Bitwarden Server: help wanted 1. The Bitwarden Server project contains the APIs, database, and other core infrastructure items needed for the 'backend' of all bitwarden client applications. The server project is written in C# using.NET Core with ASP.NET Core. The database is written in T-SQL/SQL Server. When discussing online privacy and VPNs, the topic of WebRTC leaks and vulnerabilities frequently comes up. While the WebRTC issue is often discussed with VPN services, this is, in fact, a vulnerability with web browsers. OSX: /Library/Application Support/Google/Chrome; Linux: /.config/google-chrome/ Rename the “Default” folder to “Default old“. Open Google Chrome again. If you sync your data with Chrome Sync, attempt to login again (if you’re not logged in already). Hopefully, all of your Chrome data and settings are now restored. Bitwarden has first party support everywhere I need it. Pass has clients everywhere, but other than the CLI I have not been impressed. Its on an OSX keyboard so. Pick a strong password for your master password. I use the Bitwarden passphrase generator with three words, a numeral, and punctuation, which yields over 40 bits of entropy. Set up 2FA for both your new secure email and the Bitwarden account. Secure your master password and 2FA recovery data externally.

Install Docker

Add user(s) to the docker group. The default user would be pi. However, I highly recommend deactivating the default user.

Reboot and then test docker

Install more dependencies

Fight With SSL

This is the most annoying part of the story. You can either choose to use letsencrypt or a self-signed openssl-cert. Letsencrypt will only work, if your service will be exposed publicly. Also, letsencrypt is fairly easy to setup, so I will focus on a self-signed openssl-solution.

First, we’ll need a “virtual” certificate authority (CA) that will actually sign our certificate later. If you already have a CA, you can skip this. The first command creates a private key, the second command creates the root certificate of our CA.

Now, we’ll need to create a “client” key and a certificate signing request, which will then be “sent” to our CA.

For the actual signing, we’ll also need an extension file. I ran into problems with OSX and iOS without adding the used extensions during signing. Neither OSX, iOS nor Google Chrome accepted the certificate without those extensions. Create a file openssl.cnf

Replace <hostname> and <ip> with your actual values.

Finally, the actual signing:

The certificate you’ll need to deploy on your devices is the root certificate. Yes, this will also work on iOS.

Install/Configure Bitwarden

We’ll use the bitwarden_rs docker container. It uses sqlite instead of MSSQL, which is not available for ARM.

If docker successfully downloaded the image, you can run it as follows. I simply created a small bash script.

The ROCKET_TLS argument tells bitwarden, where it can find its key and certificate. The values describe paths within the docker container. For these paths to work, we’ll need to supply a volume mapping (-v). The additional volume mapping bw-data is a volume for bitwarden to store its actual sqlite “database” in. Internally, bitwarden will bind to port 80. Since we know/hope it’ll run SSL, we can map internal port 80 to 443.

If everything works, you can reach your bitwarden vaults on https://<hostname>

You’ll most likely run into SSL problems. Good luck.

Bitwarden Extension

Backup

Read this article.

Debugging/FAQ

Bitwarden Extension Edge

Show running docker containers

Logs and events

Run command within a docker container

Netstat (works w/o actual netstat binary in container. Cool, eh!?)

A word on IPv6. Initially, when bitwarden didn’t work during my first attempts, I was confused by the output of netstat. It showed, that the destination socket for https was only bound to tcp6. This shouldn’t be a problem, though, because bitwarden also sets up a couple of iptables rules (# iptables -L). However, if you think it might be a problem on your machine, try the following things in your /etc/sysctl.conf

At one point, I even completely disabled IPv6 via the kernel command line. However, that introduced even more problems.

Introduction

Over the past few months, I’ve been working to transition to as many self-hosted applications as I can. Self-hosting applications is a secure way to control your data on your terms as well as to get it moved off of the public cloud.

When the opportunity presented itself to install Bitwarden I decided it was time to give it a try and write up a Bitwarden review.

