Manage your passwords with Bitwarden and Podman

You might have encountered a few advertisements the past year trying to sell you a password manager. Some examples are LastPass, 1Password, or Dashlane. A password manager removes the burden of remembering the passwords for all your websites. No longer do you need to re-use passwords or use easy-to-remember passwords. Instead, you only need to remember one single password that can unlock all your other passwords for you.

This can make you more secure by having one strong password instead of many weak passwords. You can also sync your passwords across devices if you have a cloud-based password manager like LastPass, 1Password, or Dashlane. Unfortunately, none of these products are open source. Luckily there are open source alternatives available.

Open source password managers

These alternatives include Bitwarden, LessPass, or KeePass. Bitwarden is an open source password manager that stores all your passwords encrypted on the server, which works the same way as LastPass, 1Password, or Dashlane. LessPass is a bit different as it focuses on being a stateless password manager. This means it derives passwords based on a master password, the website, and your username rather than storing the passwords encrypted. On the other side of the spectrum there’s KeePass, a file-based password manager with a lot of flexibility with its plugins and applications.

Each of these three apps has its own downsides. Bitwarden stores everything in one place and is exposed to the web through its API and website interface. LessPass can’t store custom passwords since it’s stateless, so you need to use their derived passwords. KeePass, a file-based password manager, can’t easily sync between devices. You can utilize a cloud-storage provider together with WebDAV to get around this, but a lot of clients do not support it and you might get file conflicts if devices do not sync correctly.

This article focuses on Bitwarden.

Running an unofficial Bitwarden implementation

There is a community implementation of the server and its API called bitwarden_rs. This implementation is fully open source as it can use SQLite or MariaDB/MySQL, instead of the proprietary Microsoft SQL Server that the official server uses.

It’s important to recognize some differences exist between the official and the unofficial version. For instance, the official server has been audited by a third-party, whereas the unofficial one hasn’t. When it comes to implementations, the unofficial version lacks email confirmation and support for two-factor authentication using Duo or email codes.

Let’s get started running the server with SELinux in mind. Following the documentation for bitwarden_rs you can construct a Podman command as follows:

$ podman run -d \ 
--userns=keep-id \
--name bitwarden \
-e SIGNUPS_ALLOWED=false \
-e ROCKET_PORT=8080 \
-v /home/egustavs/Bitwarden/bw-data/:/data/:Z \
-p 8080:8080 \
bitwardenrs/server:latest

This downloads the bitwarden_rs image and runs it in a user container under the user’s namespace. It uses a port above 1024 so that non-root users can bind to it. It also changes the volume’s SELinux context with :Z to prevent permission issues with read-write on /data.

If you host this under a domain, it’s recommended to put this server under a reverse proxy with Apache or Nginx. That way you can use port 80 and 443 which points to the container’s 8080 port without running the container as root.

Running under systemd

With Bitwarden now running, you probably want to keep it that way. Next, create a unit file that keeps the container running, automatically restarts if it doesn’t respond, and starts running after a system restart. Create this file as /etc/systemd/system/bitwarden.service:

[Unit]
Description=Bitwarden Podman container
Wants=syslog.service

[Service]
User=egustavs
Group=egustavs
TimeoutStartSec=0
ExecStart=/usr/bin/podman start 'bitwarden'
ExecStop=-/usr/bin/podman stop -t 10 'bitwarden'
Restart=always
RestartSec=30s
KillMode=none

[Install]
WantedBy=multi-user.target

Now, enable and start it using sudo:

$ sudo systemctl enable bitwarden.service && sudo systemctl start bitwarden.service
$ systemctl status bitwarden.service
bitwarden.service - Bitwarden Podman container
Loaded: loaded (/etc/systemd/system/bitwarden.service; enabled; vendor preset: disabled)
Active: active (running) since Tue 2019-07-09 20:23:16 UTC; 1 day 14h ago
Main PID: 14861 (podman)
Tasks: 44 (limit: 4696)
Memory: 463.4M

Success! Bitwarden is now running under system and will keep running.

