Getting the homelab more set up meant keeping track of passwords for all of the individual services. Although adding SSO with Authentik was a good learning experience, it seemed overkill for the needs of my projects. There was still a need to manage all the credentials for the self-hosted services, and up to this point that meant a password manager like Bitwarden. There are other offerings out there such as 1Password, but the price point of Bitwarden (freemium) was more in line with my budget.

I was interested in learning more about FIDO2 and passkeys for authentication, so I purchased myself a couple of YubiKeys. Unfortunately Bitwarden requires a premium membership for this feature, which led me to look more into self-hosted alternatives. (Nothing against Bitwarden; I’ll likely end up purchasing the premium subscription anyway to support the project.) This would give me a learning opportunity to test out Vaultwarden, an alternative server implementation of the Bitwarden Client API (it uses Rust btw). This is great since it lets me re-use the same client infrastructure (e.g. the Bitwarden Android app and Firefox extension), and I should be able to use my YubiKey to unlock the vault since that is supported out of the box.

It seems pretty straightforward to get set up, leveraging the same docker compose setup I already have. It’s as easy as adding a service like this:

services:
  vaultwarden:
    image: vaultwarden/server:latest
    container_name: vaultwarden
    restart: unless-stopped
    environment:
      # the public origin the clients will use; WebAuthn checks this
      - DOMAIN=${DOMAIN}
    volumes:
      # persistent vault data (database, attachments, icon cache)
      - ./vw-data/:/data/
    ports:
      # host port 8421 -> container port 80
      - 8421:80
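As an added example (not the compose file from the original post), here is the same service with the settings I would tighten before exposing it at a subdomain: the environment variable names (SIGNUPS_ALLOWED, INVITATIONS_ALLOWED, ADMIN_TOKEN, SHOW_PASSWORD_HINT) are Vaultwarden's own configuration keys, while the pinned image version and the admin token value are placeholders to fill in.

```yaml
# Added example, not from the original post: a hardened variant of the
# vaultwarden service above. Placeholders: <pinned-version>, ADMIN_TOKEN.
services:
  vaultwarden:
    # Pin a release tag instead of :latest so upgrades are deliberate and
    # reviewable (placeholder; substitute a real released version).
    image: vaultwarden/server:<pinned-version>
    container_name: vaultwarden
    restart: unless-stopped
    environment:
      # Must be the exact https:// origin the browser uses. WebAuthn/FIDO2
      # binds a credential to this origin and requires a secure context,
      # so plain http will not work for the YubiKey login.
      - DOMAIN=${DOMAIN}
      # Close open registration once your own accounts exist, so anyone who
      # can reach the port cannot create a vault on your instance.
      - SIGNUPS_ALLOWED=false
      # Also stop existing users from inviting new accounts.
      - INVITATIONS_ALLOWED=false
      # Gate the /admin panel behind a long random token kept in a .env file
      # (placeholder value). Without ADMIN_TOKEN the panel is disabled.
      - ADMIN_TOKEN=${ADMIN_TOKEN}
      # Password hints leak information to anyone who knows an email address.
      - SHOW_PASSWORD_HINT=false
    volumes:
      - ./vw-data/:/data/
    ports:
      # Bind to loopback only: the TLS-terminating reverse proxy (or the VPN
      # interface) is the only thing that should reach the container.
      - 127.0.0.1:8421:80
```

With this layout the reverse proxy on the host terminates TLS for the subdomain and forwards to 127.0.0.1:8421, which is also what makes the WebAuthn 2FA described later work, since the browser only offers the security key on an https origin that matches DOMAIN.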

Once the container was running, I was able to host it at a subdomain and use it as my own self-hosted password manager. After registering the YubiKeys, Vaultwarden can use them as a 2FA method. There’s a bunch I don’t know about WebAuthn, but that seems to be the direction for passkey-based logins in the future: https://bitwarden.com/help/setup-two-step-login-fido/

… Also realized that the passkey feature is on the free tier; it’s only the YubiKey OTP that’s premium. So it seems like the YubiKey is good for 2FA on the free tier: https://bitwarden.com/help/login-with-passkeys/#set-up-encryption https://bitwarden.com/help/login-with-passkeys/ https://bitwarden.com/blog/log-into-bitwarden-with-a-passkey/

It also appears that you can set up the passkey for sign-on without a password. There’s a “Log in with passkey” beta for Bitwarden. I was required to initiate the sequence using Chrome (e.g. set the key up with a PIN), since I guess Firefox was not a PRF-capable browser? After setting up with Chrome, I can log into the vault.bitwarden.com web app using only the passkey and PIN.

Some other info on PRF: https://developers.yubico.com/WebAuthn/Concepts/PRF_Extension/Developers_Guide_to_PRF.html

Moving forward, if I choose to self-host this, I’ll put it behind a VPN since not everyone on the internet needs access to the resource. Looking at VPN offerings, there are a couple that could be useful:

[ ] netbird
[ ] tailscale
[x] wireguard