this post was submitted on 04 Sep 2023
49 points (96.2% liked)

Selfhosted

40717 readers
365 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago
MODERATORS
 

Currently I manage my passwords in an archaic but secure way, which is simply to synchronize a directory where I have my Keepass database between my devices, and I say archaic but secure because even if my Nextcloud server hosted on a VPS explode (where I have the database stored) I still have the databases stored locally, so I don't lose anything.

I am currently interested in self hosting Vaultwarden although my biggest drawback is the fact that if my VPS were to fail for example I would not be able to access my database and if I lose access to the database I lose access to all my passwords. a pretty bad scenario.

So I have a question, what can I do to prevent that from happening? Apart from hosting everything on my own hardware of course, for now I prefer to use VPS for different reasons.

top 22 comments
sorted by: hot top controversial new old
[–] russjr08@outpost.zeuslink.net 46 points 1 year ago (1 children)

The Bitwarden clients all keep a cached copy of your password database, which can be viewed even if your server goes offline (you just can't make edits) - you can even export it when that is the case.

However, if you log out of Bitwarden, it erases the local cache off that device, which will require your server to be online in order to retrieve again (or export it from a different device that is still signed in).

[–] Xirup@lemmy.dbzer0.com 9 points 1 year ago (1 children)
[–] InverseParallax@lemmy.world 2 points 1 year ago

Also, you can back up your dB to encrypted json and restore it later.

[–] thelittleblackbird@lemmy.world 20 points 1 year ago (3 children)

May I ask what is wrong with your archaic setup?

I have exactly the same config and I find it easy and reliable for not asking for a change.

Am I missing some points or what is going on?

[–] Swarfega@lemm.ee 10 points 1 year ago

It's not archaic.

[–] Xirup@lemmy.dbzer0.com 2 points 1 year ago* (last edited 1 year ago) (2 children)

I didn't mean to make it sound bad, although now that I read it again it sounds bad.

With "archaic" I wanted to refer to the fact that it is not necessarily the most efficient in my opinion, because for example in the case of Nextcloud, to synchronize my Keepass directory with a directory on my phone I need an external app called FolderSync and there is no "Synchronize when detecting changes" option, every time I make a change I must manually synchronize or wait for a scheduled synchronization to take place, and it is not exactly the most efficient, unlike with Bitwarden/Vaultwarden because synchronization is immediate.

And I know that in KeepassDX for example I can directly access my database and load it from there, but every time I make a single change when entering Keepass it says that "I lost connection to the file" (Something like that) and I have to go manually and choose the file again, I would prefer to have my passwords always in sync.

OK got what you mean.

For avoiding the cases you are describing I use several plugins for the keepass (original flavour) so in my desktop it syncs directly with the cloud.

And in my android I use keepass2androd thst is able to open the database from the cloud too.

Regards

[–] StefanAmaris@kbin.social 1 points 1 year ago

Syncthing can realtime monitor a folder that just has the keepass file and automatically update to any other syncthing enabled devices in near realtime.

Additionally it can be set to keep versions of the file so you can have copies of older versions to hand whenever things go wrong.

The only real catch is to not have the keepass db open on 2 devices at the same time as any changes made in one may be overwritten by the other as file locking isn't a thing in this method.

I've used Syncthing and keepass in this way for many many years

[–] vegetaaaaaaa@lemmy.world 1 points 1 year ago

I have the exact same setup and it's woking fine, nothing wrong with it.

My only gripe with KeepassXC is that you can't share - or so I thought - a subset of passwords from your keepass database with other people, without sharing the full database and master password. But I just read that it is in fact possible

[–] darkknight@discuss.online 13 points 1 year ago* (last edited 1 year ago)

Passwords are cached at the client for a minimum of 30 days as long as you stay logged in. this goes into specific details. (You use the bitwarden client for vaultwarden in case you weren't aware)

Edit:clarification

[–] superbirra@lemmy.world 12 points 1 year ago (1 children)

you should simply back it up. What's the point here?

[–] Swarfega@lemm.ee 5 points 1 year ago (1 children)

Yup.

