I don't care about raising prices, I'm worried about the new CEO having a PE mindset. That means Bitwarden will now focus on extracting value while the product stagnates and degrades in quality. Time to jump ship before their security and quality goes down the drain.
Not my project but Vaultwarden is an open source (in Rust) alternative backend for Bitwarden. I believe it's been around a while, and is still maintained.
https://github.com/dani-garcia/vaultwarden
Question for anyone self-hosting vaultwarden: how reliable is it and how do you harden it?
I'm thinking about running it in a container (Podman Quadlet with systemd) behind a VPN, with daily backups with borg. Anything I'm overlooking here?
I’ve used Vaultwarden for at least 7 years, I’m sure for longer but I’m not sure how long.
Never had an issue with Vaultwarden itself. Restored from backups several times for a variety of reasons (migrating host, corrupt hard disk, re-installs) and that always worked first try.
In regards to hardening, the wiki has a good guide: https://github.com/dani-garcia/vaultwarden/wiki/Hardening-Gu....
That guide is wild. By default it allows public registration, shows password hints, requires a reverse proxy for robust TLS but then passes tokens via GET params, runs in the container as root. Recommends fail2ban because it doesn't have any coverage against brute force. Recommends using a custom path for security.
This feels less like a guide on hardening Vaultwarden than a guide on why I should be skeptical about it.
I’m not an expert with web sockets or web development - but re: Get Params, Vaultwarden has to follow the API of the upstream Bitwarden implementation:
https://github.com/dani-garcia/vaultwarden/discussions/1549#...
The upstream also had this issue, which appeared to be closed without a PR:
https://github.com/bitwarden/server/issues/3650
Requiring a reverse proxy for TLS is pretty standard, but the rest of those findings are egregious (if they haven't been addressed yet.)
Those problems are endemic to all web apps.
e.g. You can’t just provide software to people that obtains TLS certs on their behalf: you have no idea how their infra is set up.
Hosting any app on your own infra is a serious skill set.
Since it's authored by the vaultwarden collaborators, I would not trust the project with any bit of my passwords.
Pretty similar experience for me, albeit I've only been managing it for about a year.
Restore from backup testing was straightforward. We haven't had any problems w/ the application itself.
I used that hardening guide for my setup. The one I manage is exposed to the Internet and I'm bringing traffic into it via a reverse proxy.
I have my vaultwarden running on a container on my home-lab server accessible only from Tailscale. The container itself is only accessible as its own node on my Tailscale private network and can’t be reached any other way (there are no inbound port forwards for the container itself, tailscale handles this).
My phone and laptop both use tailscale to access this and a few other containers I have set up similarly. I also have tailscale ACL rules to limit just “me” or whomever I want to allow to use it (family etc) also on my tailnet.
Backups are encrypted and stored locally as well as to AWS glacier.
I love it and it works great.
I've got it running in an LXC container. Other than occasionally updating it, it's been entirely trouble free (I did need to work to get it out of the Docker container but that's a problem most won't have). Honestly one of the most useful and low trouble self-hosted apps I've used next to Dokuwiki. As far as hardening, I have not done a huge amount, but it lives on my LAN and is only reachable via VPN from the outside, which again works surprisingly well even with my Android phone.
I just take ZFS snapshots. I've restored a couple of times that way just to test DR and it worked pretty well.
I've never had a reliability issue with Vaultwarden. Hosted it 5+ years now. Even with random off/on of the server and other bumps in the road in life, the Docker container I run has had no issues with hosting. The user interface is friendly but can be just a little slow.
Mine is not exposed to the public internet, though some friends of mine do. I use a VPN when I need to access fresh data from the home server, otherwise both the Firefox client and Android client will generally keep a cache of the last data pull when they had connection (so it wasn't an issue the 4 or so years I didn't have a VPN yet).
> how do you harden it?
By not exposing it to the wider internet. When I use a client (iPhone, browser, etc.) while on the home network, it syncs. While off the network, the last synced data is still there. That's been good enough for me.
When the server can’t be accessed, you can’t create a secret, right? This has been quite annoying in my experience. I’d still recommend Bitwarden clients with self-hosted Vaultwarden.
Mobile wireguard clients are very good as a solution to the access problem.
> Anything I'm overlooking here?
Not technical, but the person behind that project now works for Bitwarden so there's some risk of a rugpull. Of course it's OSS but you'll need to trust a fork or maintain it yourself if said rugpull happens.
The maintainer has said that they've been given permission to maintain it in their free time. All it takes is a bad quarter and the CEO decides they don't want to be supporting a competitor and that goes away. It's possible that a community continuation could happen but I wouldn't rely on something so uncertain for something as important as credentials.
It’s a bad strategy. I am capable so I host an instance of vaultwarden for myself and spouse (only available via our vpn)
But when friends and family ask for my recommendation I send them to Bitwarden and they pay for the service.
If it wasn’t for vaultwarden and the clients being open source I would not be using it nor recommending it.
I’d probably still be using keepass with manual sync and when friends and family ask for suggestions I’d probably shrug and say I don’t trust any of them.
Kind of makes a lot of sense that they wound up working there too.
The expansion of "rugpull" to encompass "a company or open source developer changing the roadmap or level of investment in something they develop" is fascinating.
I think that term refers more to the conflict of interest that now exists.
I touched it never aside from updates and it never failed. I compiled it from sources though.
It's as reliable as you make it.
No matter where Bitwarden ends up, passwords are one of these few things I am very hesitant to self-host. The stakes are just too high, and my knowledge of security has too many unknown unknowns to take that risk.
Personally, I want to avoid the responsibility for hosting it myself. I'm happy to pay for that. But a reasonable amount. Today Bitwarden's price is fine for me, but I worry about what's coming.
It is still maintained, but I believe the maintainer is employed by Bitwarden now, and is working on projects in addition to Vaultwarden.
Is there an alternative frontend as well, or are you still locked in?
https://github.com/doy/rbw Is an alternative Bitwarden cli front end. Probably has plenty of scaffolding to build a GUI frontend based on it.
Edit: Just a bit of googling turned up these as well.
https://github.com/AChep/keyguard-app https://github.com/sgolub/bitclient
There is not an alternative frontend that I'm aware of, but as the article mentions, the clients are Apache 2.0 licensed, so in the event of a rug pull, a fork and rebrand of the clients would be what is needed to restore service.
Better question is how difficult would it be to have keypass use vaultwarden for sync.
Their android app at least is open source and available on their own f-droid repo
How do you trust that it will be kept maintained and secure?
Don't I have to rely on the OG frontend/GUI components, though? They are one automatic update away from bundling the removal of the custom server address option with important security fixes, in a way that you are damned if you do and damned if you don't.
Technically yes but the frontend is so far open source so forking that is also something that could technically happen if company ever went back on it.
+1
I am a paid subscriber. I am kind of ok with the price increase.
The "coincidence" of the change of CEO and removal of the "always free" tag worries me though.
I just sent them a message along these lines.
I’m happy to pay for good services, but M&A means cost-cutting measures to make the company look good for acquisition and that makes me uncomfortable with letting them store secure data for me.
Switching is going to be a pain.
It is really easy to self-host, and do so securely...
I’m not buying hosting from a password manager, I’m buying security. I don’t have complete confidence that I can secure a self-hosted password manager and it’s not an area where I want to take risks.
It's very simple, just don't make it accessible outside your home network. Clients sync when the server is accessible and use last synced data otherwise.
The effort required to set this up far outweighs the price to pay someone to do it for me.
I pay a cleaner, I have a dishwasher, I pay someone to do my taxes, I pay for companies to host software.
Then again, I never order food and almost never get takeaway, as cooking is nice and I value my food enough to care what goes in it. Cheaper too, easily offsetting what I pay for my password manager.
Tailscale for your laptop, phone, etc. to be able to talk to the other computers when away from your home WiFi. (Optional, but makes syncing easier).
Syncthing, talking to your Tailscale IP addresses if you use it, or your private WiFi network addresses if you don't use Tailscale.
One folder synced, containing keyfile2.kdbx.
30 minutes to set up and then you almost never need to think about it again. If you don't trust Tailscale, you can run a Headscale server or just not use it. And the syncing is entirely run on your machines; your data never ends up written to someone else's SSD.
It's really not much effort.
I mean does it? I have set it up before but I just set it up for my new small office team. I already had an internal server and WireGuard vpn in our office and it took 2 minutes to create a quadlet to run vaultwarden and a few more to configure it. The “hardest” part was training the team on how to use collections.
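The VPN-only, containerised setup asked about in the question and described in the comment above, as a Podman Quadlet unit, with the defaults the guide discussion complains about (open registration, password hints, running as root, no login logging for fail2ban) explicitly turned off. This is an added example, not code from the thread or from the Vaultwarden project; the image tag, the paths, the 100.64.0.10 tailnet address, the hostname and the UID are placeholders, and a TLS-terminating reverse proxy on the VPN side is assumed but not shown, since the clients require https.

```ini
# ~/.config/containers/systemd/vaultwarden.container (rootless Quadlet)
# Added example; not the thread's or the Vaultwarden project's own config.
# systemd unit syntax has no trailing comments, so every note is on its own line.
[Unit]
Description=Vaultwarden (VPN-only, no public registration)
After=network-online.target
Wants=network-online.target

[Container]
# Pin a specific release in practice; :latest is only a placeholder here.
Image=docker.io/vaultwarden/server:latest
ContainerName=vaultwarden
# Persistent data; :Z relabels the directory on SELinux hosts.
Volume=%h/vaultwarden/data:/data:Z
# Bind only on the tailnet (VPN) address, never on 0.0.0.0.
PublishPort=100.64.0.10:8080:8080

# Run as an unprivileged UID instead of root; keep-id maps the host user
# to that UID so the data directory stays writable (assumed UID 1000).
UserNS=keep-id:uid=1000,gid=1000
User=1000
Group=1000
# A non-root process cannot bind port 80 inside the container, so move Rocket up.
Environment=ROCKET_PORT=8080

# Weak defaults, each replaced by the hardened value:
# SIGNUPS_ALLOWED defaults to true (anyone who reaches the server can register).
Environment=SIGNUPS_ALLOWED=false
# SHOW_PASSWORD_HINT defaults to true.
Environment=SHOW_PASSWORD_HINT=false
# Family members get in through organisation invites instead of open signup.
Environment=INVITATIONS_ALLOWED=true
Environment=DOMAIN=https://vault.example.internal
# ADMIN_TOKEN is deliberately unset: with no token the /admin page is disabled.
# If it is needed, supply an argon2 PHC hash through an EnvironmentFile instead.
# Log failed logins with client IPs so fail2ban has something to match on.
Environment=LOG_FILE=/data/vaultwarden.log
Environment=EXTENDED_LOGGING=true

# Container-side hardening: no capabilities, no privilege escalation,
# read-only root filesystem with a scratch tmpfs.
DropCapability=ALL
NoNewPrivileges=true
ReadOnly=true
Tmpfs=/tmp
AutoUpdate=registry

[Service]
Restart=on-failure
TimeoutStartSec=300

[Install]
WantedBy=default.target
```

After `systemctl --user daemon-reload` and `systemctl --user start vaultwarden`, the service is reachable only from the tailnet address, and the nightly borg job from the question can back up `~/vaultwarden/data` (take an SQLite `.backup` of the database rather than copying the live file).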
Give it less than one financial quarter and I guarantee the website will be about “identity for AI agents.”
I'm so fucking tired of jumping ship with these password vault providers. This will be my third jump in so many years.
Exactly what value do they think they have left to extract from me? I'm a paying customer for a product that essentially just stores an indexed list of strings with at-rest encryption.
Their official App's autofill on my phone hasn't worked for several months now. I literally have to login to it once every couple hours just to manually copy and paste my usernames and passwords separately. I guess enshittification knows no bounds?
Yep! Feels like a hard truth about the product life-cycle. It may be time to find an alternative to what was a great alternative.
Can anyone name a PE purchase that made a company better?
In my humble opinion, Domino's?
I'm getting really tired of the enshittification cycle. Learning about android verification and captcha changes recently has been another big frustration point. I moved to android as a more open alternative to apple just a few years ago, and to bitwarden from lastpass around the same time. I would like to just have these infrastructural services work well and quietly without thinking about them for many years. Do I really have to put up with this happening faster and faster for the rest of capitalism? (I think so)
>Do I really have to put up with this happening faster and faster for the rest of capitalism? (I think so)
No, if you relax the qualifier "without thinking" slightly and are okay with thinking for a few hours. There are so many off-the-shelf open source solutions now to just throw on a 5-buck VPS, it costs you less time and money than switching or the premium plan of most of these individual services.
Bitwarden hasn’t “enshittified” anything. It’s all entirely speculative
Red flags are always speculative.
The point is that if there are only one or two red flags, you can risk assess them and continue as is if the risk is low. But if there are a large number of red flags, then you need to consider your exit strategy as well.
PE's entire modus operandi is enshittification. If there's no enshittification to be done there would be no point in purchasing the company
I don’t wait for companies to enshittify anymore. When they start making decisions that look like they’re heading in that direction, I start looking for alternatives.
Same. Whenever I see a PE acquisition, I immediately shift my purchases (eg namecheap last year)
It has already enshittified. These changes are textbook.
- Inclusion and Transparency values made more shitty
- Always free commitment removed. What? It’s right there “always”.
- Shittily hacking old blog post to become nonsensical
- Loss of confidence
- Stalling improvement cycle, no more repairs, just things quietly breaking and going bad.
Looks pretty bad regardless of speculation. There are enough red flags to warrant actions and to consider this another enshittification.
yet. The hallmarks of enshittification are there. We've all been through the cycle of "this product is too good to be true, and provides considerably more value than it costs" "Customer Acquisition/Market Capture" phase. And we know what has to come next. They have to make the product profitable, because you can't just burn up VC money forever.
Does a bear shit in the woods?
Interesting, where are you from? Where does this proverb come from?
I know this proverb as (translating from Polish): You're asking the boar if he's shitting in the forest.
It's an extremely common phrase in the US, along with "Is the Pope Catholic?" Sometimes the two phrases are humorously mixed together.
I've never heard it mixed (not from US)...
"Is bear a Catholic?" doesn't seem very funny.
But a notion that everyone knows how the Pope is regularly shitting in the woods absolutely is :)
We say "are bears Catholic?" when in more polite company and we can't get away with asking if the Pope shits in the woods :)
Vendors doing a rug-pull isn't just capitalism. China is adding DRM to AM radio: old receivers won't work. Heck, Soviet WWII ration cards no longer give turnips.
uh, by DRM you mean Digital Radio Mondiale[0], an open digital radio broadcasting standard? sure analog receivers won't work, but hardly a rugpull lol
[0]https://en.wikipedia.org/wiki/Digital_Radio_Mondiale
Yeah? That has to be the worst possible acronym for an open thing.
They're not doing it to increase margin. "Enshittification" or "rug-pulls" aren't when things get worse or things change, they're when the conditions that were used to attract an audience are changed in order to extract more margin after that audience is captured.
The larger examples to compare them to would be "dumping." Dump subsidized, tariff-free corn in Mexico to make it unprofitable to farm corn in Mexico, and after all of the Mexican farmers go bust, buy their land and raise the price of corn to infinity while cheaping out on the quality of seed and handling. Enshittification. Rug-pull.
I jumped to Bitwarden because of 1P's new pricing doing exactly that.
Circle of life, I guess.
Me too precisely. But after getting acclimated to a self hosted vaultwarden for the backend and beginning to explore some of the 3rd party Bitwarden frontends that implement its API, I’d recommend hanging in there a bit longer. I think there may be a moat around BW already for self-hosting.
What’s next in the circle is keepass I guess? And it’s just not friendly/robust enough yet for me to switch to it with my family who will probably just go back to using the same passwords on multiple sites if they hit resistance in ease of use.
PE? Private Equity is the slippery slope to Public Enshittification.