by FlyingSnake 1923 days ago
Another satisfied user of `bitwarden_rs` here, and I can vouch for it. I migrated from LastPass and couldn't be happier. The setup is pretty simple and I even managed to migrate it to a new server without any hassles. All the apps work flawlessly.

The peace of mind in having all your sensitive data under your control is totally worth it.


> The peace of mind in having all your sensitive data under your control is totally worth it.

I used to have some illusions that "if I self host, I am in control", and "if I don't connect my home infra to the internet, I am safe". Later I realized neither is true.

I can't trust all the consumer grade devices in my network, and I don't trust software just because it is open source. And I don't have time to keep up with all the security patches and do security auditing / vulnerability scans routinely, etc.

It is fine to self host hobby stuff for fun, but professionally managing sensitive data is a full time job.

Assuming that you're not a high profile target, self-hosting does make it rather unlikely that you'll get pwned in this case.

An attacker can justify allocating a lot of resources to pwn bitwarden.com. If you manage to break into the vaults you're bound to find something juicy, just because of how large the target is.

Or you could decide to pwn me. Figure out where my bitwarden is hosted, what my config looks like, what mistakes I might have made setting it up, then maybe find a way in. Then it's just the start, since the passwords are encrypted on disk, so at best you have access to an encrypted sqlite database. Now you need to find a way to get me to leak my vault key. Maybe I sometimes use the web interface? Maybe not. Who knows.

After all of that you may realize that all of my passwords are either not super important or require some form of 2FA, therefore wasting your time.

But hey, you can log into my hacker news account!

Security through irrelevancy.

Just set up backups, enable apt unattended upgrades for major security patches and forget the rest.

If you want to really get paranoid, pass it all through wireguard or ssh tunnels, but for bitwarden at least it's all client side encrypted anyways, you could probably run it on a very out of date system without issue.

Sure. But do you constantly verify backups, check hard drive health and file corruptions, practice disaster recovery?

And these are just for the integrity of your _encrypted_ data. There is a lot more to do to fully secure your home infra in general. How do you secure your wireguard client key on the go? Do you monitor access logs? What about Guest Wi-Fi access, vlan separation...

I don't know if worrying about all these is considered being paranoid. At the end of the day it's about risk management, and personally, the benefits of selfhosting do not justify the effort I will need to put into maintaining it.
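The "do you constantly verify backups" question above is one that can be answered with a script. The following is an added example (not bitwarden_rs code) that assumes the vault is a SQLite file, as the thread says, takes a consistent snapshot through SQLite's online backup API, records its SHA-256 in a manifest, and then verifies a backup by re-hashing it, running `PRAGMA integrity_check`, and confirming the expected table is present and non-empty. The table name `ciphers`, the paths and the sample row are all constructed for the demo.

```python
"""Verify a backup of the (encrypted) vault database before trusting it.

Added example, not part of bitwarden_rs.  Assumes a SQLite vault file and
a 'ciphers' table (constructed for the demo).
"""
import hashlib
import json
import os
import sqlite3
import tempfile


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(db_path, backup_path):
    """Take a consistent snapshot with the backup API and record its hash."""
    src = sqlite3.connect(db_path)
    dst = sqlite3.connect(backup_path)
    with dst:
        src.backup(dst)          # safe on a live database, unlike cp
    src.close()
    dst.close()
    manifest = {"file": os.path.basename(backup_path),
                "sha256": sha256_file(backup_path)}
    with open(backup_path + ".manifest.json", "w") as f:
        json.dump(manifest, f)
    return manifest


def verify_backup(backup_path):
    """Return a list of problems; an empty list means the backup is usable.

    Checks: manifest hash still matches (bit-rot / truncation), SQLite's own
    integrity_check passes, and the table we would restore from has rows.
    """
    problems = []
    try:
        with open(backup_path + ".manifest.json") as f:
            manifest = json.load(f)
    except (OSError, ValueError) as e:
        return [f"manifest unreadable: {e}"]
    if sha256_file(backup_path) != manifest["sha256"]:
        problems.append("hash mismatch: file changed since backup")
    try:
        con = sqlite3.connect(f"file:{backup_path}?mode=ro", uri=True)
        result = con.execute("PRAGMA integrity_check").fetchone()[0]
        if result != "ok":
            problems.append(f"integrity_check: {result}")
        n = con.execute("SELECT count(*) FROM ciphers").fetchone()[0]
        if n == 0:
            problems.append("ciphers table empty")
        con.close()
    except sqlite3.DatabaseError as e:
        problems.append(f"cannot open as sqlite: {e}")
    return problems


def demo():
    """Build a toy vault, back it up, verify, corrupt the copy, verify again."""
    d = tempfile.mkdtemp()
    live = os.path.join(d, "db.sqlite3")
    bak = os.path.join(d, "db.backup.sqlite3")
    con = sqlite3.connect(live)
    with con:
        con.execute("CREATE TABLE ciphers (uuid TEXT PRIMARY KEY, data TEXT)")
        # constructed placeholder, not a real Bitwarden ciphertext
        con.execute("INSERT INTO ciphers VALUES ('u1', '2.placeholder|ct|mac')")
    con.close()
    make_backup(live, bak)
    good = verify_backup(bak)
    with open(bak, "r+b") as f:          # simulate bit-rot mid-file
        f.seek(os.path.getsize(bak) // 2)
        f.write(b"\xff" * 64)
    bad = verify_backup(bak)
    return good, bad


if __name__ == "__main__":
    ok, broken = demo()
    print("fresh backup problems:", ok)
    print("corrupted backup problems:", broken)
```

Run `verify_backup` from the same cron job that takes the backup, and alert on a non-empty result; a hash that matches but an `integrity_check` that fails points at a bad source database rather than a bad copy.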

Not everything is encrypted. The server sees what domains you have passwords for. So there is a lot of metadata visible on the server. You have to trust the server also if you use the web client because the web client is loaded from the server. It could leak all your data if the server is compromised and you log in via web.

> The server sees what domains you have passwords for.

The server does not see the domains you have passwords for. The following data are saved in plaintext:

- A list of "equivalent domains" (this starts out with a default list, but individuals can change this). This totally can be used to deduce which websites you have an account for, but that's not really enough information, as most websites will not have an entry here.

- Some metadata such as your email, master password hint

- Most of the boolean values (mfa enabled, email verified, premium)

- Custom field types (types only; field name and value are both encrypted)

- Revision date

- Bunch of UUIDs

Here is what a single password entry looks like when retrieved from the /sync endpoint, which happens before decryption: https://pastebin.com/FLr19qiN

> You have to trust the server also if you use the web client because the web client is loaded from the server.

This is true! However, the Android app, CLI, and other clients do not get loaded from the server; thus, in theory, you can inspect their source, possibly compile it yourself, and use that. In those scenarios you do not have to trust the server.
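A way to check the plaintext-versus-encrypted split described in the comment above for yourself is to walk a stored item and sort every field by whether it is a Bitwarden-style encrypted string. The following is an added example, not code from bitwarden_rs or the Bitwarden clients. It relies on one fact about the client format: secrets are stored as "EncString"s of the form `<encType>.<iv_b64>|<ciphertext_b64>|<mac_b64>`, where type 2 is AES-256-CBC with an HMAC-SHA256 tag. The item layout below (`Id`, `Login.Uris`, `Fields`, and so on) is a constructed approximation of a /sync item, not a captured response, and the "ciphertexts" are deterministic placeholder bytes with the right shape, not real encryption.

```python
"""Classify which leaves of a stored vault item a server can read.

Added example; the item shape is an assumption modelled on the thread's
description, and placeholder_encstring() produces stand-in ciphertext.
"""
import base64
import hashlib
import re

# <encType>.<b64>|<b64>[|<b64>]
ENC_RE = re.compile(r"^(\d+)\.([A-Za-z0-9+/=]+)\|([A-Za-z0-9+/=]+)(?:\|([A-Za-z0-9+/=]+))?$")


def placeholder_encstring(label: str) -> str:
    """Constructed type-2 EncString: hash-derived bytes with the right sizes
    (16-byte IV, 16-byte-multiple body, 32-byte MAC). Nothing is encrypted."""
    d = hashlib.sha256(label.encode()).digest()
    iv, body, mac = d[:16], hashlib.sha256(d).digest(), hashlib.sha256(d + b"mac").digest()
    b64 = lambda b: base64.b64encode(b).decode()
    return f"2.{b64(iv)}|{b64(body)}|{b64(mac)}"


def is_encstring(value) -> bool:
    """True if value is structurally a Bitwarden EncString."""
    if not isinstance(value, str):
        return False
    m = ENC_RE.match(value)
    if not m:
        return False
    enc_type = int(m.group(1))
    parts = [p for p in m.groups()[1:] if p is not None]
    try:
        raw = [base64.b64decode(p, validate=True) for p in parts]
    except ValueError:
        return False
    if enc_type == 2:   # AES-256-CBC + HMAC-SHA256: iv, padded body, 32-byte mac
        return len(raw) == 3 and len(raw[0]) == 16 and len(raw[1]) % 16 == 0 and len(raw[2]) == 32
    return True         # other types: accept on structure alone


# Constructed sample item (assumed layout, not a real /sync response).
SAMPLE_ITEM = {
    "Id": "5b6a1f2e-1111-4222-8333-444455556666",          # UUID: plaintext
    "OrganizationId": None,
    "FolderId": "9f0e1d2c-aaaa-4bbb-8ccc-dddd0000eeee",    # UUID: plaintext
    "Type": 1,                                              # cipher type: plaintext
    "Favorite": False,                                      # boolean: plaintext
    "RevisionDate": "2020-04-01T12:00:00.000Z",            # plaintext
    "Name": placeholder_encstring("name"),
    "Notes": placeholder_encstring("notes"),
    "Login": {
        "Username": placeholder_encstring("username"),
        "Password": placeholder_encstring("password"),
        "Uris": [{"Uri": placeholder_encstring("uri"), "Match": None}],
    },
    "Fields": [
        {"Type": 1,                                         # field type: plaintext
         "Name": placeholder_encstring("field-name"),
         "Value": placeholder_encstring("field-value")},
    ],
}


def classify(node, path="", out=None):
    """Walk a decoded item and sort every non-null leaf into encrypted/plaintext."""
    if out is None:
        out = {"encrypted": [], "plaintext": []}
    if isinstance(node, dict):
        for k, v in node.items():
            classify(v, f"{path}.{k}" if path else k, out)
    elif isinstance(node, list):
        for i, v in enumerate(node):
            classify(v, f"{path}[{i}]", out)
    elif node is not None:
        out["encrypted" if is_encstring(node) else "plaintext"].append(path)
    return out


def server_visible(item):
    """Paths the server can read without any key: the metadata the thread lists."""
    return sorted(classify(item)["plaintext"])


if __name__ == "__main__":
    for bucket, paths in classify(SAMPLE_ITEM).items():
        print(bucket, paths)
```

Pointed at a real export of what your server stores, the same walk gives a concrete answer to "what does the server see": UUIDs, dates, booleans and field types come out in `plaintext`, while names, notes, credentials and URIs come out in `encrypted`.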

Agreed, managing secure servers is a full time job.

The situation with Bitwarden is a bit different though. Secrets are encrypted on the clients, the server never sees decrypted data.

Personally, having my sensitive data under my own control (but internet facing) terrifies me. I know enough to know that there are risks, and yet wouldn't have a clue about how to make it secure.

My self-hosted bitwarden server is only accessible from the LAN. Since the full password database is cached locally on each client, you can use it to look up existing passwords just fine without a connection to the server. Bitwarden does require a connection to the server to add passwords, as it isn't a distributed architecture, so this setup does prevent you from adding new passwords while you are out and about, but I don't have the need to do that often, and on the rare occasions when I do, I write them on scrap paper in my wallet till I get home.

For home use, and to a limited extent - when all your users are proficient - for corporate use, I really enjoy pass (https://www.passwordstore.org/). It has a decentralized architecture where passwords are synchronized via git, making it excel in situations where you need to generate or store secrets on the go. Unfortunately, the Windows client is not stellar, and the (unofficial?) Android app doesn't seem to have an option to encrypt secrets using more than one key, limiting its use for most teams.

I got really excited about pass for a bit and almost switched to it, until I realized I was likely increasing my attack surface because in addition to trusting the developer of pass, I also had to trust the developer of whatever other third-party clients I was using with it (such as the iOS client).

Switched to Bitwarden instead.

My concern about this is less about making it secure but keeping it secure. Zero-day vulnerabilities are a thing and you can never be 100% safe against those, so the next best thing is to have good monitoring in place so you get alerted when something nefarious is going on. This unfortunately requires 24/7 monitoring that's better left to a dedicated team.

Just connect to it via wireguard or tailscale instead of exposing it to the entire internet.

Bingo.

If you're going to host services at home such as your password manager, set up a WireGuard VPN (you can use a Pi and it'll be perfectly sufficient), leave only the VPN open on the internet, VPN in from your phone, laptop, whatever for anything you need access to, and you don't need to rely on Nextcloud or Bitwarden having vulnerabilities discovered in them.

I was using Nextcloud previously for password sync because my password manager needs WebDAV, it was too much to maintain so I wrote a small server in Golang using the WebDAV library and it sits behind NGINX which handles the auth. I run Minio (S3 compatible) for syncing our family photos from our phones and Folder Sync app on Android. They both run on a VM and write out to a ZFS pool.

I have a Pi 3B+ running Raspbian mounted read-only as a WireGuard VPN for remote access, and we use the official WireGuard app. VPN is always on because we have fast, symmetric fibre, and we don't need to worry about trusting public networks.
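"Leave only the VPN open on the internet" is easy to state and easy to drift away from as services get added. The following is an added example (not from any project in the thread) of a check that parses `ss -tulnH`-style listener output and reports every socket bound to a non-loopback address whose protocol and port are not on an allow-list. The sample output is constructed to resemble `ss` on a small home gateway, and the allow-list entry (UDP 51820) is an assumption based on WireGuard's default port; adjust it to your own configuration.

```python
"""Flag listeners reachable from outside that are not the VPN port.

Added example; SAMPLE_SS is constructed, not captured, and the allow-list
assumes WireGuard on its default UDP port 51820.
"""
import ipaddress

# Constructed approximation of `ss -tulnH` output (Netid State Recv-Q Send-Q
# Local:Port Peer:Port).  Not from a real host.
SAMPLE_SS = """\
udp   UNCONN 0      0            0.0.0.0:51820      0.0.0.0:*
udp   UNCONN 0      0      127.0.0.53%lo:53         0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      511        127.0.0.1:8080       0.0.0.0:*
tcp   LISTEN 0      511             [::]:443           [::]:*
"""

ALLOWED = {("udp", 51820)}   # assumption: WireGuard default port


def parse_local(field):
    """Split ss's 'addr:port' into a normalized address string and an int port."""
    addr, _, port = field.rpartition(":")
    addr = addr.strip("[]").split("%")[0]   # drop IPv6 brackets and scope id
    return addr, int(port)


def is_externally_reachable(addr):
    """Wildcard and non-loopback, non-link-local binds count as reachable."""
    if addr in ("*", ""):
        return True
    ip = ipaddress.ip_address(addr)
    return not (ip.is_loopback or ip.is_link_local)


def exposed_listeners(ss_output, allowed=ALLOWED):
    """Return (proto, addr, port) for listeners that are reachable and not allow-listed."""
    found = []
    for line in ss_output.splitlines():
        f = line.split()
        if len(f) < 5:
            continue
        proto = f[0]
        addr, port = parse_local(f[4])
        if is_externally_reachable(addr) and (proto, port) not in allowed:
            found.append((proto, addr, port))
    return found


if __name__ == "__main__":
    for proto, addr, port in exposed_listeners(SAMPLE_SS):
        print(f"exposed: {proto} {addr}:{port}")
```

On a live host, feed it `subprocess.run(["ss", "-tulnH"], capture_output=True, text=True).stdout`. The check looks at bind addresses only; a wildcard listener may still be filtered by nftables or the router, so pair it with a firewall rule review rather than treating it as the whole answer.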

Why would you mount read only, out of interest? How do you keep packages up to date? And what about logging? I'd want to be logging connection attempts.

To save the SD card mostly. I log to a ring buffer in RAM.

I've had my Raspberry Pis kill dozens of SD cards over the years, so read only can help. As for updates, I manually remount read/write when I do maintenance and then remount read-only again when I'm done.

Thanks. I might have a look into doing it for mine, since that seems to make sense. I guess like you said you can just mount the fs rw, and then chroot in to run updates.

Probably to save the SD card.

I would set it up locally on a Raspberry Pi with PiVPN and only allow a specific IP (the bitwarden IP) to be accessible via that VPN connection. Also you will need a self-signed cert installed on the devices where you want to access bitwarden if you don't have a public domain.

I had the same thought so I put it behind a VPN. A little less convenient, but WAY more secure.

I mean at the end of the day your data is encrypted before it leaves your device and unless someone breaks encryption you can display it on a banner ad on Times Square and it doesn't make a difference.

Personally I think hosting the server locally doesn't give much benefit because I'm more likely to screw things up than Bitwarden is on that front.