timochan

Let's deploy our own password management server - Bitwarden

Bitwarden is an open-source password manager that allows you to deploy your own private password management server.

Preface#

Google Chrome, Edge and the other browsers have built-in password managers that can fill in login forms automatically. That is convenient, but not always what I want: sometimes it fills in my email address when I would rather it did nothing, and credentials saved in the browser are easy prey for phishing, which I consider insecure. I wanted a password manager of my own, but the paid services cost more than I want to spend, even though I admit some of them are very good. So I chose Bitwarden, which can be deployed on my own server and makes migrating data easy. The official self-hosted build, however, is heavy and bloated, and its premium features are unlocked only with a purchased license ID and key, which is not very cool. That led me to vaultwarden, an unofficial Bitwarden-compatible server written in Rust that reproduces essentially all of the features (including the ones the official version charges for). Among them is the built-in TOTP authenticator, so I no longer need to install Google Authenticator or Microsoft Authenticator separately. It is really comfortable.

Start#

Deploy#

To begin, you need Docker, Docker Compose, Nginx (or any web server that can act as a reverse proxy) and a TLS certificate for your hostname.

Docker-Compose Version: >= 2.x

Docker Version: >= 20.10.x

The official example uses plain docker commands, which works but is inconvenient to manage. I recommend docker-compose instead: the whole configuration lives in one file, so it is easier to review, change and recreate.

docker-compose.yml example

version: '3.8'

services:

  key:
    container_name: key-server
    image: vaultwarden/server:latest
    environment:
      - TZ=Asia/Shanghai               # Timezone
      - DOMAIN=https://vaultwarden.example.tld # Public URL of the vault; needed for links in e-mails and for WebAuthn
      - SIGNUPS_ALLOWED=false          # Open registration; set to true only while you create your own account
      - WEBSOCKET_ENABLED=true         # Enable WebSocket notifications (served on port 3012)
      - ADMIN_TOKEN=                   # Admin panel token (route /admin); leaving it empty disables the panel
      - SMTP_HOST=smtp.qiye.aliyun.com # SMTP server address
      - SMTP_FROM=                     # Sender address; required together with SMTP_HOST
      - SMTP_PORT=587                  # Submission port, usually 587
      - SMTP_SECURITY=starttls         # STARTTLS on 587 (use force_tls for implicit TLS on 465)
      - SMTP_USERNAME=                 # SMTP login user
      - SMTP_PASSWORD=                 # SMTP login password
    volumes:
      - ./data/keycos:/data            # Bind mount for persistence (SQLite DB, attachments, RSA keys)
    ports:
      - '127.0.0.1:8080:80'            # Bind to loopback only: Nginx is the only client of this port
      - '127.0.0.1:3012:3012'          # Same for the WebSocket port
    networks:
      - key-network
    restart: on-failure:16


networks:
  key-network:
    driver: bridge

With the docker-compose.yml file in place, fill in the blank values (admin token, SMTP credentials) and start the stack.

Note: for the first startup set `SIGNUPS_ALLOWED` to `true`, register your own account, then set it back to `false` and recreate the container. Running the `up -d` command again is enough; Compose recreates the container when its environment changed.

sudo docker compose up -d # For version 2.x

sudo docker-compose up -d # For version 1.x, still compatible with 2.x

You may wonder why the container's port 80 is not published directly. Vaultwarden itself speaks only plain HTTP, and a port published on all interfaces is reachable by anyone on the network (Docker inserts its own iptables rules, so a host firewall such as ufw does not block it). Publishing it on loopback only (`'127.0.0.1:8080:80'` instead of `'8080:80'`) and putting Nginx in front gives us TLS termination, the WebSocket upgrade, and a single place to add a WAF or extra authentication.
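To make these compose-file checks mechanical, here is an added example (my own code, not part of the original post or of the vaultwarden project) that audits a docker-compose.yml of the shape used above for the points that matter: published ports not bound to 127.0.0.1, SIGNUPS_ALLOWED left open, an empty or short ADMIN_TOKEN (the token guidance near the end of this post), SMTP_HOST without SMTP_FROM, and a missing DOMAIN. It deliberately avoids a YAML library and reads only the `- KEY=VALUE` and `- 'host:container'` list items; the two embedded compose files are constructed samples, and the 32-character floor for the token is my assumption.

```python
import re
from typing import Dict, List, Tuple

# Docker port spec: [ip:]host:container[/proto]; ranges like 8000-8010 allowed.
PORT_RE = re.compile(
    r"^(?:(?P<ip>\d{1,3}(?:\.\d{1,3}){3}|\[[0-9A-Fa-f:]+\]):)?"
    r"(?P<host>\d+(?:-\d+)?):(?P<container>\d+(?:-\d+)?)(?:/(?:tcp|udp))?$"
)
MIN_TOKEN_LEN = 32  # assumption: anything shorter than 32 chars is flagged as weak


def parse_compose_subset(text: str) -> Tuple[Dict[str, str], List[str]]:
    """Collect `- KEY=VALUE` items under `environment:` and `- spec` items under `ports:`.

    Line-based reader for that subset only, not a YAML parser: it assumes the list
    form used in the post and strips `#` comments, so a value containing `#` would
    be truncated (none of the settings checked here contain one).
    """
    env: Dict[str, str] = {}
    ports: List[str] = []
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.endswith(":") and not line.startswith("-"):
            key = line[:-1].strip()
            section = key if key in ("environment", "ports") else None
            continue
        if line.startswith("- ") and section is not None:
            item = line[2:].strip().strip("'\"")
            if section == "environment":
                key, _, value = item.partition("=")
                env[key.strip()] = value.strip()
            else:
                ports.append(item)
    return env, ports


def binds_loopback(spec: str) -> bool:
    """True when the published port is reachable only on the host's loopback interface."""
    m = PORT_RE.match(spec)
    ip = m.group("ip") if m else None
    return ip is not None and (ip.startswith("127.") or ip == "[::1]")


def audit(compose_text: str) -> List[str]:
    """Return a list of findings; an empty list means the file passed every check."""
    env, ports = parse_compose_subset(compose_text)
    findings: List[str] = []

    for spec in ports:
        if not PORT_RE.match(spec):
            findings.append(f"ports: cannot parse {spec!r}")
        elif not binds_loopback(spec):
            findings.append(f"ports: {spec} is published on all interfaces; Docker's iptables "
                            f"rule bypasses ufw, so write 127.0.0.1:{spec} and let Nginx front it")

    # Vaultwarden defaults SIGNUPS_ALLOWED to true when the variable is absent.
    if env.get("SIGNUPS_ALLOWED", "true").lower() != "false":
        findings.append("SIGNUPS_ALLOWED is not false: anyone who reaches the server can register")

    token = env.get("ADMIN_TOKEN")
    if token is not None:
        if token == "":
            findings.append("ADMIN_TOKEN is empty: /admin is disabled; set a long random value "
                            "(or an Argon2 PHC hash) if you want the admin page")
        elif not token.startswith("$argon2") and len(token) < MIN_TOKEN_LEN:
            findings.append(f"ADMIN_TOKEN is only {len(token)} chars; use `openssl rand -hex 48`")

    if env.get("SMTP_HOST") and not env.get("SMTP_FROM"):
        findings.append("SMTP_HOST is set but SMTP_FROM is empty: Vaultwarden needs both to send mail")

    if not env.get("DOMAIN", "").startswith("https://"):
        findings.append("DOMAIN is missing or not https://: e-mail links and WebAuthn need the public URL")

    return findings


# Constructed sample 1: the post's layout with the weak choices left in.
WEAK_COMPOSE = """\
services:
  key:
    image: vaultwarden/server:latest
    environment:
      - TZ=Asia/Shanghai
      - SIGNUPS_ALLOWED=true           # forgot to turn registration off
      - ADMIN_TOKEN=admin123           # guessable
      - SMTP_HOST=smtp.example.invalid
      - SMTP_FROM=
    ports:
      - '8080:80'                      # reachable from the LAN or the Internet
      - '3012:3012'
"""

# Constructed sample 2: the same file after applying the fixes (token is a placeholder).
HARDENED_COMPOSE = """\
services:
  key:
    image: vaultwarden/server:latest
    environment:
      - TZ=Asia/Shanghai
      - DOMAIN=https://vaultwarden.example.tld
      - SIGNUPS_ALLOWED=false
      - ADMIN_TOKEN=8c1f4e2b9d7a6053c2e1b4f7a9d0c3e5f6a7b8c9d0e1f2a3b4c5d6e7f8091a2b
      - SMTP_HOST=smtp.example.invalid
      - SMTP_FROM=vault@example.tld
    ports:
      - '127.0.0.1:8080:80'
      - '127.0.0.1:3012:3012'
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_COMPOSE), ("hardened", HARDENED_COMPOSE)):
        problems = audit(text)
        print(f"{name}: {len(problems)} finding(s)")
        for problem in problems:
            print("  -", problem)
```

Run it against your real file with `audit(open("docker-compose.yml").read())`; the weak sample yields six findings and the hardened one none. The DOMAIN check is there because the e-mail links Vaultwarden generates (invitations, verification) and WebAuthn both derive from that value, not from the Host header.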

Reverse_Proxy#

Exposing only Nginx hides the backend from direct fingerprinting and gives us a single place to terminate TLS and attach a WAF that blocks malicious requests.

Reverse proxy + website configuration file example:

# The `upstream` directives ensure that you have a http/1.1 connection
# This enables the keepalive option and better performance
#
# Define the server IP and ports here.
upstream vaultwarden-default {
  zone vaultwarden-default 64k;
  server 127.0.0.1:8080;
  keepalive 2;
}
upstream vaultwarden-ws {
  zone vaultwarden-ws 64k;
  server 127.0.0.1:3012;
  keepalive 2;
}

# Redirect HTTP to HTTPS
server {
    listen 80;
    listen [::]:80;
    server_name vaultwarden.example.tld;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name vaultwarden.example.tld;

    # Specify SSL Config when needed
    #ssl_certificate /path/to/certificate/letsencrypt/live/vaultwarden.example.tld/fullchain.pem;
    #ssl_certificate_key /path/to/certificate/letsencrypt/live/vaultwarden.example.tld/privkey.pem;
    #ssl_trusted_certificate /path/to/certificate/letsencrypt/live/vaultwarden.example.tld/fullchain.pem;

    client_max_body_size 128M;

    location / {
      proxy_http_version 1.1;
      proxy_set_header "Connection" "";

      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;

      proxy_pass http://vaultwarden-default;
    }

    location /notifications/hub/negotiate {
      proxy_http_version 1.1;
      proxy_set_header "Connection" "";

      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;

      proxy_pass http://vaultwarden-default;
    }

    location /notifications/hub {
      proxy_http_version 1.1;
      proxy_set_header Upgrade $http_upgrade;
      proxy_set_header Connection "upgrade";

      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header Forwarded $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;

      proxy_pass http://vaultwarden-ws;
    }

    # Optionally add extra authentication besides the ADMIN_TOKEN
    # Remove the comments below `#` and create the htpasswd_file to have it active
    #
    #location /admin {
    #  # See: https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-http-basic-authentication/
    #  auth_basic "Private";
    #  auth_basic_user_file /path/to/htpasswd_file;
    #
    #  proxy_http_version 1.1;
    #  proxy_set_header "Connection" "";
    #
    #  proxy_set_header Host $host;
    #  proxy_set_header X-Real-IP $remote_addr;
    #  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    #  proxy_set_header X-Forwarded-Proto $scheme;
    #
    #  proxy_pass http://vaultwarden-default;
    #}
}

Now the reverse proxy is in place. Because the browser extension, desktop and mobile clients all talk to the server over HTTPS (and WSS for notifications), a valid TLS certificate is required: uncomment the `ssl_certificate` lines above and point them at your certificate and key. Issuing and installing one (for example with Let's Encrypt) is covered in plenty of guides, so I will not repeat it here. One caveat: recent vaultwarden releases serve the WebSocket endpoint on the main HTTP port as well, so the separate `vaultwarden-ws` upstream and port 3012 are only needed for older images; check the project wiki for the version you run.

Use#

In the browser we use the official Bitwarden extension. Search for Bitwarden in your browser's extension store, install it, and before logging in open the server selector on the login screen, choose the self-hosted option and enter your own server URL.


Only the server address needs to be changed; the other clients are configured the same way. The browser extension can also be linked with the desktop application for unlocking, which is a great feature: it supports quick unlock with a fingerprint (Windows Hello), and the mobile apps recognise fillable forms automatically. The unlock method can be set to biometrics, and PIN unlock is supported as well.

You can also open /admin for the super-administrator panel. Its token is the ADMIN_TOKEN value passed as an environment variable in docker-compose.yml; use a long, random one.

For example:

  ~ openssl rand -hex 48
50f2830c5331dc624d761188b686e3ff87edaa1bd7c82f09003902cc978151d93559a9c713291f13bbaa1d199a253e53

Generate such a token, write it into docker-compose.yml, recreate the container, and /admin becomes reachable. Keep in mind that anyone who can read docker-compose.yml or run `docker inspect` on the container can read the token, so keep the file private and consider the commented-out Nginx basic-auth block on /admin above as a second factor. Recent vaultwarden images can also hash the token for you: `docker run --rm -it vaultwarden/server /vaultwarden hash` prints an Argon2 PHC string that you store in ADMIN_TOKEN instead of the plaintext.
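The token handling above, as an added example (my own code, not from the post or the vaultwarden project): it generates the same kind of token as `openssl rand -hex 48`, stores it in a `.env` file created with mode 0600 so the secret never sits in docker-compose.yml (a file that tends to end up in git), and reads it back the way Compose would. It assumes the compose file references the variable as `- ADMIN_TOKEN=${ADMIN_TOKEN}`, which docker compose substitutes from `.env` in the project directory; the temporary project directory used when none is given is only there so the example runs stand-alone.

```python
import os
import secrets
import stat
import tempfile
from pathlib import Path


def generate_admin_token(nbytes: int = 48) -> str:
    """Same shape as `openssl rand -hex 48`: 96 hex characters from the OS CSPRNG."""
    return secrets.token_hex(nbytes)


def write_env_file(project_dir, token: str) -> Path:
    """Create <project_dir>/.env containing ADMIN_TOKEN, readable by the owner only.

    The file is created with an explicit 0o600 mode in the open() call, so there
    is no window in which a default-umask file is world-readable; the chmod
    afterwards covers a pre-existing .env that had looser permissions.
    """
    path = Path(project_dir) / ".env"
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(f"ADMIN_TOKEN={token}\n")
    os.chmod(path, 0o600)
    return path


def read_env_token(path) -> str:
    """Read ADMIN_TOKEN back (first matching KEY=VALUE line, as Compose would)."""
    for line in Path(path).read_text().splitlines():
        key, _, value = line.partition("=")
        if key.strip() == "ADMIN_TOKEN":
            return value.strip()
    return ""


def file_mode(path) -> int:
    """Permission bits only, e.g. 0o600."""
    return stat.S_IMODE(os.stat(path).st_mode)


def provision(project_dir=None) -> dict:
    """Generate a token and write it into .env; uses a temp dir when none is given."""
    project_dir = project_dir or tempfile.mkdtemp(prefix="vaultwarden-")
    token = generate_admin_token()
    path = write_env_file(project_dir, token)
    return {
        "path": path,
        "token": token,
        "mode": file_mode(path),
        "readback": read_env_token(path),
    }


if __name__ == "__main__":
    result = provision()
    print(f"wrote {result['path']} with mode {oct(result['mode'])}")
    print("add `- ADMIN_TOKEN=${ADMIN_TOKEN}` to docker-compose.yml and run `docker compose up -d`")
```

Point `provision()` at your real project directory to use it for the deployment. Rotating the token is then a matter of running it again and recreating the container; the compose file itself never changes, so nothing secret is committed.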

End#

Enjoy your private password management server! The browser extension can also fill in forms. Enjoy it!

A few days later, I happily cleared the saved login passwords and filled forms in Edge and Chrome. This thing is so comfortable to use!

This article is synchronized and updated to xLog by Mix Space.
The original link is https://www.timochan.cn/posts/jc/deploy_own_password-manager_server
