Vaultwarden selfhosting, or bitwarden service?

Submitted ⁨⁨6⁩ ⁨hours⁩ ago⁩ by ⁨someacnt@sh.itjust.works⁩ to ⁨selfhosted@lemmy.world⁩

I am looking into password managers, as number of my accounts are increasing. Currently I am weighing two options:

Host Vaultwarden on a VPS, or
Use the free bitwarden service.

I want to know how they are in practical aspects.

While I am fine self-hosting many services, password managers seem to be one of the most critical services that should not admit downtime. I surely cannot keep it up, as I need to update it time to time.

On the other hand, using bitwarden might require some level of trust. How much should I trust the company to use the free service? How do I know if my passwords would be safe, not being exposed to the wide net?

I want to gauge pros and cons, are there aspects I missed? How are your opinions on this? If you are self-hosting vaultwarden, how do you manage the downtime? Thanks in advance!

source

Comments

Sort:hotnew top

axum@lemmy.blahaj.zone ⁨4⁩ ⁨hours⁩ ago
The bitwarden vaults themselves are encrypted. So I’m not sure what there is to not trust with bitwarden, as even if files were stolen, they are encrypted so they’re largely useless.

source
- MajesticElevator@lemmy.zip ⁨4⁩ ⁨hours⁩ ago
  It’s important to specify that the items are encrypted using a key derived from your password, so Bitwarden themselves don’t have access to your passwords even if they wanted to.
  
  Since they handle redundancy and backups I think it’s fine staying with them (+ great product)
  
  source
  - spooky2092@lemmy.blahaj.zone ⁨3⁩ ⁨hours⁩ ago
    
    Since they handle redundancy and backups I think it’s fine staying with them (+ great product)
    
    This. I love self hosting services, but anything that I 100% can’t live without isn’t one of them. Because I don’t have the funds for proper redundancy/high availability, and my backup practices at home are… Not ideal. I’ve had a couple brushes with data loss due to gaps in backups, lack of monitoring for impending hardware failures, and had 2 disks suddenly die together in a raid array, all in over a decade of self hosting.
    
    I have cold backups of most of my critical services, but they’re not nearly regular enough for me to trust my passwords to myself.
    
    source
Moonrise2473@feddit.it ⁨5⁩ ⁨hours⁩ ago
Vaultwarden allows a bit of downtime, the vault is cached by the clients

When the server is not reachable, no writes are allowed

source
GnuLinuxDude@lemmy.ml ⁨2⁩ ⁨hours⁩ ago
If you’re planning on getting more people than yourself into the password manager, it may be worthwhile to pay for a family plan. BitWarden is really low-cost and they publish their stuff as FOSS (and therefore are worth supporting), but crucially you don’t want to be the point of technical support for when something doesn’t work for someone else.

That said, I use Vaultwarden only as backup (manually bring the server online and sync to my phone now and again), and my primary password manager is through Keepassxc.

source
- neatobuilds@lemmy.today ⁨1⁩ ⁨hour⁩ ago
  that was my thinking too, if something happened to me I dont want all my wifes passwords to be locked out so I made her an admin on the account as well to be able to continue paying for the service or export her passwords
  
  source
borokov@lemmy.world ⁨2⁩ ⁨hours⁩ ago
Maybe worth to mention that bitwarden also propose bitwarden.eu to host data in Europe. I’ve used bitwarden.com for years, and switch to bitwarden.eu a few month ago because of reasons, you know…

source
Object@sh.itjust.works ⁨5⁩ ⁨hours⁩ ago
One little bonus for using Vaultwarden is that you get access to premium features for free. But still, I put availability much higher when it comes to Bitwarden, so I would go with paid Bitwarden. That is what I did before moving to Keepass.

source
- mbirth@lemmy.ml ⁨5⁩ ⁨hours⁩ ago
  The Bitwarden clients cache your data locally. So even if your Vaultwarden goes down, you’ll still be able to access your passwords. Just not sync new ones or make changes.
  
  source
suicidaleggroll@lemm.ee ⁨3⁩ ⁨hours⁩ ago
I self-host Bitwarden, hidden behind my firewall and only accessible through a VPN. It’s perfect for me. If you’re going to expose your password manager to the internet, you might as well just use the official cloud version IMO since they’ll likely be better at monitoring logs than you will. But if you hide it behind a VPN, self-hosting can add an additional layer of security that you don’t get with the official cloud-hosted version.

Downtime isn’t an issue as clients will just cache the database. Unless your server goes down for days at a time you’ll never even notice, and even then it’ll only be an issue if you try to create or modify an entry while the server is down. Just make sure you make and maintain good backups. Every night I stop and rsync all containers (including Bitwarden) to a daily incremental backup server, as well as making nightly snapshots of the VM it lives in. I also periodically make encrypted exports of my Bitwarden vault which are synced to all devices - those are useful because they can be natively imported into KeePassXC, allowing you to access your password vault from any machine even if your entire infrastructure goes down.

source
harsh3466@lemmy.ml ⁨5⁩ ⁨hours⁩ ago
I self host vaultwarden and its great. Its an easy self host, and in my experience, it has never gone down on me.

