a password vault contains a lot of long-lived secrets protected by a human-provided key, so it's really not something you want out there, even encrypted.
I would assume most people that are doing self-hosted are securing it behind a VPN like Wireguard instead of opening it to the whole web. (at least I hope so)
I am not. Working well so far. My instance is behind Caddy, behind a secret URL path. To talk to the instance, this “pre-shares secret” needs to be known first. So far I haven’t seen any abnormal hits. I’m closing in on 3 years of using it in this setup, via Vaultwarden.
I’m aware that this is security through obscurity. The instance’s accounts use strong passwords and MFA.
Yeah, the full URL can be specified in Bitwarden clients (browser extension, mobile app) and then never touched again. The secret path only leaks if users use Bitwarden's sharing feature. It's not a "pre-shared secret" in that sense, as it can publicly leak by design.
I'm afraid not. I've seen some really dumb setups of BW when helping selfhosted.
I do think that while selfhosting is admirable, in the case of your password vault, it's not. It's one thing where I'd always advice against selfhosting or DIY, because the downside risk is just too big.
The chance of fng up may be tiny, bit if you fck up, it's bad. Potentially bankruptcy or jail bad.