My own "justification" is that while self-hosted is my main personal store, I maintain a paid but empty account with Bitwarden. Said empty account on their servers is to be the emergency access person for family members' personal official vaults. So, they get some money for a license out of me, without the server usage.
I subscribed for two reasons: 1. To support their efforts and 2. They accept Bitcoin (and of course I paid with Bitcoin although the whole payment processing was garbage).
Similar here... I also trust them to maintain their service slightly better than I trust myself to do so. I like supporting the project in general as well.
Same here too for personal/family vaults. Have been using the bitwarden cloud offering in professional context too.
vaultwarden, or bitwarden-rs as it used to be called, have been working flawlessly for years on my side, updates always work just as expected, and it supports a lot of organizational features too.
But I felt like it was better to trust bitwarden’s cloud for professional stuff, just for the reliability.
I did too, and liked it until it taught me a valuable lesson about self hosting things. I started using the project while it was still called bitwarden-rs. Apparently they were told to rename by Bitwarden (understandable).
My setup was based on their Docker images, and, thinking it was the safest option, I had set up Watchtower to automatically update to the latest image nightly to get the latest security patches. But then I discovered that the bitwarden-rs image had not been updated for _months_ because of the rename.
So basically I was hosting my whole password database in this, and I had suddenly lost security updates without realizing.
Btw, I'm not blaming either Vaultwarden or Bitwarden. But if you're going to self-host something this security critical, just be sure that you definitely monitor it _manually_ to make sure you're not on some unpatched vulnerable version some months down the line.
Better to put everything in git and run your own renovate bot which will create PRs for you to review and also pull in the changelogs to the PR itself so you can check for breaking changes.
stavros|1 year ago
westonmyers|1 year ago
csomar|1 year ago
tracker1|1 year ago
lcof|1 year ago
kivle|1 year ago
OptionOfT|1 year ago
E.g. you deploy with DATABASE_URL=x
This becomes DATABASE_URL=x PYTHON=3.0.0
You did not set the Python one, the image did via ENV.
Now a new version comes out with PYTHON=3.1.0.
Watchtower doesn't know which ENVs you set and which ones came from the container as docker inspect exposes them in the same way.
So now Watchtower deploys the new version (which only has Python 3.1.0) with DATABASE_URL=x PYTHON=3.0.0.
And stuff stops working.
I use an ansible playbook which maintains the only ENV vars that need to survive an update.
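An added example (mine, not from the thread and not Watchtower's or Docker's code) that shows the mechanism described above: if an updater re-applies the full environment read back from the running container, the old image's defaults shadow the new image's defaults, whereas diffing the container's env against the old image's env recovers only the operator-set variables. The env lists are constructed to mirror the shape of `.Config.Env` in `docker inspect` output; the image names and values are made up.

```python
def parse_env(env_list):
    """Turn a ['KEY=VALUE', ...] list (docker inspect .Config.Env shape) into a dict."""
    out = {}
    for item in env_list:
        key, _, value = item.partition("=")
        out[key] = value
    return out


def naive_redeploy_env(old_container_env, new_image_env):
    """What a blind updater effectively does: apply the running container's
    whole env (operator vars PLUS the old image's defaults) on top of the new
    image, so stale defaults like PYTHON=3.0.0 win over the new image's."""
    merged = parse_env(new_image_env)
    merged.update(parse_env(old_container_env))
    return merged


def user_set_env(old_container_env, old_image_env):
    """Recover only what the operator set: any variable in the running
    container that the OLD image did not already supply with the same value.
    A deliberate operator override of an image default (different value) is
    kept, because it differs from what the image shipped."""
    image_defaults = parse_env(old_image_env)
    return {k: v for k, v in parse_env(old_container_env).items()
            if image_defaults.get(k) != v}


def safe_redeploy_env(old_container_env, old_image_env, new_image_env):
    """New image defaults first, then only the operator's own variables."""
    merged = parse_env(new_image_env)
    merged.update(user_set_env(old_container_env, old_image_env))
    return merged


# Constructed sample data: the old image ships PYTHON=3.0.0, the new one
# PYTHON=3.1.0, and the operator only ever set DATABASE_URL (as in the comment).
OLD_IMAGE_ENV = ["PATH=/usr/bin", "PYTHON=3.0.0"]
NEW_IMAGE_ENV = ["PATH=/usr/bin", "PYTHON=3.1.0"]
OLD_CONTAINER_ENV = ["DATABASE_URL=x", "PATH=/usr/bin", "PYTHON=3.0.0"]

if __name__ == "__main__":
    print("naive:", naive_redeploy_env(OLD_CONTAINER_ENV, NEW_IMAGE_ENV))
    print("operator-set:", user_set_env(OLD_CONTAINER_ENV, OLD_IMAGE_ENV))
    print("safe:", safe_redeploy_env(OLD_CONTAINER_ENV, OLD_IMAGE_ENV, NEW_IMAGE_ENV))
```

In practice the two image env lists come from `docker inspect` of the old and new image, and the container list from `docker inspect` of the running container; keeping the operator-set variables in a file under version control, as the comment suggests with a playbook, avoids needing the diff at all.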
MrOwen|1 year ago
johnflan|1 year ago
+ I really enjoy this era of self-hosted tools.
ErneX|1 year ago