Preface
Regarding password management, I believe it is a headache for most people, and it was for me too. I have always used two password management systems: the one built into Chrome (Google's password manager) for websites, and the one built into macOS for the system itself and installed apps. That can work, as long as you are willing to ignore the password-leak warnings Chrome keeps showing. I had become numb to leaks and let them pass; as a lazy person I was never going to change the passwords of that many websites. At most I turned on two-factor authentication for the important sites. Because of the second factor, the passwords were kept simple so that I could remember them, and security rested on the two-factor authentication. As for app passwords, you can only use the ones you are used to when setting them up. That is a helpless move: it is hard to set complex passwords for so many apps and so many websites. Chrome can generate complex passwords on its own, but the macOS password manager has no such function. Chrome's password manager is also sometimes unreliable: the login screens of some websites are not filled in automatically, and I have to look the password up in the browser settings myself.
After much thought, I decided to build my own password management system: one solution for both websites and system apps, with automatic generation of complex passwords and a lower management cost. After all, I am getting older and my memory is not what a young person's is. After looking at LastPass, KeePass, and Bitwarden, I chose the open-source, self-hosted Bitwarden. After all, I am committed to building a home data center, so I can certainly host it myself. Bitwarden supports automatic password generation and import/export, which is enough for ordinary use, and it has clients for every platform I use:
That completely meets all my needs, so that's it!
Deploy
Create the folder on the host that will be mapped into the Vaultwarden container
As usual, first create the folder on the host that the -v parameter will mount into the container:

```shell
mkdir -p /docker/bitwarden/data
```
Deploy Bitwarden (Vaultwarden)
Note: the bitwarden-named image on Docker Hub that older guides point at has not been updated for more than two years. What self-hosters run today is Vaultwarden (formerly bitwarden_rs), an unofficial reimplementation of the Bitwarden server API in Rust that works with the official clients and is far lighter than Bitwarden's own server stack; the image is roughly 100 MB.
It is actively maintained and widely used, but it is third-party code rather than Bitwarden's own server, so keep the image up to date.
The docker run command is as follows:

```shell
docker run --name vaultwarden -d --restart=always \
  -v /docker/bitwarden/data:/data/ \
  -p 9500:80 \
  vaultwarden/server:latest
```

Port 80 inside the container is plain HTTP. The web vault and the clients only talk to the server over HTTPS (localhost excepted), so this port is meant for a TLS-terminating reverse proxy in front of it; if that proxy runs on the same host, publish the port as `-p 127.0.0.1:9500:80` so that nothing else on the LAN can reach the unencrypted listener. Two environment variables are worth setting from the start: `DOMAIN` (the public https:// URL, which several features such as attachment and Send links depend on) and, once your own account exists, `SIGNUPS_ALLOWED=false`, so that a stranger who finds the address cannot register. The /admin page stays disabled unless `ADMIN_TOKEN` is set; if you enable it, use a long random token.
Publish it under a usable domain name
Because I need this password manager on multiple devices (iPhone, iPad, Windows, Mac), a self-hosted cross-platform application like this, just like Nextcloud, needs a publicly reachable HTTPS address (it does not have to be on port 80 or 443) so that every device can connect from any Internet-connected environment. Bitwarden is no different, so the service has to be published externally.
Choose the publishing method that best fits your environment and the reverse proxy you use. You can refer to my previous articles:
1. Docker series: use Docker to build your own reverse proxy based on NPM
2. Linux panel series: configure a reverse proxy and publish on a non-443 port
3. Home data center series: use domestic cloud hosting to get free Cloudflare acceleration for fast access to domestic sites from abroad
4. Home data center series: use Cloudflare to publish a website quickly on home broadband with no public IP (general purpose)
Methods 1 and 2 suit environments that have a public IP but no usable port 443 (home broadband, cloud hosts without an ICP filing): you append a non-standard port to the URL. If you publish through Cloudflare you do not need the port in the URL, but you must customise the origin port; see: Home data center series: use Cloudflare's Origin Rules to solve the problem of having a public IP but no usable ports 80 and 443. Method 3 suits cloud hosts with an ICP filing. Method 4 works in every environment, including ones without a public IP, and it is the one I recommend regardless of whether you have a public IP, because it does not expose an HTTPS listener directly on the public Internet.
I will write one article summarising all the publishing methods with links to the deployment article for each, but that has to wait until the prerequisite articles are finished. There are too many points involved to cover in a single article.
In what follows, assume the final published address is pwd.example.com.
Initialize Bitwarden
Create an account
Assuming the address has been published as described in the previous chapter, say pwd.example.com:55555, open https://pwd.example.com:55555/ in a browser. (The /admin path is Vaultwarden's admin panel, which is disabled unless ADMIN_TOKEN is set; ordinary accounts are created from the root page.)
Since you have no account on first login, click "Create account" in the red box at the bottom:
The items in the red box in the picture above are required. "Email address" is the login name. "Master password" is the master password, the only password you still need to remember. It is critical: make it long and complex, and make sure you can reproduce it correctly. Do not treat two-step verification as a substitute for a strong master password: the second factor only gates logins to the server, while the master password is what the vault's encryption key is derived from, so anyone who obtains a copy of the database (a backup, a stolen disk) can try a weak master password offline. Enable two-step verification in "Account Settings" - "Security" in addition to a strong master password, not instead of one. Finally, click "Create account" below. After creation, return to the login page and log in with the email address you just registered:
Successful login:
Set the language
Click "Account settings" in the red box in the upper right corner of the page:
Select "Preferences" in the red box, choose "zh-CN" under "Language" in the red box, then click "Save":
The vault locks and asks for the master password to unlock it:
After unlocking, the page switches to the Chinese interface.
Import passwords
From the "Account Settings" - "Tools" - "Import Data" page you can import the password export of another application. "Text Format" in the red box selects the format of the file being imported:
Taking a CSV exported by Chrome as the example, select the "Chrome (csv)" option in the red box under "Text Format":
Then pick the password file exported by Chrome in the red box, and click "Import Data" in the red box below:
The password file exported by macOS is imported in the same way:
Every application exports passwords differently, so I cannot list them all; I will use Chrome and macOS as the examples for exporting.
In Chrome the export is in "Settings", then Google Password Manager, then its "Settings" page, as shown in the red box below:
On macOS it is in "System Settings" - "Passwords":
Other applications of this kind have their own export locations, which you will need to look up yourself. Whatever the tool, the export is an unencrypted CSV: keep it out of shared and cloud-synced folders, and delete it as soon as the import has succeeded.
Finally, with both the Chrome and macOS libraries imported, every password I normally use is in the vault:
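Before importing, it is worth running a quick audit over the export itself, because the import copies whatever is in the file, weak and reused passwords included, and Bitwarden's own reports only run afterwards. The script below is an added example, not part of the original article or of Bitwarden: it parses a constructed Chrome-style CSV (column names as Chrome writes them: name,url,username,password), verifies those columns before anything else happens, and reports which sites share a password and which passwords are short, without ever printing a password. The registrable-domain helper is a deliberate simplification (last two DNS labels, no public suffix list) and the sample credentials are made up.

```python
import csv
import io
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample in the column layout of a Chrome password export
# (name,url,username,password); none of these are real credentials.
CHROME_CSV = """name,url,username,password
example.com,https://www.example.com/login,alice,hunter2
bank.example.net,https://online.bank.example.net/,alice@example.com,Tr0ub4dor&3
forum.example.org,https://forum.example.org/ucp.php,alice,hunter2
mail.example.com,https://mail.example.com/,alice@example.com,correct horse battery staple
"""


def load_chrome_export(text):
    """Parse a Chrome CSV export and check that it really has the columns the
    Bitwarden "Chrome (csv)" importer expects; a file from another tool fails
    here instead of importing as garbage."""
    rows = list(csv.DictReader(io.StringIO(text)))
    required = {"name", "url", "username", "password"}
    present = set(rows[0].keys()) if rows else set()
    missing = required - present
    if missing:
        raise ValueError(f"not a Chrome password export; missing columns {sorted(missing)}")
    return rows


def registrable_domain(url):
    """Last two DNS labels of the URL's host. Good enough for the sample; a real
    tool would consult the public suffix list so that co.uk-style suffixes work."""
    host = (urlsplit(url).hostname or "").lower()
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def audit(rows, min_len=12):
    """Report passwords shared across different sites and passwords shorter than
    min_len. Only site names and URLs are returned, never the passwords."""
    sites_by_password = defaultdict(set)
    for row in rows:
        sites_by_password[row["password"]].add(registrable_domain(row["url"]))
    reused = sorted(sorted(sites) for sites in sites_by_password.values() if len(sites) > 1)
    weak = sorted(row["url"] for row in rows if len(row["password"]) < min_len)
    return {"reused": reused, "weak": weak}


if __name__ == "__main__":
    report = audit(load_chrome_export(CHROME_CSV))
    for group in report["reused"]:
        print("same password reused on:", ", ".join(group))
    for url in report["weak"]:
        print("shorter than 12 characters:", url)
```

To run it on a real export, pass the file's text to load_chrome_export instead of the constant, then delete the CSV. The sites it lists are the ones to rotate first, with the generator, once they are in the vault.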
Install the clients
Chrome browser extension
Install the extension
Search for "bitwarden" in the Chrome Web Store and install it:
Click the newly installed extension in the browser toolbar, and in the drop-down to the right of "Log in" (red box) select "Self-hosted":
On the next page, enter the address you published earlier in "Server URL", with the :port suffix if you are not on 443 (for example https://pwd.example.com:55555; the scheme must be https), then click Save in the red box in the upper right corner:
Enter the email address you registered with, then click Continue in the red box:
Enter the master password set earlier and click "Log in with master password" in the red box:
The extension is now connected to the self-hosted server:
Setting up the Chrome extension
The extension's defaults are not ideal and need adjusting.
Auto-fill:
Auto-fill is practically unusable with the defaults and has to be configured. Click "Settings" in the red box at the far right of the bottom bar, then select "Auto-fill" in the red box above:
The two red boxes in the picture below are the settings that need to be changed:
As shown in the figure below, I set the auto-fill shortcut key to command+Q:
The default URI match rule, "Base domain", treats every host under the same registrable domain as one site. In a home lab with several services on subdomains of one domain, or on different ports of the same host, the extension then offers all of those entries on every one of those pages and may fill the wrong credentials, and it would also offer them on any other subdomain of that domain. I therefore changed it to "Host", which only matches when hostname and port agree.
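To make the difference concrete, here is an added example, not Bitwarden's own code: a simplified model of the extension's URI match types run over a made-up home-lab vault (the service names and URIs are invented for this illustration). Under the default base-domain rule every entry under example.com is offered on every other example.com host, including one you do not control if someone else can create a subdomain there; under host matching only the entry whose hostname and effective port agree with the page is offered. Public-suffix handling is simplified to "last two labels", and a missing port is taken as the scheme default.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def host_and_port(url):
    """Lower-cased hostname plus the effective port (scheme default when none is given)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(parts.scheme)
    return host, port


def base_domain(host):
    """Registrable domain as the last two labels; IP literals are returned unchanged.
    The real clients use the public suffix list, so multi-part suffixes differ here."""
    if host.replace(".", "").isdigit():
        return host
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def uri_matches(stored_uri, page_url, match_type):
    """Does a vault entry's URI match the page under the given Bitwarden match type?"""
    s_host, s_port = host_and_port(stored_uri)
    p_host, p_port = host_and_port(page_url)
    if match_type == "domain":        # the default: any host under the same registrable domain
        return base_domain(s_host) == base_domain(p_host)
    if match_type == "host":          # hostname and port must both agree
        return (s_host, s_port) == (p_host, p_port)
    if match_type == "starts_with":
        return page_url.startswith(stored_uri)
    if match_type == "exact":
        return page_url == stored_uri
    if match_type == "never":
        return False
    raise ValueError(f"unknown match type {match_type!r}")


def candidates(vault, page_url, match_type):
    """Names of the vault entries the extension would offer on page_url."""
    return [name for name, uri in vault if uri_matches(uri, page_url, match_type)]


# Constructed home-lab vault: many services under one domain, two of them on the
# same host and told apart only by port. Names and URIs are made up for this example.
VAULT = [
    ("NPM admin", "https://proxy.example.com:81"),
    ("Vaultwarden", "https://pwd.example.com"),
    ("Nextcloud", "https://cloud.example.com"),
    ("Router", "http://192.168.1.1"),
    ("Grafana", "https://monitor.example.com:3000"),
    ("Prometheus", "https://monitor.example.com:9090"),
]

if __name__ == "__main__":
    page = "https://monitor.example.com:9090/graph"
    print("domain match offers:", candidates(VAULT, page, "domain"))
    print("host match offers:  ", candidates(VAULT, page, "host"))
```

Host matching is the stricter choice; its cost is that entries for www.example.com and example.com are separate, so save both URIs on one item when a site answers on both names.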
Security:
This sets the vault timeout: how long before the extension locks and asks for the master password again. The default is 1 hour. I think a personal computer can be set to never.
Some tips
The number in the lower right corner of the extension icon shows how many entries match the website open in the tab:
The built-in Send function can send text and files, with an expiry time, a maximum number of views, a password and other options:
The password generator lets you choose the complexity of the password:
Send and the generator are also available in the web vault.
Clients for iOS and iPadOS
On iOS and iPadOS the app installs straight from the App Store. The interface and the settings steps are the same as for the Chrome extension, so I will not repeat them. The key step is to replace the system-level default, iCloud Keychain, as the autofill provider:
On both iOS and iPadOS the setting is in "Settings" - "Passwords" - "Password Options":
If you use a two-factor authenticator app, select it here as well, as I do with Authy. Once this is set, Bitwarden fully takes over from the default "iCloud Passwords & Keychain".
macOS client
I do not recommend this one, because unlike iOS and iPadOS, even with Bitwarden installed on macOS there is no way to select it in the password options. I think this is due to macOS permission restrictions. As a result the macOS client is not very useful, so I suggest simply using the Chrome extension on both Mac and Windows.
Afterword
Once all password management is handed to Bitwarden, the availability of the Bitwarden service becomes the top priority. You can consider running two Bitwarden instances in different local Docker environments with local hot standby (through local load balancing), or using the hot-standby origin function that a CDN provides, with the Bitwarden in the home data center as the primary origin and the Bitwarden on a cloud host as the standby origin. That keeps Bitwarden online at all times (it is the method I currently use), but it requires a plan for regularly synchronising the password database between the two.
Taking Tencent Cloud as an example, the configuration page looks like this:
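Whichever standby arrangement you pick, what has to be synchronised is the /data volume, and only one instance should ever accept writes: two Vaultwarden servers that both take changes have no way to merge their databases, so copy from the primary to the standby and never the other way round. A consistent copy is also the prerequisite for any standby. The following is an added example, not Vaultwarden's own tooling: it snapshots the data directory using SQLite's online backup API (a plain file copy of db.sqlite3 taken while the server is writing can be torn), copies the remaining files alongside, and checks the copy with PRAGMA integrity_check before it is used. The file names (db.sqlite3, rsa_key.pem, config.json, attachments/, sends/) are assumptions based on what current Vaultwarden releases write; compare them with your own volume. The demo function builds a throwaway stand-in directory with a made-up table, not a real Vaultwarden schema.

```python
import shutil
import sqlite3
import tempfile
from pathlib import Path

# Assumed file names inside Vaultwarden's /data volume (check against your own).
DB_NAME = "db.sqlite3"
PLAIN_FILES = ("rsa_key.pem", "config.json")   # JWT signing key, admin-page settings
BLOB_DIRS = ("attachments", "sends")           # encrypted attachment and Send payloads


def snapshot_vaultwarden(data_dir, dest_dir):
    """Copy a live Vaultwarden data directory to dest_dir.
    The database goes through SQLite's online backup API, which yields a consistent
    copy even while the server is writing; the other files are copied as-is."""
    data_dir, dest_dir = Path(data_dir), Path(dest_dir)
    dest_dir.mkdir(parents=True, exist_ok=True)
    src = sqlite3.connect(str(data_dir / DB_NAME))
    dst = sqlite3.connect(str(dest_dir / DB_NAME))
    try:
        src.backup(dst)
    finally:
        dst.close()
        src.close()
    for name in PLAIN_FILES:
        if (data_dir / name).exists():
            shutil.copy2(data_dir / name, dest_dir / name)
    for sub in BLOB_DIRS:
        if (data_dir / sub).is_dir():
            shutil.copytree(data_dir / sub, dest_dir / sub, dirs_exist_ok=True)
    return dest_dir


def verify_snapshot(dest_dir):
    """Open the copy read-only and refuse to trust it unless SQLite's integrity check
    passes; also return per-table row counts to compare with the source."""
    db_uri = f"file:{(Path(dest_dir) / DB_NAME).as_posix()}?mode=ro"
    con = sqlite3.connect(db_uri, uri=True)
    try:
        ok = con.execute("PRAGMA integrity_check").fetchone()[0] == "ok"
        tables = [r[0] for r in con.execute(
            "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'")]
        counts = {t: con.execute(f'SELECT count(*) FROM "{t}"').fetchone()[0] for t in tables}
    finally:
        con.close()
    return ok, counts


def demo_roundtrip():
    """Build a constructed stand-in data directory (a made-up table, not Vaultwarden's
    schema), snapshot it, verify the copy. Returns (integrity_ok, row_counts, key_copied)."""
    root = Path(tempfile.mkdtemp())
    data = root / "data"
    data.mkdir()
    con = sqlite3.connect(str(data / DB_NAME))
    with con:
        con.execute("CREATE TABLE demo_items (uuid TEXT PRIMARY KEY, data TEXT)")
        con.executemany("INSERT INTO demo_items VALUES (?, ?)",
                        [("a1", "2.ciphertext=="), ("b2", "2.ciphertext==")])
    con.close()
    (data / "rsa_key.pem").write_text("-----BEGIN PRIVATE KEY-----\nexample\n-----END PRIVATE KEY-----\n")
    (data / "attachments").mkdir()
    (data / "attachments" / "blob").write_bytes(b"\x00\x01")
    backup = snapshot_vaultwarden(data, root / "backup")
    ok, counts = verify_snapshot(backup)
    key_copied = (backup / "rsa_key.pem").read_text() == (data / "rsa_key.pem").read_text()
    shutil.rmtree(root)
    return ok, counts, key_copied


if __name__ == "__main__":
    print(demo_roundtrip())
```

Treat the snapshot as sensitive even though vault items are end-to-end encrypted: rsa_key.pem signs the server's login tokens, and the database is exactly what an attacker needs for an offline attack on a weak master password. Encrypt the snapshot before it leaves the host, and have the standby pull it rather than letting the standby push changes back.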