In today’s episode, we will be showing you how to install Bitwarden on a Raspberry Pi with remote access. This is episode 12 in our Raspberry Pi Series.
Bitwarden is an open-source password vault. It can be used to securely store all your passwords for various online services including banking information in an encrypted vault. You can use unique passwords for every service as Bitwarden has a built-in password manager. It has E2EE (end to end encryption) and with our set up today supports SSL/TLS communication via a Let’s Encrypt certificate.
Bitwarden has apps for every Operating system available. Android and Apple are also supported. With the aid of a browser extension, it can also auto-fill login forms at a click of a button.
There is a Bitwarden app for all Operating systems and mobile devices as well as addon/extensions for all the major browsers which can autofill logins.
Difficulty=Medium
Prerequisites:
You will need to have followed our previous episodes in our Raspberry Pi Series but if you just want to follow this guide we will give an overview of what you should already have:
- A Raspberry Pi with Raspberry Pi OS installed. We recommend using an SSD for Bitwarden hosting.
- Secured Raspberry Pi.
- A Duckdns account. Or if you want to use your own Domain – A Domain name and a Cloudflare account. A Domain linked to Cloudflare. If you have a Dynamic IP address then both Duckdns & Cloudflare services need a DDNS container installed in Docker and configured correctly to communicate with your online accounts.
- Openmediavault, Docker and Portainer Installed.
- Nginx Proxy Manager Docker installed and configured to accept incoming connections.
- A volume created in Openmediavault to be used for Bitwarden container storage (Appdata folder).
- NGINX Proxy Manager Docker container installed with port 80 and 443 on your Router forwarded.
- Good Internet Connection
Step 1 – Create Bitwarden Appdata folder
Open up a terminal window and SSH into your Raspberry Pi.
ssh -p PORT [email protected]
Once you have established an SSH connection navigate to your “Appdata” folder (if you have not created an Appdata folder previously then you will need to create this first).
cd /srv/DRIVENAME/Appdata/
Now create the Bitwarden data folder.
mkdir bitwarden
Now navigate into the “bitwarden” folder.
cd bitwarden
Now we need to get the “absolute path” of the bitwarden data folder so we can add this to our stack in step two.
pwd
Once you run the “pwd” command you can now copy into memory the output should look similar to this.
/srv/dev-disk-by-uuid-66a2bf8a-bed9-420a-b77d-ba48bcf3f836/Appdata/bitwarden
Step 2 – Create and deploy the Bitwarden stack.
Log in to your Portainer GUI dashboard.
Click on “Stacks” and “Add Stack“.
Add a name for your stack “bitwarden“.
Copy and paste the following docker-compose data into the “Web editor“. Paste your Bitwarden data folders absolute path into the volumes section before the colon. Also, change the port if needed to suit your setup.
Note: Bitwarden_RS has been renamed to Vaultwarden, the new image is located here: vaultwarden/server
---
version: "2"
services:
bitwardenrs:
image: bitwardenrs/server:latest
container_name: bitwardenrs
volumes:
- /srv/dev-disk-by-uuid-66a2bf8a-bed9-420a-b77d-ba48bcf3f836/Appdata/bitwarden:/data/
ports:
- 8484:80
restart: unless-stopped
Once you have finished configuring your stack click on “Deploy the stack“.
Navigate to “Containers” in the left menu.
Your container may say “starting“. This may take some time for the container to deploy this is due to the encryption keys being generated and some other internal processes completing. Please be patient.
Once it has fully deployed it should state “healthy“.
We can test that the container has deployed sucessfully by checking the internal port to see if the Bitwarden login page appears.
Navigate to your browser of choice and enter the following into the address bar.
Note: Please use your Raspberry Pi’s IP address and any custom port you have used.
http://192.168.2.5:8484
We will close this window now as we will not be using bitwarden through the local address. Instead, we are going to use a domain so we can access our Bitwarden vault remotely.
Step 3 – Setting up a subdomain with Cloudflare.
You will need to have an existing Cloudflare account and a domain added to their service. If you have not already done this check out our Episode which will walk you through the process.
Purchasing a Domain name from Namecheap.
Navigate to Cloudflare and log in using your account details. Click on your domain name.
Click on “DNS” tab in the top menu.
In the DNS dashboard click on “Add Record“
Under “Type” select “CNAME” from the drop down menu.
Under “Name” add what name you would like the subdomain to be. In our example, we have named our subdomain “vault“.
Unselect “Proxied” so it turns to “DNS only”
Note: Later on in this guide once we have added our subdomain to NGINX Proxy Manager we will need to come back into Cloudflare and set this setting back to Proxied.
