Great LastPass alternative – securely self host your own password manager with Bitwarden(_rs)

Published by Oliver on

You are looking for a LastPass alternative? Recently LastPass changed their free tier, a less than popular decision that makes it pretty much unusable for many users. Fortunately I use a very different solution to store my passwords, and here I am sharing how to do this: just host a password manager yourself. Ditch LastPass and instead use the great self-hosted password manager Bitwarden.

LastPass alternative or why you should self host your password manager

I am not a huge fan of storing data as important as all your passwords in an external service. Of course it is convenient, but you basically hand control over your whole (online) life to someone else. And even if they do not deliberately misuse this data, it is enough for them to make one mistake in securing it. Managing all this important data makes them a great target.

Or imagine for a second – the totally unrealistic – idea that the company hosting your data just decides to randomly change their payment policies 😉

Instead I am personally a huge fan of self-hosting this kind of important service. With today's technology like Docker and cheap computers like the Raspberry Pi it is easier than ever before.

I have written here about my small smart home server, which runs Docker(-compose) and is pretty easy to set up. Just follow the guide and run the docker-compose file from my GitHub repository. I also have access to a bigger server which runs all kinds of software for family and friends. It also uses a Linux distribution and hosts all the software in Docker containers. Installing Bitwarden was pretty simple with this setup. Here is how to do it.

How to install Bitwarden_rs with Docker

First let's talk about how Bitwarden works. Bitwarden can be used just like any online hosted service by paying a monthly fee (or using the free version to give it a try). It is open source, which I personally really like for such an important piece of software. The best part, though, is that all official clients allow you to switch to a self-hosted server instead of using theirs.

Bitwarden vs bitwarden_rs

So we can host our own Bitwarden server. But how exactly? There is pretty extensive documentation on how to do that provided by Bitwarden. Personally I found it overly complicated, as I was just looking for something I could include in my already running Docker-compose setup.

Instead I found Bitwarden_rs, a Bitwarden-compatible server written in Rust and also open source. While it is not official or developed by the company behind Bitwarden, for me it worked really well and the installation is much easier.

Running bitwarden_rs via Docker-compose

So let's install bitwarden_rs. First you need a server that is able to run Docker. While macOS and Windows are now able to do that, just do yourself a favor and use a Linux-based system. Ubuntu or Debian server distributions are pretty good and easy to set up and use.

Next you need to install Docker. This can usually be done via the package manager of the distribution you choose. Once that is done you also need to install Docker-compose. Sometimes this can also be done via the package manager, sometimes (like on the Raspberry Pi) it is a little more complicated. For the Pi I described it here.

# test if docker and docker-compose are installed and working
docker --version
docker-compose --version

# if you are on Linux and don't want to use sudo for everything, add your user to the docker group
# (note: members of the docker group can control the Docker daemon, which is equivalent to root on the host)
sudo groupadd docker
sudo usermod -aG docker $USER
# restart the terminal (or log out and back in) so the new group membership takes effect

Now we can finally use Docker to start our server. Create a bitwarden.yml file with this content:

version: "3.3"
services:
  bitwarden:
    image: bitwardenrs/server
    restart: unless-stopped
    ports:
      - 5080:80
      - 3012:3012
    volumes:
      - ${DATADIR}/bitwarden/data:/data
    environment:
      WEBSOCKET_ENABLED: 'true' # Required to use websockets
      SIGNUPS_ALLOWED: 'false'   # set to false to disable signups
      ADMIN_TOKEN: ${BITWARDEN_ADMIN_TOKEN}

This also requires you to create a .env file next to it containing the variables referenced as ${...}. Mine looks like this:

# general
DATADIR=/some/directory/to/store/the/data
# bitwarden
BITWARDEN_ADMIN_TOKEN=ThisIsDefinitelyMyRealPassword

You should also pay attention to the ports that are exposed here. Port 3012 is used for websocket communication, port 80 for the web interface; here I mapped it to port 5080 on the outside. You can change it to any port you want to use.

You can now start the server via docker-compose -f bitwarden.yml up -d. Just wait a while and you should be able to open the web interface on the port you specified. You can also use docker-compose -f bitwarden.yml logs -f to check the logs of the container.
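The ADMIN_TOKEN in the .env file unlocks the server's admin panel, so it should be long, random and stored in a file only your user can read. As an added example (not from the original post), here is a small POSIX shell script that generates such a token, writes the .env file with owner-only permissions and checks the result; the function names and the /srv/bitwarden path are my own assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post: generate a random ADMIN_TOKEN for
# bitwarden_rs, write the .env file that docker-compose reads with owner-only
# permissions, and check the result. Assumes /dev/urandom and the POSIX tools
# tr, head, ls, cut, grep and chmod; function names and paths are my own.

# Print a 48-character alphanumeric token (roughly 285 bits of entropy).
gen_admin_token() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 48
}

# Write the .env file. Arguments: path of the .env file, DATADIR value.
write_env_file() {
    env_file=$1
    datadir=$2
    token=$(gen_admin_token)
    # umask 077 so a new file is created as 0600; chmod covers a pre-existing file.
    # ADMIN_TOKEN unlocks the admin panel, so the file is a credential.
    ( umask 077 && printf '# general\nDATADIR=%s\n# bitwarden\nBITWARDEN_ADMIN_TOKEN=%s\n' \
        "$datadir" "$token" > "$env_file" )
    chmod 600 "$env_file"
}

# Return 0 if the .env file is readable by its owner only and carries a token of
# at least 32 characters that is not the placeholder from the post.
check_env_file() {
    env_file=$1
    [ -f "$env_file" ] || return 1
    # characters 5-10 of the ls -l mode string are the group and other bits
    perms=$(ls -ld "$env_file" | cut -c5-10)
    [ "$perms" = "------" ] || return 1
    grep -q '^BITWARDEN_ADMIN_TOKEN=.\{32,\}$' "$env_file" || return 1
    ! grep -q '^BITWARDEN_ADMIN_TOKEN=ThisIsDefinitelyMyRealPassword$' "$env_file"
}

# Usage: ./make-env.sh /path/to/.env /srv/bitwarden   (both paths are examples)
if [ $# -eq 2 ]; then
    write_env_file "$1" "$2"
    check_env_file "$1" && echo "wrote $1 (mode 600, random ADMIN_TOKEN)"
fi
```

Run it once before the first docker-compose up; afterwards check_env_file can be reused as a quick sanity check that nobody loosened the file permissions or left the placeholder token in place.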

Image: LastPass alternative – the Bitwarden web interface for the login

You should now be able to download the official Bitwarden clients for any platform (there are also apps for Android and iOS) and use them. Before logging in, make sure to find the option to use a custom server and point it to the machine hosting your bitwarden_rs server.

Making your server accessible from everywhere

Now there is one drawback to this approach so far: your server is only accessible inside your network. Great for security, but pretty inconvenient. You could use a VPN to access your network from anywhere, but I chose to go another route. I pointed a (sub)domain I own to my router (via dyndns) and used Traefik as a reverse proxy to route incoming requests to the right Docker container on my server.

Sounds complicated? Well, it is, but once you understand the concept it is actually pretty easy to set up with Docker. I will write a more in-depth article about this, but here is the short form: I point password.my-domain.com to my dyndns service. This service always points to my router. The router forwards incoming HTTPS traffic to my server.

On the server, Traefik (still version 1) runs on Docker. This so-called reverse proxy inspects the incoming requests and decides, based on the password.my-domain.com subdomain, that they need to be routed to the bitwarden_rs container. It also automatically creates Let's Encrypt certificates for secure access. Once Traefik is running, this setup can be handled pretty easily via labels in Docker-compose. This is what it looks like for the Bitwarden server.

version: "3.3"
networks:
  traefik_proxy:
    external:
      name: traefik_proxy
  bitwarden_network:
    driver: bridge
services:
  bitwarden:
    image: bitwardenrs/server
    restart: unless-stopped
    ports:
      - 5080:80
      - 3012:3012
    volumes:
      - ${DATADIR}/bitwarden/data:/data
    environment:
      WEBSOCKET_ENABLED: 'true' # Required to use websockets
      SIGNUPS_ALLOWED: 'false'   # set to false to disable signups
      ADMIN_TOKEN: ${BITWARDEN_ADMIN_TOKEN}
    networks:
      - bitwarden_network
      - traefik_proxy
    labels:
      - traefik.enable=true
      - traefik.docker.network=traefik_proxy
      - traefik.web.frontend.rule=Host:password.${DOMAINNAME}
      - traefik.web.port=80
      - traefik.hub.frontend.rule=Host:password.${DOMAINNAME};Path:/notifications/hub
      - traefik.hub.port=3012
      - traefik.hub.protocol=ws

The labels tell Traefik to route incoming traffic for the password subdomain directly to port 80 on the bitwarden_rs container, so no externally published ports are actually needed. The same is done for password.domain.com/notifications/hub, which is the websocket traffic that is directed to port 3012.

As Traefik itself is run from another Docker-compose file, I also created a custom Docker network called traefik_proxy that connects all containers that should be reachable via the proxy.
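The compose file above still publishes ports 5080 and 3012 on the host even though Traefik already routes the traffic; a published port is reachable without the proxy and therefore without the Let's Encrypt certificate. As an added example (not from the original post), here is a POSIX shell/awk script that lists the host ports a compose file publishes and warns about them when the same file carries traefik.enable=true. The sample compose it embeds is constructed from the labels shown above, and the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the original post: list the host ports a compose file
# publishes and warn about them when the same file routes the service through
# Traefik, because a published port bypasses the proxy and its TLS termination.
# Assumes POSIX sh and awk; the sample compose below is constructed from the post.

# Print "service host:container" for every list item under a ports: key.
compose_published_ports() {
    awk '
        function indent(s) { match(s, /^ */); return RLENGTH }
        # a bare "key:" line (no value) defines the nesting we track
        /^[ ]*[A-Za-z0-9_-]+:[ ]*$/ {
            i = indent($0); k = $0
            sub(/^[ ]*/, "", k); sub(/:.*$/, "", k)
            key[i] = k
            inports = 0
            if (k == "ports") {
                inports = 1; svc = "?"
                # the owning service is the nearest bare key at a shallower indent
                for (j = i - 1; j >= 0; j--)
                    if ((j in key) && key[j] != "") { svc = key[j]; break }
            }
            next
        }
        # list items directly under ports: are the published mappings
        inports && /^[ ]*-/ {
            p = $0; sub(/^[ ]*-[ ]*/, "", p); sub(/[ ]*#.*$/, "", p)
            gsub(/[^0-9A-Za-z.:\/-]/, "", p)
            print svc, p
            next
        }
        # any other non-blank, non-comment line ends the ports: list
        /^[ ]*[^ #]/ { inports = 0 }
    ' "$1"
}

# Print one warning per published port if the file also enables Traefik routing.
compose_proxy_warnings() {
    grep -q 'traefik.enable=true' "$1" || return 0
    compose_published_ports "$1" | while read -r svc mapping; do
        printf 'WARN: service %s publishes host port %s, which bypasses the Traefik proxy\n' \
            "$svc" "${mapping%%:*}"
    done
}

# Constructed sample: a trimmed copy of the Traefik-labelled compose file from the post.
sample_compose() {
    cat <<'EOF'
version: "3.3"
networks:
  traefik_proxy:
    external:
      name: traefik_proxy
services:
  bitwarden:
    image: bitwardenrs/server
    restart: unless-stopped
    ports:
      - 5080:80
      - 3012:3012
    volumes:
      - ${DATADIR}/bitwarden/data:/data
    environment:
      WEBSOCKET_ENABLED: 'true'
    networks:
      - traefik_proxy
    labels:
      - traefik.enable=true
      - traefik.web.frontend.rule=Host:password.${DOMAINNAME}
      - traefik.web.port=80
EOF
}

# Demo: write the sample to a temporary file and lint it.
demo_file="${TMPDIR:-/tmp}/bw_compose_demo.$$"
sample_compose > "$demo_file"
compose_proxy_warnings "$demo_file"
rm -f "$demo_file"
```

Run compose_proxy_warnings against your own bitwarden.yml; once Traefik handles the routing, the fix is simply to delete the ports: section so the container is reachable only through the traefik_proxy network.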

More LastPass alternatives

There are a lot of other password managers out there, but Bitwarden is pretty good. I personally often use another program that seems to be even more secure: KeePass (2). It looks pretty old and does not come with a server at all. It works very well though and saves all its data in an encrypted file. I use my own Nextcloud instance to sync this file with my mobile devices, but something like Dropbox should also work. There are apps for all major platforms supporting this.

Whatever solution you choose in the end: think about security and control as much of it yourself as possible.
