If you self host bitwarden/vaultwarden, each client stores an encrypted copy of the database, so even if your server was completely destroyed, you'd still have access to all the accounts you're saving in it.
Selfhosted
A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.
Rules:
-
Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.
-
No spam posting.
-
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.
-
Don't duplicate the full text of your blog or github here. Just post the link for folks to click.
-
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
-
No trolling.
Resources:
- awesome-selfhosted software
- awesome-sysadmin resources
- Self-Hosted Podcast from Jupiter Broadcasting
Any issues on the community? Report it using the report flag.
Questions? DM the mods!
I use KeePassXC its free works on what I use. The encrypted list of passwords is synced with my phone twice a day with Syncthing. Chrome had a fit with the android app to I switched to Firefox after. I selfhost it because it's free and I know enough to troubleshoot any problems.
I use a KeePassXC database on a syncthing share and haven't had any issues. You get synchronization and offline access, and even if there are sync conflicts, the app can merge the two files.
One benefit to hosted password vaults over files is that they can use 2FA - you can't exactly do TOTP with a static file.
(As an aside, I wish more "self hosted" apps were instead "local file and sync friendly" apps instead, exactly because of offline access)
You can do 2FA with Keepass, just not TOTP. Add a key file or a hardware key on top of your master password and you pass "something that you have and something that you know" test
KeepassXC handles TOTP.
It can generate TOTP codes, but I'm saying that the vault itself can't be secured with TOTP.
Then the difference is really that someone else is handing the security, right? At the end of the day, there's an encrypted file somewhere, and a TOTP only protects a particular connection by network.
Sure, but there's a big difference between a vault copied and synced on all of my mobile devices that I could easily lose versus only on a server behind locked doors.
Regarding benefits for the paid tier (which I use as a sort of donation):
- it's literally on their page: https://bitwarden.com/help/password-manager-plans/#compare-personal-plans
- What I actually use: A bit of the encrypted upload, some 2FA generators for unimportant services (I prefer using another 2FA app with encrypted automated backups. Helps keeping things separate)
Regarding self-hosting:
I decided against it.
- Too much important stuff in there (+400 accounts)
- Too much stuff in there I would need to back up and keep safe. Not in the mood.
- Not enough experience with hosting a database. If it would go belly-up I had no one except the internet to ask and figure it out myself. At best some selfhost forum/community.
Keepass hosted on my Nextcloud server. You can have the database synced to however many devices you want, and each one will always have a local copy of the latest version. You can use whatever sync solution you want though: syncthing, Dropbox, google drive etc. I suggest using diceware to generate a strong master passphrase for the database :)
I do exactly this, and use Keepass2Android on my phone and have nextcloud-KeeWeb installed.
Tangentally related - For anyone looking to take over a project, KeeWeb is looking for a new maintainer!
Yeah. I use KeepassXC on my computers and KeepassDX on my phone. All synced with syncthing and it works great.
Bitwarden also syncs a local copy to every device it connects to.
This is the way. It's also one of the simplest self-hosted setups you can have. Highly recommend it.
If a FOSS project provides easy self hosting but also a paid hosting I usually go for that to support the project and gain something at the same time. Not only for password managers but any service.
I don’t understand it tbh. Password managers and email are the main things I avoid self hosting. Email because it’s just too easy to fuck something up and never realize you’re not actually properly sending/receiving email. And password managers because if I lose access to it, I’m kinda royally fucked. And the password managers I use keeps a local copy of your database that gets periodically updated, so even without internet I do still have access.
Could one not theoretically self-host a PW manager that also keeps a local copy of the database for times with no internet?
Idk if that doesn't exist yet or what, and there are plenty of other reasons against self-hosting a PW manager but that seems like a logical work-around for that particular problem. Keep your access when the internet is down, and keep your data out of third party control.
Bitwarden does exactly that. It will mostly work with no server connection.
Absolutely, in fact I’d be willing to bet vaultwarden does just that. That’s a good point.
Yep, it does!
Because when whatever company gets a data breach I don't want my data in the list.
With bitwarden If your server goes down then all your devices still have a local copy of your database you just can't add new passwords until the server is back up.
I selfhost vault warden, and in all honesty, it's just painless. I do reverse proxy it, but you could also just setup wireguard or Tailscale at home and keep it even more secure that way.
The reason I chose to selfhost is because I want to be in as much control as possible of my data. I chose Vault warden because it's fully featured and super easy to deploy the server, ridiculously so.
Now,if anyone was to ask me if they should selfhost Bitwarden or just use their hosted service, I'd suggest to take the second option, for 2 reasons:
1.- it's even easier and just works 2.- if you choose the paid tier it has some nice features and you help the project stay alive
I use KeepassXC
I switched from Lastpass to 1Pass and it was pretty miserable. I then swtiched to Bitwarden. It's not perfect, but it's better than LP and 1Pass.
