
Bitwarden

Bitwarden is a server-based, open-source password manager that can be run on premise. Certain features require a license, which also needs a user registration, even if you only use your own server.

Bitwarden is a good choice when you need to provide a password safe for multiple users and need to grant access based on user groups. It also makes it easy to use passwords on multiple devices, since the official clients synchronize the data with the server.

Clients

Official clients are available for Windows, Linux, macOS, Android and iOS. In addition, there are browser integrations for Google Chrome and Chromium-based browsers like Microsoft Edge and Vivaldi, as well as for Mozilla Firefox, Opera and Safari.

Administration

To get access to the administration of an on-premise installation, add /admin to the URL of the Bitwarden server. This also requires at least one e-mail address configured in bwdata/env/global.override.env like this (multiple addresses can be separated with commas; also see the Bitwarden documentation):

adminSettings__admins=admin@domain.example

The idea is that you do not use a fixed password for the administration; instead you enter the configured e-mail address and receive a link at that address which grants access to the administration.

Disable registration for new users

If you want to disable the registration for new users, you can do this with the following setting in bwdata/env/global.override.env:

globalSettings__disableUserRegistration=true

Using Bitwarden behind a reverse proxy

Bitwarden can be used behind a reverse proxy, but this needs some additional settings:

In bwdata/env/global.override.env the public domain should be set:

globalSettings__baseServiceUri__vault=https://domain.example

Since Bitwarden usually provides its own webserver, it is configured to use ports 80 and 443. These need to be changed to another port range, for example ports 4780 and 4781. Also make sure that TLS is disabled, since it is provided by the reverse proxy.

The changes need to be done in bwdata/config.yml:

http_port: 4780
https_port: 4781
ssl: false

The webserver should also set a number of headers on the proxied request to make sure that the admin UI does not redirect to localhost when opened via /admin. For Apache this can be done as follows:

ProxyPass /.well-known !
ProxyPass / http://127.0.0.1:4780/
ProxyPassReverse / http://127.0.0.1:4780/
ProxyPreserveHost On
RequestHeader set X-Forwarded-Proto "https"
RequestHeader set X-Forwarded-Protocol "https"
RequestHeader set X-Forwarded-Port "443"

# Note: This needs the remoteip module enabled
RemoteIPHeader X-Forwarded-For
RemoteIPHeader X-Real-IP
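The settings from the administration, registration and reverse proxy sections above are spread over three files, and a mistake in any of them (open registration, ssl still enabled, a port clash with the proxy, a missing forwarded header) is easy to overlook. The following script is an added example, not part of Bitwarden or of this page: it parses the relevant keys of global.override.env, config.yml and the Apache vhost snippet and reports anything that deviates from the values described above. The file contents embedded in it are constructed samples, the function and check names are my own, and the YAML parser only handles the flat key: value lines used here.

```python
"""Sanity-check the Bitwarden on-premise settings described above (added example)."""
import re

# Constructed sample of bwdata/env/global.override.env
SAMPLE_ENV = """\
adminSettings__admins=admin@domain.example,second@domain.example
globalSettings__disableUserRegistration=true
globalSettings__baseServiceUri__vault=https://domain.example
"""

# Constructed sample of bwdata/config.yml (only the keys relevant here)
SAMPLE_CONFIG = """\
http_port: 4780
https_port: 4781
ssl: false
"""

# Constructed sample of the Apache reverse proxy snippet
SAMPLE_APACHE = """\
ProxyPass /.well-known !
ProxyPass / http://127.0.0.1:4780/
ProxyPassReverse / http://127.0.0.1:4780/
ProxyPreserveHost On
RequestHeader set X-Forwarded-Proto "https"
RequestHeader set X-Forwarded-Protocol "https"
RequestHeader set X-Forwarded-Port "443"
# Note: This needs the remoteip module enabled
RemoteIPHeader X-Forwarded-For
RemoteIPHeader X-Real-IP
"""

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Directives the page says the proxy must set (hypothetical check list, my own)
REQUIRED_PROXY_DIRECTIVES = (
    "ProxyPreserveHost On",
    'RequestHeader set X-Forwarded-Proto "https"',
    'RequestHeader set X-Forwarded-Port "443"',
    "RemoteIPHeader X-Forwarded-For",
)


def parse_env(text):
    """Parse KEY=VALUE lines of a dotenv-style file; blanks and comments are ignored."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        out[key.strip()] = value.strip()
    return out


def parse_simple_yaml(text):
    """Parse flat 'key: value' lines; enough for the three config.yml keys used here."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, _, value = line.partition(":")
        out[key.strip()] = value.strip()
    return out


def check_settings(env_text, config_text):
    """Return a list of findings for the env and config files; empty means all checks passed."""
    env = parse_env(env_text)
    cfg = parse_simple_yaml(config_text)
    findings = []

    # Admin access works via e-mail links, so at least one valid address is needed
    admins = [a.strip() for a in env.get("adminSettings__admins", "").split(",") if a.strip()]
    if not admins:
        findings.append("no admin e-mail configured (adminSettings__admins)")
    findings += [f"admin address does not look like an e-mail: {a}" for a in admins if not EMAIL_RE.match(a)]

    if env.get("globalSettings__disableUserRegistration", "").lower() != "true":
        findings.append("open registration: globalSettings__disableUserRegistration is not true")

    # Behind the proxy the public vault URL must be set and served over https
    if not env.get("globalSettings__baseServiceUri__vault", "").startswith("https://"):
        findings.append("globalSettings__baseServiceUri__vault is missing or not https")

    # TLS is terminated at the proxy, so Bitwarden's own TLS must be off and ports moved
    if cfg.get("ssl", "").lower() != "false":
        findings.append("ssl is not false although TLS is terminated at the proxy")
    for key in ("http_port", "https_port"):
        port = cfg.get(key, "")
        if not port.isdigit():
            findings.append(f"{key} is missing or not numeric")
        elif port in ("80", "443"):
            findings.append(f"{key} still uses {port}, which collides with the reverse proxy")
    return findings


def check_proxy_config(apache_text):
    """Return the required proxy directives that are missing from the vhost snippet."""
    lines = {" ".join(l.split()) for l in apache_text.splitlines()
             if l.strip() and not l.strip().startswith("#")}
    return [f"missing directive: {d}" for d in REQUIRED_PROXY_DIRECTIVES if d not in lines]


if __name__ == "__main__":
    for finding in check_settings(SAMPLE_ENV, SAMPLE_CONFIG) + check_proxy_config(SAMPLE_APACHE):
        print("WARN:", finding)
    print("checks done")
```

To run it against a real installation, read the three files from disk instead of the constructed samples and treat any non-empty result as a blocker before exposing the vault; the port check deliberately flags 80 and 443 even when ssl is already false, because the proxy needs those ports itself.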