Security and privacy are increasingly large concerns for a lot of people, and data breaches and leaks have weakened consumer trust in a lot of companies. That, combined with rising costs, has made a lot of cloud services unappealing to people, and for some of us, that may include a password manager. There are plenty of subscription-based (and some free) password managers that offer to keep your passwords safe and make them available to you on all your devices, but that investment can sometimes feel like a little much.

Thankfully, like so many other things, self-hosting can come to the rescue here too. Bitwarden is a relatively well-known password manager, and it also comes in a subscription service, but there's a major difference — you can actually use your own server for a Bitwarden instance, and thanks to a project called Vaultwarden, that's exactly what I did.

Knowing the security risks

Keeping your data safe takes work

Before you get started with something like this, it is worth noting that matching the level of data security that a large company like Microsoft offers is not a trivial task. If you have a NAS at home that you can use to self-host, it takes a lot of work to set up a level of security that could confidently keep any attackers at bay, so that's a risk you should be aware of.

However, this may also be counterbalanced by the simple fact that accessing your NAS in the first place is also a lot more difficult. Someone would likely need access to your local Wi-Fi network to be able to access the NAS, and they would need to know that you have a NAS in the first place if they intend to target you. An attack on your own personal server would have to be highly targeted, and most people will likely never be in the crosshairs of such an attack.

I have a modern Wi-Fi router with proper protection enabled for the network itself, and there are no guest networks set up, so no random person should be able to connect to my NAS. I do have remote access to my NAS, but only through a Tailscale VPN and a reverse proxy, so I'm fairly confident in my setup. That being said, it's far from perfect, and it's just worth knowing the risks before you jump in.

Self-hosting Vaultwarden

It's not that hard

Bitwarden is the name you're likely familiar with when it comes to password managers, being the end-user application you use to access your passwords, as well as the official paid service. But if you want to host your own server for Bitwarden, you're going to need Vaultwarden, which is the name of the server application you use to store your data. I'm using TrueNAS Scale, and Vaultwarden is available directly on the platform's app store, so you just need to start by installing it. You'll need to configure it like pretty much any other TrueNAS app, and the only field that's really different, and that you should keep an eye on, is the Admin Token field. This enables access to the admin portal for Vaultwarden. Otherwise, just fill in all the fields as usual. I recommend using a host path for storing the app's data instead of the default ixVolume option, since it gives you a little more visibility into where data is stored.

Once you have Vaultwarden up and running, you probably want to hash the admin token, so that the configuration stores only a hash of it rather than the plaintext. This keeps your admin portal extra safe, since simply accessing your NAS wouldn't reveal the password used to access the admin portal. Keep in mind, though, that the admin portal isn't where you get to see your stored passwords, either. You can hash the admin token easily by going to your apps list and opening the shell for the Vaultwarden app.

From the shell, run the following command:

./vaultwarden hash

You'll be asked for your password twice, so enter the admin token both times, and the shell will output your hashed admin token. Select and copy the entire output string. Now, go back to the app list, select Vaultwarden, and then choose Edit. Change the Admin Token field to the hashed token you just copied. You'll still be able to log in with the same password you set initially, but now that password isn't visible to anyone who might hack into your NAS.
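For the Docker route the article mentions at the end, here is an added example (not from the article or the Vaultwarden project) of a Compose file that uses the hashed admin token the way the steps above describe. The host path, hostname, address and port are placeholders, and the hash parameters shown are only there to illustrate the output format of the hash command.

```yaml
# Added example, not from the article or the Vaultwarden project: running Vaultwarden
# with Docker Compose using a HASHED admin token instead of the plaintext one.
# Assumptions: the image vaultwarden/server, the ADMIN_TOKEN / SIGNUPS_ALLOWED / DOMAIN
# settings, the /data volume and the container's port 80 are Vaultwarden's own; the host
# path, hostname, address and port below are placeholders you replace.
#
# Generate the hash on a machine with Docker (the same hash command as in the article):
#   docker run --rm -it vaultwarden/server /vaultwarden hash
# Paste the whole output line as ADMIN_TOKEN. Because Compose expands "$", every "$"
# in the hash must be written as "$$" in this file (or in a .env file it reads).

services:
  vaultwarden:
    image: vaultwarden/server:latest
    container_name: vaultwarden
    restart: unless-stopped
    environment:
      # Weak setting (not recommended): the plaintext admin password is readable by
      # anyone who can read this file or run `docker inspect` on the container.
      # ADMIN_TOKEN: "my-plaintext-admin-password"
      #
      # Corrected setting: the Argon2 string produced by `vaultwarden hash`
      # (illustrative placeholder; note every "$" is doubled to "$$").
      ADMIN_TOKEN: "$$argon2id$$v=19$$m=65540,t=3,p=4$$<salt-from-output>$$<hash-from-output>"
      # Stop anyone who can reach the web UI from registering their own vault:
      # create the household's users first, then turn signups off.
      SIGNUPS_ALLOWED: "false"
      # The URL your clients use to reach the vault, so generated links resolve correctly.
      DOMAIN: "https://vault.example.home"   # placeholder
    volumes:
      # Host path instead of a managed volume, as the article recommends.
      - /srv/vaultwarden/data:/data          # placeholder host path
    ports:
      # Vaultwarden itself serves plain HTTP; TLS comes from the reverse proxy in
      # front of it. Bind to a LAN or VPN address, never to every interface on an
      # internet-facing host.
      - "192.168.1.100:30032:80"             # placeholder address and port
```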

Despite this extra security step, you actually shouldn't need to spend too much time in the admin portal. What you'll want to do is go back to the app list and select Vaultwarden, then choose Web UI, and from there you can create your first user with a dedicated master password. This has no relation to the admin token, so you can set anything you want as the password here. You can create as many users as you want, if you have more people in the house who should be using Vaultwarden and Bitwarden. From there, you can start by importing passwords from a CSV file, which I did by exporting the passwords stored in my web browser. Remember that such an export is a plaintext file, so delete it once the import is done. You can also add passwords manually.

Connecting Bitwarden to Vaultwarden

Accessing your passwords (and adding new ones)

Once this is set up, the final step is to install Bitwarden on your client devices. When you first create your account, you're prompted to download the Bitwarden browser extension, which is available on the Chrome Web Store and the Mozilla Add-ons for Firefox. You can also get mobile apps for Android and iOS if you want to access your passwords on those devices. I'd say it's particularly useful here because, whereas your browser can store your passwords for basically every website anyway, smartphones often have you signing into individual apps, and those passwords may not be so easily saved without something like Bitwarden.

When you're signing into Bitwarden, you have the option to choose what server you're signing into. The default will be bitwarden.com, but that's the cloud service. You'll want to change this to the Self-hosted option and then enter the IP address and port of your Vaultwarden instance, which is essentially the URL you used to access the web UI above. It will likely be something like https://192.168.1.100:30032.

Because this is a local address, you can only connect to your password vault over your local network. If you want remote access, you'll also need to set up Tailscale, but that's a whole other matter. I personally use both Tailscale and a reverse proxy so I can use a custom URL for it, but that's up to your individual needs.

In addition to showing me my saved passwords and offering to save any new ones automatically, Bitwarden is also great because it includes a password generator. A lot of browsers have one these days, but Bitwarden's is highly customizable in terms of length and the characters that can be included, so it makes it easier to set secure passwords for my apps and services. It's all saved to my Vaultwarden instance, so it stays safe on my own server and I can access it from anywhere.

Self-hosting is easier than I thought

It's only been a few months since I started getting into self-hosting, and it was scary at first, but I've gotten used to it, and it doesn't feel that hard anymore. Self-hosting my password manager works very well, and I'm glad this option exists, even if it's a bit more work than just buying a cloud service to host it for me.

If you've been thinking about moving away from a paid password manager or you want something you trust more than just your browser's built-in offering, self-hosting Vaultwarden is a viable solution. I'm fortunate enough to have a NAS, but you can also just run it in Docker on any PC you have at home.

Bitwarden

Bitwarden is a free, open-source password manager that's available across different platforms. It supports official cloud instances or self-hosting.