Bitwarden on your own server with SSL

by Raghu Rajagopalan

I’ve been a long-time user of KeePass (actually KeePassXC, a more actively maintained fork) together with Syncthing to keep the password vault in sync across machines. Bitwarden recently completed a third-party security audit, and that prompted me to set up Bitwarden on my own server and look at migrating to it, provided everything worked.

  1. Instead of the official Bitwarden server, I used bitwarden_rs, an unofficial reimplementation of the server API in Rust, through its Docker image.

  2. Install Docker if you haven’t already: sudo apt install docker.io

  3. Download a Caddy release from its GitHub page. Caddy will obtain certificates from Let’s Encrypt and handle TLS termination in front of the container.

  4. Create an unprivileged user to run the Docker container and the web server (Caddy). Note that membership in the docker group is equivalent to root on the host (any member can start a container that mounts /), so this account is unprivileged only in name; the separate user keeps Caddy and the vault files out of your own login account, it does not contain Docker.

    # system account without a login shell
    sudo useradd -r -s /bin/false bitwarden
    # needed to talk to the Docker daemon; effectively root on the host, see above
    sudo usermod -a -G docker bitwarden
    sudo mkdir -p /home/bitwarden
    sudo chown bitwarden: /home/bitwarden
    
    # 80 is needed for the Let's Encrypt HTTP challenge, 4443 is the public vault port
    sudo ufw allow https
    sudo ufw allow http
    sudo ufw allow 4443
    
    sudo -Hu bitwarden -s bash
    cd ~
    mkdir -p ~/vault
    mkdir -p ~/caddy
    cd caddy
    # wget and untar the caddy release from their github page
    exit
    
    # let caddy bind ports below 1024 without running as root
    sudo setcap cap_net_bind_service=+ep /home/bitwarden/caddy/caddy
    # publish the backend on loopback only: Docker writes its own iptables rules,
    # so a plain -p 4444:80 is reachable from the internet regardless of ufw
    sudo -Hu bitwarden docker run -d --name bitwarden \
        -v /home/bitwarden/vault/:/data/ -p 127.0.0.1:4444:80 mprasil/bitwarden
  5. Verify that you get the Bitwarden web vault page from the backend: wget http://localhost:4444

  6. TLS termination and proxying with Caddy (this is Caddy v1 Caddyfile syntax; Caddy v2 replaced the proxy directive with reverse_proxy)

    sudo -Hu bitwarden -s bash
    cd ~/caddy
    vim Caddyfile
    # /home/bitwarden/caddy/Caddyfile
    https://vault.<yourdomain.com>:4443 {
            # email registered with Let's Encrypt for certificate issuance
            tls <email id here>
            proxy / localhost:4444 {
                    # let caddy answer ACME challenge requests itself
                    except /.well-known
                    # pass the original Host header and client IP through to the backend
                    transparent
            }
            log stdout
            errors stderr
    }
  7. Make sure the necessary ports are also open in your cloud provider’s firewall or security group: in this case 4443 for the vault and 80, which Caddy needs for the Let’s Encrypt HTTP challenge.

  8. From your own machine, opening https://vault.yourdomain.com:4443 should now show the web vault over TLS.
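The one mistake that quietly undoes the whole setup above is publishing the backend on every interface: Docker inserts its own iptables rules, so a plain -p 4444:80 is reachable from the internet even with ufw enabled, bypassing Caddy and TLS entirely. The script below is an added example, not part of the original post, that checks the socket table for exactly that. Port numbers follow the post; the sample listings are constructed to look like ss -ltn output.

```shell
#!/bin/sh
# Added example (not from the original post): verify that the bitwarden_rs
# backend is bound to loopback only and that Caddy is the only public listener.
# Port numbers follow the post; the sample listings below are constructed.

BACKEND_PORT=4444   # bitwarden_rs, must be loopback only
PUBLIC_PORT=4443    # Caddy, TLS terminated, the only intended entry point

# backend_loopback_only PORT LISTING
# Returns 0 if every listening socket on PORT in LISTING (ss -ltn format,
# local address:port in column 4, header line ignored) is bound to
# 127.0.0.1 or [::1]; returns 1 if any is bound to a wider address.
backend_loopback_only() {
    port=$1
    listing=$2
    printf '%s\n' "$listing" | awk -v p="$port" '
        {
            addr = $4
            n = split(addr, parts, ":")      # port is the text after the last ":"
            if (parts[n] != p) next
            host = substr(addr, 1, length(addr) - length(p) - 1)
            if (host != "127.0.0.1" && host != "[::1]") bad++
        }
        END { exit (bad > 0) }'
}

# port_listening PORT LISTING -> 0 if some socket listens on PORT, else 1
port_listening() {
    printf '%s\n' "$2" | awk -v p="$1" '
        { n = split($4, parts, ":"); if (parts[n] == p) found = 1 }
        END { exit (found ? 0 : 1) }'
}

# Constructed sample: what ss -ltn shows after a plain `-p 4444:80`
BAD_LISTING='LISTEN 0 4096 0.0.0.0:4444 0.0.0.0:*
LISTEN 0 4096 [::]:4444 [::]:*
LISTEN 0 128 *:4443 *:*'

# Constructed sample: after `-p 127.0.0.1:4444:80`
GOOD_LISTING='LISTEN 0 4096 127.0.0.1:4444 0.0.0.0:*
LISTEN 0 128 *:4443 *:*
LISTEN 0 128 *:80 *:*'

# check_live: run the same checks against the real socket table
check_live() {
    listing=$(ss -ltn 2>/dev/null) || { echo "ss(8) not available" >&2; return 2; }
    rc=0
    if backend_loopback_only "$BACKEND_PORT" "$listing"; then
        echo "ok: backend :$BACKEND_PORT is loopback only"
    else
        echo "WARNING: backend :$BACKEND_PORT listens on a non-loopback address;" \
             "restart the container with -p 127.0.0.1:$BACKEND_PORT:80" >&2
        rc=1
    fi
    if port_listening "$PUBLIC_PORT" "$listing"; then
        echo "ok: caddy is listening on :$PUBLIC_PORT"
    else
        echo "WARNING: nothing is listening on :$PUBLIC_PORT" >&2
        rc=1
    fi
    return $rc
}

# Only touch the live system when asked; otherwise just define the functions.
if [ "${1:-}" = "--live" ]; then
    check_live
fi
```

Run it on the server as sh check_ports.sh --live (the file name is arbitrary); a non-zero exit means the backend is exposed in plaintext or Caddy is not up.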

Systemd

  • systemd unit file for running bitwarden, saved as /etc/systemd/system/docker.bitwarden.service

    [Unit]
    Description=docker.bitwarden
    Requires=docker.service
    After=docker.service
    
    [Service]
    Restart=always
    # run the docker client as the service account created above, not as root
    User=bitwarden
    # remove a stale container left by an unclean shutdown; otherwise
    # `docker run --name` fails and the unit restart-loops
    ExecStartPre=-/usr/bin/docker rm -f %n
    ExecStart=/usr/bin/docker run --name=%n --tty \
        -v /home/bitwarden/vault:/data -p 127.0.0.1:4444:80 mprasil/bitwarden:alpine
    ExecStop=/usr/bin/docker stop -t 2 %n ; /usr/bin/docker rm -f %n
    
    [Install]
    WantedBy=multi-user.target
  • sudo systemctl enable docker.bitwarden

  • sudo systemctl start docker.bitwarden

  • Caddy ships with a systemd unit file; point it at /home/bitwarden/caddy/Caddyfile and have it run as the bitwarden user.

Security

Disable signups

  1. Create a dedicated admin account in Bitwarden, separate from the account you use day to day.

  2. After creating your account(s), restart the container with the following environment variables added to the docker run command (and to ExecStart in the systemd unit, otherwise the next restart brings the container back with registration open):

    -e SIGNUPS_ALLOWED=false \
    -e INVITATIONS_ALLOWED=false \
    -e SERVER_ADMIN_EMAIL=admin@example.com \

  3. Verify it worked: load the web vault and try to create a new account; the server should reject the registration.

Backup

  • sqlite3 /home/bitwarden/vault/db.sqlite3 ".backup '/home/bitwarden/backup.sqlite3'" (the database lives in the vault directory mounted as /data; .backup uses SQLite’s online backup API, so the copy is consistent even while the server is running, which a plain cp of the open file is not)

  • Cron + rclone the entire /home/bitwarden/vault directory, since attachments and the server’s RSA key live there and not in the database
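Putting the two bullets together, the following is an added example, not part of the original post, of a backup routine for the bitwarden_rs data directory: the database is snapshotted with SQLite’s .backup command, the copy is verified with PRAGMA integrity_check before it is reported as good, the attachments directory is archived next to it, and old snapshots are pruned. Paths follow the post; the backup directory, retention count, script path and rclone remote are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): consistent online backup of
# the bitwarden_rs data directory. Paths follow the post; BACKUP_DIR, KEEP,
# the script path and the rclone remote in the cron line are assumptions.

VAULT_DIR=${VAULT_DIR:-/home/bitwarden/vault}
BACKUP_DIR=${BACKUP_DIR:-/home/bitwarden/backups}   # assumed location
KEEP=${KEEP:-14}                                     # assumed retention

# backup_vault SRC DEST
# Writes DEST/db-<utc stamp>.sqlite3 (and DEST/attachments-<stamp>.tar when
# SRC/attachments exists), prints the path of the database copy, and returns
# non-zero without leaving a corrupt copy behind if any step fails.
backup_vault() {
    src=$1; dest=$2
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    out="$dest/db-$stamp.sqlite3"
    mkdir -p "$dest" || return 1
    # consistent snapshot through the SQLite online backup API,
    # safe while the server holds the database open (cp is not)
    sqlite3 "$src/db.sqlite3" ".backup '$out'" || return 1
    # never report success for a copy that does not verify
    if [ "$(sqlite3 "$out" 'PRAGMA integrity_check;')" != "ok" ]; then
        rm -f "$out"
        return 1
    fi
    # attachments are stored as files under /data, not in the database
    if [ -d "$src/attachments" ]; then
        tar -cf "$dest/attachments-$stamp.tar" -C "$src" attachments || return 1
    fi
    printf '%s\n' "$out"
}

# prune_backups DEST KEEP
# Deletes all but the newest KEEP database snapshots and their attachment
# archives; the UTC stamp in the file name sorts chronologically.
prune_backups() {
    dest=$1; keep=$2
    ls "$dest"/db-*.sqlite3 2>/dev/null | sort -r | tail -n +$((keep + 1)) |
    while read -r f; do
        s=${f##*/db-}
        s=${s%.sqlite3}
        rm -f "$f" "$dest/attachments-$s.tar"
    done
}

# Cron entry (assumed script path and rclone remote), with the snapshot
# directory synced off-box afterwards as the post suggests:
#   0 3 * * * /home/bitwarden/backup.sh --run && rclone sync /home/bitwarden/backups remote:bitwarden-backups
if [ "${1:-}" = "--run" ]; then
    backup_vault "$VAULT_DIR" "$BACKUP_DIR" && prune_backups "$BACKUP_DIR" "$KEEP"
fi
```

Run it from the bitwarden user’s crontab so the snapshots are readable only by that account, and sync the snapshot directory rather than the live vault, since the snapshots are the only copies guaranteed to be consistent.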

Problems

  1. Importing from KeePass XML does not import attachments (ticket 183).

  2. Logging in to sites that need more than a username and password doesn’t work well. As far as I can tell, there is no equivalent of the KeePass auto-type sequence.
