Bitwarden

Overview

Bitwarden helps you generate, save and manage your passwords safely and securely. Think of it like a book of passwords, locked by a key that only you know.

Why A Password Manager?

Password managers take the hassle out of creating and remembering strong passwords. Passwords are stolen all the time. They can help you with digital inheritance, and they can help to protect your identity. One of the easiest ways to encourage good password hygiene is to deploy a password management solution across your workplace.

Major Features and Benefits
Application Range


Initial Configuration


Instance Settings

Access the Admin Portal

The System Administrator Portal for your instance is available at https://your.domain.com/admin

Settings to be aware of

If you are the main admin of the instance, it is good to be aware that there are a couple of settings that we do NOT set by default that you may wish to change. In order of appearance...

Allow new signups

2021-08-10-21-52-10-Vaultwarden Admin Panel.png

This may seem counter-intuitive until you realize that the initial user is created by registering through this open signup, and that it also lets us easily onboard any additional users onto the instance. It is still worth considering as an option to set when creating the instance. On its own it is not a major attack vector, especially once the additional restrictions below are in place, and it leaks no data: it simply allows an additional account to be created on the system.

Set attachment limits

2021-08-10-21-51-51-Vaultwarden Admin Panel.png

Setting attachment limits closes the one really large attack vector that open registration creates: anyone who can register could run the instance out of disk space by uploading very large attachments. The limits can be set during instance setup and from the admin page.

SMTP Email Settings

2021-08-10-21-53-26-Vaultwarden Admin Panel.png

As with most services we offer, this is left blank because there is currently no bundled SMTP service. However, it can be connected to any email service that you have set up.

Email signup limitations

Once SMTP is configured, the following limitations can be placed on signups:

image-1628647614573.png

This means you can require that signup email addresses be verified, and restrict signups to whitelisted domains. This works well if your organization uses its own domain for email addresses.
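As an added example (not from this page or from the Vaultwarden project), the following POSIX shell script audits a Vaultwarden .env file for the permissive settings just described. It assumes Vaultwarden's variable names (SIGNUPS_ALLOWED, SIGNUPS_VERIFY, SIGNUPS_DOMAINS_WHITELIST, USER_ATTACHMENT_LIMIT, ORG_ATTACHMENT_LIMIT, SMTP_HOST, SMTP_SECURITY), and the two .env files it writes are constructed samples.

```shell
# Added example, not code from the page or from Vaultwarden: audit a
# vaultwarden .env for the permissive settings discussed above. Variable
# names are Vaultwarden's (check your version's .env.template); both .env
# files below are constructed samples.

# Sample 1: the out-of-the-box state (signups open, no limits, no SMTP).
cat > weak.env <<'EOF'
SIGNUPS_ALLOWED=true
EOF

# Sample 2: the same instance after the settings described above are set.
cat > hardened.env <<'EOF'
SIGNUPS_ALLOWED=true
SIGNUPS_VERIFY=true
SIGNUPS_DOMAINS_WHITELIST=example.com
USER_ATTACHMENT_LIMIT=102400
ORG_ATTACHMENT_LIMIT=512000
SMTP_HOST=smtp.example.com
SMTP_FROM=vault@example.com
SMTP_PORT=587
SMTP_SECURITY=starttls
EOF

# get_var FILE NAME: value of NAME in FILE, empty if unset or commented out
get_var() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 | tr -d "\"'"
}

# audit_env FILE: one finding per line; no output means nothing to flag
audit_env() {
    signups=$(get_var "$1" SIGNUPS_ALLOWED)
    verify=$(get_var "$1" SIGNUPS_VERIFY)
    # Vaultwarden treats an unset SIGNUPS_ALLOWED as true, so only an
    # explicit "false" closes registration.
    if [ "$signups" != "false" ]; then
        [ -n "$(get_var "$1" SIGNUPS_DOMAINS_WHITELIST)" ] ||
            echo "open signups with no SIGNUPS_DOMAINS_WHITELIST"
        [ "$verify" = "true" ] ||
            echo "open signups without SIGNUPS_VERIFY=true"
    fi
    # Attachment limits are in KB; unset means unlimited (the disk-fill risk)
    [ -n "$(get_var "$1" USER_ATTACHMENT_LIMIT)" ] ||
        echo "USER_ATTACHMENT_LIMIT unset: one user can fill the disk"
    [ -n "$(get_var "$1" ORG_ATTACHMENT_LIMIT)" ] ||
        echo "ORG_ATTACHMENT_LIMIT unset: one organization can fill the disk"
    if [ "$verify" = "true" ] && [ -z "$(get_var "$1" SMTP_HOST)" ]; then
        echo "SIGNUPS_VERIFY=true but no SMTP_HOST: nobody can finish signup"
    fi
}

# findings FILE: number of findings, usable as a pre-deploy gate
findings() { audit_env "$1" | wc -l | tr -d ' '; }
```

Run `audit_env /path/to/your.env` before deploying; a non-zero `findings` count means one of the settings above was left at its permissive default.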


Client Settings

Common Settings

Vault Locking

image-1628648629131.png

There are two common settings: when to time out, and what to do when the timeout is reached. The above should be self-explanatory. The browser add-on differs in that the timeout can also be triggered by the screen locking and/or a computer restart; the mobile app adds an app-restart timeout.

Change Master Password

image-1628649375635.png

There are options on the other clients to do this, but they redirect to the web vault. 

Web App

Display layout

image-1628648758593.png

This allows the web vault to display using the whole width of your screen. Just a nice QOL improvement.


Browser Add-On & Mobile Client

Server URL

image-1628650161881.png

image-1628650070161.png

Your URL should include the `/bitwarden` path at the end of the domain.


Unlock with Biometrics/PIN Code

image-1628651168664.png

This allows you to log in using a PIN or biometrics (fingerprint reader on mobile, etc.). This is much more convenient after setting up a device than having to re-type your master password over and over again.

Dark Theme

image-1628650366381.png

The only sane choice.

Auto-Fill

image-1628651550976.png

The explanations are above, but I would suggest setting these the way that seems best to you.

Note that if you don't have the URI saved for a site but use Bitwarden there anyway, it will prompt you to add the URI to a new entry rather than to the existing one.

Sync


image-1628650519668.png

image-1628650467049.png

This manually syncs the client. Clients also sync automatically whenever there is a change, as described in https://bitwarden.com/blog/post/live-sync/

Desktop Client

CLI

Deployment Configuration

Application Interface

How I access this tool, and how it is displayed to me.


Desktop

WebApp

https://bitwarden.com/help/article/getting-started-webvault/ 

In its most basic form, there is a web app that users can log into with their browser:

2021-07-12-19-26-01-Bitwarden Web Vault.png

This is handiest as a bookmark in a web browser, or for access from public or otherwise atypical devices.

This is the best place to perform administrative functions, such as manipulating folders and organizing groups.

NOTE: While a compromised server cannot access your encrypted information, it is able to modify the webapp code that it serves to your browser, potentially injecting malicious code. It is recommended to use platform-native implementations, such as a browser addon, or a desktop or mobile client.

Browser Addon

https://bitwarden.com/help/article/getting-started-browserext/ 

This is where this application really shines. It brings together all of the aspects that you would want in a password manager, including auto-fill, new login creation, and of course random password generation.

The addon button looks like this, and will indicate with a popup number whether it has an auto-fill match for the site in the current tab:

2021-07-12-19-30-36-Projects · Dashboard · GitLab.png

Clicking on that button will bring up a minimized version of the web app, which looks very similar to the mobile app, and allows you to perform almost all functions that you would need to consume the service. However, the web app is still the best place to access the more advanced functionality.

Auto-Fill

The auto-fill on the add-on is straightforward. For every login, there is a field named "URI" that accepts one or more entries. This allows the browser to determine which logins are for which site. Once that has been populated, the entry will show up in the "Tab" section of the popup.

NOTE: Don't worry if you don't want to add the URI in advance. You can always search for it, and add it as you are actually using the browser add-on.

Here is what that looks like:

Screenshot from 2021-07-12 20-38-37.png

From here, I am able to select the login that I want. Note that I have several different options since I have several different logins for this same URL. Matching rules can be tweaked as appropriate in the Settings section.

Desktop Client

While all clients can work offline, the desktop client is especially well suited to it: its local vault is included in any desktop backups that are taken, remains fully encrypted at rest, and is decrypted only in memory.

Desktop clients also support biometric unlock as an alternative to re-entering your master password after the initial login.

Command Line Interface

Yes, Bitwarden does have an official CLI client: https://bitwarden.com/help/article/cli/ 

There also exists an alternative implementation here: https://github.com/birlorg/bitwarden-cli

And of course there is Andrew's script that creates the registration parameters for a new user: https://gitlab.com/compositionalenterprises/role-compositional/-/blob/master/roles/compositional/files/bitwarden_registration_params.py


Mobile

https://bitwarden.com/help/article/getting-started-mobile/ 

The mobile interface for this application is pretty much the same as the browser add-on: it is meant for day-to-day use, and is not necessarily the best place for administrative functions.

NOTE: For your own protection, mobile apps don't let you take screenshots.

Installs

The applications for Apple and Android are available in the App Store and Google Play respectively.

Note that for Android, the application is also available in the F-Droid repos: https://mobileapp.bitwarden.com/fdroid/ 

Unlock Options

For the initial login, your master password is of course required, as it is used to derive the key that decrypts your vault. After the initial login, however, you have the option of unlocking the application simply with your biometrics or your PIN.

Auto-Fill

Auto-fill is available once you enable it in the settings. The following prompt appears whenever you tap a password field; this example shows logging into eBay in a mobile browser:

Screenshot_20210712-203511_Opera.png

From there, it switches to your Bitwarden app, where you can select the entry to auto-fill with. Keep in mind that auto-fill follows all of the same rules as the browser add-on.


Filters on the Home Page

Filters provide a way to look at different items in your vault based on different categorizations and tags. These can be favorites, item types, folders, and collections. At Compositional Enterprises I use collections daily to filter down to different passwords; clicking on a collection shows just the entries within that collection. At home I have everything in folders based on category (homelab, work, school, etc.).

image-1624924251833.png

Everyday Usage

Methods and Concepts for how I use this tool.


Vault Items

There are four types of items that can be created in Bitwarden: Login, Card, Identity and Secure Note. They are somewhat self-explanatory, but to cover them: Login is for a website login; Card is for a credit or debit card; Identity is for a personal identity, which may be useful for kids or for entities such as businesses; and Secure Note is very plain, having just a name and a box for a note. Below are the four item types that can be added; note the different text boxes available for each type.

Adding a new Element (4 different kinds):

image-1624924395873.png

Adding a new Login:

image-1624924176480.png

Adding a new Card:

image-1624924568447.png

Adding a new Identity:

image-1624924498722.png

Adding a new Secure Note:

image-1624924534511.png

Editing an Item: the one thing to note when editing an item is to make sure you save it after making changes. It is easy to get burned by clicking the X in the top right and then having to reset a password again.

image-1624924217445.png



Folders and Search

Folders are the essence of organization: they allow you to logically group vault items. See Bitwarden's documentation on folders for more.

Adding a folder (relatively easy):

image-1629762983441.png

image-1629762955232.png



Organizations and Collections

Organizations:

Bitwarden Organizations add a layer of collaboration and sharing to password management for your family, team, or enterprise, allowing you to securely share common information like office wifi passwords, online credentials, or shared company credit cards. Secure sharing of Organization-owned credentials is safe and easy. For more information on organizations, check out the upstream documentation.

Organizations can be viewed from the right-hand side of the page.

image-1629763450830.png

Within the Organization View:

image-1629763424353.png

Something to note is that all organization passwords in your view will show up with a "shared" icon:

image-1629763848909.png

Collections:

Collections are similar to folders in that they provide a way to logically group items for your organization. For more information on Collections, check out the upstream documentation.

Think of Collections as Organization-equivalents to the Folders used to organize a Personal Vault, with a few key differences:

- Organizations control access to Organization-owned items by assigning users or Groups to Collections.

- Organization-owned items must be included in at least one Collection.

Note that in Compositional Enterprises instances, the "Move to organization" button shows as "Share", as seen below:

image-1629764372189.png

image-1629764327603.png


Send

Bitwarden Send is a secure and ephemeral way to transmit sensitive information to anyone. Sends can include plaintext or file attachments up to 500 MB (100 MB if creating from Mobile). Every Send is assigned a randomly generated and secure link, which can be shared with anyone (including those who do not have Bitwarden accounts) via text, email, or whatever communication channel you prefer. Every Send is: End-to-End Encrypted, Dynamically Ephemeral, Customizably Private. Send documentation can be found here.

image-1629764936973.png

Below is an example of creating a send:

image-1629764716976.png

image-1629764741543.png

image-1629764794465.png


Tools

The Bitwarden Tools section holds the password generator, data import, vault export, and reports.

Password Generator

The Password Generator does exactly what it says: it generates a password. It lets you set the length and the minimum number of digits and special characters. It can also generate passphrases, with options to set the number of words, the word separator, capitalization of the words, and whether to include a number.

If you look closely, the clock icon in the bottom right of the page opens a history of the most recently generated passwords.

image-1627430586667.png

Adding an item from the plugin also lets you generate a new password when signing up, using the refresh button on the password field (the rightmost button in the password field):

image-1627430702871.png


Import Data

An undervalued tool, likely to be used only once, the Import Data functionality allows you to import from a host of providers including Bitwarden (JSON, CSV), LastPass, Chrome, Firefox, KeePass 2, 1Password, Dashlane and many others.

image-1627431045687.png


Export Vault

What goes in may need to come out. Exporting a Bitwarden vault is as easy as choosing the file format, entering your master password, and exporting. This can be helpful for migrating to a new instance of Bitwarden (note that at Compositional Enterprises we take care of your data and upgrades). Exports can also be kept as offsite backups or used to migrate to a different provider.

image-1627431178868.png



Reports

Reports are helpful for changing up passwords, cycling passwords, and updating anything that may be stale or exposed. Reports can be found under the Tools section of Bitwarden. For information on the reports available, see Bitwarden Password Reports.

image-1627431392453.png

A quick note on the Exposed Passwords Report from Upstream Documentation:

This report uses a trusted web service to search the first 5 digits of the hash of all your passwords in a database of known leaked passwords. The returned matching list of hashes is then locally compared with the full hash of your passwords. That comparison is only done locally to preserve your k-anonymity.

Why use the first 5 digits of password hashes?

If the report was performed with your actual passwords, it doesn’t matter if they were exposed or not, you would be voluntarily leaking it to the service. This report’s result may not mean your individual account has been compromised, rather that you are using a password that has been found in these databases of exposed passwords, however you should avoid using leaked and non-unique passwords.
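As an added example (not from the page or from Bitwarden), the following POSIX shell script performs the same k-anonymity check by hand: hash the password with SHA-1, send only the first 5 hex characters, and compare the remaining 35 locally. The "trusted web service" is Have I Been Pwned's Pwned Passwords range API; the range response embedded here is a constructed sample so the script runs offline.

```shell
# Added example, not code from the page or from Bitwarden: the k-anonymity
# lookup the Exposed Passwords report performs, against a constructed range
# response so it runs offline. The live service behind the report is the
# Pwned Passwords range API (https://api.pwnedpasswords.com/range/PREFIX),
# which answers one 5-character SHA-1 prefix with "SUFFIX:COUNT" lines.

# sha1_hex STRING: uppercase hex SHA-1 of STRING (no newline is hashed)
sha1_hex() {
    printf '%s' "$1" | { command -v sha1sum >/dev/null && sha1sum || shasum; } |
        cut -c1-40 | tr 'a-f' 'A-F'
}

# The 5 characters that are sent vs. the 35 that never leave the machine
hash_prefix() { printf '%.5s' "$1"; }
hash_suffix() { printf '%s' "${1#?????}"; }

# Constructed stand-in for the response for prefix 5BAA6 (the prefix of
# SHA-1("password")). The suffix line for "password" is real; the counts
# are made up, and a real response has several hundred lines.
range_5BAA6() {
    cat <<'EOF'
003D68EB55068C33ACE09247EE4C639306B:3
012C192B2F16F82EA0EB9EF18D9D539B0DD:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
E5E2F6A1D0E5BE6FF4F4F4A9A5A1C0C7A7B:1
EOF
}

# fetch_range PREFIX: for a live check replace the body with
#   curl -s "https://api.pwnedpasswords.com/range/$1"
# Only the prefix is ever transmitted.
fetch_range() {
    case "$1" in
        5BAA6) range_5BAA6 ;;
        *) : ;;   # constructed sample knows no other prefixes
    esac
}

# pwned_count PASSWORD: occurrences in the breach corpus, 0 if none. The
# suffix comparison below is the part that stays local.
pwned_count() {
    h=$(sha1_hex "$1")
    fetch_range "$(hash_prefix "$h")" |
        awk -F: -v s="$(hash_suffix "$h")" \
            '$1 == s { print $2; found = 1 } END { if (!found) print 0 }'
}
```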


User Management


Inviting Users

Who can send invites?

There are two places where users can be invited:

  1. In the global admin "Users" page:

    image-1631063892775.png

  2. An organization admin or owner in the "Manage" section of the Organization:

    image-1631063948453.png

How do invited users sign up?

If an SMTP server is enabled for the instance, the invited user's email address will receive a message inviting them to the instance.

If not, they can sign up on the regular "Create Account" screen.

What if registrations are disabled?

Even when registration is disabled, organization administrators or owners can invite users to join the organization. After they are invited, they can register with the invited email address.

https://github.com/dani-garcia/vaultwarden/wiki/Disable-invitations

How do I change invites?

The invitation organization name can be changed, and invitations in general can be allowed/disallowed on the "Settings" admin page:

image-1631064243146.png


Administrative Management

Users

Users can be managed from the "Users" section of the administration page.

image-1631064523917.png

From here, we can see a couple of things, from left to right:

Organizations

Organizations can be managed from the next tab over:

image-1631065228159.png

Basically they can be displayed and deleted. The users and items are displayed in-line.

Advanced Customization

Troubleshooting

Upstream Project


Links

Official Site: https://github.com/dani-garcia/bitwarden_rs/wiki

Code: https://github.com/dani-garcia/bitwarden_rs

Documentation: https://github.com/dani-garcia/bitwarden_rs/wiki

Updates: https://github.com/dani-garcia/bitwarden_rs/releases

Community: https://bitwardenrs.discourse.group

Container Image: https://hub.docker.com/r/bitwardenrs/server