Docker BitWarden - self hosted password manager using vaultwarden/server image

[maravac]

I have just done the update to 1.26 (didn't had time over the weekend) with 0 issues.

Looking at the git change log, no breaking changes, but there is one BUG active for users using the outside DB (not your case).

Tested creating, editing and deleting an item with no issues at all.

View attachment 11092

Can you try and make a new contianer and connect it to the existing volume content? Have you tried that?

Didn't try yet, I will try. Can I use the same ports? I suppose yes, but not sure. Also, should I try the Recreate or Duplicate/Edit option (button) from the Portainer? Or delete it completely (both image and container - first backup my settings) and start from the scratch? What would you recommend first?

 

[Rusty]

Can I use the same ports? I suppose yes, but not sure

Ofc, as long as those current one are not in use.

What would you recommend first?

Just nuke the contianer and start fresh. If you have run it via portainer, configure it as a stack (docker-compose), and run it that way.

Then you will be able to reconfigure and recrate as needed.

Example:

version: "3.5"
services:
  bw:
    image: vaultwarden/server
    container_name: "bw"
    ports:
      -  "80:80"
      -  "3012:3012"
    volumes:
      -  "/volume2/bitwarden:/data"
    environment:
      - "SMTP_PASSWORD=password" #add SMTP_XXXX variables to allow public user managment (account reset etc)
      - "SMTP_USERNAME=username"
      - "SMTP_SECURITY=starttls"
      - "SMTP_PORT=587"
      - "SMTP_FROM=from_email"
      - "SMTP_HOST=smtp.gmail.com"
      - "DOMAIN=https://yourdomain.com" #add your public domain name
      - "TZ=Europe/Paris"
      - "WEBSOCKET_ENABLED=true" #Enable this if you want to use the LiveSync feature on port 3012
      - "SIGNUPS_ALLOWED=false" #true or false if you want to enable or disable public signups
      - "ADMIN_TOKEN=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" #add custom string for logging into the admin UI
    restart: always

 

[maravac]

Ofc, as long as those current one are not in use.


Just nuke the contianer and start fresh. If you have run it via portainer, configure it as a stack (docker-compose), and run it that way.

Then you will be able to reconfigure and recrate as needed.

Example:

version: "3.5"
services:
  bw:
    image: vaultwarden/server
    container_name: "bw"
    ports:
      -  "80:80"
      -  "3012:3012"
    volumes:
      -  "/volume2/bitwarden:/data"
    environment:
      - "SMTP_PASSWORD=password" #add SMTP_XXXX variables to allow public user managment (account reset etc)
      - "SMTP_USERNAME=username"
      - "SMTP_SECURITY=starttls"
      - "SMTP_PORT=587"
      - "SMTP_FROM=from_email"
      - "SMTP_HOST=smtp.gmail.com"
      - "DOMAIN=https://yourdomain.com" #add your public domain name
      - "TZ=Europe/Paris"
      - "WEBSOCKET_ENABLED=true" #Enable this if you want to use the LiveSync feature on port 3012
      - "SIGNUPS_ALLOWED=false" #true or false if you want to enable or disable public signups
      - "ADMIN_TOKEN=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" #add custom string for logging into the admin UI
    restart: always

Thanks. As I am not very familiar with the docker-compose mechanism, I just created it via Synology's Docker (downloaded the image again and created a new container). Configured as before, it is running correctly, no data lost.

But I would like to know something. Maybe some of those parameters in your docker-compose example (environment section) could be useful for me to add too. Maybe some of them are important, some are non-mandatory. etc. Could you describe it a bit? Especially those SMTP things (what are they used for?), or WEBSOCKET_ENABLED or TZ (Timezone). Also DOMAIN (is it good to have it in the environment? I don't have it there now, but my bw is accessible from outside via custom (sub)domain now. My actual environment looks like this:

Btw. there are two lines missing now, if I compare to my previous (broken, now deleted) vaultwarden container. These two are:

Not sure, why...

 

[Rusty]

Configured as before, it is running correctly, no data lost.

Glad you got it running again! Looks like something has damaged the container in a way during the update (just guessing here).

In any event, glad you are back on track.

Especially those SMTP things (what are they used for?)

For registration (if allowed), as well as a method of a password reset or lockdown

WEBSOCKET_ENABLED or TZ (Timezone)

Websock is used for the sync mechanisam that works in the background to sync any new item additions with all the clients in any direction (with some limitations that this non-official BW instance has). More details here.

TZ is a timezone, just to keep the contianer in sync regarding time, that might be needed in case a password reset scenario happens.

