Self hosting your own password vault (vaultwarden, haproxy, docker)


My family and I have been using 1Password for a few years now. I started looking at what options are available for a complete DIY solution. I settled on using Vaultwarden. The rest of my "home lab" provides the foundation on which this is built. The hypervisor I'm using now is Proxmox (4 nodes) with SDN, along with two FreeBSD based firewalls I built from scratch (as I got sick of the web interface to OPNsense) and of course everyone needs a good reverse proxy so haproxy.

As a family we share multiple accounts and passwords. A few times other members of my family have forgotten their master passphrase, i.e. the one single passphrase they must remember. In 1Password, being the "owner" of our family unit, I can reset other members' master passphrases if needed. Bitwarden has a similar concept, called Emergency Access.

In thinking about the overall security posture, I think the best way to set this up for my family use is the following:

  • The first user will be the head of the household, so to speak. This user will own the organization that all other members will belong to.
  • No one will actually use this account on a daily basis.
  • The master passphrase will be many characters in length, for example: private-boaster-turbofan-overboard-erasure-duration-ravioli-anyway
  • The master passphrase will be printed out and stored in a fireproof safe.
  • 2FA will also be enabled, either YubiKey or OTP (unsure which at this time).
  • Each family member can, if they wish, delegate Emergency Access to their vault to this account, in case they forget their master passphrase.

Vaultwarden has an admin section at /admin that must be protected. I created an ACL in haproxy to limit access to that URL. Specifically, I'm using the following as the backend configuration for this service.

backend vault
	mode http
	acl networks_always_allowed src 192.168.1.0/24
	acl restricted_page path_beg /admin
	http-request deny if restricted_page !networks_always_allowed
	server vaultwarden x.x.x.x:443 ssl check

This prevents access to the /admin page unless the request comes from inside my network. I also followed the instructions about securing the admin page, but since I have a reverse proxy in place, having it provide another layer of protection is a good thing. I am using SSL between the proxy and the server, with a self-signed certificate.
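To check what the two ACLs above actually block before relying on them, here is a small stand-alone model of their matching logic (an added example, not part of the post or of haproxy itself). The network and the sample source addresses and paths are constructed values; it shows that path_beg is a case-sensitive prefix match and that src is whatever peer address haproxy sees.

```python
# Added example: models the haproxy rules
#   acl networks_always_allowed src 192.168.1.0/24
#   acl restricted_page path_beg /admin
#   http-request deny if restricted_page !networks_always_allowed
# so the decision can be checked for edge cases offline.
import ipaddress

# Constructed values matching the post's configuration.
ALLOWED_NETWORKS = [ipaddress.ip_network("192.168.1.0/24")]
RESTRICTED_PREFIXES = ["/admin"]


def is_allowed_source(src: str) -> bool:
    """'src 192.168.1.0/24': the TCP peer address must fall in an allowed network.
    Caveat: src is the address haproxy sees; if another proxy sits in front,
    that proxy's address is what gets matched, not the real client."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in ALLOWED_NETWORKS)


def is_restricted_path(path: str, case_insensitive: bool = False) -> bool:
    """'path_beg /admin': a plain prefix match on the URI path (query string
    excluded). Case-sensitive unless the ACL is written with -i."""
    path = path.split("?", 1)[0]
    if case_insensitive:
        return any(path.lower().startswith(p.lower()) for p in RESTRICTED_PREFIXES)
    return any(path.startswith(p) for p in RESTRICTED_PREFIXES)


def decide(src: str, path: str, case_insensitive: bool = False) -> str:
    """'http-request deny if restricted_page !networks_always_allowed'.
    haproxy answers a denied request with 403 by default."""
    if is_restricted_path(path, case_insensitive) and not is_allowed_source(src):
        return "deny"
    return "allow"


if __name__ == "__main__":
    # Constructed sample requests: 192.168.1.50 is inside, 203.0.113.9 is outside.
    samples = [("192.168.1.50", "/admin"), ("203.0.113.9", "/admin"),
               ("203.0.113.9", "/admin/users?page=2"), ("203.0.113.9", "/adminfoo"),
               ("203.0.113.9", "/api/sync"), ("203.0.113.9", "/Admin")]
    for src, path in samples:
        print(f"{src:14} {path:20} -> {decide(src, path)}")
```

Note that the prefix match also covers paths such as /admin/users (intended) and /adminfoo (harmless over-match), while /Admin only matches if the ACL uses -i.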

Note -- if you want push notifications to your mobile devices, you will need to create a free account at bitwarden.com and get an installation ID and install key. YOUR sensitive data is never sent to their cloud.