this post was submitted on 13 Oct 2023
147 points (92.0% liked)

Selfhosted

39893 readers
345 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago
MODERATORS
 

I've always hated the idea of using a subscription/cloud hosting for password management. I feel like I should have a LOT more control over that stuff and I don't really want to hand all my keys over to a company.

All my secrets have been going in a highly encrypted archive with a long passphrase, but obviously that isn't convenient on all devices. It's been fine, I can open it on any computer but it's not super quick. It does have the advantage of being able to put in multiple files, notes, private keys but it's not ideal.

Anyway, finally found something that isn't subscription, and has a similar philosophy - a highly encrypted archive file, and it's open source and has heaps of clients including web browser plugins so it's usable anywhere, and you can sync the vault with any file sync you like.

Thought you guys might appreciate the find, password managers have always been a bit of a catch 22 for me.

Note for android i found keepassxc the best app, and i'm using KeePassHelper browser plugin, and the KeePassXc desktop app as well as the free official one. Apps all seem to be cross platform.

top 50 comments
sorted by: hot top controversial new old
[–] [email protected] 76 points 1 year ago (4 children)

I cannot stop reading it as keep ass

[–] [email protected] 23 points 1 year ago

It keeps your ass out of negligence I’d say

[–] [email protected] 17 points 1 year ago (1 children)

Girlfriend at the time noticed this on my phone and had some choice questions for me.

[–] [email protected] 5 points 1 year ago

That's half the fun, well actually it's a utilitarian app so pretty much all the fun

[–] [email protected] 3 points 1 year ago

Well you don't want your ass took, at least not without permission.

[–] [email protected] 73 points 1 year ago (5 children)

I personally prefer bitwarden, using a self-hosted vaultwarden. It's free, it syncs, it's easy to use.

[–] [email protected] 12 points 1 year ago

Passphrase generator, simplelogin/addy.io integration and sync.

This makes my life so much easier.

[–] [email protected] 7 points 1 year ago

Same, and the apps work great.

[–] [email protected] 6 points 1 year ago (4 children)

I used to use keepassxc for years. Kept it synced with sync thing, though eventually work blocked networking with sync thing so I swapped to vaultwarden and never been happier.

load more comments (4 replies)
load more comments (2 replies)
[–] [email protected] 27 points 1 year ago (4 children)

I use KeePassXC on my laptop, KeePassDX on my phone and sync them with Syncthing.

This ia pretty sweet

[–] [email protected] 5 points 1 year ago (1 children)

it's so good, wish I'd found it sooner

load more comments (1 replies)
[–] [email protected] 4 points 1 year ago

I have the same setup. It's really neat.

[–] [email protected] 4 points 1 year ago* (last edited 1 year ago) (3 children)

Not bothered about the potential for keyloggers or even OS-level snooping on what is presumably your privacy-free Android device? Personally I would never type the master password into anything other than a computer running a FOSS stack that I control, but perhaps that is excessive caution.

load more comments (3 replies)
load more comments (1 replies)
[–] [email protected] 23 points 1 year ago (2 children)

I installed KeePass(XC) on Android, iOS, Windows, Linux, Mac, for Firefox and Chrome and it's all synced via encrypted cloud share. It even has OTP functionality so you don't have to manually type 2FA codes.

[–] [email protected] 7 points 1 year ago (4 children)

Whats it called on ios? Keepassium?

load more comments (4 replies)
load more comments (1 replies)
[–] [email protected] 15 points 1 year ago* (last edited 1 year ago) (3 children)

Yup, I have been using KeePassXC locally since (one of) the first big LastPass breaches. I thought "password manager company... they know encryption" and then kept some of the most important things stored in my vault including notes of Bitcoin seedphrases etc. Thought "even if they get hacked, they wouldn't let anyone exfil the huge amount of data from the USER VAULT SERVER.... thought "my passphrase is like 25-30 chars long, nobody will crack that"...

5 years after my last login and I find out the breach happened, user vaults were exfil'd, the encryption was absolute shit, and the notes weren't even encrypted.

I don't trust cloud companies to keep promises or know what they're doing today. and anything self-hosted isnt Internet accessable unless it's on dedicated hardware subnetted off and wouldn't matter if it got hacked.

