this post was submitted on 18 Jun 2023
140 points (98.6% liked)


It was one of the easiest to set up and it works flawlessly. I'm a bit paranoid about losing my data even with the backups. Any recommendations?

[–] Sebbe@lemmy.sebbem.se 13 points 1 year ago (1 children)

The nice thing about syncing services like Vaultwarden is that all your synced devices kind of act like backups. You should still keep proper backups too, of course, but this makes me sleep a bit better at night at least.

Yeah, this too... like... I have Bitwarden synced in different computers/phones, so at least most of the passwords will still be somewhere.

[–] lost@kbin.social 9 points 1 year ago (2 children)

I use vaultwarden as my bitwarden backup. I pay for bitwarden premium because it's too critical of a service for me to not pay for access/support the service, or to expect my self hosted option will be sufficiently reliable enough.

That said, as a backup option, I run the vaultwarden addon in home assistant and just periodically do a manual export from bitwarden and import to vaultwarden. This is usually good enough for me, but glad to see this thread with some other options. Will be exploring some of these too!

[–] myogg@lemmy.world 7 points 1 year ago

The way I justify self hosting is that every device I use it on has an offline backup so downtime isn't overly important.

[–] flynnguy@lemmy.world 4 points 1 year ago

Oooh, I like this idea... I've thought about running vaultwarden but like you I pay for bitwarden premium because I think it's critical for me and I like the service and want to see them continue. Using it as a backup, then I can still support them and run my own backup.

[–] dustojnikhummer@lemmy.world 8 points 1 year ago (3 children)

I don't trust myself with Vaultwarden honestly. I will just pay for Bitwarden if I need to.

Same. Like, I'm relatively confident in the systems I have running, but not so confident that I'd trust them with my most important passwords.

[–] idle@158436977.xyz 2 points 1 year ago

I just periodically export my vault every few months, it's compatible with bitwarden. Absolute worst case scenario I can just sign up and import my vault, and maybe lose a password or 2, which can most likely just be reset anyways.

[–] grumpyrico@lemmy.world 1 points 1 year ago (1 children)

agree... one of the services which is just too critical for me to selfhost

[–] PlutoniumAcid@lemmy.world 1 points 1 year ago (1 children)

Same for email. I can't afford it to be down for days while I stress out about fixing whatever it was that I broke.

[–] dustojnikhummer@lemmy.world 3 points 1 year ago

Actually on premise self hosting email is just stupid these days. I do have my domain email set up with a local provider, but I don't use it. Again, email is crucial and I don't trust myself.

[–] Klox@lemmy.world 7 points 1 year ago (3 children)

I regularly hear it's great. Has anyone moved from KeePass? I haven't read anything that makes me think I should move on from KeePass. I have maybe ~4-5 clients and merging databases has been very easy since no client is offline for too long.

[–] AbidanYre@lemmy.world 5 points 1 year ago

I went from KeePass to pass to vaultwarden. Sharing passwords is way easier.

[–] blackstrat@lemmy.fwgx.uk 4 points 1 year ago

I tried it but reverted back to KeePass. I didn't see any advantage with Vaultwarden and having it exposed so brazenly didn't fill me with confidence. When I tried to run in parallel I found that you can't sync vault warden with a keepass DB file. You can import it, but once it's imported you can't keep them in sync. Re-do an import and you end up with everything duplicated - but updated entries... which is the up to date one? If it had better syncing I could see myself using keepass on mobile and vaultwarden on PC. But at the end KeePass is just brilliant as it is and that's fine with me.

[–] bdonvr@thelemmy.club 6 points 1 year ago (2 children)

Set up a Backblaze B2 account. Make regular backups via RSync (and use encryption.)

10GB free, and dirt cheap after that.

[–] sudneo@lemmy.world 3 points 1 year ago

I do this, but on B2 I upload an encrypted restic repo. Password manager backup is one of those instances where it's totally worth having historical copies (for example, 1 weekly copy for the last 6 months), as it consumes very little space while saving the day in case of accidental overwrite or deletion.

[–] conrad82@lemmy.world 2 points 1 year ago (3 children)

Where do you backup the decryption? Is it a memorized password, or a key?

[–] gaurhoth@lemm.ee 5 points 1 year ago

Simple way to build confidence in your backups... test your restores regularly.

[–] dan@upvote.au 5 points 1 year ago* (last edited 1 year ago)

For backups, I have two storage VPSes (one in Los Angeles and one with a completely different provider in Canada), and have an individual backup to each one. I'm using Borgbackup for that.

Borg lets you enable an "append only" mode for particular clients such that even if an attacker were to gain access to your client system, they couldn't delete your backups. This is a common issue with rsync/rclone solutions.

Borg dedupes across all backups, so you can have months of daily backups without using a lot more disk space. Neither rsync nor rclone can do this.

Don't forget to test your backups by doing a data recovery run - act as if your data was lost, and try to set everything up again, maybe on a VM or something. If the backups aren't tested, you don't really have backups :)
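
A restore test of the kind recommended in the comments above, as an added example that is not part of any commenter's post. It assumes the password server keeps its data in a single SQLite file; the file names and the `vault_items` table are constructed for the demo.

```python
# Assumption: the server's data lives in one SQLite file; all names here are made up.
import os
import sqlite3
import tempfile

def snapshot(live_path, backup_path):
    """Consistent copy of a live SQLite file via the online backup API."""
    src, dst = sqlite3.connect(live_path), sqlite3.connect(backup_path)
    try:
        src.backup(dst)
    finally:
        dst.close()
        src.close()

def table_counts(path):
    """Return {table: rows}; raises sqlite3.DatabaseError on a damaged file."""
    con = sqlite3.connect(path)
    try:
        if con.execute("PRAGMA integrity_check").fetchone()[0] != "ok":
            raise sqlite3.DatabaseError("integrity_check failed")
        names = [r[0] for r in con.execute(
            "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'")]
        return {n: con.execute(f'SELECT COUNT(*) FROM "{n}"').fetchone()[0]
                for n in names}
    finally:
        con.close()

def verify_restore(live_path, restored_path):
    """Return a list of problems; empty means the restored copy matches."""
    try:
        restored = table_counts(restored_path)
    except sqlite3.DatabaseError as exc:
        return [f"restored file unusable: {exc}"]
    return [f"{t}: live={n} restored={restored.get(t)}"
            for t, n in table_counts(live_path).items() if restored.get(t) != n]

def demo():
    """Constructed data: stand-in database, one good backup, one truncated."""
    with tempfile.TemporaryDirectory() as d:
        live, good, bad = (os.path.join(d, n) for n in ("live.db", "good.db", "bad.db"))
        con = sqlite3.connect(live)
        con.execute("CREATE TABLE vault_items (id INTEGER PRIMARY KEY, blob TEXT)")
        con.executemany("INSERT INTO vault_items (blob) VALUES (?)", [("x" * 200,)] * 500)
        con.commit()
        con.close()
        snapshot(live, good)
        with open(good, "rb") as f, open(bad, "wb") as g:
            g.write(f.read()[:6000])  # simulate an interrupted upload
        return verify_restore(live, good), verify_restore(live, bad)
```

Run `verify_restore` against a copy pulled back from the remote store, not against the local file that was uploaded, so a truncated or damaged transfer is caught.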

[–] klassasin@lemmy.world 4 points 1 year ago

I've had decent success with using this image to handle my backups: vaultwarden-backup. You can configure rclone to target a variety of providers

[–] blackstrat@lemmy.fwgx.uk 4 points 1 year ago (1 children)

I tried Vault warden, but I didn't find it better than KeePass which I have syncing over nextcloud to storage that is mounted over NFS for my desktop and laptop. There are plenty of clients so you can use windows, linux, android etc.

[–] uzay@infosec.pub 1 points 1 year ago

I ran Keepass synced through my Nextcloud for a long time as well, but I switched to Vaultwarden after losing passwords due to sync issues. Almost got locked out of an important account. Luckily I noticed it early enough to recover it through my Nextcloud's versioning. But since then I'm too paranoid to rely on a password manager without a reliable syncing mechanism built-in if I'm gonna use it daily on a range of different devices.

[–] Marduk@hammerdown.0fucks.nl 2 points 1 year ago (1 children)

Mine runs on a synology nas, and I have a hyperbackup task that copies the data volume up to gdrive every night (encrypted of course).

Also, any device you've synced to vaultwarden will retain the data even if the server is down, and with the addin for firefox for example, you can export that data out.

[–] kamin@lemmy.kghorvath.com 2 points 1 year ago

I ran it for a while but ultimately didn’t trust myself to harden it enough.

[–] ollie@lemmy.world 2 points 1 year ago (1 children)

how are you doing your backups now? are you using the 3-2-1 backup strategy?

[–] donnnnnb@lemm.ee 2 points 1 year ago (1 children)

I don't trust vaultwarden, only on the basis that it's unofficial and not as strictly audited. I use the container stack provided by bitwarden behind a cloudflare tunnel and backup the data directory with duplicati to S3. Should be able to do the same with vaultwarden, just try a backup test.

[–] dustojnikhummer@lemmy.world 1 points 1 year ago (2 children)

VW is FOSS, so that is not an issue. I trust them, but I don't trust myself

[–] dukes00@kbin.social 2 points 1 year ago (4 children)

How do you approach remote access?

[–] lost@kbin.social 3 points 1 year ago

I run it through an nginx proxy that runs cloudflared through my domain, giving https access with limited worry of various security concerns. Probably not the best setup but was relatively easy to do.

[–] conrad82@lemmy.world 2 points 1 year ago

Not OP, but you could set up a wireguard vpn in your home network.

It would require opening up a port on your router for wireguard, and probably use a dynamic dns provider ( duckdns.org or similar ) to get a URL.

[–] dustojnikhummer@lemmy.world 1 points 1 year ago

I don't run Vaultwarden because I don't trust myself, but Container -> Traefik -> dst-nat -> Cloudflare Proxy (don't use this for video).

[–] asjmcguire@kbin.social 1 points 1 year ago

This post reminded me to finally get around to fixing the error preventing me from setting up TOTP on my self hosted install.

From what I understand of it your passwords and all should be safe as it also stores them client-side. So it's more like your sync is down. But don't quote me on that.

[–] chf@kbin.social 1 points 1 year ago

how about passbolt?
