Bitwarden free self-hosted (on premise) backup... and "high availability"

Looking for guides/tutorials/walkthroughs/etc. for setting up the Bitwarden free license, self-hosted (on premise), as well as guides/tutorials/walkthroughs/etc. that cover backups/restores.

Currently using KeePass as my offline file-based password manager.

Looking to implement a free, open source, and non-cloud based (e.g. ‘self-hosted’ on premise) password manager for a family with three people.

I think Bitwarden fits the bill as far as "free, open source, and non-cloud based".

Is there any kind of “fail-over/hot-spare/stand-by/high-available” configuration in the free license of Bitwarden?

Scenarios where I would like some kind of “fail-over/hot-spare/stand-by/high-available” configuration:
Scenario #1 = reduce/avoid downtime/outages when performing maintenance/updates on the virtual machines running Bitwarden

Scenario #2 = I could separate the virtual machines running Bitwarden between my two ESXi hosts… in case either host has a problem.

Scenario #3 = If I had an alternate private home location with internet access, I could (theoretically) distribute the virtual machines running Bitwarden between both locations.

Also, what should be considered for automating backups of Bitwarden?
– Does Bitwarden have its own scheduled backup?
– Or do I need to look into Veeam Backup and Replication community edition?

Unless you are very knowledgeable about setting up database HA, I would not go there with Bitwarden. For self-hosted, I have it as a VM on my XCP-ng server, and I have multiple virtualization hosts available in case one fails. Bitwarden has its own built-in backup, which I use Syncthing to sync automatically, and I use the built-in XCP-ng backup for the virtual machine.

Not exactly the question you asked, but since you’re looking to self-host it, have you looked at Vaultwarden?

Their Wiki provides a lot of good info. And here is a tutorial I partially followed when setting up mine, which includes a procedure for backups.

Thank you!

Vaultwarden looks interesting!

I thought staying ‘mainstream’ with Bitwarden would be beneficial for support & documentation.

Looking at the level of documentation for Vaultwarden… looks promising!

I second Vaultwarden as well. I’ve been self-hosting it on my Unraid server at home for years now, though not HA.

As I self-host Luckybackup, I use it to schedule a whole-folder backup of VW to an external HDD.

I also have a Docker container to back it up, thanks to bruceforce/vaultwarden-backup on GitHub.

Actually, when you install the Bitwarden extension on Chrome/Edge (yes, it works with self-hosted Vaultwarden), all the password entries are regularly synced to the desktop/laptop browser; so if your server is offline for whatever reason, you still have a copy of those passwords on your desktop. Just use the export function in the Bitwarden extension to back it up manually.

I’m not sure you need a separate installation for each family member. I don’t know if it supports multiple users in one installation or not; if not, and if you run it as a Docker container, you can spin up as many containers as you wish.
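
A backup job of the kind discussed in this thread, as an added example (not code from any poster, nor from Vaultwarden or Bitwarden): it snapshots the SQLite database through SQLite's online backup API instead of copying a live file, runs an integrity check on the copy, writes a SHA-256 sidecar and prunes old snapshots. It assumes Vaultwarden's SQLite backend with the database in a file such as data/db.sqlite3; `backup_vault`, `demo` and the snapshot naming are hypothetical, and the sample database is constructed.

```python
import hashlib
import sqlite3
import tempfile
import time
from pathlib import Path


def backup_vault(db_path: Path, dest_dir: Path, keep: int = 7) -> Path:
    """Snapshot db_path into dest_dir, verify the copy, keep the newest `keep`."""
    dest_dir.mkdir(parents=True, exist_ok=True)
    now = time.time_ns()
    stamp = time.strftime("%Y%m%dT%H%M%SZ", time.gmtime(now // 10**9))
    target = dest_dir / f"db-{stamp}-{now % 10**9:09d}.sqlite3"
    uri = f"{db_path.resolve().as_uri()}?mode=ro"  # live DB is opened read-only
    src, dst = sqlite3.connect(uri, uri=True), sqlite3.connect(target)
    try:
        # Online backup API: a consistent snapshot even while the server writes.
        src.backup(dst)
        result = dst.execute("PRAGMA integrity_check").fetchone()[0]
    finally:
        src.close()
        dst.close()
    if result != "ok":
        target.unlink()
        raise RuntimeError(f"backup failed integrity check: {result}")
    # Store a SHA-256 so the copy on the external disk can be re-verified later.
    digest = hashlib.sha256(target.read_bytes()).hexdigest()
    Path(f"{target}.sha256").write_text(f"{digest}  {target.name}\n")
    # Retention: UTC-stamped names sort chronologically; prune all but the newest.
    for old in sorted(dest_dir.glob("db-*.sqlite3"))[:-keep]:
        old.unlink()
        Path(f"{old}.sha256").unlink(missing_ok=True)
    return target


def demo() -> tuple:  # constructed sample data, not real vault contents
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp) / "db.sqlite3"
        con = sqlite3.connect(live)
        con.executescript("CREATE TABLE items (data TEXT);"
                          "INSERT INTO items VALUES ('constructed-blob');")
        con.close()
        for _ in range(3):
            newest = backup_vault(live, Path(tmp) / "backups", keep=2)
        kept = len(list((Path(tmp) / "backups").glob("db-*.sqlite3")))
        restored = sqlite3.connect(newest)
        row = restored.execute("SELECT data FROM items").fetchone()[0]
        restored.close()
        return kept, row
```

This covers the database file only; the rest of the data folder (attachments, keys, config) still has to be copied alongside the snapshot.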

Third for Vaultwarden.
Have a few implemented and working well, behind Nginx Proxy Manager.

Updates take a bit of time and are released often, but it works great, and we also added a PS script to install the Chrome plugin on client machines via Action1.

Didn’t get the auto config for the URLs, which would have been nice, but that will be later.
For Edge, just modify the reg location:

```powershell
$regKey = "HKLM:\SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallForcelist"
```

```powershell
# Set the extension ID directly or via Action1 parameters
$extensionId = "nngceckbapebfimnlniiiahkandclblb"  # Replace with your actual extension ID

# Check if the extension ID is provided
if (-not $extensionId) {
    return "No Extension ID"
}

# Forcelist values have the form "<extension ID>;<update URL>"
$extensionId = "$extensionId;https://clients2.google.com/service/update2/crx"
$regKey = "HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist"

# Create the registry key if it doesn't exist
if (-not (Test-Path $regKey)) {
    New-Item -Path $regKey -Force
}

# Read the existing forced-install entries (value names 1, 2, 3, ...)
$extensionsList = New-Object System.Collections.ArrayList
$number = 0
$noMore = 0

do {
    $number++
    try {
        $install = Get-ItemProperty -Path $regKey -Name $number -ErrorAction Stop
        $extensionObj = [PSCustomObject]@{
            Name  = $number
            Value = $install.$number
        }
        $extensionsList.add($extensionObj) | Out-Null
    } catch {
        $noMore = 1
    }
} until ($noMore -eq 1)

$extensionCheck = $extensionsList | Where-Object { $_.Value -eq $extensionId }

if ($extensionCheck) {
    return "Extension Already Exists"
} else {
    # The loop stops at the first unused value name, so $number is the next
    # free slot (this also holds when the list is empty)
    $newExtensionId = $number
    New-ItemProperty -Path $regKey -PropertyType String -Name $newExtensionId -Value $extensionId -Force
    return "Installed Extension"
}
```

HA-wise: depends on your cluster config (Prox and XCP both do this natively); it all depends on whether you have reliable shared storage.
Fault Tolerance wouldn’t skip a beat, costly though.
HA is usually solid, with less downtime than a backup restore.

Sorry. I’m lost. Why do you need to have such a script for the Chrome and Edge extensions? Mine are just the stock extensions.

Script pushes those to install the standard extension…

Users tend to be a little difficult to get those installed. Just a small add-on when/if you deploy to more than yourself, but not important if using it for just yourself.

Got it. Thanks for sharing.