A password manager is one of the easiest ways to safeguard your online identity against malicious actors and theft. Of the myriad of options available, open-source projects like Bitwarden and Keepass are universally regarded as the most trustworthy.
But what if you want to go one step further? Can you host Bitwarden on a private server to increase your security?
Why Self-Host Bitwarden?
Bitwarden offers a convenient hosted solution for most users that anyone can use for either free or a nominal monthly fee—depending on the feature set you need. Since your passwords are stored in an encrypted format, not even Bitwarden’s developers can access them.
However, more discerning and privacy-oriented folk may still want to have full control over their passwords, encrypted or not. To that end, Bitwarden offers a self-hosted option, which allows you to deploy the entire password management software on your own hardware. The password manager officially supports this "on-premises" option.
The biggest hurdle to self-hosting, however, is finding an always-available computer to deploy the software. While you could absolutely use a spare computer or even a Raspberry Pi as a home server, they are far from reliable.
An off-site service, on the other hand, guarantees uptime. Google Cloud, for instance, guarantees that their servers will be available at least 99% of the time under their Compute Engine Service Level Agreement.
Furthermore, if your server is rendered inoperable, you will be left with no sync destination until you fix it. Spinning up a new cloud server instance, on the other hand, is quick and does not require extensive hardware troubleshooting.
Self-hosting also means that you're in control of your password manager's security. Even if the public Bitwarden service falls victim to a security breach in the future, your database will remain private and unaffected.
Which Cloud Storage Provider Should You Choose?
Google Cloud, Microsoft Azure, and Amazon AWS are the three largest cloud service providers by market share.
Luckily for us, all three also have free tiers—allowing you to host a small number of services at no cost whatsoever. Naturally, there are some restrictions, such as the hardware specifications and geographical location, but they should not matter too much for simply self-hosting Bitwarden.
Out of our three available options, though, Google Cloud is the only service that offers an always-free tier beyond the initial 12-month trial period. The biggest limitation with this server is that it comes with paltry bandwidth and storage allowances. However, since we’re only using it for password hosting, neither of those limitations will be a problem.
More specifically, Google Cloud offers one f1-micro server instance for free, as long as you host it in specific regions. At the time of publication, the options are limited to Oregon, Iowa, and South Carolina.
Even if you live far from these regions, though, Bitwarden's usability won’t be impacted all that much. The physical distance between you and the data center matters much more for applications involving large files such as video streaming.
Finally, Google only provisions 1GB of outgoing network bandwidth for your free instance every month. Bitwarden’s web interface uses a few megabytes of data each time you load it, but simply syncing your passwords regularly should not push you over this limit.
Note: While Google’s Free Tier does allow you to lease hardware for free, you will have to pay a small fee for reserving a static IP address. This is because the internet has already run out of IPv4 addresses. Since demand exceeds supply, Google Cloud currently charges $0.002 per IP address per hour. If you run your Bitwarden server 24/7 for an entire month, you will be billed $1.44.
First Step: Provisioning a Server for Bitwarden
To get started, head over to the Google Cloud console and log into your Google account. Then, navigate to the platform's compute engine section and hit the ‘Create’ button to spin up a new virtual machine instance.
Enter a name for the machine and select one of the aforementioned regions in the dropdown menu. Next, under the Machine configuration section, be sure to select ‘f1-micro’ as your server type. These settings will ensure your server falls under Google’s Always Free tier.
Finally, simply select ‘Debian’ or ‘Ubuntu’ as your virtual machine’s boot image and set a disk size of 30GB—the maximum allowed. After confirming the creation of your new virtual machine, wait a few minutes for it to show up in the list of VMs.
Next, you will have to assign a static IP address to your virtual machine. This way, you can access your Bitwarden instance from the same IP every time. To do this, simply follow this documentation page.
Once you have your static IP, navigate to your domain provider and set up a DNS record pointing to the same address. Instructions for this step will vary depending on the provider you use—simply refer to their documentation.
Assuming you’ve set up everything correctly, your domain name (abc.xyz) will soon point directly to your Google Cloud VM.
We’re now ready to install Bitwarden on this virtual machine! Go back to the list of VMs by clicking here and connect to it by clicking on the SSH button.
Deploy Bitwarden to Your Server
After successfully connecting to your virtual machine, run the following commands to update the base operating system.
Sudo apt-get update
Sudo apt-get upgrade
Then, install Docker by entering:
curl -fsSL https://get.docker.com -o get-docker.sh
sh get-docker.sh
In case the above installation script fails, either install Docker manually or follow the official documentation.
At this point, all that’s left to do is to download Bitwarden’s Docker image and run it. The following commands accomplish just that:
docker pull bitwardenrs/server:latest
docker run -d --name bitwarden -v /bw-data/:/data/ -p 80:80 bitwardenrs/server:latest
At this point, Bitwarden is fully installed on your server. However, external clients cannot connect to your Bitwarden instance just yet. For that, you’ll have to provide the webserver with a valid TLS certificate. This requirement is to ensure that your passwords remain secure while they are being sent back and forth.
Reverse Proxy and SSL With Caddy
Caddy is an open-source reverse proxy that abstracts most of this complexity for us. As long as your domain is correctly configured, Caddy will automatically generate and renew the required certificates.
To install Caddy via Docker, simply enter the following command:
docker pull caddy/caddy:alpine
Next, create a directory for Caddy to run and store its certificates and files. The second command creates a blank configuration file:
sudo mkdir /etc/caddy
sudo nano /etc/Caddyfile
Paste the following contents:
yourbitwardendomain.com {
reverse_proxy /notifications/hub/negotiate 0.0.0.0:80
reverse_proxy /notifications/hub 0.0.0.0:3012
reverse_proxy 0.0.0.0:80
}
Don’t forget to replace ‘yourbitwardendomain.com’ in the above block with your own domain. Press Ctrl+X to save.
Then, simply initiate the Docker container:
sudo docker run -d --name caddy -v /etc/Caddyfile:/etc/caddy/Caddyfile -v /etc/caddy:/root/.local/share/caddy --net host --restart on-failure caddy/caddy:alpine
And that’s it! Visiting your domain should now bring you straight to Bitwarden—over a secure connection, no less.
If the page fails to load for some reason, you may have missed a step or configured Caddy incorrectly. Remember, Bitwarden will only work on an HTTPS connection, so it cannot be directly accessed by navigating to your server’s public IP address.
Start Backing Up Your Passwords to Bitwarden
Once your Bitwarden self-hosted server is up and running, you're free to begin uploading and safely storing your passwords.
Maxim Zhgulev/Unsplash