this post was submitted on 17 Jul 2023
107 points (97.3% liked)

Selfhosted

40438 readers
769 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago
MODERATORS
 

Hi y'all! Sorry for asking so much on this sub! Y'all have been so helpful!

This time, I'm thinking of transitioning from 1Password to a self-hosted option.

Of course I know about Bitwarden, and I'm looking into it now, but are there any other recommendations y'all have? Have y'all heard of and used Passbolt? It seems nice, but it looks like it only does passwords and not other categories like 1Password does.

A few things of note: I'd like it to have different categories, a la 1Password. (Logins, SSN, ID, member card #, etc) Maybe multi-user so I can have an account for my wife. Password generator of course, and I'm not sure if y'all are familiar too much with 1password, but it allows you to customize the fields in each entry. So it starts with the basics (username, password, url), but it allows you to add sections and entries too! I could add a "security" and add my 2FA code on there, my backup codes, etc.

Honestly, that last one is a biggie, so I think I might be talking myself out of moving over now, but I'm sure that AgileBits or whatever the company is called will abandon, if it hasn't already, 1Password 7 with local vaults, in favor of 1Password 8 that only uses 1password subscription accounts.

Sorry for the rant and wall of text. Thank y'all in advance.

Update on July 21, 2023

I decided to self-host Vaultwarden as it was designed to be a lightweight (on resources) version of Bitwarden. For Android, I'm using the "Keyguard" app to access my instance, and the official Bitwarden browser extension on my wife's MacBook. 1password fucked me over, and I had to manually copy every password 1 by 1, luckily I only had ~500 entries.

I'm still doing some research into the best app for android (the official Bitwarden is ugly, and Keyguard is pretty, but I'm still looking around.)

Thank each and every one of you for taking time to answer my question!

top 50 comments
sorted by: hot top controversial new old
[–] BrikoX 63 points 1 year ago (4 children)
[–] [email protected] 9 points 1 year ago* (last edited 1 year ago) (1 children)

I'm reading through it, but maybe you can anwser it faster.

Does this support generating 2FA authenticator codes like 1password does?

[–] BrikoX 22 points 1 year ago (1 children)
[–] [email protected] 3 points 1 year ago

Awesome, thank you for taking the time to a deer my questions.

load more comments (2 replies)
[–] [email protected] 62 points 1 year ago* (last edited 1 year ago) (4 children)

You can install Vaultwarden instead of Bitwarden. Differences between Vaultwarden and Bitwarden by reference.

[–] [email protected] 15 points 1 year ago (1 children)

Is it just me or does that "comparison" make no sense for this thread. It's mostly comparing vaultwarden to the cloud version of bitwarden, not the self hosted version. It only mentions the self hosted version in passing. It doesn't do anything to help someone choose between vaultwarden and self hosted bitwarden

[–] [email protected] 8 points 1 year ago

The article honestly reads like it was written by an AI tool.

[–] [email protected] 9 points 1 year ago

Strongly second vaultwarden, covets so many cases for me.

[–] [email protected] 3 points 1 year ago (2 children)

Not sure why someone would. Bitwarden provides their own self-host repos and docs and is working on a unified container instead of docker-compose scripts for their production stack.

I've been using their stack for the last 6 years and only issues I've ran into were my fault. Also tested their container and will be switching to that soon.

load more comments (2 replies)
[–] [email protected] 3 points 1 year ago* (last edited 1 year ago)

Also recommend vault warden its what I've been using for the past year since lastpass dropped the ball.

It has entries for totp, notes, and you can add more fields as needed. Ive been really happy with it

[–] [email protected] 55 points 1 year ago* (last edited 1 year ago) (2 children)

https://keepassxc.org as Password manager and 2FA and https://syncthing.net to sync the database between your devices without a central server.

  • You can have several databases (one for wife, one for you)
  • You can store your 2FA there
  • You can make nested groups of your passwords
  • You can store certificates and other attachments as files or custom fields like backup codes, etc.

Don't use Keepass or KeepassX but the KeepassXC version is the community version most polished and with most functionality.

There are many 3rd party clients which can read/write the keepassx database file like:

Instead of Syncthing you can also use some other file sync if you have it set up already like iCloud, Nextcloud, Dropbox, but Syncthing I find is the easiest set up and forget.

[–] [email protected] 11 points 1 year ago (1 children)

I do this exact same setup but one thing to add to your answer and be aware of is that syncthing is not a backup solution. If you delete the files on one computer, those files will be deleted on the other synced devices. And accidents can happen.

So, as always, take backups.