DOMAIN I had since the start and from what I read back in the day was mandatory in order to run it over https to be compatible with the new version of official public BW clients. Looks like if it works for you without it, I could be wrong, but it runs for me just fine, so not sure what to tell you on that.

Btw. there are two lines missing now, if I compare to my previous (broken, now deleted) vaultwarden containe

With 1.26 version (looking at the change log) there were changes that could have been a result of those changes. I wouldn't worry about that too much.

 

[Telos]

can anyone here please help me to fix it without loosing my passwords database (there is not only my user account in bitwarden, but also three more user accounts - my family members - and I really would not like to loose everything).

You should make regular backups of your data. Always.

TZ is a timezone, just to keep the contianer in sync regarding time, that might be needed in case a password reset scenario happens.

I believe this also affects TOTP.

 

[Rusty]

I believe this also affects TOTP.

Indeed! Ty for point that.

 

[maravac]

You should make regular backups of your data. Always.

That's what I mentioned in my post - I have it configured to generat the snapshots and hyperbackups too. But thanks for reminding.

I believe this also affects TOTP.

This makes sense, good to know!

 

[maravac]

Indeed! Ty for point that.

Btw. DOMAIN - should be just domain (f.e. mydomain.com), or full address of the subdomain that I use it for (f.e. bw.mydomain.com)?

 

[Telos]

I have it configured to generat the snapshots and hyperbackups too. But thanks for reminding.

OK, but you also mentioned

can anyone here please help me to fix it without loosing my passwords

Glad to hear you have backups. Still, snapshots and HB aren't the same as a regular export of your Bitwarden database.

 

[maravac]

OK, but you also mentioned

Glad to hear you have backups. Still, snapshots and HB aren't the same as a regular export of your Bitwarden database.

Can it be done automatically (scheduled plan), or manually only from the admin web UI?

 

[Rusty]

Can it be done automatically (scheduled plan), or manually only from the admin web UI?
View attachment 11106

As far as I know, there is no automatic/scheduled export of data the way you can export it manually.

 

[Gerard]

Can it be done automatically (scheduled plan), or manually only from the admin web UI?
View attachment 11106

Is there even a need to do this “Backup Database” if you are doing snapshot replication on the data folder? Which is where the database is located I think.

 

[Rusty]

Still, snapshots and HB aren't the same as a regular export of your Bitwarden database.

This is true, the backup DB is not also the same as Export vault feature. Those should not be mixed as, export Vault do not include file attachments, password history, items in the trash or Sends. You need to export these manually.

Is there even a need to do this “Backup Database” if you are doing snapshot replication on the data folder? Which is where the database is located I think.

Think this started as a comment on Telos suggestion.

Personally, I have some version of my vault export, but not something I do all the time as I rely on the backup and snaps of the whole instance.

 

[BobW]

Is there even a need to do this “Backup Database” if you are doing snapshot replication on the data folder? Which is where the database is located I think.

I do a weekly database-dump via script and dsm task.

 

[Gerard]

So I do regular snapshots of the docker folder that contain the data folder. Additionally I’ll do a manual export of the password vault once in a blue. my curious question here is, does the DB backup in the admin portal duplicate what I’m doing with snapshot replication? If I’m creating a snapshot copy of the folder essentially I’m making a copy of the database, no? Just wondering if I should be doing regular DB backup from the admin portal, but what I’ve seen it just creates a copy of the db into the docker data folder.

 

[Rusty]

If I’m creating a snapshot copy of the folder essentially I’m making a copy of the database, no?

Correct.

Just wondering if I should be doing regular DB backup from the admin portal, but what I’ve seen it just creates a copy of the db into the docker data folder.

imho, no

 

[Gerard]

Correct.


imho, no

Awesome thank you for your insight (from others too!)

 

[Telos]

This is true, the backup DB is not also the same as Export vault feature. Those should not be mixed as, export Vault do not include file attachments, password history, items in the trash or Sends.

Es verdad. As there are several points of disruption possible when running Vaultwarden, I'd rather not find myself without access to my logins, and secure notes. Making a regular vault backup, affords me the ability to access/use the passwords should Bitwarden be inaccessible.

 

[Gerard]

Glad to hear you have backups. Still, snapshots and HB aren't the same as a regular export of your Bitwarden database.

@Telos when you stated “regular export of your Bitwarden database,” do you mean doing a vault export? And if so, which is the preferable format to export (.json or .csv)?

 

[Telos]

which is the preferable format to export (.json or .csv)?

Yes... I should use the term "vault". I select json, as it is the format KeePass (my "go to" password app, after Bitwarden) defaults to when importing Bitwarden accounts. Is it preferable? For me, yes.