Bitwarden Mozilla

1. Security & Encryption

A good password manager uses strong encryption to protect your data on your computer, on the password manager’s server and in transit between the two. Breaking that encryption is practically impossible when the password manager uses an industry standard such as the Advanced Encryption Standard (AES). We also checked for up-to-date security practices, two-factor authentication and whether the password manager had ever undergone a third-party security audit.

2. App Compatibility

Password managers aren’t very useful if you can’t use them everywhere, so we compared the hardware and software Bitwarden and KeePass support. We looked at three kinds of compatibility: desktop and laptop operating systems, browsers, and iOS and Android on mobile devices.

3. Usability & Ease of Use

Pick a strong password for your master password. I use the Bitwarden passphrase generator with three words, a numeral, and punctuation, which yields over 40 bits of entropy. Set up 2FA for both your new secure email and the Bitwarden account. Secure your master password and 2FA recovery data externally.

We compared Bitwarden and KeePass on ease of setup and use, because a good password manager should be simple to download, set up and populate with your passwords. The interface should also be easy to operate, so you can generate new, stronger passwords and autofill usernames and passwords on login pages. We also checked how well they worked with biometric login for users who have face or fingerprint scanning on their phone, laptop or tablet.

4. Password Sharing

While password sharing is a common feature of paid password managers, it’s not always offered in free ones. We researched secure sharing capabilities and how many people could share at a time. This feature is especially important for families who want to share online accounts or bill-pay sites, and for companies that need to share email, social media or other account logins.

5. Price

The cost of password managers runs the gamut from free to $90 a year or more, depending on how many people share the application. Most password managers advertise a monthly subscription price, but fees are usually billed annually. Any paid password manager should offer unlimited password storage, and free applications often do as well, so we researched storage limits along with cost.

In this blog post I’ll cover how to install a self-hosted Bitwarden server as a password management solution using Docker on a Raspberry Pi. We will end up with two containers running: the Bitwarden server and an Nginx reverse proxy in front of it. I’ll also go into hardening the Bitwarden configuration and enabling 2FA for logins.

What is Bitwarden?

Bitwarden is an open-source password management solution that supports almost every major platform. The version we’re going to use is the unofficial server implementation written in Rust by Daniel García, bitwarden_rs (since renamed Vaultwarden), GitHub page: https://github.com/dani-garcia/bitwarden_rs. It is unofficial, but it’s really well made, light enough to run on a Raspberry Pi, and just works.

  • Raspberry Pi (I’m using a model 3 B+)
  • Docker software
  • Bitwarden_rs (unofficial version)
  • Domain name for TLS certificate

Optional

  • Zymkey 4i is a Hardware Security Module for RPi.

To start off you’ll want to download and install the latest version of Raspbian on your Pi. I personally recommend Raspbian Buster Lite (now called Raspberry Pi OS Lite): since the Pi will run 24/7 as a server, you don’t need a desktop environment or the office suite packages that the full image includes. Make sure the device is connected to the internet and fully updated. I also like to enable SSH during the initial installation and harden the sshd_config file (key-based authentication only, no root login) before exposing the Pi to the network.

I will cover how to install Zymbit zymkey 4i IoT security module in a future post.

Docker

We are going to run Bitwarden as a Docker container. Docker makes it easy to manage containers, which we can then upgrade in the future by simply pulling a newer image. The image we are going to use is available at https://hub.docker.com/r/bitwardenrs/server.

Download and install the Docker software with the following on the Pi:

Give the user permission to run Docker (pi is the default user):

Make sure Docker starts on every system boot:

Restart your Raspberry Pi

Once restarted, your Raspberry Pi is ready for the configuration.

Now that the necessary software is installed we can continue with the configuration. We will first set up the Bitwarden container, then the Nginx reverse proxy container. Later on we’ll start both at once with a custom docker-compose file, found here.

A quick overview of what we’re going to do:

  • Pull the latest bitwarden_rs image from Docker hub
  • First Start-up
    • create a new account
    • enable two-factor authentication
  • Stop the container
    • disable new registrations
    • disable admin panel
    • enable HTTPS support
  • Start the container with the new options + nginx

Pulling image from Docker Hub

The Docker image we’re going to use is published at https://hub.docker.com/r/bitwardenrs/server, and the source code is at https://github.com/dani-garcia/bitwarden_rs. You no longer need the bitwardenrs/server:raspberry tag on Raspberry Pi systems; the default tag now covers ARM as well.

To pull the image with Docker:

First Time Start-up

After downloading the image, choose a directory on the host to mount as a volume for persistent storage. I use /bw-data. This is where the vault database, attachments and the server’s own key material will live, so include it in your backups.

To run the container for the first time:

Your Bitwarden web server will be accessible at http://<IP-ADDRESS>:60888. You can change the external port number by modifying the -p option of the previous command. Go ahead and register an account and log in. To enable 2FA follow the steps below.

Go to Settings:

Select Two-step login and the type of 2FA you want to use. For example Authenticator app:

Then enter your code. You can now stop the container and move on to the next stage: locking down the Bitwarden server and putting an Nginx reverse proxy in front of it.
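The four container steps from the overview (pull, first start-up, stop, restart locked down), as an added shell example that is not code from the original post or from the bitwarden_rs project. It assumes the data directory /bw-data, host port 60888 for the first run, a user-defined Docker network called bwnet that the nginx container will share later, and an env file written to ./bitwarden.env. SIGNUPS_ALLOWED, INVITATIONS_ALLOWED, ADMIN_TOKEN, DOMAIN and WEBSOCKET_ENABLED are bitwarden_rs configuration variables; the check function refuses to start the container unless registration and the admin panel are off.

```sh
#!/bin/sh
# Added example, not code from the original post or from bitwarden_rs.
# Assumptions: persistent data in /bw-data, host port 60888 for the first
# run, a user-defined Docker network called bwnet shared with the nginx
# container, and the env file written to ./bitwarden.env.
# SIGNUPS_ALLOWED, INVITATIONS_ALLOWED, ADMIN_TOKEN, DOMAIN and
# WEBSOCKET_ENABLED are bitwarden_rs configuration variables.

IMAGE="bitwardenrs/server:latest"
DATA_DIR="/bw-data"
NETWORK="bwnet"

# 1. First start-up: published on every interface so you can register the
#    single account and enrol two-step login from a browser on the LAN.
first_run() {
    docker pull "$IMAGE"
    docker run -d --name bitwarden \
        -v "$DATA_DIR":/data \
        -p 60888:80 \
        "$IMAGE"
}

# 2. Stop and remove the first-run container; the vault stays in /bw-data.
stop_first_run() {
    docker stop bitwarden && docker rm bitwarden
}

# 3. Write the hardened environment. Leaving ADMIN_TOKEN out is what keeps
#    the /admin panel disabled; DOMAIN must be the https URL clients use.
#    write_hardened_env <env-file> <public-url>
write_hardened_env() {
    printf '%s\n' \
        "SIGNUPS_ALLOWED=false" \
        "INVITATIONS_ALLOWED=false" \
        "WEBSOCKET_ENABLED=true" \
        "DOMAIN=$2" > "$1"
}

# Refuse to start unless registration and the admin panel are off and the
# public URL is https. Returns 0 when the file passes, 1 otherwise.
#    check_hardened_env <env-file>
check_hardened_env() {
    f="$1"
    if ! grep -qx 'SIGNUPS_ALLOWED=false' "$f"; then
        echo "check: SIGNUPS_ALLOWED is not false" >&2; return 1
    fi
    if ! grep -qx 'INVITATIONS_ALLOWED=false' "$f"; then
        echo "check: INVITATIONS_ALLOWED is not false" >&2; return 1
    fi
    if grep -q '^ADMIN_TOKEN=' "$f"; then
        echo "check: ADMIN_TOKEN set, admin panel would be enabled" >&2; return 1
    fi
    if ! grep -q '^DOMAIN=https://' "$f"; then
        echo "check: DOMAIN is not an https URL" >&2; return 1
    fi
    return 0
}

# 4. Start again with the hardened env and no published ports at all: the
#    only way in is the nginx TLS proxy on the same Docker network, which
#    reaches the vault as http://bitwarden:80 (websockets on 3012).
#    run_hardened <env-file>
run_hardened() {
    check_hardened_env "$1" || return 1
    docker network inspect "$NETWORK" >/dev/null 2>&1 || docker network create "$NETWORK"
    docker run -d --name bitwarden --restart unless-stopped \
        --network "$NETWORK" \
        --env-file "$1" \
        -v "$DATA_DIR":/data \
        "$IMAGE"
}

# Typical sequence, run by hand step by step:
#   first_run; <register and enable 2FA in the browser>; stop_first_run
#   write_hardened_env ./bitwarden.env https://bitwarden.example.com
#   run_hardened ./bitwarden.env
```

The hardened container publishes no port on purpose: if you keep the -p 60888:80 mapping from the first run, the unencrypted HTTP listener stays reachable from the LAN no matter what nginx does.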

Hardening Process

In the next step we’ll go through the process of hardening the server for actual use. We’ll cover how to set up an Nginx reverse proxy and obtain a TLS certificate for it.

To keep things organised I’ve created a folder called bitwarden which stores all configuration files and folders, the structure looks like this:

docker-compose.yml

This docker-compose file was created to ease the installation process. It defines the two containers along with some configuration options, which you will have to change to suit your own environment. The environment variables set on the Bitwarden container reflect my own preferences.

nginx.conf

The nginx.conf file I use for the reverse proxy in front of Bitwarden. In each server block, update listen 60888 and server_name bitwarden.example.com; to suit your own setup. You can leave the rest as it is.

ssl.conf

This file is included by the nginx.conf above. You need to replace the ssl_certificate, ssl_certificate_key and ssl_trusted_certificate paths with the ones for your own domain.

dhparams.pem

To generate 4096-bit Diffie-Hellman parameters with openssl, type:
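The three files above (nginx.conf, ssl.conf and dhparams.pem), as an added shell example; these are not the original post’s files. It renders the two configs from a server name, listen port and upstream host, generates the DH parameters, and checks the TLS policy before the files are used. Assumptions: the Bitwarden container is reachable as "bitwarden" on a shared Docker network (web and API on port 80, websocket notification hub on 3012, the bitwarden_rs defaults), certbot keeps the certificate under /etc/letsencrypt/live/<domain>/, and the files are mounted into the nginx container at /etc/nginx/.

```sh
#!/bin/sh
# Added example, not the original post's nginx.conf/ssl.conf. It renders both
# files and generates dhparams.pem. Assumptions: the Bitwarden container is
# reachable as "bitwarden" on a shared Docker network (web/API on 80,
# websocket notification hub on 3012, the bitwarden_rs defaults), certbot
# keeps the certificate under /etc/letsencrypt/live/<domain>/, and the files
# are mounted into the nginx container at /etc/nginx/.

# render_nginx_conf <server_name> <listen_port> <upstream_host>
render_nginx_conf() {
    name="$1"; port="$2"; up="$3"
    # nginx variables are escaped (\$) so the shell leaves them alone.
    cat <<EOF
events {}

http {
    server {
        listen ${port} ssl http2;
        server_name ${name};
        include /etc/nginx/ssl.conf;

        client_max_body_size 128M;

        location / {
            proxy_pass http://${up}:80;
            proxy_set_header Host \$host;
            proxy_set_header X-Real-IP \$remote_addr;
            proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto \$scheme;
        }

        # The negotiate call is plain HTTP on the main port; the hub itself
        # is a websocket on 3012 and needs the Upgrade headers passed through.
        location /notifications/hub/negotiate {
            proxy_pass http://${up}:80;
        }
        location /notifications/hub {
            proxy_pass http://${up}:3012;
            proxy_http_version 1.1;
            proxy_set_header Upgrade \$http_upgrade;
            proxy_set_header Connection "upgrade";
        }
    }
}
EOF
}

# render_ssl_conf <domain>
render_ssl_conf() {
    domain="$1"
    cat <<EOF
ssl_certificate     /etc/letsencrypt/live/${domain}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/${domain}/privkey.pem;
ssl_dhparam         /etc/nginx/dhparams.pem;

ssl_protocols TLSv1.2 TLSv1.3;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;

add_header Strict-Transport-Security "max-age=63072000" always;
EOF
}

# tls_policy_ok <ssl.conf>: 0 if no TLS 1.0/1.1 is offered and HSTS is set.
# Old clients downgrade quietly and nothing in the Bitwarden apps would
# warn you, so this is worth checking every time the file is edited.
tls_policy_ok() {
    if grep -E '^ssl_protocols .*TLSv1(\.1)?( |;)' "$1" >/dev/null; then
        echo "check: TLSv1/TLSv1.1 still enabled" >&2; return 1
    fi
    if ! grep -q '^add_header Strict-Transport-Security' "$1"; then
        echo "check: HSTS header missing" >&2; return 1
    fi
    return 0
}

# gen_dhparams <out-file> [bits]: 4096-bit generation takes a very long time
# on a Raspberry Pi 3; run it once and keep the file (it is not secret).
gen_dhparams() {
    openssl dhparam -out "$1" "${2:-4096}"
}

# Usage:
#   render_nginx_conf bitwarden.example.com 60888 bitwarden > nginx.conf
#   render_ssl_conf bitwarden.example.com > ssl.conf && tls_policy_ok ssl.conf
#   gen_dhparams dhparams.pem
```

The /notifications/hub location is the part most often forgotten: without the Upgrade headers the vault still works, but live sync between clients silently stops.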

Certificates

DO NOT USE THE DEFAULT HTTP PORT FOR YOUR PASSWORD MANAGEMENT!

To use the official Bitwarden app on, say, an iPhone with your self-hosted server you need a valid TLS certificate. Without one the OS rejects the connection because it cannot validate the certificate. A workaround may be to add your self-signed certificate to the trust store of each device (not tested). The better approach is to obtain a valid certificate from a public CA.

Let’s Encrypt offers two main validation methods (leaving aside TLS-ALPN-01): HTTP-01 and DNS-01. HTTP-01 requires the CA to reach port 80 on your host, so if, like me, you are behind an ISP’s heavily NATed network, you can’t really use it. I’ll be using DNS-01, which only requires control over the DNS records of a domain name you own.

Download and install certbot with:

Run certbot with DNS as the preferred challenge:

I’d recommend obtaining a wildcard certificate rather than one for a single subdomain. That way the host name of your Bitwarden server never appears in the Certificate Transparency logs, which publicly record every certificate Let’s Encrypt issues.
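The certbot step and the wildcard reasoning, as an added shell example (not from the original post). Assumptions: certbot is installed (apt install certbot on Raspberry Pi OS), the apex domain is example.com, and the DNS TXT record is created by hand when certbot prompts for it (no DNS-provider plugin). The name-matching helper is plain shell and encodes the one caveat of wildcards: *.example.com covers one label only, so the apex has to be requested explicitly.

```sh
#!/bin/sh
# Added example, not from the original post. Assumptions: certbot is installed
# (apt install certbot on Raspberry Pi OS), the apex domain is example.com,
# and the DNS TXT record is created by hand when certbot prompts for it
# (no DNS-provider plugin). The host name checks below are plain shell.

# request_wildcard_cert <apex-domain> <email>
# Manual DNS-01: certbot prints a value for _acme-challenge.<apex> and waits
# while you create that TXT record. Asking for both the apex and "*.<apex>"
# in one certificate means the vault's host name never appears in CT logs.
request_wildcard_cert() {
    sudo certbot certonly --manual --preferred-challenges dns \
        --agree-tos -m "$2" \
        -d "$1" -d "*.$1"
}

# san_matches_host <san-entry> <host>: 0 if the SAN entry covers the host.
# A wildcard covers exactly one label: *.example.com matches
# bitwarden.example.com but not example.com or a.b.example.com, which is why
# the apex is requested explicitly above. Names are compared case-insensitively.
san_matches_host() {
    san=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case "$san" in
        \*.*)
            suffix="${san#\*.}"
            case "$host" in
                *."$suffix")
                    label="${host%."$suffix"}"
                    case "$label" in
                        ''|*.*) return 1 ;;
                        *)      return 0 ;;
                    esac ;;
                *) return 1 ;;
            esac ;;
        *)
            [ "$san" = "$host" ] ;;
    esac
}

# cert_covers_host <fullchain.pem> <host>: reads the SAN list out of the
# issued certificate and applies the rule above to each entry.
cert_covers_host() {
    sans=$(openssl x509 -noout -text -in "$1" \
        | grep -A1 'Subject Alternative Name' \
        | tr ',' '\n' | sed -n 's/.*DNS:\([^ ]*\).*/\1/p')
    for s in $sans; do
        san_matches_host "$s" "$2" && return 0
    done
    return 1
}

# Usage:
#   request_wildcard_cert example.com admin@example.com
#   cert_covers_host /etc/letsencrypt/live/example.com/fullchain.pem bitwarden.example.com
```

Run cert_covers_host against the issued fullchain.pem before pointing a mobile client at the server; a certificate that lists only *.example.com is rejected for example.com itself, and vice versa.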

Starting and Stopping

We will be using docker-compose along with the docker-compose.yml file to start and stop containers.

To start your set-up, type (-d runs the containers in the background):

To stop the containers, type:
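The compose file and the start/stop commands, as an added shell example; this is not the original post’s docker-compose.yml. Assumptions: the hardened environment is in ./bitwarden.env, nginx.conf, ssl.conf and dhparams.pem sit next to the compose file, the Let’s Encrypt material is under /etc/letsencrypt on the Pi, and nginx listens on the same port it publishes. Only nginx publishes a port; the Bitwarden service is reachable solely on the private compose network as "bitwarden", and the wrapper refuses to start if that is no longer true.

```sh
#!/bin/sh
# Added example, not the original post's docker-compose.yml. Assumptions: the
# hardened environment is in ./bitwarden.env, nginx.conf, ssl.conf and
# dhparams.pem sit next to the compose file, Let's Encrypt material is under
# /etc/letsencrypt on the Pi, and nginx listens on the same port it publishes.
# Only nginx publishes a port; the Bitwarden service is reachable solely on
# the private compose network as "bitwarden".

# render_compose <https-port>
render_compose() {
    port="$1"
    cat <<EOF
version: "3"

services:
  bitwarden:
    image: bitwardenrs/server:latest
    container_name: bitwarden
    restart: unless-stopped
    env_file: ./bitwarden.env
    volumes:
      - /bw-data:/data
    # deliberately no "ports:" here; nginx is the only entry point

  nginx:
    image: nginx:alpine
    container_name: bitwarden-nginx
    restart: unless-stopped
    depends_on:
      - bitwarden
    ports:
      - "${port}:${port}"
    volumes:
      - ./nginx.conf:/etc/nginx/nginx.conf:ro
      - ./ssl.conf:/etc/nginx/ssl.conf:ro
      - ./dhparams.pem:/etc/nginx/dhparams.pem:ro
      - /etc/letsencrypt:/etc/letsencrypt:ro
EOF
}

# compose_exposes_only_nginx <docker-compose.yml>: 0 unless the bitwarden
# service still carries a "ports:" mapping (easy to leave behind after the
# first-run "-p 60888:80" experiment, and it would bypass TLS entirely).
compose_exposes_only_nginx() {
    awk '
        /^  bitwarden:/ { inblk = 1; next }
        /^  [a-z]/      { inblk = 0 }
        inblk && /^    ports:/ { found = 1 }
        END { exit (found ? 1 : 0) }
    ' "$1"
}

compose_up() {
    compose_exposes_only_nginx docker-compose.yml || return 1
    docker-compose up -d        # -d: run in the background
}

compose_down() {
    docker-compose down
}

# Usage:
#   render_compose 60888 > docker-compose.yml
#   compose_up
#   compose_down
```

Upgrading later is a matter of docker-compose pull followed by compose_up; the vault itself lives in /bw-data, which compose never touches.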

Thanks

Bitwarden for creating an awesome password management solution.

Dani Garcia for creating bitwarden_rs, the unofficial port of Bitwarden.

Let’s Encrypt for free certificates for everyone.