Password managers have been around for quite some time now, enabling and securing access to all your login credentials across hundreds of websites, if not thousands. LastPass was a service I used for some time, but the numerous security mishaps and changes in features and subscriptions made me rethink it. Self-hosting a password manager is possible with Vaultwarden, a server application that works with the Bitwarden clients. I have been playing with self-hosted tools for the last year, especially incorporating tools like Jellyfin, Nextcloud, Immich, and a few more. So, I decided to pack my bags and switch to a self-hosted password manager overnight.

The project wasn't difficult to implement, as you only need to install Vaultwarden on a server and then import all your passwords from your previous tool. But the networking aspect of it can make you sweat, so I went with a simple Tailscale setup to secure it to some extent. Let's explore how you can set up this lightweight password manager on any system.

Picking a device for Vaultwarden

I chose a Raspberry Pi

You can run Vaultwarden as a Docker container or install it directly on a device. I used a Raspberry Pi because, even with its limited resources, it is capable of hosting Vaultwarden, which doesn't need much memory to work.

Since I use DietPi as my Raspberry Pi operating system, installing Vaultwarden is a simple affair. I used its built-in software installation tool to find and set up Vaultwarden via easy-to-navigate Whiptail menus. I didn't need to type any commands to install or configure Vaultwarden for the first boot.

Vaultwarden works on a default port number, but I double-check before accessing a service every time. DietPi tends to assign different port numbers, and running the ss -tulpn command reveals the correct port number for all the installed services.
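The port check described above, extended as an added example (not part of the original article) to also report which address each listener is bound to, since a service bound to 0.0.0.0 or [::] answers on every interface of the Pi. The sample output and the listener_scope helper name are constructed for illustration.

```shell
#!/usr/bin/env bash
# Constructed `ss -tulpn` output, not captured from a real host;
# the ports, PIDs and addresses are placeholders.
SAMPLE_SS_OUTPUT='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128          0.0.0.0:8001      0.0.0.0:*    users:(("vaultwarden",pid=612,fd=11))
tcp   LISTEN 0      128        127.0.0.1:8096      0.0.0.0:*    users:(("jellyfin",pid=700,fd=3))
tcp   LISTEN 0      4096            [::]:22           [::]:*    users:(("sshd",pid=500,fd=4))
udp   UNCONN 0      0        100.64.0.10:41641     0.0.0.0:*    users:(("tailscaled",pid=480,fd=14))'

# listener_scope NAME (hypothetical helper)
# Reads `ss -tulpn` output on stdin and prints "address port scope" for every
# socket owned by process NAME.
# On a real host: sudo ss -tulpn | listener_scope vaultwarden
# (without root, ss leaves the Process column empty for other users' sockets).
listener_scope() {
  awk -v name="$1" '
    # Keep only rows whose Process column names the requested program.
    index($0, "(\"" name "\"") == 0 { next }
    {
      # Field 5 is Local Address:Port; the port follows the LAST colon,
      # which matters for IPv6 forms such as [::]:22.
      n = split($5, parts, ":")
      port = parts[n]
      addr = substr($5, 1, length($5) - length(port) - 1)
      if (addr == "0.0.0.0" || addr == "*" || addr == "[::]")
        scope = "all-interfaces"      # reachable from every network the host is on
      else if (addr ~ /^127\./ || addr == "[::1]")
        scope = "loopback"            # reachable only from the host itself
      else
        scope = "single-address"      # bound to one specific interface address
      print addr, port, scope
    }'
}

# Demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_SS_OUTPUT" | listener_scope vaultwarden
```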

Setting up Vaultwarden

Overly simplified

Simply open a web browser and type the IP address of your Raspberry Pi (or of whichever device hosts the server), followed by the port number (IP:port). It will bring up the Vaultwarden server login page. Here, you don't need to do much. Simply create your login credentials and add an email address that you want to use.

After that, you can access your Vaultwarden web server from any device on your local network. Even if you don’t want to use a dedicated app on every device, like a smartphone, you can type the IP:port in a web browser and access your password vault.

Since it's a fresh instance, I needed to migrate all my passwords from LastPass. I used the service's export feature to create a CSV file containing all passwords. Vaultwarden supports importing via CSV, JSON, and multiple other file formats. I used the Import data option, browsed and selected the CSV file, and then clicked the Import data button.

It takes a few seconds to ingest everything, and after that, you can access your passwords from here. But the work isn't complete. Until now, you have only set up the Vaultwarden server. But reopening the server page every time you need a password is a little time-consuming. So, you can use the Bitwarden browser extension to make it as seamless as your favorite password manager.

Install the extension in your preferred web browser and then use the self-hosted option to allow the extension to pull data from your personal server. You just need to put the same IPaddress:port_number here. Thereafter, you can access your passwords after entering the master password.

The extension makes it easy to auto-login to your favorite websites. I've set up an auto-lock of the vault every 5 minutes for basic security. I've also set up a PIN to help me unlock the vault rather than typing an extremely long master password. Note that the extension will ask you to log in again if you close the browser session.

Vaultwarden provides ample tools to analyze your passwords. You can even add an API key to check whether your credentials have been exposed in a data breach. I use the password generator tool a lot because websites have become really bothersome with password complexity.

It doesn't feel like a barebones password manager and has most of the features I had with my previous paid tool. But how would I access it outside my network?

Tailscale is a solution

Opening doors for access outside the network

My idea of exposing any self-hosted service outside my local network is Tailscale because it gives you a custom IP address and a secure channel. I've used it on multiple devices and can create and add a new machine to it with a simple login.

Most services work nicely with Tailscale, but some don't. Plex restricts you from streaming media in the free tier, even with Tailscale. Vaultwarden server is accessible via Tailscale, but the mobile app throws a fit every time I want to use it.

The app refuses to connect to the server, citing security certificate issues. It's a huge effort to get certificates to work with the phone, so I've shelved that ordeal for another day. For now, my passwords live on the SD card with an automated daily backup to an external hard disk.

My passwords on my device

Vaultwarden needs an HTTPS connection to work, but I didn't face that issue on the Raspberry Pi. The mobile app wasn't accessible without it, so I had to work around it with Tailscale. You will need additional networking effort to set up a reverse proxy for use with a Docker container and a custom domain. It needs a strategy to implement, but once you do it, your passwords stay with you.

Vaultwarden
Key highlights
Self-hosted Bitwarden alternative

An open-source, self-hosted password manager that can replace most paid solutions available on the web.