Until recently I had been using 1Password as my trusted password manager. I had been using it since 1Password 4 and recently bought the upgrade to 1Password 7 for Mac and Android. Syncing between devices was done via Dropbox. It was pretty easy. But then it was time to share some passwords with my wife. I looked at the possibilities: creating a 1Password vault and sharing it via Dropbox, or using 1Password for Families for 4,99 USD per month. Other alternatives, such as LastPass, Dashlane and Bitwarden, use a subscription model, and you need to upload your passwords to their servers.
Bitwarden, however, advertises itself as open source and can be self-hosted. But even when it’s self-hosted, you have to pay the monthly subscription to use all the features. Then I came across an unofficial implementation of the Bitwarden server written in Rust, called bitwarden_rs. It has all of the official Bitwarden features, minus the subscription.
Since bitwarden_rs has a Docker image and my Synology DiskStation 218+ can run Docker applications, why not try to host it on the Synology :)
First install Docker from the Package Center. After that run the Docker package, go to Registry and search for bitwardenrs and download the image. I use only the bitwardenrs/server image. It will save your data in a sqlite3 database.
After the image is downloaded, let’s launch it.
I’ll name it bitwardenrs-server and then let’s click the advanced settings so we can mount a volume…
and create a new port mapping. This port will be used later to create a reverse proxy, so the instance is reachable from the internet.
Before we run the docker image, let’s finish setting up the reverse proxy and create a Let’s Encrypt certificate so it is reachable from the internet. To do so, let’s open Application Portal in the Synology Control Panel, then go to Reverse Proxy.
Reverse proxy setup
Let’s create a new reverse proxy setting. In Hostname put your domain (e.g. bitwarden.domain.tld). Set the port to 443 (https). In the destination section, the hostname is localhost and the port is the port number you set in the Docker settings.
After setting up the reverse proxy, we stay in Control Panel and go to Security. In the Certificate panel, generate a Let’s Encrypt certificate for the domain you chose earlier in the Reverse Proxy setting.
That’s all. Start your bitwarden_rs container and your Bitwarden server will be available under the domain you chose earlier, assuming you have already pointed DNS for the chosen domain at your router’s IP and set up port forwarding on your router to route port 443 to your Synology NAS.
If Bitwarden is reachable, you’ll get the Bitwarden login mask. User creation is open to anyone, so you had better deactivate it.
There are two ways to deactivate user registration:
- via the Docker environment
- via the Bitwarden admin panel
To disable registration, just go back to the container settings in Docker and set SIGNUPS_ALLOWED to false. Then restart the container. The create account button is still visible, but users get an error if they try to register themselves.
Another way is to use the Bitwarden admin panel. This panel has more settings you can change. To enable the admin panel, go to the container settings and set the ADMIN_TOKEN environment parameter to a token of your choice.
Then go to Bitwarden and add /admin to the URL (e.g. bitwarden.domain.tld/admin). In the login mask, enter the admin token you set earlier. There you can disable account creation. The settings are written to a config.json file in the Docker volume, so secure this file.
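The same hardening from the Docker command line over SSH instead of the DSM GUI, as an added example that is not part of the original post: it generates a random ADMIN_TOKEN, writes it together with SIGNUPS_ALLOWED=false to an owner-only env file, and checks the permissions on config.json. The host paths and host port 8343 are assumptions; `/data` and container port 80 are the image's defaults, and publishing on 127.0.0.1 assumes the reverse proxy connects over IPv4 loopback.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed values: the paths and
# host port in the "apply" section. /data and port 80 are the image defaults.
set -eu

# 256-bit admin token as 64 hex characters, read from the kernel CSPRNG.
gen_admin_token() {
    dd if=/dev/urandom bs=32 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

# Write the container environment to a file only its owner can read.
# $1 = env file path, $2 = admin token
write_env_file() {
    ( umask 077
      printf 'SIGNUPS_ALLOWED=false\nADMIN_TOKEN=%s\n' "$2" > "$1" )
    chmod 600 "$1"   # also tightens a file that already existed
}

# True only when the file carries no group or other permission bits.
is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Build the docker command. Publishing on 127.0.0.1 keeps the plain-HTTP
# port off the LAN, so clients can only come in through the reverse proxy.
# $1 = env file, $2 = data directory, $3 = host port
docker_cmd() {
    printf 'docker run -d --name bitwardenrs-server --env-file %s -v %s:/data -p 127.0.0.1:%s:80 bitwardenrs/server\n' \
        "$1" "$2" "$3"
}

if [ "${1:-}" = "apply" ]; then
    DATA_DIR=/volume1/docker/bitwarden        # assumed host folder
    ENV_FILE=/volume1/docker/bitwarden.env    # assumed, kept outside the volume
    write_env_file "$ENV_FILE" "$(gen_admin_token)"
    # Printed for review, not executed. 8343 is an assumed host port.
    docker_cmd "$ENV_FILE" "$DATA_DIR" 8343
    # config.json appears once settings are saved in /admin.
    if [ -f "$DATA_DIR/config.json" ] && ! is_private "$DATA_DIR/config.json"; then
        echo "WARNING: $DATA_DIR/config.json is readable by other accounts" >&2
    fi
fi
```

Run it with `apply` as the first argument to write the env file and print the command for review; the container is not started automatically.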
See the bitwarden_rs wiki for more documentation on the Docker environment settings: https://github.com/dani-garcia/bitwarden_rs/wiki