this post was submitted on 28 Sep 2023
73 points (100.0% liked)

Selfhosted

40006 readers
622 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago
MODERATORS
 

Objective: Secure & private password management, prevent anyone from stealing your passwords.

Option 1: Store Keepass PW file in personal cloud service like OneDrive/GoogleDrive/etc , download file, use KeepassXC to Open

Option 2: Use ProtonPass or similar solution like Bitwarden

Option 3: Host a solution like Vaultwarden

Which would do you choose? Are there more options ? Assume strong masterpassword and strong technical skills

top 50 comments
sorted by: hot top controversial new old
[–] marcos@lemmy.world 28 points 1 year ago* (last edited 1 year ago) (1 children)

Keepass + syncthing.

Don't let your vault go unencrypted through the cloud.

[–] aBundleOfFerrets@sh.itjust.works 5 points 1 year ago (2 children)

Your vault is always encrypted very securly except when in RAM. There is no security concern with uploading it directly to the cloud.

load more comments (2 replies)
[–] observantTrapezium@lemmy.ca 23 points 1 year ago

I'm very happy with self-hosted Vaultwarden.

[–] tlf@feddit.de 21 points 1 year ago (2 children)

I use option 1 with Syncthing for a distributed cloud solution

load more comments (2 replies)
[–] Heavybell@lemmy.world 19 points 1 year ago (2 children)

Keepass fIle in my own nextcloud instances, synced to my phone so I can also use keepass2android. This way if something happens I at least have another copy of it, beyond my backup system.

[–] creed10@lemmy.world 6 points 1 year ago

that's actually exactly how I have my setup. I just use syncthing to keep everything dynamically backed up as I add passwords. my main login password is memorized and not written down anywhere so I think I'm good

[–] krush_groove@lemmy.world 2 points 1 year ago

I do the same, but synced to Dropbox from computers and phone.

I have the Proton password manager as well but not sure yet if I'll do a full swap over.

[–] ippokratis@lemmy.ml 14 points 1 year ago* (last edited 1 year ago) (3 children)

Vaultwarden behind mutual tls and reverse proxy and https://github.com/oguzhane/bitwarden-mobile until https://github.com/bitwarden/mobile/pull/2629 is merged

But honestly all services you mentioned are worthy.

Anything that fits your needs imao

load more comments (3 replies)
[–] mojo@lemm.ee 12 points 1 year ago

I used to self host Bitwarden, but didn't want the hassle of securing it and updating it properly and consistently. So I just pay $10 for bitwarden premium and I get to support the company.

[–] Shayeta@feddit.de 10 points 1 year ago (1 children)

I've used Option 1 with my Nextcloud and it works perfectly. Other options seem more apropriate when you need scale, many user each with their own vault.

[–] captain_obvious@lemmy.wtf 4 points 1 year ago

Stupid me, didnt even remember using nextcloud instead of commercial clouds. I like it

[–] jameskirk@startrek.website 10 points 1 year ago

Option 2. It's the most robust. You'll never lose it (provided you have the redundancy), you can use it offline, you can transfer it using a USB pen, it's available in all platforms, including web. I've been using this for 8+ years, on my phone, desktop, laptop, company computer, etc. I store it on a personal cloud (and on each machine, of course, by syncing).

[–] avidamoeba@lemmy.ca 7 points 1 year ago

Option 2: 1Password

[–] 01011@monero.town 7 points 1 year ago

Host your own bitwarden

[–] Arkhive@lemmy.blahaj.zone 7 points 1 year ago (1 children)

I do keypassXC and Syncthing. It’s cross platform with only a couple bucks needed for lifetime access to all all necessary features depending on platform. Besides I use Syncthing for a bunch of other stuff as well, so it fits right into my flow. I’m considering moving to a command line tool simply called Pass, and still syncing with Syncthing, but I’ve yet to pull the trigger on that switch yet.

[–] butter@midwest.social 3 points 1 year ago (1 children)

I also do keepassxc, dx on Android, and syncthing to keep them updated. What is it you paid for?

load more comments (1 replies)
[–] TechieDamien@lemmy.ml 7 points 1 year ago (1 children)

Option 4: levy existing tools such as gpg and git using something like pass. That way, you are keeping things simple but it requires more technical knowledge. Depending on your threat model, you may want to invest in a hardware security key such as a yubikey which works well with both gpg and ssh.