I pay for Bitwarden premium. I periodically export my database manually. I know others use the CLI to do automated exports.
I save the unencrypted JSON files into a Veracrypt container.

[–] superbirra@lemmy.world 1 points 1 year ago* (last edited 1 year ago) (1 children)

yeah, so host a vaultwarden, back it up and you will be happy!

I suggest you don't save unencrypted stuff there is no reason to do so so go and learn about the thing if you want!

[–] Swarfega@lemm.ee 2 points 1 year ago (1 children)

If it's encrypted during the export you can only reimport it back into Bitwarden. If Bitwarden were to disappear I'd like to know my exports can be used to import into other password databases.

[–] superbirra@lemmy.world 0 points 1 year ago

you've kept server keys backupped in a second location, which makes your backups very secure. During recovery you restore vaultwarden then you export your beloved plaintext thing and you reimport somewhere else. It's pretty obvious none of these tools would let you backup plaintext shit and it's a feature man :)

[–] psmt@lemmy.pcft.eu 7 points 1 year ago (1 children)

The bitwarden client caches the database locally, so you can still access your credentials even if your server is down.

[–] Samsy@lemmy.ml 1 points 1 year ago* (last edited 1 year ago)

Scrolled deep to find this correct answer. Idk why people backup vaultwardens database somewhere and often.

I had a crash on the machine where vaultwarden ran. I just did a backup on a connected client "after" the crash. Saved all and rebuild a new vaultwarden, simply import and it runs perfectly without a loss. The server is mostly just a bloated secure syncthing. All data is stored in the apps, too.

[–] anzo@programming.dev 6 points 1 year ago

Depending on which database you have, backup strategy may vary. One lovely approach for SQLite is litestream + backblaze. For a small server like yourself it will fit in the free tier ;)

[–] 7Sea_Sailor@lemmy.dbzer0.com 4 points 1 year ago

Part of the fun of selfhosting is the challenge of figuring these things out and building your solutions. If you decide to go with the selfhosted bitwarden variant, there are a couple of options:

  1. you can directly dump the entire database on a fixed schedule, compress it into a gzip archive, and store it in a separate location on your VPS. These backups take up very little space and can, with the help of a script, be automated very well.
  2. you can use one of the plenty existing bitwarden backup containers that are made for this exact purpose and might offer a more comfortable setup.
  3. with any of these solutions, you'd probably want to pull these backups from your local storage to some remote storage, to ensure that in case of an accidental and complete server wipe, no data is lost / a recent backup is available. this can be done with solutions like rclone, to copy the files from your server to a remote location, like an FTP server you've rented or any cloudstorage you may have available.

There's probably even more options, but these are the ones I could think of quickly. If you have questions or need help regarding any of these, let me know, and I'll send you additional ressources to read through.

[–] PriorProject@lemmy.world 3 points 1 year ago* (last edited 1 year ago)

So I have a question, what can I do to prevent that from happening? Apart from hosting everything on my own hardware of course, for now I prefer to use VPS for different reasons.

Others have mentioned that client-caching can act as a read-only stopgap while you restore Vaultwarden.

But otherwise the solution is backup/restore. If you run Vaultwarden in docker or podman container using volumes to hold state... then you know that as long as you can restart Vaultwarden without losing data that you also know exactly what data needs to be backed up and what needs to be done to restore it. Set up a nightly cron job somewhere (your laptop is fine enough if you don't have somewhere better) to shut down Vaultwarden, rsync it's volume dirs, and start it up again. If you VPS explodes, copy these directories to a new VPS at the same DNS name and restart Vaultwarden using the same podman or docker-compose setup.

All that said, keeypass+filesync is a great solution as well. The reason I moved to Vaultwarden was so I could share passwords with others in a controlled way. For single-user, I prefer how keypass folders work and keepass generally has better organization features... I'd still be using it for only myself.

[–] investorsexchange@lemmy.ca 2 points 1 year ago (1 children)

I used to use your strategy. It works fine. But since I migrated to Nextcloud on a VPS, I use the next cloud password manager. It keeps a copy of the database stored on my device.

Same! The desktop client is not half as good as Bitwarden though, but since they decided to discriminate and sack a worker for his religious belief I am happy to change to NC passwords!