Using a password manager is one of the most important steps you can take to improve your personal security. By avoiding password reuse across multiple websites, password managers greatly reduce the risk of cascading compromise of your accounts from a leaked and reused password. They are also very convenient as they allow you to autofill your passwords and sync them effortlessly between devices.
Syncing your passwords in the cloud is completely secure – it uses clever cryptography to ensure that only you can decrypt your password vault. Today we're introducing Vaultwarden, an open source, self-hosted alternative to Bitwarden. We'll cover this in more detail later, but Vaultwarden is essentially a performance-focused rewrite of the existing Bitwarden server instance.
It is a great way to make your passwords accessible across your network, and could be a good option for internal passwords, like those for your home lab, NAS, or media server. There are also some serious security concerns that we'll cover, but first, here's how to get your Vaultwarden server up and running on a Raspberry Pi. We'll be using Docker, so these instructions will probably work just fine on most devices running Docker.
Should you install Vaultwarden on your Raspberry Pi?
When installing Vaultwarden on your network, you must consider security concerns.
Before we get into how to install Vaultwarden on your Raspberry Pi, you should be aware of some serious security concerns. By hosting a program like this yourself, you are taking responsibility for the security of your instance. This includes things like regular updates, hardening the machine it's running on against attacks, and ensuring good security practices in general. Unless you're an expert, we don't recommend exposing your Bitwarden instance to the internet. Your devices should still be synced, but only when you're at home. Remember that when you're outside the home, a local copy of your passwords will still be available on your devices.
Bitwarden has long supported hosting your own instances, but offers no security guarantees. While Vaultwarden is a legitimate project, there are security concerns about running a third-party alternative to the FOSS Bitwarden version.
You may have previously known Vaultwarden as Bitwarden_rs. The name has been changed to avoid any potential trademark or branding issues.
What is Vaultwarden?
Vaultwarden is an open source recreation of the original Bitwarden server in Rust, a low-level but memory-safe programming language known for its performance.
How to install the Vaultwarden server on your Raspberry Pi
Docker simplifies the installation of Vaultwarden
There are a few prerequisites to this process. Vaultwarden won't work without HTTPS (and you shouldn't use it without it), so you'll need to generate HTTPS certificates for a domain you own, or generate self-signed certificates that you can pass to Vaultwarden. We wouldn't recommend using self-signed certificates in the long run, but they are good enough to start with.
Requirements:
- A Raspberry Pi with a compatible operating system (we tested it on the Pi 3 with Raspbian)
- A set of SSL/HTTPS certificates, either for a domain or self-signed
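If you take the self-signed route, the following added example (not part of the original article) generates the public.pem and private.pem files that the docker run command later in this guide expects, with the Pi's IP address in the certificate's subjectAltName. The function names and the common name vaultwarden.home.arpa are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: build the public.pem / private.pem pair that this
# guide's docker run command mounts at /ssl/.
# Usage: make_selfsigned_cert <output-dir> <pi-ip-address> [days]
make_selfsigned_cert() {
    out_dir=$1
    pi_ip=$2
    days=${3:-365}
    [ -n "$out_dir" ] && [ -n "$pi_ip" ] || {
        echo "usage: make_selfsigned_cert <dir> <ip> [days]" >&2
        return 2
    }
    mkdir -p "$out_dir" || return 1
    (
        # Subshell: the restrictive umask stays local, and the private
        # key is never readable by other users, even briefly.
        umask 077
        # -nodes leaves the key unencrypted so the container can load
        # it unattended. The subjectAltName must contain the address
        # typed into the browser, or clients reject the certificate.
        # The CN below is a constructed placeholder name.
        openssl req -x509 -newkey rsa:2048 -sha256 -nodes \
            -days "$days" \
            -subj "/CN=vaultwarden.home.arpa" \
            -addext "subjectAltName=IP:$pi_ip" \
            -keyout "$out_dir/private.pem" \
            -out "$out_dir/public.pem" 2>/dev/null
    ) || return 1
    chmod 600 "$out_dir/private.pem"
    chmod 644 "$out_dir/public.pem"
}

# Print the SHA-256 fingerprint of a certificate. Compare it with the
# fingerprint the browser shows before accepting the self-signed
# certificate warning.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Succeed only if the certificate and the private key belong together.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ]
}
```

Run make_selfsigned_cert . 192.168.0.20 in the directory you will start the container from, substituting your Pi's address. The -addext option requires OpenSSL 1.1.1 or newer.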
As mentioned earlier, we will be using Docker to install Vaultwarden on your Raspberry Pi. Docker is a containerization platform that simplifies software deployment. This saves a lot of complex build steps. Follow the steps below to install Docker on your Pi. For this tutorial, we will be using Raspbian on a Raspberry Pi 3.
- First, make sure your system is up to date using the following two commands.
sudo apt-get update
sudo apt-get upgrade
The first line updates the version information of your configured repositories and the second installs any available operating system updates.
- Install the required dependencies for the Docker Engine.
sudo apt-get install apt-transport-https ca-certificates curl software-properties-common
- You can then install Docker's official GPG key using the following command. This will allow your package manager to check that downloads from the Docker repository are signed and verified.
curl -fsSL https:
- Add the official Docker repository to your package manager's sources.
echo "deb [arch=armhf] https://download.docker.com/linux/raspbian $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list
- Update your package database to ensure that all current packages are available.
sudo apt-get update
- Install Docker using the Apt package manager.
sudo apt-get install docker-ce
- Verify that Docker is installed by testing the “Hello World” container.
sudo docker run hello-world
- Next, we want to enable Docker to run automatically at startup.
sudo systemctl enable docker
Once Docker is fully installed and running, we can start setting up your password vault. We will be using an unofficial but upstream image called Vaultwarden. This is a lighter, alternative implementation of the Bitwarden server rewritten in Rust. There is an option to use the official image, but we prefer this one due to its lightweight nature. However, weigh that against the security implications: this image is maintained by a third party.
First, start the process by getting the latest Vaultwarden Docker image and then proceed with the following steps.
sudo docker pull vaultwarden/server:latest
- For testing purposes, I used RocketSSL to get it working, but in the medium term, we recommend you set up a reverse proxy or similar with Nginx. However, for testing Vaultwarden, the following will suffice. The -v ./:/ssl/ option mounts the current directory, which holds your SSL certificates, into the container at /ssl/, and the ROCKET_TLS environment variable passes the certificate and key paths to RocketSSL.
sudo docker run -d --name vaultwarden -e ROCKET_TLS='{certs="/ssl/public.pem",key="/ssl/private.pem"}' -v ./:/ssl/ -v /vw-data/:/data/ -p 443:80 vaultwarden/server:latest
This will start Vaultwarden on port 443 (HTTPS), and all data will be stored under /vw-data/ on the host computer. The command starts the container in detached mode, that is, in the background. You can check the logs for Vaultwarden with:
sudo docker logs vaultwarden
- You should now be able to connect to your Vaultwarden instance through your web browser. If you are unsure of your IP address, you can check it with the following command.
sudo ip addr
- The web interface should be accessible via HTTPS at the IP address of your Raspberry Pi, for example: https://192.168.0.20.
Enter your email address and log in to your account.
- Voilà! Now you have your own self-hosted Bitwarden-based security instance that you can access from any device in your house.
Vaultwarden is ideal for making your passwords accessible across your entire network
I'm a huge fan of Vaultwarden (and the self-hosted version of Bitwarden as well). It's a great way to make your passwords accessible across your entire network, from servers to your mobile devices. This means you don't need ten different logins, and you can easily share different accounts and password sets with users across your entire network if you want.
Vaultwarden is also ideal for avoiding installing a plugin or app on every device you store your passwords on. It's a great alternative to running Bitwarden on your local machine, especially if you have a lot of devices or need easy access to a lot of new devices like virtual machines or containers. Just be sure to keep everything up to date and follow best practices to protect your privacy.