by Fnoord 2476 days ago
Agreed w/your post in general.

> On one hand, Bitwarden's online offering where you trust them with your data is convenient, but also a single point of failure.

Put your network connectivity off, and try to relogin to Bitwarden. It will work. I just tried it. The only downside is that the database might not be synced (which, I admit, can be a problem).

> The only caveat with self-hosting being the overhead. Regular non-techie people just don't have the time or intellectual curiosity to experiment with self-hosting.

I don't know the password to connect to my (hypothetical) self-hosted Bitwarden instance. Because of the above though, that would not be an issue.

Hence I am going to switch to self-hosting. There's a Rust implementation with a Docker image.

2 comments

> Put your network connectivity off, and try to relogin to Bitwarden. It will work.

That's correct, but the parent comment is also correct about the single point of failure. The Bitwarden server could erase your database for some reason (bug, hack…), and it would sync on all your devices, erasing all your data.

What operational security risks do you have to be aware of when self-hosting passwords?
This is a great question which everyone should ask themselves.

It has to be user-friendly enough (which Bitwarden IMO is). You need to do a CIA threat assessment yourself.

Confidentiality I solve by using WireGuard; hence I don't mind if I use HTTP or HTTPS with a self-signed certificate. You might be able to use Let's Encrypt instead. Integrity I solve with offsite backups of the most important data. Availability is solved by having decent uptime on my cable provider, about 25 Mbit upload. I also used RAID1 on my server. My server is a Synology NAS with Docker.

If that gets compromised by hackers, they have access to private data of mine anyway. If you include the government in your threat assessment they are very likely able to get access to your server (VPS or my example). That is why I prefer to stick to my local government/jurisdiction. I'm already bound by them anyway. If they want to screw me over (including working together with US government) they can and (since we are part of Nine Eyes) likely will.

YMW(ill)V
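The integrity-by-backups point in the last reply and the erase-then-sync risk in the reply before it, worked through as an added shell example (not code from this thread or from Bitwarden): versioned snapshots with a checksum sidecar, and a rotation step that refuses to discard older copies when the newest payload has shrunk, which is what a server-side wipe looks like from the backup side. Paths, the sample database contents and the half-size threshold are constructed assumptions.

```shell
# Added example, not code from the HN thread or from Bitwarden: versioned,
# checksummed backups of a self-hosted vault's data directory. A plain mirror
# would copy a server-side wipe as faithfully as the clients re-sync it.
# All paths, sample contents and the shrink threshold are constructed.
set -eu
sha256_of() {   # hex digest of a file; falls back to shasum on BSD/macOS
  { command -v sha256sum >/dev/null 2>&1 && sha256sum "$1" || shasum -a 256 "$1"; } | awk '{print $1}'
}

# snapshot SRC DEST STAMP: archive SRC to DEST/vault-STAMP.tar, recording the
# archive's sha256 and the payload byte count in a sidecar .meta file.
snapshot() {
  out=$2/vault-$3.tar; mkdir -p "$2"
  tar -cf "$out" -C "$1" .
  bytes=$(find "$1" -type f -exec cat {} + | wc -c | tr -d ' ')
  printf '%s %s\n' "$(sha256_of "$out")" "$bytes" > "$out.meta"
}

# verify_snapshot TAR: succeed only if the archive still matches its hash.
verify_snapshot() { [ "$(sha256_of "$1")" = "$(awk '{print $1}' "$1.meta")" ]; }

# prune_guarded DEST KEEP: drop all but the KEEP newest snapshots, unless the
# newest payload is under half the previous one (what a wiped database looks
# like): then keep everything and return 2 so an operator looks at it.
prune_guarded() {
  keep=$2; set -- "$1"/vault-*.tar          # glob expands oldest to newest
  [ $# -ge 2 ] || return 0
  eval "newest=\${$#}"; eval "prev=\${$(($# - 1))}"
  new_bytes=$(awk '{print $2}' "$newest.meta"); old_bytes=$(awk '{print $2}' "$prev.meta")
  if [ "$new_bytes" -lt $((old_bytes / 2)) ]; then
    echo "refusing to prune: payload shrank from $old_bytes to $new_bytes bytes" >&2
    return 2
  fi
  while [ $# -gt "$keep" ]; do rm -f "$1" "$1.meta"; shift; done
}

# demo: constructed vault, one healthy rotation, then a simulated server wipe.
demo() {
  work=$(mktemp -d); data=$work/data; store=$work/backups; mkdir -p "$data"
  printf 'constructed vault db, generation 1\n' > "$data/db.sqlite3"
  snapshot "$data" "$store" 001
  printf 'constructed vault db, generation 2, slightly longer\n' > "$data/db.sqlite3"
  snapshot "$data" "$store" 002
  prune_guarded "$store" 1 && verify_snapshot "$store/vault-002.tar" || return 1
  : > "$data/db.sqlite3"                    # the server loses its database
  snapshot "$data" "$store" 003             # and the loss lands in the newest snapshot
  if prune_guarded "$store" 1; then return 1; fi   # must refuse with status 2
  set -- "$store"/vault-*.tar; [ $# -eq 2 ] || return 1   # 002 and 003 both kept
  rm -rf "$work"
}
```

Run `demo` to see the rotation succeed once and then refuse after the wipe; the refusal is the point, since a mirror-style backup would have overwritten the last good copy.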