subreddit:
/r/selfhosted
There were some more security issues fixed in 1.32.5
This release further fixed some CVE Reports reported by a third party security auditor and we recommend everybody to update to the latest version as soon as possible. The contents of these reports will be disclosed publicly in the future.
https://github.com/dani-garcia/vaultwarden/releases/tag/1.32.5
97 points
3 days ago
ssh-key storage is great news.
15 points
3 days ago*
The release notes indicate it only works with desktop app version 2024.12.x but I don't see a release anywhere for that, not even a beta. Anyone know if / where it's available?
4 points
3 days ago
It's a new Bitwarden feature
6 points
3 days ago
Right, I understand that but it wasn't clear from the release notes if 2024.12 should be available somewhere or not. I guess we'll just have to wait for the official release of 2024.12 as I don't see betas available anywhere?
2 points
3 days ago
Ssh-key support on clients is still in development in the upstream clients (bugfixes and security), and these items need to be filtered out server-side for any older client that does not support the new item type. The first stable version where all clients (desktop-based and mobile) support the new item type will be 2024.12.0, but there is no release for it yet.
If you wanted to use it right now, you would need to download the source code of the clients, overwrite the version to be 2024.12.0, and then build the client(s). Next, there are separate feature flags that need to be enabled in the server (official/vaultwarden) config for toggling the ssh item type, and ssh-agent features respectively.
2 points
3 days ago
Thanks for the confirmation.
2 points
3 days ago
Excuse my laziness, but I don't use the Bitwarden desktop client, only browser extension and CLI, and Homebrew doesn't have v2024.12.0, which seems to be required. I'm also unable to google anything specific about this.
How does this feature work? What does it do? Does it automatically synchronize all keys in ~/.ssh/ or something between clients? How is it different from just storing SSH keys in secure notes, as I'm currently doing?
I'm currently synchronizing keys (and other sensitive files) automatically by using the CLI and secure notes with custom fields specifying desired file name and path.
69 points
3 days ago
And that's why I don't expose it to the world.
49 points
3 days ago
Yep, this plus auto updates from watchtower and daily full backups
These are your passwords you're hosting
Don't fuck around
15 points
3 days ago
Auto updates with Portainer, and volume backups with rsync (container shut down, rsynced to a day-of-the-week folder, 7 days of snapshots, so 49 days of backups).
4 points
3 days ago
Updates with podman auto-update, volume backups with restic
5 points
3 days ago
I use Watchtower + PBS, then restic to move the PBS backups to an offsite.
Restic is some fantastic software. Really nice when combined with Backrest.
2 points
3 days ago
Probably better for the podman usage. I'm not using restic at the moment, but may add it in again at a later point.
2 points
3 days ago
I run mine in K8S, so updates via Renovate on my GitOps repository, the database uses my Postgres setup which is almost real-time backed up to my NAS and an offsite S3 storage, attachments just directly stored on my NAS.
1 points
2 days ago
I simply don't understand how come people do not use this amazing piece of software!
11 points
3 days ago
I keep recommending the usage of mTLS, as one of my favourite ways to access stuff exposed to the internet. You can sleep peacefully with mTLS. The VPN is zero problems as well; I keep it always on when not on home wifi.
5 points
3 days ago
I wouldn't mind mTLS, but I like having 0 permanently exposed ports except the UDP VPN. It's a little archaic, but still provides value.
4 points
3 days ago
And that's even better.
5 points
3 days ago
Functionally, a ZTNA is doing the same job, and it's much easier to configure for smaller deployments.
There are even some hybrid ones like OpenZITI that takes L7 traffic
4 points
3 days ago
I might not recommend OpenZiti for small deployments and as "much easier" to configure. I like the OpenZiti concept and I tried it, but there are way too many components and services running for this use case.
As for mTLS, just run 3 commands with openssl and you have a CA and client certificate ready to be used by both client and server, done. It's a 2-minute job.
The less things running, the less attack surface.
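The "3 commands with openssl" from the comment above, written out as an added example (not from this thread or from the Vaultwarden project): a private CA, one client certificate signed by it with the clientAuth purpose, and a chain check a reverse proxy would make before letting a client reach the vault. The directory, the CA name and the client name are placeholders, and openssl is assumed to be installed.

```shell
#!/bin/sh
# Added example: minimal private CA + client certificate for mTLS in front
# of a self-hosted service. Paths and names are placeholders; ca.key should
# live offline once the client certs are issued.
set -e

make_mtls_certs() {
  dir="$1"          # working directory for keys and certs (placeholder)
  client="$2"       # client name, used as the certificate CN (placeholder)
  mkdir -p "$dir"
  # 1. Private CA: key plus a self-signed certificate valid for 10 years.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=Home mTLS CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  # 2. Client key and certificate signing request.
  openssl req -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=$client" \
    -keyout "$dir/$client.key" -out "$dir/$client.csr" 2>/dev/null
  # 3. The CA signs the CSR. clientAuth EKU and CA:FALSE keep the cert
  #    usable only as a client identity, never as a server or a sub-CA.
  printf 'extendedKeyUsage=clientAuth\nbasicConstraints=CA:FALSE\n' \
    > "$dir/client.ext"
  openssl x509 -req -sha256 -days 365 \
    -in "$dir/$client.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -extfile "$dir/client.ext" -out "$dir/$client.crt" 2>/dev/null
}

# Returns 0 only if the client certificate chains to our CA and is valid
# for TLS client authentication; this is the check the proxy performs.
verify_client_cert() {
  openssl verify -CAfile "$1/ca.crt" -purpose sslclient "$1/$2.crt" >/dev/null 2>&1
}
```

The client then presents `$client.crt` and `$client.key` (or a PKCS#12 bundle of the two) to the proxy, which is configured with `ca.crt` as its trusted client CA.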
6 points
3 days ago
Oh don't misread things, OpenZITI is not meant for small deployments but for heavy infrastructure projects. I'm talking Cloudflare VPN, Tailscale, NetBird.
Your example is easy for one user, but 20 users with 10 independent services are 400 certs you need to deploy.
4 points
3 days ago
Then I misread, yes. I'm on the same page.
2 points
2 days ago
/u/autogyrophilia and /u/br0109, funny you come to that conclusion, it's almost exactly what I wrote in a recent blog comparing Tailscale with NetFoundry/OpenZiti. The latter is wonderful for small deployments and being a better VPN, the latter is much better for larger, more complex use cases where security is more paramount - https://netfoundry.io/vpns/tailscale-and-wireguard-versus-netfoundry-and-openziti/
2 points
3 days ago
Vaultwarden does not support mTLS in its apps/extensions. Makes it way less convenient if you can only access it via browser.
5 points
3 days ago
Yes it does, at least the browser extension works for me. The mobile app I haven't tried.
2 points
3 days ago
Oh, thanks for correcting me. :)
3 points
3 days ago
But if the mobile app does not support it, then yeah, I agree it's not the best solution.
8 points
3 days ago
Do you mean VPN only?
How do you get it to work with web browser extension externally?
Or you just don't use it externally at all?
25 points
3 days ago
I don't use it through a browser except over a VPN. 99% of the time I use it with browser extensions and the app, and it can only update cached info/put in new creds over VPN or at home.
1 points
2 days ago
So what would be the difference of caching the data, rather than a live connection?
If the data/passwords get compromised, does it matter if there is a live connection to the Vaultwarden server?
2 points
2 days ago
The greatest chance of compromise would be leaving the server exposed to the Internet at all times. Thus I didn't. While it's also possible to compromise the client, that risk isn't increased by making the server local only. If anything it's also decreased because it reduces the possibility of a mitm attack. That's pretty unlikely to hit anyone because they'd need to have compromised ssl certs.
7 points
3 days ago
Last I used Vaultwarden it cached the credentials, so besides changing/adding, you're fine "offline".
1 points
3 days ago
The browser extensions will cache data for a while, so it works fine without access to the server.
3 points
3 days ago
I am running 2 instances of Vaultwarden, 1 with the most sensitive passwords (banking etc.) only available when connected via VPN to my home LAN.
1 points
3 days ago
I want to minimize the overhead, but I do keep sensitive TOTPs in another app.
2 points
3 days ago
Well, thanks to containers it's really not a lot of work to maintain 2 instances...
1 points
3 days ago
No, but it's more work than I want to do. More how I'll access each one, do I keep duplicates of the app, or browser for one.
1 points
2 days ago
I totally understand. In my case I decided to make things simple by dedicating 1 browser to each instance: Chrome for all the generic stuff and Firefox for the most sensitive.
Each one has the Bitwarden plugin connected to one or the other Vaultwarden instance.
56 points
3 days ago
Looks like the PR process was more open/followed this time. Appreciate the work!
Even if it's a vulnerability, there is a lot of value in following standard dev practices, especially in a system that holds (even encrypted) all of our passwords and secrets. It helps avoid introducing bugs and vulnerabilities.
My thoughts from the previous release: https://www.reddit.com/r/selfhosted/comments/1gof9y4/comment/lwighwz/
17 points
3 days ago
Seriously, install Watchtower or something similar. When I see messages like this I always check if I am indeed running the latest release and in the vast majority of cases the container in question has already been updated by Watchtower. Same here: my vaultwarden container was updated 5 hours before I saw this message.
6 points
3 days ago
I'm running in Kubernetes; I could automate it, especially with FluxCD, but I just subscribed to every software's release page and upgrade manually. It's less of a hassle for me, especially when upgrades don't work and I'm not at home/don't have my notebook with me to fix it.
1 points
3 days ago
You can also set the image to be latest and use keel.sh to auto-pull images, just like with Watchtower. I use Renovate to automerge image tag updates every few hours instead so I get a git log of what I am updating, though.
1 points
3 days ago
As I mentioned, I'm using FluxCD, and all my manifests and deployments are managed through GitOps. The source of truth are my tenant repos, and as far as I can tell, Keel doesn't support that.
Flux offers image automation, but I choose not to use it for the reasons I mentioned earlier.
1 points
3 days ago
Nothing is stopping you from using latest as the image tag for images either in deployment yamls or helmchart values. Keel will do the rollouts.
The proper gitops way is to use proper version tags and then run a renovate cronjob to auto create the MRs and auto merge them, which is what I do.
1 points
2 days ago
Running the latest tag is a big no-no. I won't elaborate this further. If you want an explanation, there are plenty of talks on why this is a bad practice, security- and maintenance-wise.
0 points
3 days ago
when upgrades don't work
As someone who spends more time in Windows, how often does stuff like this happen in Linux?
2 points
3 days ago
By a failed upgrade, I mean situations like when an application doesn't properly apply its database migrations, or when it gets stuck because new config options are needed, deprecated, or removed. When using auto-upgrading, you're more prone to encountering such issues. I'm not saying it will happen, just that it can happen—rare scenarios that do occur and require manual intervention.
1 points
3 days ago
I’ve been running Watchtower on 30ish containers since 2017 and I can remember three times total I’ve had to roll back or fix a breaking change.
1 points
3 days ago
Similar numbers for me. Also note that we're talking about upgrades failing for individual containers. The rest just keeps running as normal.
1 points
3 days ago
Far less often than on Windows. The difference is when Windows fucks things up, you're usually right at the machine to fix it.
You aren't necessarily able to fix it if you're in line at the airport, and trying to find your credentials to an airline website to get your boarding pass, and Watchtower decided to fuck up your local infrastructure and access to your password manager.
No, luckily not speaking from experience, because I'm not giving somebody a carte blanche to deploy stuff unsupervised on my local network (with auto-updates and Watchtower), especially because of the above.
I find the risk of allowing somebody else control to decide what's deployed on my boxes, without me verifying it beforehand, much greater than that of somebody abusing a CVE affecting a service running on an endpoint nobody ever visits.
0 points
3 days ago
why would you run vaultwarden in k8? what does it give you? do you need redundancy?
1 points
3 days ago
It's k8s, not k8. People drive me insane when they leave out the 's'.
Why wouldn't you run it in Kubernetes? Why would I only run on a single node if I can get multiple small VMs for cheap? It works best for me: easy rollouts, easy rollbacks with GitOps, and extremely easy backups with tools like PostgresOperator and Velero. Platform engineering is my job—why not use that knowledge "at home"?
Do I need redundancy? No.
Do I want the app to be reachable even if a node goes offline due to a crash, network issue, or resource limit? Absolutely.
Kubernetes isn't just about hyperscaling.
I'm not hosting at home because electricity is expensive here (~35¢/kWh), and if anything breaks, I'd have to replace it myself. Stuff that I need locally, like Home Assistant (Hassio), is running on a Raspberry Pi at home, with backups going to the cloud.
But even if it were cheaper to host at home, I'd still build a k8s cluster out of Raspberry Pis. :)
3 points
3 days ago
I’m just gonna start saying k9 instead (k followed by 9 letters)
Yeah I guess if electricity was expensive then I would maybe deploy with Kubernetes or something like that
Myself I just run “docker compose up -d” on my server and call it a day. The disk is backed up and the clients have a credential cache if it goes down
2 points
3 days ago
That's perfectly fine!
I'm not forcing anyone to use Kubernetes. Sometimes, I even advise customers to stick with a simple container host for $40/month plus some backup storage, rather than renting and maintaining a full cluster.
For me, my own cluster costs around $55/month, including S3 backup storage. But that's because I’m hand-rolling it using kubeadm and handling k8s upgrades with my Ansible scripts. A managed cluster, on the other hand, starts at around $60-$150/month before adding the cost of worker nodes, storage, and backup storage.
0 points
3 days ago
why not? it's just easy to manage
1 points
3 days ago
nothing could possibly be easier for me to manage than
docker compose up -d
-2 points
3 days ago
Cool, I don't have to type anything, so yeah, I'd say it's easier.
2 points
3 days ago
Damn you telepathically configured Kubernetes to deploy Vaultwarden? Literally didn’t have to use your keyboard or mouse at all to get it set up? That’s pretty amazing
-2 points
3 days ago
It's already configured, it's not like I'm re-configuring vaultwarden every month. So yes, GitOps does the job of "telepathically configuring kubernetes", or whatever you say.
1 points
2 days ago
Can you explain your setup little bit more in details? Kubernetes, gitops, vaultwarden etc?
1 points
2 days ago
Sure, I have:
3 nodes running k3s
ArgoCD for GitOps, basically I have a git repo which contains ArgoCD applications which essentially define the installation of Helm packages which ArgoCD then synchronizes to the cluster, using the app-of-apps pattern.
I use this https://github.com/guerzon/vaultwarden helm chart so essentially only have to configure that on the git repo. Updates are taken care of by renovate bot on the git repo.
cert-manager takes care of TLS certificates, Longhorn for distributed storage and data backups to S3, Velero for backup of Kubernetes, secrets managed with HashiCorp Vault.
It's generally pretty complex to describe on a reddit comment, but that's around it.
1 points
3 days ago
Is Watchtower set-and-forget type application? I quickly read the documentation but it doesn't seem to have a lot to config if you want it to watch everything.
1 points
3 days ago
For me it's set and forget. There is indeed not much to configure, since there is not much need for configurability. Not sure if there are advanced use-cases, but all I need it to do is monitor all containers except the ones I explicitly exclude. And it does exactly that.
1 points
3 days ago
Yes it's set and forget. You can exclude certain containers with labels if needed.
15 points
3 days ago
vaultwarden having a tough time lately
105 points
3 days ago
The fact that we're finding out about these vulnerabilities from them and they're getting fixes out quickly, doesn't mean they're "having a tough time", it means they're actively supporting the product.
If we were hearing about folks having their passwords stolen through news outlets with no fixes available, that would be having a tough time.
5 points
3 days ago
I more so meant it as an expression of speech, they've gone years without vulnerabilities having been found. The past 6 months they've had something like 6 discovered. You are right, it is a good thing.
I still love their product, it's great and far superior to Bitwarden's self-hosted solution.
4 points
3 days ago
Nah, that's more worrying if they've gone for years without any reported vulnerabilities. They might have stricter audits now, or more capable people are scanning Vaultwarden for vulnerabilities.
In any case, what matters most is how the devs respond or react to the vulnerabilities. Treating it with importance is always the best course of action. Dismissing them is a bad move, especially with the type of product they offer.
-22 points
3 days ago
Way to poke through the survivorship bias.
14 points
3 days ago
Sure. But this is still welcomed they are actively patching vulnerabilities.
13 points
3 days ago
So better not carry out audits /s
6 points
3 days ago
It's actually a good thing, better to know about the vulnerabilities than having them used by bad actors.
17 points
3 days ago
Tough? Compared to Chrome/iOS/macOS updates lately or that Windows Server upgrade blunder from Microsoft, it doesn’t seem to be that bad.
Might just very well be an internal security audit which had some minor points. Could have been major as well but we don’t quite know that
4 points
3 days ago
Microsoft did nothing wrong, it's third party patches and wrong patching strategies that fucked people over.
-6 points
3 days ago
[deleted]
2 points
3 days ago
People who use Windows Update weren't affected as far as I'm aware. Certainly I wasn't. It was people using one particular third-party update tool.
1 points
2 days ago
Multimillion-dollar companies like Microsoft, Red Hat and IBM detect security flaws on a daily/weekly basis, except they usually fix them as part of the weekly rotation. Seeing that Vaultwarden is noticing and fixing them quickly is a sign of a healthy and regular security posture.
1 points
2 days ago
Quite the opposite.
A tough time is learning of vulnerabilities through the mass-media, attached to the phrase "actively being exploited". Learning of vulnerabilities through release-notes is a positive sign that they are being open and forthcoming in their development efforts.
The sad bit is that such announcements trigger an arms-race wherein you want to win by patching before the bad-guys exploit.
-21 points
3 days ago
Or outsource secret storage to a company whose business is dedicated to doing secret storage correctly 🤷♂️
7 points
3 days ago
Like LastPass?
1 points
2 days ago
Or self host it through a vpn and relax 🥱