Control and secure your passwords with Vaultwarden

The problem

If you use any of the popular social media or news sites, you may have heard of LastPass, a password storage and security utility that lets you keep your passwords secure and accessible from wherever you are. SIKE! It got hacked and data may have been stolen. This happened only days ago, as reported in The Hacker News: https://thehackernews.com/2022/08/hackers-breach-lastpass-developer.html
Overall, the main problem with this model is that you hand your credentials to a third party and trust them to keep them secure. Most people of course hate passwords, forget them, don't change them, use the same password for multiple sites, and so on. All bad practices, but that's just how it is.

What can you do?

If you use LastPass, change your passwords, of course. Seriously, change them, and if you don't have multi-factor authentication enabled, be sure to enable it. But overall this is a small measure to take in such cases, as you are not really in control of the security of your passwords.
You can use local password-saving applications that do not rely on any third-party service and keep the vault locally, such as 1Password, KeePass, etc. That way your passwords stay on your device and can only be accessed from that device. You can probably see the problem here: if I have an account I use often and its password is stored on my computer, but I need to log in from my phone, that becomes a problem. You can have multiple password safes, of course, and store the password in each of them, but that becomes maintenance: if you change the password you have to update every safe as well. That's just cumbersome. But there are solutions out there that let you host your own password safe without a third party and be in control of it yourself.

Vaultwarden

If you have heard of it, you might be thinking: Vaultwarden? Why not Bitwarden? You may be right. The reason I mention Vaultwarden is that it is far more lightweight in terms of the computing power required. Bitwarden is much more resource-hungry and may not be practical if you just want to host a password storage solution for yourself or a couple of people. That's why Vaultwarden is the better solution here: it is written in Rust, still implements the Bitwarden API so the official clients work with it, and can run on hardware such as a Raspberry Pi 3. So not only is the hardware much cheaper than a server, but the power draw of the Pi 3 is minuscule, so running it won't hike your electricity bill either.

Features

I have used LastPass in the past. Compared to it, Vaultwarden gives you pretty much the same features. First of all, there is the Bitwarden app for your phone, compatible with both iOS and Android, so you can use it on your phone, tablet, etc. There is the desktop application, and there are browser extensions for Chrome and others. So you can use LastPass-style features like auto-fill if you want. You have control over all sorts of settings; for example, you can set the session timeout so you get logged out of the safe after a certain amount of time and it cannot be accessed accidentally. You can set up trusted devices, two-factor authentication, and more.
Probably the best feature for those interested in switching over is that you can export your list of accounts and passwords from LastPass and import them into Vaultwarden. There is more, but you can read about it on the GitHub wiki: https://github.com/dani-garcia/vaultwarden/wiki

The setup

As mentioned, for this setup I am using a Raspberry Pi 3 running the Buster version of Raspbian. You can get Raspbian from the Raspberry Pi Foundation: https://www.raspberrypi.com/documentation/computers/getting-started.html#setting-up-your-raspberry-pi
A quick image setup video: Raspberry Pi image preparation

After booting up, go through the initial setup in the documentation. You should then be ready to go.
For my setup, I use Docker and Portainer to manage my instances, and I suggest you do the same because it doesn't overcomplicate things and keeps everything easy and straightforward to manage.

To install Docker, refer to the Pi My Life Up page, which is a great resource for any Raspberry Pi project and one I highly recommend.
https://pimylifeup.com/raspberry-pi-docker/
Portainer is not necessary, but having a nice GUI to manage your containers is quite handy.
https://pimylifeup.com/raspberry-pi-portainer/

While writing this I actually saw that they updated their Bitwarden setup page for the Raspberry Pi and now use Vaultwarden. This is great, as it covers not only the setup of the vault but also how to set up an Nginx reverse proxy, which I would also recommend doing.
https://pimylifeup.com/raspberry-pi-bitwarden/

This also gets you HTTPS connections with SSL certificates, which helps if you plan to host it on a domain or subdomain you own.
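As an added example (it is not from the Pi My Life Up guide or the Vaultwarden project), here is a small shell function that writes the Nginx site configuration for such a reverse proxy: plain HTTP redirected to HTTPS, TLS on 443, the web vault proxied to the container's loopback port and the WebSocket notifications endpoint proxied to the second port with the upgrade headers it needs. The domain and certificate paths are parameters you pass in; the host ports default to the ones the guide maps (8080 and 3012) and the loopback bind address is assumed.

```sh
#!/bin/sh
# Added example: render an Nginx reverse-proxy site for a Vaultwarden container that is
# published only on the loopback address. Domain and certificate paths are whatever you
# pass in; nothing here is taken from the original post or the project's own files.

VW_BIND=127.0.0.1     # the container is published on loopback, so only Nginx on the Pi reaches it
VW_HTTP_PORT=8080     # host port mapped to the container's port 80 (web vault and API)
VW_WS_PORT=3012       # host port mapped to the WebSocket notifications port

# nginx_site_conf DOMAIN CERT_FILE KEY_FILE
# Prints a site config: HTTPS only, with the notifications hub on its own upstream.
nginx_site_conf() {
    domain=$1; cert=$2; key=$3
    cat <<EOF
server {
    listen 80;
    server_name $domain;
    # never serve the vault over plain HTTP; send clients to HTTPS
    return 301 https://\$host\$request_uri;
}

server {
    listen 443 ssl http2;
    server_name $domain;
    ssl_certificate     $cert;
    ssl_certificate_key $key;
    # attachments and vault imports can be large
    client_max_body_size 128M;

    location / {
        proxy_pass http://$VW_BIND:$VW_HTTP_PORT;
        proxy_set_header Host              \$host;
        proxy_set_header X-Real-IP         \$remote_addr;
        proxy_set_header X-Forwarded-For   \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto \$scheme;
    }

    # the negotiate call is a normal HTTP request and goes to the main port...
    location /notifications/hub/negotiate {
        proxy_pass http://$VW_BIND:$VW_HTTP_PORT;
    }

    # ...while the hub itself is a WebSocket on the second port
    location /notifications/hub {
        proxy_pass http://$VW_BIND:$VW_WS_PORT;
        proxy_set_header Upgrade    \$http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
EOF
}

# install_site DOMAIN CERT KEY: write the site file, test the config, then reload Nginx.
# Paths assume a Debian-style Nginx layout (sites-available / sites-enabled).
install_site() {
    nginx_site_conf "$1" "$2" "$3" > /etc/nginx/sites-available/vaultwarden
    ln -sf /etc/nginx/sites-available/vaultwarden /etc/nginx/sites-enabled/vaultwarden
    nginx -t && systemctl reload nginx
}
```

Call it as `install_site vault.example.lan /path/to/fullchain.pem /path/to/privkey.pem` after you have a certificate for the name. Because the container only listens on 127.0.0.1, every client on the network has to come through this HTTPS listener; nothing reaches the vault over plain HTTP.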
Keep in mind the port numbers the guide uses when running the container:

    -p 127.0.0.1:8080:80 \
    -p 127.0.0.1:3012:3012 \

Check that those ports are not used by anything else if you are already hosting something on your network; you can of course change them to other ports. Note that binding to 127.0.0.1 means the container only listens on the Pi itself, so it is reached through the reverse proxy on the same host rather than directly from the network.
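The port check above can be scripted. The following is an added example, not code from the guide or the Vaultwarden project: it parses the output of `ss -ltn` to see whether the two host ports are already taken, refuses any `-p` mapping that is not bound to loopback (which would expose the vault to the whole LAN), and only then prints the `docker run` line. The image tag and the data directory are assumptions; the sample socket table in the test is constructed.

```sh
#!/bin/sh
# Added example (not from the guide or the Vaultwarden project): pre-flight checks for
# the host ports the guide maps, then the docker run line. Image tag and data directory
# are assumptions; adjust them for your setup.

VW_HTTP_PORT=8080
VW_WS_PORT=3012
VW_BIND=127.0.0.1                      # loopback: only the reverse proxy on the Pi can reach it
VW_IMAGE=vaultwarden/server:latest     # assumed image tag
VW_DATA=/opt/vaultwarden/data          # assumed host directory for the vault data

# port_in_use PORT LISTENERS
# LISTENERS is the text of `ss -ltn`; succeeds when some socket listens on PORT
# on any address (0.0.0.0, 127.0.0.1, [::], *). Column 4 is "Local Address:Port".
port_in_use() {
    printf '%s\n' "$2" | awk -v p="$1" '
        { n = split($4, a, ":"); if (a[n] == p) found = 1 }
        END { exit (found ? 0 : 1) }'
}

# free_ports_ok LISTENERS: succeeds only when both mapped host ports are free
free_ports_ok() {
    rc=0
    for p in "$VW_HTTP_PORT" "$VW_WS_PORT"; do
        if port_in_use "$p" "$1"; then
            echo "host port $p is already in use; change the -p mapping" >&2
            rc=1
        fi
    done
    return $rc
}

# bind_is_loopback MAPPING: succeeds for "-p" values like 127.0.0.1:8080:80,
# fails for 8080:80 or 0.0.0.0:8080:80, which would publish the vault on every interface
bind_is_loopback() {
    case $1 in
        127.0.0.1:*:*) return 0 ;;
        *) return 1 ;;
    esac
}

# vaultwarden_run_cmd: print the docker run command built from the settings above
vaultwarden_run_cmd() {
    printf 'docker run -d --name vaultwarden --restart unless-stopped \\\n'
    printf '  -v %s:/data/ \\\n' "$VW_DATA"
    printf '  -p %s:%s:80 \\\n' "$VW_BIND" "$VW_HTTP_PORT"
    printf '  -p %s:%s:3012 \\\n' "$VW_BIND" "$VW_WS_PORT"
    printf '  %s\n' "$VW_IMAGE"
}

# preflight: read the live socket table and print the command only if it is safe to run
preflight() {
    live=$(ss -ltn 2>/dev/null) || { echo "ss not available" >&2; return 1; }
    free_ports_ok "$live" || return 1
    for m in "$VW_BIND:$VW_HTTP_PORT:80" "$VW_BIND:$VW_WS_PORT:3012"; do
        bind_is_loopback "$m" || { echo "refusing non-loopback mapping $m" >&2; return 1; }
    done
    vaultwarden_run_cmd
}

# Run the checks when executed directly:  VW_PREFLIGHT=1 sh vw-preflight.sh
if [ "${VW_PREFLIGHT:-0}" = 1 ]; then preflight; fi
```

If a port is taken, change `VW_HTTP_PORT` or `VW_WS_PORT` and update the `proxy_pass` targets in your reverse proxy to match; the bind address should stay 127.0.0.1 unless you deliberately want the container reachable without the proxy.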

So you have a Vaultwarden safe running and have access to it. The first thing you can do is export your existing LastPass passwords and import them into your new safe.

This is explained in great detail on the official Bitwarden site:
https://bitwarden.com/help/import-from-lastpass/
Overall, you can browse the whole Help page, as it covers all the functions available in Bitwarden, which will work with your hosted Vaultwarden instance.

Now you have a working password safe which you can access from multiple devices using the app, browser, or extension. But one problem remains: you can currently access it only from your internal network. If you are away from home you won't be able to reach your safe or sync to it. You could just port forward the port on your router and use the external IP from your provider to connect to it. But that is just not safe: once you expose your password safe to the internet it becomes a target for malicious attackers. You can implement whitelists of devices or IP addresses that may access it, but things like MAC addresses and IPs can be dynamic and change constantly, which becomes a burden.
My solution to this is not to expose the safe to the internet but to use a self-hosted VPN instead. You can probably guess: yes, Pi My Life Up has your back with this one as well.

WireGuard is a VPN solution that you can also host on your Pi.
https://pimylifeup.com/raspberry-pi-wireguard/
The guide walks through setting up a VPN tunnel to your home. Once it is set up with a custom port, you will have to port forward that port through your router so that your device can reach the VPN from anywhere. Refer to your home router's model and manual for how to port forward. You can also use https://portforward.com/, which has guides for many different network devices and how to forward ports on them. It's a great resource and you should use it if you have never done this before.
The guide mentioned does not use a container to set up WireGuard, but you can definitely host it in the container provided by LinuxServer.io: https://www.linuxserver.io/blog/routing-docker-host-and-container-traffic-through-wireguard
Hosting your own stuff involves many choices and considerations, so choose the one you prefer.

Having a VPN gives you encrypted, authenticated access to your local network. So you will be able to reach your password safe and any other services that are only available on your internal network.
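To make the VPN part concrete, here is an added example (not from the Pi My Life Up guide or any WireGuard project file) that renders a WireGuard server config and a matching client config for reaching the home LAN, plus a check that the client is a split tunnel, i.e. that only the tunnel subnet and the home LAN are routed through it. The key strings are placeholders you replace with the output of `wg genkey` and `wg pubkey`; the subnets, the UDP port (the only port you forward on the router) and the `eth0` interface name are assumptions.

```sh
#!/bin/sh
# Added example (not from the guide): WireGuard server and client configs for reaching a
# home LAN, and a split-tunnel check. Keys are placeholders; subnets, port and the LAN
# interface name are assumptions for this example.

WG_PORT=51820             # custom UDP port; the only port forwarded on the router
WG_NET=10.8.0.0/24        # the tunnel network
HOME_LAN=192.168.1.0/24   # the subnet where the Pi and the vault live
LAN_IF=eth0               # assumed LAN interface of the Pi, used for NAT

# wg_server_conf SERVER_PRIVKEY CLIENT_PUBKEY
# The peer may only use its own tunnel address; FORWARD/NAT rules let it reach the LAN.
wg_server_conf() {
    cat <<EOF
[Interface]
Address = 10.8.0.1/24
ListenPort = $WG_PORT
PrivateKey = $1
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o $LAN_IF -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o $LAN_IF -j MASQUERADE

[Peer]
# the phone or laptop; packets from it are accepted only with this source address
PublicKey = $2
AllowedIPs = 10.8.0.2/32
EOF
}

# wg_client_conf CLIENT_PRIVKEY SERVER_PUBKEY ENDPOINT_HOST
wg_client_conf() {
    cat <<EOF
[Interface]
Address = 10.8.0.2/24
PrivateKey = $1

[Peer]
PublicKey = $2
Endpoint = $3:$WG_PORT
# split tunnel: only the tunnel and the home LAN go through the VPN
AllowedIPs = $WG_NET, $HOME_LAN
# keep the NAT mapping alive when the client sits behind a home or mobile router
PersistentKeepalive = 25
EOF
}

# is_split_tunnel CONF: succeeds unless AllowedIPs routes everything (0.0.0.0/0 or ::/0)
is_split_tunnel() {
    ! printf '%s\n' "$1" | grep -E '^AllowedIPs *=.*(0\.0\.0\.0/0|::/0)' >/dev/null
}
```

Write the server output to `/etc/wireguard/wg0.conf` on the Pi (with `net.ipv4.ip_forward=1` enabled via sysctl) and bring it up with `wg-quick up wg0`; the client output goes into the WireGuard app on the phone or laptop. With `AllowedIPs` limited to the two home subnets, only traffic for the vault and other home services crosses the tunnel; set it to `0.0.0.0/0` instead if you want all of the device's traffic routed home while on untrusted networks.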

Conclusion

There are plenty of guides and resources out there on how to do this, and there are different solutions available, so you can choose the one you prefer. The one I described is what I have used and I know how it works. Do keep in mind that once you start hosting something yourself on your own hardware and network, you are responsible for its security, which includes the server, the application, and the network equipment. Have a good authentication mechanism and strong passwords for all your devices. Keep them up to date and backed up.

As always I hope this has helped you and you can now cut off a third-party provider and be in control of your assets yourself.

Antanaitis

I always wanted to somehow document my work and ideas. I'm finally writing something.
