BitWarden - self hosted password manager using vaultwarden/server image




UPDATE (30/04/2021):
Changed the article to reflect the use of the new vaultwarden/server image

UPDATE (03/12/2019):
Added SMTP parameters
UPDATE (10/08/2019):
Added steps for activating LiveSync item feature
UPDATE (28/05/2019):
Edited name of the docker image from mprasil/bitwarden to bitwardenrs/server. The image is identical and the resource is still on track


docker-compose example:

YAML:
version: "3.5"
services:
  bw:
    image: vaultwarden/server
    network_mode: "bridge"
    container_name: "bw"
    ports:
      -  "80:80"
    volumes:
      -  "<path>:/data"
    environment:
      - "SMTP_PASSWORD=password" # add SMTP_XXXX variables to allow public user management (account reset etc.)
      - "SMTP_USERNAME=username"
      - "SMTP_SECURITY=starttls"
      - "SMTP_PORT=587"
      - "SMTP_FROM=from_email"
      - "SMTP_HOST=smtp.gmail.com"
      - "DOMAIN=https://yourdomain.com" #add your public domain name
      - "TZ=Europe/Paris"
      - "SIGNUPS_ALLOWED=false" #true or false if you want to enable or disable public signups
      - "PUSH_ENABLED=true"
      - "PUSH_INSTALLATION_ID=xxxxxxxxxxxxxx"
      - "PUSH_INSTALLATION_KEY=xxxxxxxxxxxxxx"
    restart: always


Considering that there are several people interested in this solution, maybe a quick tutorial on how to run this in docker will help.

Let's start.

1st thing - install Docker via Package center or if your NAS doesn't support it, install it manually by downloading the package from Syno site. After that, you can use the Manual install button in Package Center to install Docker. Keep in mind that this is not 100% supported and some features of docker will still not function. If your NAS is from the '+' lineup, then you are good to go.

This tutorial will focus on a custom vaultwarden/server image that I use as well. It's updated and maintained all the time so there is no need to worry. Support for it can be reached on their Matrix chat channel if needed.

After you have installed Docker open it up and you will land on a similar screen


Switch over to the Registry tab and use the search field to type in bitwarden. After a few seconds, you should get a list similar to this one.

As you can see vaultwarden/server is the top result for me, if that's not the case with you just find it manually. Select it and hit the download button. A pop-up window will show up asking you what version you want. Select latest and click ok.

Now wait for the image to download and DSM will notify you when it's ready via a system notification.

As soon as that's done, switch over to the Image tab inside Docker. You should see bitwarden image in the list:



Now that the image has downloaded click on it and press the Launch button on the top.

This action will start the Container creation wizard. So remember, an image creates a container and you can create multiple containers from a single image if you need to. The 1st step in this wizard looks like this:



Give the container a name, enable the resource limit (optional, but I like to use it to control how much RAM and CPU priority the container gets) and then click the Advanced Settings button (not Next). As shown in the image, I gave the BW container a maximum of only 50MB of RAM (it's not gonna use that much anyway) just to be on the safe side. Docker has a great benefit in that it can limit resources, so that a buggy image/container will not take all of your NAS resources in case there is a memory leak or some nasty bug in the image itself.

Opening the Advanced settings window will show up multiple tabs that need to be configured (not all and not for every container):



The Auto-restart feature is nice to have ON in case you need to reboot your NAS or Docker for that matter and want all your containers booting automatically. Ofc this is an optional setting but still. Regarding shortcuts on the desktop, personally, I don't use them. The desktop in this context is the DSM desktop, not your computer desktop. I use Heimdall for all my docker URL needs so this option is OFF (again, you can use it if you choose to do so).

Moving to the 2nd tab, Volume. Now, this is the most important thing that needs to be done when working with containers. Read up on those so that I don't start messing with this tutorial too much, but in short, it means this. If you start working with your container, all information, configuration, data etc, are sandboxed inside the container. This means that after you restart your container (reboot, NAS update, Docker update, docker image update) it will reset itself to initial settings. As a result, all your work will be reset and gone.

That means that in the case of BW, all your imported data, long random passwords that you have defined are gone! Now that you have understood the importance of this let's configure an outside volume that will keep your data safe from this scenario.



The Volume tab is used to map files or folders from within the container outside to your local shared folder(s) on your NAS. As a result, even if something happens to the container your data will be safe and all you have to do is recreate the container and attach it to the same volume to get access to your data. That's the whole beauty of Docker. Moving your data around regardless of what's hosting your container.

In the image above I have mapped the left side (your NAS folder structure) to the right side (container mount path). The principle is the same. The left side is your local NAS destination where you want the container folder data stored.

In the case of this BitWarden image, all data is stored in the /data folder as indicated by the instructions on the image web page. So to recap, I have mapped the docker/bitwarden local path (bitwarden is a subfolder of the /docker folder that you will get after you install Docker. Ofc you don't have to use that destination if you don't want to) to the /data folder that the BW image is using. As a result, all my data will actually be in the docker/bitwarden folder on my NAS and not sandboxed in the container itself.

You can (and preferably should) back up those folders, as they are essential, unlike the rest of the container, which is expendable.

Moving over to 3rd tab - Network. Here you can select networks that you want your container to use. You can make new networks for specific subnets or you can use the default one, bridge. In the spirit of this tutorial just use the bridge. This will mean that all containers using this network will be essentially in a NAT configuration with your NAS. Meaning you will access those apps and services using your local NAS IP address and a custom port defined on the following tab, Port Settings.



Same as with volumes, ports are configured the same way. Left side localhost ports (on your NAS), right side container ports. DO NOT change the container side numbers, or you will have problems running the container in the 1st place. It can be reconfigured but you will have to do it on the image level, so not important for now. Another reason why this is not needed is that you can use almost any port for the Local port value that you want.

So change auto value to a port of your choosing. The general rule would be to use some non-system/default port like 1024 or above. Keep in mind that if you want to access your Docker containers with a custom domain name on an https/443 port, this is not the place to do it (separate tutorial for that). Atm you want to stick with a custom number (it can be the same as the container one) to get things going.

My example would be 1024 and 1025 for the pair.

The next tab, Links, is not needed for this container to run. So moving to the last one, Environment.

Even though for this particular container even this tab is not needed, there will be a huge number of images that use this section.



Most variables are case sensitive so be aware of that. In this example, the image has already a number of variables set for us and there is no need to configure any additional. Keep your eye on the image page that you are about to use for any -e switch as that's the env variable that needs to be configured, added or changed to your needs.

UPDATE:
If you do not want to keep signups open to the public (let's say you are running this site on the internet), then be sure to use this variable to keep signups closed after your initial account creation!

SIGNUPS_ALLOWED=false
In the UI, add this variable by typing SIGNUPS_ALLOWED in the "variable" column and false in the "value" column. Do not use the = sign.
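The compose file at the top of the page and the SIGNUPS_ALLOWED advice above can be turned into a check to run before the instance is exposed. This is an added example, not part of the original tutorial or of the Vaultwarden project; the function names, finding codes and sample file are constructed for illustration.

```python
import re

# Constructed sample in the shape of this page's compose file, with signups
# left open, a plain-HTTP DOMAIN and an inline SMTP password.
SAMPLE_COMPOSE = """\
services:
  bw:
    image: vaultwarden/server
    ports:
      - "80:80"
    environment:
      - "SMTP_PASSWORD=password" # inline secret
      - "DOMAIN=http://yourdomain.com"
      - "SIGNUPS_ALLOWED=true"
"""

# Variables whose values are credentials; ADMIN_TOKEN is the one the reviews mention.
SECRET_KEYS = ("ADMIN_TOKEN", "PUSH_INSTALLATION_KEY", "SMTP_PASSWORD")

# Matches list items (- "KEY=value") and map items (KEY: "value").
# A light line matcher, not a YAML parser: values containing '#' or '"' are cut short.
ENV_ITEM = re.compile(r'^\s*-?\s*"?([A-Z][A-Z0-9_]*)\s*[=:]\s*"?([^"#]*)')


def parse_env(compose_text):
    env = {}
    for line in compose_text.splitlines():
        match = ENV_ITEM.match(line)
        if match:
            env[match.group(1)] = match.group(2).strip()
    return env


def audit(compose_text):
    """Return finding codes for settings that matter once the instance is public."""
    env = parse_env(compose_text)
    findings = []
    # Vaultwarden accepts signups unless the variable is explicitly false,
    # so a missing SIGNUPS_ALLOWED is reported the same as "true".
    if env.get("SIGNUPS_ALLOWED", "true").lower() != "false":
        findings.append("signups-open")
    # DOMAIN is the public URL the page says to set; flag it when it is not https.
    if "DOMAIN" in env and not env["DOMAIN"].startswith("https://"):
        findings.append("domain-not-https")
    # Credentials typed into the compose file travel with every copy of it.
    findings += [f"inline-secret:{key}" for key in SECRET_KEYS if env.get(key)]
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_COMPOSE):
        print(finding)
```

An empty list means none of the three checks fired; it says nothing about the reverse proxy or the admin panel, which have to be reviewed separately.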

Now that we have gone through all the advanced settings, click Apply and you will close this window. Back in the main window, click Next, review the Summary, and click Apply.



If you have left the check box next to Run this container after the wizard is finished checked, your container will now be created and started. To verify that all is running well, move to the Container tab in Docker main window to find BW container up and running.



That's it! All that's left now is to go to your NAS IP address followed by the port number that you have defined to access the user interface.

An example of the URL would be: http://10.100.10.12:80 or whatever port you have defined as a local port for container port 80 (80 would be usually registered as in use).

Now that you have your new BW self-hosted instance running, enjoy it and prepare to make it accessible via the internet using a valid SSL certificate, a custom domain name, and a reverse proxy. More on that in the upcoming tutorial.



Latest updates

  1. VaultWarden 1.29 changes

    UPDATE 09/07/2023 - v 1.29 - Mobile client push With version 1.29, VaultWarden team has added...
  2. Securing the ADMIN_TOKEN

    Previously the ADMIN_TOKEN could only be in a plain text format. You can now hash the...
  3. Docker image change

    The old image bitwardenrs/server is being deprecated and changed with a new official one called...

Latest reviews

Hey Rusty, this is an amazing guide. I have Bitwarden set up successfully with a reverse proxy and SSL cert with no problems. However I had a few questions:

1) I noticed the guide does not mention the setting up of the ADMIN_TOKEN. Is there a reason why you didn't show the admin panel?

2) I added the ADMIN_TOKEN as an environmental variable with a strong pw and I can access it via my bw.domain.synology.me domain. I wanted to ask, can you tell me how I can hide the /admin interface from the internet? When I looked in the Unraid forum on this issue another user mentioned adding the following to the reverse proxy line:

"location /admin {
return 404;
}"

It seems like he's using the command line interface and editing the reverse proxy directly. The link to his instruction is here: https://forums.unraid.net/topic/88086-support-bitwardenrs-bitwarden_rs/page/3/

How can I add something similar to this to my Bitwarden instance that's on Synology? I don't use command line, and am familiar with the GUI. If it's not possible in the GUI then I'd definitely want to learn how to go about doing this in the CLI within Synology. Please help!
Upvote 0
Thanks - great info
Upvote 0
Well explained for a Docker newbie
Rusty
Tnx, hope it will serve you well.
Upvote 0
Perfect - Well explained and it's working like a charm.
Upvote 1
Thank you very much for creating this tutorial and sharing your knowledge.
Rusty
You are most welcome. Happy to help
Upvote 0
Great tutorial. Any chance of completing the https part of the tutorial?
Rusty
Thx. There is an option to push it via reverse proxy for https implementation but if you are referring to a stand alone https implementation then I’m not sure if I’ll have the time to do it. There are multiple resources that I wanna add not to mention more articles on my blog, just don’t have the time atm. If I get some time I’ll be sure to implement those.
Upvote 0
Excellent tutorial on the typical Syno user level.
Next step would be to enhance it with a description to use the Reverse-Proxy for Https TLS termination. Once Https is covered, I am quite sure MFA would be helpful, as it brings a major security advantage to the table.
Rusty
Tnx! There is a RP tutorial as well here on the resource page. Also 2FA is an option in BW but not covered by the tutorial as there are multiple options on that front. Personally I use Authy for all my 2FA steps including BW, works like a charm.
Upvote 1
Thanks to this, I started bitwarden on my NAS too.
But I have one question: what exactly should I do to have my data stored in that local "/data" subfolder? I configured it as you described (the only difference, I did not name it /data, instead of this I used /mydata), but in File Station under docker/bitwarden I cannot see any subfolder nor data files...
Thank you.
Rusty
So as I posted in the discussion, make sure NOT to change the right side of the volume mount point: keep it like /your_local_destination_of_choice:/data
Upvote 0
Great read.
Upvote 0
Excellent tutorial! Finally, I've installed Bitwarden now waiting for next tutorial to use it over https! :)

Thank you, Rusty!
Rusty
Welcome m8! Glad you got it going... Hopefully I'll get around to writing it over the weekend.
Upvote 1
