Maximum PC - UK (2019-12)


SECURE YOUR SERVER


The basic Bitwardenrs server is up and
running, but there are key elements
missing: One, there’s no security,
and two, you can’t access the server
outside your local network. To see
what’s required, visit the Bitwardenrs
wiki (https://github.com/dani-garcia/bitwarden_rs/wiki).
The best solution
is to use a third-party certificate such
as Let’s Encrypt, but it’s complicated
to set up—start your search at
https://blog.linuxserver.io/2019/01/15/self-hosting-bitwarden/.
If, however, you’re not intending
to use Bitwarden on your iPhone or
Android, you can generate your own
self-signed certificate as outlined in
the wiki (see “Using a Private CA and
making SSL certs work with Chrome”)
in conjunction with the domain name
you’re using to point to your server.
This involves OpenSSL, and
Windows users must first download
and install the full version of Win64
OpenSSL (https://slproweb.com/products/Win32OpenSSL.html)—
choose Win32 OpenSSL and adapt the
commands below if you’re running
Bitwardenrs on Windows 32-bit.
Once installed, type “environment”
into the “Search” box. Click “Set
the system environment variables”
followed by “Environment Variables.”
Click “New” under “System variables,”
name it “OPENSSL_CONF” and click
“Browse File” to select
“C:\Program Files\OpenSSL-Win64\bin\openssl.cfg”.
Once created, select “Path”
under “System variables” and click
“Edit” followed by “New” to insert
“C:\Program Files\OpenSSL-Win64\bin\”.
Click “OK.” You should now be able
to open a Command Prompt window,
navigate to a suitable location (such as
“C:\keys”), then issue the commands
listed to create the required keys.
When generating the “Bitwarden.ext”
file, substitute “Bitwarden.local” with
your own domain name.
Next, switch to the “Enabling
HTTPS” section of the wiki for
additional steps to follow—if you’re
running Bitwardenrs on a NAS, visit
http://www.synoforum.com/threads/378/
(Synology) and
https://github.com/dani-garcia/bitwarden_rs/issues/465
(QNAP) for more help with setting
things up.
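
The key-creation and “Enabling HTTPS” steps this box refers to, sketched as an added example for a POSIX shell (it is not the article's or the wiki's own listing): it builds a private CA, issues a server certificate whose subjectAltName carries your domain, checks the result, and starts the container with TLS. The function names and the key and certificate file names are assumptions; ROCKET_TLS is the setting the wiki's “Enabling HTTPS” section uses.

```shell
#!/bin/sh
# Added example; file and function names are assumptions, not the wiki's.

# make_vault_cert DOMAIN DIR: private CA plus a server certificate for DOMAIN.
make_vault_cert() (
    domain=$1
    mkdir -p "$2" && cd "$2" || exit 1
    umask 077   # keys readable by their owner only

    # 1. CA key and self-signed CA certificate. The key is left unencrypted
    #    so this runs unattended; add -aes256 to genrsa to set a passphrase.
    openssl genrsa -out myCA.key 2048 &&
    openssl req -x509 -new -key myCA.key -sha256 -days 1825 \
        -subj "/CN=Home Vault Private CA" -out myCA.crt &&

    # 2. Server key and certificate signing request.
    openssl req -new -newkey rsa:2048 -nodes -keyout bitwarden.key \
        -subj "/CN=$domain" -out bitwarden.csr &&

    # 3. Extensions file: browsers match subjectAltName, not the CN.
    printf '%s\n' \
        'authorityKeyIdentifier=keyid,issuer' \
        'basicConstraints=CA:FALSE' \
        'keyUsage=digitalSignature,keyEncipherment' \
        'extendedKeyUsage=serverAuth' \
        "subjectAltName=DNS:$domain" > Bitwarden.ext &&

    # 4. Sign the request with the CA, applying those extensions.
    openssl x509 -req -in bitwarden.csr -CA myCA.crt -CAkey myCA.key \
        -CAcreateserial -days 365 -sha256 -extfile Bitwarden.ext \
        -out bitwarden.crt
)

# check_vault_cert DIR HOST: succeeds only if the certificate chains to the
# private CA and is valid for HOST.
check_vault_cert() {
    openssl verify -CAfile "$1/myCA.crt" -verify_hostname "$2" \
        "$1/bitwarden.crt" >/dev/null 2>&1
}

# run_vault_tls DIR (absolute path): the article's container, now serving
# HTTPS on 443. Only the server key and certificate are mounted, not the CA key.
run_vault_tls() {
    docker run -d --name bitwarden \
        -e ROCKET_TLS='{certs="/ssl/bitwarden.crt",key="/ssl/bitwarden.key"}' \
        -v "$1/bitwarden.crt:/ssl/bitwarden.crt:ro" \
        -v "$1/bitwarden.key:/ssl/bitwarden.key:ro" \
        -v /bw-data/:/data/ -p 443:80 bitwardenrs/server:latest
}
```

Run make_vault_cert with your own domain and a key directory, confirm check_vault_cert succeeds for that domain, then import myCA.crt as a trusted root on each client. Keep myCA.key off the server.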

Docker. Once done, make sure Docker
is running (look for its Notification area
icon), then open a PowerShell window
before issuing the following command:
$ docker pull bitwardenrs/server:latest
This downloads the images required
to run Bitwardenrs. The next command
creates a quick and dirty Bitwarden install
that has no security, but works instantly:
$ docker run -d --name bitwarden -v /bw-data/:/data/ -p 80:80 bitwardenrs/server:latest
That’s it for basic setup and
configuration. If you now open a web
browser on your PC or any device on your
local network and type “http://192.168.x.y”
(substitute “x” and “y” for your PC’s IP
address), you should find yourself at the
Bitwarden web vault, where you can
create your account and log into it. One
note: Chrome refuses to connect to the
web vault in this configuration (see
https://github.com/bitwarden/web/issues/254).


LINK TO BITWARDEN

Assuming you’re happy to access the
Bitwarden server exclusively over your
home network insecurely, then you’re
done with setup and configuration. This
configuration allows you to access your
vault securely when outside your home
network (just don’t explicitly log out of
Bitwarden while on the road), but you
won’t be able to sync any new logins
you create with the server until you’re
back inside your network (simply select
“Settings > Sync > Sync vault now” to
force a manual sync if it doesn’t happen
automatically for any reason).
If you want external access to the
server, you first need to configure a
domain to point to your Bitwarden
server—one simple solution is to make
use of a free dynamic DNS service, such
as No-IP (www.noip.com). You also need
to implement HTTPS security with an SSL
certificate—see the final box for details.
In the meantime, existing Bitwarden
users should start by transferring their
passwords from the cloud to their new
server: Log into https://vault.bitwarden.com,
select “Tools,” and click “Export
Vault.” Read the warning, leave “.json”
selected, and enter your master password
again before clicking “Export Vault” again.
Save the file somewhere secure, then log
out, and close the browser tab.
Type your server IP address along with
any required port number—you should
see the same interface as found at
https://vault.bitwarden.com, but this is pointing
to your local server. Log into your new
account, and this time select “Tools >
Import data.” Select “Bitwarden (json)” as
the import file format, then click “Browse”
to select your exported file, followed by
“Import.” Wait while it’s uploaded, and
your passwords imported. Once done, you
are ready to start configuring your apps
and browser add-ons.
If necessary, click “Settings” to log out
of your web-hosted Bitwarden account. At
the login screen, click “Settings,” where
you’ll see the fields required to access
your self-hosted environment (if left blank,
Bitwarden defaults to its online servers).
You only need to fill the top field: Enter
“http://192.168.x.y:4000” or whatever your
IP address/port number combo is, click
“Save,” and log in as normal.
From here, Bitwarden should largely
behave as normal—we recommend
visiting “Settings > Two-step login”
in the web vault to set up 2FA using
an authenticator app such as Google
Authenticator or Authy for extra security,
but otherwise you’re done. You have the
flexibility of an online password manager
with the security of knowing exactly where
your passwords are stored.

Your Bitwardenrs server requires extra steps to make it secure.


maximumpc.com DEC 2019 MAXIMUMPC 57
