Bitwarden (Vaultwarden)

Self-hosted password manager using Vaultwarden on TrueNAS. Compatible with official Bitwarden clients — point them at your own server instead of bitwarden.com.

Server: TrueNAS @ 192.168.2.203
Public URL: vault.saxobroko.com

URL and server setting

Every client needs the custom server URL:

https://vault.saxobroko.com

Access   Notes
Public   https://vault.saxobroko.com — primary for sync from phone/laptop
LAN      Optional direct port via TrueNAS Apps if tunnel is down; same account

Web vault, browser extensions, and mobile apps all use the same URL and one vault account (plus orgs if you add them later).

Clients

Install the official Bitwarden apps and set the self-hosted environment / server URL before logging in.

Platform                    Client                                       Setup
Windows PC @ 192.168.2.200  Bitwarden desktop + browser extension        Settings → self-hosted → https://vault.saxobroko.com
Android / iOS               Bitwarden mobile                             Settings → self-hosted environment
Browser                     Bitwarden extension (Chrome, Firefox, Edge)  Same server URL on first login
Web                         vault.saxobroko.com                          Full vault when apps unavailable

Unlock with the master password; 2FA (below) applies to account login. The extension can use PIN/biometric for day-to-day unlock after the first master password entry.

Two-factor authentication (2FA)

Protect the vault account with 2FA — losing the master password without recovery is catastrophic.

Method                    Use
Authenticator app (TOTP)  Recommended baseline — store recovery codes in a safe offline place
YubiKey / WebAuthn        Supported by Bitwarden for account 2FA — see Yubikey
Email 2FA                 Weaker; use only as backup if enabled

Organization policies (if used later) can enforce 2FA for all members.

Important: Save 2FA recovery code and master password hint somewhere offline (paper in a safe, not in SaxDocs).

What is stored here

Vaultwarden holds secrets that must never appear in SaxDocs markdown.

Category          Examples
Infrastructure    TrueNAS admin, UniFi, Cloudflare, Authentik
Homelab apps      NPM, Jellyfin admin, Navidrome, qBittorrent Web UI, Sonarr/Radarr API keys
Private trackers  Aither and other indexer credentials (referenced in Aither and trackers)
Personal          Banking, email, shopping — same vault or separate folders/collections
Emergency         ISP account, domain registrar, recovery codes

Use folders/collections (e.g. Homelab, Personal, Finance) so sharing and search stay sane.

Backup

Vaultwarden data lives on the TrueNAS pool (SQLite DB + attachments). Backup strategy:

Layer               What
TrueNAS             Pool snapshots / cloud sync / periodic dataset backup — see TrueNAS
Vaultwarden export  Periodic Tools → Export vault (encrypted JSON) from a logged-in client; store offline
Recovery sheet      Master password + 2FA recovery stored physically

Test the restore occasionally: import the encrypted export into a test vault, or restore the DB on a non-prod instance and verify it.

If the vault is gone and there is no export, you re-create every password manually — treat this as tier-zero data.
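The DB layer of the backup table above, as an added example that is not Vaultwarden's or TrueNAS's own tooling: a POSIX shell script that takes a consistent copy of the live SQLite database with the sqlite3 CLI's online backup command, refuses to keep a copy that fails PRAGMA integrity_check, bundles it with the attachments directory and the RSA key files into a timestamped tarball, and prunes old tarballs. It assumes Vaultwarden's default data layout (db.sqlite3 and attachments/ in one data directory), the sqlite3 CLI on the host, and a destination directory that is itself covered by the TrueNAS snapshot / cloud-sync layer. The script name, the function names and the default retention of 14 tarballs are my choices, not anything from the app config.

```shell
#!/bin/sh
# vw_backup.sh: consistent Vaultwarden backup (added example, not part of the page or of Vaultwarden).
# Assumes: DATA_DIR holds db.sqlite3 and attachments/ (Vaultwarden defaults), the sqlite3 CLI
# is installed on the host running this, and DEST is a directory covered by TrueNAS snapshots.

set -eu

# Take a consistent copy of the live database via SQLite's online backup API.
# A plain cp of db.sqlite3 can capture a half-written page while Vaultwarden is running.
vw_backup_db() {
    data_dir=$1; out=$2
    sqlite3 "$data_dir/db.sqlite3" ".backup '$out'"
    # Refuse to keep a copy that does not pass SQLite's own consistency check.
    [ "$(sqlite3 "$out" 'PRAGMA integrity_check;')" = "ok" ] || { rm -f "$out"; return 1; }
}

# Bundle the DB copy, attachments and rsa_key* (JWT signing keys, if present) into one
# timestamped tarball under DEST; prints the tarball path.
vw_backup() {
    data_dir=$1; dest=$2
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    work=$(mktemp -d)
    vw_backup_db "$data_dir" "$work/db.sqlite3"
    if [ -d "$data_dir/attachments" ]; then cp -R -p "$data_dir/attachments" "$work/"; fi
    for f in "$data_dir"/rsa_key*; do
        if [ -e "$f" ]; then cp -p "$f" "$work/"; fi
    done
    tar -C "$work" -czf "$dest/vaultwarden-$stamp.tar.gz" .
    rm -rf "$work"
    printf '%s\n' "$dest/vaultwarden-$stamp.tar.gz"
}

# Keep the newest KEEP tarballs in DEST and delete the rest. Sorting on the UTC
# timestamp embedded in the file name makes this independent of mtime.
vw_prune() {
    dest=$1; keep=$2
    ls "$dest"/vaultwarden-*.tar.gz 2>/dev/null | sort -r | tail -n +"$((keep + 1))" |
        while IFS= read -r old; do rm -f "$old"; done
}

# Number of tarballs currently in DEST.
vw_count() {
    ls "$1"/vaultwarden-*.tar.gz 2>/dev/null | wc -l | tr -d ' '
}

# Usage: vw_backup.sh DATA_DIR DEST [KEEP]   (KEEP defaults to 14)
if [ "${1-}" ] && [ "${2-}" ]; then
    vw_backup "$1" "$2"
    vw_prune "$2" "${3:-14}"
fi
```

Run it from a TrueNAS cron job, e.g. `sh vw_backup.sh /mnt/<pool>/vaultwarden /mnt/<pool>/backups/vaultwarden 14` (paths are placeholders for the app's dataset). The tarball needs the same protection as the live DB: it holds the encrypted vault blobs plus the users' master-password hashes and 2FA secrets, so it belongs on a snapshotted dataset, never in SaxDocs.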

Admin (Vaultwarden / server)

Vaultwarden admin panel is separate from the Bitwarden user vault.

Task                 Where
Admin token / panel  TrueNAS app env (ADMIN_TOKEN) — access via the documented Vaultwarden admin URL on LAN only
User signup          Often disabled in production; create users from admin or invite
SMTP                 Configure in Vaultwarden env for verification emails if signup enabled
Updates              TrueNAS Apps → upgrade Vaultwarden image; snapshot DB first

Admin URL and token are in Vaultwarden (bootstrap) or TrueNAS app config — not duplicated here.

Day-to-day password use does not need admin — only user login at vault.saxobroko.com.

Security notes

  • HTTPS only via Cloudflare Tunnel; do not expose Vaultwarden plain HTTP to the internet
  • Block non-Australian traffic on the tunnel — same as other homelab hosts
  • Strong master password (passphrase length > complexity theater)
  • Do not store the master password in the browser's built-in “password manager” (meta-recursion) without 2FA
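The env-side rules from the Admin table and the Security notes (admin token kept only as a hash, signup disabled, HTTPS-only public URL, SMTP over TLS), as an added audit script that is not part of Vaultwarden or of this setup: it reads a KEY=VALUE env file of the kind the TrueNAS app exposes and reports each weak setting. The variable names (ADMIN_TOKEN, SIGNUPS_ALLOWED, DOMAIN, SHOW_PASSWORD_HINT, SMTP_SECURITY) are Vaultwarden's documented ones, and `vaultwarden hash` is its own command for producing the Argon2 PHC string that ADMIN_TOKEN accepts; the script name, the env-file format assumption and the set of checks are mine.

```shell
#!/bin/sh
# vw_audit_env.sh: audit a Vaultwarden env file for weak settings.
# Added example for this page, not Vaultwarden's own tooling. Assumes the TrueNAS app's
# environment is available as KEY=VALUE lines (the .env / compose form Vaultwarden reads).

set -eu

# Read KEY from an env file; prints the last value set, with surrounding quotes stripped.
env_get() {
    file=$1; key=$2
    sed -n "s/^[[:space:]]*${key}=//p" "$file" | tail -n 1 | sed "s/^['\"]//; s/['\"]\$//"
}

# Print one line per finding; the return code is the number of FAIL findings.
vw_audit_env() {
    file=$1; findings=0

    # A plaintext ADMIN_TOKEN is a static bearer credential sitting in the app config.
    # Vaultwarden accepts an Argon2 PHC string ($argon2id$...) so the file holds only a hash.
    token=$(env_get "$file" ADMIN_TOKEN)
    if [ -z "$token" ]; then
        echo "WARN ADMIN_TOKEN unset: the /admin panel is disabled (fine if never used)"
    else
        case "$token" in
            '$argon2'*) ;;
            *) echo "FAIL ADMIN_TOKEN is plaintext; store the Argon2 PHC hash from 'vaultwarden hash'"
               findings=$((findings + 1)) ;;
        esac
    fi

    # Open signups on an internet-reachable vault let anyone create an account
    # (Vaultwarden's default is true, so unset counts as weak).
    case "$(env_get "$file" SIGNUPS_ALLOWED)" in
        false) ;;
        *) echo "FAIL SIGNUPS_ALLOWED is not false; create users by invite instead"
           findings=$((findings + 1)) ;;
    esac

    # Clients and emails use DOMAIN as the server URL; anything but https breaks the
    # "HTTPS only via the tunnel" rule.
    domain=$(env_get "$file" DOMAIN)
    case "$domain" in
        https://*) ;;
        *) echo "FAIL DOMAIN is '$domain'; must be the https:// public URL"
           findings=$((findings + 1)) ;;
    esac

    # Password hints are shown to anyone who knows an account's email address.
    case "$(env_get "$file" SHOW_PASSWORD_HINT)" in
        true) echo "FAIL SHOW_PASSWORD_HINT=true exposes hints on the login page"
              findings=$((findings + 1)) ;;
    esac

    # SMTP credentials sent with SMTP_SECURITY=off travel in the clear (default is starttls).
    case "$(env_get "$file" SMTP_SECURITY)" in
        ''|starttls|force_tls) ;;
        *) echo "FAIL SMTP_SECURITY must be starttls or force_tls"
           findings=$((findings + 1)) ;;
    esac

    return "$findings"
}

# Usage: vw_audit_env.sh PATH_TO_ENV_FILE   (exit code = number of FAIL findings)
if [ "${1-}" ]; then
    vw_audit_env "$1"
fi
```

Run it against the env exported from the TrueNAS app before each upgrade; a non-zero exit code means at least one of the rules above is violated. It audits only the file it is given, so a token still stored in plaintext somewhere else (shell history, a compose override) is out of its scope.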