Aug 25, 2024 3 min read

Bitwarden Server: The Ultimate Guide to Self-Hosting


Bitwarden Server is a self-hosted password management solution that allows users to securely store, manage, and share credentials. It's an excellent choice for organizations and individuals who prioritize data ownership, customization, and control over sensitive information. In this guide, we'll cover the complete lifecycle of deploying, configuring, and managing Bitwarden Server, including installation, reverse proxy setup, logging, backups, updates, and leveraging its unique features.

Installing Bitwarden Server

📦 Docker/Docker Compose Setup

The recommended way to deploy Bitwarden Server is through Docker Compose, which simplifies container management. Here's how to create and deploy a docker-compose.yml file:

  1. Create a Project Directory:

mkdir -p ~/bitwarden && cd ~/bitwarden

  2. Generate docker-compose.yml:

Use the following configuration to define the Bitwarden Server setup:

version: '3'
services:
  bitwarden:
    # bitwardenrs/server is the deprecated former name of this image and no longer receives updates
    image: vaultwarden/server:latest
    container_name: bitwarden
    restart: always
    ports:
      # Loopback only, so the host's Nginx reverse proxy can own ports 80/443
      # and forward to http://127.0.0.1:8080
      - "127.0.0.1:8080:80"
    volumes:
      - ./data:/data
    environment:
      ADMIN_TOKEN: "<your-admin-token>"
      SIGNUPS_ALLOWED: "false"

  3. Deploy Containers:

Run the following command to launch Bitwarden Server:

docker-compose up -d

  4. Verify Deployment:

Check the container status to ensure it is running:

docker ps

🚀 Manual Installation

For those who prefer not to use Docker, you can manually install Bitwarden Server on a Linux system:

  1. Install Dependencies:

sudo apt update

sudo apt install -y curl sqlite3

  2. Download Bitwarden Binary:

curl -L -o bitwarden https://github.com/dani-garcia/vaultwarden/releases/latest/download/vaultwarden-x86_64-unknown-linux-gnu

chmod +x bitwarden

sudo mv bitwarden /usr/local/bin/

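  3. Run the Server:

mkdir -p ~/bitwarden/data

# The binary was installed as /usr/local/bin/bitwarden; the data directory is set through DATA_FOLDER
DATA_FOLDER="$HOME/bitwarden/data" bitwarden

  4. Access the Application: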

Navigate to http://<your-server-ip>:80 to access the Bitwarden Server.

Configuring Nginx as a Reverse Proxy

🌐 Nginx Configuration

To make Bitwarden accessible via a custom domain, configure Nginx as a reverse proxy:

  1. Install Nginx:

sudo apt install -y nginx

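  2. Create a Server Block:

Save the following configuration in /etc/nginx/sites-available/bitwarden:

server {
    listen 80;
    server_name your-domain.com;

    location / {
        # Must be the port the Bitwarden service listens on, not Nginx's own listen port;
        # this assumes the service is published on 127.0.0.1:8080
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

  3. Enable the Configuration: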

sudo ln -s /etc/nginx/sites-available/bitwarden /etc/nginx/sites-enabled/

sudo nginx -t

sudo systemctl reload nginx

🔒 SSL/TLS Setup

Use Let's Encrypt to secure access to your server with HTTPS:

  1. Install Certbot:

sudo apt install -y certbot python3-certbot-nginx

  2. Obtain a Certificate:

sudo certbot --nginx -d your-domain.com

  3. Automate Renewal:

Add a cron job for automatic certificate renewal:

# Entries in /etc/crontab need a user field (root here) before the command
echo "0 3 * * * root certbot renew --quiet" | sudo tee -a /etc/crontab

🛠️ Testing and Reloading Nginx

  1. Test Configuration:

sudo nginx -t

  2. Reload Nginx:

sudo systemctl reload nginx

Logging and Debugging Bitwarden Server

🗃️ Enabling Debug Logs

Enable debug logging to trace issues more effectively by setting the log level in the environment variables:


environment:
  # The server reads its log level from LOG_LEVEL (RUST_LOG is not consulted)
  LOG_LEVEL: "debug"

Restart the container to apply changes:


docker-compose down && docker-compose up -d

📄 Viewing Logs

  1. For Docker Containers:

docker logs -f bitwarden

  2. For Manual Installations:

tail -f ~/bitwarden/data/bitwarden.log

🛠️ Troubleshooting Common Issues

Check for common issues such as incorrect environment variables or firewall restrictions in the logs:


grep -i "error" ~/bitwarden/data/bitwarden.log
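Beyond grepping for "error", the same log can be reviewed for failed vault logins. The following is an added example, not part of the original guide: it counts failed logins per source IP and lists any source address that belongs to the proxy or Docker side, which means the client address forwarded by Nginx is not the one being logged. The message format in the regex, the sample lines, and the function names are assumptions; confirm the format against your own log.

```python
import ipaddress
import re
from collections import Counter

# Assumed failed-login message format; confirm it against lines in your own log.
FAILED_LOGIN = re.compile(
    r"Username or password is incorrect\. Try again\. "
    r"IP: (?P<ip>\S+)\. Username: (?P<user>\S+)\.$"
)
# Loopback and Docker's default private range: addresses the proxy itself would show.
PROXY_NETS = [ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("172.16.0.0/12")]


def is_proxy_address(ip):
    """True if ip is a loopback or Docker-bridge address rather than a real client."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in PROXY_NETS)


def review_failed_logins(lines, threshold=3):
    """Return (IPs at or over threshold, proxy-side IPs logged as the login source)."""
    counts = Counter()
    for line in lines:
        match = FAILED_LOGIN.search(line.strip())
        if match:
            counts[match.group("ip")] += 1
    noisy = {ip: n for ip, n in counts.items() if n >= threshold}
    proxied = sorted(ip for ip in counts if is_proxy_address(ip))
    return noisy, proxied


# Constructed sample lines, not taken from a real server.
SAMPLE_LOG = """\
[2024-08-25 10:00:01][vaultwarden::api::identity][ERROR] Username or password is incorrect. Try again. IP: 203.0.113.7. Username: alice@example.com.
[2024-08-25 10:00:03][vaultwarden::api::identity][ERROR] Username or password is incorrect. Try again. IP: 203.0.113.7. Username: alice@example.com.
[2024-08-25 10:00:05][vaultwarden::api::identity][ERROR] Username or password is incorrect. Try again. IP: 203.0.113.7. Username: bob@example.com.
[2024-08-25 10:02:10][vaultwarden::api::identity][ERROR] Username or password is incorrect. Try again. IP: 198.51.100.20. Username: carol@example.com.
[2024-08-25 10:03:00][vaultwarden::api::identity][ERROR] Username or password is incorrect. Try again. IP: 172.18.0.1. Username: dave@example.com.
[2024-08-25 10:04:00][vaultwarden::api::core][INFO] constructed unrelated line
""".splitlines()

if __name__ == "__main__":
    print(review_failed_logins(SAMPLE_LOG))
```

To run it against a real log, pass an open file handle, for example `review_failed_logins(open(path))`.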

📤 Exporting Logs

Send logs to an external system for analysis:


docker logs bitwarden | nc <elk-stack-ip> 514

Backup and Restore

🗂️ File-Based Backups

Back up your Bitwarden data directory:


tar -cvzf bitwarden-backup.tar.gz ~/bitwarden/data

🔄 Database Backups

Export the SQLite database:


sqlite3 ~/bitwarden/data/db.sqlite3 ".backup bitwarden-db-backup.sqlite3"

📅 Automated Backup Scripts

Create a daily backup script:


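# The script writes to ~/backups, so create it first
mkdir -p ~/backups
echo 'tar -czf ~/backups/bitwarden-$(date +%F).tar.gz ~/bitwarden/data' > ~/backup.sh
chmod +x ~/backup.sh
# Append to the existing crontab; piping a single line into "crontab -" would replace every other entry
(crontab -l 2>/dev/null; echo "0 2 * * * $HOME/backup.sh") | crontab -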
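The file-based and database backups above can be combined so the archive never contains a half-written database. The following Python script is an added example, not part of the original guide: it snapshots db.sqlite3 through SQLite's online backup API (the mechanism behind `.backup`), checks the copy, and archives it with the rest of the data directory in an owner-only file. The function names and the `data/` prefix inside the archive are assumptions.

```python
import os
import sqlite3
import tarfile
import tempfile
from datetime import date


def snapshot_db(src_path, dest_path):
    """Copy a live SQLite database with the online backup API and verify the copy."""
    # mode=rw fails on a wrong path instead of silently creating an empty database.
    src = sqlite3.connect(f"file:{src_path}?mode=rw", uri=True)
    dest = sqlite3.connect(dest_path)
    try:
        src.backup(dest)  # consistent even if the server writes during the copy
        status = dest.execute("PRAGMA integrity_check").fetchone()[0]
    finally:
        src.close()
        dest.close()
    if status != "ok":
        raise RuntimeError(f"snapshot failed integrity check: {status}")
    return dest_path


def backup_data_dir(data_dir, backup_dir, db_name="db.sqlite3"):
    """Archive data_dir, substituting a verified snapshot for the live DB files."""
    os.makedirs(backup_dir, mode=0o700, exist_ok=True)
    archive = os.path.join(backup_dir, f"bitwarden-{date.today().isoformat()}.tar.gz")
    live_db_files = {db_name, db_name + "-wal", db_name + "-shm"}
    with tempfile.TemporaryDirectory() as tmp:
        snap = snapshot_db(os.path.join(data_dir, db_name), os.path.join(tmp, db_name))
        # Owner-only from creation: the archive holds the whole vault database.
        fd = os.open(archive, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, "wb") as raw, tarfile.open(fileobj=raw, mode="w:gz") as tar:
            for name in sorted(os.listdir(data_dir)):
                if name not in live_db_files:
                    tar.add(os.path.join(data_dir, name), arcname=f"data/{name}")
            tar.add(snap, arcname=f"data/{db_name}")
    os.chmod(archive, 0o600)  # also tighten an archive that already existed
    return archive


if __name__ == "__main__":
    home = os.path.expanduser("~")
    print(backup_data_dir(os.path.join(home, "bitwarden/data"), os.path.join(home, "backups")))
```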

Updating and Upgrading Bitwarden Server

⬆️ Updating Docker Images

  1. Pull the Latest Docker Image:

docker-compose pull

docker-compose up -d

🛠️ Manual Updates

For manual installations, replace the binary with the latest release:


curl -L -o bitwarden https://github.com/dani-garcia/vaultwarden/releases/latest/download/vaultwarden-x86_64-unknown-linux-gnu
chmod +x bitwarden
# Replace the installed binary, then restart the server
sudo mv bitwarden /usr/local/bin/

Checking for Updates

Check the latest version on the official GitHub releases page.

Leveraging Bitwarden Server's Unique Features

🔧 Enabling APIs

Enable API endpoints by setting the following environment variables:


environment:
  ENABLE_API: "true"
  API_KEY: "<your-api-key>"

Access the API with tools like curl:


curl -H "Authorization: Bearer <your-api-key>" https://your-domain.com/api

🌟 Advanced Configurations

Enable advanced features like user management or email notifications:


environment:
  SMTP_HOST: "smtp.mailserver.com"
  SMTP_PORT: "587"
  SMTP_USERNAME: "<your-email-address>"
  SMTP_PASSWORD: "your-email-password"

Wrapping Up

In this guide, we've covered the end-to-end setup of Bitwarden Server, including installation, reverse proxy configuration, logging, backups, and updates. By following these steps, you can enjoy a secure, self-hosted password manager tailored to your specific needs. Get started today and take full control of your credentials with Bitwarden Server!
