Notes publiques de Romain

🔐 Passwords with Self-Hosted Vaultwarden

I used to avoid password managers because centralizing everything felt too risky. If the service got hacked or went down, I imagined losing access to all my accounts at once. What changed my mind was discovering Bitwarden’s architecture and the option to self‑host it through Vaultwarden.

With Bitwarden, everything in the vault is end‑to‑end encrypted. The server never sees my passwords in clear text, and the encrypted vault is cached locally in the browser extension. That means I can still access my passwords even if my server is temporarily offline. This solved my availability fear.

I also wanted full control and open source. Bitwarden’s code is open, and Vaultwarden is a lightweight Rust fork that speaks the same protocol but is fully community‑driven. I host Vaultwarden via YunoHost, which handles installation, backups, upgrades, HTTPS, and the Nginx reverse proxy for me. From my perspective, it turns “self‑hosting a password manager” into something almost trivial.

A pragmatic view on TOTP / 2FA
Bitwarden’s built‑in TOTP support is a killer feature for me. It makes registering 2FA tokens, auto‑filling them, and syncing them across devices incredibly convenient. I know the “ideal” practice is to keep TOTP secrets on a single, offline or dedicated device. But with the number of services now requiring 2FA, that setup becomes fragile and stressful: lose one device, lose everything. Instead, I treat TOTP as a rotating second password that mainly protects me if my static password leaks (for example via phishing). I accept that if my Vaultwarden vault and master password were ever compromised, the TOTP secrets inside would be exposed too. For my threat model, the usability and recoverability benefits are worth this trade‑off.
