I just looked at the requirements to host your own Bitwarden server. Why does a password manager need 2GB of ram (4GB recommended) and 25GB[1] of storage? That seems quite excessive, how much data and traffic does this thing need to handle for me plus family members?
Check out Vaultwarden instead - https://github.com/dani-garcia/vaultwarden.
It is written in Rust and is much lighter on resource requirements.
CONTAINER ID NAME CPU % MEM USAGE / LIMIT MEM % NET I/O BLOCK I/O PIDS
ecce485b8b3a bitwarden 0.06% 46.58MiB / 1.937GiB 2.35% 1.63MB / 28.1MB 17.5MB / 81.9kB 11
I've been considering vaultwarden, question though.
I assume bitwarden's implementation has been more thoroughly reviewed.
Assuming there is a critical bug in vaultwarden, what is the severity/what information is exposed? Is it relatively safe even then because of the E2E?
As well as what sibling said about it being E2EE and just using a standard API for storage, there are awesome tools these days so you can (and I think should) lock down your instance fairly well. Now when I run services like that I access them exclusively via WireGuard or Nebula, no exposure to the public internet at all. It's reliable, dependable and performant enough to pretty much put everything inside of by default. And for something as lightweight as this it should be fine running it at home off of most connections, if you don't have a fixed IP can bounce through even the cheapest VPS instance and still store nothing in the cloud (or run something like Nebula and automate that bit so that it's an encrypted mesh and only a minimal Lighthouse node need be 3rd party). If your instance is just for yourself then even the server can still be another of your devices. Selfhosting absolutely has its challenges and costs but the surface area for exploiting bugs drops a lot when there is no 3rd party or shared environment involved.
Thanks for the explination!
> if you don't have a fixed IP can bounce through even the cheapest VPS instance and still store nothing in the cloud
I've been meaning to look into this with wireguard, but I'm having trouble searching for/finding how to do this. Is "bastion host" what I'd want? Also is there a way to ensure the VPS cannot access the network as well, and just tunnels it essentially?
First, yes a search phrase like that should get you the right terms, though there isn't anything inherently special about it. If multiple systems are connected to one system with wireguard giving them all access to a given subnet is straight forward. As far as the VPS, it can indeed access that subnet too, since it's acting as part of the subnet, but you can use normal firewall rules on the far side internally to control what can talk to what and how. And in this kind of specific instance the WG is more about controller public facing surface area, the Bitwarden/Vaultwarden traffic in flight is itself encrypted.
Second though, having said all that I think if you worried about the VPS bit (or even if not) you should take a look at the Nebula SDN [0, 1] instead. It's built on the Noise encryption framework as well. There, the fixed IP node (the "Lighthouse") primarily acts to let other nodes know their mutual addresses, and they then attempt to form a direct link with no bouncing through a bastion, it's a real mesh. This generally works even if both are NAT'd, and if not it's transparent fallback and still encrypted between them. Depending on distance between nodes this can be a lot lower latency as well. With Nebula you establish an internal CA (super easy built-in tool for it) and that doesn't (and absolutely shouldn't) live on the lighthouse.
I'm fortunate enough to have fixed IPs available to me at home and office and have tended to use WG a lot just because it's had more advanced support and performance in constrained environments for me (kernel support in Linux and now BSDs). Nebula has been super slick though and I've been using it more and more. It makes all this really easy.
Anyway, hope this helps a bit. It's really exciting to me how much open source networking power is now available to everyone. It's a bit of a counter decentralization force IMO to the last few decades push towards central service providers.
----
0: https://github.com/slackhq/nebula
1: https://arstechnica.com/gadgets/2019/12/how-to-set-up-your-o... (note 3 years old, there are now Android/iOS clients as well and things are further refined)