[–] KairuByte@lemmy.dbzer0.com 3 points 1 year ago (2 children)

Why use tools not meant for password management, when alternative tools explicitly meant for password management, which have similar levels of security, work just fine?

You’re essentially saying “instead of driving down the road, I like to ride my bike with rollerblades.”

[–] benjacoblee@lemmy.world 2 points 1 year ago (2 children)

I have a set up like this (age, passage, & git). Bitwarden's browser integration works just fine, for the most part. The thing is, some of my passwords are not browser-based, and I spend large amounts of time in the terminal. Using a CLI-tool in this case lets me save a bit of time

load more comments (2 replies)
load more comments (1 replies)
[–] GlassHalfHopeful@lemmy.ca 6 points 1 year ago* (last edited 1 year ago)

I use and prefer option one, but take it a step further in that I host my own cloud service. I used to use Dropbox for years, but we got divorced.

[–] MajinBlayze@lemm.ee 6 points 1 year ago

I used option 1 (KeePass synced to Google Drive) for years. It's nice that you know you have control of your passwords at all times, and as long as you can access your cloud storage account and can download a KeePass app, you can get your passwords. It works reasonably well most of the time, but I was consistently running into edge cases that weren't as smooth as I'd have liked (mostly apps on Android)

I switched to vaultwarden (option 3), and immediately fell in love with things mostly just working. However, since I was hosting it out of my house, I had a bit of a disaster recovery problem. If i had say a fire, I could easily lose all copies of my vault, which would be... suboptimal.

After reviewing the options, I switched to straight bitwarden. I've been happy with the experience, and once I have disposable income, I plan to get pro long enough to have emergency contacts available so my family can still get important passwords in case of the worst.

All options have their pros and cons, but IMO password storage is something that deserves to be given proper consideration.

[–] Chewy7324@discuss.tchncs.de 6 points 1 year ago* (last edited 1 year ago) (7 children)

Option 3: Vaultwarden + Wireguard.

I don't have to worry about attacks from the internet. And a single wireguard connection on my phone sometimes doesn't even appear on the battery stats.

Edit: Browser addons need valid ssl certificates, which I get by dns challenge.

load more comments (7 replies)
[–] flubba86@lemmy.world 5 points 1 year ago

I use option 1, I host my keepass db file on a free secure nextcloud storage account, and use nextcloud client to keep it synced to all my devices. It's available offline on all of my devices too, in case the server goes down. I use KeepassXC on my PCs and KeepassDX on Android, to open the files.

[–] Boring@lemmy.ml 5 points 1 year ago* (last edited 1 year ago) (1 children)

I use keepassXC and sync across my devices with nextcloud and VPN to my home network with wire guard and this setup has never failed me.

I've toyed around with passbolt, and I really want to try because it just looks cool to me, but I keep having trouble with it playing nice with my reverse proxy.

My personal preference is hosting it myself on my own server and using a VPN to get to it. It gives me peace of mind because I'm not a big enough target for someone to try that hard to get my passwords and I'm not exposed to bitwarden or dashlane getting breached.

[–] Mio@feddit.nu 4 points 1 year ago

Keepassxc + syncthing to phone in read only mode and to other machine. So 3 copies on different machine, while one of them is on me

[–] t0m5k1@lemmy.world 5 points 1 year ago (2 children)

Bitwarden+vaultwarden, harden the chosen VPS, set SSH to use keys only, then setup fail2ban for webserver and ssh Also consider putting ffsync on it as well for extra browser benefits.

[–] mhzawadi@lemmy.horwood.cloud 3 points 1 year ago (2 children)

Remember to back that up, and test the back at intervals to make sure they work

[–] Opeth@lemm.ee 6 points 1 year ago

Not watertight ofcourse but I love that the bitwarden clients keep a local copy so if the server ever goes down youve still got access just no sync.

load more comments (1 replies)
load more comments (1 replies)
[–] utopianfiat@lemmy.world 5 points 1 year ago
[–] thesmokingman@programming.dev 5 points 1 year ago

If you work for a company that uses a reasonably good manager such as BitWarden, you should look into whether or not you get it for free or reduced. For the moment, at least, I use Bitwarden because I get it for free (and a families sub to boot!). I know 1password does the same; others might too. Do make sure you’re okay with paying the full price for a period of time in case you get laid off and have to migrate. Also make sure you’re okay with any compromises you make for the price tag. There is no price tag that makes LastPass acceptable, for example.

