I currently use KeepassXC that is synced through NextCloud. The sync isn’t very elegant, especially on my phone. So I’m looking for a new password manager, which has a native server sync support that I can self host. What do y’all recommend? I need at least a phone app and a browser integration that can autofill.
Have you tried syncthing? It works great with keepassxc.
Vaultwarden is pretty easy to self host.
+1 for Keepass + Syncthing. Free, no cloud, always synced.
Yeah this is me. It’s been just perfect for many years now.
This is faultless for me
Which one? Or both?
Actually keepassdx, and sounding syncthing
Have been using it for 2+ years with 3 devices, no problem
Bitwarden
Bitwarden.
My recommendation: Don’t use Vaultwarden (self hostable server side of bitwarden. Really easy to run and use). Why? You’re not a security personal, and securing your vault isn’t your job. You might do a slight mistake that’ll lead to the compromise of your vault.
The people at Bitwarden have their work dedicated to securing the vaults and all they do is security. And they’ll probably do it better then you. When it comes to serious matter, I prefer to trust the professionals.
Doesn’t the server just hold an encrypted vault? What could go wrong when the server is compromised? Just thinking out loud I don’t know the answer
Let’s say I have an unupdated patch and my server is now vulnerable.
This could really happen. I have work and life to worry about and I might not notice.
This vulnerability, could be in the BW instance itself (say the web server or the backend itself), or in the server itself (say an old OpenSSH version), or another service (NextCloud instance hosted in the same server under a different subdomain).
So, first we see it’s a big attack surface. In any of those entrances an attacker could gain access to my server and with it the vault. It’s a short way from there to install a keylogger on the website where BW is hosted, and get my master password ¯_(ツ)_/¯.
Now take into consideration that I just sat a couple of minutes to think about this, and I’m not a professional in cyber security or web security. Neither blue nor red team. A professional, with more knowledge, time, experience and resources, could probably bring up much more things.
Security is also about backups. 3 Replicas 2 Formats 1 Offsite location
Yep, that’s right. In theory you could share the encrypted DB with the public and not degrade security. (Still don’t do that though…)
I just don’t want any unauthorized persons anywhere near my vaults in general. I also see my vault as a critical service that requires high availability, and I know enough about system administration to know that my network and I are not qualified to provide that.
Just to play devils advocate. Bitwarden.com is a much more valuable target. My instance is behind a VPN. I think its actually far more likely Bitwarden will have a breach similar to LastPass then I will. But I agree with you mostly.
The data stored on Bitwarden’s servers is completely encrypted though, which means a breach will not yield useful data, unlike the plain text storage for LastPass.
I have the ability to selfhost BW so I am interested in counterpoints.
Yes I agree. I was just offering a counter to the statement that Vaultwarden isnt as safe as Bitwarden. They both are encrypted but my vaultwarden instance is a lot less likely to experience a breach than Bitwarden. The guys with real skill are going after Bitwarden not me.
That’s a good point.
Notice, your server is less likely to be targeted. But much more likely to receive a breach once it’s targeted.
It’s helpful to analog. You got gold. Thieves are more likely to target a bank, but if they’ll know of some gold in your house, it’ll be much easier for them to take it from your house rather than from the bank.
And now you have to work and make sure people don’t find out about the gold in your house. Because once they did it’s game over.
Ignoring the security aspect of it Bitwarden is responsible for hosting a fault tolerant, highly available web app.
They have redundant networking, redundant servers, load balancers, redundant databases.
While you could host this yourself to these tolerances it’s work and it’s not free.
If you’re using your password manager to the fullest you have a different password for every resource out there. It’s more than a minor inconvenience if you get locked out of your passwords.
Their service is dirt cheap and it’s absolutely worth every penny.
VW isn’t the self hostable version of BW. It’s a complete rewrite. I don’t know if it is audited in the same way as BW, so I wouldn’t recommend it until you check that. BW can be self hosted as it is. VW is a rewrite with all the premium features unlocked for free
Bitwarden is excellent and the paid plan is very reasonable unlike with others.
For native sync, the two good and reputable alternatives are Bitwarden and Proton Pass
2nding the Bitwarden, absolutely love it. I moved from LastPass years ago and never looked back.
Vaultwarden works really well for me.
KeePassXC. Despite a lot of room for improvement, overall it is pretty powerful & you don’t have to host a server. You can also sync your password file to cloud storage. With VaultWarden, it will store a cache of your passwords on your phone but you wont’ be able to update them away from home unless you also setup port forwarding, dynamic DNS, web server & all that.
I also use Unix pass and self host a git repo over Tailscale to keep it synced across devices. Works like a charm so long as I remember to push whenever I edit a password somewhere.
Good thing the KeepassXC can be used as a 2nd factor authenticator, though it has TOTP only, doesn’t offer HOTP.
Keepass2android should be able to handle nextcloud sync from within the app so that might work better than on device sync. If your done with keepass bitwarden or proton pass are common alternatives
I’ve been using Bitwarden for years now. Their free tier is amazing, they’re rarely down, and it’s open source with extensions and apps for every platform.
I tried Proton Pass for a minute while Bitwarden was offline, but quickly ran back to Bitwarden. Proton’s extension kept logging out for some reason. I didn’t care enough to troubleshoot it.
If you’re on Android I had seen a better UX for synching with the client Keepass2droid than with KeepassXC or KeepassDX.
On iOS maybe try Keepassium.
KeePassXC doesn’t have an official client, does it? Also, KeePassDX has a better UI IMO, is updated much more frequently & is on Fdroid.
I do the exact same thing as OP with KeepassDX at work and works pretty nice so far, since I gave KeepassDX the right acces rights on the nextxloud directory.
What diferences have you figured out so far with Keepass2android in comparison ?
Easier to setup sync for noobs, however this was years ago maybe it has changed since on DX
I like to use SyncThing for my keepass vault. Imo it’s about as simple and elegant as it can get without involving third party services.
I know you’re asking for an integrated sync but this has been flawless for me and only rarely notice a delay between machines including android, linux, and windows (less that 30s in any case)
I use KeepassXC on desktop, KeepassDX on my phone and keep it all synced with Syncthing. Works great
