What is Vault Warden? Why should you use it? Most importantly, how does it help keep you safe online? Vault Warden is a password manager, password managers help you generate unique passwords and store them safely. Sadly, in today’s online environment fraught with data leaks and thefts, having the same four passwords for everything is no longer a practical way to keep your online accounts safe. (No matter how clever you think those variations of your dog’s name are, they are not secure). Password managers make it easy to have a unique password for every online account you have. So, if one of your accounts gets hacked, attackers can’t reuse that password and email combination to get into anything beyond that account.

A brief overview of what the vault warden platform can do. Secure password sharing between users, “Vault health reports” where it can check for leaked passwords and emails by running your emails through HIBP, check your reused passwords, check the strength of your passwords, and let you know what sites are not using SSL. They even offer 2FA support (But I don’t recommend using your password manager as a 2FA method. 2FA really should be on a second device.). Vault Warden is a fork of Bitwarden that is more tuned to hosing on a device like a Raspberry Pi, and it is not meant for enterprise use. If you want a non-cloud-based option, check out KeePass.

‍

What this Post covers

I’m going to go over a couple ways to do this. The first is the recommended way by the documentation, it's also the fastest way to get up and running. The second way will use docker to extract a pre-compiled binary from the docker image to use. If you really don’t want to touch docker, I also tell you how to do that, but you do need to use a script made by the Vault Warden people. If you really want to be a nerdnic and build the binary yourself, I’m not going to cover that here. The GitHub is well documented, so hop over there for that info.

If you don’t want to do any of this yourself, I do have a handy dandy script that installs Vault Warden for you on any Debian based platform. You can snag that here. Also if you want a more in depth overview of server setup you can read this post.

Docker Install

Make sure docker is installed on the machine that you want to host vault warden. You can check out my post about server setup for a more in depth overview on setting a computer up for hosting. Or keep going for just the Docker install. I just pulled this from the official documentation for Debian

for pkg in docker.io docker-doc docker-compose podman-docker containerd runc; do sudo apt-get remove $pkg; done

Setup dockers apt repository and add Docker's official GPG key:

sudo apt-get update
sudo apt-get install ca-certificates curl
sudo install -m 0755 -d /etc/apt/keyrings
sudo curl -fsSL https://download.docker.com/linux/debian/gpg -o /	etc/apt/keyrings/docker.asc
sudo chmod a+r /etc/apt/keyrings/docker.asc

Add the repository to your apt sources by copying what's below and running it:

echo \
  	"deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] 	https://download.docker.com/linux/debian \
  	$(. /etc/os-release && echo "$VERSION_CODENAME") stable" | \
  	sudo tee /etc/apt/sources.list.d/docker.list > /dev/null

Then run:

sudo apt-get update && sudo apt-get install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin -y

Make sure its installed with:

docker –version

You should get a response. Now you're ready to popup Vault Warden. Run:

docker pull vaultwarden/server:latest

docker run -d --name vaultwarden -v /vw-data/:/data/ --restart unless-stopped -p 8080:80 vaultwarden/server:latest

What this command does is makes a folder called /vw-data so you can access and backup your data in the container (good to do in case of a major server failure). It also changes the port that Vault Warden is serving the app at. If you want to run more than one thing on a server, you need to not use port80. So using 8080:80 means that inside the container Vault Warden is using port 80, but It's reachable via port 8080 on your machine. You can update your container by running:

docker stop vaultwarden
docker rm vaultwarden
docker pull vaultwarden/server:latest
docker run -d --name vaultwarden -v /vw-data/:/data/ --restart unless-	stopped 	-p 8080:80 vaultwarden/server:latest

Now you can move on to the nginx config section if you want to attach this to a domain.

Extracting a binary and using it

If you have docker installed you can use the “docker pull” command to pull a copy for your machine:

docker pull docker.io/vaultwarden/server:latest-alpine

docker create --name vw docker.io/vaultwarden/server:latest-alpine
docker cp vw:/vaultwarden .
docker cp vw:/web-vault .
docker rm vw

What the above commands do is extract the needed files into the directory you're in. You should make a data file with:

mkdir data

Next, you need to make an .env file for Vault Warden. I’m not going to cover the .env file in detail, but a couple of things to note. If you plan on making this available over the web, you need a domain to use, and you need to set the location of the web-vault folder you copied in the .env file. You also might want to consider disallowing registration after you make your account. Anyway, head to the .env template on GitHub and read over it carefully and change what you need. If you don’t know what to change after the domain and registration, the defaults should be fine for now.

nano .env

Hit ctl+shift+v to paste the .env template in there. Make your changes then hit ctl+s and ctl+x to save and exit. Now just to test lets run:

./vaultwarden

mkdir vw-image

cd vw-image
	
wget https://raw.githubusercontent.com/jjlin/docker-image-extract/main/docker-image-extract
chmod +x docker-image-extract
./docker-image-extract vaultwarden/server:latest-alpine

ls -a output

mkdir /path/to/newfolder

cp -r /path/to/output/data /path/to/newfolder/ 
cp -r /path/to/output/web-vault /path/to/newfolder/
cp /path/to/output/vaultwarden /path/to/newfolder/

sudo nano /etc/systemd/system/vaultwarden.service

[Unit]
Description=Vaultwarden (Bitwarden) password manager
After=network.target
[Service]
# Adjust these paths if necessary
ExecStart=/path/to/newfolder/vaultwarden
WorkingDirectory=/path/to/newfolder
Environment=ROCKET_ENV=production
# Uncomment and adjust the following lines if needed for your setup
# User=vaultwarden
# Group=vaultwarden
# Restart settings
Restart=always
RestartSec=5
# Logging
StandardOutput=syslog
StandardError=syslog
SyslogIdentifier=vaultwarden
[Install]
WantedBy=multi-user.target
ctl+s and ctl+x to save and exit. Then run: 
sudo systemctl daemon-reload
sudo systemctl enable vaultwarden.service
sudo systemctl start vaultwarden.service

sudo systemctl daemon-reload

sudo systemctl enable vaultwarden.service

sudo systemctl start vaultwarden.service

sudo systemctl status vaultwarden.service

sudo nano /etc/nginx/sites-available/vaultwarden 

server {
	server_name yourdomain.whatever;
	listen 80;
	location / {
		proxy_pass http://localhost:8000;  # Change to the appropriate port
		proxy_set_header Host $host;
		proxy_set_header X-Real-IP $remote_addr;
		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
		proxy_set_header X-Forwarded-Proto $scheme;
		}
}

sudo apt install argon2

echo -n "MySecretPassword" | argon2 "$(openssl rand -base64 32)" -e -id -k 65540 -t 3 -p 4

ADMIN_TOKEN=’$argon2id$v=19$m=65540,t=3,p=4$bXBGMENBZUVzT3VUSFErTzQzK25Jck1BN2Z0amFuWjdSdVlIQVZqYzAzYz0$T9m73OdD2mz9+aJKLuOAdbvoARdaKxtOZ+jZcSL9/N0’