The peace of mind in having all your sensitive data under your control is totally worth it.
I used to have some illusions that "if I self host, I am in control", and "if I don't connect my home infra to the internet, I am safe". Later I realized neither is true.
I can't trust all the consumer grade devices in my network, I don't trust a software just because it is open source. And I don't have time to keep up with all the security patches and do security auditing / vulnerability scan routinely...etc.
It is fine to self host hobby stuff for fun, but professionally managing sensitive data is a full time job.
An attacker can justify allocating a lot of resource to pwn bitwarden.com. If you manage to break into the vaults you're bound to find something juicy, just because of how large the target is.
Or you could decide to pwn me. Figure out where my bitwarden is hosted, what my config looks like, what mistakes I might have made setting it up, then maybe find a way in. Then it's just the start, since the passwords are encrypted on disk, so at best you have access to an encrypted sqlite database. Now you need to find a way to get me to leak my vault key. Maybe I sometimes use the web interface? Maybe not. Who knows.
After all of that you may realize that all of my passwords are either not super important or require some form of 2FA, therefore wasting your time.
But hey, you can log into my hacker news account!
Security through irrelevancy.
If you want to really get paranoid, pass it all through wireguard or ssh tunnels, but for bitwarden at least it's all client side encrypted anyways, you could probably run it on a very out of date system without issue.
And these are just for the integrity of your _encrypted_ data. There are a lot more to do to fully secure your home infra in general. How do you secure your wireguard client key on the go? Do you monitor access logs? What about Guest Wi-Fi access, vlan separation...
I don't know if worrying about all these considered being paranoid. End of day it's about risk management, and personally, the benefits of selfhosting does not justify the effort I will need to put into maintaining it.
The situation with Bitwarden is a bit different though. Secrets are encrypted on the clients, the server never sees decrypted data.
If you're going to host services as home such as your password manager, set up a WireGuard VPN, you can use a Pi and it'll be perfectly sufficient, leave only the VPN open on the internet, VPN in from your phone, laptop, whatever for anything you need access to, and you don't need to rely on Nextcloud or Bitwarden having vulnerabilities discovered in them.
I was using Nextcloud previously for password sync because my password manager needs WebDAV, it was too much to maintain so I wrote a small server in Golang using the WebDAV library and it sits behind NGINX which handles the auth. I run Minio (S3 compatible) for syncing our family photos from our phones and Folder Sync app on Android. They both run on a VM and write out to a ZFS pool.
I have a Pi 3B+ running Raspbian mounted read-only as a WireGuard VPN for remote access, and we use the official WireGuard app. VPN is always on because we have fast, symmetric fibre, and we don't need to worry about trusting public networks.
Personally I think hosting the server locally doesn't give much benefit because I'm more likely to screw things up than Bitwarden is on that front.
For example, one day a malicious maintainer could flip a switch that simply updates the docker image to send thousands of peoples’ entire vault somewhere and then disappear, no?
Edit: Noting that there have been discussions about the default number of iterations. https://github.com/bitwarden/jslib/issues/52
You can patch the bitwarden client (and also take the opportunity to remove the spyware they have embedded in it, as well), or use a program like LuLu or Little Snitch to block it from communicating with anything but your own selfhosted bitwarden_rs instance.
EDIT: Never mind, found it - https://github.com/bitwarden/desktop/issues/552. This isn't exactly an RCE. You can say the same about anything. By your logic Microsoft auto-updates are RCE. Same with pacman/apt-get/yum package managers. Same with pretty much anything else.
I'm not saying they're not valid concerns, however, if you're this worried about all of these things, maybe cloud-based software isn't for you.
1) if you worry about people replacing the docker image you are using, build your own. It's not hard. Alternatively, use a specific version of the docker image by specifying the version or the hash (if you are really paranoid). Of course after you review the Dockerfile. Minimum at least glance through the Dockerfile.
2) bitwarden has import/export functionality (client side) so if your server disappears for whatever reason, you can still export your passwords from the client side.
3) if you don't trust the OSS code, audit it or at least look through it. That's the whole point of OSS. Build it from source if you must. File bugs. Look at the issue tracker. You can choose not to but if something happens it's your problem; not somebody else's problem.
4) The vault is encrypted and the server never handles or sees the decrypted content (see 3 to verify this). Other people's ability to break that encryption depends on you using a secure master password.
