1. 27

  2. 14

    If you want to run your own version, I can highly recommend the independent rust server implementation here: https://github.com/dani-garcia/bitwarden_rs

    Very easy to set up and compatible with the browser extensions, android app etc.

    I have been using this for months, running it on a Raspberry Pi behind a VPN at home (with encrypted offsite backup). Works like a charm.

    1. 6

      Or, you can use @jcs’s rubywarden.

      1. 1

        I am trying out bitwarden_rs now and it does feel as usable as the mainstream software. Do you have any feedback about rubywarden regarding existing features, usability compared to the main software, and mostly, maintenance tips? Thanks!

      2. 4

        I run this in a docker container alongside watchtower to keep it up to date. Runs like a champ, I hardly ever have to touch it.

        1. 3

          Same here. I am not a fan of Docker in general, but trying to compile this myself on a Raspberry Pi tipped me over the edge towards using Docker for this.

      3. 3

        This looks super cool! Thanks for posting it! I’d like to find an alternative to 1Password because they are an evil organization, so going to keep my eyes on this one! :)

        I have a couple questions for anyone who may know and doesn’t mind!

        When I enter the master password, does it go to the server or does it stay on the client? If it stays on the client, does that mean that all someone needs to download my encrypted data is my email address?

        I’d like to use this but also think that the benefit 1Password has is either that the secret key is needed to grab someone’s encrypted data (which could be cracked at any future time) or that the master password is never sent to the server - but trying to figure out which model Bitwarden is taking here!

        Thanks for any responses <3

        1. 6

          When you log in with Bitwarden, the client sends a request to /api/accounts/prelogin, which tells the client which key derivation function to use, and for how many rounds.

          On registration, the Bitwarden server will accept a client-generated asymmetric keypair, with the private key encrypted with the master-password-derived key.

          The client then:

          1. Uses the KDF to derive a key from the master password,
          2. Hashes the master password using this key, and
          3. Sends the hashed password to the /api/identity/connect/token endpoint.

          The server responds with the previously stored (encrypted!) keypair, which the user can decrypt using their master-password-derived key, and then use this private key to decrypt their passwords. This means that changing the master password only results in re-encrypting the private key, instead of the entire set of password entries that are stored.

          1. 1

            Cool! Thank you for the info! Seems pretty secure, I’m going to make the switch =^.^=

          2. 5

            1password has a very impressive and detailed security design document worth reading for anyone interested in this space. https://1password.com/files/1Password-White-Paper.pdf

            What about 1p is evil btw?

            1. 1

              The organization itself has had questionable layoffs, has been called out by queer people for being a hostile work environment, etc.

              1. 3

                I was considering applying to 1Password, do you have any sources? A cursory web search doesn’t lead me anywhere useful.

                1. 1

                  Hmm… Also can’t find them via search. My guess is that the Twitter feeds I have seen are private followers? If you end up working there, let us know how it goes =^.^=

            2. 1

              With all well known password managers, the master password stays on the client. Anything that did otherwise would be widely ridiculed on the internet.

              Usually servers only give the encrypted data after authenticating (with a different hash of the master password, not the one that derives the encryption key). But IMO if you really trust your password manager, you should explicitly publish the encrypted vault.

              1. 1

                Not LastPass last time that I checked. You give them your password unhashed. It was widely ridiculed and people still use it. Their support team also won’t document their encryption process, saying it’s a “security risk”.