Bitwarden - uthomelabs/guides GitHub Wiki

Overview

One of the most important good practices for passwords and account security is to use a password manager. There are a lot of options out there, some free, some paid, some in-between. Bitwarden is open source, has good free and self-hosted options, and is widely regarded as a solid choice. While Bitwarden offers hosted plans and paid features you can sign up for, this guide focuses on self-hosting it.

Why self-host?

Data breaches keep increasing, companies sell off user data, and many closed-source products give users no way to assess their security. We are often left having to simply trust whichever SaaS vendor we are paying. Whether the motivation is saving money or concern for the privacy and security of your data, hosting software yourself is an enticing alternative: you get peace of mind and fewer monthly bills. Keep in mind that it also moves the responsibility for patching, backups and Internet exposure onto you, and a password manager is a high-value target. Some people don't want to spend the time and effort that self-hosting takes, but many home labbers don't mind, and hopefully this guide helps.

Prerequisites

This guide walks you through getting a server up and running using Docker. If you don't have experience with Docker that's fine... we'll go through all the steps together. The basics you will need are:

  • A computer or server to run the server-side software on:
    • You could learn by just installing Docker on your computer and running it locally
    • Get a spare computer on your home network up and running with Docker
    • Get a cloud-hosted server/VPS: AWS, Google Cloud, Digital Ocean, Linode, etc.
  • The Docker software:
    • The Docker Desktop software for macOS/Windows
    • Linux-native Docker packages

Choosing a server implementation

There is an official Bitwarden server that can be self-hosted, and its documentation walks you through running it on a virtual machine, but it is fairly heavy, pulls in a lot of dependencies, and isn't simple to get running. A popular alternative is Vaultwarden, a community-maintained reimplementation of the Bitwarden server API written in Rust that works with the official Bitwarden clients and is much lighter and easier to set up. For this lab we'll go with Vaultwarden to keep things simple, but feel free to follow the documentation for the official server and see how it differs. The main advantage of the official implementation is that new features land there first; Vaultwarden has to catch up, and it does not implement every enterprise feature. Whichever you choose, keep it updated.

Running with Compose

Docker Compose is a useful and elegant way to describe the desired state of your containers and their configuration in a reproducible file, so you can easily tear down and recreate the setup at will. To keep this guide simple we'll use Compose, though there are many other legitimate ways to deploy containerized services. Begin by creating a directory for the project and pasting in this simple compose file:

mkdir lab-guides && cd lab-guides
mkdir vaultwarden
vim docker-compose.yml  # or another editor if you prefer :D

docker-compose.yml

services:
  vaultwarden:
    # :latest is fine for a first look; pin a release tag before relying on it
    image: "vaultwarden/server:latest"
    container_name: "vaultwarden"
    volumes:
      # persistent data (SQLite DB, attachments, keys); back this directory up
      - "${PWD}/vaultwarden/data:/data"
    ports:
      # host port 8080 -> container port 80 (plain HTTP, local use only)
      - "8080:80/tcp"
    restart: "unless-stopped"

Now let's go ahead and get it to pull the image and run a container instance:

$ docker compose up -d
[+] Running 7/7
 ⠿ vaultwarden Pulled                                                                                                               16.2s
   ⠿ bd159e379b3b Pull complete                                                                                                     10.6s
   ⠿ 6f0a1017d8d4 Pull complete                                                                                                     11.7s
   ⠿ 0da7d747c4e4 Pull complete                                                                                                     12.4s
   ⠿ 6522f1ce7398 Pull complete                                                                                                     13.2s
   ⠿ 7162c01102f2 Pull complete                                                                                                     13.3s
   ⠿ c49cdc7a6450 Pull complete                                                                                                     13.4s
[+] Running 2/2
 ⠿ Network lab-guides_default  Created                                                                                               0.2s
 ⠿ Container vaultwarden       Started                                                                                               2.4s

If all goes well you should be able to see that it is running happily:

$ docker compose ps
NAME                COMMAND             SERVICE             STATUS               PORTS
vaultwarden         "/start.sh"         vaultwarden         running (starting)   3012/tcp, 0.0.0.0:8080->80/tcp

Accessing the service

To see the server running, look at the ports mapping in docker-compose.yml or at the PORTS column of the docker compose ps output above. We told Docker to map port 80 inside the container to port 8080 on the host; the 3012/tcp entry is only exposed inside the container network, not on the host (older Vaultwarden releases used it for websocket notifications). Browse to http://localhost:8080 and you should see the Bitwarden web vault, where you can create an account and get things configured. Note that the web vault only works over plain HTTP when you reach it as localhost, because the browser crypto APIs it relies on require a secure context; from any other machine on your network you will need HTTPS, which the next section covers.

Further notes on doing this for real

So far we have focused on getting this running locally on your lab system or laptop. That's great for learning and playing around, but if you want to run it in your home lab for real there are a few things you should do differently:

  • Get/use a real domain name: it's always a good idea to use a real domain for your home lab. They are usually cheap (as low as $5-$10 per year through a registrar such as Cloudflare) and a real domain lets you obtain publicly trusted SSL/TLS certificates and, if you choose, expose some of your services to the Internet.
  • Set up a DNS record pointing a subdomain for the service (e.g. vaultwarden.mydomain.com) at wherever you are hosting it.
  • Put it behind a reverse proxy such as NGINX, Traefik, or Caddy that terminates TLS with a valid certificate (Let's Encrypt or another ACME provider is great for this), set Vaultwarden's DOMAIN variable to the resulting https:// URL, and stop publishing port 8080 directly on the host so the proxy is the only way in.
  • Once you have registered your own account, set SIGNUPS_ALLOWED=false so nobody else can create accounts on your server, and back up the data directory regularly.
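The following compose file puts the pieces above together: a hardened Vaultwarden service plus Traefik as the TLS-terminating reverse proxy, configured entirely through Compose labels. It is an added example written for this guide, not the wiki's original file or anything shipped by the Vaultwarden or Traefik projects. The hostname vaultwarden.mydomain.com is the one used earlier on this page; the contact e-mail, the image version tags and the VW_ADMIN_TOKEN variable name are assumptions you should replace with your own values.

```yaml
# docker-compose.yml  (added example, not the wiki's original file)
#
# Assumptions (replace with your own values):
#   - DNS for vaultwarden.mydomain.com points at this host, and ports 80/443 are
#     reachable from the Internet so the ACME TLS challenge can succeed
#   - VW_ADMIN_TOKEN is defined in a .env file next to this compose file; the
#     variable name is hypothetical and chosen for this example
#   - image tags are examples; check each project's releases for current versions
services:
  traefik:
    image: "traefik:v2.11"
    container_name: "traefik"
    command:
      - "--providers.docker=true"
      # only route to containers that opt in with traefik.enable=true
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      # redirect every plain-HTTP request to HTTPS
      - "--entrypoints.web.http.redirections.entrypoint.to=websecure"
      - "--entrypoints.web.http.redirections.entrypoint.scheme=https"
      # Let's Encrypt via the TLS-ALPN challenge on port 443
      - "--certificatesresolvers.le.acme.tlschallenge=true"
      - "--certificatesresolvers.le.acme.email=admin@mydomain.com"
      - "--certificatesresolvers.le.acme.storage=/letsencrypt/acme.json"
    ports:
      - "80:80/tcp"
      - "443:443/tcp"
    volumes:
      # read-only socket: Traefik discovers containers and their labels through it
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      # persist issued certificates across restarts; keep acme.json mode 600
      - "./traefik/letsencrypt:/letsencrypt"
    restart: "unless-stopped"

  vaultwarden:
    # pinned release instead of :latest so upgrades are deliberate (tag is an assumption)
    image: "vaultwarden/server:1.30.5"
    container_name: "vaultwarden"
    environment:
      # must match the public URL; used for e-mail links, attachments and WebAuthn
      DOMAIN: "https://vaultwarden.mydomain.com"
      # register your own account with this set to "true", then flip it to "false"
      # and run `docker compose up -d` again so strangers cannot create accounts
      SIGNUPS_ALLOWED: "false"
      # enables the /admin page; leave it unset to keep the admin page disabled
      ADMIN_TOKEN: "${VW_ADMIN_TOKEN}"
      # write a log file into the data volume for your own monitoring
      LOG_FILE: "/data/vaultwarden.log"
    volumes:
      # encrypted vault DB, attachments, RSA keys and logs live here: back it up
      - "./vaultwarden/data:/data"
    # no `ports:` block: only Traefik reaches port 80, over the compose network
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.vaultwarden.rule=Host(`vaultwarden.mydomain.com`)"
      - "traefik.http.routers.vaultwarden.entrypoints=websecure"
      - "traefik.http.routers.vaultwarden.tls.certresolver=le"
      - "traefik.http.services.vaultwarden.loadbalancer.server.port=80"
    restart: "unless-stopped"
```

Bring it up with docker compose up -d as before, then open https://vaultwarden.mydomain.com; the first request takes a few seconds while Traefik obtains the certificate. Vaultwarden releases from 1.29 onward serve websocket notifications on the regular HTTP port, so the single router above is enough and the separate 3012 port seen in the earlier docker compose ps output no longer needs routing. Rather than a plaintext admin token, the Vaultwarden binary's hash subcommand (run inside the container image) produces an Argon2 PHC string that can be used as the ADMIN_TOKEN value, which keeps the secret out of the container's environment.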