5) Or just pay Bitwarden to host passwords for you and rely on their terms of use, SLAs, support, good reputation, and what not. That's probably the best option if you want ass coverage for professional usage. Their pricing is very reasonable for small setups. And probably sharing passwords with a large group of users is just a spectacularly bad idea to begin with. A couple of key users, should cost you max 20/month. Not really worth dedicating devops time for self hosting unless you have a really good reason to. If you do, see 1-4.
Thats an outright fantasy, every day I rely on like 50 pieces of software written in 20 different languages and frameworks. They are updated multiple times a month. How many man hours would it take? 1000 a week?
Proffesional developers couldn't find heartbleed for years, you really think anyone would notice a hidden backdoor in software like this withing a year?
Most people choose to trust certain software providers based on their reputation. But if you have serious doubts and you don't check, that would be your problem.
Whining about an open source project maybe being insecure basically means either check it or don't use it. Nobody is twisting your arm to risk your passwords on some wonky self hosted setup. Your problem if it blows up in your face. That's also what it spells out in a typical OSS license (that would be the section talking about limited liability). That's another thing people tend to not check that they probably should pay some attention to. Using the software means accepting that it's your responsibility.
If like most you are unable to make a sound judgment on this front; consider paying a service provider providing you a service. That would be Bitwarden in this case. They kindly provide a free version even. Easy choice IMHO.
Heart-bleed slipped through the cracks for a while and then certain software providers lived up to their reputation by providing fixes in a timely fashion. And certain others messed up by not doing that. I care more about how developers act when something like this happens than the fact that it happens.
OSS software providers are no different than other providers when it comes to trust. Except you have the option of looking at their code. Lots of people doing that builds trust. I tend to look at things like number of stars, commit frequency, and other things when deciding to use a random Github thing. When it comes to software that is safety critical, I prefer the scrutiny of an active community of developers. That just increases my level of trust.
IMHO Bitwarden's trustworthiness just went up by virtue of there being multiple implementations of the thing and apparently a growing community of users and developers depending on these things. I'm already using it and vastly prefer this over some closed source solution with opaque development processes. I probably would not self host but it is nice to have that option available.
Unless you review the source code of everything you use, and compile it yourself, there’s always that risk.
What prevents Postgres mainteners to just still all your DB ? Nginx mainteners to redirect your web traffic ?
Ultimately, it boils down to a balance between trust in the author, the community or your own checking process.
Also this is only a risk if you use the provided Web vault. If you use the desktop, mobile or browser extension clients, it would require both Bitwarden LLC and dani garcia to conspire against you as the server doesn't control code those clients run and the API only provides it data in encrypted format.
Finally, if you're that worried you can pin the container version by hash and only update when you are confident in the new version
...or they have to do it because of the NSA and weirdly 99% of users don't care or don't have the means to do anything about it.
Companies aren't trustworthy, they are bigger targets but also targets with thicker armor.
I just go with the offline route, KeepassXC runs well enough for me and is compatible with phones. I need to handle data sync myself but it's not like I change or add new passwords every day.
It's not fair to single out just Bitwarden IMO.
The real threat is that someone takes control of the bitwarden browser extension and pushes a malicious update.
That's why I don't use any KeePass extensions. I just don't trust browser enough to be able to get any of my passwords.
I'm thinking about writing my own extension which will communicate with KeePass in a way that suits me (basically: when I'm pressing button in browser, it'll popup KeePass window with search field filled with server domain. Then I can either auto-type password from KeePass or copy it to clipboard, either way I'm only using KeePass and browser extension have no way to get any information.
I'd absolutely use KeePass for a long term storage password vault (with appropriately obscure reminders so I could recall the password), but the ecosystem of many unofficial free implementations for integration into browsers, phones (IIRC), etc. makes me twitch.
Then when you log into somewhere add another secret (which you keep in your head) to the end of the password you stored in Bitwarden.
Switch on 2FA everywhere you can.
Sleep at night.
Instead of a salt, which is random for each entry and has to be stored along the hash, one single pepper is added to each password before hashing and kept secret.
Btw the "custom server" setting is a bit hidden, it is behind the cogwheel in the upper left in most cases.
But that said, it is by far the best product despite this.
Bitwarden clients have the same UX across OSes and platforms ( browser extension, mobile app, thick client". The thick clients are indeed Electron based.
For personal, Bitwarden is much better. Browser plugins just work, android auto fill just works, passwords synchronized across devices, support for auto filling payment information. 2FA support.
