Bring Your Own Password Manager: Portable BitWarden on a Pi Zero

154 points by kickaha, over 2 years ago

25 comments

sorcix, over 2 years ago
This article is using Vaultwarden, not the Bitwarden server. It's wrongly referring to Vaultwarden as "BYOPM hosts a Bitwarden instance" and "the Docker Image of Bitwarden." It is not, it is hosting a Vaultwarden instance. This is an issue as people using Vaultwarden report bugs to the Bitwarden project, where they can't be helped.
qwerpy, over 2 years ago
I've seen so many interesting password manager solutions over the years, but I have yet to move away from a KeePass file hosted on cloud storage. I can read and write to it using apps from every device I use: Windows and Linux PCs, iOS and Android devices. The file is versioned so accidentally clobbering it isn't a concern. There is zero maintenance, and if my home server goes down my passwords are unaffected. If I'm going somewhere without internet and need a backup mechanism of getting to my passwords, I can copy the database onto a memory stick.
xd1936, over 2 years ago
Keeping all of my passwords on a failure-prone SD card acting as a boot drive makes me nervous. I think I'd prefer a SyncThing-based solution for self-hosting a Bitwarden Vault or KeePass file... if I wasn't already a happy customer of Bitwarden's hosting solution.
bm3719, over 2 years ago
This is an interesting tech stack, but seems heavy-handed for managing such a small amount of raw data (the l/p list itself).
My solution for the past 14 years has been a simple GPG-encrypted org-mode (text) file. I can get to a password multiple ways from any device. The main way I check one is to open the file in Emacs which prompts for the master password via pinentry. You could also use a keyfile. Usually I just ssh and connect to a tmux session with emacs -nw already running, but I can also decrypt and grep it from the CLI, or clone the private repo it's on to do the same locally. I only do anything involving PII or money in a dedicated PureOS VM though, so I generally don't jump through any hoops and it's relatively transparent.
Bluecobra, over 2 years ago
Seems pretty complicated to me. There’s lots of steps involved which increases the chance of something going wrong. For example, the self signed cert will eventually expire, how easy would it be to renew it? How do I keep this up to date?
It would just be a heck of a lot easier to just use KeePass and save the database on an SD card.
syntaxing, over 2 years ago
An alternative to this is to expose this to your local network and use tailscale to connect to it so you do not have to carry it around while being secure.
Barrin92, over 2 years ago
Honestly, to me this falls into the category of LARP security. The entire point of encryption is to move sensitive data across adversarial channels. Meaning, if you trust Bitwarden enough to use it at all there's no benefit to not just using their servers (you keep a local copy of your data anyway).
If you want to keep your data secure by keeping them on you, just use a notebook. Cheaper than this and works without a power cord.
atemerev, over 2 years ago
On one hand, this is incredibly cool, and brings some great security.
On the other hand, docker containers on a RPi Zero? What a sad state of affairs we have in 2022.
resoluteteeth, over 2 years ago
Using something like an RPI Zero and carrying this around would make more sense if the device had a display and could be airgapped.
grepLeigh, over 2 years ago
Great write-up, thanks for sharing this!
One thing I would add: a self-signed certificate is not adequate for password transmission. In some ways, it's even worse than transmitting over clear-text http because it provides an illusion of security.
Any actor on your network can man-in-the-middle, provide their own certificate, and you'd be none the wiser.
I'd suggest provisioning a Let's Encrypt leaf-node certificate on a node that can respond to HTTP-01 or DNS-01 challenges (don't open your home network to :80 :443 - use a VM in the Cloud to respond to challenges), then transfer the certificate to the Raspberry Pi. https://letsencrypt.org/docs/challenge-types/
cstuder, over 2 years ago
I have a general question regarding the BitWarden server: How would you rate the security between using the official BitWarden server and self-hosting Vaultwarden?
I am sympathetic (and capable) of self-hosting, but if my instance and my passwords are compromised, the fallout could be catastrophic for me. Am I better off in the long term by just using the BitWarden server and assuming that they have better security than I do, even though they are the even juicier target?
rpgbr, over 2 years ago
Holy cow, that seems complex!
What are the advantages of this setup over carrying a pendrive with an encrypted KeePassXC vault in it?
guenthert, over 2 years ago
Now I won't lament the overkill in hardware (512MiB RAM for a *password manager*?), but the lack of protected memory (Smart Card or otherwise) makes this approach imho quite questionable. Lose the device, lose *all* your passwords?
Vexs, over 2 years ago
Something that's been on my mind for some time is the seeming inevitability of getting RCE'd by some innocuous application- web browser, chat app, videogame, whatever. These vulns keep popping up and eventually one might hit me. And if it does, it might come with something targeting keepass and _if_ it does I'm Fucked with an upper case F.
Building a portable terminal that can emulate a keyboard with a reasonable screen for ease of use seems like a fairly reasonable solution.
password4321, over 2 years ago
If you have an old Android phone you might be interested in https://github.com/tejado/Authorizer
> Authorizer is a Password Manager for Android. It emulates an HID keyboard over USB and enters your credentials on your target device. Additionally it supports OTP
gigel82, over 2 years ago
Seems unnecessarily complicated. I self-host Vaultwarden at home (and expose it to the internet via WireGuard), nice and seamless.
evernite, over 2 years ago
Yeah, it seems to me that if you use a standalone Pi for your self hosted password manager, then why not just run everything as systemd services. I did something similar on a Pi 3 for the CCC congress event last year using NixOS and it's been running ever since.
slowhand09, over 2 years ago
That's such a tease. I check RPI-locator daily. Buying a Pi anything in the US is hard now.
orangepurple, over 2 years ago
So many commenters here are running air gapped solutions on a dedicated device. What's your backup story? How quickly can you add a new entry?
It just seems like a HUGE hassle and risk of data loss compared to the classic KeePassXC + Syncthing burrito.
dusted, over 2 years ago
There's still enough lack of good password-manager infrastructure that I'll venture to say that FinalKey is still relevant, even in the face of YubiKey and FIDO.
alexk307, over 2 years ago
This is cool, but you can just leave it at home plugged into your router. DDNS + Nginx + Let's Encrypt might be easier to set up, and definitely easier to use.
ctoth, over 2 years ago
Does Bitwarden's setup process still involve entering your master key in the browser? This always felt very sketchy to me, for some reason.
allanrbo, over 2 years ago
Cool idea with the ethernet gadget. If I understood it right, the RPI acts as a virtual ethernet adapter over USB.
bee_rider, over 2 years ago
The general idea is neat. I wonder why they didn't emulate a keyboard instead...
synergy20, over 2 years ago
What about using the $4 rp2040 to make an open source yubikey instead?