by antran22 36 days ago
When I first learnt about Bitwarden about 3 years ago, I started hosting Vaultwarden right away. Right now I have one instance for myself and another for my friend's company. Everything runs as smooth as butter. If you can self-host something, do self-host a Vaultwarden instance. If you are (like me) somewhat paranoid about the fact that Vaultwarden hasn't got a proper security audit on its codebase, just run it behind a VPN; it will probably be fine.

I'm not particularly worried about Bitwarden going belly up because it already has such a well-established open-source replacement. The worst-case scenario is that Bitwarden makes the clients incompatible with Vaultwarden, and as OP already mentioned in the post, somebody in the community will fork them as soon as this happens.


Yes, but vaultwarden isn't something you can casually run by yourself without some careful thinking. You are hosting secrets whose longevity is important, so if deploying yourself, take good care of backups and do regular drills, so you validate that the backups work, that they aren't corrupted and that you keep a copy off-site.
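A backup drill of the kind this comment recommends, as an added example that is not part of the thread: it takes a consistent copy of a Vaultwarden SQLite database, records its SHA-256, then checks that the copy is intact and restorable and that a damaged copy is caught. The `ciphers` table name and the stand-in database are assumptions; a real db.sqlite3 would take the place of the constructed one.

```python
# Backup drill for a self-hosted Vaultwarden SQLite store (added example, not from the thread).
# Assumes the default db.sqlite3 layout with a `ciphers` table; the database used here is a
# constructed stand-in so the drill runs offline.
import hashlib
import sqlite3
import tempfile
from contextlib import closing
from pathlib import Path

def consistent_backup(live_db: Path, backup_path: Path) -> str:
    """Copy a live database with SQLite's online backup API (safe while the server
    is writing) and return the SHA-256 of the copy, to be stored alongside it."""
    with closing(sqlite3.connect(live_db)) as src, closing(sqlite3.connect(backup_path)) as dst:
        src.backup(dst)
    return hashlib.sha256(backup_path.read_bytes()).hexdigest()

def verify_backup(backup_path: Path, expected_sha256: str, table: str = "ciphers") -> dict:
    """The drill: checksum matches, SQLite finds the file intact, and the table holding
    vault items exists and is non-empty. Any failure means the copy is not restorable."""
    digest = hashlib.sha256(backup_path.read_bytes()).hexdigest()
    result = {"checksum_ok": digest == expected_sha256, "integrity_ok": False, "rows": 0}
    try:
        with closing(sqlite3.connect(f"file:{backup_path}?mode=ro", uri=True)) as conn:
            result["integrity_ok"] = conn.execute("PRAGMA integrity_check").fetchone()[0] == "ok"
            result["rows"] = conn.execute(f'SELECT COUNT(*) FROM "{table}"').fetchone()[0]
    except sqlite3.DatabaseError:  # malformed file or missing table
        pass
    result["restorable"] = result["checksum_ok"] and result["integrity_ok"] and result["rows"] > 0
    return result

def make_sample_db(path: Path, n_items: int = 3) -> None:
    """Constructed stand-in for db.sqlite3 with only the columns this drill needs."""
    with closing(sqlite3.connect(path)) as conn:
        conn.execute("CREATE TABLE ciphers (uuid TEXT PRIMARY KEY, data TEXT NOT NULL)")
        conn.executemany("INSERT INTO ciphers VALUES (?, ?)",
                         [(f"id-{i}", "<encrypted blob>") for i in range(n_items)])
        conn.commit()

def run_drill() -> dict:
    """Back up, verify, then damage the copy and verify again (the drill must catch it)."""
    with tempfile.TemporaryDirectory() as tmp:
        live, backup = Path(tmp) / "db.sqlite3", Path(tmp) / "db.sqlite3.bak"
        make_sample_db(live)
        digest = consistent_backup(live, backup)
        good = verify_backup(backup, digest)
        data = bytearray(backup.read_bytes())
        data[100:120] = b"\xff" * 20  # corrupt page 1 just past the 100-byte file header
        backup.write_bytes(data)
        return {"good": good, "corrupted": verify_backup(backup, digest)}
```

Running the same checks against the off-site copy, not only the local one, is what turns this into the drill the comment describes.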
Actually, I didn't have any careful planning when I started out self-hosting Vaultwarden. I didn't even have system backups (was just a script kiddie back then, didn't even know about 1-2-3). I had to migrate my instance 3-4 times. But because I'm just hosting Vaultwarden for myself, I can export the whole account from one of the Bitwarden clients (either the extension or mobile app) and reimport it in the new instance. Because I always have at least three devices in active use connected to my Vaultwarden instance, for me this also counts as 3 off-site backups that can be used to reinstate the whole setup.

It is surprisingly very durable and maintenance-free, even for a script kiddie like me to maintain. My advice is (at least when it comes to Vaultwarden) don't think too much about this, just self-host it, at least for yourself. You'll probably be able to manage it when something happens.

Some friends and I have each been hosting vaultwarden casually for years now. What problem do you see? I mean if the server goes down and gets completely corrupted, worst case, all my devices still have the version of the vault they recently used. Technically every device has its own backup of the vault.
If I stay offline for more than 30 days, can I still access my local passwords? Honest question, because if that's the case it's nice, but I think you'd need to somehow authenticate before accessing your local vault.
Thanks for making me check. Did not know this: "Offline Vault sessions will expire after 30 days. Except for mobile client applications, which will expire after 90 days." But for me that is enough time to feel safe, still will do backups regularly.
If you're self-hosting, and not using their official clients, your database stays functional in perpetuity.

Which client? Is there an unofficial client for Android that doesn't expire?
You need a VPS, correct? Are there any concerns about hardening your VPS from attackers? I worry about my ability to harden a public-facing service that is handling something so critical for myself.
Don't make it public facing! Put it behind a VPN!!
Firewall*
Use a host that takes care of this for you.

My host has prebuilds for Vaultwarden.

Can you recommend which host you use? Noob here, and looking for something like this.
You should be doing regular exports/backups of your vault regardless of how it's hosted. Bitwarden could go belly up tomorrow and lose all their stored vault data.
Easier said than done. If done manually you will eventually forget, and to automate it you have to wrap a call to the bitwarden cli, which, as we've seen, has already suffered a supply chain breach: https://news.ycombinator.com/item?id=47876043

The API for managing secrets automatically is gated behind `bitwarden-cli serve`. It is surprising to me that I can't call the API directly using urllib or requests; I have to go through the bitwarden-cli.

I've been using bitwarden for a while, but your comment prompted me to investigate how I could backup my secrets, and this is a surprise. I am considering moving to my own infrastructure, because I dread having to depend on this tool to automate regular backups for me. Better to do that at the service layer. Problem is just how to expose it. There is always tailscale but that's just shifting the problem around.

To me, it's not that complicated. The point of a vault backup is to not leave you completely hosed, even if it means some new entries didn't make it in. You don't really need to automate anything, set a calendar reminder every few months if you're prone to forgetting and login to do an export.

Automating this definitely seems like a bad idea, but it depends on where you're putting the backup. I put mine into encrypted, offline storage and that's not something I want to keep connected all the time for a cron job. That, and you're dealing with more moving pieces (CLI with vulns like you mentioned) and automating access to your vault.

I disagree because life is more complicated than just your password manager, so you are not just adding a reminder to backup your vault, it's another thing you need to remember. That might work for you, and it's ok, for me it's a liability.
IMO a paper print-out of all passwords and backup codes is the most reliable backup. No bit-rot, no third party, and "degradation" is obvious - fire, flood, etc.

Theft is also usually obvious.

If self-hosting, keep at a separate location than your hard drives.

Is there anything stopping a commercial Vaultwarden host?
Competing with the authority bitwarden the company has over the bitwarden open source project. That's just the first thing off the top of my head. Very few people go to the competitor offering the exact same thing but with less say on the popular codebase.
That already somewhat exists.

Reimplementing the server side is the easy part.

But a commercial offer will need to rebrand the client, and maintaining forks is much more involved. As long as Bitwarden publishes the sources ...

> If you are (like me) somewhat paranoid about the fact that Vaultwarden hasn't got a proper security audit on its codebase [...]

It was audited in 2024: https://www.heise.de/en/news/Password-manager-BSI-reports-cr...

I'm running Vaultwarden because while on the one hand I'd like to just pay a company to make my password problem go away, I don't know who I can actually trust to not try to take advantage of the fact they have all the keys to all my kingdoms at some point. I see some people complaining about "Private Equity", with justification, and before that it was the "Harvard MBA" mindset, where businesses are encouraged to think of their customers as a resource to be stripmined rather than relationships to cultivate.

I don't like being considered a resource to be stripmined by any company, but some are worse than others by the nature of our relationship. I do not need a company greedily looking at my bank password, my Google password, my brokerage account password, and even having them be tempted to look at my set of passwords with them and start valuating which password they can "intermediate" and charge me more for using. I don't even want them pondering the question of how they can break exports ("oops, sorry, passkeys can't be exported because $SECURITY_BLATHER, guess you won't be migrating" - to be fair, while I think Bitwarden had that for a bit I believe it's no longer true, but AFAIK it is true of other things that will hold passkeys for you) so that they can extract the value of my passwords to me.

I don't trust Private Equity or the Harvard MBA mindset to be allowed to hold on to my passwords. I don't trust any company holding passwords to not eventually be acquired by PE/HMBA types looking to stripmine my passwords. I don't trust any company that is, once you trace the entire value chain down, basically taking out real debt with my passwords as collateral. They get the money, I get the risk. Hard pass.

So I'm not happy about self-hosting my password vault in some sense... but who else can I trust?

As long as you continue to use (and upgrade) the Bitwarden client apps, you should consider that BW could have the keys of your garden: they have control of the decryption and encryption code, so that code could leak the key, whatever the server.
Is this a market failure?

I'm trying to work out why it feels bad to trust a private company with this kind of information, whereas "we" are happy to trust AWS with our servers, Hashicorp with our Vaults, etc.

But these businesses seem to rely on some amount of scale for their trustworthiness. Password managers seem like a cottage industry in comparison, especially as lots of their users will just be "normies" and even ones on a free tier, because ~nobody thinks they should pay for a password manager?

> I don't trust Private Equity or the Harvard MBA mindset to be allowed to hold on to my passwords.

I agree, but you have credible exit. As annoying as it is, it seems quite feasible to continuously migrate to the next provider who is currently in their "don't be evil" phase.

Someone on lobste.rs suggested there should be a worker-owned co-op for password managers. This fits my personal bias, but I wonder if it would be any more resistant to this failure mode? Co-ops can be bought out also, and depend on strong leadership to prevent this.

Maybe a customer-owned co-op instead of a worker-owned one could make it more impractical to buy out. Or a foundation model like Signal, Wikipedia etc.

EDIT: I'm reminded of https://fleetdm.com/ business model, which is heavily open source yet paid. That seems like essentially what Bitwarden was? And presumably Fleet is not protected from the same outcome, no matter how inspiring their example is right now.

I am very happy self-hosting Vaultwarden. I got really tired of being a refugee of one password manager or the next. Either the price goes up, or the service goes away. I am looking at YOU - Dropbox.