The peace of mind in having all your sensitive data under your control is totally worth it.
I used to have some illusions that "if I self host, I am in control", and "if I don't connect my home infra to the internet, I am safe". Later I realized neither is true.
I can't trust all the consumer grade devices in my network, I don't trust software just because it is open source. And I don't have time to keep up with all the security patches and do security auditing / vulnerability scans routinely, etc.
It is fine to self host hobby stuff for fun, but professionally managing sensitive data is a full time job.
An attacker can justify allocating a lot of resources to pwn bitwarden.com. If you manage to break into the vaults you're bound to find something juicy, just because of how large the target is.
Or you could decide to pwn me. Figure out where my bitwarden is hosted, what my config looks like, what mistakes I might have made setting it up, then maybe find a way in. Then it's just the start, since the passwords are encrypted on disk, so at best you have access to an encrypted sqlite database. Now you need to find a way to get me to leak my vault key. Maybe I sometimes use the web interface? Maybe not. Who knows.
After all of that you may realize that all of my passwords are either not super important or require some form of 2FA, therefore wasting your time.
But hey, you can log into my hacker news account!
Security through irrelevancy.
If you want to really get paranoid, pass it all through wireguard or ssh tunnels, but for bitwarden at least it's all client-side encrypted anyway, you could probably run it on a very out of date system without issue.
The situation with Bitwarden is a bit different though. Secrets are encrypted on the clients, the server never sees decrypted data.
Personally I think hosting the server locally doesn't give much benefit because I'm more likely to screw things up than Bitwarden is on that front.
For example, one day a malicious maintainer could flip a switch that simply updates the docker image to send thousands of people's entire vault somewhere and then disappear, no?
Edit: Noting that there have been discussions about the default number of iterations. https://github.com/bitwarden/jslib/issues/52
You can patch the bitwarden client (and also take the opportunity to remove the spyware they have embedded in it, as well), or use a program like LuLu or Little Snitch to block it from communicating with anything but your own selfhosted bitwarden_rs instance.
1) if you worry about people replacing the docker image you are using, build your own. It's not hard. Alternatively, use a specific version of the docker image by specifying the version or the hash (if you are really paranoid). Of course after you review the Dockerfile. At a minimum, glance through the Dockerfile.
2) bitwarden has import/export functionality (client side) so if your server disappears for whatever reason, you can still export your passwords from the client side.
3) if you don't trust the OSS code, audit it or at least look through it. That's the whole point of OSS. Build it from source if you must. File bugs. Look at the issue tracker. You can choose not to but if something happens it's your problem; not somebody else's problem.
4) The vault is encrypted and the server never handles or sees the decrypted content (see 3 to verify this). Other people's ability to break that encryption depends on you using a secure master password.
5) Or just pay Bitwarden to host passwords for you and rely on their terms of use, SLAs, support, good reputation, and what not. That's probably the best option if you want ass coverage for professional usage. Their pricing is very reasonable for small setups. And probably sharing passwords with a large group of users is just a spectacularly bad idea to begin with. A couple of key users should cost you max 20/month. Not really worth dedicating devops time for self hosting unless you have a really good reason to. If you do, see 1-4.
That's an outright fantasy, every day I rely on like 50 pieces of software written in 20 different languages and frameworks. They are updated multiple times a month. How many man hours would it take? 1000 a week?
Professional developers couldn't find heartbleed for years, you really think anyone would notice a hidden backdoor in software like this within a year?
Unless you review the source code of everything you use, and compile it yourself, there’s always that risk.
What prevents Postgres maintainers from just stealing all your DB? Nginx maintainers from redirecting your web traffic?
Ultimately, it boils down to a balance between trust in the author, the community or your own checking process.
Also this is only a risk if you use the provided Web vault. If you use the desktop, mobile or browser extension clients, it would require both Bitwarden LLC and dani garcia to conspire against you, as the server doesn't control the code those clients run and the API only provides it data in encrypted format.
Finally, if you're that worried you can pin the container version by hash and only update when you are confident in the new version
It's not fair to single out just Bitwarden IMO.
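Point 1 of the numbered list earlier in the thread and the "pin the container version by hash" suggestion above both come down to the same check: is every image you run referenced by an immutable digest, or by a tag that the publisher (or anyone who takes over the publisher's account) can re-push? The script below is an added example written for this page, not code from the thread or from the bitwarden_rs project. It parses image references the way Docker does and flags Dockerfile `FROM` lines and compose `image:` lines that are not digest-pinned. The sample Dockerfile and compose file are constructed for the demo, the tags in them are made up, the `bitwardenrs/server` image name is assumed to be the one the thread means, and the digest is a dummy 64-hex string rather than a real image digest.

```python
from __future__ import annotations

import re

# Constructed sample inputs (not from the thread): a Dockerfile and a compose file
# with made-up tags; the digest is a dummy 64-hex string, not a real image digest.
DUMMY_DIGEST = "sha256:" + "0123456789abcdef" * 4

SAMPLE_DOCKERFILE = """\
FROM rust:1.2.3 AS build
RUN cargo build --release
FROM scratch
COPY --from=build /out/app /app
"""

SAMPLE_COMPOSE = f"""\
services:
  vault:
    image: bitwardenrs/server:latest
  proxy:
    image: "nginx"
  pinned:
    image: bitwardenrs/server:1.2.3@{DUMMY_DIGEST}
"""

DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")
FROM_RE = re.compile(
    r"^\s*FROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+(\S+))?",
    re.IGNORECASE | re.MULTILINE,
)
IMAGE_RE = re.compile(r"^\s*image:\s*['\"]?([^'\"\s#]+)", re.MULTILINE)


def parse_image_ref(ref: str) -> dict[str, str | None]:
    """Split an image reference into registry, repository, tag and digest using the
    rules Docker applies: the first path component is a registry only if it contains
    a '.' or ':' or is 'localhost'; bare single names live under docker.io/library."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    tag = None
    last_slash, last_colon = ref.rfind("/"), ref.rfind(":")
    if last_colon > last_slash:  # a ':' after the last '/' is a tag separator, not a port
        ref, tag = ref[:last_colon], ref[last_colon + 1:]
    parts = ref.split("/")
    if len(parts) > 1 and ("." in parts[0] or ":" in parts[0] or parts[0] == "localhost"):
        registry, repository = parts[0], "/".join(parts[1:])
    else:
        registry, repository = "docker.io", ref if "/" in ref else f"library/{ref}"
    return {"registry": registry, "repository": repository, "tag": tag, "digest": digest}


def pin_status(ref: str) -> str:
    """'pinned' only for a well-formed sha256 digest. A tag, even a specific version
    tag, can be re-pushed to point at different content, so it is reported separately."""
    info = parse_image_ref(ref)
    if info["digest"] is not None:
        return "pinned" if DIGEST_RE.match(info["digest"]) else "invalid-digest"
    if info["tag"] is None or info["tag"] == "latest":
        return "floating-latest"
    return "tag-only"


def audit(text: str) -> list[tuple[str, str]]:
    """Collect every image reference from Dockerfile FROM lines and compose image:
    lines, skip 'scratch' and references to earlier build stages, and return
    (reference, status) for each one that is not digest-pinned."""
    stages = {m.group(2) for m in FROM_RE.finditer(text) if m.group(2)}
    refs = [m.group(1) for m in FROM_RE.finditer(text)] + IMAGE_RE.findall(text)
    findings = []
    for ref in refs:
        if ref == "scratch" or ref in stages:
            continue
        status = pin_status(ref)
        if status != "pinned":
            findings.append((ref, status))
    return findings


if __name__ == "__main__":
    for ref, status in audit(SAMPLE_DOCKERFILE + SAMPLE_COMPOSE):
        print(f"{status:16} {ref}")
```

To turn a finding into a pin, pull the tag you have reviewed and read the digest Docker reports (`docker pull <image>:<tag>` prints a `Digest:` line; `docker inspect --format '{{index .RepoDigests 0}}' <image>:<tag>` gives the same value for an image already present), then reference `<image>@sha256:<digest>` in the compose file. The tag can stay in front of the `@` for readability; the digest is what the daemon verifies.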
The real threat is that someone takes control of the bitwarden browser extension and pushes a malicious update.
That's why I don't use any KeePass extensions. I just don't trust the browser enough to be able to get any of my passwords.
I'm thinking about writing my own extension which will communicate with KeePass in a way that suits me (basically: when I press a button in the browser, it'll pop up the KeePass window with the search field filled with the server domain. Then I can either auto-type the password from KeePass or copy it to the clipboard; either way I'm only using KeePass and the browser extension has no way to get any information).
Then when you log into somewhere add another secret (which you keep in your head) to the end of the password you stored in Bitwarden.
Switch on 2FA everywhere you can.
Sleep at night.
Btw the "custom server" setting is a bit hidden, it is behind the cogwheel in the upper left in most cases.
But that said, it is by far the best product despite this.
For personal, Bitwarden is much better. Browser plugins just work, android auto fill just works, passwords synchronized across devices, support for auto filling payment information. 2FA support.
bitwarden_rs bundles the upstream JS in its default containers, so it's the same code that you'd be running from bitwarden.com
I do see the advantage of being cloud based as a way to avoid database conflicts (in my case 3 windows machines + mobile), but I wonder what can surprise me here. Is bitwarden's browser integration similar to KeePassXC (KeePass helper + KeePassXC-browser)?
Long story short - we use official Bitwarden and are paying for it and couldn't be happier. Bitwarden_RS looks like a cool toy, but I can't see any reason why anyone would run it. It's good for personal passwords, but Bitwarden itself offers free service so there's no need to venture down the self-hosted road.
It's a trust issue. I don't trust my passwords on someone else's server. I don't trust free services to remain free forever. I don't trust paid services to not increase the fees 4x over a few years.
The alternative to bitwardenrs or bitwarden/server is not bitwarden.com for me given the areas I'm concerned with, it's going back to KeePass + Syncthing.
I think the reticence to provide the group features in bitwarden_rs may come from being unwilling to too blatantly step on the toes of Bitwarden LLC by producing a $0 drop in alternative to their paid service. bitwarden_rs is open source and bitwarden/server is _mostly_ open source (Some SSO related features are not), so it seems worthwhile to get along and not need to fork the ecosystem.
They don't have your decryption key, therefore they save encrypted blobs and have no means to obtain your password. This takes care of trust issue - it simply is not an issue and never will be.
Even if a malicious employee does something out of the ordinary or a "hacker" gets the database, they still have the impossible task of breaking the encryption (which for all intents and purposes is impossible as of right now).
This returns us back to my starting point - there's *no objective* reason to use bitwarden_rs, apart from curiosity and/or convenience. I'm not saying it SHOULD not be used. We are all free to make choices as we see fit and don't need to justify them, however the reasons you listed are not reasons at all because the concerns you have don't exist.
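Point 4 of the numbered list earlier in the thread and the "encrypted blobs" comment just above describe the same architecture: the client stretches the master password into a key, encrypts the vault, and uploads only ciphertext, so a server operator or someone who steals the database holds nothing but the KDF parameters and an opaque blob. The following is an added example written for this page to make that model concrete; it is not Bitwarden's or bitwarden_rs's code and does not reproduce their wire format. The e-mail, iteration counts and sample vault line are constructed for the demo, and the cipher layer is an HMAC-SHA256 counter-mode stream with an HMAC tag, chosen as a standard-library stand-in for the AES layer a real client uses. The `crack` function plays the attacker with a stolen database: it shows that what remains attackable offline is the master password itself, with the per-guess cost set by the iteration count the thread's linked issue discusses.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed parameters for the demo; the iteration counts are illustrative and
# are not Bitwarden's defaults (the thread links the issue discussing the real one).
EMAIL = "alice@example.com"
LOW_ITERATIONS = 5_000
HIGH_ITERATIONS = 100_000


def derive_master_key(password: str, email: str, iterations: int) -> bytes:
    """Client side only: stretch the master password with PBKDF2-HMAC-SHA256,
    salted with the lower-cased account e-mail. The server never receives this key."""
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode(), email.lower().encode(), iterations, dklen=32
    )


def subkeys(master_key: bytes) -> tuple[bytes, bytes]:
    """Derive independent encryption and MAC keys from the master key (HKDF-style expand)."""
    enc = hmac.new(master_key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(master_key, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter mode built from HMAC-SHA256: a stand-in for the AES layer of a real
    # client, used here so the example runs on the standard library alone.
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def encrypt(master_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || HMAC tag. Only this blob goes to the server."""
    enc_key, mac_key = subkeys(master_key)
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(master_key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before touching the ciphertext."""
    enc_key, mac_key = subkeys(master_key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("MAC check failed: wrong master key or tampered blob")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


@dataclass
class ServerRecord:
    """Everything the server holds for one user, which is also everything a thief
    of its database file gets: the KDF parameters and an opaque blob, no key."""
    email: str
    iterations: int
    vault_blob: bytes


def register(password: str, iterations: int, vault_plaintext: bytes) -> ServerRecord:
    """What the client does at signup: derive the key locally, upload only ciphertext."""
    master_key = derive_master_key(password, EMAIL, iterations)
    return ServerRecord(EMAIL, iterations, encrypt(master_key, vault_plaintext))


def crack(record: ServerRecord, candidates: list[str]) -> tuple[str | None, int]:
    """Offline attack with a stolen database: re-run the public KDF for each guess and
    use the MAC as the oracle. Cost per guess scales with the iteration count; the
    number of guesses needed is set entirely by how guessable the master password is."""
    for attempt, guess in enumerate(candidates, start=1):
        key = derive_master_key(guess, record.email, record.iterations)
        try:
            decrypt(key, record.vault_blob)
            return guess, attempt
        except ValueError:
            continue
    return None, len(candidates)


if __name__ == "__main__":
    rec = register("password123", LOW_ITERATIONS, b"site=news.example user=alice pass=correct horse")
    print("plaintext visible to server:", b"correct horse" in rec.vault_blob)
    print("offline guess result:", crack(rec, ["letmein", "qwerty", "password123"]))
```

Two things the run makes visible: the blob the server stores reveals nothing without the key, and a master password on a small wordlist falls in a handful of PBKDF2 runs no matter where the server lives, while raising the iteration count only multiplies the attacker's per-guess cost. Self-hosting changes who can take the database, not what can be done with it.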
It took a few seconds to add to my portainer (docker) server and now I host my vault and keep it safe within my LAN.
I don’t run the official Bitwarden server because its system requirements are much too high for my liking.
Meanwhile, bitwarden_rs uses ~24MB disk space, ~24MB RAM, and <0.03% CPU on my single-core Vultr box.
Oh yeah, one other practical reason I couldn’t/wouldn’t go with bitwarden.com’s free plan: I’ve got a few TOTP things in my vault, gotta pay for that.
Before installing the rust version I actually went through the code to check that it wasn't doing anything untoward; it wasn't a very thorough review, but it took a couple hours. Given the fact that you don't actually need to trust a Bitwarden server, I'm not too concerned about using an "unofficial" implementation.
[1]: Note that the Bitwarden desktop client has a major remote code execution vulnerability that the developer has closed WONTFIX, so I don't recommend running the stock one without patching that out (as well as the spyware they embed in it).
I can assume you are referring to... the automatic updater? https://github.com/bitwarden/desktop/issues/552