— it's a native application (starts instantly on less powerful machines)
— can check your accounts against haveibeenpwnd.com database
— has full browser integration which works flawlessly IME
— can store SSH keys and work as an SSH agent
edit: it does not support synchronization, I misremembered. Sorry.
bitwarden_rs bundles the upstream JS in its default containers, so it's the same code that you'd be running from bitwarden.com
I do see advantage of being cloud based as a way to avoid database conflicts (in my case 3 windows machines + mobile), but I wonder what can surprise me here. Is bitwarden's browser integration similar to KeepassXC (Keepass helper + KeepasXC-browser)?
Long story short - we use official Bitwarden and are paying for it and couldn't be happier. Bitwarden_RS looks like a cool toy, but I can't see any reason why anyone would run it. It's good for personal passwords, but Bitwarden itself offers free service so there's no need to venture down the self-hosted road.
It's a trust issue. I don't trust my passwords on someone else's server. I don't trust free services to remain free forever. I don't trust paid services to not increase the fees 4x over a few years.
The alternative to bitwardenrs or bitwarden/server is not bitwarden.com for me given the areas I'm concerned with, it's going back to KeePass + Syncthing.
I think the reticence to provide the group features in bitwarden_rs may come from being unwilling to too blatantly step on the toes of Bitwarden LLC by producing a $0 drop in alternative to their paid service. bitwarden_rs is open source and bitwarden/server is _mostly_ open source (Some SSO related features are not), so it seems worthwhile to get along and not need to fork the ecosystem.
They don't have your decryption key, therefore they save encrypted blobs and have no means to obtain your password. This takes care of trust issue - it simply is not an issue and never will be.
Even if malicious employee does something out of the ordinary or "hacker" gets the database, they still have the impossible task of breaking the encryption (which for all intents and purposes is impossible as of right now).
This returns us back to my starting point - there's *no objective* reason to use bitwarden_rs, apart from curiosity and/or convenience. I'm not saying it SHOULD not be used. We are all free to make choices as we see fit and don't need to justify them, however the reasons you listed are not reasons at all because the concerns you have don't exist.
Sure they do. The web vault. Plenty of functionality isn't available anywhere else.
You've only attempted to address 1 of 3, and the other reply indicates that there is absolutely attack vectors from bitwarden.com if bitwarden LLC wanted to, was forced to, or was compromised.
It took a few seconds to add to my portainer (docker) server and now I host my vault and keep it safe within my LAN.
I don’t run the official Bitwarden server because its system requirements are much too high for my liking.
Meanwhile, bitwarden_rs uses ~24MB disk space, ~24MB RAM, and <0.03% CPU on my single-core Vultr box.
Oh yeah, one other practical reason I couldn’t/wouldn’t go with bitwarden.com’s free plan: I’ve got a few TOTP things in my vault, gotta pay for that.
Before installing the rust version I actually went through the code to check that it wasn't doing anything untoward; it wasn't a very thorough review, but it took a couple hours. Given the fact that you don't actually need to trust a Bitwarden server, I'm not too concerned about using an "unofficial" implementation.
Each 'service block' is an encrypted file consisting of service name, service password (autogenerated), kv-store, some metadata for regenerating new passwords. The key to each service block is the hash of a primary password. The name of the 'service block' file is the hash of the service name. All of the service blocks are stored together in a folder that can be rsynced wherever.
My worry is obviously in the crypto. While I'm not doing anything too fancy I worry about timing attacks because an attacker will have the full encrypted block so the system is vulnerable to that sort of thing.
Writing them down in a notebook next to your computer. A homebrew system like e-mailing GPG-encrypted files to yourself. Your browser's built in password saving and sync features. A password-protected Excel spreadsheet on your dropbox.
Compared to a notebook, I can access my passwords from my phone if the need arises, and they're encrypted and backed up should I lose my phone.
Compared to a homebrew system, someone else has done the work and made a cross-platform system with nice browser extensions, sensible defaults, and so on.
Compared to my browser's sync features, there's peace of mind because it's not a free feature from a corporation famous for nonexistent customer service and sketchy tracking practices.
Compared to dropbox, the price is trivial (as they only have to store a few kilobytes of data) and it's focused on security.
[1]: Note that the Bitwarden desktop client has a major remote code execution vulnerability that the developer has closed WONTFIX, so I don't recommend running the stock one without patching that out (as well as the spyware they embed in it).
I can assume you are referring to... the automatic updater? https://github.com/bitwarden/desktop/issues/552
