upvote

points

by antran2213 hours ago |
comments
upvoteby gchamonlive12 hours ago|
next
[-]
Yes, but vaultwarden isn't something you can casually run by yourself without some careful thinking. You are hosting secrets whose longevity is important, so if deploying yourself, take good care of backups and do regular drills, so you validate that the backups work, that they aren't corrupted and that you keep a copy off-site.
reply
upvoteby antran221 hours ago|
parent|
next
[-]
Actually, I didn't have any careful planning when I started out self-hosting Vaultwarden. I didn't even have system backup (was just a script kiddie back then, didn't even know about 1-2-3). I have to migrate my instance 3-4 times. But because I'm just hosting Vaultwarden for myself, I can export the whole account from one of the Bitwarden clients (either the extension or mobile app) and reimport it in the new instance. Because I always have at least three devices with active use connected to my Vaultwarden instance, for me this also counts as 3 off-site backup that can be used to re-instate the whole setup.

It is surprisingly very durable and maintenance-free even for a script kiddie like me to maintain. My advice is (at least when it comes to Vaultwarden) don't think too much about this, just selfhost it, at least for yourself. You'll probably be able to manage it when something happen.

reply
upvoteby inexcf11 hours ago|
parent|
prev|
next
[-]
Me and some friends have each been hosting vaultwarden casually for years now. What problem do you see? I mean if the Server goes down and gets completely corrupted, worst case, all my devices still have the version of the vault they recently used. Technically every device has it's own backup of the vault.
reply
upvoteby gchamonlive10 hours ago|
parent|
next
[-]
If I stay offline for more than 30 days, can I still access my local passwords? Honest question, because if that's the case it's nice, but I think you'd need to somehow authenticate before accessing your local vault.
reply
upvoteby inexcf10 hours ago|
parent|
next
[-]
Thanks for making me check. Did not know this: "Offline Vault sessions will expire after 30 days. Except for mobile client applications, which will expire after 90 days." But for me that is enough time to feel safe, still will do backups regularly.
reply
upvoteby DANmode6 hours ago|
parent|
prev|
[-]
If you’re self-hosting,

and not using their official clients,

your database stays functional in perpetuity.

reply
upvoteby gchamonlive5 hours ago|
parent|
[-]
Which client? Is there a unofficial client for android that doesn't expire?
reply
upvoteby venusenvy477 hours ago|
parent|
prev|
[-]
You need a VPS, correct? Are there any concerns about hardening your VPS from attackers? I worry about my ability to harden a public - facing service that is handling something so critical for myself.
reply
upvoteby noAnswer6 hours ago|
parent|
next
[-]
Don't make it public facing! Put it behind a VPN!!
reply
upvoteby DANmode6 hours ago|
parent|
prev|
[-]
Use a host that takes care of this for you.

My host has prebuilds for Vaultwarden.

reply
upvoteby hypeatei12 hours ago|
parent|
prev|
next
[-]
You should be doing regular exports/backups of your vault regardless of how it's hosted. Bitwarden could go belly up tomorrow and lose all their stored vault data.
reply
upvoteby armchairhacker12 hours ago|
parent|
prev|
next
[-]
Is there anything stopping a commercial Vaultwarden host?
reply
upvoteby dolmen9 hours ago|
parent|
next
[-]
That already somewhat exists.

Reimplementing the server side is the easy part.

But a commercial offer will need rebranding the client, and maintaining forks is much more involved. As long as Bit warden publishes the sources ...

reply
upvoteby seanclayton11 hours ago|
parent|
prev|
[-]
Competing with the authority bitwarden the company has over the bitwarden open source project. That's just the first thing off the top of my head. Very few people go to the competitor offering the exact same thing but with less say on the popular codebase.
reply
upvoteby unethical_ban12 hours ago|
parent|
prev|
[-]
IMO a paper print-out of all passwords and backup codes is the most reliable backup. No bit-rot, no third party, and "degradation" is obvious - fire, flood, etc.

Theft is also usually obvious.

If self-hosting, keep at a separate location than your hard drives.

reply
upvoteby 11 hours ago|
parent|
[-]
deleted
reply
upvoteby MaKey5 hours ago|
prev|
next
[-]
> If you are (like me) somewhat paranoid about the fact that Vaultwarden hasn't got a proper security audit on its codebase [...]

It was audited in 2024: https://www.heise.de/en/news/Password-manager-BSI-reports-cr...

reply
upvoteby jerf12 hours ago|
prev|
next
[-]
I'm running Vaultwarden because while on the one hand I'd like to just pay a company to make my password problem go away, I don't know who I can actually trust to not try to take advantage of the fact they have all the keys to all my kingdoms at some point. I see some people complaining about "Private Equity", with justification, and before that it was the "Harvard MBA" mindset, where businesses are encouraged to think of their customers as a resource to be stripmined rather than relationships to cultivate.

I don't like being considered a resource to be stripmined by any company, but some are worse than others by the nature of our relationship. I do not need a company greedily looking at my bank password, my Google password, my brokerage account password, and even having them be tempted to look at my set of passwords with them and start valuating which password they can "intermediate" and charge me more for using. I don't even want them pondering the question of how they can break exports ("oops, sorry, passkeys can't be exported because $SECURITY_BLATHER, guess you won't be migrating" - to be fair, while I think Bitwarden had that for a bit I believe it's no longer true, but AFAIK it is true of other things that will hold passkeys for you) so that they can extract the value of my passwords to me.

I don't trust Private Equity or the Harvard MBA mindset to be allowed to hold on to my passwords. I don't trust any company holding passwords to not eventually be acquired by PE/HMBA types looking to stripmine my passwords. I don't trust any company that is, once you trace the entire value chain down, basically taking out real debt with my passwords as collateral. They get the money, I get the risk. Hard pass.

So I'm not happy about self-hosting my password vault in some sense... but who else can I trust?

reply
upvoteby dolmen9 hours ago|
parent|
[-]
As long as you continue to use (and upgrade) the Biwarden client apps, you should consider that BW could have the keys of your garden: they have control of decryption and encryption code, so that code could leak the key, whatever the server.
reply
upvoteby renegade-otter13 hours ago|
prev|
next
[-]
I am very happy self-hosting Vaultwarden. I got really tired of being a refugee of one password manager or the next. Either the price goes up, or the service goes away. I am looking at YOU - Dropbox.
reply
upvoteby buggeryorkshire13 hours ago|
prev|
[-]
I don't think the clients are open source?
reply
upvoteby zeroonetwothree12 hours ago|
parent|
next
[-]
I don’t understand why people post incorrect statements that are trivial to check
reply
upvoteby mctt13 hours ago|
parent|
prev|
[-]
Form the article; "The real safety net is that Bitwarden’s clients are Apache 2.0 licensed."
reply