Taking a little break from my Meteorological meanderings posts, I wanted to share my experience in switching away from KeePass, which I have used since at least 2007, to Bitwarden, a much more modern open source password manager. I’ve been a fan of the idea of password managers for a long time. They encourage the use of complex passwords that you don’t have to remember and that attackers are unlikely to brute-force; they help to make credential stuffing attacks effectively obsolete; and, these days, they speed up the login processes to various websites using browser extensions and mobile apps.
That said, I’ve been stuck in the past for a while now. While I have no concerns with the security of KeePass itself, the problem is, in order to have the more convenient features like automatic syncing, browser integration, and cross-platform compatibility, I’d have to use various third party tools, forks, implementations, or plugins. That has always made me just uncomfortable enough to avoid. Of course, I couldn’t realistically avoid things like automatic syncing of the password database, so I came up with my own solution of using Box.com to sync the .kdbx file across my devices, while using an offline KeePass-compatible Android app. My reasoning is that, since the KeePass applications function offline and the syncing applications have no concept of what it is they’re syncing, it should be safe enough to avoid potentially unpleasant situations like the sync service knowing a little too much about the password database, or the password manager syncing to something I didn’t authorize. (Yes, these are mostly theoretical concerns, but I like to err on the side of paranoia when it comes to my passwords.)
I’ve been aware of Bitwarden for some time, but I’ve shied away from seriously considering it because it didn’t – and still doesn’t – support modifying password information while offline. I’ve since reconsidered my stance on that and decided that it’s not important enough of a feature to be a deal breaker for me. And besides, it does support offline read access to cached vault data, which should be good enough. I’m still not comfortable letting an informed third party store my password data, which is why I decided to host an instance of Bitwarden_RS at home instead of using Bitwarden’s own cloud hosting service. Bitwarden_RS is a lean implementation of the Bitwarden server, written in Rust. Since all Bitwarden clients have the ability to communicate with self-hosted servers (which, in my book, makes Bitwarden by far the number one modern password manager), I’m able to use the official apps mostly as intended by the developer, while keeping the data as private as it can reasonably get.
Since I didn’t want to expose my Bitwarden_RS instance to the public internet, and I didn’t want to deal with the hassle of VPN connections interfering with routing as they often tend to, I decided to put the server as well as all the clients (including my phone) on a ZeroTier network dedicated to Bitwarden. ZeroTier creates virtual, decentralized software defined networks. I tend to think of it as a lightweight hybrid between a VPN and a LAN connection. In practice, I can create, for example, a 192.168.128.0/24 network and authorize any of my devices to access this network and the other devices on it, as long as they have the ZeroTier One client installed. I haven’t experienced any routing trouble with this setup, unlike traditional VPNs. Adding to this mix some public and private DNS entries pointing to an IP in a non-routable address space and a Let’s Encrypt certificate for those DNS entries, and the end result is a valid HTTPS endpoint that is reachable only on the private ZeroTier network (and my LAN). Unfortunately, I have run into an issue with (surprise!) a VPN connection interfering with ZeroTier, but it’s something that I hope will be resolved soon with a configuration change to the VPN.
Migrating my data from KeePass to Bitwarden was very easy: export the unencrypted KeePass XML file, import it into the Bitwarden vault, and then sdelete the XML file. The only issue I encountered was that Bitwarden ignores binary attachments in its import functionality. Since I had less than ten of these, I simply migrated them manually by looking for
<Binary/> entries in the KeePass XML to determine what they were, and then extracting them through the UI. For people who have many attachments, a tool is mentioned in the GitHub issue linked above that should transfer over KeePass attachments as well as references correctly.
So far, I’ve only had my Bitwarden setup running for a few days, but it seems to be quite stable, and, with the exception of the VPN issue, I haven’t encountered any real problems with it. I’m pretty happy with the Windows and Android apps, as well as with the browser extensions. The auto-fill functionality feels like it’s finally bringing me closer to the state of the art for the convergence of security and convenience, which is very exciting!