Self hosted password management with bitwarden_rs

There are a lot of password management solutions out there but to me, it is always a good idea to manage passwords on-premises. By using bitwarden_rs, you can store all your secret info (password, note, two-factor authentication, credit card info) to your own server, even in your tiny raspberry pi .

bitwarden_rs is an unofficial project of bitwarden which is written in Rust. The official self hosted bitwarden package needs minimum 2 GB  ram in order to operate. However, bitwarden_rs needs only 10MB ram and it doesn’t need much cpu usage! More info in reddit.

In this tutorial we will setup bitwarden_rs to google’s always free tier instance running Debian 10. You can follow the same procedure to any server.

Setting up docker & docker-compose

bitwarden_rs needs docker in order to run. So if you don’t have docker & docker-compose installed in your server, please install those first.

1
2
3
4
5
6
7
8

curl -fsSL https://get.docker.com -o get-docker.sh
sh get-docker.sh
#Installing docker-compose (https://docs.docker.com/compose/install/)
sudo curl -L "https://github.com/docker/compose/releases/download/1.25.4/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
sudo chmod +x /usr/local/bin/docker-compose
#Adding current user to docker group
sudo usermod -aG docker $USER
exit

Log back to the server again.

Setting up dns & certificates

We will setup a dns record to our domain so that we can visit bitwarden_rs admin panel like this: https://bitwarden.example.tld

First, please create a subdomain/domain which points to your server’s IP address. In my case, I am using cloudflare to do that job

Next, I will setup SSL for this domain. Here I will use cloudflare’s free SSL. However, you can use Let’s encrypt’s free SSL also.

If you use cloudflare & wanted to use cloudflare’s free SSL, please follow the below steps in order to generate certificate and private key.

Please go to SSL/TLS tab and click Origin Server. Now create certificate and key for the domain:

Now copy the generated key and create a new text file and paste the code. Save as **key.pem **(make sure no .txt extension at the end).

Now again, copy the generated private key and create a new text file and paste the code. Save as **fullchain.pem **(make sure no .txt extension at the end also).

Installing bitwarden_rs in server

Now go back to the server and create a directory within your home directory

1
2

mkdir -p ~/bitwarden_rs/ssl
cd ~/bitwarden_rs/ssl

Now transfer key.pem and fullchain.pem files to the ssl directory.

Now go back to the bitwarden_rs directory and create a file named docker-compose.yml

1
2

cd ~/bitwarden_rs
nano docker-compose.yml

Open the file with any text editor you like (I used nano) and paste the following code:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16

version: '3'

services:
 bitwarden:
  image: bitwardenrs/server
  restart: always
  volumes:
      - ./bw-data:/data
      - ./ssl:/ssl
  ports:
    - 443:80
  environment:
   ROCKET_TLS: '{certs = "/ssl/fullchain.pem", key = "/ssl/key.pem"}'
   LOG_FILE: '/data/bitwarden.log'
   SIGNUPS_ALLOWED: 'true'
   DOMAIN: 'https://bitwarden.example.tld'

Change DOMAIN: ‘https://bitwarden.example.tld’ to your domain name. Save and exit.

Now that we have our docker-compose.yml file ready, let’s run it (make sure that you are in bitwarden_rs folder)

1

docker-compose up -d

The application will start in a few seconds and it will be detached (-d flag) in order to run in background.

Visit https://bitwarden.example.tld. You should see that page. Means your self hosted password management service is ready!

If you need to stop the service

1

docker-compose stop

If you want to delete the service

1

docker-compose down

Please visit bitwarden_rs wiki for more info.