Bitwarden

Installing bitwarden on Synology Diskstation

Until lately I had been using 1Password as my trusted password manager. I had been using it since 1Password 4 and lately bought the upgrade to 1Password 7 for Mac and Android. Syncing between devices was done by using Dropbox. It was pretty easy. But then it was time to share some passwords with my wife. I was looking the possibilities. Creating 1Password vault and shared it per Dropbox, or using the 1Password for families for 4,99 USD per month. Other alternatives, such as Lastpass, Dashlane and Bitwarden, are subscription model and you need to upload your password to their server.

But Bitwarden advertises itself as open source and can be self-hosted. But although it’s self-hosted, you have to pay the monthly subscription to use all the features. Then I came to an unofficial implementation of the Bitwarden server written in Rust, called bitwarden_rs. It has all the official Bitwarden’s features minus the subscription.

Since bitwarden_rs has a docker image and my Synology Diskstation 218+ can run docker application, why not try to host it on Synology 🙂

Docker bitwarden_rs

First install Docker from the Package Center. After that run the Docker package, go to Registry and search for bitwardenrs and download the image. I use only the bitwardenrs/server image. It will save your data in a sqlite3 database.

docker search

After the image is downloaded, let’s launch it.

docker container setting

I’ll name it bitwardenrs-server and then let’s click the advanced settings so we can mount a volume…

docker volume setting

and create a new port mapping. This port will be used later to create a reverse proxy, so the instance is reachable from the internet.

docker port setting

Before we run the docker image, let’s finish setting up the reverse proxy and create a Let’s Encrypt certificate so it is reachable from the internet. To do so, let’s open Application Portal in the Synology Control Panel, then go to Reverse Proxy.

reverse proxy on synology settings

Reverse proxy setup

Let’s create a new reserve proxy setting. In Hostname put your domain (e.g. bitwarden.domain.tld). Set port to 443 (https). In the destination section, hostname is localhost and port is the port number you set in the docker settings.

setup reverse proxy synology

After setting the reverse proxy, we stay in Control Panel and do the Security. In the Certificate panel, generate a Let’s Encrypt certificate for the domain you choose before in the Reverse Proxy setting.

setup let's encrypt certificate

That’s all. Start your Bitwarden_rs docker and your Bitwarden server will be available under the domain you choose earlier, assumed you already managed to set DNS for the chosen domain to your router IP and you set port redirect on your router, to route port 443 to your Synology NAS.

If bitwarden is reachable and you’ll get bitwarden login mask. User creation is open to anyone. So you’ll be better deactivate this.

bitwarden login

There are some way to deactivate user registration:

  • per docker environment
  • per bitwarden admin panel

To disable registration, just go back to the container setting in docker, and set SIGNUPS_ALLOWED to false. Then restart the container. The create account button is still visible, but user gets an error if they try to register themself.

deactivate signups environment settings

Another way is using the bitwarden admin panel. On this panel there’re more settings you can change. To enable the admin panel, go to the container setting and set ADMIN_TOKEN environment parameter. As value set to some token.

Then go to bitwarden and add /admin in the URL (e.g. bitwarden.domain.tld/admin). In the login mask, enter the admin token you set earlier. There you can disable the create account. The settings will be written in a config.json file in the docker volume. So secure this file.

admin token environment settings

See the wiki of bitwarden_rs to get more documentation on the docker environment settings. See https://github.com/dani-garcia/bitwarden_rs/wiki

14 thoughts on “Installing bitwarden on Synology Diskstation”

  1. Hello,

    Forgive my English. First of all, thank you for this great tutorial.

    But I have a question. To make the backup, we only have to back up the data directory we set up?

    1. not quite. you can backup the attachment directory as it is, but you can’t just copy the sqlite database file. I use bruceforce/bw_backup image to create sqlite dump file. I’ll write a how-to some day 🙂

  2. Hi, nice tutorial. You use reverse proxy, but if i only want to use it into the LAN so without external access from the internet and i want to use a selfsigned Certs?
    I don’t want to use a reverse proxy. i used to call in browser the sinology ip and use the local ports that docker assign to the container. It worked for a while without https but now it is mandatory the use of https and ssl. I want to use self signed certificate made into sinology. Any advices?

    1. You could create and import a self signed certificate in Synology. Or put a nginx docker before the bitwarden and set the self signed certificate in the nginx container. Don’t forget to import your self signed certificate in your client (OS or browser).

    2. You have to set the DOMAIN URL parameter to http://your_syno_IP:bitwarde_port
      “http://172.16.10.10:6603”

      2 way to do that:
      by environment Variable (i still didnt descover the Domain URL variable name
      accessing Bitwarden ADMIN PANEL:
      first add Environment variable “ADMIN_TOKEN” = “Your admin panel passxord”
      The go to “your_IP/admin and set the parameters.

      Hope this help.

  3. Hi, thanks a lot for the great tutorial. I would like to ask you how to update Bitwarden since it’s installed in Docker and will they release new updates? Thank you.

    1. Hi,

      just updated my installation yesterday. Following steps are done:
      * download the latest image
      * while downloading, take notice of the ports, volume and environment parameters. compare with the config.json. maybe some of the environment parameters are in the config.json, so you don’t need to set them again
      * if the image is downloaded, stop and remove the bitwarden container
      * create a new container based on the latest image and set the ports, volume and environment parameters

  4. Hi,
    Invite multiple people. But how?

    Thank you for your good instructions.

    I installed Bitwarden_rs on my Synology and can also access it from home.

    I wanted to invite a second person, unfortunately Bitwarden does not send out an email.

    Do you have to configure SMTP in the NAS or what settings have to be configured on the NAS so that several people can use Bitwarden.

    1. Hi,
      did you enable invitation? See Github
      Did you check the SMTP configs?

      In config.json I found following settings:

      "invitations_allowed": true,
      "smtp_host": "MAIL-DOMAIN",
      "smtp_ssl": true,
      "smtp_explicit_tls": false,
      "smtp_port": 587,
      "smtp_from": "FROM_EMAIL",
      "smtp_from_name": "Bitwarden_RS",
      "smtp_username": "USERNAME",
      "smtp_password": "PASSWORD",
      "smtp_timeout": 15,

  5. Hi,

    First, thank you for a great article! I tried creating an account but nothing happens when I hit SUBMIT. I didn’t disable account creation through the environment settings.

    Thank you!

Leave a Reply

Your email address will not be published. Required fields are marked *