The reason you'd want to self-host is so that nobody has access to your data but you. "The cloud" is just someone elses computer"
Bitwarden does external audits with reports and stores in zero knowledge storage.
Loose your master password and you are fucked. They can't restore it even if you pay them a million €
That was basically the same claim LP made. Even if true, if you have a bad master password, you can be compromised. While yes, that's on you, your data is a high priority target in a centralized password store... if you host it yourself, someone would first have to know you had that data to even target you for that. Much less exposure hosting it yourself. The convenience factor and potentially less security than a company hosting passwords have, so it's kind of a six of one, half dozen of the other.
I self-Host Vaultwarden at home, this way I have a convenient password manager for myself and my SO, it's easy to setup and maintain. East to access from the phone, Firefox, etc. Bitwarden app keeps a local cache so even when disconnected from the server I have access to my passwords and it will synchronize at the next connections. I otherwise have a Wireguard VPN setup in case I need to connect to my home server from outside my home.
Before I used KeePass+syncthing but it was to much configuration to convince my SO to use it. Bitwarden/Vaultwarden was more successful in that regard.
After trying them all, I’m back at having a local KeePass database that is synced to all my devices via iCloud and SyncThing. There are various apps to work with KeePass databases and e.g. Strongbox on macOS and iOS integrates deeply into Apple’s autofill API so that it feels and behaves natively instead of needing some browser extension. KeePass DX is available for all other platforms, and there are lots of libraries for various programming languages so that you can even script stuff yourself if you want.
And I have the encrypted database in multiple places should one go tits up.
Firefox has a built in password manager, it is stored on each machine you sync. But to anwer your question any cloud stored data is vulnerable, so be sure your password manager supports other verification measures such as Yubikey as another factor of authentication
I use KeePassXC and use syncthing to sync the database to each devise I own. This way I always have the newest version if the database everywhere and don't need to worry about Internet access at all.
Password management is the one thing i don't plan to self-host, on the grounds of not putting all my eggs in one basket. If something goes wrong and all my shit is fried or destroyed, I don't want to also fuck around with account recovery for my entire digital existence.
Plus, if something is breached, im more likely to hear news about Bitwarden than I am about compromised server and/or client versions in a timeframe to actually be able to react to it.
My approach to this is as follows:
- the password manager is probably the most important and often used piece of software I own. We (wife and I share the vault) store everything important/private in there - bank details, hundreds of passwords, passport details, drivers licence etc. It is used many times a day by us both.
- Loss of control of this data would be catastrophic, so I took its security very seriously.
- No one company can be trusted with our data, because they all get hacked or make mistakes at some point.
I’m the security dude for a cloud service provider in my day job, so my goal was to use Separation of Concerns to manage my passwords. I therefore split the software from the storage, choosing software from one company, and storage from a second company. That way, it requires a failure on both parties at the same time for me to lose control of all the data.
I used to use OnePass for the software, storing the data in Dropbox. But then they removed that option, so I switched to Enpass. Data is stored in a vault on the local device and synced to a folder on Dropbox, which we both have access to from all our devices (Mac’s, iPads, iPhones). The vault is encrypted using our master password and Dropbox only sees an encrypted file. Enpass provides software that runs locally and doesn’t get a copy of my vault file.
If Dropbox has another failure and the vault gets out, then that is not a problem as long as Enpass have properly encrypted it. If Enpass has a bug making the vaults crackable - again it’s not a problem as long as Dropbox doesn’t lose control of my vault file. I update Enpass, the vault gets fixed and life goes on.
Enpass is very usable, but buggy. It crashes every night (requiring me to start it again and log in), and often loses connection to Safari and wont re-establish it. It got better with a previous update, but has got unreliable again. I’m about to look for another.
Cheers.
Loss of control of this data would be catastrophic, so I took its security very seriously.
Ask yourself: "If my current system is unavailable: How screwed am I?"
If the answer is anything less than "Not screwed at all!", then it is time for a backup - regardless of what system you're using or plan to use.
vaultwarden syncs your passwords locally so even if your server is down the passwords remain available on your device. And it is a wonderful password manager, you can share passwords with your family, have TOTPs, passkeys.
I'm self-hosting a VaultWarden install, and I'm doing it because uh, well, at this point I've basically ended up hosting every service I use online at this point.
Though, for most people, there's probably no real reason to self-host their own password manager, though please stop using Lastpass because they've shown that they're utterly incompetent repeatedly at this point.
You'll learn pretty quickly that a large chunk of self-hosting people are the types that are just terrified of having things be outside their control, which by extension means they are terrified of other people that aren't them running infrastructure. 🫠
I pay Bitwarden the tenner a year as I have no reason to distrust them and they're definitely providing a more reliable, securer service than I can self-host.
I also do an encrypted export once per week and store that export to an encrypted cloud based service and an encrypted USB stick. Takes 2 minutes.
- Because I don't trust companies to hold onto passwords.
- It syncs. I don't need live access to my home.