Bitwarden Without Docker



Install Docker

Add user(s) to the docker group. The default user would be pi. However, I highly recommend deactivating the default user.

Reboot and then test docker

Install more dependencies

I use a self-hosted bitwarden-rs to manage my passwords, and it works great except using docker to run it was using most of the RAM on my cheap VPS from Vultr. Since bitwarden-rs is just a rust program that uses around 16MB of RAM, it seemed overkill to have docker running around it using over 100MB. What I had before was that I had access inside the network. If I was outside, I could VPN inside and access Bitwarden from there. Not possible to get access without VPN. This must be more secure. Does anyone have this without using Caddy? Hi Gerard, yes, Docker will supply a 172.

Fight With SSL

This is the most annoying part of the story. You can either choose to use letsencrypt or a self-signed openssl-cert. Letsencrypt will only work, if your service will be exposed publicly. Also, letsencrypt is fairly easy to setup, so I will focus on a self-signed openssl-solution.

First, we’ll need a “virtual” certificate authority (CA) that will actually sign our certificate later. If you already have a CA, you can skip this. The first command creates a private key, the second command creates the root certificate of our CA.

Now, we’ll need to create a “client” key and a certificate signing request, which will then be “sent” to our CA.

For the actual signing, we’ll also need an extension file. I ran into problems with OSX and iOS without adding the used extensions during signing. Neither OSX, iOS nor Google Chrome accepted the certificate without those extensions. Create a file openssl.cnf

Replace <hostname> and <ip> with your actual values.

Bitwarden Without Docker

Finally, the actual signing:

The certificate you’ll need to deploy on your devices is the root certificate. Yes, this will also work on iOS.

Install/Configure Bitwarden

We’ll use the bitwarden_rs docker container. It uses sqlite instead of MSSQL, which is not available for ARM.

If docker successfully downloaded the image, you can run it as follows. I simply created a small bash script.

The ROCKET_TLS argument tells bitwarden, where it can find its key and certificate. The values describe paths within the docker container. For these paths to work, we’ll need to supply a volume mapping (-v). The additional volume mapping bw-data is a volume for bitwarden to store its actual sqlite “database” in. Internally, bitwarden will bind to port 80. Since we know/hope it’ll run SSL, we can map internal port 80 to 443.

If everything works, you can reach your bitwarden vaults on https://<hostname>

You’ll most likely run into SSL problems. Good luck.

Backup

Read this article.

Debugging/FAQ

Show running docker containers

Logs and events

Run command within a docker container

Netstat (works w/o actual netstat binary in container. Cool, eh!?)

A word on IPv6. Initially, when bitwarden didn’t work during my first attempts, I was confused by the output of netstat. It showed, that the destination socket for https was only bound to tcp6. This shouldn’t be a problem, though, because bitwarden also sets up a couple of iptables rules (# iptables -L). However, if you think it might be a problem on your machine, try the following things in your /etc/sysctl.conf

At one point, I even completely disabled IPv6 via the kernel command line. However, that introduced even more problems.

Install Docker

Add user(s) to the docker group. The default user would be pi. However, I highly recommend deactivating the default user.

Reboot and then test docker

Install more dependencies

Fight With SSL

This is the most annoying part of the story. You can either choose to use letsencrypt or a self-signed openssl-cert. Letsencrypt will only work, if your service will be exposed publicly. Also, letsencrypt is fairly easy to setup, so I will focus on a self-signed openssl-solution.

First, we’ll need a “virtual” certificate authority (CA) that will actually sign our certificate later. If you already have a CA, you can skip this. The first command creates a private key, the second command creates the root certificate of our CA.

Now, we’ll need to create a “client” key and a certificate signing request, which will then be “sent” to our CA.

For the actual signing, we’ll also need an extension file. I ran into problems with OSX and iOS without adding the used extensions during signing. Neither OSX, iOS nor Google Chrome accepted the certificate without those extensions. Create a file openssl.cnf

Replace <hostname> and <ip> with your actual values.

Finally, the actual signing:

The certificate you’ll need to deploy on your devices is the root certificate. Yes, this will also work on iOS.

Install/Configure Bitwarden

We’ll use the bitwarden_rs docker container. It uses sqlite instead of MSSQL, which is not available for ARM.

If docker successfully downloaded the image, you can run it as follows. I simply created a small bash script.

The ROCKET_TLS argument tells bitwarden, where it can find its key and certificate. The values describe paths within the docker container. For these paths to work, we’ll need to supply a volume mapping (-v). The additional volume mapping bw-data is a volume for bitwarden to store its actual sqlite “database” in. Internally, bitwarden will bind to port 80. Since we know/hope it’ll run SSL, we can map internal port 80 to 443.

If everything works, you can reach your bitwarden vaults on https://<hostname>

You’ll most likely run into SSL problems. Good luck.

Backup

Read this article.

Debugging/FAQ

Show running docker containers

Logs and events

Docker Hub Bitwarden

Run command within a docker container

Install Bitwarden Without Docker

Netstat (works w/o actual netstat binary in container. Cool, eh!?)

A word on IPv6. Initially, when bitwarden didn’t work during my first attempts, I was confused by the output of netstat. It showed, that the destination socket for https was only bound to tcp6. This shouldn’t be a problem, though, because bitwarden also sets up a couple of iptables rules (# iptables -L). However, if you think it might be a problem on your machine, try the following things in your /etc/sysctl.conf

Bitwarden Server Without Docker

At one point, I even completely disabled IPv6 via the kernel command line. However, that introduced even more problems.