Switching from KeePassXC to Bitwarden

I have been looking to replace my password management setup for a few months now. Up until now I was using KeePassXC, but I never got around to putting in the work to make it work properly on mobile.

I understand that the standard solution is to just get the file synced on your phone using Dropbox and then install a mobile app which can read the file off of Dropbox. But the idea that all my passwords are in one single file somewhere on the internet (cloud, if you will) is a bit disturbing.

Incidentally, this is also the reason I never got around to using 1password, Lastpass, or other cloud-hosted password managers.

This is not to discount the work that the security folks at these companies are putting in on a daily basis to make their services secure. And I know that my passwords file is encrypted. I've just seen enough mistakes happen and I'd like to avoid being a part of one.

Requirements

My requirements were fairly simple. I wanted something that

  1. is open-source
  2. allows self-hosting
  3. works on mobile

... in that order.

Turns out that just these 3 requirements narrowed down the search to Bitwarden.

Bitwarden

Bitwarden is open source. There's a core server written in C# and then there are multiple client apps (iOS, Android, desktop).

The backend appears quite heavyweight. Being written in C# and talking to a SQL Server installation, it's not exactly what I would call "deployment friendly". Luckily, they provide a Docker image which you can use to self-host the whole thing.

While this works on a modern machine, I wanted to run Bitwarden on a spare Raspberry Pi connected to my home network where the system requirements are a bit less than what the Docker image requires.

It turns out that I'm not the first person to run into this problem. @jcs already wrote a Ruby server which is API-compatible with the "official" Bitwarden backend. This implementation is very lightweight, and completely doable for the Pi. So all I had to do was create a new bitwarden user on the Pi, install rvm, git clone the repository, and then start the server process.

The only problem left now was setting up a static IP for the Pi so that the desktop client on my laptop and the iOS app on my phone know the (static & private) IP address they should be connecting to. Luckily my modem supported allocating the same IP to devices based on their MAC addresses, so this was also easy.

Migrating from KeePassXC

rubywarden includes a script to import existing KeePassXC database files, and it ran without any problems. It didn't handle my KeePassXC folders quite right, though: an entry called "Google" in the "Internet" folder was imported as "Internet/Google". Those slashes look pretty annoying, so I took some time out to delete some unused passwords and organize the rest into folders.
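The folder cleanup could be scripted instead of done by hand. The following is an added example (not part of rubywarden or of this post) that takes imported entry names such as "Internet/Google" and splits them back into a folder path and a plain entry name; it assumes every "/" in an imported name came from the KeePassXC group path, which is a guess about the import script's behaviour, so the output should be checked before it is applied to a real vault.

```ruby
# Added example, not rubywarden's own code. Splits imported entry names like
# "Internet/Google" (group path joined with "/" by the import script) back
# into a folder path and a plain entry name.
# Assumption: every "/" in an imported name came from the KeePassXC group
# path. Names that genuinely contained "/" will be split too, so review the
# result before applying it.

SEPARATOR = "/".freeze

# Returns { name:, folder: } for one imported entry name. Entries with no
# separator, an empty folder part (e.g. "/Google") or an empty last segment
# (e.g. "Internet/") are left untouched rather than guessed at.
def split_imported_name(imported_name)
  folder, sep, name = imported_name.rpartition(SEPARATOR)
  if sep.empty? || folder.empty? || name.empty?
    return { name: imported_name, folder: nil }
  end
  { name: name, folder: folder }
end

# Reorganises a whole list of imported names and also returns the distinct
# folders they need, so the folders can be created before entries are moved.
def reorganise(imported_names)
  entries = imported_names.map { |n| split_imported_name(n) }
  folders = entries.map { |e| e[:folder] }.compact.uniq.sort
  { entries: entries, folders: folders }
end

# Constructed sample input mirroring the post's "Internet/Google" case plus
# a nested group, a top-level entry and a malformed name.
SAMPLE = ["Internet/Google", "Work/Email/Gmail", "Router admin", "Internet/"].freeze

if __FILE__ == $PROGRAM_NAME
  result = reorganise(SAMPLE)
  puts "Folders to create: #{result[:folders].join(', ')}"
  result[:entries].each do |e|
    puts "#{e[:folder] || '(no folder)'} :: #{e[:name]}"
  end
end
```

Nested KeePassXC groups come out as folder paths like "Work/Email", which Bitwarden displays as nested folders when a folder is named that way.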

Migration was a non-issue, I would say.

Caveats

The only caveat with this system that I can think of right now is that when you're not at home, you won't be able to save/edit/delete passwords. You'll be able to read just fine, but editing won't work.

The reason is that your client apps are configured to talk to a private IP address (of the Pi in this case). But so far I haven't had the need to save/edit/delete passwords when I'm outside. And reading them works just fine.

If this is important for you, then this is probably the price you pay for keeping the passwords on a machine you can physically look at.

But overall, I find this setup quite nice to work with.