Vaultwarden: A Self-Hostable Password Manager

Enki
2 Jan 2020
Vaultwarden



What is Vaultwarden? Why should you use it? Most importantly, how does it help keep you safe online? Vaultwarden is a password manager. Password managers generate a unique password for every account and store them encrypted, so the only thing you have to remember is one master password. In today's online environment of constant data leaks and thefts, having the same four passwords for everything is no longer a practical way to keep your accounts safe (no matter how clever you think those variations of your dog's name are, they are not secure). With a unique password per site, a breach of one account gives attackers nothing they can reuse: the leaked email and password combination will not open anything beyond that one account, which is exactly what credential-stuffing attacks count on.

A brief overview of what the Vaultwarden platform can do: secure password sharing between users through organizations, and "vault health reports" that check your passwords (and, with a Have I Been Pwned API key, your email addresses) against known breaches, flag reused and weak passwords, and list logins saved for sites that still use plain http:// instead of HTTPS. It supports two-factor authentication for logging in to the vault itself, and the Bitwarden clients can also store TOTP codes for your other accounts. (I don't recommend using your password manager as a 2FA method; if the vault is compromised, both factors go with it. 2FA really should be on a second device.) Vaultwarden is not a fork of Bitwarden's server but an independent implementation of the Bitwarden API, written in Rust and compatible with the official Bitwarden clients. It is light enough to run on a device like a Raspberry Pi and is not meant for large or enterprise deployments. If you would rather not run a server at all, check out KeePass, which keeps everything in a local encrypted file.


What this Post covers

I'm going to go over a couple of ways to do this. The first is the way the documentation recommends, and it is also the fastest way to get up and running. The second uses Docker only to extract the pre-compiled binary from the image, then runs that binary directly under systemd. If you really don't want to touch Docker at all, I also show how to do the extraction with a script written by one of the Vaultwarden maintainers. If you really want to be a nerd and build the binary yourself, I'm not going to cover that here; the GitHub wiki is well documented, so hop over there for that info.

If you don't want to do any of this yourself, I have a script that installs Vaultwarden for you on any Debian-based platform. You can snag that here. If you want a more in-depth overview of server setup, you can read this post.

Docker Install

Make sure Docker is installed on the machine that will host Vaultwarden. You can check out my post about server setup for a more in-depth overview of setting a computer up for hosting, or keep going for just the Docker install. The commands below are pulled from the official Docker documentation for Debian. First, remove any conflicting packages the distro may already have installed:

for pkg in docker.io docker-doc docker-compose podman-docker containerd runc; do sudo apt-get remove $pkg; done


Set up Docker's apt repository and add Docker's official GPG key. The signed-by= option in the next step pins the repository to this key, so apt will refuse packages that are not signed by Docker:

sudo apt-get update
sudo apt-get install ca-certificates curl
sudo install -m 0755 -d /etc/apt/keyrings
sudo curl -fsSL https://download.docker.com/linux/debian/gpg -o /etc/apt/keyrings/docker.asc
sudo chmod a+r /etc/apt/keyrings/docker.asc


Add the repository to your apt sources by copying what's below and running it:

echo \
  "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/debian \
  $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | \
  sudo tee /etc/apt/sources.list.d/docker.list > /dev/null


Then run:

sudo apt-get update && sudo apt-get install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin -y


Make sure it's installed with:

docker --version


You should get a version string back. Now you're ready to start Vaultwarden. Run:

docker pull vaultwarden/server:latest

docker run -d --name vaultwarden -v /vw-data/:/data/ --restart unless-stopped -p 8080:80 vaultwarden/server:latest


What this command does: -v /vw-data/:/data/ bind-mounts the host folder /vw-data (Docker creates it if it does not exist) onto /data inside the container, which is where Vaultwarden keeps its SQLite database, the RSA key that signs login tokens, attachments and config.json. Keeping that folder on the host is what makes backups possible, and it means a rebuilt container loses nothing (copy the folder off the machine regularly in case of a major server failure). -p 8080:80 changes the port the app is reachable on: inside the container Vaultwarden listens on port 80, but on your machine it is reachable on port 8080, which leaves port 80 free for nginx or anything else you run on the server. Two caveats. First, 8080:80 publishes the port on every interface, so anything on your network can reach the unencrypted HTTP listener; since nginx will sit in front of it, publish it on the loopback address only (127.0.0.1:8080:80 instead of 8080:80) so that only the proxy on this host can talk to it. Second, plain HTTP is for a quick test only: the web vault's cryptography only runs in a browser secure context, so from anywhere but localhost it needs the HTTPS that the nginx and Certbot section below provides. You can update your container by running:

docker stop vaultwarden
docker rm vaultwarden
docker pull vaultwarden/server:latest
docker run -d --name vaultwarden -v /vw-data/:/data/ --restart unless-stopped -p 8080:80 vaultwarden/server:latest
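
As an added example (my own script, not part of the original post or of the Vaultwarden project), here is a small shell script that takes a consistent backup of the bind-mounted data folder and then runs the update sequence above. It assumes the data folder is /vw-data, that backups go to /vw-backups, and that the sqlite3 command-line tool is installed; all three are my assumptions, not anything the page specifies. The container it recreates publishes the port on 127.0.0.1 only, as discussed above.

```shell
#!/bin/sh
# Added example, not from the original post or the Vaultwarden project.
# Back up the Vaultwarden data folder, then pull and recreate the container.
# Assumptions: data is in /vw-data, backups go to /vw-backups, sqlite3 is installed.
set -eu

VW_DATA="${VW_DATA:-/vw-data}"
VW_BACKUPS="${VW_BACKUPS:-/vw-backups}"

# Copy everything needed to restore a vault into a fresh, timestamped directory:
# the SQLite database (through sqlite3's online .backup, so a write in progress
# cannot leave the copy half-written), the RSA key pair that signs login tokens,
# config.json from the admin page, and the attachments and sends folders.
# Prints the path of the new backup directory.
backup_vw_data() {
    src="$1"
    dest="$2/vw-$(date +%Y%m%d-%H%M%S)"
    mkdir -p "$dest"
    chmod 700 "$dest"          # a backup is as sensitive as the live vault
    if [ -f "$src/db.sqlite3" ]; then
        sqlite3 "$src/db.sqlite3" ".backup '$dest/db.sqlite3'"
    fi
    for f in "$src"/rsa_key* "$src/config.json"; do
        if [ -f "$f" ]; then cp -p "$f" "$dest/"; fi
    done
    for d in attachments sends; do
        if [ -d "$src/$d" ]; then cp -Rp "$src/$d" "$dest/"; fi
    done
    printf '%s\n' "$dest"
}

# Pull the newest image and recreate the container with the same data folder.
# Publishing the port on 127.0.0.1 keeps the plain-HTTP listener off the
# network: only nginx on this host can reach it (see the nginx section).
update_vw_container() {
    docker pull vaultwarden/server:latest
    docker stop vaultwarden
    docker rm vaultwarden
    docker run -d --name vaultwarden \
        -v "$VW_DATA":/data/ \
        --restart unless-stopped \
        -p 127.0.0.1:8080:80 \
        vaultwarden/server:latest
}

# Usage: sh vw-update.sh update   (backup first, then update)
if [ "${1:-}" = "update" ]; then
    backup_vw_data "$VW_DATA" "$VW_BACKUPS"
    update_vw_container
fi
```

The .backup command is what makes this safe to run without stopping the container: copying db.sqlite3 with cp while Vaultwarden is writing can produce a file that will not open. Test a restore at least once by pointing a throwaway container at a copy of the backup directory.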


Now you can move on to the NGINX configuration section if you want to attach this to a domain and put HTTPS in front of it.

Extracting a binary and using it


If you have docker installed you can use the “docker pull” command to pull a copy for your machine:

docker pull docker.io/vaultwarden/server:latest-alpine

docker create --name vw docker.io/vaultwarden/server:latest-alpine
docker cp vw:/vaultwarden .
docker cp vw:/web-vault .
docker rm vw


What the above commands do is create a container from the image without starting it, copy the vaultwarden binary and the web-vault folder (the static files for the web interface) into the directory you're in, then delete the container. You should make a data directory with:

mkdir data


Next, you need to make a .env file for Vaultwarden. The binary reads a file named .env from the directory it is started in (or the path set in ENV_FILE), and each line in it sets one configuration variable. I'm not going to cover the .env file in detail, but a few things to note. If you plan on making this available over the web, you need a domain to use, and DOMAIN must be the full https:// URL that clients will use. Make sure WEB_VAULT_FOLDER points at the web-vault folder you copied; the default, web-vault/, is relative to the working directory, which is why the systemd unit later sets WorkingDirectory. Set ROCKET_ADDRESS=127.0.0.1 so the plain-HTTP listener can only be reached by the reverse proxy on the same machine. You also should disallow registration (SIGNUPS_ALLOWED=false) after you make your account, otherwise anyone who finds the URL can register. Anyway, head to the .env template on GitHub, read over it carefully and change what you need. If you don't know what to change after the domain and registration, the defaults should be fine for now.

nano .env


Hit Ctrl+Shift+V to paste the .env template in there. Make your changes, then hit Ctrl+S and Ctrl+X to save and exit. Now, just to test, run:

./vaultwarden


The app should start up and print the address it is listening on, normally 127.0.0.1:8000 unless you changed ROCKET_ADDRESS or ROCKET_PORT. Don't bother messing with it now unless you want to. Hit Ctrl+C to stop the app and get back to configuring. If you really don't want to install or use Docker at all, there is a way around it: one of the Vaultwarden maintainers wrote a script that downloads an image from the registry and unpacks its layers without needing a Docker daemon. Use it like this:

mkdir vw-image

cd vw-image
	
wget https://raw.githubusercontent.com/jjlin/docker-image-extract/main/docker-image-extract
chmod +x docker-image-extract
./docker-image-extract vaultwarden/server:latest-alpine


Running these one by one: make a folder, download the script, make it executable, then fetch and unpack the image. Since this is a third-party script fetched over the network and executed with your privileges, read through it before the chmod and run steps. Everything should end up in a folder called output. Double check with:

ls -a output


You only need the data and web-vault folders plus the vaultwarden binary, so to clean up, copy just those into a new folder (replace /path/to/... with your real paths):

mkdir /path/to/newfolder

cp -r /path/to/output/data /path/to/newfolder/ 
cp -r /path/to/output/web-vault /path/to/newfolder/
cp /path/to/output/vaultwarden /path/to/newfolder/


You can now leave the extraction folder and delete it. Create and edit the .env file in your new folder as described above.
Now we need to add Vaultwarden to systemd so it starts when the machine does, restarts if it crashes, and is easier to manage.

sudo nano /etc/systemd/system/vaultwarden.service


Copy and paste:

[Unit]
Description=Vaultwarden (Bitwarden) password manager
After=network.target

[Service]
# Adjust these paths if necessary. WorkingDirectory matters: the binary
# reads .env and the relative data/ and web-vault/ paths from there.
ExecStart=/path/to/newfolder/vaultwarden
WorkingDirectory=/path/to/newfolder
Environment=ROCKET_ENV=production
# Strongly recommended: create a dedicated unprivileged account (useradd),
# give it ownership of the data folder, and uncomment these two lines.
# Without them the service runs as root.
# User=vaultwarden
# Group=vaultwarden
# Sandboxing: nothing outside the data folder needs to be writable
NoNewPrivileges=true
PrivateTmp=true
ProtectSystem=strict
ReadWritePaths=/path/to/newfolder/data
# Restart settings
Restart=always
RestartSec=5
# Logging goes to the journal; read it with journalctl -u vaultwarden
StandardOutput=journal
StandardError=journal
SyslogIdentifier=vaultwarden

[Install]
WantedBy=multi-user.target

Ctrl+S and Ctrl+X to save and exit. Then run:

sudo systemctl daemon-reload

sudo systemctl enable vaultwarden.service

sudo systemctl start vaultwarden.service


If there are no errors, double check that it's up and running with:

sudo systemctl status vaultwarden.service


You should be good to go now. If status shows the service failing and restarting, journalctl -u vaultwarden shows why; the usual causes are a wrong path in ExecStart or WorkingDirectory, a missing .env, or a data folder the service user cannot write to.
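
As an added example (mine, not from the post or from the Vaultwarden project), here is a shell script that does the ownership and permission work the unit file above leaves to you: it creates the unprivileged service account and makes sure only that account can read the data folder and the .env, while the binary and web-vault stay root-owned and read-only to the service. The install directory /opt/vaultwarden and the account name vaultwarden are my assumptions, standing in for the page's /path/to/newfolder; the user-and-group naming assumes useradd creates a matching group, as it does on Debian.

```shell
#!/bin/sh
# Added example, not from the original post or the Vaultwarden project.
# Least-privilege layout for the extracted-binary install:
#   vaultwarden, web-vault/  root-owned, world-readable, never writable by the service
#   data/                    owned by the service user, mode 700 (DB, RSA key, attachments)
#   .env                     root:vaultwarden, mode 640 (admin token hash, SMTP secrets)
# Assumptions: install dir /opt/vaultwarden, service account "vaultwarden".
set -eu

VW_HOME="${VW_HOME:-/opt/vaultwarden}"
VW_USER="${VW_USER:-vaultwarden}"

# Create a locked system account with no home directory and no login shell.
# Needs root; does nothing if the account already exists.
create_vw_user() {
    id "$VW_USER" >/dev/null 2>&1 ||
        useradd --system --no-create-home --shell /usr/sbin/nologin "$VW_USER"
}

# Permission bits only (no root needed), so they can be checked
# independently of ownership.
set_vw_permissions() {
    dir="$1"
    chmod 750 "$dir"                       # nothing else on the box needs to browse it
    chmod 755 "$dir/vaultwarden"
    chmod -R go-w "$dir/web-vault"         # static web files: readable, never writable
    chmod 700 "$dir/data"
    if [ -f "$dir/.env" ]; then
        chmod 640 "$dir/.env"              # owner (root) writes, group (service) reads
    fi
}

# Hand ownership out: root keeps the code, the service owns only its data.
set_vw_ownership() {
    dir="$1"; user="$2"
    chown -R root:root "$dir"
    chown -R "$user:$user" "$dir/data"
    if [ -f "$dir/.env" ]; then
        chown "root:$user" "$dir/.env"
    fi
    chgrp "$user" "$dir"                   # lets the service enter its own directory (mode 750)
}

# Usage (as root): sh vw-perms.sh apply
if [ "${1:-}" = "apply" ]; then
    create_vw_user
    set_vw_permissions "$VW_HOME"
    set_vw_ownership "$VW_HOME" "$VW_USER"
fi
```

After running it, uncomment User= and Group= in the unit, run systemctl daemon-reload, and restart the service. If it then fails to start, the journal will point at whichever file the service user cannot reach.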

NGINX Configuration


Install nginx and Certbot (with its nginx plugin) if you have not already. Make a new site file with:

sudo nano /etc/nginx/sites-available/vaultwarden 


Copy and paste:

server {
	server_name yourdomain.whatever;
	listen 80;

	# Attachments and Sends can be large; nginx's default 1M body limit breaks uploads
	client_max_body_size 525M;

	location / {
		# 8000 is the bare binary's default port; use 8080 if you used the docker run command above
		proxy_pass http://127.0.0.1:8000;
		# Needed for the websocket notifications that keep clients in sync
		proxy_http_version 1.1;
		proxy_set_header Upgrade $http_upgrade;
		proxy_set_header Connection "upgrade";
		proxy_set_header Host $host;
		proxy_set_header X-Real-IP $remote_addr;
		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
		proxy_set_header X-Forwarded-Proto $scheme;
	}
}


Make sure you have a DNS A record for the domain or subdomain you want to use pointed at your server's public IP (ip addr shows the addresses on the box itself, but for a server behind NAT or at a cloud provider the public IP is the one your provider's dashboard shows). If you have a domain but don't know what I'm talking about, editing DNS is unfortunately different for every registrar and web host, so search how to do it on yours. Next, enable the site by symlinking the file into /etc/nginx/sites-enabled, check the syntax with nginx -t and reload nginx. After this is done, run Certbot with its nginx plugin (certbot --nginx -d yourdomain.whatever) and follow the steps; it obtains the certificate, adds a listen 443 ssl block to the file above and offers to redirect port 80 to HTTPS. You can now visit your new domain and your Vaultwarden instance. Vaultwarden itself never sees the certificate: TLS terminates at nginx, which forwards plain HTTP to the local listener, and the X-Real-IP header is how Vaultwarden learns the real client address for its logs and the admin diagnostics page.

Enable the Admin Page

This is an optional step. The admin page is useful for managing server users, but if you are the only user you might consider skipping it, since everything it exposes can also be changed by editing the .env file and restarting Vaultwarden. Leaving it disabled (no ADMIN_TOKEN set) also keeps one more login-protected page off your attack surface. But if you do want it, keep reading.

You need to set an authentication token. In its simplest form ADMIN_TOKEN is just a long random string that you paste into the admin login page, which means anyone who can read your .env has it. The method below instead stores an Argon2id hash of a password you choose, so the .env only holds the hash and you log in to the admin page with the password. (It still needs to be a decent password; this is the login to your backend.) openssl supplies a random salt, and the options after -e select the hash type (-id for Argon2id), the memory cost in KiB (-k), the number of iterations (-t) and the parallelism (-p). Run:

sudo apt install argon2

echo -n "MySecretPassword" | argon2 "$(openssl rand -base64 32)" -e -id -k 65540 -t 3 -p 4


Copy the output and paste it into the .env as the value of ADMIN_TOKEN, wrapped in straight single quotes so the $ signs in the hash are kept literal. It should look something like:

ADMIN_TOKEN='$argon2id$v=19$m=65540,t=3,p=4$bXBGMENBZUVzT3VUSFErTzQzK25Jck1BN2Z0amFuWjdSdVlIQVZqYzAzYz0$T9m73OdD2mz9+aJKLuOAdbvoARdaKxtOZ+jZcSL9/N0'


Restart Vaultwarden and the admin page is at /admin on your domain. The first time you save a setting there, config.json will be generated in your data folder. Values in this file take precedence over the corresponding environment variable, so a setting you later change in .env will silently keep the value config.json has until you change it in the admin page or delete the file.
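
As an added example covering both the .env step earlier and the admin token above (my own script, not part of the original post or of the Vaultwarden project), here is a shell script with two functions: write_vw_env writes the handful of settings this post says are worth changing from the template defaults, and audit_vw_env checks an existing .env for the mistakes discussed: an http:// DOMAIN, open signups, a listener on all interfaces, a plaintext or badly quoted ADMIN_TOKEN, and a file other users can read. The example domain, paths and the hash values used in testing are placeholders I made up.

```shell
#!/bin/sh
# Added example, not from the original post or the Vaultwarden project.
# write_vw_env: a minimal .env for an instance behind a local reverse proxy.
# audit_vw_env: checks an existing .env for the mistakes this post warns about.
# Assumptions: paths and the example domain are placeholders of mine.
set -eu

# $1 path, $2 public https:// URL, $3 optional ADMIN_TOKEN as printed by "argon2 ... -e"
write_vw_env() {
    file="$1"; domain="$2"; token="${3:-}"
    # Subshell so the restrictive umask (file mode 600) does not leak to the caller.
    (
        umask 077
        {
            printf 'DOMAIN=%s\n' "$domain"          # the https:// URL clients will use
            printf 'WEB_VAULT_FOLDER=web-vault/\n'  # relative to WorkingDirectory
            printf 'DATA_FOLDER=data/\n'
            printf 'ROCKET_ADDRESS=127.0.0.1\n'     # only the proxy on this host may connect
            printf 'ROCKET_PORT=8000\n'
            printf 'SIGNUPS_ALLOWED=false\n'        # flip to true just long enough to register yourself
            if [ -n "$token" ]; then
                # Straight single quotes: the hash is full of $ signs that must stay literal.
                printf "ADMIN_TOKEN='%s'\n" "$token"
            fi
        } > "$file"
    )
}

# Prints one FAIL line per finding and returns 1 if there were any.
audit_vw_env() {
    file="$1"; rc=0
    report() { printf 'FAIL: %s\n' "$1"; rc=1; }
    case "$(stat -c %a "$file")" in
        400|600|640) ;;
        *) report "$file is readable by other users; chmod 600 it" ;;
    esac
    grep -q '^DOMAIN=https://' "$file" ||
        report "DOMAIN must be the https:// URL (WebAuthn and emailed links depend on it)"
    grep -q '^SIGNUPS_ALLOWED=false' "$file" ||
        report "SIGNUPS_ALLOWED is not false: anyone who finds the URL can create an account"
    if grep -q '^ROCKET_ADDRESS=0\.0\.0\.0' "$file"; then
        report "ROCKET_ADDRESS=0.0.0.0 exposes the plain-HTTP listener beyond the proxy"
    fi
    if grep -q '^ADMIN_TOKEN=' "$file"; then
        # Expect ADMIN_TOKEN='$argon2id$v=19$m=...': a single-quoted Argon2id PHC string.
        grep -Fq "ADMIN_TOKEN='\$argon2id\$v=19\$m=" "$file" ||
            report "ADMIN_TOKEN is not a single-quoted \$argon2id\$ hash (plaintext, unquoted, or curly quotes)"
    fi
    return $rc
}

# Usage: sh vw-env.sh audit /path/to/newfolder/.env
if [ "${1:-}" = "audit" ]; then
    audit_vw_env "$2"
fi
```

Run the audit again after every edit of the .env, and remember that a value saved from the admin page lives in config.json and wins over the .env, so a clean audit does not prove the running configuration is clean.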

After setup notes


Whether or not you set up the admin page, I would review your .env file one more time. You might want to add an SMTP server (the SMTP_* settings) so users can verify their emails and so invitations and email-based 2FA work. Check that the 2FA settings are the way you want them, and turn on a second factor for your own vault login. Consider paying for an API key from Have I Been Pwned (HIBP_API_KEY) so the breach report can check your email addresses against existing breaches; the exposed-passwords check works without a key.

Conclusion


Thanks for reading. I hope it helps. I tried to cover the main ways to install Vaultwarden and how to manage your instance. If I missed anything or if something is not working, yell at me on nostr.
