Become Sovran

Bitwarden: Self Hosted Password Manager

May 02, 2022

What is Bitwarden? How does it work? Most importantly how does it help keep your data safe online? Bitwarden is a password manager, password managers help you generate unique passwords and store them safely. Sadly, in today’s online environment fraught with data leaks and thefts having the same four passwords for everything is no longer a practical way to keep your online accounts safe. (No matter how clever you think those variations of your dog’s name are, they are not secure). Password managers make it easy to have a unique password for every online account you have. So, if one of your accounts gets hacked attackers can’t reuse that password and email combination to get into anything beyond that account.

 A brief overview of what the Bitwarden platform can do. Secure password sharing between users, “Vault health reports” where it can check for leaked passwords and emails by running your emails through HIBP, check your reused passwords, check the strength of your passwords, and let you know what sites are not using SSL. They even offer 2FA support (But I don’t recommend using your password manager as a 2FA method. 2FA really should be on a second device.). Best of all it can be self-hosted! You don’t have to rely on Bitwarden servers to store your data. I will point out that while it is self-host-able they still ask for $10 a year for access to some premium features like password sharing, all those health reports and an emergency access feature so your loved ones can get into your account. They also have a $3.33 a month “family plan” for up to 6 users. A meager price compared to competitors. If you want a truly free and non-cloud-based option, check out Keepass.

 Bitwarden uses a client / server model. You host a server and the cross-platform clients they offer can connect back to that server. There are phone, desktop, and browser apps. Your passwords are stored on your server with salted hashing and accessed in an end-to-end encrypted fashion. They are also regularly audited by third party. One last feature I like is you can export all your data into a few different formats making it useable in different platforms in case you don’t like Bitwarden and as a backup method in case your server breaks or you somehow lose access to your server. One last note for installation, by default Bitwarden requires a URL to work properly. There are some tweaks for more advanced users to not need this and I wont be covering in this. Check the official install documentation for more on this.(most of this guide is pulled from there anyways.)


Install


This guide is for Linux installation but if need be Bitwarden server can be installed on Windows. Bitwarden does not use a lot of resources minimum requirements are x64 | 1.4GHz, 2GB RAM, and 10GB storage as well as engine 19 or greater and compose 1.24 or greater. It is recommended though to have at least a 2GHz dual core processor, 4GB of RAM, and 25GB of storage. For reference I ran Bitwarden on a Digital Ocean VPS for $10 a month with zero issues. Also runs on a Raspberry pi 4 just fine.

This will be using Ubuntu 20.04. Also, this guide will assume you have some firewall, DNS, and command line knowledge but I’ll make this as clear, and copy paste-able as I can.

Before Install

Something you need from Bitwarden

Before installing Bitwarden, you will need to generate the Bitwarden installation ID and Key. You can generate them from the Bitwarden website: Here

Save the ID and key for later you’ll need it during install.


DNS


DNS or The Domain Name System is a core part of how the internet as we know it works. If you’re interested in networking and plan on doing a lot of self-hosting it will save a lot of headaches if you at least have some basic understanding of DNS. For an in-depth overview read this. The post basically says “Think of DNS like a phone book” It’s what allows you to type duckduckgo.com instead of “ 52.250.42.157” every time you need to search the internet. It translates something easy for humans to remember into the information needed by computers to actually reach “duckduckgo.com”.

If you’re using a combo of a VPS and a Webhost its fairly simple to set up. Assuming you own a domain, login to your webhost and make a subdomain to use with Bitwarden (bitwarden.example.org) Then make sure you have an A record for that subdomain pointed at the IP address of the VPS hosting Bitwarden. After installing you will be able to access your instance at that URL.

Hosting from home presents some challenges. One prominent one is (and a valid question that I hear often) not having a static IP address. In the early days of the internet it was easy to get a static IP address due to the lack of devices online. Now with the number of devices online needing IP addresses we do a lot of juggling, and most IP addresses are assigned dynamically. This is called Dynamic DNS or DDNS. This allows automatic refreshing of DNS servers every time an IP address changes. This is something I’m still working on for my own home set up but in the past, I have used free services like dynv6 to get a free domain for a service I had on a PI. In writing this guide I realized that proper DNS is important for self hosting and plan on tackling DNS from a home hosting perspective next. Feel free to explore this list of DDNS hosts. I have not used all of these so be careful what you chose. Also please note there are a LOT of risks when it comes to exposing your home network to the internet so, please read up on the pros and cons of this and decide what works best you.


