Bitwarden is an open-source password management software, similar to Keepass and LastPass. It supports clients on all platforms and allows for self-hosting. This article will share how to set up bitwarden_rs on CentOS 7, instead of Bitwarden itself. The differences between the two will be mentioned later. It is recommended for users with a certain level of Linux knowledge to continue reading.

Introduction

I have heard about Bitwarden, a popular open-source password management software, and its reputation online is good. Recently, LastPass has been frequently unable to connect to the server and is very unstable. It has also discontinued support for the Chinese version. Finally, I decided to self-host Bitwarden.

Bitwarden and bitwarden_rs

The bitwarden_rs project is an extension of Bitwarden. bitwarden_rs implements similar functionality to Bitwarden using Rust and both are open-source. However, Bitwarden has more dependencies (such as MSSQL) and consumes more memory. For personal or family use, it is recommended to use the lighter bitwarden_rs. Additionally, bitwarden_rs can also use some advanced features of Bitwarden for free, such as attachment uploads and TOTP.

Installing bitwarden_rs

The author provides a Docker installation method, so we need to install Docker first (Note: Docker is not supported on OpenVZ virtualization). The installation method for Docker is as follows:

# Install Docker
yum -y install docker
# Start Docker
systemctl start docker
# Enable Docker to start on boot
systemctl enable docker

Next, use Docker to pull the bitwarden_rs image and run it:

docker pull bitwardenrs/server:latest
docker run -d --name bitwarden -v /bw-data/:/data/ -p 80:80 bitwardenrs/server:latest

In the above example, port 80 is used. If you have already installed a web server, it may cause conflicts. You can modify the port mapped by bitwarden_rs to another port, such as 8880:

docker run -d --name bitwarden -v /bw-data/:/data/ -p 8880:80 bitwardenrs/server:latest

Configuring reverse proxy

Below is an example of xiaoz's nginx reverse proxy configuration, mainly for accessing bitwarden_rs using a domain name. The content is for reference only and should be modified according to the actual situation:

server
    {
    listen 443 ssl http2;
  # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
    ssl_certificate /data/ssl/youdomain.com.crt;
    ssl_certificate_key /data/ssl/youdomain.com.key;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;

    # intermediate configuration. tweak to your needs.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
    ssl_prefer_server_ciphers on;

    # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
    add_header Strict-Transport-Security max-age=15768000;

    # OCSP Stapling ---
    # fetch OCSP records from URL in ssl_certificate and cache them
    ssl_stapling on;
    ssl_stapling_verify on;

    server_name     youdomain.com;
   client_max_body_size 128M;
    location / {
        proxy_set_header  Host  'youdomain.com';
        proxy_pass http://127.0.0.1:8880;
        proxy_redirect off;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
location /notifications/hub {
    proxy_pass http://127.0.0.1:3012;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
  }

  location /notifications/hub/negotiate {
    proxy_pass http://127.0.0.1:8880;
  }

}

If everything goes well, you should be able to see the Bitwarden interface by accessing your domain name https://youdomain.com.

Issues encountered

Unable to log in with Google Chrome browser?

Some web browsers (such as Chrome) do not allow the use of the Web Crypto API in an insecure context. In this case, you may receive an error similar to Cannot read property 'importKey'. The solution to this problem is to configure HTTPS access.

Configured SMTP for bitwarden_rs but failed to send emails?

xiaoz used SMTP SSL to send emails but was unsuccessful. The solution is to disable TLS: SMTP_EXPLICIT_TLS=true.

Conclusion

bitwarden_rs makes it easy to self-host password management. Bitwarden provides clients on all platforms and is very convenient to use. Compared to Keepass, Bitwarden has a better user interface and more convenient management methods. Compared to LastPass, Bitwarden is open-source and can be self-hosted, eliminating the need to tolerate LastPass' poor network connection.

For those who do not want to self-host, Bitwarden also provides an online service: https://vault.bitwarden.com/#/, where you can directly register an account and use it.

• bitwarden_rs project repository: https://github.com/dani-garcia/bitwarden_rs
• This article refers to the documentation of bitwarden_rs: bitwarden_rs documentation
• Official Bitwarden website: https://bitwarden.com/