Looking for guides/tutorials/walkthroughs/etc for setting up bitwarden free license, self-hosted (on premise). As well as guides/tutorials/walkthroughs/etc that cover backups/restores.
Currently using keepass as my offline filebased password manager.
Looking to implement a free, open source, and non-cloud based (e.g. ‘self-hosted’ on premise) password manager for a family with three people.
I think Bitwarden fits the bill as far as "free, open source, and non-cloud based".
Is there any kind of “fail-over/hot-spare/stand-by/high-available” configuration in the free license of Bitwarden?
Scenarios where I would like some kind of “fail-over/hot-spare/stand-by/high-available” configuration:
Scenario #1 = reduce/avoid downtime/outages when performing maintenance/updates on the virtual machines running bitwarden
Scenario #2 = I could separate the virtual machines running bitwarden between my two esxi hosts… in case either host has a problem.
Scenario #3 = If I had an alternate private home location with internet access, I could (theoretically) distribute the virtual machines running bitwarden between both locations.
Also, what should be considered for automating backups of bitwarden?
– Does bitwarden have its own scheduled backup?
– Or do I need to look into Veeam Backup and Replication community edition?
Unless you are very knowledgeable about setting up database HA I would not go there with Bitwarden. For the self-hosted setup I have it as a VM on my XCP-ng server and I have multiple virtualization hosts available in case one fails. Bitwarden has its own built-in backup, which I use Syncthing to sync automatically, and I use the built-in XCP-ng backup to back up the virtual machine.
I second Vaultwarden as well. I’ve been self-hosting it on my Unraid server at home for years now, though not HA.
As I self-host Luckybackup, I use it to schedule a backup of the whole VW folder to an external HDD.
I also have a docker container to back it up. Thanks to bruceforce/vaultwarden-backup on GitHub.
Actually, when you install the Bitwarden extension on Chrome/Edge (yes, it works with self-hosted vaultwarden), all the password entries are regularly synced to the desktop/laptop browser; so if your server is offline for whatever reason, you still have a copy of those passwords on your desktop. Just use the export function in the Bitwarden extension to back it up manually.
I’m not sure you need a separate installation for each family member. I don’t know if it supports multiple users in one installation or not; if not, and if you run it as a docker container, you can spin up as many containers as you wish.
Third for Vaultwarden.
I have a few implemented and working well, behind Nginx Proxy Manager.
Updates take a bit of time and are released often, but it works great, and we also added a PS script to install the Chrome plugin on client machines via Action1.
Didn’t get the auto-config for the URLs, which would have been nice, but that will be later.
For Edge, just modify the reg location:
```powershell
# For Edge, point $regKey at the Edge policy location instead of the Chrome one below:
# $regKey = "HKLM:\SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallForcelist"

# Set the extension ID directly or via Action1 parameters
$extensionId = "nngceckbapebfimnlniiiahkandclblb" # Replace with your actual extension ID

# Check if the extension ID is provided
if (-not $extensionId) {
    return "No Extension ID"
}

# ExtensionInstallForcelist entries have the form "<extension id>;<update URL>"
$extensionId = "$extensionId;https://clients2.google.com/service/update2/crx"
$regKey = "HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist"

# Create the registry key if it doesn't exist
if (-not (Test-Path $regKey)) {
    New-Item -Path $regKey -Force | Out-Null
}

# Read the existing forced-install entries (the values are named 1, 2, 3, ...)
$extensionsList = New-Object System.Collections.ArrayList
$number = 0
$noMore = 0
do {
    $number++
    try {
        $install = Get-ItemProperty -Path $regKey -Name $number -ErrorAction Stop
        $extensionObj = [PSCustomObject]@{
            Name  = $number
            Value = $install.$number
        }
        $extensionsList.Add($extensionObj) | Out-Null
    } catch {
        # No value with this name: we have reached the end of the list
        $noMore = 1
    }
} until ($noMore -eq 1)

# Add the extension to the forced-install list only if it is not already there
$extensionCheck = $extensionsList | Where-Object { $_.Value -eq $extensionId }
if ($extensionCheck) {
    return "Extension Already Exists"
} else {
    # Next free value name: one past the last existing entry (1 if the list is empty)
    $newExtensionId = $extensionsList[-1].Name + 1
    New-ItemProperty -Path $regKey -PropertyType String -Name $newExtensionId -Value $extensionId -Force | Out-Null
    return "Installed Extension"
}
```
HA-wise, it depends on your cluster config (Prox and XCP both do this natively); it all depends on whether you have reliable shared storage.
Fault Tolerance wouldn’t skip a beat, costly though.
HA is usually solid and has less downtime than a backup restore.
The script pushes those to install the standard extension…
Users tend to be a little difficult to get those installed. Just a small add-on when/if you deploy to more than yourself, but not important if using it for just yourself.
Two Questions:
Question #1 of 2 = Has vaultwarden been audited/vetted as well as Bitwarden has been?
I suppose in the end, if I do not learn to become my own professional software developer I will have to trust the word of those who are and say they have done the proper things to properly audit/vet/certify/validate software projects like Bitwarden.
Question #2 of 2 = switching context from “real-I.T.” to “I.T.-support-for-older people”
I am thinking about a situation where I would like to find as close to a stupidly-dead-simple way to self host a most basic instance of Bitwarden that theoretically could easily run independent of complex computer iron (and certainly without the very beefy ‘big iron’ of something like my own massively over-engineered production server).
I perform pro-bono community support / consultation for a few special retired elderly people who are still very much smart and still stay active on the computer/internet – besides their one (1) laptop and home router they have zero (0) infrastructure to leverage/manage.
I had this idea in my mind: what if I could give them this box that needs to be kept plugged in to the power outlet and kept plugged into their home router, and this box is their Keep-It-Stupidly-Simple self hosted bitwarden instance. Since they can manage their offline TV/Soundbar/DVD-player/AppleTV, if this box could be as close to ‘appliance’ simple as possible (e.g. “AppleTV”), then these people could manage keeping it powered + keeping it plugged into the router.
Regarding Bitwarden-Selfhosted-On-Raspberry-Pi,
Does anyone have a better tutorial than the 5 year old one below?
I am not aware of any official code review that has been done of Vaultwarden.
And I would not over-complicate things, just set them up with the free version of Bitwarden which should be fine for their needs. And if they want the paid version, it is $10 per year, which I think is a very reasonable price.
Is there any kind of “fail-over/hot-spare/stand-by/high-available” configuration in the free license of Bitwarden?
It’s really not needed since the bitwarden client stores a copy of the vault locally. So if your server goes down, you don’t lose functionality other than not being able to sync new passwords. But even without internet, Bitwarden will continue to work locally, although there is a delay when you first log in as it tries to sync.
Also, what should be considered for automating backups of bitwarden?
I use vaultwarden running in a docker container. I store my volume for vaultwarden on my Synology via an NFS share. I let Synology handle all the backup tasks. Easy Peasy.
Here’s a link to my Github repo if you want to try out my docker compose file for Vaultwarden. The way Vaultwarden works is you use the official Bitwarden clients on your devices or as a browser extension, and you point them to your self hosted vaultwarden as the back end. Homelab/docker/vaultwarden at main · louie-lab2000/Homelab · GitHub
Question #1 of 2 = Has vaultwarden been audited/vetted as well as Bitwarden has been?
Personally I don’t care. I don’t expose vaultwarden to the outside world at all. It’s only on my local network. If I need to connect to the Vaultwarden server to sync my local vault, and I am not at home, I just connect using Tailscale to do that, then I once again disconnect from Tailscale. Otherwise, the Bitwarden client works fine without being connected to the Vaultwarden server, and I can also just wait until I am back on my own network to sync.
Question #2 of 2 = switching context from “real-I.T.” to “I.T.-support-for-older people”
Vaultwarden can run locally on almost anything, including a Raspberry Pi. It might make your backup function a little more complex, but the vaults do not take up much space on disk, and you could write a cron job with rclone to copy the volume to your NAS environment as a backup. Again, the only thing Vaultwarden does is act as a back end data sync. All the functionality is in the client for the most part, and the client keeps a local copy of the vault that gets synced to the server.
I would use these instructions: GitHub - Rapha-Borges/deploy-vaultwarden: Step by step to deploy a self-hosted Vaultwarden
Honestly I wouldn’t bother with certificates (unless you really want to create an internal domain with FQDNs for the customer) or Cloudflare tunnels or even trying to expose this service to the internet at all. I would just run it locally on their network. Vaultwarden will sync the Bitwarden clients whenever your pro bono clients connect their phones to their wifi. If you install Watchtower it will update the Vaultwarden docker container automatically. You could also enable unattended upgrades in Debian to keep the OS up to date. But you may still have to SSH in to do some maintenance. Load Tailscale on the Raspberry Pi and add the device to your personal tailnet. You will easily be able to SSH into the machine from anywhere. From the pro-bono customers’ point of view they won’t have to do anything other than plug it in.
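The backup question comes up several times in this thread (the OP's "what should be considered for automating backups", the built-in backup plus Syncthing answer, and the cron job with rclone suggestion above). The script below is an added example, not code from the thread or from the Vaultwarden project, of what such a cron job has to get right: the live SQLite database is copied with SQLite's online backup API rather than a plain file copy (a plain copy can catch the file mid-write), the RSA key pair, config and attachments are bundled alongside it, and the archive is checked by restoring it into a scratch directory and running an integrity check before it is trusted. The data-directory layout it assumes (db.sqlite3, rsa_key.pem, rsa_key.pub.pem, config.json, attachments/, sends/) is the default Vaultwarden layout as far as I know; treat it as an assumption and check it against your own volume. The sample data directory it builds is constructed for the demonstration and contains no real vault data; shipping the resulting archive to a NAS with rclone is left to the cron line, because it is the verification step that most people skip.

```python
"""Consistent backup, verification and restore of a Vaultwarden data directory.

Added example (not the project's code). Assumed data-directory layout:
db.sqlite3, rsa_key.pem, rsa_key.pub.pem, config.json, attachments/, sends/.
"""
import shutil
import sqlite3
import tarfile
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Everything besides the database that the server needs to come back intact.
# Losing rsa_key.pem invalidates every client's login token, so it is backed up too.
EXTRA_ITEMS = ["rsa_key.pem", "rsa_key.pub.pem", "config.json", "attachments", "sends"]


def snapshot_database(db_path: Path, dest_path: Path) -> None:
    """Copy the live database with the online backup API (consistent even under writes)."""
    src = sqlite3.connect(db_path)
    dst = sqlite3.connect(dest_path)
    try:
        src.backup(dst)
    finally:
        dst.close()
        src.close()


def create_backup(data_dir: Path, backup_dir: Path) -> Path:
    """Write <backup_dir>/vaultwarden-<UTC stamp>.tar.gz and return its path."""
    backup_dir.mkdir(parents=True, exist_ok=True)
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    archive = backup_dir / f"vaultwarden-{stamp}.tar.gz"
    with tempfile.TemporaryDirectory() as tmp:
        staging = Path(tmp) / "vaultwarden"
        staging.mkdir()
        snapshot_database(data_dir / "db.sqlite3", staging / "db.sqlite3")
        for name in EXTRA_ITEMS:  # copy whatever of the optional items exists
            src = data_dir / name
            if src.is_dir():
                shutil.copytree(src, staging / name)
            elif src.is_file():
                shutil.copy2(src, staging / name)
        with tarfile.open(archive, "w:gz") as tar:
            tar.add(staging, arcname="vaultwarden")
    return archive


def extract_archive(archive: Path, dest: Path) -> Path:
    """Unpack the archive into dest, refusing path-traversal members where supported."""
    with tarfile.open(archive, "r:gz") as tar:
        try:
            tar.extractall(dest, filter="data")  # Python 3.12+
        except TypeError:
            tar.extractall(dest)
    return dest / "vaultwarden"


def verify_backup(archive: Path) -> bool:
    """A backup is only good if it restores and the database passes integrity_check."""
    with tempfile.TemporaryDirectory() as tmp:
        restored = extract_archive(archive, Path(tmp))
        db = restored / "db.sqlite3"
        if not db.is_file():
            return False
        conn = sqlite3.connect(db)
        try:
            return conn.execute("PRAGMA integrity_check").fetchone()[0] == "ok"
        finally:
            conn.close()


def restore_backup(archive: Path, data_dir: Path) -> None:
    """Replace data_dir with the archive contents (stop the container first)."""
    with tempfile.TemporaryDirectory() as tmp:
        restored = extract_archive(archive, Path(tmp))
        if data_dir.exists():
            shutil.rmtree(data_dir)
        shutil.copytree(restored, data_dir)


def make_sample_data_dir(root: Path) -> Path:
    """Constructed stand-in for a real data directory; holds no real vault data."""
    data = root / "vw-data"
    (data / "attachments" / "cipher-1").mkdir(parents=True)
    (data / "attachments" / "cipher-1" / "file.bin").write_bytes(b"\x00\x01")
    (data / "rsa_key.pem").write_text("-----BEGIN RSA PRIVATE KEY-----\n(constructed)\n")
    (data / "config.json").write_text('{"domain": "https://vault.example.lan"}\n')
    conn = sqlite3.connect(data / "db.sqlite3")
    conn.execute("CREATE TABLE users (uuid TEXT PRIMARY KEY, email TEXT)")
    conn.execute("INSERT INTO users VALUES ('u1', 'grandma@example.lan')")
    conn.commit()
    conn.close()
    return data


def roundtrip() -> tuple:
    """Backup, verify and restore the sample dir; return (verified, restored user rows)."""
    with tempfile.TemporaryDirectory() as scratch:
        root = Path(scratch)
        archive = create_backup(make_sample_data_dir(root), root / "backups")
        verified = verify_backup(archive)
        restore_backup(archive, root / "restored")
        conn = sqlite3.connect(root / "restored" / "db.sqlite3")
        try:
            rows = conn.execute("SELECT COUNT(*) FROM users").fetchone()[0]
        finally:
            conn.close()
        return verified, rows


if __name__ == "__main__":
    print("verified, restored users:", roundtrip())
```

In a real cron job you would call create_backup against the container's data volume, run verify_backup on the result, and only then hand the archive to rclone; a backup that has never been restored is an assumption, not a backup, and the verification step is cheap enough to run every night on a Pi.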