I’ve been a long-time user of KeePass (actually KeePassXC, a more actively maintained fork) as a password vault, with Syncthing to sync the vault across machines. Bitwarden recently completed a security audit, and that prompted me to look into setting up Bitwarden and possibly migrating to it (provided things worked).
- Instead of the official Bitwarden server, I used the Rust implementation of the server, Bitwarden_rs, through its Docker image.
- Install Docker if you haven’t already:

    sudo apt install docker.io
- Download a Caddy release from their GitHub page. We’ll use it to obtain TLS certificates from Let’s Encrypt and for TLS termination.
- Create an unprivileged user to run the Docker image and the web server (Caddy):

    sudo useradd -r -s /bin/false bitwarden
    # note: membership of the docker group is root-equivalent on the host
    sudo usermod -a -G docker bitwarden
    sudo mkdir -p /home/bitwarden
    sudo chown bitwarden: /home/bitwarden
    sudo ufw allow https
    sudo ufw allow http
    sudo ufw allow 4443
    sudo -Hu bitwarden -s bash
    cd ~
    mkdir -p ~/vault
    mkdir -p ~/caddy
    cd caddy
    # wget and untar the caddy release from their github page
    exit
    # lets the caddy binary bind ports 80/443 without running as root
    sudo setcap cap_net_bind_service=+ep /home/bitwarden/caddy/caddy
    sudo -Hu bitwarden docker run -d --name bitwarden -v /home/bitwarden/vault/:/data/ -p 4444:80 mprasil/bitwarden
- Verify that you get the Bitwarden page:

    wget http://localhost:4444
- TLS termination and proxying with Caddy:

    sudo -Hu bitwarden -s bash
    cd ~/caddy
    vim Caddyfile

    # /home/bitwarden/caddy/Caddyfile (Caddy v1 syntax)
    https://vault.<yourdomain.com>:4443 {
        tls <email id here>
        proxy / localhost:4444 {
            except /.well-known
            transparent
        }
        log stdout
        errors stderr
    }
- Make sure you also open the necessary ports on your cloud provider’s firewall, in this case 4443 and 80.
- From your machine, opening https://vault.yourdomain.com:4443 should now work.
Systemd
- systemd unit file for running Bitwarden, /etc/systemd/system/docker.bitwarden.service:

    [Unit]
    Description=docker.bitwarden
    Requires=docker.service
    After=docker.service

    [Service]
    Restart=always
    # the container started by hand above (--name bitwarden) also binds 4444;
    # stop and remove it before starting this unit
    ExecStart=/usr/bin/docker run --name=%n --tty \
        -v /home/bitwarden/vault:/data -p 4444:80 mprasil/bitwarden:alpine
    ExecStop=/usr/bin/docker stop -t 2 %n ; /usr/bin/docker rm -f %n

    [Install]
    WantedBy=multi-user.target
- Enable and start it:

    systemctl enable docker.bitwarden
    systemctl start docker.bitwarden
- Caddy ships with a systemd unit file; just make sure to point it at the actual Caddyfile.
Security
- Disable signups. Create a dedicated admin account in Bitwarden, separate from your user account. After creating your account(s), run the Docker image with the following env vars:

    # add the same -e flags to ExecStart in the systemd unit above
    sudo -Hu bitwarden docker run -d --name bitwarden \
        -e SIGNUPS_ALLOWED=false \
        -e INVITATIONS_ALLOWED=false \
        -e SERVER_ADMIN_EMAIL=admin@example.com \
        -v /home/bitwarden/vault/:/data/ -p 4444:80 mprasil/bitwarden
Backup
- Take a consistent copy of the SQLite database (the live file sits in the directory mounted as /data, not directly in the home directory):

    sqlite3 /home/bitwarden/vault/db.sqlite3 ".backup '/home/bitwarden/backup.sqlite3'"

- Cron + rclone the entire /home/bitwarden/vault directory.
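As an added example (not code from the original post or from Bitwarden_rs), a small Python script that does the same consistent `.backup` of the database through the stdlib sqlite3 online-backup API, copies the rest of the vault directory (attachments, RSA keys), verifies the copy and keeps only the newest N snapshots, so it can run from cron just before the rclone step. The snapshot directory layout, the `keep` count and the paths passed in are assumptions.

```python
import shutil
import sqlite3
import time
from contextlib import closing
from pathlib import Path

DB_NAME = "db.sqlite3"  # database file bitwarden_rs keeps in /data (host: ~/vault)
# Never copy the live db or its journal files byte-for-byte; they may be mid-write.
SKIP = {DB_NAME, DB_NAME + "-wal", DB_NAME + "-shm", DB_NAME + "-journal"}


def backup_vault(vault, dest_root, keep=7, stamp=""):
    """Write dest_root/<stamp>/ with a consistent db copy plus the rest of the
    vault (attachments, rsa keys), prune old snapshots, return the snapshot path."""
    vault, dest_root = Path(vault), Path(dest_root)
    snap = dest_root / (stamp or time.strftime("%Y%m%d-%H%M%S"))
    snap.mkdir(parents=True)
    # Same as the sqlite3 shell's ".backup": the online-backup API copies pages
    # under the database lock, so the copy is consistent even while the server
    # is writing (a plain cp of db.sqlite3 is not).
    with closing(sqlite3.connect(vault / DB_NAME)) as src, \
            closing(sqlite3.connect(snap / DB_NAME)) as dst:
        src.backup(dst)
    for item in vault.iterdir():
        if item.name in SKIP:
            continue
        if item.is_dir():
            shutil.copytree(item, snap / item.name)
        else:
            shutil.copy2(item, snap / item.name)
    prune(dest_root, keep)
    return snap


def verify_backup(snap):
    """True if SQLite's integrity check passes on the copied database."""
    with closing(sqlite3.connect(Path(snap) / DB_NAME)) as con:
        (result,) = con.execute("PRAGMA integrity_check").fetchone()
    return result == "ok"


def prune(dest_root, keep):
    """Delete all but the newest `keep` snapshots (timestamp names sort in order)."""
    snaps = sorted(p for p in Path(dest_root).iterdir() if p.is_dir())
    doomed = snaps[:-keep] if keep > 0 else snaps
    for old in doomed:
        shutil.rmtree(old)
    return [p.name for p in doomed]
```

Point `backup_vault` at /home/bitwarden/vault and a snapshot directory outside the vault, run it from the bitwarden user's crontab, and rclone the snapshot directory rather than the live vault.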
Problems
- Import from KeePass XML does not import attachments (ticket 183).
- Logging in to sites that need more information doesn’t work. AFAICT, I cannot have an auto-type sequence as in KeePass.
References
- Restart policy docs
- systemd-docker (warning: last commit is 4 years ago!)