[–] BastingChemina@slrpnk.net 5 points 1 year ago (2 children)

Bitwarden for me. My password manager is not just for me, it's also a crucial component of my family life so if something happened to me I want my next of kin to be able to access it

For that it needs to be an easy to access solution.

load more comments (2 replies)
[–] IsoKiero@sopuli.xyz 4 points 1 year ago

Personally I'm running option 2 with self hosted bitwarden. Sure, it's a bit more effort to make it work and while it's not perfect that's what I've ended up with. The most convinient thing with that is that I can access my passwords whenever I have internet access with a browser without any need to install any software on the thing I'm using. Obviously that doesn't mean that I'll happily access the vault with whatever free-to-use endpoint I happen to encounter but it also gives an option to access whatever even if I'm borrowing a computer from a (trusted) friend and once I close the private window I used it's gone. And even more often, when I'm accessing my credentials from a family shared computer, I can just log out and I don't need to do any cleanup on the host which might get infected by our kids browsing something malicious or some other breach of security.

With keepassxc I'd need to worry about the database file, which is a bit different than logging out and closing browser. Your usage patterns might be different, but web-based hosting solution works for me.

[–] JakenVeina@lemm.ee 4 points 1 year ago

Option 1, except for the cloud bit. My KeePass file is stored in a restricted shared folder on my home file server, and auto-syncs to my phone on the rare occasion I update it from my desktop.

[–] Curious_Canid@lemmy.ca 4 points 1 year ago

I use option #1. Each instance of KeePass maintains a local file, but updates them automatically whenever it opens or closes. I also back up the file to my personal server automatically, so I have a copy even if the cloud service fails for some reason.

This setup has been serving me well for a long time.

[–] shasta@lemm.ee 4 points 1 year ago (1 children)

I've been happy with Keeper

[–] Seasm0ke@lemmy.world 4 points 1 year ago (1 children)

Same. Zero knowledge is good enough for me tho I may eat them words.

[–] shasta@lemm.ee 3 points 1 year ago

Realistically, I only see 3 risks using Keeper: my device has malware which lets them grab my passwords from my clipboard as I copy them, malware that lets them take control of my device after I've unlocked my password manager, or if the cloud storage is completely wiped out in some freak accident.

1 and 2 are risks for anyone using any password manager. And 3 is extremely unlikely since they use AWS for storage wirh multi-zone and multi-region redundancy, and certainly much more reliable than self hosting.

The risk of actually having your passwords cracked, even if the cloud data is leaked, is practically 0 as long as you have a decent complexity and length master password and 2FA enabled. And the risk is just as low with a MITM attack or other network based interceptors because of the ZK architecture (as you mentioned) and high encryption used.

Anyone promoting other password managers as more secure either aren't considering the risks to data loss due to self hosting or are buying too much into their password manager's marketing. I think it's totally reasonable to prefer other options due to feature support or subscription price though. A couple of features that Keeper had that made me choose it were:

  • Ability to create Records which allows me to store anything including files. This allows me to upload sensitive records like tax returns or other documents you'd traditionally keep in a safe or filing cabinet.
  • Family plan that makes it easy for me to share passwords with people on my plan (great for things like streaming services). This brought the price to a reasonable level.

There might be other password managers now that support these features, as I haven't kept up with them. I subscribed to Keeper about 6 years ago and haven't had a reason to switch. I'm open to suggestions if people know of other managers with better features.

[–] possiblylinux127@lemmy.zip 4 points 1 year ago

I choose keepassXC stored locally

[–] doubletwist@lemmy.world 3 points 1 year ago

I've been using option 1 for many many years. It lets me keep control of the encryption, and it's accessible just about anywhere.

[–] techgearwhips@lemmy.world 3 points 1 year ago* (last edited 1 year ago)

I went from Keepass synced via NextCloud (self hosted) for years... to trying out Bitwarden (their servers) and found the experience much better... then I switched to Vaultwarden via Docker going through Cloudflare Tunnel (with zero trust email authentication required) and fail2ban added. I'm content with the last option.

[–] hamFoilHat@lemmy.world 3 points 1 year ago

Why not Keepass on a webdav server? Both Keepass on the computer and Keepass2Android can open the file directly. If you save it on one it will merge the changes in any other copies you have open.

[–] dogma11@lemmy.world 3 points 1 year ago

I'm currently hosting vaultwarden on my rack, mostly just because I can really. It's easy enough and I have plenty of resources.

load more comments
view more: next ›