07-26-2019, 11:21 AM
Manage your passwords with Bitwarden and Podman
<div><p>You might have encountered a few advertisements the past year trying to sell you a password manager. Some examples are <a href="https://www.lastpass.com">LastPass</a>, <a href="https://1password.com/">1Password</a>, or <a href="https://www.dashlane.com/">Dashlane</a>. A password manager removes the burden of remembering the passwords for all your websites. No longer do you need to re-use passwords or use easy-to-remember passwords. Instead, you only need to remember one single password that can unlock all your other passwords for you.</p>
<p>This can make you more secure by having one strong password instead of many weak passwords. You can also sync your passwords across devices if you have a cloud-based password manager like LastPass, 1Password, or Dashlane. Unfortunately, none of these products are open source. Luckily there are open source alternatives available.</p>
<h2>Open source password managers</h2>
<p>These alternatives include Bitwarden, <a href="https://lesspass.com/">LessPass</a>, and <a href="https://keepass.info/">KeePass</a>. Bitwarden is <a href="https://bitwarden.com/">an open source password manager</a> that encrypts your vault on the client and stores only the ciphertext on the server, the same model LastPass, 1Password, and Dashlane use. LessPass is a bit different as it focuses on being a stateless password manager: it derives each password from a master password, the website, and your username rather than storing anything at all. On the other side of the spectrum there’s KeePass, a file-based password manager with a lot of flexibility through its plugins and client applications. </p>
<p>Each of these three apps has its own downsides. Bitwarden stores everything in one place and is exposed to the web through its API and website interface. LessPass can’t store custom passwords since it’s stateless, so you need to use their derived passwords. KeePass, a file-based password manager, can’t easily sync between devices. You can utilize a cloud-storage provider together with <a href="https://en.wikipedia.org/wiki/WebDAV">WebDAV</a> to get around this, but a lot of clients do not support it and you might get file conflicts if devices do not sync correctly.</p>
<p>This article focuses on Bitwarden. </p>
<h2>Running an unofficial Bitwarden implementation</h2>
<p>There is a community implementation of the server and its API called <a href="https://github.com/dani-garcia/bitwarden_rs/">bitwarden_rs</a>. This implementation is fully open source as it can use SQLite or MariaDB/MySQL, instead of the proprietary Microsoft SQL Server that the official server uses.</p>
<p>It’s important to recognize some differences between the official and the unofficial version. For instance, the <a href="https://blog.bitwarden.com/bitwarden-completes-third-party-security-audit-c1cc81b6d33">official server has been audited by a third party</a>, whereas the unofficial one hasn’t. Feature-wise, at the time of writing the unofficial version lacks <a href="https://github.com/dani-garcia/bitwarden_rs/wiki#missing-features">email confirmation and support for two-factor authentication using Duo or email codes</a>. </p>
<p>Let’s get started running the server with SELinux in mind. Following the documentation for bitwarden_rs you can construct a Podman command as follows:</p>
<pre class="wp-block-preformatted">$ podman run -d \
 --userns=keep-id \
 --name bitwarden \
 -e SIGNUPS_ALLOWED=false \
 -e ROCKET_PORT=8080 \
 -v /home/egustavs/Bitwarden/bw-data/:/data/:Z \
 -p 8080:8080 \
 bitwardenrs/server:latest</pre>
<p>This pulls the bitwarden_rs image and runs it rootless: no part of the container runs as root on the host. <em>--userns=keep-id</em> maps your own UID and GID to the same IDs inside the container, so the files the server writes to <em>/data</em> end up owned by you on the host rather than by a subordinate UID from <em>/etc/subuid</em>. <em>ROCKET_PORT=8080</em> keeps the listening port above 1024, the range a non-root process is allowed to bind. The <em>:Z</em> suffix relabels the volume with a container-private SELinux label so that read-write access to <em>/data</em> works with SELinux enforcing. Two things to keep in mind: <em>SIGNUPS_ALLOWED=false</em> blocks account registration entirely, so start the container once with it set to <em>true</em>, register your own account, then recreate the container with it set back to <em>false</em>; and <em>:latest</em> is a moving tag, so for a reproducible deployment pin a specific version tag or an image digest (<em>bitwardenrs/server@sha256:…</em>) and upgrade deliberately rather than whenever the tag happens to move.</p>
<p>If you host this under a domain, put the server behind a reverse proxy such as Apache or Nginx. The proxy owns ports 80 and 443 and forwards to the container’s port 8080, so the container never needs root to bind a privileged port. When you do that, publish the container port on the loopback interface only (<em>-p 127.0.0.1:8080:8080</em> instead of <em>-p 8080:8080</em>) so the plaintext HTTP listener is not reachable from the network and the proxy is the only way in.</p>
<h2>Running under systemd</h2>
<p>With Bitwarden now running, you probably want to keep it that way. Next, create a unit file that keeps the container running, restarts it if it dies, and starts it again after a reboot. Podman can write a starting point for you with <em>podman generate systemd --name bitwarden</em>; the hand-written version below does the same job. Create this file as <em>/etc/systemd/system/bitwarden.service</em>:</p>
<pre class="wp-block-preformatted">[Unit]
Description=Bitwarden Podman container
Wants=network-online.target
After=network-online.target

[Service]
User=egustavs
Group=egustavs
TimeoutStartSec=0
# Start the container created above and stay attached so systemd tracks it.
# 'podman run bitwarden' would instead try to pull an image called "bitwarden".
ExecStart=/usr/bin/podman start -a bitwarden
ExecStop=-/usr/bin/podman stop -t 10 bitwarden
Restart=always
RestartSec=30s
KillMode=none

[Install]
WantedBy=multi-user.target</pre>
<p>Now, enable and start it <a href="https://fedoramagazine.org/howto-use-sudo/">using </a><em><a href="https://fedoramagazine.org/howto-use-sudo/">sudo</a></em>:</p>
<pre class="wp-block-preformatted">$ <strong>sudo systemctl enable bitwarden.service && sudo systemctl start bitwarden.service</strong><br />$ <strong>systemctl status bitwarden.service</strong><br />bitwarden.service - Bitwarden Podman container<br /> Loaded: loaded (/etc/systemd/system/bitwarden.service; enabled; vendor preset: disabled)<br /> Active: active (running) since Tue 2019-07-09 20:23:16 UTC; 1 day 14h ago<br /> Main PID: 14861 (podman)<br /> Tasks: 44 (limit: 4696)<br /> Memory: 463.4M</pre>
<p>Success! Bitwarden is now running under systemd and will keep running. If the unit fails with errors about a missing runtime directory, that is because rootless Podman started from a system unit has no login session; enable lingering for the user with <em>sudo loginctl enable-linger egustavs</em> so the user’s runtime directory exists at boot.</p>
<h2>Adding LetsEncrypt</h2>
<p>If you have a domain, run your Bitwarden instance over HTTPS; your login and the vault data must not cross the network unencrypted. Let’s Encrypt issues free certificates, Certbot is the tool that obtains and renews them, and the Certbot site has <a href="https://certbot.eff.org/instructions">instructions for Fedora</a>.</p>
<p>There are two places to terminate TLS, and you should pick exactly one. If the reverse proxy terminates TLS, it holds the certificate and the container keeps speaking plain HTTP on loopback; nothing needs to be mounted into the container. If instead you want the container itself to serve HTTPS, follow the <a href="https://github.com/dani-garcia/bitwarden_rs/wiki/Enabling-HTTPS">bitwarden_rs guide about HTTPS</a> and append <em>:Z</em> to the Let’s Encrypt volume so the container can read the certificate files, without changing the port. Be aware that <em>:Z</em> gives the mounted directory a container-private SELinux label, so an SELinux-confined host service such as Nginx loses access to it; that is one more reason not to share a certificate directory between the proxy and the container.</p>
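<p>Here is what the reverse-proxy setup described in the Podman section and in this HTTPS section looks like as an Nginx server block. It is an added example, not configuration from the original article or from the bitwarden_rs project: the hostname <em>vault.example.com</em>, the certificate paths (Certbot’s default layout under <em>/etc/letsencrypt/live/</em>), and the assumption that the container was published on <em>127.0.0.1:8080</em> are all mine.</p>

```nginx
# /etc/nginx/conf.d/bitwarden.conf
# Added example, not from the article or the bitwarden_rs project.
# Assumptions: hostname vault.example.com, Certbot's default certificate
# paths, and the container published on loopback only with
#   -p 127.0.0.1:8080:8080

# Plain HTTP: redirect everything to HTTPS.
server {
    listen 80;
    listen [::]:80;
    server_name vault.example.com;
    return 301 https://$host$request_uri;
}

# TLS is terminated here; the container only ever sees plain HTTP on loopback.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name vault.example.com;

    ssl_certificate     /etc/letsencrypt/live/vault.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/vault.example.com/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;

    # Tell browsers to refuse plain HTTP for this host from now on.
    add_header Strict-Transport-Security "max-age=63072000" always;

    # Vault attachments are uploaded through this proxy; raise the 1M default.
    client_max_body_size 128M;

    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

<p>Check the syntax with <em>sudo nginx -t</em> and apply it with <em>sudo systemctl reload nginx</em>. On Fedora with SELinux enforcing, the confined Nginx process is not allowed to open outbound connections by default, so the <em>proxy_pass</em> to 127.0.0.1:8080 also needs <em>sudo setsebool -P httpd_can_network_relay 1</em> (the narrower boolean for relaying to HTTP and HTTP-cache ports; <em>httpd_can_network_connect</em> is the broad one and allows connections anywhere). If you let Certbot’s Nginx plugin manage the file, it will insert its own certificate lines; keep only one set.</p>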
<hr class="wp-block-separator" />
<p><em>Photo by </em><a href="https://unsplash.com/@cmdrshane?utm_source=unsplash&utm_medium=referral&utm_content=creditCopyText"><em>CMDR Shane</em></a><em> on </em><a href="https://unsplash.com/search/photos/password?utm_source=unsplash&utm_medium=referral&utm_content=creditCopyText"><em>Unsplash</em></a>.</p>
</div>