Just a guy doing stuff.
Ah, I’ve generally run my VPN primary exit node in a public cloud infrastructure host like Digital Ocean or AWS in order to provide a separate public IP from the rest of my stuff, and not give out my home IP to public Wi-Fi and such.
I like Docker; as long as you use a good orchestration tool, it’s a good way to declaratively define what should be running on your server, using a compose file or similar. There are a lot of benefits to the overhead of learning it, including running multiple instances of the same service on one machine without conflicts, and the ability to force your hosted apps to store all of their data in nice neat packages you can easily back up with something like Duplicity or Volumerize.
I actually run my containers on a small Kubernetes cluster using VMs running k3s atop Proxmox, with persistence handled by a hyperconverged Ceph cluster. All probably very overkill, but it’s fun to play with and performs incredibly. Most folks can get away with a single server running containers with simple Docker Compose.
Started with the Surface Duo 2, if you count it, and now I’m using the Galaxy Z Fold 4.
I suppose I could also count the LG G8x too, possibly?
So many because my company buys phones for me every couple years and I like the flexibility of the folding screen. I’m convinced that anyone who says they don’t want one just hasn’t used one yet. It makes such a huge difference to my mobile experience honestly. Games, documents, multitasking, web browsing, media consumption… It’s all so much better on a device that folds in half lol.
It is open source - but the server essentially locks you out of various functionality unless you create an account with Bitwarden and provide a valid subscription token.
Sure, you can fork it and excise that code from it… but that’s too laborious and potentially error-prone, imho.
If I were to self-host Bitwarden again, I’d go with Vaultwarden, which claims to be fully compatible and has no such requirements.
I use KeePassXC on desktop and KeePassDX on Android, and I’ll step up to your questions for it, specifically:
Locally, as a file. I sync my file to a self-hosted Nextcloud instance so I can use it across devices. Other folks use Syncthing or even less-trustworthy services like Google Drive or Dropbox. The file is encrypted with a password, so as long as you choose a nice long encryption key phrase (such as a long sentence or string of 10-15 random words).
Do I own that device and trust it? If so, I just get the file from Nextcloud (either via sync or via browser download).
Do I not own that device and trust it? If so, still a couple of options. If you’re on Android and rooted, there are various tools that will let you plug your phone into a USB port, pretend it’s a USB keyboard, and auto-type your passwords. Even some non-root options for having your phone pretend it’s a Bluetooth keyboard to do the same. There are also devices like http://inputstick.com/ that don’t require root.
Personally, though? I just show the password on my phone and type it out. I rarely ever need to do that kind of thing, so it doesn’t affect me much.
Sync the file, not a problem. Assuming you have your phone set up with a screen lock and device-level encryption.
Who is “they”? There’s no “they” to get access with KeePass, so I’m going to assume you just mean “a bad actor”. In that case, if someone gets access to your device, you should assume you’re pwned, and follow your plan for when/if that happens (You do have an “I was pwned” plan, right? right?).
That said, the encrypted password database remains encrypted at rest on your disk, and thus it’s highly unlikely for someone to gain access to your password database even if they get access to your device. They are much more likely to pilfer browser cookies for access tokens and the like.
KeePass: File is encrypted, good luck to the cloud storage service.
Others, cloud-based: The “trustworthy” among these cloud services encrypt the file client-side, and only use the server-side as a place to store an encrypted database file and/or for features like sharing passwords (usually by splitting out a copy into a “partial” database and sharing that). I would feel comfortable telling a family member to pay for and use an open-source service like Bitwarden, because that’s what it does. I, however, am more paranoid than that and refuse to use such a service.
Primarily because they could, at any time, decide to sneak in some kind of backdoor that would ship my passwords to them unencrypted… and no thanks.
Of course. That’s why you make your password manager password something super long and memorable for you but hard to guess for others. My current passphrase, for example, is a 19-word description of a memorable event that occurred during a tabletop RPG session, followed by the numerical date of that session. Completely unguessable for others, very easy for me to remember.
Only if your master password is easily guessed or cracked. In most cases, the master password is used as an encryption key, so the longer the better, which is true regardless of whether the file is local or through a cloud service.
Many (KeePass included) also have support for requiring physical 2FA keys, or specific GPG encryption keys or the like. This is, I think, the least of your worries tbh.
I also consider the self-hosting of the files as a good thing. I run my own Nextcloud server, which means my password database is 100% private to me alone, only present on my hardware, and I don’t have to trust a third party to store it. Sure, it’s encrypted, but … an encrypted file on someone else’s servers is still an attack surface that I don’t have to deal with when I host it myself.
I like to support devs, too, but I don’t like being forced into paying for access to features already present in software that is running on my own hardware. The code is already on my machine, I should be able to run it.
That’s my biggest complaint about Bitwarden: I want to share passwords with my wife, and they want to charge me money for that even when I host it myself.
In case anyone else found the claim of “all internet traffic” dubious, some clarification: What they mean when they say “internet traffic” is not “internet traffic.” They are referring to web traffic, as in the number of web page loads that occurred via HTTP and HTTPS, whether that’s API calls or opening pages via web browsers.
That doesn’t include traffic from other protocols (Tor, VPNs, gaming traffic, etc.), and only includes page loads from websites from which Imperva was able to gather analytics data.
New members means newly active paid subscriptions in RuneScape terms.