Yubico Bitwarden



Bitwarden is an open-source security solution, which means the source code is free for everyone to use. You can even host it on your own server for extra security. For basic features, such as syncing across unlimited devices and storage of unlimited items in your vault, you’ll pay nothing.

  • On Bitwarden I use a different master password to keep the 2FA paradigm: something you know + something you have/are. Using the static password as a master password is like 1½FA. The same goes for the Yubico Authenticator password: if you set one, it should be different from the static password.
  • The current testing version of the bitwarden_rs server seems to allow N+1 access attempts to a shared Bitwarden Send resource when N are configured. For example, when 1 allowed access attempt is configured, 2 visits are allowed before the published Send resource is disabled; when 2 are configured, 3 are allowed, etc.

1. Security & Encryption

A good password manager uses strong encryption to protect your data while it’s on your computer, on the password manager’s server and moving between the two. Breaking this encryption is almost impossible when password managers use industry-standard encryption such as the Advanced Encryption Standard (AES). We also checked for up-to-date security methods, two-factor authentication and whether the password manager has ever had a third-party security audit.

2. App Compatibility

Password managers aren’t very useful if you can’t use them everywhere, so we compared the types of hardware and software Bitwarden and KeePass are compatible with. We looked at three types of compatibility: desktop and laptop operating systems, browsers, and iOS and Android on mobile devices.

3. Usability & Ease of Use

We compared Bitwarden and KeePass on ease of setup and use because a good password manager should be simple to download and set up, and it should be easy to create a list of your passwords. The interface should also be easy to operate, so you can generate new, stronger passwords and autofill usernames and passwords on logins. We also checked how well they worked with biometric logins for users who have face or fingerprint scanning on their phone, laptop or tablet.

4. Password Sharing

While password sharing is a common feature for paid password managers, it’s not always offered in free ones. We researched secure sharing capabilities and how many people could share at a time. This feature is especially important for families who want to share online accounts or bill-pay sites, and for companies that need to share email, social media or other account logins.

5. Price

The cost of password managers runs the gamut from free to $90 annually or more, depending on how many people are sharing the application. Most password managers advertise a monthly subscription price, but fees are usually billed annually. Any paid password manager should offer unlimited password storage, but free applications often do as well, so we researched storage capacities along with cost.

Bitwarden is an open-source password manager. With Bitwarden_rs you can run a self-hosted server that needs few resources and still lets you use all its features.

Bitwarden makes it possible to share and sync usernames and passwords across all devices and web browsers.

In this example I’ll be using two PCs: one for compiling and one for hosting, because the VPS I run this on isn’t powerful enough to compile the binaries.

On compile machine

Install dependencies

Compile bitwarden_rs

Compile vault

Clone and checkout repository

Patch web vault to work with Bitwarden RS

Download the most recent Bitwarden_RS patch for the Bitwarden web vault. This can be done in one of two ways:

A. Download and apply a patch based on the version that you just checked out using git.

B. Does this give a 404 Not Found error? In that case there might not be new changes in the most recent Bitwarden web release that need to be patched in order to work with Bitwarden RS.

  • Go to https://github.com/dani-garcia/bw_web_builds/tree/master/patches.
  • Click on the patch that is closest to the version you checked out in git (visible by executing the command git tag --sort=v:refname | tail -n1).
  • Click on “raw” to get a direct link to the patch file.
  • Download with wget and use git apply.

For example:

Build the web vault

NB: Do not run the following commands as root. Building the web vault will fail.

Copy

on remote host

Use this file as a template. Alter all uncommented variables to match your environment.

Add nginx vault.conf. The following config assumes that you have already installed and configured certbot / letsencrypt and retrieved a certificate.

Set up Fail2ban

If you are using Fail2Ban, you can add this configuration to keep out unwanted guests:

Set up log rotation

Over time, the Bitwarden_RS log file can grow to a significant size. Using logrotate, we can periodically rotate logs.

NB: To view a compressed log file without manually decompressing:

Backup

If you’d like to back up the Bitwarden server, use the following steps.

Export the sqlite database:

If you have already set up backups for other services, add these paths to your list of backup targets:

Upgrade Bitwarden RS and web vault

Settings

On build machine

Update system packages

Remove old build and sources

Upgrade Rust

Build Bitwarden RS

Build Bitwarden web vault

Clone Bitwarden web vault repository

Download the most recent Bitwarden_RS patch for the Bitwarden web vault

This can be done in one of two ways:

A. Download and apply a patch based on the version that you just checked out using git.

B. Does this give a 404 Not Found error? In that case there might not be new changes in the most recent Bitwarden web release that need to be patched in order to work with Bitwarden RS.

  • Go to https://github.com/dani-garcia/bw_web_builds/tree/master/patches.
  • Click on the patch that is closest to the version you checked out in git (visible by executing the command git tag --sort=v:refname | tail -n1).
  • Click on “raw” to get a direct link to the patch file.
  • Download with wget and use git apply.

For example:

Compile web vault

Copy upgraded binary and vault

On remote / public machine

Update notes

  • 2020-07: Improved web-vault instructions, added upgrade steps.
  • 2020-08: Noticed missing nginx config example. Added this.
  • 2020-09: Added some cleanup steps.
  • 2020-10: Updated to latest versions. Added new configuration options. Included MySQL and PostgreSQL backends next to the existing SQLite backend in compile steps.
  • 2020-12: Updated to latest versions. Added logrotate config.
  • 2021-04: A reader notified me that the Bitwarden admin Fail2ban regex in /etc/fail2ban/filter.d/bitwarden-admin.conf should be updated. Bitwarden no longer prepends the log entry with “Unauthorized Error: ”. This has been corrected.
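
The 2021-04 note and the Fail2ban step, as an added example (not the original tutorial's filter): a Python check that runs an admin-login failregex written for the old log format, and one without the “Unauthorized Error: ” prefix, over constructed log lines. The message text "Invalid admin token. IP:", the log layout and the simplified `<ADDR>` expansion are assumptions.

```python
import re
from collections import Counter

# Simplified IPv4-only stand-in for fail2ban's <ADDR> tag (assumption: the
# real tag also covers IPv6 and is expanded by fail2ban itself).
ADDR = r"(?P<addr>\d{1,3}(?:\.\d{1,3}){3})"

# A filter tied to the old prefix, and the same filter without it.
# The message text after the prefix is assumed, not taken from the page.
OLD_FAILREGEX = r"^.*Unauthorized Error: Invalid admin token\. IP: <ADDR>.*$"
NEW_FAILREGEX = r"^.*Invalid admin token\. IP: <ADDR>.*$"

# Constructed log lines (documentation IP ranges), not real server output.
SAMPLE_LOG = [
    "[2021-03-30 09:12:01][bitwarden_rs::api::admin][ERROR] Unauthorized Error: Invalid admin token. IP: 203.0.113.7",
    "[2021-04-02 11:15:40][bitwarden_rs::api::admin][ERROR] Invalid admin token. IP: 198.51.100.23",
    "[2021-04-02 11:15:42][bitwarden_rs::api::admin][ERROR] Invalid admin token. IP: 198.51.100.23",
    "[2021-04-02 11:15:45][bitwarden_rs::api::admin][ERROR] Invalid admin token. IP: 198.51.100.23",
    "[2021-04-02 11:16:03][bitwarden_rs::api::admin][ERROR] Invalid admin token. IP: 203.0.113.7",
    "[2021-04-02 11:17:10][request][INFO] GET /admin from 198.51.100.23",
]


def count_failures(failregex, lines):
    """Count matching lines per source address, as a fail2ban filter would."""
    pattern = re.compile(failregex.replace("<ADDR>", ADDR))
    hits = Counter()
    for line in lines:
        match = pattern.search(line)
        if match:
            hits[match.group("addr")] += 1
    return hits


def would_ban(failregex, lines, maxretry=3):
    """Addresses that reach maxretry failures (findtime windowing is ignored)."""
    counts = count_failures(failregex, lines)
    return sorted(ip for ip, n in counts.items() if n >= maxretry)


if __name__ == "__main__":
    for name, rx in (("old", OLD_FAILREGEX), ("new", NEW_FAILREGEX)):
        print(name, dict(count_failures(rx, SAMPLE_LOG)), would_ban(rx, SAMPLE_LOG))
```

The filter that still expects the prefix silently stops counting failures after the log format changes, so no address is ever banned. On a live host, fail2ban-regex run against the real log file and /etc/fail2ban/filter.d/bitwarden-admin.conf performs the same check.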