Basic Device Security


If you are on a VPS like Digital Ocean they take care of most of this for you and you can more than likely skip this and move on to installing docker. But double checking is good.


SSH

So you’ll need a way to access your device remotely. You can do it by a password and a username but that is not as secure. You want to use SHH (Secure Shell) and make sure that SSH is the only way to log in. To do that you’ll need an SSH key. If your on a VPS sometimes they offer to make or import one. If you want to generate your own you will need a program like putty if your on windows or you can use: 

ssh-keygen

in windows command prompt.

Or on Linux with:

ssh-keygen -t rsa

Follow the instructions it should ask you where you want to save the file and if you want a password or not. It is strongly advised you use a password. Upload this to your VPS if your using one.

If you need to in install your public key manually you can do it like so:

ssh-copy-id -i ~/.ssh/id_rsa.pub YOUR_USER_NAME@IP_ADDRESS_OF_THE_SERVER

keep in mind user@remote-server-ip is the username and the remote device you are trying to copy your public key into. When you get prompted for a password it will be the password for the account on the remote device NOT the password you just made for the SSH key. Once verified it will copy over the public key and you can now log in Via SSH. To turn off username and password log in type in:

sudo nano /etc/ssh/sshd_config

Find these values and set them as you see them here.

PasswordAuthentication no 

ChallengeResponseAuthentication no 

UsePAM no 

PermitRootLogin no 

This disallows every login method besides SSH under the user you copied your public key to. Hit CTL+S to save and CTL+x to get out of the file editor. Restart SSH

sudo service ssh restart

This might boot you out of the session. If it does this is a good time to test the other login methods to see if they are declined before continuing. Also it should go without saying but you need to keep the private key safe and if you lose it you will not be able to get in remotely anymore.


Basic Firewall

UFW (uncomplicated firewall) is a great easy to use firewall. If your on a VPS like digital ocean its comes preinstalled if your not in your command line enter:

sudo apt install ufw

You can enable IPv6 in “/etc/default/ufw” by setting “IPv6 = yes” this is optional.

Enable some default policies

sudo ufw default deny incoming

sudo ufw default allow outgoing

This stops incomming connections and allows outgoing connections but this is a server and needs to respond to incoming requests so lets open some ports

sudo ufw allow ssh

This will make sure you can still log in via SSH. You also need to open port 80 and 443 with

sudo ufw allow 80, 443

Enable UFW

sudo ufw enable

Check the status with

sudo ufw status verbose


Fail2ban

fail2ban is a helps stop brute force attempts into your server its simple and does not require configuration.

sudo apt-get install fail2ban

should be all you need to do.


Install Docker

Update your system:

sudo apt update

Install dependencys:

apt-get install apt-transport-https ca-certificates curl gnupg-agent software-properties-common -y

Add the GPG Key:

curl -fsSL https://download.docker.com/linux/ubuntu/gpg | apt-key add -

Add the docker repoitroy:

add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable"

once thats added you can install Docker and Compose with:

apt-get install docker-ce docker-ce-cli containerd.io docker-compose -y

Check the installed version with:

docker --version

and

docker-compose --version


Install Bitwarden

It is recommended to set up your server with a dedicated Bitwarden service account, from which to install and run Bitwarden. Doing so will isolate your Bitwarden instance from other applications running on your server.


