Self-Host Bitwarden with Docker Compose and backups

Self-Hosting Nov 11, 2020

Last Updated: 07/06/2020

Bitwarden is a very popular password manager. It is end-to-end encrypted and open source, which means anyone can self-host it.

It's worth giving this one a think before getting started, so I have included a little chart outlining some of the pros and cons of self-hosting.

If you don't have much Linux/Docker experience, I would personally recommend using the official Bitwarden instance at vault.bitwarden.com: you get their availability, reliability and security, and it's generally stress-free.

| Feature             | Self-host          | bitwarden.com                  |
|---------------------|--------------------|--------------------------------|
| Price               | Energy or VPS cost | Free / Paid                    |
| Stress free         | No                 | Yes                            |
| Backups included    | No                 | Yes                            |
| Auto updates        | No                 | Yes                            |
| Availability        | Varies             | Microsoft Azure (pretty high)  |
| Unlimited passwords | Yes                | Yes                            |
| E2E encryption      | Yes                | Yes                            |
| Own your data       | Yes                | No                             |

If you're confident, let's get started!

We will be using Vaultwarden (formerly bitwarden_rs), an unofficial Bitwarden-compatible server written in Rust. It is far lighter than the official server, which needs several containers and an MSSQL database, so it suits a small VPS or home server.

  1. Install Docker.
  2. Set up a reverse proxy. Two options are covered in separate guides: Caddy v2 Reverse Proxy Simple Setup Guide, and Setting up Nginx Proxy Manager with Docker Compose.
  3. Make the directories for the volumes:

    cd                  # go to the home dir
    sudo mkdir bitwarden
    cd bitwarden
    sudo mkdir data

  4. Create the docker-compose.yaml file:

    sudo nano docker-compose.yaml

Use the following template:

version: '3'
services:
  bitwarden:
    image: vaultwarden/server:latest
    restart: always
    volumes:
      - ./data:/data              # database, RSA keys and attachments: this is what you back up
    networks:
      default:
        ipv4_address: 10.10.10.6  # fixed address the reverse proxy forwards to
    environment:
      WEBSOCKET_ENABLED: 'true'   # live-sync notifications on port 3012; proxy /notifications/hub there
      SIGNUPS_ALLOWED: 'true'     # set to 'false' once you have created your own account

networks:
  default:
    external:
      name: dockernet             # created with the docker network create command below

Set the ipv4_address to a free address in your Docker network. The container does not publish any ports on the host; the reverse proxy reaches it over the bridge network, so nothing is exposed to the internet until you configure the proxy.

To create a Docker network:

    sudo docker network create --driver=bridge --subnet=10.10.10.0/24 --gateway=10.10.10.1 dockernet

  5. Start the container:

    sudo docker-compose up -d

  6. Configure the reverse proxy. Vaultwarden listens on port 80 (plain HTTP) inside the Docker network, so forward your hostname to 10.10.10.6:80. With WEBSOCKET_ENABLED set it also listens on port 3012 for live-sync notifications: forward the path /notifications/hub to 10.10.10.6:3012 and everything else to port 80. The proxy must serve HTTPS: the web vault will not work over plain HTTP (its crypto needs a secure browser context), and nothing should send your master password hash over the network in the clear anyway. Both reverse proxy guides linked above take care of certificates.
  7. Visit the web vault and create a user for yourself. Then set SIGNUPS_ALLOWED to 'false' in docker-compose.yaml and run sudo docker-compose up -d again; until you do, anyone who can reach the instance can register an account on it.

Backups
Now that your Vaultwarden container is running, we will get some automatic backups sorted to protect your data. Everything worth keeping lives in the data directory: the SQLite database (db.sqlite3), the RSA key files that sign login tokens, and any attachments. There are several backup techniques you can use; a couple of options are listed below.

Option 1 - Duplicati
Covered in its own guide: Backup your Linux Server with Duplicati (Docker Compose).
Option 2 - Volumerize

You can use any S3-compatible bucket. Some examples (free tiers as advertised at the time of writing):
Amazon S3 (5GB Free)
Azure Blob (5GB Free)
Scaleway Object Storage (75GB Free)

  1. Docker run
sudo docker run -d \
    --name volumerize \
    -v BACKUPCACHE:/volumerize-cache \
    -v BACKUPDIR:/source:ro \
    -e "VOLUMERIZE_SOURCE=/source" \
    -e "VOLUMERIZE_TARGET=s3://S3URL" \
    -e "AWS_ACCESS_KEY_ID=ACCESS-ID" \
    -e "AWS_SECRET_ACCESS_KEY=KEY-ID" \
    -e "PASSPHRASE=ENCRYPTIONPW" \
    -e "VOLUMERIZE_JOBBER_TIME=0 0 3 * * *" \
    blacklabelops/volumerize

Replace the following:
BACKUPCACHE = absolute path for the duplicity cache, eg /home/USER/backupcache
BACKUPDIR = absolute path of the directory to back up, eg /home/USER/bitwarden (mounted read-only, so the backup job cannot modify the live data)
S3URL = S3 endpoint and bucket, eg s3-us-west-2.amazonaws.com/BUCKETID
ACCESS-ID = S3 access key ID (ideally for a user that can only write to this one bucket)
KEY-ID = the matching S3 secret access key
ENCRYPTIONPW = the passphrase the backup is encrypted with before it is uploaded. Keep it somewhere other than inside this vault: without it the backups are useless, and if the only copy lives in the vault you are trying to restore you will never get it back.

These secrets are passed as environment variables, so anyone who can run docker inspect on the host can read them.

VOLUMERIZE_JOBBER_TIME is a Jobber schedule (seconds, minutes, hours, day of month, month, day of week), so "0 0 3 * * *" runs an incremental backup at 3 AM every day. Incremental backups need an initial full backup to build on, which is the next step.

  2. Run the initial full backup:
    sudo docker exec volumerize backupFull
  3. To restore, stop the Vaultwarden container first and point RESTOREDIR at an empty directory (or at the bitwarden directory itself once you have moved the old data aside), then start the container again afterwards:
sudo docker run --rm \
    -v RESTOREDIR:/source \
    -e "VOLUMERIZE_SOURCE=/source" \
    -e "VOLUMERIZE_TARGET=s3://S3URL" \
    -e "AWS_ACCESS_KEY_ID=ACCESS-ID" \
    -e "AWS_SECRET_ACCESS_KEY=KEY-ID" \
    -e "PASSPHRASE=ENCRYPTIONPW" \
    blacklabelops/volumerize restore
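
One thing both options above have in common is that they copy files straight out of the live data directory. Vaultwarden keeps the vault in a SQLite database (data/db.sqlite3) next to the RSA signing keys and the attachments, and a plain file copy of a database that is being written to can come out inconsistent. The script below is an added example, not part of this guide or of the Vaultwarden project: it uses the sqlite3 CLI's online backup command to take a consistent snapshot of the data directory into a staging directory that you then hand to Duplicati or Volumerize as BACKUPDIR, and it includes a check to run on a restored directory before starting the container on it. The paths, the snapshot.sh name and the cron line are assumptions for the example; the file names follow the Vaultwarden data directory layout.

```shell
#!/bin/sh
# Added example (not from the original guide or the Vaultwarden project):
# take a consistent snapshot of a Vaultwarden data directory into a staging
# directory, and sanity-check a restored directory. Paths used in the comments
# are assumptions; the file names are those Vaultwarden writes under /data.
set -eu

# snapshot_vaultwarden DATA_DIR STAGE_DIR
# DATA_DIR is the host directory mounted at /data in the container (./data
# in the compose file). STAGE_DIR is recreated from scratch on every run.
snapshot_vaultwarden() {
    data=$1
    stage=$2
    if [ ! -f "$data/db.sqlite3" ]; then
        echo "snapshot: no db.sqlite3 in $data" >&2
        return 1
    fi
    rm -rf "$stage"
    mkdir -p "$stage"
    if command -v sqlite3 >/dev/null 2>&1; then
        # SQLite's online backup API yields a consistent image even while
        # Vaultwarden is writing; a plain cp of a live db.sqlite3 may not.
        sqlite3 "$data/db.sqlite3" ".backup '$stage/db.sqlite3'" || return 1
    else
        # Fallback for hosts without the sqlite3 CLI: only safe if the
        # container is stopped before this runs.
        cp "$data/db.sqlite3" "$stage/db.sqlite3" || return 1
    fi
    # rsa_key.* sign login tokens (without them every client must log in
    # again); config.json holds admin-panel overrides. attachments/ and
    # sends/ are encrypted blobs that only make sense with this database.
    # icon_cache/ is deliberately skipped: it is regenerated on demand.
    for f in rsa_key.pem rsa_key.pub.pem rsa_key.der rsa_key.pub.der config.json; do
        if [ -f "$data/$f" ]; then cp "$data/$f" "$stage/$f" || return 1; fi
    done
    for d in attachments sends; do
        if [ -d "$data/$d" ]; then cp -R "$data/$d" "$stage/$d" || return 1; fi
    done
    return 0
}

# verify_restore DIR
# Run after "volumerize restore" (or a Duplicati restore) into DIR, before
# starting the container on it. Returns 0 only when the database is present
# and, if sqlite3 is installed, passes SQLite's integrity check.
verify_restore() {
    dir=$1
    if [ ! -f "$dir/db.sqlite3" ]; then
        echo "verify: db.sqlite3 missing in $dir" >&2
        return 1
    fi
    if [ ! -f "$dir/rsa_key.pem" ]; then
        echo "verify: warning, rsa_key.pem missing (clients will have to log in again)" >&2
    fi
    if command -v sqlite3 >/dev/null 2>&1; then
        result=$(sqlite3 "$dir/db.sqlite3" "PRAGMA integrity_check;") || return 1
        if [ "$result" != "ok" ]; then
            echo "verify: integrity_check returned: $result" >&2
            return 1
        fi
    fi
    return 0
}

# Example cron entry (assumed paths), run an hour before the 3 AM backup job:
#   0 2 * * * /home/USER/snapshot.sh /home/USER/bitwarden/data /home/USER/bitwarden-snapshot
if [ $# -eq 2 ]; then
    snapshot_vaultwarden "$1" "$2"
fi
```

Point BACKUPDIR at the staging directory (or at a parent that contains both it and docker-compose.yaml) instead of the live data directory, and run verify_restore on whatever you restore before starting the container on it: a database that fails integrity_check should not be started, because Vaultwarden will run on it and the next incremental backup will capture the broken state.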

All done :)
