When it comes to open-source password managers, the first project that caught my eye was Bitwarden. Initially, I tried self-hosting it, but it turned out to be quite resource-hungry for the limited hardware I had. So, I started looking for something smaller, simpler, and completely free.
I realized that even if I self-hosted a Bitwarden instance on my own hardware, I would still need to buy a subscription to keep it going. Before diving into the nitty-gritty details, here’s how I got into this in the first place.
How It All Started
During my college days, I got interested in many things and naturally created a lot of online accounts - so many that I eventually forgot which email I used to sign up or even which accounts I had. This confusion resulted in a breach I didn’t originally know about. Have you heard of Have I Been Pwned? This website changed how I viewed my digital footprint and hygiene when I discovered that some of my personal information had been leaked.
Once something is on the Internet, it’s almost impossible to get it back. That realization forced me to change. For the first time in my life, I bought a subscription to a password manager.
The Subscription Trouble
I chose a prominent password manager company. It was relatively cheap - around 2-3 USD per year (paid annually in INR). But after some time, I forgot to renew my subscription.
This is where things got interesting - I lost access to my passwords on all my devices. Issues piled up, and I only recovered my passwords after renewing the subscription. This experience pushed me toward finding something subscription-free that wouldn’t lock me out if I forgot to renew.
Enter KeePass
My initial choice for a subscription-free manager was KeePass. If you want the ultimate password manager, KeePass is an excellent option with its own pros and cons. Once you set up a system that works for you, there’s no going back.
While using KeePass, I discovered the SSH agent feature by accident - yes, agents existed long before all these modern LLMs! But I also made a silly mistake.
Since KeePass requires syncing the password database across devices, you can use any cloud drive, S3 bucket, or similar. As an idiot, I stored my drive credentials inside the KeePass database itself. One day, when I got logged out of the drive, all local copies were cleared. Sound relatable?
Trying Bitwarden Alternatives: Vaultwarden
In the aftermath, I looked for alternatives. I found bitwarden-rs (also known as Vaultwarden), a lightweight, open-source Bitwarden-compatible server. I even posted about how to host a Bitwarden server back in 2022. This turned out to be one of the best decisions I’ve made.
For those worried about uptime: you don’t need the server to be online all the time. Once you log in through a client, it holds a full copy of your secrets. I have used Bitwarden clients even when my server was down for almost two months. Today, I run my Vaultwarden instance on a Raspberry Pi lying around my house.
Backups: Simple and Effective
Backups? It’s simpler than it sounds. I made a bash script that runs every day at midnight:
- Shut down the Vaultwarden container
- Zip the entire data folder
- Copy the backup to an external location like an S3 bucket
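The three steps above, written out as an added example script (not the author's own script). It assumes a container named "vaultwarden", a data directory of /srv/vaultwarden/data, a local archive directory and a placeholder S3 bucket, all overridable through environment variables, and adds two things a practitioner wants in a backup job: the container is restarted even if the archive step fails, and the archive is checksum-verified before it is uploaded.

```shell
#!/bin/sh
# Added example, not the author's script. Assumed names (override via env):
# container "vaultwarden", data dir /srv/vaultwarden/data (holds db.sqlite3,
# rsa_key*, attachments/, sends/), a local archive dir, and an S3 destination.
set -eu
CONTAINER="${CONTAINER:-vaultwarden}"
DATA_DIR="${DATA_DIR:-/srv/vaultwarden/data}"
BACKUP_DIR="${BACKUP_DIR:-/srv/backups}"
S3_DEST="${S3_DEST:-s3://example-bucket/vaultwarden}"   # placeholder bucket name
KEEP_DAYS="${KEEP_DAYS:-30}"

backup_name() { printf 'vaultwarden-%s.tar.gz' "$(date -u +%Y%m%dT%H%M%SZ)"; }

# Stop the container so SQLite is not written while we copy; restart it afterwards.
stop_container()  { docker stop  "$CONTAINER" >/dev/null; }
start_container() { docker start "$CONTAINER" >/dev/null; }

# create_archive DATA_DIR OUT: tar+gzip the whole data folder and record its SHA-256.
create_archive() {
  tar -czf "$2" -C "$(dirname "$1")" "$(basename "$1")"
  ( cd "$(dirname "$2")" && sha256sum "$(basename "$2")" > "$(basename "$2").sha256" )
}

# verify_archive OUT: succeeds only if the archive lists cleanly and matches its checksum.
verify_archive() {
  tar -tzf "$1" >/dev/null 2>&1 &&
    ( cd "$(dirname "$1")" && sha256sum -c --quiet "$(basename "$1").sha256" >/dev/null 2>&1 )
}

# Ship archive plus checksum off-host; the checksum lets a restore detect a corrupt copy.
upload_archive() {
  aws s3 cp "$1" "$S3_DEST/" --only-show-errors
  aws s3 cp "$1.sha256" "$S3_DEST/" --only-show-errors
}

# Keep only KEEP_DAYS of local archives (the S3 copy is the long-term store).
prune_local() { find "$BACKUP_DIR" -name 'vaultwarden-*.tar.gz*' -mtime +"$KEEP_DAYS" -delete; }

main() {
  mkdir -p "$BACKUP_DIR"
  out="$BACKUP_DIR/$(backup_name)"
  stop_container
  trap start_container EXIT          # never leave the vault down if tar fails
  create_archive "$DATA_DIR" "$out"
  start_container; trap - EXIT       # downtime ends here, before the slow upload
  verify_archive "$out"              # set -e aborts before uploading a bad archive
  upload_archive "$out"
  prune_local
}
# Invoke as "backup.sh run" from cron (0 0 * * *); running it bare only defines the functions.
case "${1:-}" in run) main ;; esac
```

The script needs the docker and aws CLIs on the host; clients keep a full copy of the vault, so a failed night is not fatal, but the checksum failure exiting non-zero is what you want cron to mail you about.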
Most changes come from client apps synced with the server, so the data is always safe. If needed, I can export everything from a client.
Hardware Requirements
Forget beefy servers. A Raspberry Pi with a USB stick is enough to power my password manager. My Vaultwarden instance once ran on an i7 machine with 16GB RAM, which ultimately died. Luckily, I copied the Docker folder to my Pi, and it worked like magic.
Protecting Your Password Manager
Anything that protects the host machine protects your password manager. Keep your machine clean and secure.
Hardening Vaultwarden
Duo Security is an excellent addition for Vaultwarden, which also supports other MFA methods, including YubiKeys. Duo worked great until I lost my phone - yes, I am careless sometimes. I had set up MFA recovery options, though. Duo push notifications work smoothly, but if your network blocks outbound connections, check Duo’s docs for the endpoints to whitelist.
Where Am I After 3 Years?
I currently manage more than 600 accounts. Some services I used don’t even resolve anymore, so I can safely remove deprecated entries.
How to Run a Similar Setup?
Repeat after me:
- Containers.
- If it works on your machine, it will work on mine.
- Containers.
Congratulations, now you have a working instance.
You will need to decide whether your Vaultwarden instance should be reachable from the public Internet, and set up HTTPS or a VPN accordingly.
At the end of this journey, you’ll have a secure Vaultwarden instance private to you - ready to store your and your family’s secrets safely.
Special Thanks
I haven’t mentioned the Vaultwarden maintainers anywhere, but they deserve applause. The work that goes into maintaining this project is incredible.
Fun Hosting Options (Just for Fun)
I don’t personally recommend these because of the subscription issues I mentioned earlier, but some places to try hosting Vaultwarden include:
- Uberspace
- Pikapods
- Always Free VMs on Google Cloud Platform or Oracle Cloud Infrastructure
- Any spare machine you have lying around (or get one from OLX or Facebook Marketplace)
Final Words
At the end of the day, you should be able to sleep peacefully after setting this up.
Need Help?
There’s a great community of nerdy, skilled people ready to help at /r/vaultwarden or by raising issues on the Vaultwarden GitHub repository.
Thank you for reading!