Bitwarden Repo



This write-up is a product of my quest to self-host Bitwarden on a free-tier cloud product. Following these instructions, you should have a self-hosted Bitwarden password manager with all the benefits of running it in the cloud. *The only way this might not be free is if you exceed the 1GB egress or have any egress to China or Australia. In this guide I talk about best practices for avoiding this kind of traffic to keep this as free as possible. The end product is a Github repo (link below). The readme.md found in that repo should be enough to get going if you’re not new to projects like this, whereas the text below has a bit more detail if you need it.


Apr 17, 2020. Github Repo here! With everything happening in the world many people are spending a lot more time at home, myself included.

Update July 2020 I added a new script and section for rebooting the host vm when updates have been made to the OS, ensuring that the host system stays patched and secure against n-day vulnerabilities.

Update June 2020 I added fail2ban to block brute-force attacks on the webvault and country-wide blocking to avoid egress charges to China and Australia, or to block other countries that you might want. I added countryblock to block entire countries, and I also added a watchtower container as suggested by this comment, thanks ldw.

Update May 2020 Originally I used a home-grown dynamic dns script for Cloudflare, but it won’t be as well supported as ddclient, so I swapped out my script for linuxserver’s ddclient container. My original Cloudflare DDNS script can be found here.

I’ve been meaning to self-host Bitwarden for some time. If you don’t know about Bitwarden, it’s a password manager that’s open source and allows you to host it yourself! Now my encrypted password data is even more in my control. While I have a home server, I want to limit its exposure to the public Internet. Any service you expose to the Internet can become a pivot point to the rest of your internal network.

I saw that Google Cloud offers an ‘always free’ tier of their Compute Engine. Will one shared core and 614 MB of memory be enough for Bitwarden? According to the system requirements Bitwarden requires 2GB of RAM, but reports in its Github issue tracker say that even that is not enough. I went through the trouble of trying it out anyway and it failed spectacularly, the install script couldn’t even finish. There is, however, a lightweight alternative: Bitwarden RS. It’s written in Rust and an ideal candidate for a micro instance.

  • Bitwarden self-hosted
  • Automatic https certificate management through Caddy 2 proxy
  • Dynamic DNS updates through ddclient
  • Blocking brute-force attempts with fail2ban
  • Country-wide blocking through iptables and ipset
  • Container images kept up-to-date with watchtower

Before you start, ensure you have the following:

  1. A Google Cloud account with billing set up (so they can bill you if you use their non-free services)
  2. A DNS provider that is supported by ddclient for dynamic DNS support; a list of supported DNS services can be seen here. Note: not all DDNS providers are supported by LetsEncrypt; YMMV.

At the time of writing this, Google offers one free Google Compute Engine f1-micro instance with the following specifications:

To get started, go to Google Compute Engine (after doing all the necessary setup of creating a project, and providing billing info if necessary - don’t worry, this will cost exactly $0.00 each month if done correctly) and open a Cloud Shell. You can create the instance manually, but the Cloud Shell makes everything easier. In the Cloud Shell (a small icon in the upper right corner of your Google Cloud console), the following command will build the properly spec’d machine:

You can change the zone if you’d like, however only some have the f1-micro machine-type available. The tags open up the firewall HTTP and HTTPS (HTTP is required later). I’m using the maximum free HDD because apparently I get higher IOPS and it will allow me to maximize the amount of encrypted attachments I can have on this.

I am using the stable Container Optimized OS (COS) for several reasons, primarily:

  1. It’s optimized for Docker containers - less overhead to consume RAM
  2. It’s secure by default - security updates are automatically installed and security is locked down by default

CoreOS was also a contender but it used more memory at idle in my limited testing.

Important: Close the Cloud Shell and continue in the vm instance’s SSH shell by selecting the instance in the Google Cloud Console and clicking the SSH button.

Enter a SSH shell on the new vm instance by clicking the instance’s SSH button. Once you’re in the new shell, clone this repo in your home directory:

Before you can start everything up, you need to set up the docker-compose alias by running the utilities/install-alias.sh script (you can read more about why this is necessary here). The script just writes the alias to ~/.bash_alias and includes it in ~/.bashrc:

.env file

I provide .env.template which should be copied to .env and filled out. Most of your configuration is done in .env and is self-documented. This file is a collection of environmental variables that are read by docker-compose and passed into their respective containers.

Configure fail2ban (optional)

fail2ban stops brute-force attempts at your vault. It will ban an ip address for a length of time (6 hours by default in this configuration) after a number of attempts (5). You may change these options in the file fail2ban/jail.d/jail.local:

This will work out of the box - no fail2ban configuration is needed unless you want e-mail alerts of bans. To enable alerts, enter the SMTP settings in .env, then follow the instructions in fail2ban/jail.d/jail.local: uncomment and fill in destemail and sender, and uncomment the action_mwl action in the bitwarden and bitwarden-admin jails in the same file.
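To make the ban logic concrete, here is an added example (mine, not code from the bitwarden_gcloud repository or from fail2ban) that applies the same maxretry/findtime/bantime rule to a constructed set of bitwarden_rs log lines. The message text follows bitwarden_rs's failed-login line that the repository's filter matches on; the timestamp and module prefix are an assumed layout, and the names Jail, scan and parse_ts are this example's own.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log. The message text follows bitwarden_rs's failed-login
# line, which is what the repository's fail2ban filter matches on; the timestamp
# and module prefix are an assumed layout for this example.
SAMPLE_LOG = """\
[2020-06-01 12:00:01][bitwarden_rs::api::identity][ERROR] Username or password is incorrect. Try again. IP: 198.51.100.7. Username: alice@example.com.
[2020-06-01 12:00:09][bitwarden_rs::api::identity][ERROR] Username or password is incorrect. Try again. IP: 198.51.100.7. Username: alice@example.com.
[2020-06-01 12:00:15][bitwarden_rs::api::identity][ERROR] Username or password is incorrect. Try again. IP: 198.51.100.7. Username: bob@example.com.
[2020-06-01 12:00:22][bitwarden_rs::api::identity][ERROR] Username or password is incorrect. Try again. IP: 198.51.100.7. Username: carol@example.com.
[2020-06-01 12:00:30][bitwarden_rs::api::identity][ERROR] Username or password is incorrect. Try again. IP: 198.51.100.7. Username: alice@example.com.
[2020-06-01 12:01:00][bitwarden_rs::api::identity][INFO] unrelated line that the filter must ignore
[2020-06-01 12:05:00][bitwarden_rs::api::identity][ERROR] Username or password is incorrect. Try again. IP: 203.0.113.9. Username: dave@example.com.
[2020-06-01 12:40:00][bitwarden_rs::api::identity][ERROR] Username or password is incorrect. Try again. IP: 203.0.113.9. Username: dave@example.com.
"""

TS_FMT = "%Y-%m-%d %H:%M:%S"
# Equivalent of fail2ban's failregex: anchor on the exact message and capture <HOST>.
FAIL_RE = re.compile(
    r"^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\].*"
    r"Username or password is incorrect\. Try again\. IP: (?P<ip>[0-9a-fA-F.:]+)\. Username:"
)


def parse_ts(text):
    """Parse a log timestamp (also used by the tests)."""
    return datetime.strptime(text, TS_FMT)


class Jail:
    """maxretry failures from one IP inside findtime => ban that IP for bantime."""

    def __init__(self, maxretry=5, findtime=timedelta(minutes=10), bantime=timedelta(hours=6)):
        self.maxretry, self.findtime, self.bantime = maxretry, findtime, bantime
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.bans = {}                       # ip -> moment the ban expires

    def is_banned(self, ip, at):
        expiry = self.bans.get(ip)
        return expiry is not None and at < expiry

    def observe(self, line):
        """Feed one log line; return the IP if this line triggered a ban, else None."""
        match = FAIL_RE.match(line)
        if match is None:
            return None
        ts, ip = parse_ts(match["ts"]), match["ip"]
        window = self.failures[ip]
        window.append(ts)
        while window and ts - window[0] > self.findtime:  # drop failures outside findtime
            window.popleft()
        if len(window) >= self.maxretry and not self.is_banned(ip, ts):
            self.bans[ip] = ts + self.bantime
            window.clear()
            return ip
        return None


def scan(lines, **jail_options):
    """Run a jail over a sequence of log lines; return (jail, IPs banned in order)."""
    jail = Jail(**jail_options)
    banned = [ip for ip in map(jail.observe, lines) if ip is not None]
    return jail, banned


if __name__ == "__main__":
    jail, banned = scan(SAMPLE_LOG.splitlines())
    for ip in banned:
        print(f"ban {ip} until {jail.bans[ip]:{TS_FMT}}")
```

With the defaults from jail.local (5 attempts, 6-hour ban) the burst from 198.51.100.7 is banned at its fifth failure, while the two failures from 203.0.113.9 are 35 minutes apart, so the first has already aged out of the window by the time the second arrives.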

Configure Country-wide Blocking (optional)

The countryblock container will block ip addresses from countries specified in .env under COUNTRIES. China, Hong Kong, and Australia (CN, HK, AU) are blocked by default because Google Cloud will charge egress to those countries under the free tier. You may add any country you like to that list, or clear it out entirely if you don’t want to block those countries. Be aware, however, you’ll probably be charged for any traffic to those countries, even from bots or crawlers.

This country-wide blocklist will be updated daily at midnight, but you can change the COUNTRYBLOCK_SCHEDULE variable in .env to suit your needs.

These block-lists are pulled from www.ipdeny.com on each update.
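Because the block-lists are downloaded from a third party and then fed straight into the host firewall, it is worth validating them before they reach ipset. The following is an added example of mine (not the countryblock container's own script) that parses a constructed zone file in the ipdeny one-CIDR-per-line layout, rejects anything that is not a strict CIDR, merges adjacent prefixes, and emits an ipset restore script that swaps the new set in atomically. The set names, the tmp-set/swap pattern and the function names build_plan and parse_zone_file are this example's own choices.

```python
import ipaddress

# Constructed sample in the ipdeny zone-file layout (one CIDR per line). It
# deliberately contains adjacent and overlapping prefixes, an IPv6 prefix, and
# two malformed lines of the kind a corrupted or tampered download could carry.
SAMPLE_ZONE = """\
# zone file header comment
198.51.100.0/25
198.51.100.128/25
203.0.113.0/24
203.0.113.64/26
192.0.2.0/33
192.0.2.0/24 extra-field
2001:db8::/32
"""


def parse_zone_file(text):
    """Return (valid networks, rejected lines). Only strict CIDR notation is accepted,
    so nothing that is not a prefix can ever reach an ipset or iptables command line."""
    nets, rejected = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            nets.append(ipaddress.ip_network(line, strict=True))
        except ValueError:
            rejected.append(line)
    return nets, rejected


def build_plan(country, zone_text):
    """Build the one-time firewall commands and the per-refresh ipset restore script
    for one country code. Set names and the tmp/swap pattern are this example's own."""
    nets, rejected = parse_zone_file(zone_text)
    by_version = {4: [], 6: []}
    for net in nets:
        by_version[net.version].append(net)
    restore, commands, prefixes = [], [], {}
    for version, family, fw in ((4, "inet", "iptables"), (6, "inet6", "ip6tables")):
        collapsed = list(ipaddress.collapse_addresses(by_version[version]))
        prefixes[version] = [str(n) for n in collapsed]
        if not collapsed:
            continue
        name = f"countryblock-{country.lower()}-v{version}"
        tmp = name + "-tmp"
        # Run once: create the live set (idempotent) and hook it into INPUT.
        commands.append(f"ipset create {name} hash:net family {family} -exist")
        commands.append(f"{fw} -I INPUT -m set --match-set {name} src -j DROP")
        # Fed to `ipset restore` on every refresh: fill a temporary set, then swap
        # it in atomically so there is never a window with an empty blocklist.
        restore.append(f"create {tmp} hash:net family {family}")
        restore.extend(f"add {tmp} {n}" for n in collapsed)
        restore.append(f"swap {tmp} {name}")
        restore.append(f"destroy {tmp}")
    return {"commands": commands, "ipset_restore": "\n".join(restore) + "\n",
            "prefixes": prefixes, "rejected": rejected}


if __name__ == "__main__":
    plan = build_plan("CN", SAMPLE_ZONE)
    print("\n".join(plan["commands"]))
    print(plan["ipset_restore"], end="")
    print("rejected:", plan["rejected"])
```

On the sample, the two /25s and the /26 nested in a /24 collapse to two IPv4 prefixes, the IPv6 prefix gets its own set under ip6tables, and both malformed lines are reported rather than silently passed to the firewall.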

Configure Automatic Rebooting After Updates (optional)

Container-Optimized OS will automatically update itself, but the update will only be applied after a reboot. In order to ensure that you are using the most current operating system software, you can set a boot script that waits until an update has been applied to schedule a reboot.

Before you start, ensure you have compute-rw scope for your bitwarden compute vm. If you used the gcloud command above, it includes that scope. If not, go to your Google Cloud console and edit the “Cloud API access scopes” to have “Compute Engine” show “Read Write”. You need to shut down your compute vm in order to change this.

Modify Reboot Script

Before adding the startup script to Google metadata, modify the script to set your local timezone and the time to schedule reboots: set the TZ= and TIME= variables in utilities/reboot-on-update.sh. By default the script will schedule reboots for 06:00 UTC.

Add Startup Script to Metadata

From within your compute vm console, type the command toolbox. This command will download the latest toolbox container if necessary and then drop you into a shell that has the gcloud tool you need to use. Whenever you’re in toolbox, typing the exit command will return you to your compute vm.

From within toolbox, find the utilities folder within bitwarden_gcloud. toolbox mounts the host filesystem under /media/root, so go there to find the folder. It will likely be in /media/root/home/<google account name>/bitwarden_gcloud/utilities - cd to that folder.

Next, use gcloud to add the reboot-on-update.sh script to your vm’s boot script metadata with the add-metadata command:

If you have forgotten your instance name, look at the Google Cloud Compute console or find it from within toolbox with the gcloud command: # gcloud compute instances list

Confirm Startup Script

You can confirm that your startup script has been added in your instance details under “Custom metadata” on the Compute Engine Console.

Next, restart your vm with the command $ sudo reboot. Once your vm has rebooted, you can confirm that the startup script was run with the command:

You should see something like these lines in the log:

Now the script will wait until a reboot is pending and then schedule a reboot for the time configured in the script.


If necessary you can run the startup script manually with the command $ sudo google_metadata_script_runner --script-type startup --debug, and get the status of automatic updates with the command $ sudo update_engine_client --status.
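The reboot script's two jobs are to notice that update_engine has staged an update and to turn the TZ and TIME settings into the next concrete reboot moment. The following is an added example of mine, not the repository's reboot-on-update.sh, that does both on constructed input: the KEY=VALUE layout and the CURRENT_OP value UPDATE_STATUS_UPDATED_NEED_REBOOT are assumptions about update_engine_client --status output, and the names schedule_reboot, next_occurrence, utc and fixed_offset are this example's own.

```python
from datetime import datetime, time, timedelta, timezone

# Assumed CURRENT_OP value reported by update_engine_client --status once an
# update has been applied and is only waiting for a reboot.
NEED_REBOOT = "UPDATE_STATUS_UPDATED_NEED_REBOOT"

# Constructed samples in the KEY=VALUE layout of update_engine_client --status
# (the set of keys is assumed; only CURRENT_OP matters for the decision).
STATUS_IDLE = """\
LAST_CHECKED_TIME=1593590400
PROGRESS=0.000000
CURRENT_OP=UPDATE_STATUS_IDLE
NEW_VERSION=0.0.0.0
NEW_SIZE=0
"""
STATUS_PENDING = STATUS_IDLE.replace("UPDATE_STATUS_IDLE", NEED_REBOOT)


def parse_update_status(output):
    """Turn KEY=VALUE lines into a dict, ignoring anything without an '='."""
    status = {}
    for line in output.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            status[key.strip()] = value.strip()
    return status


def reboot_pending(output):
    return parse_update_status(output).get("CURRENT_OP") == NEED_REBOOT


def next_occurrence(now_utc, tz, at):
    """First moment strictly after now_utc at which the wall clock in tz reads
    `at` (HH:MM). Returned in UTC, which is what a host-side scheduler should store."""
    hour, minute = (int(part) for part in at.split(":"))
    local_now = now_utc.astimezone(tz)
    candidate = datetime.combine(local_now.date(), time(hour, minute), tzinfo=tz)
    if candidate <= local_now:  # already past today's slot: take tomorrow's
        candidate = datetime.combine(local_now.date() + timedelta(days=1),
                                     time(hour, minute), tzinfo=tz)
    return candidate.astimezone(timezone.utc)


def schedule_reboot(status_output, now_utc, tz=timezone.utc, at="06:00"):
    """None while no reboot is pending; otherwise the UTC moment to reboot at."""
    if not reboot_pending(status_output):
        return None
    return next_occurrence(now_utc, tz, at)


def utc(*parts):
    """Helper: build an aware UTC datetime (used by the demo and the tests)."""
    return datetime(*parts, tzinfo=timezone.utc)


def fixed_offset(hours):
    """Helper: a fixed-offset zone. On a real host pass zoneinfo.ZoneInfo(TZ) instead,
    so that daylight-saving changes are handled for you."""
    return timezone(timedelta(hours=hours))


if __name__ == "__main__":
    print(schedule_reboot(STATUS_IDLE, utc(2020, 7, 1, 15, 0)))
    print(schedule_reboot(STATUS_PENDING, utc(2020, 7, 1, 15, 0), fixed_offset(-4), "06:00"))
```

Keeping the scheduled moment in UTC avoids the classic mistake of comparing a local wall-clock time against the host's UTC clock; the local zone is only used to interpret the TIME setting.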

Security

Use docker-compose to get the containers started:

Normally, you’d include a -d, as in $ docker-compose up -d; however, the first time it is nice to see the initial startup. You should see the caddy service attempt to use ACME to auto-negotiate a Let’s Encrypt SSL cert, for example. It will fail because you don’t have DNS properly set up yet, which is fine. It will keep trying.

If you need to open another SSH session to continue, do that from the Google Cloud Console.

DDNS is optional in the sense that you can manually set your DNS record to your ephemeral address, but I don’t know how often Google gives you a new address. Furthermore, LetsEncrypt has a problem with some DDNS providers, so having a real DNS provider like Cloudflare, etc, may be necessary.

Google charges for static IPs, but their ephemeral IPs are free.

Before you can get an SSL cert issued by Caddy/LetsEncrypt, you need a DNS record that points to your Google Cloud vm. You’ll notice in your logs that Caddy/LetsEncrypt will keep trying with the ACME protocol.

Dynamic DNS is supported using ddclient through the ddclient docker container. The ddclient container provides a configuration file at ddns/ddclient.conf that you must edit to work with your particular DNS provider. Their GitHub repo here contains documentation on configuring ddclient and the ddclient.conf file.

Note: ddclient.conf is placed in the ddns/ directory by the ddns container when it is run the first time. Any changes made to this configuration file are automatically read in by the ddns container, so there is no need to stop and start the container; you will see this reflected in the logs.

Cloudflare Instructions

Since I use Cloudflare, I can provide more detail about this step. For other DNS providers, you’re on your own but the documentation for ddclient is pretty helpful.

Edit ddns/ddclient.conf and add the following lines:

Newer commits to ddclient support API tokens which are a better choice than a global key, but those commits haven’t made their way into a full ddclient release, so they haven’t been pulled into the container.


If everything is running properly (the logs will tell you when it isn’t), you can use your browser to visit the address that points to your new Google Cloud Bitwarden vm and start using Bitwarden! Depending on which bootstrapping method you chose in .env (whether you use the /admin page or have open sign-up enabled), you can create your new account and get going!

You should now have a free self-hosted instance of Bitwarden that survives server reboots with an OS that gets timely security patches automatically.

There’s plenty of tweaking and optimization possible, feel free to make this yours. There were many resources that I used to build this guide, many of them listed below. Feel free to comment with any optimizations or issues that you run across.


Cross Platform Bitwarden library and CLI with sudolikeaboss.

Project description

Cross Platform Bitwarden library and CLI with sudolikeaboss functionality.
This repo houses both python and rust versions.
source repo lives @ https://fossil.birl.ca/bitwarden-cli/home
But is mirrored to github:
https://github.com/birlorg/bitwarden-cli
Documentation: https://fossil.birl.ca/bitwarden-cli/doc/trunk/docs/build/html/index.html
Historic fun fact: all crypto code had to be written and stored outside
of the USA at one time.
------------------------------------------------------------
EXAMPLE USAGE:
ALIAS bw=bitwarden
GET HELP:
---------
$ bitwarden --help
Usage: bitwarden [OPTIONS] COMMAND [ARGS]...
Bitwarden CLI program.
Options:
--url TEXT
--identurl TEXT
--debug / --no-debug
--db TEXT
--help Show this message and exit.
Commands:
deletedb ***THIS ERASES DATA*** Flush and empty the...
fetch_name fetch by name.
fetch_uuid fetch by UUID.
find find query in username,uri this does a simpe...
login login to server.
logout logout from server, stop agent and forget all...
pull pull all records from server, updating local...
register register a new account on server.
slab run in slab mode.
sql query the local data store using SQL.
status Show various statistics.
$ bitwarden find --help
Usage: bitwarden find [OPTIONS] QUERY
find query in username,uri
this does a simpe python string find i.e.:
if query in username:
but searches against username and first url
You can export it in almost any format you wish with -f
to get the password once you found an entry use fetch_uuid
complicated example:
bw find example.com -f tsv --no-headers | fzf | cut -f 1 | xargs bitwarden fetch_uuid -p
which means: find all entries with example.com in them, use fzf to select
a record and return only the password.
Options:
-f, --format [csv|tsv|json|yaml|html|xls|xlsx|dbf|latex|ods]
--headers / --no-headers
--help Show this message and exit.
---- USAGE:
login:
bw login nobody@example.com
it will prompt you for a password. if you are
a moron, you can specify it with --password <MY PASSWORD HERE> but don't be a
moron.
SLAB mode: 'sudolikeaboss is a simple application that aims to make your life as
a dev, ops, or just a random person who likes to ssh and sudo into boxes much,
much easier by allowing you to access your bitwarden passwords on the terminal.
All you need is iterm2, bitwarden, a mac, and a dream.' - from:
https://github.com/ravenac95/sudolikeaboss
slab command for iTerm2:
export LANG=en_CA.UTF-8;export LOCALE=en_CA.UTF-8; /usr/local/bin/bitwarden slab
if you speak a different language, change the LOCALE and LANG settings above.
We support self-hosted installations just pass --url and --identurl The url will
be saved indefinitely, you do not need to set it every time (not even when you
login again, it will be remembered) see bw login --help for details.
-----------------------------------------------------------------------
SECURITY:
Bitwarden works by having a 'master key' that is computed from your email and
password. This needs to be kept 'safe', but this is a CLI program. We could
store the master key on disk somewhere, but that's a bad idea.
The way we do this is with an in-memory 'agent' that listens on a 127.0.0.1 port
(configurable, but defaults to 6277) see: python/bitwarden/agent.py for all the
details. Bonus if you figure out why that port # :). Ideally on POSIX platforms
it would use a socket on disk somewhere to communicate, but I wanted this to
work on Windows, so this is what we can do.. :) patches welcome to fix this up
on POSIX.
when you login, it starts up the agent, with a timeout set to the login
access_token timeout in seconds, since we do not currently support refreshing
the token. At the end of the token lease, the agent will kill itself and stop
running. (this is configurable, but not exported to the CLI yet -- patches
welcome)
The agent requires a token to get the master key from its in-memory store.
This is currently 16 bytes of os.urandom() on startup and is stored on disk, but
changes every time a new agent runs. Details are in python/bitwarden/db.py
This should mostly function fine on Windows, but is currently untested. bug
reports and patches welcome.
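As an added illustration of the design described above (my own example, not the bitwarden-cli project's agent.py or db.py), the block below keeps a derived master key in memory behind a loopback TCP port, releases it only to a caller presenting the per-run random token, and shuts itself down when the lease expires. The key derivation mirrors Bitwarden's documented scheme (PBKDF2-HMAC-SHA256 with the lowercased e-mail as salt), but the iteration count is an assumption; the class and function names KeyAgent, request_key and derive_master_key are this example's own, and it binds an OS-chosen port rather than the project's 6277 default so it can run beside a real agent.

```python
import hashlib
import hmac
import os
import socket
import socketserver
import threading


def derive_master_key(email, password, iterations=100_000):
    """Master key as Bitwarden clients derive it: PBKDF2-HMAC-SHA256 over the
    password, salted with the lowercased e-mail. Iteration count assumed here."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               email.strip().lower().encode("utf-8"), iterations, 32)


class KeyAgent:
    """Holds the master key in memory only, behind a loopback TCP listener. Callers
    must present the per-run token; the agent shuts itself down when the lease ends."""

    def __init__(self, master_key, ttl_seconds, port=0):
        self.token = os.urandom(16).hex()   # fresh secret every time an agent starts
        self._key = master_key
        agent = self

        class Handler(socketserver.StreamRequestHandler):
            def handle(self):
                presented = self.rfile.readline().strip()
                # constant-time comparison: a wrong token learns nothing from timing
                ok = agent._key is not None and hmac.compare_digest(
                    presented, agent.token.encode("ascii"))
                if ok:
                    self.wfile.write(agent._key.hex().encode("ascii") + b"\n")
                else:
                    self.wfile.write(b"DENIED\n")

        # 127.0.0.1 only; port=0 lets the OS pick a free port (project default: 6277)
        self._server = socketserver.TCPServer(("127.0.0.1", port), Handler)
        self.port = self._server.server_address[1]
        threading.Thread(target=self._server.serve_forever, daemon=True).start()
        # lease: when the token's lifetime is over the agent forgets the key and exits
        self._timer = threading.Timer(ttl_seconds, self.stop)
        self._timer.daemon = True
        self._timer.start()

    def stop(self):
        """Forget the key and close the listener (also run by the lease timer)."""
        self._timer.cancel()
        self._key = None
        self._server.shutdown()
        self._server.server_close()


def request_key(port, token, timeout=2.0):
    """Client side: connect to the agent, present the token, get the key or None."""
    with socket.create_connection(("127.0.0.1", port), timeout=timeout) as conn:
        conn.sendall(token.encode("ascii") + b"\n")
        reply = conn.makefile("rb").readline().strip()
    return None if reply == b"DENIED" else bytes.fromhex(reply.decode("ascii"))


if __name__ == "__main__":
    key = derive_master_key("nobody@example.com", "correct horse battery staple")
    agent = KeyAgent(key, ttl_seconds=60)
    print("agent on port", agent.port)
    print("right token ->", request_key(agent.port, agent.token) == key)
    print("wrong token ->", request_key(agent.port, "0" * 32))
    agent.stop()
```

The token is what the README's db.py stores on disk; the key itself never leaves memory, which is why a token that changes with every agent run matters: a copied token is useless once that agent's lease has ended.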
-----------------------------------------------------------------------
INSTALLATION
NOTE: the rust and python are 2 different implementations that are not
(currently) tied together. You need not install both, just install one (the
python one currently, if you want it to work)..
rust installation:
clone the repo (either fossil or git)
cd rust
cargo build --release
cp target/release/bitwarden /usr/local/bin/bitwarden
then follow DB setup instructions below.
python installation:
clone the repo (either fossil or git)
cd python
python3 setup.py install
then follow DB setup instructions below.
or better yet, use pipenv.
Common to both, the DB setup:
If you have liquibase and the sqlite JDBC driver,
run tools/lb.sh Otherwise copy over the blank DB (with schema installed) I
include in the tools/ dir the directory it belongs in is platform dependent, run
bitwarden and it will tell you. Alternatively you can put the DB wherever you
like and always prepend --db to your commands (not recommended)
-------------------------------------------------------------------
TROUBLESHOOTING:
export DEBUG=true and then run bitwarden. or bitwarden --debug <cmd>
It will output LOTS
of stuff, some of it is security sensitive, so be careful when you copy/paste
the logs.
either email or reach out via fossil or github tickets.
--------------------------------
TODO planned(code welcome):
* Finish off minimal implementation(MVP) of the python version (add, etc)
* Build and release executables for mac and windows. build Makefile to automate
this.
* Finish off rust crypto and agent, port python version to use rust crypto and
agent
* Add server support (i.e. can also act like a server, so you could for
instance have your local browser and desktop talk locally and work 100%
off-line)
* Fix up documentation in
HTML(http://fossil-scm.org/index.html/doc/trunk/www/embeddeddoc.wiki) and
make prettier.
Goals:
* be a useful bitwarden tool that works on openBSD, debian, macOS and windows
since these are the platforms I spend most of my time on. UI is abysmal,
thanks to @kspearrin for doing that slog, go pay him, I do.
* Be able to work off-line completely if you wish. This mostly works now.
Non-Goals:
* GUI's because writing them is misery. @kspearrin has this well-handled! YAY!
The idea behind the CLI here is to think of the server as a place to push / pull
against. The local copy of the DB should be resilient and not erase anything
ever without explicitly saying so, so that full historic backups are possible.
think more like revision control. This is not fully fleshed out, at the time
of this writing..
-----------
Contributing:
If you use fossil, just send me a place to pull from or setup a login and
email/contact me and I will give you push rights. if you refuse to use fossil,
you can email me patches. Or you can use github and pull-requests, I guess.
Unless you explicitly state otherwise, any contribution intentionally submitted
for inclusion in the work by you shall be dual licensed as above, without any
additional terms or conditions.
License
Licensed under either of
Apache License, Version 2.0 (LICENSE-APACHE or http://www.apache.org/licenses/LICENSE-2.0)
MIT license (LICENSE-MIT or http://opensource.org/licenses/MIT) at your option.
email: bitwarden @at@ birl.ca

Release history: 0.4.0, 0.3.1, 0.3.0, 0.2.4, 0.2.3, 0.2.2, 0.2.1

Download files

Files for bitwarden, version 0.4.0

Filename                           Size     File type  Python version
bitwarden-0.4.0-py3-none-any.whl   23.4 kB  Wheel      py3
bitwarden-0.4.0.tar.gz             23.7 kB  Source     None

Hashes for bitwarden-0.4.0-py3-none-any.whl

Algorithm    Hash digest
SHA256       6d77a2ba062da9175ab2e6e86e3ccab5861759768ac2cd6175ac003868ab9d9c
MD5          6475ac5084c436922ddc4b643feaac20
BLAKE2-256   f02707a141d81c7f1b8e0b44e7b9b6476f59498051b4bd1ee5c87265142970bd

Hashes for bitwarden-0.4.0.tar.gz

Algorithm    Hash digest
SHA256       ef5b06809d3ecc883133b115c3e6c22a1aa76492f46efbe20e0a3f3093c5d902
MD5          6ca14816bafc2902bfb7982b91997ce0
BLAKE2-256   8040fea3195de0d7440499690a5d41423f21f7e07cfad5c3cd5791decc3611cb