August 14th, 2024

Vaultwarden: Unofficial Bitwarden compatible server written in Rust

Vaultwarden is a Rust-based self-hosted alternative to Bitwarden, offering features like organization support and various authentication methods. Installation via Docker is easy, and HTTPS is recommended for security.

Vaultwarden: Unofficial Bitwarden compatible server written in Rust

Vaultwarden is an alternative implementation of the Bitwarden server API, developed in Rust for self-hosted deployments. It is particularly suited for users seeking a less resource-intensive option compared to the official Bitwarden service. Vaultwarden fully implements the Bitwarden API, offering features such as support for organizations, attachments, the Vault API, static file serving, website icons API, and authentication methods including U2F, YubiKey, and Duo. It also includes an emergency access feature. Installation can be done easily via Docker with specific commands to ensure persistent data storage. It is recommended to access the web vault through HTTPS to comply with modern web browser security standards, and users can configure HTTPS within Vaultwarden or utilize a third-party reverse proxy. For further configuration and usage details, users can consult the Vaultwarden wiki or seek support through GitHub Discussions or Matrix chat. It is important to note that Vaultwarden operates independently and is not affiliated with the official Bitwarden project or Bitwarden, Inc.

- Vaultwarden is a Rust-based alternative to the Bitwarden server API for self-hosting.

- It includes comprehensive features like organization support, attachments, and various authentication methods.

- Installation is straightforward using Docker, with a focus on data persistence.

- HTTPS access is recommended for security compliance with modern browsers.

- Vaultwarden is not associated with the official Bitwarden project.

14 comments
By @tryfinally - 8 months
I've been self-hosting this for years now, works flawlessly.
By @moontear - 8 months
Since Vaultwarden is gaining traction here, also check out this VERY active PR (including custom build/image) for adding SSO via OpenID Connect: https://github.com/dani-garcia/vaultwarden/pull/3899
By @aborsy - 8 months
Vaultwarden is impressive. Years of work without issue. It supports Yubikey now.

Eventually, I ended up using Pass though, since I prefer terminal. Pass doesn’t have any database to break: it’s just gpg and git. With Yubikey, every password needs a touch.

By @flatline-84 - 8 months
My main issue with Vaultwarden is that there doesn't appear to be any way to migrate a Bitwarden self-hosted instance to it. I run a Bitwarden server for myself and something like 5-10 family & friends so manually migrating everyone's data is tough.

I'd really love to try Vaultwarden, as Bitwarden is pretty heavy on the little server it runs on.

By @cloogshicer - 8 months
I evaluated this for a small business but came to the conclusion that self-hosting this security-critical software would cost more in work hours for initial setup and maintenance than just paying the cloud fees for a few years.

Genuine question: in what scenario are the self-hosting setup and maintenance worth it?

By @miki123211 - 8 months
Is there a good argument for actually using Rust for such things?

I think Rust is a great language, but I think it shines in contexts where you'd previously have used C or C++. Web apps aren't really one of those contexts, unless they're microservices with extreme performance requirements, and this isn't the case here. Why would one choose to write something like this in Rust over easier-to-write languages like Go?

By @zaggynl - 8 months
How does the Bitwarden client handle loss of connection to the Bitwarden or Vaultwarden server?

Last I checked the local cache is gone after so many days, leaving you without your credentials.

A combination of local password manager and a file sync service of your preference seems a good option as well.

By @darthrupert - 8 months
I have successfully used this for some time, but migrated away to just pass because synchronizing a pass "db" with syncthing tends to work much better.
By @cyrnel - 8 months
When you all self-host this, you also do the following, right?

- Create threat models that identify weaknesses in the design of your self-hosted setup.

- Harden the OS with things like MAC, and harden the container with dropped privs, read-only root filesystem, and outbound network filtering.

- Deploy an intrusion detection system to know if you've been compromised.

- Perform all OS and app patching automatically, or regularly without fail.

- Follow CVE feeds in case a zero day needs to be fixed before the next patch window.

- Arrange for an expert to perform regular penetration tests.

- Deploy a tool that detects and alerts on things like firewall misconfigurations.

- Regularly test your backup and recovery methods, since if you also store 2FA codes and backup codes in there, you could be permanently locked out of your accounts.
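The Docker installation the summary mentions, combined with the container-hardening items in the list above (dropped privileges, read-only root filesystem, loopback-only exposure behind an HTTPS reverse proxy), as an added example compose file that is not from the page or from the Vaultwarden project. The image name, the `/data` directory and the `DOMAIN`, `SIGNUPS_ALLOWED`, `ADMIN_TOKEN` and `ROCKET_PORT` settings are assumptions about Vaultwarden; the domain, uid and environment file are placeholders.

```yaml
# Added example, not the project's own compose file. Assumes the
# vaultwarden/server image stores everything under /data, honours
# ROCKET_PORT, and that ./vw-data on the host is owned by uid 1000.
services:
  vaultwarden:
    image: vaultwarden/server:latest   # pin to a reviewed tag in practice
    container_name: vaultwarden
    restart: unless-stopped
    user: "1000:1000"                  # run unprivileged; no root inside the container
    env_file:
      - ./vaultwarden.env              # holds ADMIN_TOKEN (argon2 hash), never committed
    environment:
      DOMAIN: "https://vault.example.com"   # placeholder: must match the public HTTPS URL
      SIGNUPS_ALLOWED: "false"              # close open registration once your users exist
      ROCKET_PORT: "8080"                   # unprivileged port, so no CAP_NET_BIND_SERVICE needed
    volumes:
      - ./vw-data:/data                     # the only writable path; back it up and test restores
    ports:
      - "127.0.0.1:8080:8080"               # loopback only; the reverse proxy terminates HTTPS
    read_only: true                         # read-only root filesystem
    tmpfs:
      - /tmp                                # scratch space that does not survive a restart
    cap_drop:
      - ALL                                 # dropped privileges
    security_opt:
      - no-new-privileges:true              # block setuid escalation inside the container
    networks:
      - vw_net

networks:
  vw_net:
    driver: bridge
```

Outbound filtering is not expressible in compose; apply it on the host (for example with rules in the DOCKER-USER iptables chain) so the container can reach only the SMTP relay and icon sources you intend.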

By @davidee - 8 months
After being fed up with AgileBits' (1P's owner) shenanigans (hiding critical threads on their user forum, ignoring customer voices wilfully, being generally dismissive of criticism), I decided to give Bitwarden a try.

I used it in conjunction with Vaultwarden for a year with the idea that I'd evaluate it as a family-wide replacement for 1P.

In the end I went back to 1P.

1P does some things amazingly well. Here's the shortlist:

- It loads quickly. This wasn't the reason I went back to 1P, but it loads an order of magnitude more quickly than any of Bitwarden's clients: Windows, Linux, iOS, Mac. Bitwarden is slow, slow, slow. I was willing to put up with it for freedom. I wanted Electron 1P to be awful. It's not. Electron Bitwarden kinda is...

- The (I can't believe I'm saying this) killer feature: being able to sort passwords by date (or well - being able to sort at all). If you use a password manager long enough, you'll have a lot of passwords. Sometimes you need to find one manually. Bitwarden made this far more difficult than it needs to be. There's no way to sort the passwords. You have to use the (lackluster) search.

- 1P can put your most recent passwords, secrets and make them easily accessible by default. Yep, more sorting issues. This is particularly helpful in my work related to software and infra development. There are often a lot of secrets, especially during spikes. It's nice to not have to hunt for them too much.

- Shared vaults are better with 1P. Easy to move secrets, easy to de-dupe. Etc. etc.

Everything about Bitwarden is fine for a single, technical user, but it's not for sharing secrets with non-technical family members at any scale. It's just too clumsy with too many sharp edges.

I really, really wanted to leave 1P behind. But I came back to it. And I don't regret it.

By @rkwasny - 8 months
Unfortunately I had to move from Bitwarden after I realised it's sometimes impossible to unlock the password store without a connection to the server.