Accessibility option on Bitwarden is not working even though I toggle it on. And it seems that Bitwarden app is fine and the main issue is on MIUI's accessibility settings' bug. I'm using Redmi Note 8 Pro.
Bitwarden is an open source password manager. Your vault is encrypted with your master key, so even if your server is compromised the hacker will only get some unreadable gibberish. Hosting your own Bitwarden server can be useful if you are paranoid about the server security and want to be in full control, or want the premium features for free because you have a webspace anyway.
Note
Installing the official Bitwarden server repository via Docker is heavy and difficult, and it relies on Docker, which isn’t supported at Uberspace because it is shared hosting. In this guide we’ll use Bitwarden_rs, the Rust implementation of the Bitwarden API, so you can still use the official clients.
Note
For this guide you should be familiar with the basic concepts of
License
Bitwarden_rs is released under the GNU General Public License version 3 or any later version.
Prerequisites
We’re using Node.js in the stable version 14:
If you want to use Bitwarden_rs with your own domain you need to set up your domain first:
Installation
Install Bitwarden_rs
Clone the repository into your home directory. It will create the directory ~/bitwarden_rs automatically.
Warning
At the moment (current date: 24.07.2020) there is an unofficial patch of some dependencies that have not yet made it into all the official repositories. You can find the discussion about it on GitHub. Therefore you have to use a special branch to install bitwarden_rs currently. Make sure to check back and update your installation, once all dependencies have been updated.
In order to build bitwarden_rs successfully you’ll need to set an environment variable pointing to the sqlite3 header files:
cd into the automatically created folder and create the data directory:
Build the server executable:
Note
If that doesn’t work the first time and the build failed, just try again until it’s done.
In the next step we will download the latest build for the web vault. Check this page for the newest build number and replace it in the following snippet:
Note
If you don’t want to use the web-vault feature (web-app access to your vaults) for security reasons, you can skip this step. Please note that without the web-vault, newly created users can’t verify their email address. So it would be best to disable the web-vault after you’ve created your user accounts. Add the following line to your .env file later if you do so: WEB_VAULT_ENABLED=false
Generate an openssl base64 key now and save it temporarily; you’ll need it in the next step.
Use your favourite editor to create ~/bitwarden_rs/.env with the following content:
Replace the mail placeholder variables with your valid IMAP credentials, otherwise the bitwarden_rs server will not be able to send you mail notifications or tokens to verify newly created user accounts. SMTP_USERNAME and SMTP_PASSWORD must be the login data from a valid mail account. Replace the server domain with your final URL.
Note
You can configure any type of service here; you’re not limited to an Uberspace IMAP user. If you prefer e.g. Gmail, refer to their documentation for SMTP_PORT etc. accordingly.
You can edit other options; look into .env.template to see a list of available options.
Configuration
Setup web backend
Note
Enter the port 62714 as configured in the .env file before.
If you want to use a subdomain refer to the web-backend manual.
To make the application accessible from the outside, configure a web backend:
Setup web vault
Now it’s time to test if everything works. If there is no error, you are good to go. You should be able to access your vault on https://isabell.uber.space
Setup daemon
Use your favourite editor to create ~/etc/services.d/bitwarden_rs.ini with the following content:
After creating the configuration, tell supervisord to refresh its configuration and start the service:
If it’s not in state RUNNING, check your configuration.
Finishing installation
You’re done. Point your browser to your installation URL https://isabell.uber.space and create your user. You can access the admin panel via https://isabell.uber.space/admin and log in using the openssl token you created during the installation process.
Best practices
Backing up your vault manually
You can create a backup of the database manually. cd to your project folder, create a folder to store the backup in and use the given sqlite3 backup command. This will ensure the database does not become corrupted if the backup happens during a database write.
Note
You could run this command through a cron job every day. Note that it will overwrite the same backup.sqlite3 file each time. If you want to save every version of the backup, please read further.
Alternatively, you can do the backup with a timestamp, which is useful if you don’t want the cron job to overwrite the backup file. $(date +%Y-%m-%d) in the file name in the following command will generate a name with the current year, month and day.
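A timestamped backup along these lines, with a check that the copy is intact before it is relied on. This is an added example, not the guide's original command; the function name backup_vault and the db-backup folder name are assumptions, and it needs the sqlite3 command-line tool.

```sh
#!/bin/sh
# Added example: timestamped, verified backup of the bitwarden_rs database.
# backup_vault and the db-backup directory name are assumptions.

# Usage: backup_vault <path to db.sqlite3> <backup directory>
# Prints the path of the new backup; non-zero exit status on any failure.
# The body runs in a subshell so the umask change does not leak to the caller.
backup_vault() (
    db=$1
    dest_dir=$2
    # Without this check sqlite3 would silently create an empty source database.
    [ -f "$db" ] || { echo "no database at $db" >&2; return 1; }
    # A vault backup is as sensitive as the live database: owner-only access.
    umask 077
    mkdir -p "$dest_dir" || return 1
    out="$dest_dir/backup-$(date +%Y-%m-%d).sqlite3"
    # .backup copies a consistent snapshot even while the server is writing.
    sqlite3 "$db" ".backup '$out'" || return 1
    # Reject a missing, empty or damaged copy instead of keeping it around.
    if [ ! -s "$out" ] ||
       [ "$(sqlite3 "$out" 'PRAGMA integrity_check;')" != "ok" ]; then
        echo "backup $out failed verification" >&2
        rm -f "$out"
        return 1
    fi
    echo "$out"
)

# Run directly: sh backup.sh ~/bitwarden_rs/data/db.sqlite3 ~/bitwarden_rs/data/db-backup
if [ "$#" -ge 2 ]; then backup_vault "$1" "$2"; fi
```

A second run on the same day replaces that day's file, since the name only carries the date.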
Restore your vault manually
Before you restore a database backup make sure to stop the service:
To restore your database simply overwrite db.sqlite3 with backup.sqlite3 or the one with a specific timestamp. After replacing the file successfully you can restart the service again.
Hardening
Disable registration and invitations
By default, bitwarden_rs allows any anonymous user to register new accounts on the server without first being invited. This is necessary to create your first user on the server, but it’s recommended to disable it in the admin panel (if the admin panel is enabled) or with the environment variable to prevent attackers from creating accounts on your bitwarden_rs server.
Use your favourite editor to edit ~/bitwarden_rs/.env and add the following content:
Note
While through this setting users can’t register on their own, they can still be invited by already registered users to create accounts on the server and join their organizations. This does not pose an immediate risk (as long as you trust your users), but it can be disabled in the admin panel or with the following environment variable:
In addition to SIGNUPS_ALLOWED=false you can create an exception for specific domains. Make sure to use this setting only in addition to SIGNUPS_ALLOWED=false!
Warning
Be careful using this feature. At the moment the emails are not checked, meaning that anyone could still register by providing a fake email address that has the proper domain. So at the moment this is more security by obscurity. This seems to be fixed in an upcoming release, so make sure to check the feed regularly to stay informed about the newest version.
Disable password hint display
bitwarden_rs displays password hints on the login page to accommodate small/local deployments that do not have SMTP configured, which could be abused by an attacker to facilitate password-guessing attacks against users on the server. This can be disabled in the admin panel by unchecking the Show password hints option or with the environment variable:
Use your favourite editor to edit ~/bitwarden_rs/.env and add the following content:
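To confirm afterwards that the settings from this Hardening section are really in effect in ~/bitwarden_rs/.env, an audit script such as the one below can be run against the file. It is an added example and not part of the original guide: the function names are hypothetical, and INVITATIONS_ALLOWED, SHOW_PASSWORD_HINT and SIGNUPS_DOMAINS_WHITELIST are the variable names from bitwarden_rs's .env.template.

```sh
#!/bin/sh
# Added example: audit ~/bitwarden_rs/.env for the hardening settings above.
# INVITATIONS_ALLOWED, SHOW_PASSWORD_HINT and SIGNUPS_DOMAINS_WHITELIST are the
# names from bitwarden_rs's .env.template; the function names are hypothetical.

# Print the value of every uncommented assignment of key $2 in file $1.
env_values() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        tr -d "\"'\r" | sed 's/[[:space:]]*$//'
}

# Succeed only if the key is assigned and every assignment is exactly "false".
is_disabled() {
    vals=$(env_values "$1" "$2")
    [ -n "$vals" ] || return 1
    ! printf '%s\n' "$vals" | grep -qvx 'false'
}

# Report each finding on stdout; exit status 0 means no FAIL lines.
audit_env() {
    file=$1
    failures=0
    for key in SIGNUPS_ALLOWED INVITATIONS_ALLOWED SHOW_PASSWORD_HINT; do
        if is_disabled "$file" "$key"; then
            echo "ok    $key=false"
        else
            echo "FAIL  $key is not false (unset means enabled)"
            failures=$((failures + 1))
        fi
    done
    # The file holds ADMIN_TOKEN and SMTP_PASSWORD: owner-only on shared hosting.
    if [ -n "$(find "$file" -prune \( -perm -040 -o -perm -004 \))" ]; then
        echo "FAIL  $file is readable by group or others (chmod 600)"
        failures=$((failures + 1))
    fi
    # Whitelisted domains are not verified, so this is no access control.
    if [ -n "$(env_values "$file" SIGNUPS_DOMAINS_WHITELIST)" ]; then
        echo "WARN  SIGNUPS_DOMAINS_WHITELIST set: addresses are not verified"
    fi
    [ "$failures" -eq 0 ]
}

# Run directly: sh audit_env.sh ~/bitwarden_rs/.env
if [ "$#" -gt 0 ]; then audit_env "$1"; fi
```

A commented-out line counts as unset, so a setting that was only prepared but never activated is reported as FAIL.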
Update
Note
Check the update feed regularly to stay informed about the newest version.
Updating bitwarden_rs is really easy. Just stop the server, pull everything and download the new web vault, build the executable and start the server again. To get the download link for the newest version of the web-vault look here web-vault-feed.
After creating the configuration, tell supervisord to refresh its configuration and start the service:
If it’s not in state RUNNING, check your configuration. You can check the service’s log file using supervisorctl tail -f bitwarden_rs.
Acknowledgements
This guide is based on the official bitwarden_rs documentation as well as the bitwarden_rs guide from Tom Schneider.
Tested with Bitwarden_rs 1.16.3 and Web-Vault v2.16.0b, Uberspace 7.5.1.0
Written by: Achim | pxlfrk <hallo@pxlfrk.de>