Click “Save” to finish.
In our example we have just created the subdomain “vault.addicted2tech.net“.
We will now check our new subdomain has propagated and is working correctly.
In a Browser, window enter your new subdomain into the address bar and press enter. What you should see here is the NGINX proxy manager’s “Congratulations!” message.
Note: If you do not see this please wait longer for your domain to fully propagate through the DNS system.
Step 4 – Configuring NGINX Proxy Manager to work with the new Subdomain.
Now we have our Bitwarden container installed and our subdomain configured. We now need to add our subdomain to our NGINX Proxy manager so we can link our domain name to our service.
Log into your NGINX Proxy Manager dashboard and click on the “Proxy Hosts” tab.
Now click on “Add Proxy Host“.
Under “Domain Name” add your subdomain.
Under “Forward Hostname/IP” add your Raspberry Pi’s IP address.
Under “Forward Port” add your custom port. In our example we have used “8484“.
Activate the “Block Common Exploits” button so it turns green.
Then click on the “SSL” tab.
In the SSL tab under “SSL Certificate” click where it says “None” to activate the drop down menu.
Select “Request a new Certificate“.
Activate the “Force SSL”, “HTTP/2 Support” and “I Agree to the Let’s Encrypt Terms of Service” buttons so they turn green.
Then click “Save“.
This may take some time. As a Letsencrypt TLS/SSL certificate is being created and added to your subdomain.
Due to a bug in Nginx Proxy Manager you will have to navigate back into your subdomains settings to re-enable some of the SSL settings.
On the NGINX Proxy manager “Proxy Hosts” dashboard. Click on the “menu icon” at the end of your Subdomain. Then click on “Edit“.
Click on the “SSL” tab and then double-check that both “Force SSL” and “HTTP/2Support” are selected. If they are not then please reselect them to “on“. Then click “Save“.
You can now open a browser window and navigate to your subdomain. You should see the Bitwarden Log In page. You should also have an SSL certificate installed which can be noted by the padlock symbol in the address bar.
Step 5 – Adding an account to Bitwarden.
Click on “Create Account”.
Under “Create Account” Fill out the form with your information and set a secure Strong master password. Use something that you can remember as this is the only password you will ever need to memorize. You will also need to use this password regularly to log into your vault.
Note: We also recommend writing down a physical copy of your master password and storing it in a secure location for example in a safe. This can be used in case you ever forget the master password. (This happens more often than people realize).
Click on “Submit” to create your new account.
Now that your account and vault has been created return to the log in screen and enter your new login credentials.
Click “Log In“.
Welcome to your new self-hosted password vault. You can now start adding your accounts and passwords to your vault.
Note: Remember to use your custom server URL when using Bitwarden applications on other devices. You will not be able to use your account on the proprietary Bitwarden servers.
Note: Add all accounts you will need now. Following Step 6 will disable account creation and only reversing the process will enable future account creation.
Step 6 – Securing your Bitwarden server to prevent public account creation.
Navigate to your Portainer dashboard and log in.
Under “Containers” click on “bitwardenrs“.
In the “Container details” under “Actions” click on “Duplicate/Edit“.
Scroll down to the bottom of the page and under “Advanced container settings” click on the “Env” tab.
In “Env” tab click on “add environment variable” .
In the new empty section under “name” add:
SIGNUPS_ALLOWED
Under “value” add:
false
Click on “Deploy the container” to redeploy the Bitwarden container.
Click “Replace” when prompted.
Click on “Containers” in the left menu and wait for the “bitwardenrs” containers state to change from “starting” to “healthy“.
The “Create account” button will still appear on the Bitwarden login page however if someone tries to create a new account it will not work and display an error notice.
Step 7 – Finalizing your subdomain with Cloudflare.
Log back into your Cloudflare account and click on the”DNS” tab.
Click on your subdomain and in the drop down menu click on “DNS only” to change it to “Proxied“.
Then click on “Save“.
This concludes today’s tutorial.
We need your support.
We hope you enjoyed this episode and that it was helpful and you got benefit out of it.
If you did, please consider supporting our channel by Subscribing to our YouTube channel, and liking and sharing our content.
You can also make a donation via Paypal or become a Patreon if you wish to do so.
You can also follow us on Facebook or Twitter.
If you have any questions or any requests please ask in the comments below or on YouTube.
It should be noted that bitwardenrs has changed its name to vaultwarden
Thanks for your comment. Vaultwarden is an unofficial Bitwarden server implementation written in Rust. bitwardenrs the docker images has been deprecated and is now known as Vaultwarden. Thank you for letting us know.