http://www.techradar.com/pro/linux March 2020 LXF260 57Password manager TUTORIALS
The Linuxserver
reverse proxy
obtains free
Lets Encrypt
certificates to help
secure your self-
hosted server.BUILD ME UP, BUTTERCUP
development, and this combined with its small
development team means there are still teething
problems to iron out.One password manager to rule them all
Ultimately, however, neither KeePassXC nor Buttercup
can hold a candle to our main recommendation. If
you’re currently using one of the well-known password
managers like LastPass, then you’ll want something
capable of going toe to toe with it. The open-source
alternative we recommend is Bitwarden (https://
bitwarden.com), which has been our password
manager of choice for several years. It has pretty much
all the functionality found in commercial offerings like
LastPass and 1Password, but it’s open source and all
core functionality is free (although we recommend the
$10/year Premium tier to support the project).
Like these proprietary solutions, Bitwarden stores
your passwords on its own cloud servers by default. All
data is encrypted both in transit and at rest, and your
all-important encryption keys remain in your
possession, out of Bitwarden’s reach. You may, however,
be put off by the fact its servers are hosted in the US,
while its growing popularity may see it become an
increasingly tempting target for hackers.
But no matter, because Bitwarden has a not-so-
hidden secret: you can run your own Bitwarden server
to keep tight control over your passwords. The full-
blown version offered on the main website is fiddly and
more suited to organisations, but there’s a lightweight
alternative that’s perfect for individuals or small groups- Bitwarden_rs (‘rs’ refers to the fact it was built using
Rust, a lightweight and efficient programming language).
If you’re happy trusting Bitwarden with your data,
type https://vault.bitwarden.com into your browser
and skip to the next section; if you want to host your
own Bitwarden server, then read on.
Self-hosting Bitwarden servers
The easy bit is installing the Bitwarden_rs server itself –
the PC you plan to host it on will need to be running
Docker and have its own static IP address. Once you’ve
met those criteria, setting it up is as simple as issuing
the following two commands in the Terminal:
$ sudo docker pull bitwardenrs/server:latest
$ sudo docker run -d --name bitwarden -v /bw-data/:/
data/ -p 4000:80 bitwardenrs/server:latest
If everything is configured correctly, you have an
unsecured instance of Bitwarden you can log onto via
Firefox (but not Chrome in its current state) – just type
http://192.168.x.y:4000 (change 192.168.x.y with your
server’s IP address) and you’ll see the same Bitwarden
login screen as found at https://vault.bitwarden.com.
As things stand your server is neither secure nor
accessible from outside your local network. To rectify
this – which will also enable you to access it in Chrome
and any of the Bitwarden apps – you’ll need to perform
several additional steps.
Firstly, you need a domain name pointing towards
your home network’s public IP address – if you have a
domain, why not set up a dedicated subdomain (say
bw.domain.com) for the task? Failing that, sign up for a
free dynamic hostname (try http://www.noip.com).
Secondly, you’ll need to set up a reverse proxy on its
own virtual or physical server with a separate IP addressto secure your connection. Finally, you’ll need to log on
to your router and instruct it to forward ports 80 and
443 to your reverse proxy.
The simplest reverse proxy implementation we’ve
found is another Docker image: Linuxserver
Letsencrypt. You can run this on a regular Linux server
following the instructions (see http://bit.ly/
lxf260letsencrypt for a complete guide), but we set up
ours on our QNAP NAS using Container Station – see
the boxout (page 59) for full instructions.
When setting up your reverse proxy you’ll need to
define your own path to the config folder using the -v
flag – for example, /home/appdata/proxy/. Once your
reverse proxy is up and running, this folder will contain
all your configuration – navigate here and open the
nginx folder inside to reveal two more sub-folders. First,
open site-confs and type sudo nano default to add the
following line to the default configuration file. Place it
somewhere within the main server {} block:
add_header X-Robots-Tag “noindex, nofollow,
nosnippet, noarchive”;
Save and exit. This prevents Google from indexing
your server and making it visible to search engines.
Next, navigate back one level and then open the
proxy-conf folder, inside which you’ll find dozens of
configuration files covering a wide range of different
services, including Bitwarden. To edit the file, type:
sudo nano bitwarden.subdomain.conf.sampleIf you want to sync your password file via your own cloud storage, try
Buttercup (https://buttercup.pw). This has native apps for all
platforms, plus browser add-ons for Firefox and Chrome.
Installable DEB and RPM packages are available via the main
homepage, with a portable AppImage available too (http://bit.ly/
lfxbuttercup). Launch the app, click the Add Archive button to connect
your choice of cloud service. Once connected, click New Archive, give it
a name and click Open In Buttercup to set up your master password.
You can create new logins and organise passwords in groups. But
most of the time you’ll use Buttercup to store online passwords. Click
the Buttercup icon followed by + to link your cloud provider and
access your archive. Whenever you log into a website, look for the
Save In Buttercup pop-up. Click Save and a new tab will open – review
the details, select your archive and group before clicking Save. Look
for the Buttercup icon appearing in online sign-in forms – click here
and you’ll see saved credentials available for inputting with a click.Switching to
Bitwarden
from another
password
manager?
Bitwarden can
import your
passwords
from most
managers – first
log into your
old account and
export the data
in JSON, XML
or CSV format.
