Objective: Secure & private password management, prevent anyone from stealing your passwords.

Option 1: Store the KeePass password file in a personal cloud service like OneDrive/Google Drive/etc., download the file, and use KeePassXC to open it

Option 2: Use ProtonPass or similar solution like Bitwarden

Option 3: Host a solution like Vaultwarden

Which would you choose? Are there more options? Assume a strong master password and strong technical skills.

LoudWaterHombre

Host your own bitwarden

t0m5k1

Bitwarden+Vaultwarden, harden the chosen VPS, set SSH to use keys only, then set up fail2ban for the web server and SSH. Also consider putting ffsync on it as well for extra browser benefits.
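A defender-side check for the hardening steps in that comment, added here as an example rather than anything from the thread or from the Vaultwarden/fail2ban projects: it audits an sshd_config for key-only login and confirms that fail2ban jails for sshd and the web server are enabled. The config files are constructed samples written to a temporary directory; the real paths (`/etc/ssh/sshd_config`, `/etc/fail2ban/jail.local`) and the OpenSSH defaults used when a directive is absent are assumptions stated in the comments.

```shell
#!/bin/sh
# Added example (not from the thread or any project): audit an sshd_config for
# key-only login and confirm fail2ban jails for sshd and the web server are on.
# The config files below are constructed samples written to a temp dir so the
# script runs offline; on a real VPS you would point the functions at
# /etc/ssh/sshd_config and /etc/fail2ban/jail.local (assumed paths).

# sshd_value FILE KEY DEFAULT: effective value of KEY. sshd uses the first
# uncommented occurrence of a keyword, so the first match wins. DEFAULT is
# returned when the file does not set KEY (defaults below are assumed to be
# the stock OpenSSH ones). Caveat: Include and Match blocks are not evaluated.
sshd_value() {
    v=$(grep -Ei "^[[:space:]]*$2[[:space:]]+" "$1" | head -n 1 | awk '{print tolower($2)}')
    if [ -n "$v" ]; then printf '%s' "$v"; else printf '%s' "$3"; fi
}

# audit_sshd FILE: print each directive that still allows password login;
# exit status 0 only when every check passes.
audit_sshd() {
    rc=0
    [ "$(sshd_value "$1" PasswordAuthentication yes)" = "no" ] \
        || { echo "FAIL: PasswordAuthentication is not 'no'"; rc=1; }
    [ "$(sshd_value "$1" KbdInteractiveAuthentication yes)" = "no" ] \
        || { echo "FAIL: KbdInteractiveAuthentication is not 'no' (PAM password prompts)"; rc=1; }
    [ "$(sshd_value "$1" PubkeyAuthentication yes)" = "yes" ] \
        || { echo "FAIL: PubkeyAuthentication is not 'yes'"; rc=1; }
    [ "$(sshd_value "$1" PermitRootLogin prohibit-password)" != "yes" ] \
        || { echo "FAIL: PermitRootLogin allows password login for root"; rc=1; }
    return $rc
}

# jail_enabled FILE JAIL: exit 0 if the [JAIL] section of a fail2ban jail file
# contains "enabled = true" (ini-style parsing in awk).
jail_enabled() {
    awk -v want="[$2]" '
        /^[[:space:]]*\[/ { insec = ($0 == want) }
        insec && /^[[:space:]]*enabled[[:space:]]*=/ {
            split($0, kv, "="); gsub(/[[:space:]]/, "", kv[2])
            found = (tolower(kv[2]) == "true")
        }
        END { exit found ? 0 : 1 }' "$1"
}

# --- constructed sample inputs -------------------------------------------
tmp=$(mktemp -d)
HARDENED="$tmp/sshd_config.hardened"
WEAK="$tmp/sshd_config.weak"
JAIL="$tmp/jail.local"

cat > "$HARDENED" <<'EOF'
# constructed sample: key-only login
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin no
EOF

cat > "$WEAK" <<'EOF'
# constructed sample: distro default, the password directive is still commented out
#PasswordAuthentication no
PermitRootLogin no
EOF

cat > "$JAIL" <<'EOF'
# constructed sample jail.local
[DEFAULT]
bantime = 1h
findtime = 10m
maxretry = 5

[sshd]
enabled = true

[nginx-http-auth]
enabled = true

[nginx-botsearch]
enabled = false
EOF

echo "== hardened =="; if audit_sshd "$HARDENED"; then echo "OK: key-only login"; fi
echo "== weak =="; if ! audit_sshd "$WEAK"; then echo "sshd_config still accepts passwords"; fi
for j in sshd nginx-http-auth nginx-botsearch; do
    if jail_enabled "$JAIL" "$j"; then echo "jail $j: enabled"; else echo "jail $j: NOT enabled"; fi
done
```

On a live host, `sshd -T` prints the effective configuration with defaults and Include files resolved, so feeding its output to `audit_sshd` avoids the parsing caveat noted in the comments.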

Matt The Horwood

Remember to back that up, and test the backups at intervals to make sure they work.
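One way to make "test the backups" a routine rather than a hope, added here as an example that is not from the thread or from any password-manager project: back up the data directory, record a checksum beside the archive, then verify by checking the checksum, restoring into a scratch directory and diffing the restore against the source. The data directory and its contents are a constructed stand-in (for a Vaultwarden data directory or a KeePass .kdbx file); all paths are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or any project): back up a password-manager
# data directory and prove the backup restores cleanly. DATA_DIR is a
# constructed stand-in for e.g. a Vaultwarden data/ directory or a KeePass
# .kdbx file; every path here is an assumption for the demo.

# make_backup SRC DEST_DIR: tar+gzip SRC into DEST_DIR/<name>-<utc-ts>.tar.gz,
# write a SHA-256 checksum file next to it, and print the archive path.
make_backup() {
    src="$1"; dest="$2"
    ts=$(date -u +%Y%m%dT%H%M%SZ)
    archive="$dest/$(basename "$src")-$ts.tar.gz"
    tar -C "$(dirname "$src")" -czf "$archive" "$(basename "$src")" || return 1
    ( cd "$dest" && sha256sum "$(basename "$archive")" > "$(basename "$archive").sha256" ) || return 1
    printf '%s\n' "$archive"
}

# verify_backup ARCHIVE SRC: a backup only counts once it has been restored.
# Checks the checksum, extracts into a scratch dir, diffs against SRC,
# and returns 0 only if every step succeeds.
verify_backup() {
    archive="$1"; src="$2"
    ( cd "$(dirname "$archive")" \
        && sha256sum -c "$(basename "$archive").sha256" >/dev/null 2>&1 ) || return 1
    scratch=$(mktemp -d)
    if tar -C "$scratch" -xzf "$archive" >/dev/null 2>&1 \
        && diff -r "$src" "$scratch/$(basename "$src")" >/dev/null 2>&1; then
        rc=0
    else
        rc=1
    fi
    rm -rf "$scratch"
    return $rc
}

# --- constructed sample data ----------------------------------------------
tmp=$(mktemp -d)
DATA_DIR="$tmp/vault-data"
mkdir -p "$DATA_DIR/attachments" "$tmp/backups"
printf 'constructed sample: stand-in for the encrypted vault database\n' > "$DATA_DIR/db.sqlite3"
printf 'constructed sample attachment\n' > "$DATA_DIR/attachments/a1.bin"

archive=$(make_backup "$DATA_DIR" "$tmp/backups")
if verify_backup "$archive" "$DATA_DIR"; then
    echo "backup verified by restore: $archive"
else
    echo "backup FAILED verification: $archive"
fi

# Simulate bit rot or truncation in the stored archive: the checksum step
# must now reject it instead of silently restoring garbage.
printf 'x' >> "$archive"
if verify_backup "$archive" "$DATA_DIR"; then
    echo "unexpected: corrupted archive passed"
else
    echo "corrupted archive correctly rejected"
fi
```

The archive holds whatever the source directory holds, so it is only as protected as that data; for a Vaultwarden or KeePass store that is the encrypted database, which still belongs on storage you control and off the same disk as the live service.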

@Opeth@lemm.ee

Not watertight of course, but I love that the Bitwarden clients keep a local copy, so if the server ever goes down you've still got access, just no sync.

t0m5k1

goes without saying.

@captain_obvious@lemmy.wtf (creator)

I like this one as well, technically more challenging though.

ⓝⓞ🅞🅝🅔

I use and prefer option one, but take it a step further in that I host my own cloud service. I used to use Dropbox for years, but we got divorced.

@Nibodhika@lemmy.world

I like LessPass: essentially you choose one password and then it generates secure passwords for each website. Since it uses a predefined generation algorithm it's completely offline and doesn't need syncing, so it's very secure. However, it has the inconvenience of needing to remember the way you spelled the website, but if you stick to something like all lowercase it's fine.

Option 1

jelloeater🤨

Option 1, KeePassXC plus Syncthing, done. Works amazingly on all my devices.

I've never heard of Syncthing. I use KeePass on Windows and my Android, syncing to Dropbox. If I change to Syncthing, is it an easy swap? Anything I should watch out for?

@hummingbird@lemmy.world

KeePass on phone, desktop and tablet. Synced serverless via Syncthing.

  • completely private
  • always available when needed
  • no dependency on services which may go away
  • all open source software
  • maximum security

Ark-5

Yup. Same system here. I really like it.

Jvrava9

Same here. Home server to which desktop and phone connect with OpenVPN.

Rootiest

Check out Tailscale (or Headscale).

It lets you connect those devices without necessarily sending all data through your home network when you are remote. (Though that is an option, along with many other great features like SSH authentication.)

It also uses WireGuard for the backend, which is more secure and efficient than OpenVPN.

Jvrava9

Thx! Will check out.

Curious Canid

I use option #1. Each instance of KeePass maintains a local file, but updates them automatically whenever it opens or closes. I also back up the file to my personal server automatically, so I have a copy even if the cloud service fails for some reason.

This setup has been serving me well for a long time.

@IsoKiero@sopuli.xyz

Personally I'm running option 2 with self-hosted Bitwarden. Sure, it's a bit more effort to make it work, and while it's not perfect, that's what I've ended up with. The most convenient thing with that is that I can access my passwords whenever I have internet access with a browser, without any need to install any software on the thing I'm using. Obviously that doesn't mean that I'll happily access the vault with whatever free-to-use endpoint I happen to encounter, but it also gives an option to access whatever even if I'm borrowing a computer from a (trusted) friend, and once I close the private window I used, it's gone. And even more often, when I'm accessing my credentials from a family shared computer, I can just log out and I don't need to do any cleanup on the host, which might get infected by our kids browsing something malicious or some other breach of security.

With KeePassXC I'd need to worry about the database file, which is a bit different from logging out and closing the browser. Your usage patterns might be different, but a web-based hosting solution works for me.

If you work for a company that uses a reasonably good manager such as Bitwarden, you should look into whether or not you get it for free or reduced. For the moment, at least, I use Bitwarden because I get it for free (and a Families sub to boot!). I know 1Password does the same; others might too. Do make sure you're okay with paying the full price for a period of time in case you get laid off and have to migrate. Also make sure you're okay with any compromises you make for the price tag. There is no price tag that makes LastPass acceptable, for example.

ᓰᕵᕵᓍ

Vaultwarden behind mutual TLS and a reverse proxy, and https://github.com/oguzhane/bitwarden-mobile until https://github.com/bitwarden/mobile/pull/2629 is merged.

But honestly all services you mentioned are worthy.

Anything that fits your needs imao
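The "mutual TLS and reverse proxy" layout from that comment, written out as an added nginx example that is not the commenter's configuration and not from the Vaultwarden project: the proxy terminates HTTPS with an ordinary server certificate and additionally requires every client to present a certificate issued by a private CA, so the vault's login page is never reachable by anonymous clients. The hostname, certificate paths, backend port and header name are assumptions.

```nginx
# Added example (assumed names and paths): nginx in front of Vaultwarden,
# requiring a client certificate from a private CA on top of HTTPS.
server {
    listen 443 ssl;
    server_name vault.example.internal;            # assumed hostname

    # Server certificate: public CA (e.g. Let's Encrypt) or your own.
    ssl_certificate     /etc/nginx/tls/vault.fullchain.pem;
    ssl_certificate_key /etc/nginx/tls/vault.key.pem;

    # Mutual TLS: the handshake fails unless the client presents a cert
    # chaining to this private CA, so unauthenticated clients never reach
    # the application at all. Keep the CA key offline; issue one cert per device.
    ssl_client_certificate /etc/nginx/tls/client-ca.pem;
    ssl_verify_client on;
    ssl_verify_depth 1;

    location / {
        proxy_pass http://127.0.0.1:8080;          # Vaultwarden listener (assumed port)
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # WebSocket upgrade so live sync notifications work through the proxy.
        proxy_http_version 1.1;
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection "upgrade";
        # Subject of the verified client cert, for the backend's access log.
        proxy_set_header X-Client-DN $ssl_client_s_dn;
    }
}
```

Devices then need both the private CA's client certificate installed and, as the thread notes, a Bitwarden client that can present it; nothing about this requires installing a custom CA for the server side, which can stay on a public CA.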

@towerful@programming.dev

That PR might be a while…
https://github.com/bitwarden/mobile/pull/2629#issuecomment-1731457466

Considering that Android is going to prevent users from importing a CA.

Edit:

Wait, I think I have my wires crossed.
I think Android is removing the ability for apps to install certs.
The user has to manually install a cert, and then select it in the app.

Edit again:
Yeh, this is what I was thinking of:
https://httptoolkit.com/blog/android-14-breaks-system-certificate-installation/

But, thinking about it now, I doubt it will actually affect the feature

@AbidanYre@lemmy.world

Using Let's Encrypt is a lot easier to deal with on the client side than modifying CAs, although the initial setup of the server can be a pain in the ass if you're new to it.

ᓰᕵᕵᓍ

“But, thinking about it now, I doubt it will actually affect the feature”

It will not.

We don't need to import a custom CA authority here just to install a client cert.

Nine

Having gone through all of these options I have thoughts.

Option 1 sounds awesome but will almost always leave you in a situation where you can’t get your logins when you need them in an emergency. You’re always depending on a chain of things. Depending on your situation it may not be a big deal. But this option sucks, imho.

Option 3 sounds amazing because it gives you the control of option 1 with the ease of option 2. But… unless you’re the kind of person that enjoys hosting their own email server you really don’t want this option. Fun in theory but not so much when you realize you now have a 3rd job.

So that leaves option 2. It’s great but you’re depending on someone else. This is the option that most people should choose too, imo. However it lacks some of control and trust that option 1 and 3 have.

Sooooo, that leaves us with option 4, the onion option: breaking up your data into layers and using different tools for them.

So first and foremost I want my password storage to always be available. For me that means Bitwarden (though I'm evaluating ProtonPass currently). This is the outer layer. Things that can and should be stored here are stored here. I use it to manage web logins and 2FA tokens for those sites. I also use it for storing autofill data, e.g. credit cards. I don't use it to hold things like my GPG keys.

The next layer is pass. This layer is mostly things that I need to have logins or other information for on headless/remote servers. Think self-hosted lab services like a MariaDB/Postgres or backups. This is easily kept in sync with git. This is the layer where I'll store things like GPG keys and other VERY sensitive data that I need to sync around.

For other things on this layer I use Ansible Vault. This is mostly used for anything where I need automation and/or I don't want to or can't easily use my YubiKey for GPG. This is kept in sync with git as well.

Lastly, for the inner layer I use age or PGP. This is for anything else I can't use the above for. So my Bitwarden exports/backups are in this level too. I also use this layer for things that I need to bootstrap a system. Think sensitive dotfiles. This can be kept in sync with git as well.

Git is the best sync solution imo because you can store it anywhere and use anything to sync that repo. Just throw that raw repo on Dropbox, use SSH with it on a VPS, rsync it, etc. You'll always have it somewhere and on something.

My workflow goes like this: Bitwarden -> Apple/Google/Firefox -> pass -> Ansible -> age/PGP

This allows for syncing things as needed and how needed. It also gives you the option of having an encrypted text file if/when everything fails.

@IHawkMike@lemmy.world

Agree 100%. I self-host a lot of services but access to my passwords needs at least 3-nines uptime and the cost of providing that via Azure/AWS isn’t really worth it to me.

That said, I trust Bitwarden way more than I ever trusted LastPass, and I still use option 1 for highly sensitive accounts along with redundant YubiKeys (FIDO2, PIV, and GPG in that order) for anything that supports it.

Dandroid

Option 3 sounds amazing because it gives you the control of option 1 with the ease of option 2. But… unless you’re the kind of person that enjoys hosting their own email server you really don’t want this option. Fun in theory but not so much when you realize you now have a 3rd job.

I currently host Vaultwarden and use the Bitwarden Android app and browser plugin. What does this have to do with a mail server? I don’t host a mail server and it works fine for me (tried to host a mail server, but got blocked by ISP and would need a business account to request them to unblock it, which costs double what I currently pay for the same speeds).

Nine

It wasn't meant to be taken literally. What I mean by that is: if you're the type of person who enjoys the upkeep of something as critical (though maybe not so much these days) as email, then go ahead and host your own password vault service. I'm not saying it shouldn't be done and couldn't be done.

My point is that there are going to be times where you NEED your password vault, and having it be down because something happened at home or your VPS had a problem is a really shitty situation to be in.

Of course there are workarounds and edge cases to everything too. For me, planning and building for those possibilities came down to: what can I do that is the most reliable, simple, and boring? Because that's what most people need with anything that is critical.

IMHO much like backup, password storage should be reliable, simple, and boring. Kinda like flushing a toilet or flipping a light switch.

Dandroid

Oh, got it. That makes sense. Though if I remember correctly, Bitwarden makes a local copy for you, so even if your device doesn’t have internet or your backend is down, you should still be able to enter your passwords, just not create new passwords or sync new passwords from other devices.

I have only been using Vaultwarden/Bitwarden for a short time, but I haven’t had any issues thus far. My house is pretty resistant to power outages (solar + 12 hour battery backup for whole house with no sun), but if something happened with my ISP, obviously there’s nothing I could do. I haven’t tested that case yet. I probably should, though.

LastPass /s

@PeachMan@lemmy.world

Oh God no, kill it with fire.

@flubba86@lemmy.world

I use option 1: I host my KeePass DB file on a free secure Nextcloud storage account, and use the Nextcloud client to keep it synced to all my devices. It's available offline on all of my devices too, in case the server goes down. I use KeePassXC on my PCs and KeePassDX on Android to open the files.

@Artaca@lemdro.id

I like Enpass. $25 lifetime sub via StackSocial. Does the trick. If they ever pull the rug out on lifetime folks, I would go to Bitwarden.

I ended up scoring a free lifetime membership years ago, but is their stuff open source? I never fully trusted it, so I didn't end up using it for anything.

@Artaca@lemdro.id

It’s not open source, so that’s an easy deal breaker for some. Considering the vaults are encrypted and Enpass itself stores nothing on their servers, I’ve been okay with it. The vaults just exist on my phone and wherever I’ve chosen to back it up (OneDrive, GDrive, Nextcloud, NAS, etc).

@aksdb@feddit.de

Enpass uses the open source library SQLCipher (which is an SQLite fork with encryption). So while Enpass as a whole is not fully open source, you can still exfiltrate your passwords with open source tools, should they ever vanish or radically change their business model. You can then use, for example, enpass-cli.

That gives me enough confidence to trust in Enpass, since they can’t easily hold my data hostage.
