Self-hosting bitwarden_rs

I’ve been hosting my own instance of bitwarden_rs for many months now. With the recent announcement by LastPass to drastically limit its free offer, many people are considering moving to Bitwarden.

Besides the official Bitwarden server, there’s also an implementation of the Bitwarden server API written in Rust, named bitwarden_rs. It’s lightweight and open source, and can thus be self-hosted. As it implements the official API, the bitwarden_rs server is fully compatible with the official clients (Linux, Android).

While it provides most of the features of the official server, some are still missing. Of the missing ones, the only one I’d really use is emergency access, which allows a third party to access the vault in case I’ve lost access to it (in a safe way, of course).

Install and run

Installing and running the server is as easy as:

docker pull bitwardenrs/server:latest
docker run -d --name bitwarden -e ADMIN_TOKEN=<my_admin_token> -v <path/to/mountpoint>:/data/ -p 8090:80 --restart always bitwardenrs/server:latest

Permanent data storage is located at <path/to/mountpoint>; don’t forget to back up this path! Most of the data is located inside a SQLite database, so in theory there’s no need to shut down the container to back it up (unless there’s a write access to the database at exactly that moment). For the paranoid, a backup of the DB can be performed by running sqlite3 db.sqlite3 ".backup 'db_20210104.sqlite3'" in the mountpoint directory (i.e. outside of the container).
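An added example (not part of the original post) of the backup step above: it takes the snapshot with Python's sqlite3 module, whose Connection.backup() uses the same SQLite online backup API as the shell's .backup command, then checks the copy with PRAGMA integrity_check and keeps it at mode 0600. The function names, the backups directory and the demo table are assumptions made for illustration.

```python
import os
import sqlite3
import tempfile
from datetime import date
from pathlib import Path


def backup_vault(data_dir: Path, dest_dir: Path) -> Path:
    """Snapshot data_dir/db.sqlite3 to dest_dir/db_YYYYMMDD.sqlite3 and verify it."""
    dest = dest_dir / f"db_{date.today():%Y%m%d}.sqlite3"
    # Open the live database read-only so the backup job can never modify it.
    src_uri = (data_dir / "db.sqlite3").resolve().as_uri() + "?mode=ro"
    src = sqlite3.connect(src_uri, uri=True)
    # Create the target as 0600 up front; O_EXCL refuses to clobber an older backup.
    os.close(os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600))
    dst = sqlite3.connect(dest)
    try:
        src.backup(dst)  # SQLite online backup API, as used by the shell's .backup
        verdict = dst.execute("PRAGMA integrity_check").fetchone()[0]
    finally:
        src.close()
        dst.close()
    if verdict != "ok":
        dest.unlink()
        raise RuntimeError(f"backup failed integrity_check: {verdict}")
    return dest


def demo():
    """Back up a constructed stand-in database (made-up table) during an open write."""
    with tempfile.TemporaryDirectory() as tmp:
        data_dir, dest_dir = Path(tmp, "data"), Path(tmp, "backups")
        data_dir.mkdir()
        dest_dir.mkdir(mode=0o700)
        live = sqlite3.connect(data_dir / "db.sqlite3")
        live.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT)")
        live.executemany("INSERT INTO items (name) VALUES (?)", [("a",), ("b",), ("c",)])
        live.commit()
        live.execute("INSERT INTO items (name) VALUES ('in-flight')")  # uncommitted
        copy_path = backup_vault(data_dir, dest_dir)
        copy = sqlite3.connect(copy_path)
        rows = copy.execute("SELECT count(*) FROM items").fetchone()[0]
        copy.close()
        live.close()
        return rows, copy_path.stat().st_mode & 0o777, copy_path.name


if __name__ == "__main__":
    print(demo())
```

The snapshot contains only committed rows, so the write that is still in flight does not appear in the copy. A backup file holds the whole (encrypted) vault plus account metadata and deserves the same access restrictions as the live data directory.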

The admin token is the “password” for the admin page.

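The web interface is then accessible over plain HTTP on port 8090. Docker publishes that port on all host interfaces unless a bind address is given, so restrict it to localhost when only the nginx reverse proxy described below is meant to reach it.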

Serving through nginx

HTTPS access is handled at the nginx level, with nginx acting as a reverse proxy. More examples, including for other front ends such as Apache, Caddy or Traefik, are available in the bitwarden_rs wiki.

The relevant configuration snippet is:

# Allow large attachments
client_max_body_size 128M;

location / {
    proxy_pass http://127.0.0.1:8090;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
}

location /notifications/hub {
    proxy_pass http://127.0.0.1:3012;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
}

location /notifications/hub/negotiate {
    proxy_pass http://127.0.0.1:8090;
}

Accessing from command line (npm client)

https://lowendbox.com/blog/getting-nerdy-with-your-passwords-the-bitwarden-command-line-interface/

More details can be found in the bitwarden_rs wiki