[–] [email protected] 7 points 1 year ago (1 children)

Bitwarden for example does public reports and is pretty cheap at 10€ per year. But the base (free) offering is more than enough. The fee is only to have TOTP and a bit of encrypted cloud storage. https://bitwarden.com/help/is-bitwarden-audited/

load more comments (1 replies)
load more comments (2 replies)
[–] [email protected] 14 points 1 year ago* (last edited 1 year ago) (4 children)

Love KeePass. When LastPass enshittened, I went looking for something immune to enshittification. Best money I never spent

load more comments (4 replies)
[–] [email protected] 13 points 1 year ago (2 children)

Are there users that have tried both Keepass and Vaultwarden? I enjoy using Vaultwarden on my Synology but I wonder if it's worth switching to Keepass.

[–] [email protected] 19 points 1 year ago* (last edited 1 year ago) (13 children)

I have both set up right now.

Things I like better about KeePass:

KeePass doesn't use the cloud, you don't have to worry about the server getting compromised or going down because there's nothing public-facing to hack. You always know where your password database is.

KeePass lets you encrypt the database with not only the master password but also using the challenge-response from a YubiKey. That means every time you save your DB the encryption key is rotated and the DB is actually encrypted by two authentication factors.

While both can add custom fields to an entry, I like that KeePass has the option to set fields as protected so their contents are hidden like the passwords.

Things I like better about VaultWarden:

Convenience.

You can log in to your VaultWarden account on any device from the browser. KeePass requires some software to access the DB.

The VaultWarden companion software is just better. It just does autofill better. KeePassXC/DX work well but just not as well as the BitWarden software.

Other thoughts:

Syncing passwords between devices with KeePass requires 3rd party software like SyncThing. If you break/lose/etc your VaultWarden server you could lose all your passwords with it.

Always make/test backups.

load more comments (13 replies)
[–] [email protected] 9 points 1 year ago

I switched from keepass to vaultwarden years ago and for my usage I wouldn't switch back.

I needed to be able to share some passwords with other people. I think the clients are much better. I like having a website available as a backup to access a password. All in one package that works well so I don't need separate mechanism to synchronize between different installations. I like the easy sharing secrets through links and not having to send in cleartext with emails or texts.

And for selfhosting I like that you only need the server only for syncing newly added secrets - if vaultwarden had to be online always I'd switch back.

[–] [email protected] 12 points 1 year ago (4 children)

I prefer the KeePassXC fork as it's written in C++ and not C# so it has better native integration with OSes like Linux, but yeah these are really good solutions with no subscription requirements or necessity to upload to any cloud service.

load more comments (4 replies)
[–] [email protected] 11 points 1 year ago

I have been using KeePass for eight years. Used to just shuffle the file around with Google Drive, now I have it sync'd with Syncthing across a few devices. I use its notes feature to store associated data like S3 keys and it stores my SSH key and KeePassXC can automatically add it to an SSH agent.

I don't really have any complaints about it.

[–] [email protected] 10 points 1 year ago

Been a Keepass user for years and years. Absolutely top notch. There are plugins that can auto fill websites, that can open putty ssh sessions, basically everything you can imagine (or build).

[–] [email protected] 8 points 1 year ago* (last edited 1 year ago) (2 children)

I used to use Keepass (thanks person who said keep ass, I can't not see that now) for many years but started to get frustrated with stuff not syncing properly and a few other reasons I can't remember anymore. But I think I'll have to give it a go again. I've been using Enpass for a number of years and it's been good but I've never liked that it's closed source.

load more comments (2 replies)
[–] [email protected] 8 points 1 year ago

Love KeePass, I use it to store all my passwords including to SyncThing, then I keep my KeePass file in my SyncThing instance so I can recover from a disaster. Definitely nothing could go wrong with that ;-)

[–] [email protected] 6 points 1 year ago* (last edited 1 year ago) (4 children)

What's amusing is I am purposely not paying for bitwarden because of the check against darkweb leaks or whatever type feature when you pay. That's seems like an anti privacy thing. I understand it's a good idea albeit seems to expose a lot of information about you. I would like to do vaultwarden but don't think I can trust self hosting myself without paying monthly for a vps which I don't want to do. Home Internet hosting seems to unreliable to me for something that important.

