We are considering Bitwarden as a password manager for our project, with the main goal of having separate access to secrets by user roles and/or ACLs.
I.e. Pass or KeePass are good for use by a single person, but they lack the main things – a normal web interface and role-based access to data. There are 1Password/LastPass of course, but they keep data on their own servers, which is not too good for me.
Bitwarden is open source and can be used as a cloud-based version or installed on your own server.
It has a free personal version and a paid one with additional features.
Besides personal usage, it can be used for business with user roles – I will try that later.
The home page is here>>>.
The main things I liked in Bitwarden:
- has desktop applications for Linux, macOS, Windows
- all browsers extensions
- applications for Android and iOS
- RESTful API (in Enterprise version), i.e. theoretically can be used from Jenkins to populate its secrets
- has CLI utilities
- MFA authorization
- roles/groups based access (Enterprise version)
- File Storage
- data import from other password managers (Chrome, KeePass, 1Password etc)
Quick installation documentation is available here>>> and the full documentation here>>>.
In this post, Bitwarden will be installed on an AWS EC2 instance with an additional EBS volume mounted to /bitwarden, where Bitwarden will store its data and which will be backed up by AWS Data Lifecycle Manager.
On the EC2, NGINX will run as a frontend, and SSL sessions with a certificate from Let’s Encrypt will be terminated there.
Although Bitwarden runs in a Docker Compose stack with its own NGINX and Let’s Encrypt certificate support – I’ll do it in a more traditional way, i.e. NGINX on the host will proxy requests to the NGINX in Bitwarden’s stack, and that NGINX in its turn will proxy requests to its internal services.
Contents
- AWS
- Creating EC2
- Creating EBS
- Security Group
- Mounting EBS
- DNS
- The host’s set up
- Let’s Encrypt
- NGINX
- Docker and Docker Compose
- Bitwarden installation
- Bitwarden configuration
- Email configuration
- Registration in the Bitwarden
- Bitwarden Admin and users
- Users settings
- Working with Bitwarden
- Chrome plugin
- Linux desktop
- Import from KeePass
- Multi-factor authorization
- Backing up and restoring Bitwarden storage
AWS
Creating EC2
I’ll use Debian here. AMIs can be found here>>>.
At first I started a t3.nano, but this wasn’t enough – the instance just hangs after starting Bitwarden, which is not surprising given that it uses MSSQL and has 9 containers running. And Bitwarden itself is a .NET application written in C#.
Run an EC2 instance of the t3.medium type:
$ aws --profile bm-backend ec2 run-instances --region eu-west-1 --image-id ami-01820e22b83de8d0d --key-name setevoy-testing --instance-type t3.medium --tag-specifications 'ResourceType=instance,Tags=[{Key=Name,Value=bitwarden-dev}]'
Get its Availability Zone:
$ aws --profile bm-backend ec2 describe-instances --region eu-west-1 --filters "Name=tag:Name,Values=bitwarden-dev" --query "Reservations[*].Instances[*].[Placement.AvailabilityZone]" --output text
eu-west-1a
Creating EBS
Create an EBS volume (by default the standard type, i.e. HDD, will be used; if you want an SSD, add --volume-type gp2):
$ aws --profile bm-backend ec2 create-volume --region eu-west-1 --availability-zone eu-west-1a --size 5 --tag-specifications 'ResourceType=volume,Tags=[{Key=Name,Value=bitwarden-dev-ebs}]'
Here we set the same region (--region eu-west-1) and the same Availability Zone (--availability-zone eu-west-1a) where the EC2 was started, and a disk size of 5 GiB.
Get this EBS ID:
$ aws --profile bm-backend ec2 describe-volumes --region eu-west-1 --filters "Name=tag:Name,Values=bitwarden-dev-ebs" --query "Volumes[*].VolumeId" --output text
vol-0621e68897eb2a3d8
And the ID of the EC2:
$ aws --profile bm-backend ec2 describe-instances --region eu-west-1 --filters "Name=tag:Name,Values=bitwarden-dev" --query "Reservations[*].Instances[*].InstanceId" --output text
i-0ac18e298768e2c4b
Attach this EBS to the EC2:
$ aws --profile bm-backend ec2 attach-volume --region eu-west-1 --volume-id vol-0621e68897eb2a3d8 --instance-id i-0ac18e298768e2c4b --device xvdb
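The EC2 and EBS steps above as one re-runnable script. This is an added example, not code from the original post: the profile, key pair, AMI and tag names are the post’s values and are meant to be replaced, and two things go beyond the post’s commands: `aws ec2 wait` is used so that the volume is only created after the instance is running (and attached only once it is available), and the volume is created with `--encrypted`, since it will hold the vault database. The test below replaces the `aws` command with a constructed stub, so it runs without AWS credentials.

```shell
#!/bin/sh
# Added example (not from the original post): provision the EC2 instance and
# its data volume in one go. Values below are placeholders taken from the post.
set -eu

PROFILE="${PROFILE:-bm-backend}"
REGION="${REGION:-eu-west-1}"
AMI_ID="${AMI_ID:-ami-01820e22b83de8d0d}"        # Debian AMI from the post
KEY_NAME="${KEY_NAME:-setevoy-testing}"
INSTANCE_TYPE="${INSTANCE_TYPE:-t3.medium}"
NAME="${NAME:-bitwarden-dev}"
VOLUME_SIZE_GIB="${VOLUME_SIZE_GIB:-5}"

# All calls go through one wrapper so profile and region are set once.
aws_ec2() { aws --profile "$PROFILE" --region "$REGION" ec2 "$@"; }

# Build the --tag-specifications value for a resource type and Name tag.
tag_spec() { # $1 resource type, $2 Name value
  printf 'ResourceType=%s,Tags=[{Key=Name,Value=%s}]' "$1" "$2"
}

# Launch the instance and print its ID.
create_instance() {
  aws_ec2 run-instances --image-id "$AMI_ID" --key-name "$KEY_NAME" \
    --instance-type "$INSTANCE_TYPE" \
    --tag-specifications "$(tag_spec instance "$NAME")" \
    --query 'Instances[0].InstanceId' --output text
}

# Print the Availability Zone the instance landed in; the volume must match it.
instance_az() { # $1 instance id
  aws_ec2 describe-instances --instance-ids "$1" \
    --query 'Reservations[0].Instances[0].Placement.AvailabilityZone' --output text
}

# Create an encrypted gp2 volume in the given AZ and print its ID.
create_volume() { # $1 availability zone
  aws_ec2 create-volume --availability-zone "$1" --size "$VOLUME_SIZE_GIB" \
    --volume-type gp2 --encrypted \
    --tag-specifications "$(tag_spec volume "${NAME}-ebs")" \
    --query VolumeId --output text
}

attach_volume() { # $1 volume id, $2 instance id
  aws_ec2 attach-volume --volume-id "$1" --instance-id "$2" --device xvdb >/dev/null
}

# Full sequence; prints "instance-id az volume-id" on success.
provision() {
  local iid az vid
  iid="$(create_instance)"
  aws_ec2 wait instance-running --instance-ids "$iid"
  az="$(instance_az "$iid")"
  vid="$(create_volume "$az")"
  aws_ec2 wait volume-available --volume-ids "$vid"
  attach_volume "$vid" "$iid"
  aws_ec2 wait volume-in-use --volume-ids "$vid"
  printf '%s %s %s\n' "$iid" "$az" "$vid"
}

# Only act when explicitly asked, so the file can be sourced for its functions.
if [ "${1:-}" = "--run" ]; then provision; fi
```

Run it as `./provision.sh --run`; the Security Group step that follows in the post is still done separately.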
Security Group
Create a Security Group – here via the WebUI to make it quick.
When creating this SG, pay attention to the VPC ID – it must be the same as the one used for your EC2:
Allow access to port 80 from anywhere so that the Let’s Encrypt authorization works.
Ports 443 and 22 are allowed from our office only.
Attach this SG to the EC2 – Networking > Change Security Group:
Mounting EBS
Log in to the server:
$ ssh admin@34.240.14.78 -i setevoy-testing-eu-west-1.pem
Check disks:
admin@ip-172-31-36-249:~$ lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
nvme0n1 259:0 0 8G 0 disk
└─nvme0n1p1 259:1 0 8G 0 part /
nvme1n1 259:2 0 5G 0 disk
nvme1n1 is our EBS.
Create the /bitwarden directory:
admin@ip-172-31-36-249:~$ sudo -s
root@ip-172-31-36-249:/home/admin# mkdir /bitwarden
Create a partition on /dev/nvme1n1:
root@ip-172-31-36-249:/home/admin# sgdisk -n 1 /dev/nvme1n1
Creating new GPT entries.
The operation has completed successfully.
Create a file system:
root@ip-172-31-36-249:/home/admin# mkfs.ext4 /dev/nvme1n1p1
Check partitions now:
root@ip-172-31-36-249:/home/admin# fdisk /dev/nvme1n1
...
Device Start End Sectors Size Type
/dev/nvme1n1p1 2048 10485726 10483679 5G Linux filesystem
Mount it to /bitwarden:
root@ip-172-31-36-249:/home/admin# mount /dev/nvme1n1p1 /bitwarden/
root@ip-172-31-36-249:/home/admin# ls -l /bitwarden/
total 16
drwx------ 2 root root 16384 Apr 30 10:15 lost+found
Get the partition’s UUID:
root@ip-172-31-36-249:/home/admin# blkid /dev/nvme1n1p1
/dev/nvme1n1p1: UUID="5e3972d4-c742-4224-80d6-8239e5201ae1" TYPE="ext4" PARTUUID="929f264c-ac03-4f9f-9071-056c1511de0e"
Using this UUID, add a new mount point to /etc/fstab with the nofail option (so the instance still boots if the volume is missing):
root@ip-172-31-36-249:/home/admin# cat /etc/fstab
UUID=3866caa4-0449-4478-899b-60eb6f71dd26 / ext4 rw,discard,errors=remount-ro 0 1
UUID="5e3972d4-c742-4224-80d6-8239e5201ae1" /bitwarden ext4 nofail 0 0
Unmount the manually mounted partition:
root@ip-172-31-36-249:/home/admin# umount /bitwarden/
And mount it back using fstab:
root@ip-172-31-36-249:/home/admin# mount -a
Check:
root@ip-172-31-36-249:/home/admin# findmnt /bitwarden/
TARGET SOURCE FSTYPE OPTIONS
/bitwarden /dev/nvme1n1p1 ext4 rw,relatime,data=ordered
The instance can be rebooted now to check that the mount works properly.
Also, install all updates:
root@ip-172-31-36-249:/home/admin# apt update && apt -y upgrade && reboot
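The fstab step above, done from a script rather than by editing the file by hand. This is an added example, not from the original post: it extracts the UUID from the `blkid` line, builds the same `nofail` entry, and appends it only if no entry for that mount point exists yet, so it can be re-run (and reused later on a restored instance) without producing duplicate fstab lines. The blkid line and fstab content in the test are constructed from the values shown above.

```shell
#!/bin/sh
# Added example, not from the original post: idempotent /etc/fstab entry for the
# data volume, built from blkid output.
set -eu

# Print the bare UUID from a line such as:
#   /dev/nvme1n1p1: UUID="5e39..." TYPE="ext4" PARTUUID="929f..."
# (the leading space keeps PARTUUID from matching).
uuid_from_blkid() { # $1 blkid output line
  printf '%s\n' "$1" | sed -n 's/.*[[:space:]]UUID="\([^"]*\)".*/\1/p'
}

# The fstab line; nofail means a missing volume does not block boot.
fstab_line() { # $1 uuid, $2 mount point, $3 fs type
  printf 'UUID=%s %s %s nofail 0 0\n' "$1" "$2" "$3"
}

# Append the entry unless a non-comment line already uses this mount point.
# Returns 0 if the entry was added, 1 if it was already present.
ensure_fstab_entry() { # $1 fstab path, $2 uuid, $3 mount point, $4 fs type
  if grep -q "^[^#]*[[:space:]]$3[[:space:]]" "$1"; then
    return 1
  fi
  fstab_line "$2" "$3" "$4" >> "$1"
}

# Typical use on the host (needs root and the real device; commented out here):
#   uuid="$(uuid_from_blkid "$(blkid /dev/nvme1n1p1)")"
#   ensure_fstab_entry /etc/fstab "$uuid" /bitwarden ext4; mount -a
#   findmnt /bitwarden
```

After `mount -a`, `findmnt /bitwarden` is the same check the post does above.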
DNS
Create a domain name to be used:
The host’s set up
Let’s Encrypt
Install the client:
root@ip-172-31-36-249:/home/admin# apt install -y git
root@ip-172-31-36-249:/home/admin# git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt
Get a certificate using the standalone authenticator:
root@ip-172-31-36-249:/home/admin# /opt/letsencrypt/letsencrypt-auto certonly -d dev.bitwarden.setevoy.org.ua
Saving debug log to /var/log/letsencrypt/letsencrypt.log
How would you like to authenticate with the ACME CA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Spin up a temporary webserver (standalone)
2: Place files in webroot directory (webroot)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Plugins selected: Authenticator standalone, Installer None
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): admin@example.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: N
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for dev.bitwarden.setevoy.org.ua
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/dev.bitwarden.setevoy.org.ua/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/dev.bitwarden.setevoy.org.ua/privkey.pem
...
NGINX
Install NGINX:
root@ip-172-31-36-249:/home/admin# apt -y install nginx
Generate Diffie-Hellman parameters for SSL:
root@ip-172-31-36-249:/home/admin# openssl dhparam -out /etc/nginx/dhparams.pem 2048
Add a virtual host’s config – /etc/nginx/conf.d/dev.bitwarden.setevoy.org.ua.conf:
server {
    listen 80;
    server_name dev.bitwarden.setevoy.org.ua;

    # Lets Encrypt Webroot
    location ~ /.well-known {
        root /var/www/html;
        allow all;
    }

    location / {
        # office1
        allow 194.***.***.24/29;
        # office2
        allow 91.***.***.78/32;
        # arseny home
        allow 188.***.***.48/32;
        deny all;
        return 301 https://dev.bitwarden.setevoy.org.ua;
    }
}

server {
    listen 443 ssl;
    server_name dev.bitwarden.setevoy.org.ua;
    root /var/www/html;

    access_log /var/log/nginx/dev.bitwarden.setevoy.org.ua-access.log;
    error_log /var/log/nginx/dev.bitwarden.setevoy.org.ua-error.log warn;

    # office1
    allow 194.***.***.24/29;
    # office2
    allow 91.***.***.78/32;
    # arseny home
    allow 188.***.***.48/32;
    deny all;

    ssl_certificate /etc/letsencrypt/live/dev.bitwarden.setevoy.org.ua/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/dev.bitwarden.setevoy.org.ua/privkey.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/nginx/dhparams.pem;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
    ssl_session_timeout 1d;
    ssl_stapling on;
    ssl_stapling_verify on;

    location / {
        proxy_pass http://localhost:8000/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        client_max_body_size 0;
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
        add_header Referrer-Policy "same-origin";
    }
}
Check its syntax and reload configs:
root@ip-172-31-36-249:/home/admin# nginx -t && systemctl reload nginx
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
Check:
root@ip-172-31-36-249:/home/admin# curl -vL dev.bitwarden.setevoy.org.ua
...
* Connected to dev.bitwarden.setevoy.org.ua (34.240.14.78) port 80 (#0)
< HTTP/1.1 301 Moved Permanently
...
< Location: https://dev.bitwarden.setevoy.org.ua
...
curl: (7) Failed to connect to dev.bitwarden.setevoy.org.ua port 443: Connection timed out
All good.
The connection to port 443 timed out because we have no backend running yet.
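A small lint for the vhost above, added here as an example and not part of the original post. The vhost enables TLSv1 and TLSv1.1 in `ssl_protocols`; both are deprecated, and for a vault front end TLS 1.2 and 1.3 only is the setting to keep. The script reads the directive out of a config file, fails when an old protocol is listed, and rewrites the directive to the hardened value (the original is kept as a `.bak`). One more thing worth knowing about the port-80 block: the `allow`/`deny` lines before `return 301` have no effect, because `return` runs in NGINX’s rewrite phase, before the access phase in which `allow`/`deny` are evaluated; that is harmless here only because the 443 block repeats the allow list. The directive names are real NGINX ones; the config used in the test is constructed.

```shell
#!/bin/sh
# Added example, not from the original post: check and harden `ssl_protocols`
# in an NGINX config file. Run `nginx -t && systemctl reload nginx` afterwards.
set -eu

# Print the value of the first `ssl_protocols` directive (without the ';').
ssl_protocols_of() { # $1 config path
  sed -n 's/^[[:space:]]*ssl_protocols[[:space:]]\{1,\}\(.*\);.*/\1/p' "$1" | head -n 1
}

# Return 0 when only TLS 1.2+ is enabled, 1 if SSLv2/3 or TLS 1.0/1.1 is present.
tls_protocols_ok() { # $1 config path
  protos="$(ssl_protocols_of "$1")"
  for p in $protos; do
    case "$p" in
      SSLv2|SSLv3|TLSv1|TLSv1.1) return 1 ;;
    esac
  done
  return 0
}

# Rewrite the directive in place to TLS 1.2 and 1.3 only, keeping a .bak copy.
harden_tls_protocols() { # $1 config path
  sed -i.bak 's/^\([[:space:]]*\)ssl_protocols[[:space:]].*;/\1ssl_protocols TLSv1.2 TLSv1.3;/' "$1"
}

# Usage on the host (commented out so the file can be sourced for its functions):
#   conf=/etc/nginx/conf.d/dev.bitwarden.setevoy.org.ua.conf
#   tls_protocols_ok "$conf" || { harden_tls_protocols "$conf"; nginx -t && systemctl reload nginx; }
```

After hardening, `openssl s_client -connect dev.bitwarden.setevoy.org.ua:443 -tls1_1` from an allowed office address should fail the handshake, which is the quickest external confirmation.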
Docker and Docker Compose
To run Bitwarden we need Docker and Docker Compose – install them.
Docker:
root@ip-172-31-36-249:/home/admin# curl -L get.docker.com | bash
Check:
root@ip-172-31-36-249:/home/admin# docker -v
Docker version 18.09.5, build e8ff056dbc
Add the admin user to the docker group:
root@ip-172-31-36-249:/home/admin# usermod -aG docker admin
Install Docker Compose:
root@ip-172-31-36-249:/home/admin# curl -L "https://github.com/docker/compose/releases/download/1.24.0/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
root@ip-172-31-36-249:/home/admin# chmod +x /usr/local/bin/docker-compose
root@ip-172-31-36-249:/home/admin# docker-compose -v
docker-compose version 1.24.0, build 0aa59064
Bitwarden installation
Go to bitwarden.com/host and get the keys:
Each Bitwarden installation needs its own set of keys.
Download the installation, configuration and management script:
root@ip-172-31-36-249:/home/admin# cd /bitwarden/
root@ip-172-31-36-249:/bitwarden# curl -s -o bitwarden.sh https://raw.githubusercontent.com/bitwarden/core/master/scripts/bitwarden.sh
root@ip-172-31-36-249:/bitwarden# chmod +x bitwarden.sh
This script will download files from the https://github.com/bitwarden/server repository and then call the https://github.com/bitwarden/server/blob/master/scripts/run.sh script with the install option.
All options for bitwarden.sh:
| Command | Description |
| --- | --- |
| install | Start the installer. |
| start | Start all containers. |
| restart | Restart all containers (same as start). |
| stop | Stop all containers. |
| updatedb | Update/initialize the database. |
| update | Update all containers and the database. |
| updateself | Update this main script. |
| rebuild | Rebuild generated installation assets from `config.yml`. |
Start the installation:
root@ip-172-31-36-249:/bitwarden# ./bitwarden.sh install
...
(!) Enter the domain name for your Bitwarden instance (ex. bitwarden.company.com): dev.bitwarden.setevoy.org.ua
(!) Do you want to use Let's Encrypt to generate a free SSL certificate? (y/n): n
1.30.1: Pulling from bitwarden/setup
...
Status: Downloaded newer image for bitwarden/setup:1.30.1
...
(!) Enter your installation id (get at https://bitwarden.com/host): 46ec2f0b-***-***-aa3f00b8ab41
(!) Enter your installation key: OJ0***fDD
(!) Do you have a SSL certificate to use? (y/n): y
...
(!) Is this a trusted SSL certificate (requires ca.crt, see docs)? (y/n): y
Generating key for IdentityServer.
Generating a RSA private key
...
writing new private key to 'identity.key'
-----
Building nginx config.
Building docker environment files.
Building docker environment override files.
Building FIDO U2F app id.
Building docker-compose.yml.
Installation complete
...
Next steps, run:
`./bitwarden.sh start`
Bitwarden configuration
The script will save all of Bitwarden’s data to the bwdata directory:
root@ip-172-31-36-249:/bitwarden# ll
total 24
-rwxr-xr-x 1 root root 2535 Apr 30 11:07 bitwarden.sh
drwxr-xr-x 11 nobody nogroup 4096 Apr 30 11:13 bwdata
root@ip-172-31-36-249:/bitwarden# ll bwdata/
total 40
drwxr-xr-x 2 nobody nogroup 4096 Apr 30 11:10 ca-certificates
-rw-r--r-- 1 nobody nogroup 3323 Apr 30 11:13 config.yml
drwxr-xr-x 2 nobody nogroup 4096 Apr 30 11:13 docker
drwxr-xr-x 2 nobody nogroup 4096 Apr 30 11:13 env
drwxr-xr-x 2 nobody nogroup 4096 Apr 30 11:13 identity
drwxr-xr-x 2 nobody nogroup 4096 Apr 30 11:10 letsencrypt
drwxr-xr-x 2 nobody nogroup 4096 Apr 30 11:13 nginx
drwxr-xr-x 2 nobody nogroup 4096 Apr 30 11:10 scripts
drwxr-xr-x 3 nobody nogroup 4096 Apr 30 11:13 ssl
drwxr-xr-x 2 nobody nogroup 4096 Apr 30 11:13 web
The main configuration file is bwdata/config.yml.
Also, additional variables can be set in the ./bwdata/env/global.override.env file; we will look at them a bit later.
The Docker Compose stack will be started using the ./bwdata/docker/docker-compose.yml file:
version: '3'
services:
  mssql:
    image: bitwarden/mssql:1.30.1
    container_name: bitwarden-mssql
    restart: always
    volumes:
      - ../mssql/data:/var/opt/mssql/data
      - ../logs/mssql:/var/opt/mssql/log
      - ../mssql/backups:/etc/bitwarden/mssql/backups
    env_file:
      - mssql.env
      - ../env/uid.env
      - ../env/mssql.override.env
  web:
    image: bitwarden/web:2.10.0
    container_name: bitwarden-web
    restart: always
    volumes:
      - ../web:/etc/bitwarden/web
    env_file:
      - global.env
      - ../env/uid.env
...
Update the config.yml file – disable SSL, as we have our own NGINX doing SSL, and change the HTTP and HTTPS ports:
...
# Docker compose file port mapping for HTTP. Leave empty to remove the port mapping.
# Learn more: https://docs.docker.com/compose/compose-file/#ports
http_port: 8000
# Docker compose file port mapping for HTTPS. Leave empty to remove the port mapping.
# Learn more: https://docs.docker.com/compose/compose-file/#ports
https_port: 8001
...
# Configure Nginx for SSL.
ssl: false
...
Regenerate the application configs:
root@ip-172-31-36-249:/bitwarden# ./bitwarden.sh rebuild
Start Bitwarden:
root@ip-172-31-36-249:/bitwarden# ./bitwarden.sh start
...
Bitwarden is up and running!
Check in a browser:
Check containers:
root@ip-172-31-36-249:/bitwarden# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
b196ee0f81ff bitwarden/nginx:1.30.1 "/entrypoint.sh" About an hour ago Up About an hour 80/tcp, 0.0.0.0:5178->8080/tcp, 0.0.0.0:5179->8443/tcp bitwarden-nginx
ef03f591491d bitwarden/admin:1.30.1 "/entrypoint.sh" About an hour ago Up About an hour 5000/tcp bitwarden-admin
d4fa88921cce bitwarden/api:1.30.1 "/entrypoint.sh" About an hour ago Up About an hour 5000/tcp bitwarden-api
408c5f0bd370 bitwarden/notifications:1.30.1 "/entrypoint.sh" About an hour ago Up About an hour 5000/tcp bitwarden-notifications
9bec10bc09d8 bitwarden/icons:1.30.1 "/entrypoint.sh" About an hour ago Up About an hour 5000/tcp bitwarden-icons
f87789cc4da4 bitwarden/mssql:1.30.1 "/entrypoint.sh" About an hour ago Up About an hour 1433/tcp bitwarden-mssql
143370f979c5 bitwarden/web:2.10.0 "/entrypoint.sh" About an hour ago Up About an hour 5000/tcp bitwarden-web
acdc220a7c29 bitwarden/identity:1.30.1 "/entrypoint.sh" About an hour ago Up About an hour 5000/tcp bitwarden-identity
925d047b6321 bitwarden/attachments:1.30.1 "/entrypoint.sh" About an hour ago Up About an hour 5000/tcp bitwarden-attachments
Into those containers Bitwarden mounts directories from the host, for example for mssql:
root@ip-172-31-36-249:/bitwarden# docker inspect bitwarden-mssql | jq .[].Mounts
[
  {
    "Type": "bind",
    "Source": "/bitwarden/bwdata/logs/mssql",
    "Destination": "/var/opt/mssql/log",
    "Mode": "rw",
    "RW": true,
    "Propagation": "rprivate"
  },
  {
    "Type": "bind",
    "Source": "/bitwarden/bwdata/mssql/data",
    "Destination": "/var/opt/mssql/data",
    "Mode": "rw",
    "RW": true,
    "Propagation": "rprivate"
  },
  {
    "Type": "bind",
    "Source": "/bitwarden/bwdata/mssql/backups",
    "Destination": "/etc/bitwarden/mssql/backups",
    "Mode": "rw",
    "RW": true,
    "Propagation": "rprivate"
  }
]
Thus, for a backup it is enough to store just the bwdata directory.
Email configuration
Email settings are set in the bwdata/env/global.override.env file.
We will use AWS SES; update the variables:
...
globalSettings__mail__replyToEmail=no-reply@example.com
globalSettings__mail__smtp__host=email-smtp.us-east-1.amazonaws.com
globalSettings__mail__smtp__port=587
globalSettings__mail__smtp__ssl=false
globalSettings__mail__smtp__username=AKI***MJI
globalSettings__mail__smtp__password=BKR***z2G
...
Restart Bitwarden (rebuild is needed only after changes in config.yml):
root@ip-172-31-36-249:/bitwarden# ./bitwarden.sh restart
In case of email sending problems – check the logs in the bwdata/logs/api/Api/ directory or from the bitwarden-api container:
root@ip-172-31-36-249:/bitwarden# docker logs -f bitwarden-api
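The two hand edits above, the config.yml port/SSL changes and the global.override.env mail settings, as one script. This is an added example, not from the original post or the Bitwarden project: it uses a replace-or-append helper so running it twice leaves the files unchanged, writes the files in place (so their nobody:nogroup ownership from the installer is preserved), and takes the SES SMTP credentials as arguments rather than hard-coding them. The key names are the real ones shown above; the reply-to address and the SMTP credentials in the test are constructed placeholders. Values containing backslashes would need escaping for `awk -v`.

```shell
#!/bin/sh
# Added example, not from the original post: scripted edits of bwdata/config.yml
# and bwdata/env/global.override.env. Key names are Bitwarden's; values are
# placeholders.
set -eu

# Replace-or-append "key<sep>value" in a file. sep is ":" for YAML (a space is
# added after it) and "=" for env files. Writes through `cat >` so the file's
# owner and mode survive. Only flat top-level keys are handled, which is all
# config.yml and global.override.env use.
set_kv() { # $1 file, $2 key, $3 separator, $4 value
  tmp="$(mktemp)"
  awk -v k="$2" -v s="$3" -v v="$4" '
    BEGIN { line = k s (s == ":" ? " " : "") v }
    index($0, k s) == 1 { print line; found = 1; next }
    { print }
    END { if (!found) print line }
  ' "$1" > "$tmp"
  cat "$tmp" > "$1" && rm -f "$tmp"
}
yaml_set() { set_kv "$1" "$2" ":" "$3"; }
env_set()  { set_kv "$1" "$2" "=" "$3"; }

# Read a value back (keys here are plain words, safe inside a sed pattern).
yaml_get() { sed -n "s/^$2:[[:space:]]*//p" "$1"; }
env_get()  { sed -n "s/^$2=//p" "$1"; }

# Apply the post's settings. Afterwards: ./bitwarden.sh rebuild (config.yml
# changed) and ./bitwarden.sh start|restart.
configure_bitwarden() { # $1 bwdata dir, $2 SES SMTP username, $3 SES SMTP password
  cfg="$1/config.yml"
  env="$1/env/global.override.env"
  yaml_set "$cfg" http_port 8000
  yaml_set "$cfg" https_port 8001
  yaml_set "$cfg" ssl false
  env_set "$env" globalSettings__mail__replyToEmail no-reply@example.com
  env_set "$env" globalSettings__mail__smtp__host email-smtp.us-east-1.amazonaws.com
  env_set "$env" globalSettings__mail__smtp__port 587
  env_set "$env" globalSettings__mail__smtp__ssl false
  env_set "$env" globalSettings__mail__smtp__username "$2"
  env_set "$env" globalSettings__mail__smtp__password "$3"
}

# Usage on the host (commented out so the file can be sourced for its functions):
#   configure_bitwarden /bitwarden/bwdata "$SES_SMTP_USER" "$SES_SMTP_PASSWORD"
#   ./bitwarden.sh rebuild && ./bitwarden.sh restart
```

global.override.env ends up holding the SES credentials in clear text, so it is one of the files whose read permissions (and whose inclusion in backups) are worth keeping in mind.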
Registration in the Bitwarden
Now you can register in your Bitwarden installation.
Click on Create account:
Click Confirm.
Bitwarden Admin and users
Add an administrator mailbox to the bwdata/env/global.override.env file in the adminSettings__admins= field.
Note that the documentation says:
These admin email addresses do not need to be registered with an account on your Bitwarden installation
After logging in with this mailbox you’ll get an email with a link to proceed to the admin page. This link will be valid for 15 minutes:
...
adminSettings__admins=admin@example.com,anotheradmin@example.com
...
Restart service:
root@ip-172-31-36-249:/bitwarden# ./bitwarden.sh restart
And go to the https://dev.bitwarden.setevoy.org.ua/admin page:
Log in with the mailbox specified in adminSettings__admins, get the email and follow the link:
Users settings
Log in using the common Log In form and you will see the usual user space:
In Tools you can import data from various password managers like KeePass:
Adding passwords manually:
Getting a password:
Working with Bitwarden
Chrome plugin
Install the Chrome extension from the Chrome Web Store:
Click on Settings:
Set your server’s URL:
Log in:
And get all your passwords directly from a browser:
Also, it will suggest storing passwords during logins, as a usual password manager does:
Linux desktop
I guess it has clients for any Linux-based system.
On Arch Linux it can be installed from the AUR:
$ yaourt -S bitwarden-bin
And log in the same way as in the Chrome extension:
Import from KeePass
Let’s check how the import works.
In your KeePass, export data to an XML file:
Then go to Bitwarden – Tools > Import data:
Ready – even with the directory structure:
Export can be done in the same way – you can export data from Bitwarden to a JSON or CSV file, and the CSV can be imported into a local KeePass. Such an additional backup.
Keep in mind that the exported file will have all passwords unencrypted.
Multi-factor authorization
MFA can be configured in My account – Two-step Login; everything is done in the standard way here:
Backing up and restoring Bitwarden storage
Nobody wants to lose all of an organization’s passwords, so let’s check how backup and restore work.
As we have /bitwarden mounted from a dedicated EBS volume, it can be snapshotted daily by AWS Data Lifecycle Manager, and then, in case of problems, a new volume can be created from a snapshot and mounted to a new EC2 instance with a new Bitwarden installation.
So the steps to check are, quickly:
- create a snapshot manually
- create a new EBS using this snapshot
- start a new EC2
- attach this EBS and mount it to /bitwarden
- obtain a Let’s Encrypt certificate
- install NGINX, set up a virtual host
- install Docker, Docker Compose
- if the domain was changed – update /bitwarden/bwdata/config.yml, change the url parameter
- run ./bitwarden.sh rebuild
- run ./bitwarden.sh start
- …
- Profit!
That’s all for now.
When I get a trial license, I will play with users and roles.