Managing passwords is a challenge for most individuals and enterprises. Bitwarden makes this easier by providing a secure and convenient password management service.

While the hosted (SaaS) version of Bitwarden is convenient, self-hosting gives you direct control over where your vault data lives and how the service is run. This guide covers step-by-step installation as well as practitioner recommendations for setting up, hardening and backing up Bitwarden.

Overview of Bitwarden

Bitwarden is one of the most popular open source password management solutions. Some key highlights:

  • Desktop apps, mobile apps, browser extensions, a CLI and a web vault for convenient access
  • Client-side (zero-knowledge) encryption: vault contents are encrypted with AES-256 on the device before they are sent to the server
  • Open source codebase with published third-party security audits
  • Self-hosted deployment option running the same server code as the cloud service
  • Wide platform support including Linux, Windows, macOS, iOS and Android

Because the codebase is open, the clients' encryption can be inspected rather than taken on trust, and self-hosting adds control over where the (encrypted) data is stored and who operates the server.

Why Self-Host Bitwarden?

While the Bitwarden SaaS platform provides a convenient way to get started, self-hosting offers significant advantages:

  • Full data custody – the encrypted vaults, account metadata and server logs never leave your infrastructure
  • Control over security and availability (patching cadence, network exposure, backup policy)
  • Customization for specific needs (SMTP, SSO, network placement)
  • Cost savings at scale compared to per-user subscription plans (a licence file from your bitwarden.com account is still needed to unlock paid organization features on a self-hosted server)
  • Data-residency and regulatory requirements for enterprises (HIPAA etc.)

For individuals as well as large teams, keeping the password vault on premises is a major benefit, especially when it holds the credentials for other sensitive systems.

Let us look at how to install Bitwarden in a self-hosted environment.

Comparing Bitwarden to Other Self-Hosted Options

Popular self-hosted password managers include Bitwarden, KeePass, Passbolt and Passwall. Here is how the first three compare:

Feature               Bitwarden   KeePass                         Passbolt
Browser integration   ✔️          Limited (third-party plugins)   ✔️
Mobile apps           ✔️          ✔️ (third-party ports)           ✔️
Open source           ✔️          ✔️                               ✔️
Encryption            AES-256     AES-256 (or ChaCha20)           AES-256 via OpenPGP

The symmetric encryption is similar across all three, but the models differ: KeePass is a local database file that you synchronize yourself, while Bitwarden and Passbolt are client-server systems. Bitwarden stands out with its wide platform support, consistent user experience across apps and first-party browser integration.

Prerequisites for Self-hosted Setup

Before installing Bitwarden, ensure your Linux server meets the following requirements:

  • 64-bit Ubuntu 20.04 or higher (other Docker-capable distributions also work)
  • A domain name assigned to the server (vault.example.com), with ports 80 and 443 reachable from the clients you intend to serve (port 80 is also used for the Let's Encrypt challenge)
  • Docker Engine and Docker Compose installed
  • 4 GB RAM recommended (2 GB is the documented minimum)
  • 2 CPU cores minimum
  • 12 GB of disk minimum, more if you expect attachments

Here is a quick way to get Docker ready on Ubuntu 22.04 or later (the docker-compose-v2 package is not in the 20.04 archive; there, install Docker Engine and the Compose plugin from Docker's own apt repository instead):

$ sudo apt update
$ sudo apt install docker.io docker-compose-v2
$ sudo systemctl enable --now docker
$ docker compose version

The last command confirms the Compose v2 plugin is available; current releases of the installer script call docker compose.

Also create a DNS A (or AAAA) record pointing the domain name at the server's public IP address, and confirm it resolves before running the installer; the Let's Encrypt step fails otherwise.

Step 1 – Download Bitwarden Installer Script

Bitwarden provides an official bash script that bootstraps the installation using Docker. Run it as a dedicated, unprivileged user that is a member of the docker group rather than as root (docker group membership is itself root-equivalent, so treat that account as privileged).

Download the script, inspect it, then execute it:

$ curl -Lso bitwarden.sh https://go.btwrdn.co/bw-sh
$ less bitwarden.sh
$ chmod 700 bitwarden.sh
$ ./bitwarden.sh install

This launches an interactive installer that asks for:

  • The domain name the vault will be served on
  • Whether to request a Let's Encrypt TLS certificate (or supply your own)
  • The installation ID and key, obtained from https://bitwarden.com/host
  • The region (US or EU cloud) used for licence and push-notification relay

Follow the prompts. The database password and other secrets are generated for you and written under ./bwdata; at the end the installer pulls the Bitwarden Docker images (nothing is built locally).

Step 2 – Managing Bitwarden Containers

The installer uses Docker Compose to start a set of containers. The main ones are:

Container   Description
nginx       Front-end web server and reverse proxy; terminates TLS
web         The Angular web vault served to browsers
admin       Server admin portal (user lookup, logs, licence and update status)
api         Core API serving the clients' encrypted vault data
identity    Authentication and token issuance (OpenID Connect / OAuth2)
mssql       SQL Server database holding the encrypted vault data and account records

A standard install also runs attachments, icons, notifications, events and sso containers. Together they serve the Bitwarden application; host-mounted volumes under ./bwdata persist data outside the containers.

Day-to-day management goes through the same script: ./bitwarden.sh start, stop and restart; ./bitwarden.sh updateself followed by ./bitwarden.sh update to upgrade; and ./bitwarden.sh rebuild after changing configuration.

Key files under ./bwdata:

config.yml                 Installer settings (domain, ports, TLS, database); edit, then run ./bitwarden.sh rebuild
env/global.override.env    Runtime settings such as SMTP, admin portal users and the installation key
docker/docker-compose.yml  Generated from config.yml; do not edit by hand
nginx/default.conf         Generated configuration for the nginx container

Step 3 – Access the Bitwarden Web UI

Once the images are pulled and the containers are running (./bitwarden.sh start), the web vault is reachable at https://<your domain>. Check that the browser shows the Let's Encrypt certificate without warnings before creating any accounts.

Register a new account and log in to reach the vault. By default anyone who can reach the server can register an account; once your own accounts exist, set globalSettings__disableUserRegistration=true in bwdata/env/global.override.env and restart the stack so the server is not open to strangers.

Now you can get started with creating secure password vaults!

Storage and Backup Considerations

All state of a self-hosted Bitwarden lives in host-mounted volumes under ./bwdata on local disk or attached storage. This includes:

  • SQL Server database files (mssql/data), plus the nightly database backups the mssql container writes to mssql/backups
  • Attachment files (core/attachments)
  • Configuration and secrets (config.yml, env/*.env, TLS certificates and keys)

Because the env files contain the database password and installation key, a backup is as sensitive as the server itself: encrypt it and restrict who can read it.

Recommended approaches to backing up Bitwarden data include:

  • Copying the whole ./bwdata directory on a schedule (the nightly .BAK files in mssql/backups give a consistent database snapshot, so the copy does not have to stop the stack)
  • Filesystem or volume snapshots (LVM, ZFS, or the cloud provider's disk snapshots)
  • Syncing the volume to a remote host or object storage, encrypted in transit and at rest

Test restores regularly: a backup that has never been restored into a scratch environment is an assumption, not a recovery plan.
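As an added illustration of that backup-verify-restore loop (example tooling written for this article, not Bitwarden's own scripts), the following Python script archives a bwdata directory, writes a SHA-256 sidecar, checks that the archive contains the paths a standard install produces, then restores into a scratch directory and compares every file digest with the live tree. The bwdata tree it creates is constructed demo data, and REQUIRED_PATHS assumes the default installer layout; in practice you would point create_backup() at the real ./bwdata next to bitwarden.sh.

```python
"""Back up a self-hosted Bitwarden bwdata directory and prove it restores.

Added example for this article, not Bitwarden's own tooling. The bwdata tree
used in the demo is constructed with placeholder contents; point
create_backup() at the real ./bwdata next to bitwarden.sh in practice.
"""
import hashlib
import os
import tarfile
import tempfile
import time
from pathlib import Path

# Paths the standard installer creates under ./bwdata (assumption: default layout).
# A backup missing any of them cannot restore a working server.
REQUIRED_PATHS = ("config.yml", "env/global.override.env", "mssql/backups", "core/attachments")


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 (backups can be many GB)."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def tree_digests(root: Path) -> dict:
    """Relative path -> SHA-256 for every regular file under root."""
    return {str(p.relative_to(root)): sha256_file(p) for p in root.rglob("*") if p.is_file()}


def create_backup(bwdata: Path, dest_dir: Path) -> Path:
    """Write dest_dir/bwdata-<timestamp>.tar.gz plus a .sha256 sidecar, owner-readable only."""
    dest_dir.mkdir(parents=True, exist_ok=True)
    archive = dest_dir / f"bwdata-{time.strftime('%Y%m%dT%H%M%S')}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(bwdata, arcname="bwdata")
    os.chmod(archive, 0o600)  # the env files inside hold the DB password and installation key
    Path(f"{archive}.sha256").write_text(f"{sha256_file(archive)}  {archive.name}\n")
    return archive


def verify_backup(archive: Path) -> bool:
    """Check the sidecar digest, then that every required path is inside the archive."""
    recorded = Path(f"{archive}.sha256").read_text().split()[0]
    if sha256_file(archive) != recorded:
        return False
    with tarfile.open(archive, "r:gz") as tar:
        names = set(tar.getnames())
    return all(f"bwdata/{p}" in names for p in REQUIRED_PATHS)


def restore_check(archive: Path, live: Path) -> bool:
    """Restore into a scratch directory and compare file digests against the live tree."""
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            try:
                tar.extractall(scratch, filter="data")  # refuses path traversal and device nodes
            except TypeError:  # Python without the extraction-filter backport
                tar.extractall(scratch)
        return tree_digests(Path(scratch) / "bwdata") == tree_digests(live)


def build_demo_bwdata(root: Path) -> Path:
    """Constructed miniature bwdata tree; values are placeholders, not real secrets."""
    bwdata = root / "bwdata"
    for sub in ("env", "mssql/backups", "core/attachments"):
        (bwdata / sub).mkdir(parents=True)
    (bwdata / "config.yml").write_text("url: https://vault.example.com\n")
    (bwdata / "env/global.override.env").write_text("globalSettings__installation__id=PLACEHOLDER\n")
    (bwdata / "mssql/backups/vault_FULL_demo.BAK").write_bytes(b"constructed database dump")
    (bwdata / "core/attachments/demo.bin").write_bytes(os.urandom(64))
    return bwdata


def run_demo() -> dict:
    """Back up, verify, test-restore, then corrupt the archive and confirm detection."""
    with tempfile.TemporaryDirectory() as tmp:
        bwdata = build_demo_bwdata(Path(tmp))
        archive = create_backup(bwdata, Path(tmp) / "backups")
        good = verify_backup(archive) and restore_check(archive, bwdata)
        with archive.open("ab") as f:  # simulate bit rot or tampering
            f.write(b"\x00")
        return {"backup_ok": good, "tampered_detected": not verify_backup(archive)}


if __name__ == "__main__":
    print(run_demo())
```

The sidecar digest catches silent corruption of the archive, the required-path check catches an incomplete copy (for example a cron job that ran before mssql/backups was populated), and the scratch restore is the only step that actually proves recoverability. Schedule all three, not just the tar.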

Going Global with Load Balancing

The installer produces a single-host Docker Compose stack. For large deployments the stateless containers (nginx, web, api, identity and the rest) can run on several hosts or regions behind load balancers, which gives high availability and lower latency for distributed teams, provided the stateful parts are handled deliberately.

Some proven building blocks include:

  • Native Docker Swarm clusters
  • Orchestrators like Kubernetes
  • Cloud load balancers (for example AWS Elastic Load Balancing)
  • NGINX Plus or HAProxy in front of multiple stacks

The database is the hard part: SQL Server must keep exactly one writable primary (for example an Always On availability group with automatic failover), and the attachments directory must sit on shared or replicated storage. The Docker Compose deployment does none of this for you; a multi-node rollout needs its own design and failover testing.

Advanced Configurations for Custom Needs

Once Bitwarden is running, further hardening and customization can tailor it to your team's requirements:

Email Integration

Configure SMTP so the server can send the emails the product relies on: email verification for new accounts, organization invitations, master password hints, new-device login notices and email-based two-step login codes. Without SMTP, invitations and email two-step login simply do not work.

If mail must leave your network through a relay, one option is a Postfix relay container next to the stack. Example Compose file for such a relay (the mounted main.cf and sasl_passwd hold the upstream relay host and its credentials):

version: '3'

services:
  postfix:
    image: namshi/smtp
    restart: always
    volumes:
      - /etc/postfix/main.cf:/etc/postfix/main.cf:ro
      - /etc/postfix/sasl_passwd:/etc/postfix/sasl_passwd:ro

Either attach the relay to the Bitwarden containers' Docker network or publish its port 25 on a loopback address and point Bitwarden at the Docker host. Bitwarden itself is told where to send mail through the settings in bwdata/env/global.override.env (globalSettings__mail__replyToEmail, globalSettings__mail__smtp__host, globalSettings__mail__smtp__port, globalSettings__mail__smtp__ssl, globalSettings__mail__smtp__username and globalSettings__mail__smtp__password), followed by ./bitwarden.sh restart. Keep sasl_passwd readable only by root and use TLS (port 587 with STARTTLS or 465) to the upstream relay.

Full email integration documentation: https://bitwarden.com/help/smtp

Access Policies

To restrict who can reach the Bitwarden installation itself:

  • Allowlist source IP ranges at the infrastructure firewall or reverse proxy (remember that mobile clients then need a VPN to sync)
  • Limit the admin portal: only the emails listed in adminSettings__admins in bwdata/env/global.override.env can log in, and the /admin path can additionally be IP-restricted
  • Keep everything other than the HTTPS endpoint off the public interface; SQL Server (port 1433) is not published by the installer and should stay that way
  • Use a VPN tunnel with MFA for management access (SSH and the admin portal)

Example NGINX server block for a reverse proxy in front of the stack. For this layout set ssl: false and a non-conflicting http_port in bwdata/config.yml and run ./bitwarden.sh rebuild, so TLS terminates at this proxy:

server {
    listen 443 ssl;
    server_name vault.example.com;
    ssl_certificate     /etc/letsencrypt/live/vault.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/vault.example.com/privkey.pem;

    # allow/deny test the TCP source address; behind another proxy or CDN use
    # set_real_ip_from / real_ip_header, or the rules evaluate the proxy's IP instead.
    allow 192.168.1.77;
    deny  all;

    location / {
        proxy_pass http://bitwarden;   # upstream block pointing at the Bitwarden nginx container
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

Maintaining Availability and Integrity

Here are some tips for keeping self-hosted Bitwarden reliable and consistent:

  • Health checks and automatic restart – the generated Compose file uses restart: always; add an external probe of https://<domain>/api/alive so you learn about outages before users do
  • Hardware and OS redundancy
  • Controlled upgrades – run ./bitwarden.sh updateself and ./bitwarden.sh update on a staging copy first, and take a backup immediately before upgrading production
  • Backups with restore testing
  • Monitoring of CPU, memory and disk – a full disk stops SQL Server, and with it every login
  • TLS everywhere with no plaintext fallback, so session tokens cannot be intercepted and replayed

Understanding Bitwarden Encryption

Bitwarden encrypts vault data on the client before it is sent or stored; the server only ever handles ciphertext (the zero-knowledge model). Password-based key derivation and authenticated encryption are combined so that usability and protection both hold.

Let's analyze the main layers:

  • TLS – all client/server traffic travels over HTTPS, which protects the ciphertext and the session tokens in transit
  • Master key – derived on the client from the master password with PBKDF2-SHA256 (600,000 iterations by default) or Argon2id, salted with the account email; a further PBKDF2 round over the master key produces the hash sent for login, so the server never receives the master key or the password
  • Key stretching – HKDF expands the master key into a 256-bit AES key and a separate 256-bit HMAC key; these protect a randomly generated symmetric key that actually encrypts the vault items, so changing the master password re-wraps one key rather than re-encrypting every item
  • Encrypt-then-MAC – items are encrypted with AES-256-CBC and authenticated with HMAC-SHA256 over the IV and ciphertext; the MAC is checked before decryption, so altered ciphertext is rejected rather than decrypted to garbage

Together these mechanisms ensure that only a user holding the master password can unlock a vault, and that an attacker with read or write access to the database (or to a backup) cannot read or silently alter its contents. The strength of the whole chain still rests on the master password and the KDF settings.
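To make those layers concrete, here is an added example (written for this article, not Bitwarden's client code) that reproduces the key-derivation and integrity steps for a PBKDF2 account in pure Python: the PBKDF2-SHA256 master key salted with the normalized email, the login hash, HKDF-Expand into separate encryption and MAC keys, and verification of a type-2 cipher string's HMAC before any decryption. The ciphertext bytes are constructed random data standing in for an AES-CBC output (the AES step is omitted to keep the example dependency-free), and the iteration count in the demo is lowered for speed.

```python
"""Bitwarden-style key derivation and vault integrity check (PBKDF2 account).

Added example for this article, not Bitwarden's client code. It follows the
documented scheme: master key = PBKDF2-SHA256(master password, salt = normalized
email); login hash = one further PBKDF2 round; HKDF-Expand splits the master key
into separate AES-256 and HMAC-SHA256 keys; items are stored as
"2.<iv>|<ciphertext>|<mac>" (type 2 = AES-256-CBC + HMAC-SHA256 over IV||ciphertext).
The AES step itself is omitted; the demo's "ciphertext" is constructed random bytes.
"""
import base64
import binascii
import hashlib
import hmac
import os

KDF_ITERATIONS = 600_000  # Bitwarden's current default for PBKDF2-SHA256 accounts


def master_key(password: str, email: str, iterations: int = KDF_ITERATIONS) -> bytes:
    """256-bit master key, derived on the client; the server never sees it."""
    salt = email.strip().lower().encode()
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=32)


def master_password_hash(mk: bytes, password: str) -> str:
    """Value sent at login: PBKDF2(master key, salt = password, 1 round), base64."""
    return base64.b64encode(hashlib.pbkdf2_hmac("sha256", mk, password.encode(), 1, dklen=32)).decode()


def hkdf_expand(prk: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 HKDF-Expand with SHA-256 (Bitwarden uses the master key directly as PRK)."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def stretch_key(mk: bytes) -> tuple:
    """Stretched key: independent 256-bit encryption and MAC keys from one master key."""
    return hkdf_expand(mk, b"enc"), hkdf_expand(mk, b"mac")


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode()


def mac_cipher_string(mac_key: bytes, iv: bytes, ciphertext: bytes) -> str:
    """Encrypt-then-MAC: the tag covers IV and ciphertext, serialized as a type-2 string."""
    tag = hmac.new(mac_key, iv + ciphertext, hashlib.sha256).digest()
    return f"2.{_b64(iv)}|{_b64(ciphertext)}|{_b64(tag)}"


def verify_cipher_string(mac_key: bytes, cipher_string: str) -> bool:
    """Authenticate before decrypting; any bit flip in IV or ciphertext is rejected."""
    try:
        enc_type, rest = cipher_string.split(".", 1)
        if enc_type != "2":
            return False  # other types use different key material; not handled here
        iv, ciphertext, tag = (base64.b64decode(p, validate=True) for p in rest.split("|"))
    except (ValueError, binascii.Error):
        return False  # malformed string: wrong field count or bad base64
    expected = hmac.new(mac_key, iv + ciphertext, hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected)  # constant-time comparison


def demo() -> dict:
    password, email = "correct horse battery staple", "User@Example.com"
    mk = master_key(password, email, iterations=10_000)  # lowered for demo speed only
    enc_key, mac_key = stretch_key(mk)
    iv, ciphertext = os.urandom(16), os.urandom(48)  # constructed stand-in for AES-CBC output
    cs = mac_cipher_string(mac_key, iv, ciphertext)
    head, body, tag = cs.split("|")
    flipped = bytearray(base64.b64decode(body))
    flipped[0] ^= 0x01  # a one-bit change to the stored ciphertext
    tampered = f"{head}|{_b64(bytes(flipped))}|{tag}"
    return {
        "master_key_bits": len(mk) * 8,
        "enc_key_bits": len(enc_key) * 8,
        "keys_differ": enc_key != mac_key,
        "login_hash_equals_key": master_password_hash(mk, password) == _b64(mk),
        "intact_verifies": verify_cipher_string(mac_key, cs),
        "tampered_verifies": verify_cipher_string(mac_key, tampered),
    }


if __name__ == "__main__":
    print(demo())
```

Two details carry the security argument: the MAC key is distinct from the encryption key, so a tampered record fails verification without the decryption routine ever touching it, and the comparison is constant-time, so a server-side attacker cannot use timing to forge tags byte by byte.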

Scaling Up Performance

Bitwarden is lightweight: the clients do the encryption work, so the server mostly authenticates requests and moves ciphertext. At large enterprise scale a few things matter:

  • Keep attachments modest; they are stored on the server's disk (core/attachments) and count against storage, not the database
  • Give the mssql container enough memory; SQL Server is the heaviest component and every request depends on it
  • Keep the API's per-IP rate limiting enabled and tune its thresholds rather than disabling it; it protects the login and two-step endpoints
  • Scale the stateless containers horizontally behind a load balancer; SQL Server stays a single writable primary
  • Cache or CDN the static web vault assets (JS, CSS) close to users

As per benchmarks gathered on a standard install, an example resource profile looks like this (your numbers will depend on user count and hardware):

Container   CPU usage       Memory   Network Tx / Rx
mssql       35% (1 core)    850 MB   2.3 Mbps / 1.1 Mbps

Careful instance sizing and load testing before rollout keep this overhead in check.

Wrapping Up

Self-hosting Bitwarden gives you full ownership of your password infrastructure without depending on an external provider's availability or data handling. Control over customization, network access and backups lets you meet compliance and organizational policy requirements on your own terms. The client-side encryption model means even your own server holds only ciphertext, as long as master passwords stay strong and backups stay protected.

What are you waiting for? Architect your own Bitwarden installation now!