Make the user:

sudo adduser bitwarden

Set the password:

sudo passwd bitwarden

Make the docker group:

sudo groupadd docker

Add the Bitwarden user to the docker group:

sudo usermod -aG docker bitwarden

Make the directory:

sudo mkdir /opt/bitwarden

Set permissions for the /opt/bitwarden directory:

sudo chmod -R 700 /opt/bitwarden

Set the bitwarden user ownership of the /opt/bitwarden directory:

sudo chown -R bitwarden:bitwarden /opt/bitwarden

Now you can download the Bitwarden installation script:

curl -Lso bitwarden.sh https://go.btwrdn.co/bw-sh && chmod 700 bitwarden.sh

and run it:

./bitwarden.sh install

Complete the prompts in the installer

  • Enter the domain name for your Bitwarden instance: Typically, this value should be the configured DNS record.
  • Do you want to use Let’s Encrypt to generate a free SSL certificate? (y/n): Specify y to generate a trusted SSL certificate using Let’s Encrypt. You will be prompted to enter an email address for expiration reminders from Let’s Encrypt.
  • Enter your installation id
  • Enter your installation key
  • Do you have a SSL certificate to use? (y/n) : f you already have your own SSL certificate, specify y and place the necessary files in the ./bwdata/ssl/your.domain directory. You will be asked whether it is a trusted SSL certificate (y/n). Alternatively, specify n and use the self-signed SSL certificate? option, which is only recommended for testing purposes.
  • Do you want to generate a self-signed SSL certificate? (y/n) : Specify y to have Bitwarden generate a self-signed certificate for you. This option is only recommended for testing. If you specify n, your instance will not use an SSL certificate and you will be required to front your installation with a HTTPS proxy, or else Bitwarden applications will not function properly.


Post Install Configuration

Environment Variables (Required)

Some features of Bitwarden are not configured by the bitwarden.sh script. Configure these settings by editing the environment file, located at ./bwdata/env/global.override.env. At a minimum, you should replace the values for:

globalSettings__mail__smtp__host= 

globalSettings__mail__smtp__port= 

globalSettings__mail__smtp__ssl= 

globalSettings__mail__smtp__username= 

globalSettings__mail__smtp__password=

adminSettings__admins= …

Replacing globalSettings__mail__smtp…=

placeholders will configure the SMTP Mail Server that will be used to send verification emails to new users and invitations to Organizations. Adding an email address to adminSettings__admins= will provision access to the Admin Portal. Fun fact that email does not have to be one registered with your instance.

After editing global.override.env, run the following command to apply your changes:

./bitwarden.sh restart


Installation File

The Bitwarden installation script uses settings in ./bwdata/config.yml to generate the necessary assets for installation. Some installation scenarios (e.g. installations behind a proxy with alternate ports) may require adjustments to config.yml that were not provided during standard installation.

Edit config.yml as necessary and apply your changes by running:

./bitwarden.sh rebuild

The first time you start Bitwarden it may take some time as it downloads all of the images from Docker Hub.

Verify that all containers are running correctly:

docker ps

Woot! Bitwarden is now up and running at https://your.domain.com. Visit the web vault in your web browser to confirm that it’s working. You may now register a new account and log in. You will need to have configured SMTP environment variables in order to verify the email for your new account. Now that you have Bitwarden installed you can install the phone, desktop and Web apps for access to your passwords on all your devices.


Maintenance and some last post set up notes

Remember to every now and then to update your instance. To do this SSH into your instance and run :

./bitwarden.sh update

Also because this is self hosting and things go wrong, you will want to take semi regular backups of your data. ./bwdata on your instance is the folder you want to back up if you can. Inside that folder there is :

./bwdata/env – This is your Instance’s environment variables, including database and certificate passwords.

./bwdata/core/attachments – Instance’s Vault item attachments.

./bwdata/mssql/data – Instance’s database data.

Bitwarden automatically takes nightly backups of the mssql database container, when running. This helps in restoring a broken instance.

But an instance can always be rebuilt, what cant be replaced is the vault contents Bitwarden allows you to import and export vaults I try and back this up monthly or so. (Depends on the amount of accounts I’m making) if you do not backup the bwdata folder at the very least take a backup of this. It can be encrypted on export or not.


Sharing your instance

If you want to let people use your instance or close it off is up to you. Here’s how you toggle this.

cd /opt/bitwarden nano bwdata/env/global.override.env

Find the “globalSettings__disableUserRegistration=” setting and toggle it true or false depending on your preference. Restart Bitwarden.

./bitwarden.sh restart


Conclusion

Thanks for reading. I hope it helps. I tried to cover most of the functions of Bitwarden and how to mange you instance. If I missed anything or if something is not working yell at me on Twitter or Matrix.