What is Bitwarden

Bitwarden is a FOSS (free and open-source) password manager that you can download and self-host. The self-hosted option supports multiple users, organizational password sharing, synchronization between the server and mobile and desktop applications, two-factor authentication as well as any other feature that the average user may need.

Installation of Bitwarden on Docker

Most of my self-hosted applications run in Docker on a cluster of Raspberry Pi 4’s. If you need to install Docker on your Raspberry Pi you can view the steps to install it here. After some research, I found a Docker image that was compatible with the arm7hf architecture for the Raspberry Pi. The image you need to pull from the Docker Hub bitwardenrs/server:raspberry. This container includes an SQLite database that works well for installations that support a small number of users.

The docker run code you can run in your terminal is below:

If you want more details about running Bitwarden in Docker on a Raspberry Pi, you can check out this post.

Bitwarden Web Vault

Once you have the Docker container up and running, you can visit to the Bitwarden web vault. From here you are able to create your first account. After you create your account and log in you will be presented with the vault screen.

From here you can add your passwords, identities, credit cards, and notes. The web vault interface is very clean, modern, and easy to use. In can organize your items into folders and add them to a shared organization so you can share those passwords with other users.

When you add an item, you are able to add your typical username and password. URL’s can also be included so Bitwarden browser extensions can recognize and auto-fill the login fields. Bitwarden also can act as a second-factor authenticator app for websites that support it, all you have to do is enter the Authenticator Key (TPOP) when you are adding an item.

The application also has the ability to attach files and create custom fields in the add item screen to meet additional needs for more advanced use cases.

Browser Extensions

Bitwarden has browser extensions that allow you to manage and use your passwords from directly within your internet browser. They have extensions for all major browsers, with the exception of Safari due to limitations within MacOS Catalina.

Browser Extension Setup

When you first open the Bitwarden browser extension you will be presented with the login screen. If you have are running a self-hosted version of the application, then you need to click the settings icon on the top left-hand corner of the extension. Once you click this icon, you’ll be presented with the below screen that allows you to enter the address of your installation. For most installations, you only need to enter the URL in the top field. You can fill out the remaining fields if you have a more advanced installation.

Browser Extension Usage

Once the browser extension is installed and connected to your server, the Bitwarden browser extension will automatically begin syncing your passwords. When you log in to websites that are not in your Bitwarden password manager, then it will automatically ask if you want to add the login to the database. This feature ensures that keeping your database up to date is much less painstaking.

You can also use the secure password generator that is built-in to the Bitwarden browser extension to create more secure passwords for the websites that you use. You can adjust the options to create more complex passwords with special characters. Once you settle on a password complexity level, just copy and paste the given password into the online form and hit submit.

When you visit a website, the extension will recognize that website and attempt to fill the login fields. If the website does not support automatic filling of the login fields, all you have to do is click the extension icon and you’ll see a list of available login information for the website that you are viewing.

The browser extension also syncs with the server on a regular basis, this means that if you need to look up any of the information that you have stored in Bitwarden, all you have to click the extension and click search.

Desktop Applications

Bitwarden desktop applications are also available for Windows, Mac OS, and Linux. They are very similar to the Bitwarden Web Vault and sync frequently with the Bitwarden Server. The desktop applications are fully featured, responsive applications that can be used to work with your password database in a local desktop environment. The Bitwarden Desktop applications also allow you to work with your data offline as they do not require a constant connection to the Bitwarden server.

Conclusion

Once you have Bitwarden set up, it really is a set-it and forget-it solution to managing your passwords. The application itself does not require much maintenance for small local installations. Currently, my installation contains over 700 items. This application has been the easiest to learn and since it is hosted from home, it is one of the most secure ways to store your passwords. I believe that Bitwarden is the best free password manager that can be easily self-hosted in a docker environment.

I hope you enjoyed this Bitwarden Review. If you have any questions, or suggestions, please leave a comment below.

Related posts: