Self-hosting Bitwarden for 4 years

After self-hosting Bitwarden for four years, I want to share some of my thoughts and experiences.

Prior Setup

Before moving to Bitwarden, I used a local KeePassXC setup with syncing. Overall, it worked great and served its purpose effectively. However, I always considered moving to a password manager service for a better user experience, additional features and increased flexibility regarding devices and usage.

I generally have reservations about using a cloud-based password manager. Therefore, I felt self-hosting Bitwarden would be a great way forward.

Beginnings in AWS

Bitwarden is open source and has excellent documentation for self-hosting.

I started my journey on AWS. Bitwarden comes as a docker-compose deployment. At that time, I evaluated different setups on AWS regarding pricing (EC2 vs. ECS vs. EKS). The cheapest way was a small dedicated EC2 instance with a static IP. Other setups would have required a dedicated load balancer, which would be relatively expensive for such a small project. However, better alternatives might be available now.

At that time, I was running my own OpenVPN instance, which allowed me to easily add security groups to the EC2 instance, restricting access to the Bitwarden instance to myself.

I understand that moving to AWS might conflict with my earlier reservations about using a cloud service. However, I still feel that owning the service myself and just having encrypted data in the cloud is different from using a cloud-based password manager. But everyone might feel differently on this point.

Move to Local Network

I had the AWS setup for about a year, and it worked great. Observing my usage, I noticed that I basically never saved anything outside of my local network. If you use a Bitwarden client application, you still have a local copy.

So, I decided to move Bitwarden into my local network, giving me full control of the data. The migration went surprisingly smoothly. Bitwarden also provides documentation for a migration. Essentially, you just need to copy the entire bwdata folder to your local server and run a few commands.

I already had dnsmasq running in my local setup. Therefore, I was able to host Bitwarden on my local network using the same domain as before. This allowed me to use the same certificate, avoiding the need to create my own CA and distribute it to all devices using Bitwarden. Self-signed certificates are not trusted by Bitwarden client applications.
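
A quick audit of the split-horizon setup described above, as an added example that is not from the original post: it parses dnsmasq `address=` lines and checks that the vault hostname is overridden to a LAN address only. The hostname, the addresses and the function names are assumptions, and only `address=` entries are handled.

```python
import ipaddress

# Constructed sample config; vault.example.com and the addresses are placeholders.
SAMPLE_CONF = """\
# split-horizon override for the vault
address=/vault.example.com/192.168.1.20
# sinkhole entry, unrelated to the vault
address=/ads.example.net/0.0.0.0
"""

def address_overrides(conf_text):
    """Yield (domain, target) for every address=/domain/.../target line."""
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep or key.strip() != "address":
            continue
        # "/a/b/ip".split("/") -> ["", "a", "b", "ip"]; the last field is the target
        parts = value.strip().split("/")
        if len(parts) < 3 or parts[0] != "":
            continue
        for domain in parts[1:-1]:
            if domain:
                yield domain.lower().rstrip("."), parts[-1]

def override_targets(conf_text, hostname):
    """Targets of all address= entries covering hostname (the domain or a subdomain)."""
    host = hostname.lower().rstrip(".")
    return [target for domain, target in address_overrides(conf_text)
            if host == domain or host.endswith("." + domain)]

def served_only_on_lan(conf_text, hostname):
    """True only if hostname is overridden and every target is a usable LAN address."""
    targets = override_targets(conf_text, hostname)
    if not targets:
        return False  # no override: clients would get the upstream answer
    for target in targets:
        try:
            ip = ipaddress.ip_address(target)
        except ValueError:
            return False  # empty or "#" target, not an address
        if not ip.is_private or ip.is_loopback or ip.is_unspecified:
            return False
    return True

if __name__ == "__main__":
    print(served_only_on_lan(SAMPLE_CONF, "vault.example.com"))
```
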

This setup worked great, and I still run it today.

Operational Costs

The operational costs are very low. In these four years, I haven’t encountered a single issue. Bitwarden regularly releases new versions. I generally wait a few days and then update my local instance.
Bitwarden automatically takes nightly database backups. As recommended, I also back up the entire bwdata folder myself.

Conclusion

Bitwarden is an excellent project. The documentation is great!
I highly recommend it to anyone considering a self-hosted password manager solution. I continue to maintain a Bitwarden premium license to unlock additional features for the self-hosted instance and to support the project.

Author: Amin Chawki, Senior Software Engineer