Migrating Password Managers

published: 2023-12-05
tags: password-management software


I've used pass for a few years now, having moved to it from KeePassXC. I primarily used it via a rofi script and I was very happy with it, and I still very much like it; my needs have just changed.

When I moved from KeePass I used a script linked on the pass site which, for whatever reason, put each password in its own folder and used the username as the actual filename. It was something I meant to fix at the time but ultimately never bothered; it didn't really matter since searching for sites with the rofi script searches the whole path anyway. I do sort of regret not fixing it but anyway, moving on.

I never used my phone very much, so I didn't really need a password manager that was capable of being used across multiple devices or operating systems. But I've recently bought a Surface Pro 9, which I've been very much enjoying, and it's led to me thinking over my workflow and what programs I use, one of the biggest annoyances being passwords. I'll write about the Surface more in the future, but before anyone tells me to just sync the password-store directory: my Surface is currently running Windows.

I didn't really go looking for a new password manager; I knew Bitwarden was a fairly popular one and I know a couple of people who use it and like it, so it was the first thing I tried. Cloud-based password managers aren't something I think I'll ever trust personally. They're probably fine, but I'd rather not.


Luckily, Bitwarden can be self-hosted, but a cursory look at the install instructions suggests that it really wants you to use Docker, which I tend to avoid if at all possible. However, Vaultwarden exists.

Vaultwarden is an unofficial alternative server that's compatible with Bitwarden clients. It's written in Rust and while it, for whatever reason, doesn't provide precompiled binaries, it's easy to compile yourself, or copy out of the Docker container, if you prefer. Single binaries are my preferred deployment method, so for that alone I found it a much nicer solution. It supports the vast majority of features that the official server has, except for single sign-on and a couple of enterprise things I don't care about.

Once you've got your binary via your preferred method, it's a fairly standard setup process of making a systemd file and setting up configuration. I didn't configure much, just the listen address, port and the data folder location.

There is one thing though: the web interface requires HTTPS. I believe the Bitwarden server implementation is the same and it's related to a browser requirement rather than anything the projects are doing themselves. I'm running Vaultwarden on my local server and don't intend for it, or most things I self-host locally, to be accessed outside of my LAN.

I use Caddy for my reverse proxy, so getting a self-signed certificate for it to use was as easy as adding tls internal to the Vaultwarden section. This does mean you have to click "Accept" or whatever when you visit it for the first time because it's self-signed, but it's not exactly inconvenient; I mostly use it with the clients anyway. In fact, the only reason I even discovered this was because when I was sorting through my passwords, moving and renaming them due to the aforementioned weird import that happened when I moved to pass, I found out that only the web interface lets you select multiple entries at once. Definitely a bit odd.
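A Caddyfile site block for the setup described above, as an added example rather than the author's own configuration. The hostname, the backend port and the loopback bind are assumptions, and the private-range matcher is an extra that goes beyond the post to enforce its LAN-only intent.

```caddyfile
# Constructed example: vault.lan.example and port 8000 are placeholders.
# Assumes Vaultwarden itself listens on loopback only, for instance with
# ROCKET_ADDRESS=127.0.0.1 and ROCKET_PORT=8000 in its environment file,
# so that Caddy is the only way to reach it over the network.
vault.lan.example {
	# Issue the certificate from Caddy's own local CA instead of a public
	# ACME CA; this is the "tls internal" line mentioned in the post.
	tls internal

	# Match clients whose source address is in a private (RFC 1918,
	# loopback or link-local) range.
	@lan remote_ip private_ranges

	# LAN clients are proxied to the Vaultwarden backend.
	handle @lan {
		reverse_proxy 127.0.0.1:8000
	}

	# Everything else is refused, even if the port is ever exposed.
	handle {
		respond 403
	}
}
```

Importing Caddy's local root certificate into each client's trust store (on the server itself, `caddy trust` does this) removes the browser warning without training yourself to click through certificate errors.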

As for actually using it, it's quite nice. I installed the Firefox add-on on both Linux and my Surface, so now I can just use the Ctrl + Shift + L shortcut to automatically enter passwords on websites, which is faster than pulling up rofi and searching for the entry each time; it's also my primary method of using it. I mostly don't think about it. I honestly thought I'd end up using the command line client and hooking it up to rofi like I was doing with pass, but I haven't felt the need.

Overall, very happy with my new password solution.