That being said, my experience is anecdotal. If you do go the vaultwarden route, realize that your vault is still accessible on your devices (phone, whatever) even if your server goes down, or if you just lose network connectivity. They hold local (encrypted at rest) copies of your vault that are periodically updated.

Additionally, regardless of the route you take you should absolutely be practicing a good 3-2-1 backup strategy with your password vault, as with any other data you value.

source
- MajesticElevator@lemmy.zip ⁨4⁩ ⁨hours⁩ ago
  This: backups might be a pain to handle. Bitwarden does that for you + redundancy.
  
  Depends on the amount of work the person does. I know I’m a lazy self hoster that takes time to update software.
  
  source
mbirth@lemmy.ml ⁨5⁩ ⁨hours⁩ ago
I’d throw in option 3: use a KeePass2 database, sync it using whatever sync tool you like (SyncThing, iCloud, NextCloud, WebDAV, …) and use compatible apps (KeepassXC, Strongbox, etc.)

source
- coaxil@lemm.ee ⁨3⁩ ⁨hours⁩ ago
  I roll it this way, been like this for years and years, fine for my needs
  
  source
irmadlad@lemmy.world ⁨4⁩ ⁨hours⁩ ago
I have used the free Bitwarden now for untold years. It not only houses passwords for personal applications, I use it to keep track of my business account passwords as well. The only problem I’ve had with Bitwarden is their recent UI retool which ended up causing a huge ruckus among the user base to the point where they gave an option to switch back.

There is a certain level of trust for whatever option you choose. If you use Bitwarden free, then you have to trust that Bitwarden will keep your data is safe on their servers. If you self host, the onus of trust lies in you’re ability to secure your server, and to the extent that you trust your host as well. The latter option leaves me a bit queasy, so I do not selfhost my passwords in a selfhosted vault.

Others may have more trust in their security skills than I do. LOL There’s just a lot of sensitive data I have housed within Bitwarden free. Selfhosting it would keep me up at nights.

source
- mike_wooskey@lemmy.thewooskeys.com ⁨4⁩ ⁨hours⁩ ago
  
  The only problem I’ve had with Bitwarden is their recent UI retool which ended up causing a huge ruckus among the user base to the point where they gave an option to switch back.
  
  I think the new UI is pretty terrible. I didn’t know until you mentioned it, irmadlad@lemmy.world, that there was an option to revert. I can’t find it in the settings - how does one revert to the prior UI?
  
  source
  - irmadlad@lemmy.world ⁨3⁩ ⁨hours⁩ ago
    Ok so, I got a popup asking to adjust the Appearance in Settings (Windows/Firefox edition) a little while ago, it seems like it was a month or so ago. I have all the settings there ticked. However, I think what a lot of people who knew, went to their official GitHub and downloaded the previous version’s xpi and sideloaded it. You would have to untick auto updates. That way you can just go back to clicking on the entry in Bitwarden and that autofills instead of having to click the $@#%$$$ ‘Fill’ button. The only caution would be if they upgraded the security components in the new version, meaning the last version may or may not have the same security components baked in.
    
    Yes, the new theme is absolute crap.
    
    source
Hellmo_Luciferrari@lemm.ee ⁨5⁩ ⁨hours⁩ ago
I self host as well as use bitwardens service.

I pay $10 a year, and never have I had access issues with it.

My self hosted instance houses everything for my other self hosted services.

I can also have my Bitwarden duplicated to my self hosted instance.

However, the only way to access my Vailtwarden instance is via my network. And for my use case, this is perfect.

Neither of them have I had any downtime; like others have said it’s anecdotal.

source
anamethatisnt@sopuli.xyz ⁨5⁩ ⁨hours⁩ ago

On the other hand, using bitwarden might require some level of trust. How much should I trust the company to use the free service?
How do I know if my passwords would be safe, not being exposed to the wide net?

Wouldn’t these questions be as true of the VPS service that hosts Vaultwarden as of Bitwarden?
If my internet at home was better I would be selfhosting Vaultwarden and use a full vpn on my laptop/phone/tablet when leaving the house.
Now I’m using KeepassXC with my home pc as the true source and syncing copies of the database to my laptop and phone.

source
- observantTrapezium@lemmy.ca ⁨4⁩ ⁨hours⁩ ago
  No, you don’t need to trust the VPS provider. The VaultaWarden password storage is encrypted, and the master password is never transmitted to the server. The passwords are decrypted only locally on your device.
  
  source
  - anamethatisnt@sopuli.xyz ⁨4⁩ ⁨hours⁩ ago
    How does that differ from Bitwarden?
    
    source
    -> View More Comments
dfense@lemmy.world ⁨5⁩ ⁨hours⁩ ago
At the end of the day you have to trust someone (Bitwarden, Hoster, Hardware Manufacturer…). It comes down to your threat profile and what you personally accept as a risk vs. effort (or convenience). For me Bitwarden was acceptable, but I switched to self hosting Vaultwarden CA. 3 years ago. Main reasons being the advanced features (sharing some passwords with the family, setting up a tech savvy friend to take over my vault should I get hit by a bus, etc.). I did not have any relevant downtime of that service in years.

source