this post was submitted on 20 Oct 2023
37 points (95.1% liked)
submitted 1 year ago* (last edited 10 months ago) by velox_vulnus@lemmy.ml to c/privacy@lemmy.ml

Right now, I'm using Bitwarden's official instance, and I am bothered that I have to use Google's Authenticator app separately for TOTP. Yes, there's also Aegis and 2FAS, but I have no idea about WebDAV servers and also don't want to rely on Google Drive for backup, also because I'm moving away from Google services.

I'm planning to run Vaultwarden on a free instance of render.com, and I wanted to know if this was a good idea? Has anyone over here tried this?

What would happen if Render changes their plans and I lose access to the database? Will I still have access to the last-stored cache on my browser extension and mobile phone? And since I'm running a Rust infrastructure, would it use less of the free plan bandwidth that Render assigns?

Do I also need to purchase a domain? Or can I access the app with a Render-affixed URL?

all 20 comments
[–] namnnumbr@lemmy.ml 18 points 1 year ago (1 children)

A password manager can be considered critical infrastructure; beyond privacy and uptime/access considerations, you should also consider what happens if you lose all of your data - Do you have backups? Are the backups 3-2-1 redundant? Do you have a ready-to-go docker compose to get yourself up and running locally in a pinch?

I self-hosted bitwarden (vaultwarden) for several years and it became evident to me that it was important enough to use the hosted service - especially as I was already paying Bitwarden to support their open source business.
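As an added example (not from the thread, and not the Vaultwarden project's own tooling), the script below does what the comment above asks about: it takes a consistent copy of a live SQLite database with SQLite's online backup API, checks the copy's integrity, keeps only the newest N copies, and runs a restore drill that proves the copy can be opened and contains the tables the application needs. It assumes Vaultwarden's default SQLite backend with the database at `<data dir>/db.sqlite3`; the sample tables and rows are constructed stand-ins, and the function names are hypothetical.

```python
"""Consistent backup of a live SQLite database plus a restore drill.

Added example: not code from the thread or from the Vaultwarden project.
Assumes the default SQLite backend (database file <data dir>/db.sqlite3).
The sample schema below is a constructed stand-in; the real schema is larger.
"""
import sqlite3
import tempfile
from contextlib import closing
from datetime import datetime
from pathlib import Path


def verify_backup(path: Path) -> bool:
    """Open the copy read-only and run SQLite's own integrity check."""
    with closing(sqlite3.connect(f"file:{path}?mode=ro", uri=True)) as conn:
        (status,) = conn.execute("PRAGMA integrity_check").fetchone()
    return status == "ok"


def prune_backups(backup_dir: Path, keep: int) -> list[Path]:
    """Delete all but the newest `keep` copies; the timestamped, zero-padded
    file names sort chronologically, so a plain sort is enough."""
    backups = sorted(backup_dir.glob("db-*.sqlite3"))
    removed = backups[:-keep] if keep > 0 else backups
    for old in removed:
        old.unlink()
    return removed


def backup_sqlite(db_path: Path, backup_dir: Path, keep: int = 7) -> Path:
    """Copy a live SQLite file with the online backup API (page-level copy,
    safe while the application is writing), verify it, then prune old copies.
    Never copy the raw file with cp: a write in progress can leave torn pages."""
    backup_dir.mkdir(parents=True, exist_ok=True)
    stamp = datetime.now().strftime("%Y%m%dT%H%M%S.%f")
    dest = backup_dir / f"db-{stamp}.sqlite3"
    with closing(sqlite3.connect(db_path)) as src, \
            closing(sqlite3.connect(dest)) as dst:
        src.backup(dst)
    if not verify_backup(dest):
        dest.unlink()
        raise RuntimeError(f"backup failed integrity check: {dest}")
    prune_backups(backup_dir, keep)
    return dest


def restore_drill(backup: Path, expected_tables: tuple[str, ...]) -> bool:
    """A backup nobody has restored is untested: open the copy read-only and
    confirm the tables the application depends on are present."""
    with closing(sqlite3.connect(f"file:{backup}?mode=ro", uri=True)) as conn:
        rows = conn.execute("SELECT name FROM sqlite_master WHERE type = 'table'")
        names = {row[0] for row in rows}
    return all(table in names for table in expected_tables)


def make_sample_db(path: Path) -> None:
    """Constructed stand-in for a vault database (not the real schema)."""
    with closing(sqlite3.connect(path)) as conn:
        conn.execute("CREATE TABLE users (uuid TEXT PRIMARY KEY, email TEXT)")
        conn.execute("CREATE TABLE ciphers (uuid TEXT PRIMARY KEY, data TEXT)")
        conn.execute("INSERT INTO users VALUES ('u1', 'alice@example.invalid')")
        conn.execute("INSERT INTO ciphers VALUES ('c1', '{\"encrypted\": true}')")
        conn.commit()


def run_demo(keep: int = 2) -> dict:
    """End-to-end drill in a throwaway directory: build the sample database,
    take three backups, and report what pruning and the restore check found."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        db = root / "data" / "db.sqlite3"
        db.parent.mkdir()
        make_sample_db(db)
        backup_dir = root / "backups"
        backups = [backup_sqlite(db, backup_dir, keep=keep) for _ in range(3)]
        remaining = sorted(backup_dir.glob("db-*.sqlite3"))
        return {
            "remaining": len(remaining),
            "newest_kept": remaining[-1] == backups[-1],
            "restorable": restore_drill(backups[-1], ("users", "ciphers")),
        }


if __name__ == "__main__":
    print(run_demo())
```

The verified file is only the first copy of a 3-2-1 scheme: ship it to a second medium and to an off-site location with a tool such as restic, and rerun the drill against the off-site copy from time to time, since the commenter's question is about whether the restore actually works when Render is gone, not whether the copy exists.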

[–] OminousOrange@lemmy.ca 18 points 1 year ago (4 children)

If your issue is with the authenticator, then why not just switch authenticators? I've been quite happy with Authy over the years.

Sure, self hosting can be more secure, but if it's not on your own hardware, I don't see how moving to render is better. You're still using a third party to host your most sensitive information.

[–] namnnumbr@lemmy.ml 9 points 1 year ago

Authy is lovely in that it just works, but it is hellacious to migrate off of if you change your mind.

I also don’t love that Authy is owned by Twilio, a communications/marketing service company.

[–] ultratiem@lemmy.ca 6 points 1 year ago

This was my thought too. Why are you using Google Authenticator? It’s my understanding that it’s only required to use 2FA with Google specifically because, like Apple, they use their own system.

Just grab any authenticator, like Authy. Problem solved.

[–] Onihikage@beehaw.org 5 points 1 year ago (1 children)

Authy is pretty bad. They had a data breach that exposed users, they make it really hard to migrate your secrets to another app (God help you if you lose your phone), and they're completely closed source.

The best option is probably Aegis Authenticator, but at least do a cursory search for "[authenticator name] controversy" before choosing an authenticator.

[–] OminousOrange@lemmy.ca 2 points 1 year ago

Thanks for the recommendation. I'll look into transitioning to Aegis. Regarding backups, you are able to have another device in case you lose your phone (I also have Authy on my laptop in case that does happen), but the data breach you mentioned said that may have been a weak point. Either way, I'm going to explore Aegis now.

[–] Facebones@reddthat.com 2 points 1 year ago

I'll second Authy, I've never had any issues and it's simple in design which I like.

[–] girsaysdoom@sh.itjust.works 9 points 1 year ago (1 children)

Have you considered using Bitwarden Premium? It has TOTP support and is $10/year currently.

Also, regardless of how you're hosting your data, it's probably good to keep a secured backup of your vault or two just in case something unexpected happens.

[–] pe1uca@lemmy.pe1uca.dev 7 points 1 year ago* (last edited 1 year ago) (1 children)

there’s also Aegis and 2FAS, but I have no idea about WebDAV servers and also don’t want to rely on Google Drive for backup, also because I’m moving away from Google services.

If your only issue is the backups, then you can still use aegis with automatic encrypted backup to a folder in your device and then use syncthing to automatically send it to your machine. From there use any other backup solution like duplicati or restic.
(Remember that syncthing is not a backup solution, it should only be used as a way to automatically sync files between devices) (People have had many issues with duplicati, but I've only seen posts about huge amounts of data, for something like aegis backups it has been working fine for me)

I'd also recommend asking in !selfhosted@lemmy.world

[–] Father_Redbeard@lemmy.ml 6 points 1 year ago* (last edited 1 year ago)

I'd pay the $10/yr premium if you can swing it. The emergency contact recovery feature alone was more than worth it to me.

For 2FA, I highly recommend Aegis. I switched from both Google and Microsoft authenticator apps earlier this year and it's been great. I have the backups running automatically and it dumps it into a folder that Seafile is syncing for me. So not only do I have the backups on the server, but on the clients as well. Seafile is then backed up to an encrypted B2 bucket for further redundancy.

[–] BaumGeist@lemmy.ml 5 points 1 year ago* (last edited 1 year ago)

What would happen if Render changes their plans and I lose access to the database? Will I still have access to the last-stored cache on my browser extension and mobile phone?

Yes, the bitwarden client will simply treat it as being offline. You should check the docs on how to migrate to a new server so you can be prepared.

And since I’m running a Rust infrastructure, would it use less of the free plan bandwidth that Render assigns?

No. ~~Bandwidth is up to the network stack to determine, not the programming language. Generally, your app and OS will use as much as available unless otherwise throttled.~~

I just looked it up, and their "bandwidth" is not a measure of bandwidth, but a data quota. The answer is still "no" because it's about how much data is transferred in total, which also has little to do with the language in this case. Despite the difference of some negligible amount of bytes of overhead, vaultwarden's limited by the format the database is in. To lower data usage, try reducing how often you automatically sync the clients with your server.

I'm planning to run Vaultwarden on a free instance of render.com, and I wanted to know if this was a good idea? Has anyone over here tried this?

I have not tried this, but I am opinionated: on one hand, self-hosting will always be your most reliable and private option. However, if you have judged other pursuits a more valuable use of your time and mental energy, then it's probably worth the $20/month (or whatever) if and when your server lands in reorganization jail.

The biggest issue would be your privacy, which almost always goes out the door when money comes into the picture.

[–] Vendetta9076@sh.itjust.works 2 points 1 year ago

I can't answer most of these except that as long as the render-affixed URL supports https you should have no issues, and if it does die you should have the last synced cache in your browser. Been able to use my vaultwarden extensions offline no problem.

[–] herrfrutti@lemmy.world 2 points 1 year ago* (last edited 1 year ago)

As far as I know, you'll have a last synced copy in your cache. Test it with no internet con! Try to export your data without internet.

I'm using vaultwarden for like 4 years now, but on my personal server at home. Btw a raspberry pi is enough to run vaultwarden.

You could take a look at reverse proxies and dyndns services (like duckdns -> free). I started like this. Now I have my own domain, but that is not mandatory!

[–] algenza@sos.nekoweb.my.id 1 points 1 year ago

I don't know about render.com, but as long as you have a HTTPS domain, you can just use any domain.
Also, I think many services will notify you about changes of their pricing, so you can just back up the server and move them somewhere before something goes up.
Some good info about Vaultwarden is in the wiki, including some installation sources; there are docker, binaries, and rust, so you can pick one of them.

[–] danileonis@lemmy.ml -1 points 1 year ago

KeePass + Syncthing works also for OTPs (you can even use OTP without a phone).