    Cloudron Forum

    Solved Bitwarden_rs

    Vaultwarden
    • nebulon
      nebulon Staff last edited by girish

      Hi all,

      we've just pushed the initial version of the Bitwarden_rs app. This is the Rust implementation from https://github.com/dani-garcia/bitwarden_rs which is fully compatible with the official client apps. The app also comes with the official web-vault interface. We have chosen this over the official API implementation, since that uses mssql and other .net assets, which are too hard to package at the moment.

      Code: https://git.cloudron.io/cloudron/bitwardenrs-app
      App store link: https://cloudron.io/store/com.github.bitwardenrs.html

      The app is explicitly packaged without Cloudron user management, since by design it requires their own user passwords. More details on that can be found in the forum thread https://forum.cloudron.io/topic/1082/bitwarden-self-hosted-password-manager

      Please test the app and give feedback here or create an issue in our app package repo. Once we have ironed out all the edges, we will mark it as stable.

      And of course many thanks to @iamthefij and @fbartels for having bootstrapped the whole packaging for us.

      • W
        will last edited by

        Woohoo! great work guys!

        • jdaviescoates
          jdaviescoates @nebulon last edited by

          @nebulon excellent, looking forward to testing this!

          I use Cloudron with Gandi & Hetzner

          • ?
            A Former User last edited by A Former User

            @nebulon said in Bitwarden_rs:

            https://forum.cloudron.io/topic/1082/bitwarden-self-hosted-password-manager

            works like a charm. Thanks a lot.
            Here is the link how to change the browsers' extension path: https://help.bitwarden.com/article/change-client-environment/

            • iamthefij
              iamthefij App Dev last edited by

              Thanks @nebulon! I'm just realizing that we should be able to improve the experience by making the default env be SIGNUPS_DOMAINS_WHITELIST=$CLOUDRON_MAIL_DOMAINS, so signups can only be from the domains that the users have configured for email. A few caveats though, I'm not sure how that variable gets set if you use a relay and it also looks like only $CLOUDRON_MAIL_DOMAIN is set for me, maybe because I have only one email domain.

              • doodlemania2
                doodlemania2 App Dev last edited by

                If I disable signups, and enable invitations...how do I send an invitation?

                • W
                  will @doodlemania2 last edited by will

                  @doodlemania2 you don't. Have your peeps sign up and disable/enable as needed.

                  • nebulon
                    nebulon Staff @iamthefij last edited by

                    @iamthefij hm that is a useful env variable to mention for sure, but I am not sure if it is confusing for users, since by far not all are also using the Cloudron mail server. The app also only sees the mail domain it is installed at, so that might be even more confusing as a default setting.

                    • iamthefij
                      iamthefij App Dev @nebulon last edited by

                      @nebulon yea. I wondered that. It would be nice if there was a similar env for any configured domain, not just email.

                      • nebulon
                        nebulon Staff last edited by

                        I've put up a new release mentioning the SIGNUPS_DOMAINS_WHITELIST variable in the config.env template and marked the app now as stable!

                        • W
                          will @nebulon last edited by will

                          @nebulon So Bitwarden RS is probably going to need more documentation than normal. So recommended parts:

                          • Go into detail on proper setup, invites, env configs, etc...
                          • Explain the admin panel and how to secure it (change the pw, proper settings, etc...)
                          • Recommend encrypting Cloudron backups due to them now containing the keys to the castle.
                          • Perhaps recommend offline backups for password database and how that would happen.

                          It's not a whole lot, but any of those details not configured properly could screw somebody hard, leaving them vulnerable, or locked out of their passwords.

                          AWESOME work guys, I've been waiting on this one for a long time and it works better than expected!

                          • T
                            thetomester13 App Dev last edited by

                            This is awesome and much awaited, thanks!

                            Quick question: if I've been using the self-build version of the Bitwarden_rs app for a while, are there easy upgrade instructions to switch over to the official App Store version now?

                            • W
                              will @thetomester13 last edited by

                              @thetomester13 Export your passwords, delete the self built bitwarden, install the Cloudron version, make an account, configure to your liking, import your exported password list.

                              • necrevistonnezr
                                necrevistonnezr @will last edited by

                                @will said in Bitwarden_rs:

                                @thetomester13 Export your passwords, delete the self built bitwarden, install the Cloudron version, make an account, configure to your liking, import your exported password list.

                                That doesn’t work for attachments...

                                • W
                                  will @necrevistonnezr last edited by

                                  @necrevistonnezr ouch

                                  • d19dotca
                                    d19dotca @will last edited by

                                    @will In addition to what @necrevistonnezr mentioned, it also doesn't necessarily help in cases where we're hosting passwords for friends or family. As in that case we'd have to walk them all through it step by step individually (at least for those who aren't super tech savvy anyways), so it'd definitely be awesome if we could find a proper migration path so that users don't really need to do anything.

                                    --
                                    Dustin Dauncey
                                    www.d19.ca

                                    • W
                                      will @d19dotca last edited by

                                      @d19dotca Agreed, however, I wouldn't be using self built builds for friends and family. Unstable/Beta builds are for testing and feedback, not production use.
                                      Every moment the devs spend supporting beta builds are moments they could be spending working on the next big thing.

                                      • d19dotca
                                        d19dotca @will last edited by d19dotca

                                        @will That's why my example is "friends and family" not "paying customers". 😉 I don't think anyone is asking Cloudron devs alone to support beta builds. In fact, it really doesn't matter what the source is in this case, as long as it's the same app (Bitwarden_rs). For example, what would be the case if I had been hosting my own Bitwarden_rs app (as I did two years ago or so before I started using Cloudron) and then eventually wanted to migrate to the Cloudron-version of the app because I started using Cloudron?

                                        It's a valid question to ask for some assistance from all the keen Bitwarden users who are in this thread and likely some in similar situations, some more tech-savvy than others who can maybe try to put together a bit of a guide, much like I did for WordPress migrations from other servers to Cloudron.

                                        --
                                        Dustin Dauncey
                                        www.d19.ca

                                        • W
                                          will @d19dotca last edited by

                                          @d19dotca I don't wanna get in the weeds. If anyone could help you, that would be awesome.
                                          I don't think you're running the unstable from Cloudron right? Which build do you use when you built it yourself? Maybe I can find something.

                                          • d19dotca
                                            d19dotca @will last edited by d19dotca

                                            @will I'm not currently running it for anyone at this moment. I did a year or two back before ever using Cloudron and then started to use the Bitwarden build from @iamthefij when I was teaching myself how to deploy custom apps to Cloudron which worked for me at the time, but I definitely didn't trust myself as I was still new with Cloudron so never used it in any production level. haha.

                                            I'm just making a point that there are some valid use-cases where it'd be great to have a migration guide from anybody who's got a lot of experience with Bitwarden_RS already, regardless of where the source is located because not all sources are going to be beta builds on Cloudron. And at the app level (not even Cloudron) simply exporting a json file isn't enough for those who have attachments nor is that process really user-friendly for those who aren't very computer savvy (I'm thinking my mom for example, I'd love to be hosting her passwords and fully plan on doing it, but what if I need to eventually migrate the instance? How do I make it so that there's no impact to her and I take all the load instead?), so a guide would be great if anyone's come across one or already been pushing through a similar situation that can share some insights.

                                            It's likely more an app-related question than a Cloudron question for sure, but there are many keen Bitwarden admins on here who may already have the experience to share some insight with how to migrate bitwarden_rs instances.

                                            If I can do this myself, I'll be happy to write up a guide. Maybe I'll make this a project in a week or two. 🙂 I assume we'll need to just identify the critical files that hold all that info and replace the ones in our Cloudron instances with them in the /app/data directory (so it's not overwritten).

                                            --
                                            Dustin Dauncey
                                            www.d19.ca

                                            • W
                                              will @d19dotca last edited by

                                              @d19dotca Yeah man, guess I came off too heavy handed. Any info from the wise elders of Cloudron is worth having for sure!

                                              • necrevistonnezr
                                                necrevistonnezr last edited by

                                                There's some discussions here: https://github.com/dani-garcia/bitwarden_rs/issues/497#issuecomment-511827057

                                                • iamthefij
                                                  iamthefij App Dev @d19dotca last edited by

                                                  @d19dotca The high level will be to do a sql dump of the database and then restore it on the new system.

                                                  • d19dotca
                                                    d19dotca @iamthefij last edited by

                                                    @iamthefij Yes, I agree. Though the attachments aren't in the sqlite DB itself, are they? I assume there's a directory we need to bring over too.

                                                    --
                                                    Dustin Dauncey
                                                    www.d19.ca

                                                    • necrevistonnezr
                                                      necrevistonnezr last edited by

                                                      A simple export from the earlier bitwarden app (courtesy of @fbartels) and import into this app did not work for me:

                                                      Apr 24 09:41:40 172.18.0.1 - - [24/Apr/2020:07:41:40 +0000] "GET /healthcheck HTTP/1.1" 200 173 "-" "Mozilla (CloudronHealth)"
                                                      Apr 24 09:41:43 [2020-04-24 07:41:43][request][INFO] POST /api/ciphers/import
                                                      Apr 24 09:41:43 [2020-04-24 07:41:43][response][INFO] POST /api/ciphers/import (post_ciphers_import) => 400 Bad Request
                                                      Apr 24 09:41:43 172.18.0.1 - - [24/Apr/2020:07:41:43 +0000] "POST /api/ciphers/import HTTP/1.1" 400 1521 "https://bit.domain.tld/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:76.0) Gecko/20100101 Firefox/76.0"
                                                      Apr 24 09:41:50 172.18.0.1 - - [24/Apr/2020:07:41:50 +0000] "GET /healthcheck HTTP/1.1" 200 173 "-" "Mozilla (CloudronHealth)"
                                                      
                                                      • necrevistonnezr
                                                        necrevistonnezr @d19dotca last edited by

                                                        @d19dotca said in Bitwarden_rs:

                                                        @iamthefij Yes, I agree. Though the attachments aren't in the sqlite DB itself, are they? I assume there's a directory we need to bring over too.

                                                        In both cases, attachments are located in app/data/attachments with unique identifiers as filenames. I don't know if those UIDs remain the same after an export/import (which currently fails, see above)

                                                        • scooke
                                                          scooke @necrevistonnezr last edited by

                                                          @necrevistonnezr I had similar (the same?) errors and ended up exporting portions of the db and importing said portions, like only the As, then the Bs, etc. Then the importing worked.

                                                          A life lived in fear is a life half-lived

                                                          • necrevistonnezr
                                                            necrevistonnezr last edited by

                                                            I managed to migrate from my current bitwarden instance (BW OLD) to the cloudron app (BW NEW) as follows:

                                                            1. Disable 2-Factor Authentication for BW OLD (this is important!). I also removed "Organizations" in Bitwarden, I don't know if that's important, too.
                                                            2. Open the terminal for BW OLD, go to app/data/
                                                            3. Zip your attachments: zip -r attachments.zip attachments/
                                                            4. Dump your existing sqlite database: sqlite3 db.sqlite3 .dump > sqlitedump.sql
                                                            5. Drop schema creation and metadata from your dump, leaving only your actual data: grep "INSERT INTO" sqlitedump.sql | grep -v "__diesel_schema_migrations" > mysqldump.sql
                                                            6. Still in the terminal view, hit the "Download" button (top right), enter the path to the attachments and the SQL dump (app/data/attachments.zip and app/data/mysqldump.sql) and download them.
                                                            7. Open the terminal for BW NEW, go to app/data/.
                                                            8. Still in the terminal view, hit the "Upload to /tmp" button (top right), upload the previously downloaded attachments.zip and mysqldump.sql
                                                            9. Move uploaded files to data folder: mv /tmp/attachments.zip /app/data/ and mv /tmp/mysqldump.sql /app/data/
                                                            10. Unzip your attachments: unzip attachments.zip and rm attachments.zip
                                                            11. Import SQL Dump: mysql --user=${CLOUDRON_MYSQL_USERNAME} --password=${CLOUDRON_MYSQL_PASSWORD} --host=${CLOUDRON_MYSQL_HOST} ${CLOUDRON_MYSQL_DATABASE} < mysqldump.sql (Enter like that, don't replace the variables with your username or password)
                                                            12. Hit "Restart"

                                                            You can now login with your Bitwarden credentials. All passwords and the attachments should be there.

                                                            d19dotca 1 Reply Last reply Reply Quote 4
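
Added example, not part of the original post: the SQL dump and attachment archive produced by the migration steps above hold every user's vault records, so this sketch hashes them before the download, verifies them before the import, flags INSERT statements cut short by the line-based grep in step 5, and removes the copies afterwards. File names follow the post; the function names, MANIFEST.sha256 and the sample dump are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): integrity and cleanup checks around
# the posted migration steps. Function names are illustrative; file names
# (sqlitedump.sql, mysqldump.sql, attachments.zip) follow the post.

umask 077   # dump files hold account and vault records: owner-only

# Step 5 as posted: keep data rows, drop diesel's migration bookkeeping.
make_data_only() {      # usage: make_data_only sqlitedump.sql mysqldump.sql
    grep "INSERT INTO" "$1" | grep -v "__diesel_schema_migrations" > "$2"
}

# Number of INSERT lines that do not end their statement with ");".
# A value written with a raw newline can span several lines in the dump,
# and the line-based grep keeps only the first one. Anything but 0 means
# the import would lose or corrupt rows.
truncated_inserts() {   # usage: truncated_inserts mysqldump.sql
    awk '/^INSERT INTO/ && !/\);[ \t\r]*$/ { n++ } END { print n + 0 }' "$1"
}

# Rows per table ("users 2"), to compare against SELECT COUNT(*) on the
# new database after the import.
rows_per_table() {      # usage: rows_per_table mysqldump.sql
    awk '/^INSERT INTO/ {
             t = $3; gsub(/["`]/, "", t); sub(/\(.*/, "", t); c[t]++
         }
         END { for (t in c) print t, c[t] }' "$1" | sort
}

# Old instance, before the download in step 6: record hashes.
seal() {                # usage: seal /app/data
    ( cd "$1" && sha256sum attachments.zip mysqldump.sql > MANIFEST.sha256 )
}

# New instance, after step 9 (with MANIFEST.sha256 uploaded too):
# non-zero exit if either file changed in transit.
verify() {              # usage: verify /app/data
    ( cd "$1" && sha256sum -c MANIFEST.sha256 > /dev/null 2>&1 )
}

# After the restart and a successful login: remove the transfer copies.
cleanup() {             # usage: cleanup /app/data
    rm -f "$1/sqlitedump.sql" "$1/mysqldump.sql" \
          "$1/attachments.zip" "$1/MANIFEST.sha256"
}

# Constructed sample dump (not real data); prints the temp directory.
make_sample() {
    d=$(mktemp -d)
    cat > "$d/sqlitedump.sql" <<'EOF'
PRAGMA foreign_keys=OFF;
BEGIN TRANSACTION;
CREATE TABLE users (uuid TEXT, email TEXT);
INSERT INTO __diesel_schema_migrations VALUES('00000000000000','2020-04-20 10:00:00');
INSERT INTO users VALUES('u-1','alice@example.com');
INSERT INTO users VALUES('u-2','bob@example.com');
INSERT INTO "folders" VALUES('f-1','u-1','line one
line two');
COMMIT;
EOF
    printf 'constructed stand-in for the zip archive\n' > "$d/attachments.zip"
    echo "$d"
}

if [ "${1:-}" = "demo" ]; then
    dir=$(make_sample)
    make_data_only "$dir/sqlitedump.sql" "$dir/mysqldump.sql"
    echo "truncated INSERT statements: $(truncated_inserts "$dir/mysqldump.sql")"
    rows_per_table "$dir/mysqldump.sql"
    seal "$dir" && verify "$dir" && echo "hashes match"
    cleanup "$dir" && rmdir "$dir"
fi
```

Run `seal` on the old instance once the dump and archive exist, upload MANIFEST.sha256 together with the two files, and run `verify` and `truncated_inserts` on the new instance before unzipping or importing anything.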
                                                            • A
                                                              apatheticatitude last edited by

                                                              I looked into self hosting a Bitwarden instance myself a few months ago, but decided to wait for Cloudron to implement it. Excited to see it land!

                                                              I have a couple of questions about the differences between this version and the 'standard' self-hosted one from Bitwarden itself. For one, normally the user has to provide an installation key upon set-up which doesn't seem to be the case here.
                                                              And it seems as though this version has access to premium and organisation features that users normally have to pay for, even while self-hosting.

                                                              How does this implementation get around these? Is it possible the instance will break eventually or slowly fork away from the official Bitwarden server?

                                                              • d19dotca
                                                                d19dotca @apatheticatitude last edited by

                                                                @apatheticatitude This already is a fork away from the official Bitwarden app. Bitwarden_RS is a fork of Bitwarden, written in Rust and allows for the premium features by simply removing parts of the code that would otherwise require a key / license. Any app that’s fully open source, one can technically remove any requirements to pay for it through modification to the code.

                                                                --
                                                                Dustin Dauncey
                                                                www.d19.ca

                                                                • d19dotca
                                                                  d19dotca @necrevistonnezr last edited by

                                                                  @necrevistonnezr That’s fantastic! Very detailed. Glad you were able to make that work. 👍

                                                                  --
                                                                  Dustin Dauncey
                                                                  www.d19.ca

                                                                  • fbartels
                                                                    fbartels App Dev @d19dotca last edited by fbartels

                                                                    @d19dotca said in Bitwarden_rs:

                                                                    This already is a fork away from the official Bitwarden app

                                                                    That is not quite right. A fork implies that at some point in time bitwarden_rs and the official server shared the same code, but have diverged since then. (And at least one side won't include the changes of the other)

                                                                    Bitwarden_rs is an implementation of a backend component that exposes the exact same API towards the frontend.

                                                                    Some parts that require payment in the official server have been made available in _rs anyways. Other less heavily used parts are even missing.

                                                                    @apatheticatitude said in Bitwarden_rs:

                                                                    Is it possible the instance will break eventually

                                                                    Possibly. All it takes is a larger or unexpected change in the API. So far the bitwarden developer has been friendly towards third party implementations however.

                                                                    • d19dotca
                                                                      d19dotca @fbartels last edited by d19dotca

                                                                      @fbartels Ah yes, I guess technically "fork" wasn't really the right word there. The point I was trying to make is the same though... the source we are using for this app in Cloudron is already not the original/official Bitwarden server project to begin with.

                                                                      --
                                                                      Dustin Dauncey
                                                                      www.d19.ca

                                                                      • girish
                                                                        girish Staff @d19dotca last edited by

                                                                        @d19dotca Yeah, I actually want to make the unofficial part a bit clearer in our app description or maybe even our post install that Bitwarden. Also want to make sure that if paid features are being used, people take up a subscription with the upstream author. My understanding is that the main project is also a small indie company.

                                                                        • yusf
                                                                          yusf last edited by

                                                                          I take it that the mobile apps are incompatible with the former premium features in bitwarden_rs?

                                                                          • d19dotca
                                                                            d19dotca @yusf last edited by

                                                                            @yusf I guess it depends on what features you're referring to. Bitwarden_rs and the official Bitwarden clients (mobile apps, browser extensions, etc.) all support TOTP token storage and file storage, for example, which are both considered premium features (the $10/year if using official vault.bitwarden.com account). Any particular feature you're referring to?

                                                                            --
                                                                            Dustin Dauncey
                                                                            www.d19.ca

                                                                            • yusf
                                                                              yusf @d19dotca last edited by yusf

                                                                              @d19dotca Organisations, on the iOS client.

                                                                              Would it work to first sign up for premium on their hosted service, somehow unlocking the app, then switch that to self-hosted?

                                                                              • d19dotca
                                                                                d19dotca @yusf last edited by d19dotca

                                                                                @yusf It works with organization in the sense that items shared in an organization will show up and you can add new items to an existing organization. One limitation though in the mobile app is that you can’t create an organization, you have to do that in the web app. That’s a general Bitwarden limitation though, not Bitwarden_rs specifically.

                                                                                Screenshot below shows the test item I created in a test org, and has a share icon next to it to signify it's from a shared organization.

                                                                                A4BA27E9-8EDF-4058-8BE4-64BF738E4F0D.jpeg

                                                                                Screenshot below shows how to assign to an org. The org I have is called test. The scribbled out option is the personal account. Test is the org.

                                                                                AD14466D-E03F-4222-B996-EE2372D0F224.jpeg

                                                                                --
                                                                                Dustin Dauncey
                                                                                www.d19.ca

                                                                                • yusf
                                                                                  yusf last edited by

                                                                                  @d19dotca Oh, I see. I was looking for the organization as a folder, not as items. Good news.

                                                                                  • necrevistonnezr
                                                                                    necrevistonnezr last edited by

                                                                                    If a user signs up on my bitwarden instance, the email invite is not sent. Neither if I add a user to an organisation.

                                                                                    config.env looks like this:

                                                                                    # Export bitwarden rs environment variables here to override the defaults
                                                                                    export SIGNUPS_ALLOWED=true
                                                                                    export INVITATIONS_ALLOWED=true
                                                                                    # To only allow users with the same email domain as where the app is installed:
                                                                                    # export SIGNUPS_DOMAINS_WHITELIST=ckfl.net
                                                                                    #export LOG_LEVEL=debug
                                                                                    

                                                                                    Or is there a way to manually approve a user?

                                                                                    1 Reply Last reply Reply Quote 0
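
Added example, not part of the original post: a shell check that reads a config.env like the one above, where the whitelist line is commented out, and reports whether registration is open to anyone, limited to whitelisted domains, or closed. It assumes bitwarden_rs treats an unset SIGNUPS_ALLOWED as true and that a non-empty SIGNUPS_DOMAINS_WHITELIST decides who may register; the function names and example.com are illustrative.

```shell
#!/bin/sh
# Added example (not from the thread): report the signup policy a
# config.env results in. Variable names are the ones shown in the post;
# function names are illustrative.

# effective_value FILE KEY
# Prints the value of the last uncommented "export KEY=value" (or
# "KEY=value") line, with surrounding quotes removed. Prints nothing when
# KEY only appears in comments, which is the case that is easy to misread.
effective_value() {
    awk -v key="$2" -v sq="'" '
        /^[ \t]*#/ { next }
        {
            line = $0
            sub(/^[ \t]*(export[ \t]+)?/, "", line)
            eq = index(line, "=")
            if (eq == 0 || substr(line, 1, eq - 1) != key) next
            val = substr(line, eq + 1)
            sub(/[ \t\r]+$/, "", val)
            gsub(/^"|"$/, "", val)
            gsub("^" sq "|" sq "$", "", val)
            found = val; seen = 1
        }
        END { if (seen) print found }' "$1"
}

# signup_policy FILE -> open | restricted:<domains> | closed
signup_policy() {
    allowed=$(effective_value "$1" SIGNUPS_ALLOWED)
    whitelist=$(effective_value "$1" SIGNUPS_DOMAINS_WHITELIST)
    if [ -n "$whitelist" ]; then
        # Assumption: a non-empty whitelist decides who may register,
        # so report it whatever SIGNUPS_ALLOWED says.
        echo "restricted:$whitelist"
    elif [ "${allowed:-true}" = "false" ]; then
        echo "closed"
    else
        echo "open"
    fi
}

# check_config FILE: exit status 1 when anyone who can reach the
# instance can create an account.
check_config() {
    policy=$(signup_policy "$1")
    echo "signup policy: $policy"
    [ "$policy" != "open" ]
}

# The config.env from the post, reproduced as sample input.
sample_config() {
    cat <<'EOF'
# Export bitwarden rs environment variables here to override the defaults
export SIGNUPS_ALLOWED=true
export INVITATIONS_ALLOWED=true
# To only allow users with the same email domain as where the app is installed:
# export SIGNUPS_DOMAINS_WHITELIST=ckfl.net
#export LOG_LEVEL=debug
EOF
}

if [ "${1:-}" = "demo" ]; then
    f=$(mktemp)
    sample_config > "$f"
    check_config "$f" || echo "-> registration is open"
    # Enable the whitelist line (example.com is a placeholder) and re-check.
    sed 's/^# export SIGNUPS_DOMAINS_WHITELIST=.*/export SIGNUPS_DOMAINS_WHITELIST=example.com/' "$f" > "$f.new"
    check_config "$f.new"
    rm -f "$f" "$f.new"
fi
```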
                                                                                    • doodlemania2
                                                                                      doodlemania2 App Dev last edited by

                                                                                      That should be working. Check your outbound mail settings and logs to see if it is stuck somewhere?

                                                                                      • necrevistonnezr
                                                                                        necrevistonnezr last edited by

                                                                                        Indeed, the mail - relayed via sendgrid - was blocked by the recipient email provider mailbox.org:

                                                                                        554 5.7.1 Service unavailable; Client host [167.89.24.164] blocked by RBL; Blocked - see https://www.spamcop.net/bl.shtml?167.89.24.
                                                                                        
                                                                                        • doodlemania2
                                                                                          doodlemania2 App Dev last edited by

                                                                                          Strange that sendgrid got RBLed...but that's going to be something they will need to straighten out.

                                                                                          • necrevistonnezr
                                                                                            necrevistonnezr @doodlemania2 last edited by

                                                                                            @doodlemania2 said in Bitwarden_rs:

                                                                                            Strange that sendgrid got RBLed...but that's going to be something they will need to straighten out.

                                                                                            What's troubling IMHO is that you don't get any notice of such rejected mails in the sender's mail account. You have to manually check https://app.sendgrid.com/suppressions/blocks

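The 554 5.7.1 rejection quoted earlier in the thread, and the point above that no notice of it reaches the sender, both come down to reading the relay's SMTP replies yourself. The sketch below is an added example, not part of any post here and not Cloudron or SendGrid code: it classifies SMTP reply lines and counts blocklist rejections per sending IP. Function names, the blocklist keyword list and every sample line except the first (copied from the thread) are assumptions made for illustration.

```python
import re
from collections import Counter

# SMTP reply: 3-digit code, optional RFC 3463 enhanced status code, free text.
REPLY_RE = re.compile(
    r"^(?P<code>[245]\d\d)[ -](?:(?P<enh>[245]\.\d{1,3}\.\d{1,3}) )?(?P<text>.*)$")
HOST_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
URL_RE = re.compile(r"https?://\S+")
# Assumed wording that marks a DNS blocklist rejection; extend as needed.
LISTED_RE = re.compile(r"\b(rbl|dnsbl|blocklist|blacklist)\b", re.I)

# First line is the rejection quoted in the thread; the rest are constructed.
SAMPLE_REPLIES = [
    "554 5.7.1 Service unavailable; Client host [167.89.24.164] blocked by RBL; "
    "Blocked - see https://www.spamcop.net/bl.shtml?167.89.24.",
    "250 2.0.0 Ok: queued as 4F2A1C0FFE",
    "451 4.7.1 Greylisted, please try again later",
    "550 5.1.1 <nobody@example.org>: Recipient address rejected: User unknown",
]

def classify(reply):
    """Return a dict describing one SMTP reply, or None if it is not one."""
    m = REPLY_RE.match(reply.strip())
    if not m:
        return None
    code, enh, text = m.group("code"), m.group("enh") or "", m.group("text")
    host, url = HOST_RE.search(text), URL_RE.search(text)
    if code[0] == "2":
        kind = "accepted"
    elif code[0] == "4":
        kind = "deferred"      # temporary failure: the relay will retry
    elif LISTED_RE.search(text):
        kind = "blocklist"     # sending IP is listed: retrying will not help
    elif enh.startswith("5.7."):
        kind = "policy"        # other security or policy rejection
    else:
        kind = "permanent"     # e.g. unknown recipient
    return {"code": code, "enhanced": enh, "kind": kind,
            "client_ip": host.group(1) if host else None,
            "lookup_url": url.group(0) if url else None}

def blocked_senders(replies):
    """Count blocklist rejections per sending IP across a batch of replies."""
    hits = (classify(r) for r in replies)
    return Counter(h["client_ip"] for h in hits if h and h["kind"] == "blocklist")

if __name__ == "__main__":
    for line in SAMPLE_REPLIES:
        print(classify(line))
    print(blocked_senders(SAMPLE_REPLIES))
```

A "blocklist" result points at the relay's shared sending IP rather than at the app's configuration, which is why the signup and invitation settings in config.env were not the cause here.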
                                                                                            • doodlemania2
                                                                                              doodlemania2 App Dev last edited by

                                                                                              Yup - that's a sendgrid thing - they do that to help keep spam down, but you may have to pay or something to get the reputation filters up or something?

                                                                                              • S
                                                                                                seeker @doodlemania2 last edited by

                                                                                                So I am curious how bitwarden is working for folks?

                                                                                                • timconsidine
                                                                                                  timconsidine App Dev @seeker last edited by

                                                                                                  @seeker Doing great!
                                                                                                  I started using the free version from the official website, and did so for a couple of years.
                                                                                                  I was nervous of moving to the self-hosted version, but it's indistinguishable in performance.

                                                                                                  • jdaviescoates
                                                                                                    jdaviescoates @seeker last edited by

                                                                                                    @seeker it's great! I prefer it to LastPass, which is what I was using before.

                                                                                                    I use Cloudron with Gandi & Hetzner

                                                                                                    • S
                                                                                                      seeker last edited by

                                                                                                      Thank you. I am still a pretty big novice with all of this. Hard trusting myself as the system administrator of something that handles passwords.

                                                                                                      • scooke
                                                                                                        scooke @seeker last edited by

                                                                                                        @seeker Just be sure to take advantage of the auto-backup feature of Cloudron, and you'll be fine. One of my backup destinations is the free tier of Scaleway Object Storage, where you get 75GB free.

                                                                                                        Plus, every now and then, pay for a cheap VPS for a few dollars a month for just the month, install cloudron on it, use a spare domain, and practice restoring from the backup. Then if something really goes wrong your panic level will be lower since you know how to restore from a backup.

                                                                                                        A life lived in fear is a life half-lived

                                                                                                        • S
                                                                                                          seeker @scooke last edited by

                                                                                                          @scooke said in Bitwarden_rs:

                                                                                                          Scaleway Object Storage, where you get 75GB free.

                                                                                                          Wow. Never heard of them, but that is a good price.
