It never made sense to me to put password managers in the cloud. Regardless of what you intend it to do, you’re making it accessible to a wider audience than necessary. And yet, I’m using iCloud. It’s time for a change.

I’m thinking of just running a locally hosted password manager on my home server and letting my devices sync with it somehow when I’m at home. I have a VPN into my home network when I’m away that automatically triggers when I leave the house, so even that’s not that big an issue, but I’m really not familiar with what’s gonna cleanly integrate with all my stuff and be easy to use. All I know is I wanna kill the cloud functionality of my setup.

I already have a Jellyfin server so I figured I would just throw this onto that. Any suggestions?

  • halcyoncmdr@lemmy.world · 2 up · 2 hours ago

    I switched to Bitwarden after the LastPass stuff a couple of years ago, and I just got around to installing Vaultwarden on my TrueNAS system at home. I’m using a single Cloudflare Tunnel to handle secure external connections for that and other services like Emby. Took a little bit to set up following some guides, but it has been working flawlessly for me and some friends. You can use the regular Bitwarden apps and extensions since they natively support self-hosting.

  • SanndyTheManndy@lemmy.world · 5 up · 3 hours ago

    KeepassXC + Syncthing. Using for 2+ years no issues. Have separate database files for each device and merge them as needed.

  • irmadlad@lemmy.world · 7 up · 4 hours ago

    I look at it like this:

    • I don’t absolutely trust the security of my server. Sure, it hasn’t had a breach…yet, but that possibility is inevitable, given the number of bots that keep trying to get in by the minute. It’s secure, yes, but is it secure enough to entrust the keys to my bank account, my business ventures, et al.? If somebody got the key to my Lemmy account, it would be bothersome, but not cataclysmic, since all online accounts are siloed with only a couple that are linked.
    • Bitwarden spent a lot of time and money building a large infrastructure that is, imho, far more secure than my little server. Bitwarden has a pretty good track record. They have had some vulnerabilities, even as recent as '23 but these have been remediated.
    • Confirmation bias…I’ve been using Bitwarden for untold years now and have never had an issue, other than the recent UI theming schema that was so castigated by users that they offered a way to switch back.

    While hosting my own password manager would fit right in with the rest of my selfhosting, I think sometimes it’s better to defer to more secure options when dealing with highly sensitive data.

  • radar@programming.dev · 4 up · edited · 6 hours ago

    I use GNU pass synced through an internal Gitea. I have WireGuard to sync remotely. Works pretty well. I would recommend not setting an expiration on the key; the git history keeps the old encryption anyway.

    • user8N2elyIDTP3L@lemm.ee · 3 up · 3 hours ago

      This is the way to go, though I’ve moved from pass to gopass, which is basically the same thing but written in Go and looks to be better maintained. I also moved from Gitea to Forgejo, since I think Gitea has had some maintainer changes over the last couple of years that may not have been in the spirit of remaining fully FOSS.

  • dr-robot@fedia.io · 33 up, 1 down · 12 hours ago

    Why not use KeepassXC? It’s a completely local encrypted db but it integrates with cloud storage apps like nextcloud for sync. It has plugins for integration with Firefox and KeepassAndroid is pretty smooth on the current Android OS.

    • 𝕽𝖚𝖆𝖎𝖉𝖍𝖗𝖎𝖌𝖍@midwest.social · 2 up · edited · 6 hours ago

      Shamelessly shilling my OSS project, rook. It provides a secret-server-ish headless tool backed by a KeePass DB.

      • Headless server
      • Optional and convenient integration with the kernel keyring (on Linux), for locking the server to only provide secrets to the user’s session
      • Provides a range of search, list, and get commands
      • Minimal dependencies and small code base make rook reasonably auditable

      You might be interested in rook if you’re a KeePassXC user. Why might you want this instead of:

      • Gnome secret-server, KDE’s wallet, or pass? rook uses your (a) KeePass DB, while most other projects store secrets in their own DBs and require (usually manual) syncing when passwords change.
      • One of the browser secret stores? Those also keep a bespoke DB which needs to be synced, and they’re limited to browser use. Rook supports using secrets in cron jobs or on the command line (e.g. mbsync, vdirsyncer, msmtp, etc.).
      • KeePassXC? KeePassXC does provide a secret service that mocks Gnome secret-service, but you have to keep KeePassXC (a GUI app) running even if you only rarely use the UI. Rook can also be used on a headless machine.
      • The KeePassXC command line tool? That requires entering the password for every request, making it tedious to use and impractical for automated, periodic jobs.

      Rook is read-only, and intended to be complementary to KeePassXC. The KeePassXC command line tools are just fine for editing, where providing a password for every action is acceptable, and of course the GUI is quite nice for CRUD.

    • unexposedhazard@discuss.tchncs.de · 8 up · 11 hours ago

      Yup this is the way. The resulting .kdbx database file is encrypted so you can even synchronize it over an untrusted provider. Otherwise you can use something like syncthing to keep it strictly peer to peer.

  • AtariDump@lemmy.world · 21 up, 1 down · 15 hours ago

    Is the data super important to you?

    Let someone else host it.

    Bitwarden in the cloud.

    • tmpod@lemmy.pt · 2 up · 3 hours ago

      This. And to add to what other commenters have said, by using Bitwarden and paying for their Premium plan (very cheap, just $10/month), even if you don’t use all their features, you’re supporting a good project. It’s critical infrastructure, I think the price is more than fair.
      Either way, you should always make periodic backups from any cloud service you use, encrypted of course.

    • Engywook@lemmy.zip · 13 up, 1 down · 14 hours ago

      Agreed. Unless your setup and security practices are flawless, I think passwords are better managed by specialists paid for it.

  • Takahe@lemmy.nz · 20 up, 1 down · 16 hours ago

    I use keepass (KeepassXC on desktop, KeepassDX on Android, but I’m sure there is an iOS client too). I sync the database between all my devices and my server (hub and spoke) with Syncthing.

    • alienscience@programming.dev · 4 up · 12 hours ago

      I also use KeepassXC and Syncthing together and I am very happy with this combination.

      One tip that I have, if you are worried about the security of the database file being shared, is to get 2 Yubikeys and use these, along with a strong passphrase, to protect the database file.

      • 4k93n2@lemmy.zip · 1 up · 3 hours ago

        There’s also the option of using a “key file” with Keepass, which can be any file (an mp3, an ebook or whatever), and then you select that file when you’re entering your password. So as well as someone trying to brute force your password, they also have to guess what key file you’re using, which would be next to impossible if you had a folder full of hundreds of files.
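Added example, not from any commenter: how a KeePass/KeePassXC key file actually enters the key. The KDBX composite key is SHA-256 over the concatenation of SHA-256(password) and the key file's 32-byte contribution; for an arbitrary file (mp3, ebook) that contribution is the SHA-256 of the raw file bytes, while a 32-byte file is used as-is and a 64-hex-character file is hex-decoded. The XML key-file format KeePass can generate is not handled here, and the downstream KDF (Argon2 or AES-KDF) is out of scope. Two practical consequences follow from the arithmetic: any change to the file's bytes (re-tagging the mp3, re-saving the ebook) silently yields a different key, and the protection comes from the attacker not having those bytes, since trying every file in a folder of a few hundred is only a few hundred SHA-256 calls. The sample inputs are constructed.

```python
"""Added example: KeePass 2.x / KeePassXC composite-key construction.

composite = SHA-256( SHA-256(password) || keyfile_key )
keyfile_key from the key file contents:
  - exactly 32 bytes           -> used as-is
  - exactly 64 hex characters  -> hex-decoded
  - anything else              -> SHA-256 of the raw file bytes
(The XML key-file format is not handled.)
"""
import hashlib
import re
from typing import Optional

_HEX64 = re.compile(rb"^[0-9a-fA-F]{64}$")


def keyfile_key(data: bytes) -> bytes:
    """Return the 32-byte key contribution of a key file's contents."""
    if len(data) == 32:
        return data
    if _HEX64.match(data):
        return bytes.fromhex(data.decode("ascii"))
    return hashlib.sha256(data).digest()


def composite_key(password: Optional[str], keyfile: Optional[bytes]) -> bytes:
    """Combine the enabled key components the way KeePass does."""
    if password is None and keyfile is None:
        raise ValueError("at least one key component is required")
    parts = b""
    if password is not None:
        parts += hashlib.sha256(password.encode("utf-8")).digest()
    if keyfile is not None:
        parts += keyfile_key(keyfile)
    return hashlib.sha256(parts).digest()


if __name__ == "__main__":
    # Constructed sample inputs; a real key file would be read from disk.
    pw = "correct horse battery staple"
    ebook = b"It was the best of times, it was the worst of times..." * 100
    mp3 = b"ID3\x03\x00" + bytes(range(256)) * 4

    print("password only :", composite_key(pw, None).hex())
    print("password+ebook:", composite_key(pw, ebook).hex())
    print("password+mp3  :", composite_key(pw, mp3).hex())
    # A single appended byte in the key file changes the whole key.
    print("ebook re-saved with trailing newline still opens the DB?",
          composite_key(pw, ebook) == composite_key(pw, ebook + b"\n"))
```

Because the key file's contribution is a full 32-byte digest, an attacker who has only the password is missing 256 bits, which is what makes the password uncrackable offline; an attacker who has both the database and the candidate files is missing nothing but a short loop.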

    • GreatBlueHeron@piefed.ca · 6 up · edited · 15 hours ago

      I’ve been using various versions of keepass forever. Until recently I had the database on Google Drive. It’s now local and synced with Syncthing. It’s a bit “different”, but once you get used to it, it works very well.

  • kowcop@aussie.zone · 7 up · 14 hours ago

    I don’t really see the problem with having the password manager in the cloud if it is protected by 2FA. I tried Vaultwarden (self-hosted) about a year ago and the showstopper was that I couldn’t store a new password when off LAN or without first connecting the VPN. I am sure there are on-demand VPN type services, but it was clunky. It would have been great if it would work locally on the phone and then sync the password to the vault when it came back online.

  • 4am@lemmy.zip · 4 up · 14 hours ago

    Self-hosting a password manager is great, but be sure to read up on keeping it secure, and don’t store anything important in it until you have a working, tested backup solution. And re-test it frequently in a non-destructive way.

    If you lose your password storage to a disk failure or something, you’re gonna be hurting for a while.
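Added example, not the commenter's code: one non-destructive check you can run against a KeePass .kdbx backup on a schedule. It never opens the live database and needs no master password: it reads the KDBX outer header of the backup copy, checks the file signature and format version, walks the header fields, and for KDBX 4.x recomputes the SHA-256 that the format stores immediately after the header. A truncated or bit-rotted backup fails here instead of on the day you need it. This is a file-integrity check, not a full restore test; the real test is still opening the backup copy with your master key in KeePassXC. The sample database bytes are constructed (a well-formed header with a placeholder field and junk payload), not a real vault.

```python
"""Added example: non-destructive sanity check for KeePass .kdbx backups."""
import hashlib
import struct
import tempfile
from pathlib import Path

SIG1 = 0x9AA2D903          # first file signature, all KeePass formats
SIG2_KDBX = 0xB54BFB67     # second signature of the KDBX 2.x release format
END_OF_HEADER = 0          # header field id that terminates the outer header


def parse_kdbx_header(data: bytes) -> tuple:
    """Validate the outer header of a KDBX file and return (major, minor).

    Raises ValueError on a wrong signature, a truncated header or, for
    KDBX 4.x, a header whose stored SHA-256 does not match its bytes.
    """
    try:
        sig1, sig2, version = struct.unpack_from("<III", data, 0)
        if sig1 != SIG1 or sig2 != SIG2_KDBX:
            raise ValueError("not a KDBX 2.x database (bad signature)")
        major, minor = version >> 16, version & 0xFFFF
        pos = 12
        while True:
            # KDBX 3.x header fields carry a 16-bit length, KDBX 4.x a 32-bit one.
            if major >= 4:
                field_id, size = struct.unpack_from("<BI", data, pos)
                pos += 5
            else:
                field_id, size = struct.unpack_from("<BH", data, pos)
                pos += 3
            if pos + size > len(data):
                raise ValueError("truncated header field")
            pos += size
            if field_id == END_OF_HEADER:
                break
        if major >= 4:
            stored = data[pos:pos + 32]
            if len(stored) != 32:
                raise ValueError("truncated header hash")
            if hashlib.sha256(data[:pos]).digest() != stored:
                raise ValueError("header SHA-256 mismatch: backup is corrupt")
        return major, minor
    except struct.error as exc:
        raise ValueError("file too short to be a KDBX database") from exc


def header_ok(data: bytes) -> bool:
    """True if the bytes pass the header checks above."""
    try:
        parse_kdbx_header(data)
        return True
    except ValueError:
        return False


def backup_is_sane(path: Path) -> bool:
    """True if the backup file at `path` passes the header checks."""
    return header_ok(path.read_bytes())


def synthetic_kdbx4() -> bytes:
    """Constructed test input, not a real database: a well-formed KDBX 4.1
    outer header (one placeholder field plus EndOfHeader), its SHA-256, a
    zeroed HMAC slot (the real one needs the master key) and junk payload."""
    hdr = struct.pack("<III", SIG1, SIG2_KDBX, (4 << 16) | 1)
    hdr += struct.pack("<BI", 2, 16) + b"\x00" * 16      # field 2 placeholder
    hdr += struct.pack("<BI", END_OF_HEADER, 4) + b"\r\n\r\n"
    hdr += hashlib.sha256(hdr).digest()
    return hdr + b"\x00" * 32 + b"\xaa" * 64


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        good = Path(tmp) / "passwords.kdbx.bak"
        good.write_bytes(synthetic_kdbx4())
        damaged = bytearray(synthetic_kdbx4())
        damaged[20] ^= 0x01            # flip one bit inside a header field
        bad = Path(tmp) / "bitrot.kdbx.bak"
        bad.write_bytes(bytes(damaged))
        print("good backup   :", backup_is_sane(good), parse_kdbx_header(good.read_bytes()))
        print("damaged backup:", backup_is_sane(bad))
```

Run it from cron against the newest file in your backup directory and alert on `False`; pair it with a periodic manual open of the backup copy in KeePassXC so the password-dependent part (the HMAC and the encrypted payload) also gets exercised.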

  • aksdb@lemmy.world · 2 up · 13 hours ago

    If you don’t have a hard requirement of it being fully (!) OpenSource, then I would recommend Enpass. Relatively pleasing UI that runs native on Win, Mac, Linux, Android and iOS. It has browser plugins for Chrome and Firefox that talk directly to the running fat client (so no multiple authentication with different browsers necessary).

    The password DB is completely local, but it offers several sync mechanisms like WebDAV or Dropbox or also iCloud; basically whatever can store files. If it’s a NAS in your home, it will simply sync once you are back home.

    It also offers “WiFi Sync”, in which case you designate one machine running Enpass as the server and link other clients to it, then you don’t even need to run a separate hosting for it (but that machine needs to be on and running Enpass when you want to sync, obviously).

    It’s basically a less open but much more convenient and beautiful KeePass(XC).

  • ohwhatfollyisman@lemmy.world · 3 up · 15 hours ago

    I have keepass on only one device. I don’t mind looking up individual passwords and typing them in manually when on other devices.

    On the device which hosts keepass, the app is hidden and hoops must be jumped through to reach it.

    I back up the encrypted password database once a month to a cloud service as insurance against me losing that one device.

    It’s not the most convenient setup but I sleep so much easier for it.

    • 4k93n2@lemmy.zip · 1 up · 3 hours ago

      Using passphrases instead of passwords can make this a lot easier as well. A lot of the time I just glance at a passphrase on my phone and then type the whole thing in one go into my laptop.