Just random thoughts of mine here.

[–] [email protected] 17 points 1 year ago* (last edited 1 year ago)

because of the check against darkweb leaks or whatever type feature when you pay. That's seems like an anti privacy thing. I understand it's a good idea albeit seems to expose a lot of information about you

For the password leak checks, your passwords are never transmitted. They are one-way hashed locally, and then only the first few characters of the hash are checked against the API provided at https://haveibeenpwned.com which is run and designed by Troy Hunt, one of the most respected people in the cybersecurity industry. He collects major password breaches and makes them available to check against without actually exposing the data. It's perfectly safe and secure.

[–] [email protected] 9 points 1 year ago

The bitwarden clients also work when there's no connection to the server, since they sync the vault. You just can't add any new entries. That means spotty internet is not that much of an issue in terms of using it. It also means, that every device that has a client installed and gets used regularly (to give the client a chance of syncing) is automatically a backup device.

[–] [email protected] 3 points 1 year ago (1 children)

Follow OP's approach. Use a Keepass file. It is offline and can be stored anywhere you can reasonably trust. You just need to sync it if you have many clients but syncthing is great for that.

load more comments (1 replies)
[–] [email protected] 3 points 1 year ago

I host vaultwarden at home. No real need for a vps since your passwords are synced to your phone or laptop(whatever client you're using) and you can just sync it when you're home if you make changes, or setup a VPN (I use wireguard) and sync on demand when needed.

That said, I do sync my database to a vps for dr purposes incase my home server suddenly vanishes... for critical services I follow a 3-2-1 backup rule but it's not absolutely essential.

[–] [email protected] 6 points 1 year ago (3 children)

Are there advantages to this over self hosting Vaultwarden?

[–] [email protected] 11 points 1 year ago

No in my opinion its worse in every way

[–] [email protected] 8 points 1 year ago

Main thing I prefer about KeePass is that it's a straightforward app that creates a file. Self-hosting a database seems just that much more complicated.

[–] [email protected] 4 points 1 year ago

I used to be a KeePass user, but moved away because I was ultimately syncing the database using OneDrive, which I felt at that point it was a cloud password manager, which I didn't like for being open to the internet and entrusting the security of the company hosting it.

And yes, I moved to self hosted Vaultwarden with Tailscale and haven't looked back.

[–] [email protected] 5 points 1 year ago* (last edited 1 year ago)

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I've seen in this thread:

Fewer Letters More Letters
NAS Network-Attached Storage
SSH Secure Shell for remote terminal access
VPN Virtual Private Network

[Thread #215 for this sub, first seen 13th Oct 2023, 19:05] [FAQ] [Full list] [Contact] [Source code]

[–] [email protected] 5 points 1 year ago (1 children)

I don't know if they fixed it, I hope so, but not long ago there was a very dangerous vulnerability that allowed an attacker to bring able to access the master password.

I was using it long time ago, then I discovered Bitwarden and I'm really happy with it. I suggest you to have a look, in terms of UI is better and can be self hosted too.

load more comments (1 replies)
[–] [email protected] 4 points 1 year ago

For decent privacy oriented tool recommendations, here's a list.

https://www.privacyguides.org/en/tools/

https://www.privacytools.io/

There was some drama about the webpages so I'll link both to avoid angry users. Anyway, KeePassXC is on there, which it seems like it's a fork of KeePass, you might want to check it out.

[–] [email protected] 3 points 1 year ago (4 children)

Maybe a silly question, but since I am considering making the jump to a password manager too, I am curious:

If I have a selfhosted server at home that is not connected to the public internet, can I still ise Keepass? Does it have to constantly sync with the server or is it enough that when I get home my passwords are syncing? Could that be a problem?

load more comments (4 replies)
[–] [email protected] 3 points 1 year ago* (last edited 1 year ago)

Mine is a 3-lines-script that gpg-decrypts to runtime-dir, opens editor, encrypts back, deletes in runtime-dir. Password done via zenity/yad.

load more comments
view more: next ›