[–] [email protected] 4 points 1 year ago (2 children)

Yeah, it always stresses me out when I see people saying that synchthing is a backup solution... (not that OP did here)

[–] [email protected] 3 points 1 year ago

You can configure Syncthing to keep deleted/changed files for some time. So you could connect a Raspberry Pi to store everything read-only.

[–] [email protected] 1 points 1 year ago* (last edited 1 year ago)

Well, it's a great alternative for people who can't afford a local server. I just set it to one-way sync from phone to PC for backup, while for KeePass I just enable file versioning and use 2 databases to be safe from accidentally overwriting it.

[–] [email protected] 6 points 1 year ago (1 children)

I use keepassxc and save the DB in WebDAV. Can't imagine it getting easier. Can access it from any device.

[–] [email protected] 1 points 1 year ago (1 children)

Doing pretty much the same thing but using the android app from AuthPass with backup to my Nextcloud. (It uses kdbx to store the passwords)

[–] [email protected] 1 points 1 year ago

I sync webdav via Davx5 to my android. It integrates seamlessly

[–] [email protected] 25 points 1 year ago* (last edited 1 year ago) (5 children)
  • If you only use Linux CLI and live in the terminal: pass
  • If you also use a phone or windows desktop, and already use a reputable syncing service (nextcloud, synching, etc.): keepassXC
  • If you have an always on server, internet accessible that maintains 5-9s of reliability and regular working backupa: host VaultWarden
  • If nothing above applies: use Bitwarden SaaS.

My big problem with VaultWarden/Bitwarden is there are some things (making new passwords) that can only be done while connected. This means exposing your server to the internet and making it highly available. Also, since it's a single point of failure, you need good backups. If your server goes down, you're read only until you create a new instance, which might take a while.

I've been using KeepassXC for about 6 years, synchronized with Syncthing. The database is synced to all my devices and my wife's, and a few satellite devices my friends own in encrypted Syncthing folders. It's easy to merge conflicts if we both make entries at the same time. My database will likely outlive me at this point. I even got my Luddite in-laws using it (alas, synced through Google Drive). Highly recommended.

[–] [email protected] 11 points 1 year ago (2 children)

+1 for KeePass/KeePassXC. Love that you just get a password database file and it's up to you to secure it. I also sync through drive for easy access and use KeePassDX for Android which makes the transition between devices a breeze. Having fingerprint unlock for my passwords on my phone is pretty cash. On my desktop I set up KeePassXC to auto-type my credentials into almost everything I use so I can use a hotkey to log in. Works with any program that you can match a window title to (or URL for websites) which is basically everything. I even have mine set up to enter SSH credentials after I connect in windows terminal using "SSH user@server".

[–] [email protected] 1 points 1 year ago

KeePassXC/KeeWeb + WebDAV is a kick-ass combo that covers every device while also being as simple as possible.

[–] [email protected] 1 points 1 year ago

I am most impressed with how much it just works. Make duplicate passwords? Just works. Share with multiple users? Duplicate key entries? Just works. Want to store or reorganize your DB, change encryption or share with someone else? Just works. Want to use it from your phone, your laptop, your server CLI? There's probably an app, and it probably just works too.

It's such a precious thing, a good DB design paired with good apps (KeepassXC is amazing). Not a lot of tools like that around.

[–] [email protected] 6 points 1 year ago (1 children)

If you have an always on server, internet accessible that maintains 5-9s of reliability and regular working backupa: host VaultWarden

I mean, every client caches your vault. Even if I only had 75% uptime I doubt I'd run into many issues.

[–] [email protected] 1 points 1 year ago

The problem I had when I tried it out last (2 years ago?) was you could only generate passwords when connected to the server. Internet in my region is spotty, so I can't reliably always have access to the server.

Other thing, not mentioned here, is how easy it is to share passwords. They also didnt at the time have a great user story for a common use case: 2-4 people who share all their passwords (me, my wife, and her parents). Setting up an org and multiple users was a bit of a pain, but that was a couple years ago, maybe it's better now!

[–] [email protected] 5 points 1 year ago* (last edited 1 year ago) (1 children)

If you only use Linux CLI and live in the terminal: pass

There are frontends to pass [1] for different systems, including mobile ones ;) and probably the official list is not complete.

edit: For CLI I prefer gopass [2]

[1] https://www.passwordstore.org/#other
[2] https://github.com/gopasspw/gopass

[–] [email protected] 2 points 1 year ago (1 children)

I just wonder how easy it would be to sync between clients, KeePass style, because you also have to send your GPG keystore around to all your clients too, right?

[–] [email protected] 1 points 1 year ago

If you already have gpg set up it's quite easy to just sync it with git. Then your server only needs to be online when you want to sync.

