Self Hosted Password Vault with Bitwarden
Bitwarden is an open source password vault with features similar to certain commercial products.
Bitwarden enables anyone to self host their own password vault. With just a little bit of effort you can operate your own self hosted password vault complete with a web interface, browser plugins and a mobile app.
Self Hosted or Managed
Bitwarden.com offers very affordable service plans for business or personal use, including a free tier. This is a fine option if you are only looking for a free password vault with a great list of features.
Read on if you want the security of keeping your passwords on a server you control.
Self Hosted Password Vault with Bitwarden
The easiest way to establish a self hosted password vault with Bitwarden is to use the pre-built docker container.
Refer to the official documentation to install Docker.
Now run the docker container for Bitwarden:
$ mkdir -p /srv/bitwarden/data
$ docker run -d --name bitwarden -v /srv/bitwarden/data:/data/ -p 8099:80 bitwardenrs/server:latest
At this point you can reach your self hosted password vault by connecting to your server on port 8099, but this installation is NOT secure. There is no encryption on this connection to keep your passwords secure.
Securing your self hosted password vault
TLS
To secure your self hosted password vault you need a TLS-capable reverse proxy in front of Bitwarden. This example uses the Apache web server and a TLS certificate obtained from Let's Encrypt:
# Requires mod_rewrite, mod_headers, mod_proxy, mod_proxy_http and mod_ssl.
# Port 80: redirect every plain HTTP request to HTTPS.
<VirtualHost *:80>
    ServerName bitwarden.yourdomain.com
    RewriteEngine On
    RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301]
</VirtualHost>
# Port 443: terminate TLS here and proxy to the Bitwarden container.
<VirtualHost *:443>
    ServerName bitwarden.yourdomain.com
    ServerAdmin bitwarden.yourdomain.com
    ProxyPreserveHost On
    # Tell the backend that the original request arrived over HTTPS.
    RequestHeader set "X-Forwarded-Proto" expr=%{REQUEST_SCHEME}
    RequestHeader set "X-Forwarded-SSL" expr=%{HTTPS}
    <Location />
        Require all granted
        ProxyPass http://127.0.0.1:8099/
        ProxyPassReverse http://127.0.0.1:8099/
        ProxyPassReverseCookieDomain 127.0.0.1 bitwarden.yourdomain.com
    </Location>
    # Certificate and key issued by Let's Encrypt, plus its TLS defaults.
    SSLCertificateFile /etc/letsencrypt/live/bitwarden.yourdomain.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/bitwarden.yourdomain.com/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
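A check for the setup above, as an added example that is not part of the original guide: with `-p 8099:80` Docker keeps publishing the unencrypted port on every interface even after Apache terminates TLS, so these functions flag non-loopback bindings in `docker port` output and confirm the port-80 redirect. The `check_live` helper and the sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original guide: post-install checks for the
# Docker + Apache setup above. Samples below are constructed, not captured.
#
# The guide's command publishes the plaintext port on every interface:
#     -p 8099:80
# Docker's ip:hostPort:containerPort form keeps it reachable only by Apache:
#     -p 127.0.0.1:8099:80

# stdin: output of `docker port <container>`.
# Prints each host binding that is not loopback-only; exit 0 if any was found.
exposed_bindings() {
    awk 'NF {
            addr = $NF
            sub(/:[0-9]+$/, "", addr)          # strip the trailing :port
            if (addr != "127.0.0.1" && addr != "[::1]") { print $NF; found = 1 }
         }
         END { exit !found }'
}

# stdin: response headers from `curl -sI http://HOST/`.
# Exit 0 only for a 301 whose Location is an https:// URL, which is what the
# port-80 VirtualHost above should send.
redirects_to_https() {
    tr -d '\r' | awk '
        NR == 1                    { status_ok = ($2 == "301") }
        tolower($1) == "location:" { loc_ok = (index($2, "https://") == 1) }
        END                        { exit !(status_ok && loc_ok) }'
}

# Live use on the server (hypothetical helper; args: container name, hostname).
check_live() {
    if docker port "$1" | exposed_bindings; then
        echo "WARN: plaintext Bitwarden port is published beyond loopback"
    fi
    if ! curl -sI "http://$2/" | redirects_to_https; then
        echo "WARN: http://$2/ does not 301-redirect to HTTPS"
    fi
}

# Constructed `docker port` output for the guide's command and for the
# loopback-only variant.
SAMPLE_OPEN='80/tcp -> 0.0.0.0:8099
80/tcp -> [::]:8099'
SAMPLE_LOOPBACK='80/tcp -> 127.0.0.1:8099'

printf '%s\n' "$SAMPLE_OPEN" | exposed_bindings | sed 's/^/exposed: /'
printf '%s\n' "$SAMPLE_LOOPBACK" | exposed_bindings || echo "loopback only: ok"
```

On the server itself, `check_live bitwarden bitwarden.yourdomain.com` runs both checks against the running container and the public hostname.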
Browser plugin
Most users will want to install a browser plugin. Bitwarden has browser plugins for Firefox and Chrome.
Mobile App
Mobile users can download a Bitwarden mobile app for Android and Apple iDevices.
Next Steps
This is a basic installation howto. Following along with this guide should result in a basic Bitwarden installation.
This installation allows open registrations, meaning that anyone who can find your Bitwarden installation will be able to sign up and create a vault, and there is no admin page. These topics and more will be covered in an upcoming advanced guide.