Adding LetsEncrypt

It’s strongly recommended to run your Bitwarden instance through an encrypted channel with something like LetsEncrypt if you have a domain. Certbot is a bot that creates LetsEncrypt certificates for us, and they have a guide for doing this through Fedora.

After you generate a certificate, you can follow the bitwarden_rs guide about HTTPS. Just remember to append :Z to the LetsEncrypt volume to handle permissions while not changing the port.


Photo by CMDR Shane on Unsplash.

Using Software

20 Comments

  1. Nice I’ve been looking for a replacement for Lastpass!

  2. Dave Adelphi

    Steve Gibson (GRC Research) has developed a robust next generation digital identity tool called SQRL (“squirrel”). It’s an elegant solution to the password problem.

    https://www.grc.com/sqrl/sqrl.htm

    • Sounds like an elegant solution, though at this point I doubt it will catch on given it relies on server implementations

      • Dave

        True. The server implementation is simple, essentially a one-liner. There are about 1,300 SQRL testers out there. Hopefully, some of them have the sway to implement it as an alternative authentication method in some more-than-niche markets.

        SQRL, with its trust no one security model and public/private key pairing digital identity system, facilitates a paradigm shift away from the manual login process – a change on par with eliminating urban horse manure.

    • alex

      SQRL sign-in app for Windows.

  3. svsv sarma

    Too many password managers but nothing is safe, secure and simple. I rather use a multi lingual unique pattern than relaying on the system stored password managers.

    • If you want something that’s simple and has been used for over a decade, try KeePass. It’s a file-based password manager that’s very secure

      Patterns can be broken more easily than password managers as passwords get leaked from websites regularly

    • Simone

      pass the Standard Unix Password Manager is best for me

  4. Joe

    Gave Bitwarden a chance after seeing article. Thanks!

  5. chips

    What about gnome keyring/seahorse

    • Gnome Seahorse is not really a Password Manager.

      • Jesse

        What is Gnome Seahorse then?

        What about KDE Wallet?

        thanks,

        JV

    • Andy Haninger

      I put up with seahorse on my Fedora system for a long time before switching to KeePass after using it at work.

      The Seahorse UI does integrate well with the rest of Gnome 3, but that’s about all it has going for it. KeePass allows you to store things like a URL for the site you’re logging in to, notes, attached files, etc, etc. Its database is easily portable to other machines. There may be a way to export/import your Seahorse passwords, but it’s not as simple as copying your .kdb and maybe .key files and bingo you’re done.

      Seahorse is supposedly still an active project, but wow is it pokey.

  6. Sergio

    IMHO the best password manager is pass (https://www.passwordstore.org/) which relies on standard tools such as gpg2 and git.

    • Thomas Preston

      Absolutely, standard tools and text files. I sync mine with macOS and iOS too. I bet there’s an Android client as well.

    • I also use pass for my password management. Easy to use CLI, self-hosted git server, and an Android app for mobile convenience make it quite the thing.

  7. tom

    thanks for the article. it provides a nice and concise introduction to managing passwords on remote servers. personally i use pass, too. together with pass-tomb the file structure is encrypted. with pass-git you can push it to remote repos. i store my private key (to unlock the tomb) on an external device that I have to carry around with me. so a server solution seems attractive to me.

    what I miss to get your concept fully, is a short explanation and link to the podman docs. i dont know at all what podman is or does and how or why i need it.

    • jakfrost

      Podman is a container manager, like Docker, but rootless.

  8. Batisteo

    It’s not clear for me how to use it with the Android app and Firefox extension.

Comments are Closed

The opinions expressed on this website are those of each author, not of the author's employer or of Red Hat. Fedora Magazine aspires to publish all content under a Creative Commons license but may not be able to do so in all cases. You are responsible for ensuring that you have the necessary permission to reuse any work on this site. The Fedora logo is a trademark of Red Hat, Inc. Terms and Conditions