Then log into
your Bitwarden
vault through
your browser
and choose
Tools > Import
data to import
the file, which
you should
securely delete
once done.5556March 2 h6r0evlh0vsowtk March 2020 LXF260 57
Password manager TUTORIALS
The Linuxserver
reverse proxy
obtains free
Lets Encrypt
certificates to help
secure your self-
hosted server.BUILDMEUP,BUTTERCUP
development, and this combined with its small
development team means there are still teething
problems to iron out.
One password manager to rule them all
Ultimately, however, neither KeePassXC nor Buttercup
can hold a candle to our main recommendation. If
you’re currently using one of the well-known password
managers like LastPass, then you’ll want something
capable of going toe to toe with it. The open-source
alternative we recommend is Bitwarden (https://
bitwarden.com), which has been our password
manager of choice for several years. It has pretty much
all the functionality found in commercial offerings like
LastPass and 1Password, but it’s open source and all
core functionality is free (although we recommend the
$10/year Premium tier to support the project).
Like these proprietary solutions, Bitwarden stores
your passwords on its own cloud servers by default. All
data is encrypted both in transit and at rest, and your
all-important encryption keys remain in your
possession, out of Bitwarden’s reach. You may, however,
be put off by the fact its servers are hosted in the US,
while its growing popularity may see it become an
increasingly tempting target for hackers.
But no matter, because Bitwarden has a not-so-
hidden secret: you can run your own Bitwarden server
to keep tight control over your passwords. The full-
blown version offered on the main website is fiddly and
more suited to organisations, but there’s a lightweight
alternative that’s perfect for individuals or small groups
- Bitwarden_rs (‘rs’ refers to the fact it was built using
Rust, a lightweight and efficient programming language).
If you’re happy trusting Bitwarden with your data,
type https://vault.bitwarden.com into your browser
and skip to the next section; if you want to host your
own Bitwarden server, then read on.
Self-hosting Bitwarden servers
The easy bit is installing the Bitwarden_rs server itself –
the PC you plan to host it on will need to be running
Docker and have its own static IP address. Once you’ve
met those criteria, setting it up is as simple as issuing
the following two commands in the Terminal:
$ sudo docker pull bitwardenrs/server:latest
$ sudo docker run -d --name bitwarden -v /bw-data/:/
data/ -p 4000:80 bitwardenrs/server:latest
If everything is configured correctly, you have an
unsecured instance of Bitwarden you can log onto via
Firefox (but not Chrome in its current state) – just type
http://192.168.x.y:4000 (change 192.168.x.y with your
server’s IP address) and you’ll see the same Bitwarden
login screen as found at https://vault.bitwarden.com.
As things stand your server is neither secure nor
accessible from outside your local network. To rectify
this – which will also enable you to access it in Chrome
and any of the Bitwarden apps – you’ll need to perform
several additional steps.
Firstly, you need a domain name pointing towards
your home network’s public IP address – if you have a
domain, why not set up a dedicated subdomain (say
bw.domain.com) for the task? Failing that, sign up for a
free dynamic hostname (try http://www.noip.com)..)
Secondly, you’ll need to set up a reverse proxy on its
own virtual or physical server with a separate IP address
to secure your connection. Finally, you’ll need to log on
to your router and instruct it to forward ports 80 and
443 to your reverse proxy.
The simplest reverse proxy implementation we’ve
found is another Docker image: Linuxserver
Letsencrypt. You can run this on a regular Linux server
following the instructions (see http://bit.ly/
lxf260letsencrypt for a complete guide), but we set up
ours on our QNAP NAS using Container Station – see
the boxout (page 59) for full instructions.
When setting up your reverse proxy you’ll need to
define your own path to the config folder using the -v
flag – for example, /home/appdata/proxy/. Once your
reverse proxy is up and running, this folder will contain
all your configuration – navigate here and open the
nginx folder inside to reveal two more sub-folders. First,
open site-confs and type sudo nano default to add the
following line to the default configuration file. Place it
somewhere within the main server {} block:
add_header X-Robots-Tag “noindex, nofollow,
nosnippet, noarchive”;
Save and exit. This prevents Google from indexing
your server and making it visible to search engines.
Next, navigate back one level and then open the
proxy-conf folder, inside which you’ll find dozens of
configuration files covering a wide range of different
services, including Bitwarden. To edit the file, type:
sudo nano bitwarden.subdomain.conf.sampleIf you want to sync your password file via your own cloud storage, try
Buttercup (https://buttercup.pw). This has native apps for all
platforms, plus browser add-ons for Firefox and Chrome.
Installable DEB and RPM packages are available via the main
homepage, with a portable AppImage available too (http://bit.ly/
lfxbuttercup). Launch the app, click the Add Archive button to connect
your choice of cloud service. Once connected, click New Archive, give it
a name and click Open In Buttercup to set up your master password.
You can create new logins and organise passwords in groups. But
most of the time you’ll use Buttercup to store online passwords. Click
the Buttercup icon followed by + to link your cloud provider and
access your archive. Whenever you log into a website, look for the
Save In Buttercup pop-up. Click Save and a new tab will open – review
the details, select your archive and group before clicking Save. Look
for the Buttercup icon appearing in online sign-in forms – click here
and you’ll see saved credentials available for inputting with a click.Switchingto
Bitwarden
fromanother
password
manager?
Bitwardencan
importyour
passwords
frommost
managers– first
logintoyour
oldaccountand
exportthedata
inJSON,XML
orCSVformat.
Thenloginto
yourBitwarden
vaultthrough
yourbrowser
andchoose
Tools> Import
datatoimport
thefile,which
youshould
securelydelete
oncedone.