Password managers are very useful utilities that store (and generate) unique and lengthy passwords. Many utilities exist to store passwords locally (pass, EncryptionWizard, etc.), but I need my passwords synced across several devices. Dozens of password managers exist that perform multi-device sync. But many services require storing passwords on their servers. Some allow storing encrypted stores on your cloud (Dropbox, OneDrive, etc.). However, I want my password stores to exist 100% under my local control. ARM development boards, like the Beagle Bone Black Wireless, provide a nice low-cost, low-power platform to run a password manager store. Additionally, the device can be easily powered down to take the password store offline. A Raspberry Pi should also work, but I was lacking one on hand.
Yes, with the official docker image or with bitwarden-rs. Just give it a local-only address and no internet access. Then you can sync devices only when on your internal network, or you can manually export your vault and import it on another device. This is accomplished by only decrypting the vault locally in program memory on demand, only transporting the vault to servers in encrypted form, and ensuring that authentication with the Bitwarden servers is via private secure (HTTPS) communication channels.
Bitwarden is the only open source password manager I've discovered that allows self-hosting the server and also provides open source iOS, Android, Linux, OS X, and Windows clients. Unfortunately, the official Bitwarden server does not support ARM because of a mssql dependency. Joshua Stein wrote a nice Ruby server supporting the Bitwarden API that can be self-hosted on ARM devices. (Servers written in golang and Rust also exist.)
Running rubywarden on the Beagle Bone Black Wireless only allows syncing passwords between devices when they are on the same network as the BBBW. Trading the 'inconvenience' of local-only sync for 100% control of my password store is well worth it, in my opinion.
Note: 8bit Solutions LLC has graciously open sourced Bitwarden. Show your support for open source companies by purchasing a premium membership even if you self-host. High quality software does not write itself.
- Install dependencies
# apt-get install bundler libsqlite3-dev
# gem install bundler
- To slightly improve security, a utility account named rubywarden will be used to run the server.
# adduser --disabled-password --disabled-login rubywarden
$ cd /opt
# git clone https://github.com/jcs/rubywarden
# chown -R rubywarden /opt/rubywarden
# sudo su rubywarden
Create the necessary directory structure for
$ cd rubywarden
$ mkdir -p db/production
Install the necessary ruby dependencies
$ bundle install
Before the first run, the rubywarden database must be initialized
$ env RACK_ENV=production bundle exec rake db:migrate
rubywarden does not allow new user sign-up unless the environmental variable ALLOW_SIGNUPS is true. To launch the server and allow sign-ups run the following command. Subsequent launches do not require the environmental variable.
$ env RACK_ENV=production ALLOW_SIGNUPS=1 bundle exec rackup -p 4567 config.ru
Bitwarden provides a variety of client installs. Choose the appropriate one and click the gear icon on the splash screen to add the self-hosted server.
- Create an account and start managing passwords! Note: If testing with the iOS client, please read the dedicated iOS section below.
It's really useful to have rubywarden run when the BeagleBone is powered up. Writing a systemd unit file to provide startup functionality is fairly straightforward.
/etc/systemd/system/rubywarden.service and add the following:
Enable and start the service. Use journalctl -u rubywarden to debug any issues.
Compatibility with iOS app
The Bitwarden AppImage seems to function just fine without rubywarden using HTTPS. By default, it is only using HTTP. However, the iOS client requires HTTPS.
In order to support HTTPS, the Apache webserver (already running on the BBBW) will be configured to serve HTTPS and function as a proxy to the rubywarden server. Since rubywarden is not internet accessible, Let's Encrypt certificates don't make sense; instead a self-signed certificate will be used for HTTPS. In order for the self-signed certificate to be usable on iOS, a Certificate Authority certificate will need to be created and installed on the iOS device.
Note: Apple changed trusted certificate requirements in iOS 13, requiring an extendedKeyUsage flag to be set in the certificate.
Create the CA certificate
$ openssl genrsa -out rubywardenCA.key 2048
$ openssl req -x509 -sha256 -new -key rubywardenCA.key -out rubywardenCA.crt -subj /CN='rubywarden CA'
rubywardenCA.crt certificate to the iOS device via e-mail and follow the prompts to install. After installation, use the Settings app to navigate to General->About->Certificate Trust Settings and toggle rubywarden CA on. This means that iOS will treat any certificate signed by the CA as a valid HTTPS connection.
Generate a certificate for Apache to use
$ openssl genrsa -out rubywarden.key 2048
$ openssl req -new -out rubywarden.req -key rubywarden.key -subj /CN=beaglebone.local
$ openssl x509 -req -sha256 -in rubywarden.req -out rubywarden.crt -CAkey rubywardenCA.key -CA rubywardenCA.crt -days 365 -CAcreateserial -CAserial serial -extfile <(printf 'extendedKeyUsage = serverAuth\nsubjectAltName=DNS:beaglebone.local')
The keys created above can be used to perform MITM attacks if they are compromised. To improve security (slightly, since the SD card can just be removed from the BBBW), move them to /root/certs/beaglebone.local/ and make the keys read-only.
# mkdir -p /root/certs/beaglebone.local/
# mv rubywarden.* /root/certs/beaglebone.local
# chmod 400 /root/certs/beaglebone.local/*.key
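To confirm the result before trusting the CA on a device, the following added example (not from the original post) rebuilds the CA and server certificate in a scratch directory and checks that the server certificate chains to the CA and carries the serverAuth extendedKeyUsage and a DNS subjectAltName for beaglebone.local. The scratch directory, the ca.cnf and leaf.ext file names, and the 3650-day CA lifetime are assumptions.

```shell
# Added example. HOST and certificate file names follow the post; the 3650-day
# CA lifetime is an assumption (`openssl req -x509` without -days gives 30 days).
HOST=beaglebone.local
GOOD_EXT="extendedKeyUsage = serverAuth
subjectAltName = DNS:$HOST"

make_certs() {  # $1 = output directory, $2 = extension lines for the server cert
  d=$1
  # Minimal config so the run does not depend on the system openssl.cnf.
  cat > "$d/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = rubywarden CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
  printf '%s\n' "$2" > "$d/leaf.ext"
  openssl genrsa -out "$d/rubywardenCA.key" 2048 2>/dev/null &&
  openssl req -x509 -sha256 -new -config "$d/ca.cnf" -days 3650 \
    -key "$d/rubywardenCA.key" -out "$d/rubywardenCA.crt" &&
  openssl genrsa -out "$d/rubywarden.key" 2048 2>/dev/null &&
  openssl req -new -config "$d/ca.cnf" -subj "/CN=$HOST" \
    -key "$d/rubywarden.key" -out "$d/rubywarden.req" &&
  openssl x509 -req -sha256 -in "$d/rubywarden.req" -out "$d/rubywarden.crt" \
    -CA "$d/rubywardenCA.crt" -CAkey "$d/rubywardenCA.key" -CAcreateserial \
    -days 365 -extfile "$d/leaf.ext" 2>/dev/null
}

check_cert() {  # $1 = directory; returns 0 only if every check passes
  d=$1
  # The chain must validate against the CA for TLS server use.
  openssl verify -purpose sslserver -CAfile "$d/rubywardenCA.crt" \
    "$d/rubywarden.crt" >/dev/null 2>&1 || return 1
  text=$(openssl x509 -in "$d/rubywarden.crt" -noout -text) || return 1
  # The serverAuth EKU and a matching DNS SAN must both be present.
  printf '%s\n' "$text" | grep -q 'TLS Web Server Authentication' || return 1
  printf '%s\n' "$text" | grep -q "DNS:$HOST" || return 1
  # The certificate must not expire within the next day (value in seconds).
  openssl x509 -in "$d/rubywarden.crt" -noout -checkend 86400 >/dev/null
}

work=$(mktemp -d)
make_certs "$work" "$GOOD_EXT" && check_cert "$work" && echo "server certificate OK for $HOST"
rm -rf "$work"
```

Pointing check_cert at a directory holding the real rubywardenCA.crt and rubywarden.crt runs the same checks on the certificates Apache will serve.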
Finally, set up Apache to serve as an HTTPS proxy. Append the following VirtualHost entry to /etc/apache2/sites-enabled/000-default.conf. Relaunch Apache with # systemctl restart apache2.service after making the edits.
Both Bitwarden and Passbolt are open source password managers specifically built for teams. This article will help you decide which one suits you better.
When it comes to finding a password manager that not only works for individual use but also allows teams and enterprises to better manage and access sensitive information, finding the right password manager can help ease the workflow. Bitwarden and Passbolt are both open source password managers that have been specifically designed for teams and allow businesses to host the applications locally or on the cloud. We will cover the following topics in this post in order to compare Bitwarden vs Passbolt:
What is Bitwarden?
Bitwarden is a promising open source password manager with cross-platform compatibility, including mobile and web applications along with a command line interface. You can also access Bitwarden on your desktop, as it is compatible with Windows, MacOS, and Linux. As an open source password manager, Bitwarden can be used for individual use as well as at enterprise level. Not only can you host Bitwarden on your servers, but it has cloud hosting as well, and with cross-device compatibility it can be accessed whenever you need.
What is Passbolt?
Passbolt is an open source password manager specifically developed for businesses. The interface has been designed keeping in mind the needs and requirements of small and large teams, and it allows easy and secure management of passwords and sensitive information that needs to be accessed by multiple employees regularly. Passbolt is only available to be used locally on your server and can be accessed through a web browser extension online. As an open source password manager, you can directly install the source code on your server, or host it on Ubuntu, CentOS 7, Digital Ocean and more.
Both Bitwarden and Passbolt provide many features and functionality as open source managers; however, they differ in their encryption technique and in the client-side applications they offer. Here is a rundown:
- Bitwarden provides mobile, web and desktop applications for their users to access passwords at any time. However, Passbolt only provides local hosting for client servers and web browser extensions in order to access passwords online.
- Passbolt has been specifically designed for teams which means that the interface provides a better user experience and overall community benefits that come along with it. Bitwarden on the other hand can be used for both individual and team use.
- When it comes to pricing, both open source password managers provide free and premium packages. While Passbolt is free to use for unlimited users, Bitwarden only allows two users on their free plan.
- Encryption is a key difference when comparing Passbolt and Bitwarden, as the former uses GnuPG to authenticate users and secure the password database. On the other hand, Bitwarden uses 256-bit AES encryption. Both encryption technologies ensure maximum security and protection of information stored.
- Only Passbolt provides a user and group management feature on its free package, which makes it easier for teams to categorize and provide a hierarchy to access passwords. Bitwarden has these features, but you will have to purchase the plan for Team organization.
- Passbolt has an open API that can be accessed for development purposes; however, Bitwarden’s API can only be accessed in its premium package.
In this post, we went over a detailed comparison of Bitwarden vs Passbolt. We discussed the main differences between the two open source password managers and which one provides the most features as a free, easy to use, open source password manager for teams.