I’m going to move away from lastpass because the user experience is pretty fucking shit. I was going to look at 1pass as I use it a lot at work and so know it. However I have heard a lot of praise for BitWarden and VaultWarden on here and so probably going to try them out first.
My questions are to those of you who self-host, firstly: why?
And how do you mitigate the risk of your internet going down at home and blocking your access while away?
BitWarden’s paid tier is only $10 a year which I’m happy to pay to support a decent service, but im curious about the benefits of the above. I already run syncthing on a pi so adding a password manager wouldn’t need any additional hardware.
I use KeePassXC and use syncthing to sync the database to each devise I own. This way I always have the newest version if the database everywhere and don’t need to worry about Internet access at all.
This is what recommend as well. The various KeePasses all to pretty good jobs of merging databases, in case of sync conflicts, and you can utterly ignore whether you’re online or not. Plus, there’s a really fantastic tool, written by a veritable genius of a developer, that lets you use a KeePass DB as a secret service on your desktop.
You delicious bastard! Thanks for the rook tip.
But keepassxc already provides a secret service ootb?
KeePassXC can’t be run in headless mode, and the GUI is tightly coupled to the app. You have to have all of X installed, and have a display running, to run it.
Here’s the runtime dependencies of KeePassXC:
linux-vdso.so.1 libQt5Svg.so.5 libqrencode.so.4 libQt5Concurrent.so.5 libpcsclite.so.1 libargon2.so.1 libQt5Network.so.5 libQt5Widgets.so.5 libbotan-3.so.5 libz.so.1 libminizip.so.1 libQt5DBus.so.5 libusb-1.0.so.0 libQt5X11Extras.so.5 libQt5Gui.so.5 libQt5Core.so.5 libX11.so.6 libstdc++.so.6 libm.so.6 libgcc_s.so.1 libc.so.6 /lib64/ld-linux-x86-64.so.2 libgssapi_krb5.so.2 libproxy.so.1 libssl.so.3 libcrypto.so.3 libbz2.so.1.0 liblzma.so.5 libsqlite3.so.0 libdbus-1.so.3 libudev.so.1 libGL.so.1 libpng16.so.16 libharfbuzz.so.0 libmd4c.so.0 libsystemd.so.0 libdouble-conversion.so.3 libicui18n.so.75 libicuuc.so.75 libpcre2-16.so.0 libzstd.so.1 libglib-2.0.so.0 libxcb.so.1 libkrb5.so.3 libk5crypto.so.3 libcom_err.so.2 libkrb5support.so.0 libkeyutils.so.1 libresolv.so.2 libpxbackend-1.0.so libgobject-2.0.so.0 libcap.so.2 libGLdispatch.so.0 libGLX.so.0 libfreetype.so.6 libgraphite2.so.3 libicudata.so.75 libpcre2-8.so.0 libXau.so.6 libXdmcp.so.6 libcurl.so.4 libgio-2.0.so.0 libduktape.so.207 libffi.so.8 libbrotlidec.so.1 libnghttp3.so.9 libnghttp2.so.14 libidn2.so.0 libssh2.so.1 libpsl.so.5 libgmodule-2.0.so.0 libmount.so.1 libbrotlicommon.so.1 libunistring.so.5 libblkid.so.1
I don’t know why it links to a systemd library. Here are the runtime dependencies of rook:
linux-vdso.so.1 libresolv.so.2 libc.so.6 /lib64/ld-linux-x86-64.so.2
Don’t get me wrong: KeePassXC is one of my favorite programs. But don’t leave it running all the time, and it can’t be run on headless systems.
I see, thanks for explaining. So IIUC, rook is intended for headless systems?
I use it for everything, but then, I wrote it. All of the desktop secret service tools have desktop dependencies (Gnome’s uses Gnome libraries, KDE’s pulls some KDE libraries) and run through DBUS; since I don’t use a DE, it’s a fair bit of unnecessary bloat. And I don’t like GUI apps that just hang around in the background consuming resources. I open KeePassXC when I need to make changes to the DB, and then I shut it down. Otherwise, it hangs out in my task bar, distracting me.
Rook is for people who want to run on headless systems, or want to minimize resources usage, or don’t use a desktop environment (such as Gnome or KDE), or don’t run DBUS, or don’t run systemd. It’s for people who don’t want a bunch of applications running in the background in their task bar. KeePassXC providing a secret service is great, but it’s overkill if that’s most of what it’s providing for you, most of the time.
I don’t think took is for everyone, or even for most people. It’s for people who like to live mostly in the command line, or even in VTs.
For what it’s worth, Bitwarden caches the database for offline use, so it works fine without internet access too. When you get internet access again, it’ll sync with the server.
this is what I do as well, along with file staging so if I corrupt it by accident I don’t lose the entire DB
Currently I have it on my server as grab only, and then normal access on my clients with staging
This is the answer.
I use syncthing to sync between devices.
Agreed with using keepass. If you’re one person accessing your passwords, there’s no reason you need a service running all the time to access your password db. It’s just an encrypted file that needs to be synced across devices.
However, if you make frequent use of secure password sharing features of lastpass/bitwarden/etc, then that’s another story. Trying to orchestrate that using separate files would be a headache. Use a service (even if self-hosted).