of everything you use, and compile it yourself, there’s always that risk.
What prevents Postgres maintainers from just stealing all your DB? Nginx maintainers from redirecting your web traffic?
Ultimately, it boils down to a balance between trust in the author, the community or your own checking process.
It's not fair to single out just Bitwarden IMO.
Then when you log into somewhere add another secret (which you keep in your head) to the end of the password you stored in Bitwarden.
Switch on 2FA everywhere you can.
Sleep at night.
But that said, it is by far the best product despite this.