Bitwarden (Vaultwarden)
Self-hosted password manager using Vaultwarden on TrueNAS. Compatible with official Bitwarden clients — point them at your own server instead of bitwarden.com.
Server: TrueNAS @ 192.168.2.203
Public URL: vault.saxobroko.com
URL and server setting
Every client needs the custom server URL:
| Access | Notes |
|---|---|
| Public | https://vault.saxobroko.com — primary for sync from phone/laptop |
| LAN | Optional direct port via TrueNAS Apps if tunnel is down; same account |
Web vault, browser extensions, and mobile apps all use the same URL and one vault account (plus orgs if you add them later).
Clients
Install official Bitwarden apps and set self-hosted environment / server URL before login.
| Platform | Client | Setup |
|---|---|---|
| Windows PC @ 192.168.2.200 | Bitwarden desktop + browser extension | Settings → self-hosted → https://vault.saxobroko.com |
| Android / iOS | Bitwarden mobile | Settings → self-hosted environment |
| Browser | Bitwarden extension (Chrome, Firefox, Edge) | Same server URL on first login |
| Web | vault.saxobroko.com | Full vault when apps unavailable |
Unlock with the master password; 2FA (below) is required at account login. The extension can use PIN/biometric for day-to-day unlock after the first master-password entry.
Two-factor authentication (2FA)
Protect the vault account with 2FA — losing the master password without recovery is catastrophic.
| Method | Use |
|---|---|
| Authenticator app (TOTP) | Recommended baseline — store recovery codes in a safe offline place |
| YubiKey / WebAuthn | Supported by Bitwarden for account 2FA — see Yubikey |
| Email 2FA | Weaker; use only as backup if enabled |
Organization policies (if used later) can enforce 2FA for all members.
Important: Save the 2FA recovery code and a master password hint somewhere offline (paper in a safe, not in SaxDocs).
What is stored here
Vaultwarden holds secrets that must never appear in SaxDocs markdown.
| Category | Examples |
|---|---|
| Infrastructure | TrueNAS admin, UniFi, Cloudflare, Authentik |
| Homelab apps | NPM, Jellyfin admin, Navidrome, qBittorrent Web UI, Sonarr/Radarr API keys |
| Private trackers | Aither and other indexer credentials (referenced in Aither and trackers) |
| Personal | Banking, email, shopping — same vault or separate folders/collections |
| Emergency | ISP account, domain registrar, recovery codes |
Use folders/collections (e.g. Homelab, Personal, Finance) so sharing and search stay sane.
Backup
Vaultwarden data lives on the TrueNAS pool (SQLite DB + attachments). Backup strategy:
| Layer | What |
|---|---|
| TrueNAS | Pool snapshots / cloud sync / periodic dataset backup — see TrueNAS |
| Vaultwarden export | Periodic Tools → Export vault (encrypted JSON) from a logged-in client; store offline |
| Recovery sheet | Master password + 2FA recovery stored physically |
Test the restore occasionally: import the encrypted export into a test vault, or verify a DB restore on a non-prod instance.
If the vault is gone and there is no export, you re-create every password manually — treat this as tier-zero data.
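The "snapshot DB first" step from the backup and update tables above, as an added example (not Vaultwarden's own tooling): it copies the live SQLite database with the SQLite online backup API rather than a plain file copy, which can produce a torn copy of a database that is being written to, tars the attachments directory, and then opens the copy read-only to run `PRAGMA integrity_check` and count rows. The data directory layout (`db.sqlite3`, `attachments/`), the `VW_DATA_DIR` / `VW_BACKUP_DIR` environment variables and the table names checked are assumptions to adjust to the TrueNAS app config.

```python
"""Consistent backup plus restore-check for a Vaultwarden SQLite database.

Added example for this page; not part of Vaultwarden. Uses
sqlite3.Connection.backup (the SQLite online backup API) so the copy is
page-consistent even if the app is running. Paths are assumptions.
"""
import os
import sqlite3
import tarfile
from contextlib import closing
from datetime import datetime, timezone
from pathlib import Path

# Assumed layout of the Vaultwarden data directory; adjust to the TrueNAS app dataset.
DATA_DIR = Path(os.environ.get("VW_DATA_DIR", "/mnt/tank/apps/vaultwarden/data"))
DB_NAME = "db.sqlite3"
ATTACHMENTS_DIR = "attachments"
# Assumed table names; only the ones that actually exist in the DB are reported.
TABLES_OF_INTEREST = ("users", "ciphers", "attachments", "folders")


def backup_database(src_db: Path, dest_db: Path) -> None:
    """Copy a live SQLite database with the online backup API (no torn pages)."""
    dest_db.parent.mkdir(parents=True, exist_ok=True)
    with closing(sqlite3.connect(src_db)) as src, closing(sqlite3.connect(dest_db)) as dst:
        src.backup(dst)  # copies every page in one step


def verify_database(db_path: Path) -> dict:
    """Open a copy read-only, run integrity_check and count rows per known table."""
    uri = f"file:{db_path}?mode=ro"
    with closing(sqlite3.connect(uri, uri=True)) as conn:
        integrity = conn.execute("PRAGMA integrity_check").fetchone()[0]
        existing = {
            row[0]
            for row in conn.execute("SELECT name FROM sqlite_master WHERE type='table'")
        }
        counts = {}
        for table in TABLES_OF_INTEREST:  # names come from a fixed constant, not user input
            if table in existing:
                counts[table] = conn.execute(f"SELECT COUNT(*) FROM {table}").fetchone()[0]
    return {"ok": integrity == "ok", "integrity": integrity, "counts": counts}


def archive_attachments(attachments_dir: Path, dest_tar: Path) -> int:
    """Tar the attachments directory; returns the number of files archived (0 if absent)."""
    if not attachments_dir.is_dir():
        return 0
    count = 0
    with tarfile.open(dest_tar, "w:gz") as tar:
        for path in sorted(attachments_dir.rglob("*")):
            if path.is_file():
                tar.add(path, arcname=str(path.relative_to(attachments_dir.parent)))
                count += 1
    return count


def run_backup(data_dir: Path, backup_root: Path) -> dict:
    """Back up DB + attachments into a timestamped directory and verify the DB copy."""
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    target = backup_root / f"vaultwarden-{stamp}"
    backup_database(data_dir / DB_NAME, target / DB_NAME)
    files = archive_attachments(data_dir / ATTACHMENTS_DIR, target / "attachments.tar.gz")
    report = verify_database(target / DB_NAME)
    report["backup_dir"] = str(target)
    report["attachment_files"] = files
    return report


if __name__ == "__main__":
    result = run_backup(DATA_DIR, Path(os.environ.get("VW_BACKUP_DIR", "/tmp/vw-backups")))
    print(result)
    raise SystemExit(0 if result["ok"] else 1)
```

Run it before a TrueNAS Apps upgrade and keep the resulting directory alongside the pool snapshot; a non-zero exit means the copy failed its integrity check and the upgrade should wait. The row counts are the quick sanity figure to compare when doing the periodic restore test on a non-prod instance.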
Admin (Vaultwarden / server)
Vaultwarden admin panel is separate from the Bitwarden user vault.
| Task | Where |
|---|---|
| Admin token / panel | TrueNAS app env (ADMIN_TOKEN) — access via documented Vaultwarden admin URL on LAN only |
| User signup | Often disabled in production; create users from admin or invite |
| SMTP | Configure in Vaultwarden env for verification emails if signup enabled |
| Updates | TrueNAS Apps → upgrade Vaultwarden image; snapshot DB first |
Admin URL and token are in Vaultwarden (bootstrap) or TrueNAS app config — not duplicated here.
Day-to-day password use does not need admin — only user login at vault.saxobroko.com.
Security notes
- HTTPS only via Cloudflare Tunnel; never expose Vaultwarden over plain HTTP to the internet
- Block non-AU (Australia) traffic at the tunnel, same as for the other homelab hosts
- Strong master password (passphrase length beats complexity theater)
- Do not store the master password in the browser's built-in password manager (the recursion the vault is meant to avoid), and never without 2FA on the account
Related
- Authentik — SSO for some apps, not the vault itself
- Services on TrueNAS
- Network
- Yubikey