Vaultwarden - Hades2323/DockerCore GitHub Wiki

Don't go in blind! Spend the time to learn the very basics of your own server administration. This will pay off ten-fold when it comes to customizing or troubleshooting your setup.

Guides can never cover 100% of everyone's specific setups. That is why they are merely guides, giving you a path to follow, but allowing for your own unique setup.

I stress this here because we are about to install a password manager. Yes, it is a GREAT way to improve your security on the internet. But, you should also understand that keeping all of this knowledge in one place means that, if not secured properly, you could leak your passwords to devastating effect.

WARNING: Your server must be behind a firewall. This is the bare minimum. You should have (among other things):

- Protection against physical theft (don't leave the server in your dorm hallway...)
- Disabled root password authentication over SSH, and only using (also secured!) SSH keys
- A banning system like fail2ban or [Crowdsec]
- Firewall enabled with only the necessary ports open to the internet (if any at all!)
- Strong backup system already in place following the 3-2-1 principle

DISCLAIMER:

will not be held responsible for a poorly configured server leading to a leakage of your passwords. You have been warned.

If you are new to self-hosting services, I highly recommend protecting your self-hosted password manager behind a [VPN] such as Tailscale or ZeroTier. Finally, since we all rely on passwords so heavily, consider the consequences if your server goes down and you are unable to reach your password manager for an extended period. Most browser extensions and mobile apps will keep a cache of your vault for a limited time. You should ask yourself whether you are willing to accept this risk, or have a mitigation plan in place!

```yaml
# in the main compose file, add the Vaultwarden compose file to the include list
  include:
  ...
    - compose/$HOSTNAME/vaultwarden.yml
  ...
```

Vaultwarden Setup

The setup is relatively straightforward from here, but I wanted to point out a few nice features and some common mistakes people can make.

Create a new account

Below the login, click the Create account link to make a new account. Fill in your info here.

Note: You don't need to use a real email address here. However, if you'd like to receive email notifications, reset your password, etc., it will need to be a real address.

Screenshot: creating a Vaultwarden account.

Creating an account is quick. Later, you can turn off the option for people to self-register in the admin page or with an ENV variable. Once created, log in with the new account, and you will be redirected to the Vaultwarden homepage.

Screenshot: Vaultwarden's vault homepage.

From the homepage, there are many options available to you, but here are a few of my top tips for getting the most out of your Vaultwarden instance.

Importing Passwords

If you already have your passwords stored somewhere (like in Chrome, Firefox, or even another password manager), they can easily be imported into Vaultwarden.

Begin by exporting the password database from its current location. This will depend on which software you are currently using but usually can be found with a quick web search.

This file is usually an unencrypted copy of your vault (anyone who has it can read the contents!). Be very careful where and how you store it. Personally, I recommend securely deleting it as soon as you are done importing it into Vaultwarden!

Once you have the file, head to your Vaultwarden dashboard and click on Tools at the top. Next, on the left side, you will see the Import data section.

Screenshot: importing is fast, and Vaultwarden supports many sources.

Next, select your import file type from the drop-down menu, select the file, and click Import data to add the passwords to your Vaultwarden vault.

Install Browser Extensions and Mobile Apps

As noted before, Vaultwarden is simply a "fork" of Bitwarden. It is written in a different programming language but is nearly 100% compatible with existing Bitwarden clients.

Head to the Bitwarden Clients download page, and download the client(s) for all of your devices. Once installed, there's one small step you'll need to follow to get them to work with our self-hosted Vaultwarden.

Screenshot: before trying to log in, notice the server selection.

In this example, I'm using Firefox, but the same applies to all clients. When you click on the extension (or open the mobile app), you'll be asked to log in. Notice, just underneath the email address, that you can click the small drop-down. Select Self-hosted.

Screenshot: be sure to put your vault's URL here.

The new screen that appears is where you'll enter the URL of your Vaultwarden instance. Click Save and you'll be taken back to the first screen, where you can now log in with the username and password you created earlier!

Improve your Auto-fill settings

There are several options in the Settings tab of the extensions and apps, but there's one important setting I'd like to draw your attention to. If you, like me, host most of your services behind subdomains, the default auto-fill settings will mean that when you visit one of your sites to login, you will see the login details of ALL of your sites.

This could be helpful, but I find that I prefer to only see the login details for the app I'm looking at. To change this behavior, head to the Settings tab, then click on Auto-fill under the Manage section.

Screenshot: auto-fill options. This setting changed my life...

Near the bottom is the Default URI match detection setting. Click the drop-down and select Host. This will match the host (music.example.com) instead of the base URL (*.example.com). For more, check out how Bitwarden clients do URI matching.
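To make the difference between the two match modes concrete, here is an added Python example (not part of this wiki and not Bitwarden's client code) that runs a constructed vault of four logins against a page URL under a "host" match and a simplified "base domain" match. The base-domain rule here just takes the last two labels of the hostname; that is an assumption that ignores the public suffix list the real clients use, so co.uk-style domains are not handled.

```python
from urllib.parse import urlsplit

# Constructed sample vault: three services on subdomains of example.com and one
# unrelated site. Names and URLs are made up for the demonstration.
VAULT = [
    {"name": "Music", "uri": "https://music.example.com/login"},
    {"name": "Photos", "uri": "https://photos.example.com"},
    {"name": "Vaultwarden", "uri": "https://vaultwarden.example.com/#/login"},
    {"name": "Bank", "uri": "https://bank.example.org"},
]


def host_of(uri):
    """Host of a URI, plus the port when one is written explicitly (the 'Host' match key)."""
    parts = urlsplit(uri if "://" in uri else "https://" + uri)
    host = (parts.hostname or "").lower()
    return f"{host}:{parts.port}" if parts.port else host


def base_domain_of(uri):
    """Simplified 'Base domain': the last two labels of the hostname.

    Assumption: no public suffix list, so hosts under e.g. co.uk are not handled
    the way the real clients handle them."""
    hostname = host_of(uri).split(":")[0]
    return ".".join(hostname.split(".")[-2:])


def matches(stored_uri, page_uri, mode):
    """Does a stored login URI match the page the user is on, under the given match mode?"""
    if mode == "host":
        return host_of(stored_uri) == host_of(page_uri)
    if mode == "base_domain":
        return base_domain_of(stored_uri) == base_domain_of(page_uri)
    raise ValueError(f"unknown match mode {mode!r}")


def entries_offered(vault, page_uri, mode):
    """Names of the vault entries the auto-fill menu would offer on page_uri."""
    return [entry["name"] for entry in vault if matches(entry["uri"], page_uri, mode)]


if __name__ == "__main__":
    page = "https://music.example.com/"
    print("base_domain:", entries_offered(VAULT, page, "base_domain"))
    print("host:       ", entries_offered(VAULT, page, "host"))
```

With the base-domain rule, visiting music.example.com offers every login under example.com, which is exactly the behaviour described above; with the host rule only the Music entry is offered, and a different port (music.example.com:8443) counts as a different host.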

There are also a few other interesting settings available under the Settings tab if you scroll to the bottom and click the Other section.

Create a shared vault

For those of you with families, significant others, etc. who'd like to share specific information/logins with others, Vaultwarden has you covered.

Screenshot: "Organizations" are the name for shared vaults.

From the home page, on the left side, click on + New Organization. You'll have to give it a name and an email address.

Screenshot: create the new organization for your shared vault.

After creation, you'll notice there's a new tab at the top of your homepage where you can directly access any shared vaults.

Shared Vault Tips

Inviting members is easily accomplished using the Members tab.

Screenshot: adding members to the shared vault.

Here we can customize who is part of the shared vault and how they can interact with it. But what's most interesting to me is actually the organization's policies. There are numerous policies available, like setting requirements on the password generator or the master password, and requiring 2FA.

Screenshot: setting shared policies.

For me, the most critical was the password generator requirements. This was a huge requirement of mine and a simple feature I'm happy exists in Vaultwarden.

Enable and Access Vaultwarden Admin Page

Vaultwarden's Admin page gives you full access to your Vaultwarden instance's settings in a nice GUI. It should be noted that everything that can be set on the Admin page can also be set with ENV variables. However, any changes you make via the Admin page override what you set in the ENV variables.

Generate the Access Code

To enable the admin page, you'll have to create an "authentication token". Older versions of Vaultwarden just let you use a long random string of letters and numbers. Newer versions let you store a much more secure version: an Argon2 "hash" of the token, so the actual access code is never written into your configuration.

We can use a tool built into the Vaultwarden container to create this "hash". The command is:

```shell
sudo docker exec -it vaultwarden /vaultwarden hash
```

Enter your desired password (twice); the tool will print a long string starting with ADMIN_TOKEN='$argon2...

Copy that long string: it is going to go into the vaultwarden_admin_token secret file.

Insert ADMIN_TOKEN into vaultwarden_admin_token file

Insert this string (only the part between the single quotes, without the ADMIN_TOKEN= prefix) into the vaultwarden_admin_token file in the secrets folder like the following:

```shell
echo 'your_vaultwarden_admin_token' | sudo tee /opt/docker/core/secrets/vaultwarden_admin_token
```

Keep the single quotes: the hash contains $ characters, and inside double quotes the shell would expand them as variables and silently corrupt the token.
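As an added example (not from this wiki or from Vaultwarden itself), the following Python checks that what actually landed in the secret file is an Argon2 hash in PHC format and that the file is readable only by its owner. GOOD_HASH is a constructed sample with a made-up salt and digest; MANGLED_HASH is what that same value becomes if it is passed through echo inside double quotes, where bash expands every $name to an empty string.

```python
import os
import stat
import tempfile

# Constructed sample of what `/vaultwarden hash` prints between the quotes.
# The salt and digest are made up; this is not a real secret.
GOOD_HASH = "$argon2id$v=19$m=65540,t=3,p=4$bXlzYWx0c2FsdHNhbHQ$c29tZWhhc2hvdXRwdXRoZXJl"

# The same value after `echo "$argon2id$v=19$m=..."` in bash: each $name is
# treated as a variable reference and expands to an empty string.
MANGLED_HASH = "=19=65540,t=3,p=4"


def parse_argon2_phc(value):
    """Parse a PHC-format Argon2 string ($argon2id$v=19$m=..,t=..,p=..$salt$digest).

    Returns a dict of the fields, or raises ValueError saying what is wrong."""
    s = value.strip()
    if not s.startswith("$argon2"):
        raise ValueError(
            "does not start with '$argon2'; the '$' characters were probably "
            "expanded by the shell, write the token inside single quotes"
        )
    parts = s.split("$")  # first element is '' because the string starts with '$'
    if len(parts) != 6:
        raise ValueError(f"expected 5 '$'-separated fields, found {len(parts) - 1}")
    _, variant, version, params, salt, digest = parts
    if variant not in ("argon2id", "argon2i", "argon2d"):
        raise ValueError(f"unknown variant {variant!r}")
    if not (version.startswith("v=") and version[2:].isdigit()):
        raise ValueError(f"bad version field {version!r}")
    costs = {}
    for item in params.split(","):
        key, _, num = item.partition("=")
        if key not in ("m", "t", "p") or not num.isdigit():
            raise ValueError(f"bad cost parameter {item!r}")
        costs[key] = int(num)
    if set(costs) != {"m", "t", "p"}:
        raise ValueError("cost parameters must be exactly m, t and p")
    if not salt or not digest:
        raise ValueError("empty salt or digest")
    return {"variant": variant, "version": int(version[2:]), **costs,
            "salt": salt, "digest": digest}


def write_secret(path, value):
    """Write the token to a secret file that only the owner can read."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as f:
        f.write(value)
    os.chmod(path, 0o600)  # tighten a pre-existing file that had looser permissions


def check_secret_file(path):
    """Return a list of problems found with the secret file (empty list means it looks fine)."""
    problems = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"mode {oct(mode)} lets group/others read the token; use chmod 600")
    with open(path, encoding="utf-8") as f:
        content = f.read()
    if content.lstrip().startswith("ADMIN_TOKEN="):
        problems.append("file holds the whole ADMIN_TOKEN=... line; store only the value between the quotes")
    else:
        try:
            parse_argon2_phc(content)
        except ValueError as err:
            problems.append(f"content is not a valid Argon2 hash: {err}")
    return problems


def demo():
    """Write a good and a shell-mangled token to temporary files and check both."""
    with tempfile.TemporaryDirectory() as tmp:
        good = os.path.join(tmp, "vaultwarden_admin_token")
        bad = os.path.join(tmp, "mangled_admin_token")
        write_secret(good, GOOD_HASH)
        write_secret(bad, MANGLED_HASH)
        return check_secret_file(good), check_secret_file(bad)


if __name__ == "__main__":
    good_problems, bad_problems = demo()
    print("good file:   ", good_problems or "OK")
    print("mangled file:", bad_problems)
```

Point check_secret_file at /opt/docker/core/secrets/vaultwarden_admin_token after writing it and an empty list means the token survived the shell intact and the file is not world-readable; the mangled sample fails the first test immediately because nothing is left of the $argon2id prefix.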

Recreate your container

Finally, we just need to recreate the container so that it picks up the new secret.

Access the Admin Page

You should now have access to your admin page at your vault URL with /admin: https://vaultwarden.example.com/admin.

Disable Admin Page

If you won't be needing the admin page, the safest option is to switch it off entirely. This is easily done by "commenting out" (putting a "#" sign in front of) the ADMIN_TOKEN line in your Vaultwarden Docker Compose section. You will need to recreate the container again, as discussed above.