You can (probably should) use different keys per device, and works wonderfully with Yubikey or other gpg hardware keys if you want extra safety.

[–] [email protected] 1 points 1 year ago (1 children)

Great advice.

Only thing I would add is that it is possible to avoid exposing the Vaultwarden server to the Internet. And, you could use Wireguard for that.

[–] [email protected] 1 points 1 year ago

The issue I found with this approach is that the other big reason to use VaultWarden is for multi-user support. However, then each of your users need the same VPN setup, which can be hard to manage if you support a non-techie or Luddite.

Exposing it to the internet isnt safe, but it's more accessible then setting up VPNs for everyone with proper routing and stuff. The actual Bitwarden service isn't that expensive last time I checked, and I think it's probably the best, simplest solution if you need to support multiple technophobes.

[–] [email protected] 1 points 1 year ago

I highly recommend pass.

It's very easy to just use git to sync, and easy to set up with several different keys, and can be used as a password sharing database in a small devops team.

Since I'm using git to sync, I can easily tell when I've last changed any password and optionally keep a history of passwords I've used.

It fits well with my life in the terminal, and I use browserpass for Firefox integration.

[–] [email protected] 18 points 1 year ago

Another vote for selfhosting a VaultWarden (Bitwarden) setup.

I have had it through a docker container for a while, it's solid, and the browser integration/desktop apps/web access mean my passwords are always close at hand.

[–] [email protected] 12 points 1 year ago (2 children)

I would recommend Bitwarden self-hosted with a subscription. I know it's a unpopular opinion, but they do a great job with the app and let's be real,if nobody financially supports open source development, we are in for trouble.

[–] [email protected] 3 points 1 year ago* (last edited 1 year ago)

There are enough people that don't have the technical knowledge to host their own instance which happily pay Bitwarden to do so. If I host my own software and pay for the servers myself I'm not gonna pay a monthly fee just to be able to use the software. Maybe a one time payment, but definitely no subscription.

[–] [email protected] 2 points 1 year ago

+1 for this, I have an active subscription with Bitwarden, for US$10 a year it's worth many times that in the value and utility it provides me. I considered self-hosting the service but I decided to just stick with the cloud version since they likely have better resilience than my homelab. It'd suck if my home network is down for whatever reason and I need urgent access to my vault without a local copy within reach.

[–] [email protected] 12 points 1 year ago (2 children)

I use KeepassXC and sync the database on my Nextcloud instance. It works really well, as long as you have Nextcloud of course.

[–] [email protected] 4 points 1 year ago

Syncthing will also work with Nextcloud.

[–] [email protected] 1 points 1 year ago

I do the same, except with Seafile. On my phone I use Keepass2Android which has built-in support for syncing a database over WebDAV. Works flawlessly.

[–] [email protected] 10 points 1 year ago (1 children)

I'm using passwordstore + self hosted git server.

Passwordstore uses gpg for the encryption layer which combine fine with ssh (used to connect to the private repo).

I'm using qtpass as gui and there is also a client for Android named password store

[–] [email protected] 3 points 1 year ago

Been doing the same, just leaving my password-store offline, for me this is enough.

[–] [email protected] 10 points 1 year ago (2 children)

I like pass, It's just a wrapper around standard tools - gpg encrypted files in a directory, with git for version control. You can organize the subfolders however you'd like, and store whatever you want in them. You can sync the files across systems however you'd like - copy/paste, rsync, network drive... You can even go as far as to install a git server, e.g. gitlab, and clone, push, and pull into password synchronization bliss.

[–] [email protected] 2 points 1 year ago

And lots of extensions. I like pass-coffin.

[–] [email protected] 2 points 1 year ago

My Pass setup uses an NFC Yubikey, which works on my PC and Android. On Android, Open Keychain can use the key for the ssh connection as well.

The git server for syncing is just ssh with a forced command.

The gpg key itself is backed up on a thumb drive, in case I need to recreate the yubikey.

[–] [email protected] 9 points 1 year ago

+1 for KeePassXC + SyncThing

[–] [email protected] 3 points 1 year ago

I like Buttercup. It's open source and pretty simple to use. I personally just keep mine on dropbox so my mac, linux, ios, windows and android devices can all access it. https://github.com/buttercup/buttercup-desktop

[–] [email protected] 1 points 1 year ago* (last edited 1 year ago)

enpass for password vault, it has integrated nextcloud sync. for me, adding another selfhosted app wasn't worth it.

[–] [email protected] 1 points 1 year ago* (last edited 1 year ago)

I would say passbolt it the best, if it would have totp support. At least they are working on it. For different categories you can just create multiple folders

[–] [email protected] 1 points 1 year ago

Valutwarden <3

load more comments
view more: next ›