I find password managers to be extremely convenient, especially when they can be easily synced. However, after last year’s security breach at Lastpass, I decided to reevaluate my use case and strategy going forward. Changing over 150 passwords gave me plenty of time to do so.
- Password access and sync
- Browser-based plugin
- Local network use only
- Remote access
I’m not going to discuss Bitwarden or cryptography in depth. Firstly, there are plenty of reviews on different password managers available, and secondly, I don’t have much knowledge on cryptography. So let me share my rationale: cloud-based solutions are very convenient, and I’m sure every password manager out there is doing their best to protect your data. Unfortunately, security is not an easy matter and, let’s face it, everyone makes mistakes. Lastpass made a few mistakes, and now I don’t know when my metadata and/or passwords will surface. So, the only question I had to ask myself was “Do I actually need to take the chance again?”. My answer was “no” and here’s how I achieved it.
- Host Bitwarden on your local network – choose a machine and give it a static IP (ex.: 192.168.0.2).
- Use Docker and the unified deployment method, note that the unified deployment is still in BETA.
It took me some time, but I managed to create the simplest docker-compose file that actually works:
version: '3' services: bitwarden: depends_on: - db image: bitwarden/self-host:beta restart: always ports: - "8080:8080" volumes: - ./bitwarden:/etc/bitwarden environment: BW_DOMAIN: "bitwarden" BW_DB_PROVIDER: "mariadb" BW_DB_SERVER: "db" BW_DB_DATABASE: "bitwarden_vault" BW_DB_USERNAME: "bitwarden" BW_DB_PASSWORD: "db_password" BW_INSTALLATION_ID: "get it from bitwarden.com/host/" BW_INSTALLATION_KEY: "get it from bitwarden.com/host/" db: environment: MARIADB_USER: "bitwarden" MARIADB_PASSWORD: "db_password" MARIADB_DATABASE: "bitwarden_vault" MARIADB_RANDOM_ROOT_PASSWORD: "true" image: mariadb:10.6.11 restart: always volumes: - ./data:/var/lib/mysql
Here are some important limitations to consider:
- Email confirmation will not occur since I don’t have an email server and don’t see the need to set one up
- You will have to use the Bitwarden Web app to import data, as it can’t be done via the browser plugin – more
- Bitwarden Web only seems to work from localhost, otherwise you’ll get an error that says this.subtle is null
Once you have set everything up, the rest is smooth sailing. The Bitwarden browser plugin doesn’t seem to care about the IP address, and it works great. If I need remote access, instead of exposing Bitwarden through a reverse proxy, I would prefer to use a VPN so I can log into my home network and access Bitwarden that way (I think it is safer this way).
I hope this idea is useful, and that Bitwarden will fix some of these limitations in the future.