I'm thinking about running it in a container (Podman Quadlet with systemd) behind a VPN, with daily backups with borg. Anything I'm overlooking here?
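One way to do the daily borg part of that setup, as an added example that is not from the thread; the data directory, repository path and retention counts are assumptions (it is meant to be invoked as `vaultwarden-backup.sh run` from a systemd timer):

```shell
#!/bin/sh
# Constructed example: daily borg backup of a Vaultwarden data directory.
# Assumed paths (not from the thread): host side of the container's /data
# volume and the borg repository. BORG_PASSPHRASE or BORG_PASSCOMMAND must
# be supplied through the environment of the timer's service unit.
set -eu

VW_DATA="${VW_DATA:-$HOME/vaultwarden/data}"
export BORG_REPO="${BORG_REPO:-/mnt/backup/vaultwarden}"

# Archive name derived from a UTC timestamp so prune can keep one per day.
vw_archive_name() {
    printf 'vaultwarden-%s\n' "$1"
}

# Sanity check before touching the repo: refuse to create an "empty" archive
# that would look like a successful backup but contain no database.
vw_preflight() {
    dir="$1"
    [ -d "$dir" ] || { echo "data dir $dir missing" >&2; return 1; }
    [ -f "$dir/db.sqlite3" ] || { echo "db.sqlite3 missing in $dir" >&2; return 1; }
    return 0
}

vw_backup() {
    vw_preflight "$VW_DATA"
    # Vaultwarden writes to the database while running, so copying db.sqlite3
    # raw can yield a torn file; SQLite's online backup API makes a consistent
    # copy. On restore, rename db.backup.sqlite3 back to db.sqlite3.
    sqlite3 "$VW_DATA/db.sqlite3" ".backup '$VW_DATA/db.backup.sqlite3'"
    stamp="$(date -u +%Y-%m-%dT%H%M)"
    # Archive the whole data dir (attachments, rsa_key*, config.json) but skip
    # the live database and its WAL/SHM files; the consistent copy goes instead.
    borg create --stats --compression zstd \
        --exclude "$VW_DATA/db.sqlite3" \
        --exclude "$VW_DATA/db.sqlite3-wal" \
        --exclude "$VW_DATA/db.sqlite3-shm" \
        "::$(vw_archive_name "$stamp")" "$VW_DATA"
    rm -f "$VW_DATA/db.backup.sqlite3"
    # Retention is an assumption; adjust to taste.
    borg prune --keep-daily 14 --keep-weekly 8 --keep-monthly 12
    # Verify the archive just written so a silent repo problem is noticed
    # before a restore drill, not during one.
    borg check --last 1
}

if [ "${1:-}" = run ]; then
    vw_backup
fi
```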
Never had an issue with Vaultwarden itself. Restored from backups several times for a variety of reasons (migrating host, corrupt hard disk, re-installs) and that always worked first try.
In regards to hardening, the wiki has a good guide: https://github.com/dani-garcia/vaultwarden/wiki/Hardening-Gu....
This feels less like a guide on hardening Vaultwarden than a guide on why I should be skeptical about it.
https://github.com/dani-garcia/vaultwarden/discussions/1549#...
The upstream also had this issue, which appeared to be closed without a PR:
e.g. You can’t just provide software to people that obtains TLS certs on their behalf: you have no idea how their infra is set up.
Hosting any app on your own infra is a serious skill set.
Restore from backup testing was straightforward. We haven't had any problems w/ the application itself.
I used that hardening guide for my setup. The one I manage is exposed to the Internet and I'm bringing traffic into it via a reverse proxy.
My phone and laptop both use tailscale to access this and a few other containers I have set up similarly. I also have tailscale ACL rules to limit just “me” or whomever I want to allow to use it (family etc) also on my tailnet.
Backups are encrypted and stored locally as well as to AWS glacier.
I love it and it works great.
I just take ZFS snapshots. I've restored a couple of times that way just to test DR and it worked pretty well.
Mine is not exposed to the public internet, though some friends of mine do. I use a VPN when I need to access fresh data from the home server, otherwise both the Firefox client and Android client will generally keep a cache of the last data pull when they had connection (so it wasn't an issue the 4 or so years I didn't have a VPN yet).
By not exposing it to the wider internet. When I use a client (iPhone, browser, etc.) while on the home network, it syncs. While off the network, the last synced data is still there. That's been good enough for me.
Not technical, but the person behind that project now works for Bitwarden so there's some risk of a rugpull. Of course it's OSS but you'll need to trust a fork or maintain it yourself if said rugpull happens.
But when friends and family ask for my recommendation I send them to Bitwarden and they pay for the service.
If it wasn’t for vaultwarden and the clients being open source I would not be using it nor recommending it.
I’d probably still be using keepass with manual sync and when friends and family ask for suggestions I’d probably shrug and say I don’t trust any of them.
Edit: Just a bit of googling turned up these as well.
https://github.com/AChep/keyguard-app https://github.com/sgolub/bitclient
I am a paid subscriber. I am kind of ok with the price increase.
The "coincidence" with the change of CEO and the removal of the "always free" tag worries me though.
I’m happy to pay for good services, but M&A means cost-cutting measures to make the company look good for acquisition and that makes me uncomfortable with letting them store secure data for me.
Switching is going to be a pain.
I pay a cleaner, I have a dishwasher, I pay someone to do my taxes, I pay for companies to host software.
Then again, I never order food and almost never get takeaway, as cooking is nice and I value my food enough to care what goes in it. Cheaper too, easily offsetting what I pay for my password manager.
Syncthing, talking to your Tailscale IP addresses if you use it, or your private WiFi network addresses if you don't use Tailscale.
One folder synced, containing keyfile2.kdbx.
30 minutes to set up and then you almost never need to think about it again. If you don't trust Tailscale, you can run a Headscale server or just not use it. And the syncing is entirely run on your machines; your data never ends up written to someone else's SSD.
It's really not much effort.
Exactly what value do they think they have left to extract from me? I'm a paying customer for a product that essentially just stores an indexed list of strings with at-rest encryption.
Their official App's autofill on my phone hasn't worked for several months now. I literally have to login to it once every couple hours just to manually copy and paste my usernames and passwords separately. I guess enshittification knows no bounds?
No, if you relax the qualifier "without thinking" slightly and are okay with thinking for a few hours. There are so many off-the-shelf open source solutions now to just throw on a 5-buck VPS, it costs you less time and money than switching or the premium plan of most of these individual services.
The point is that if there are only one or two red flags, you can risk assess them and continue as is if the risk is low. But if there are a large number of red flags, then you need to consider your exit strategy as well.
- Inclusion and Transparency values made more shitty
- Always free commitment removed. What? It’s right there “always”.
- Shittily hacking old blog post to become nonsensical
- Loss of confidence
- Stalling improvement cycle, no more repairs, just things quietly breaking and going bad.
I know this proverb as (translating from Polish): You're asking the boar if he's shitting in the forest.
"Is bear a Catholic?" doesn't seem very funny.
But a notion that everyone knows how the Pope is regularly shitting in the woods absolutely is :)
The larger example to compare them to would be "dumping." Dump subsidized, tariff-free corn in Mexico to make it unprofitable to farm corn in Mexico, and after all of the Mexican farmers go bust, buy their land and raise the price of corn to infinity while cheaping out on the quality of seed and handling. Enshittification. Rug-pull.
Circle of life, I guess.
What’s next in the circle is keepass I guess? And it’s just not friendly/robust enough yet for me to switch to it with my family who will probably just go back to using the same passwords on multiple sites if they hit resistance in ease of use.