Objective: Secure & private password management, prevent anyone from stealing your passwords.
Option 1: Store the KeePass PW file in a personal cloud service like OneDrive/Google Drive/etc., download the file, use KeePassXC to open it
Option 2: Use Proton Pass or a similar solution like Bitwarden
Option 3: Host a solution like Vaultwarden
Which would you choose? Are there more options? Assume a strong master password and strong technical skills
Having gone through all of these options I have thoughts.
Option 1 sounds awesome but will almost always leave you in a situation where you can’t get your logins when you need them in an emergency. You’re always depending on a chain of things. Depending on your situation it may not be a big deal. But this option sucks, imho.
Option 3 sounds amazing because it gives you the control of option 1 with the ease of option 2. But… unless you’re the kind of person that enjoys hosting their own email server you really don’t want this option. Fun in theory but not so much when you realize you now have a 3rd job.
So that leaves option 2. It’s great but you’re depending on someone else. This is the option that most people should choose too, imo. However, it lacks some of the control and trust that options 1 and 3 have.
Sooooo, that leaves us with option 4, the onion option. Breaking up your data into layers and using different tools for them.
So first and foremost I want my password storage to always be available. For me that means Bitwarden (though I’m evaluating Proton Pass currently). This is the outer layer. Things that can and should be stored here are stored here. I use it to manage web logins and 2FA tokens for those sites. I also use it for storing autofill data, e.g. credit cards. I don’t use it to hold things like my GPG keys.
The next layer is pass. This layer is mostly things that I need to have logins or other information on headless/remote servers. Think self-hosted lab services like MariaDB/Postgres or backups. This is easily kept in sync with git. This is the layer where I’ll store things like GPG keys and other VERY sensitive data that I need to sync around.
For other things on this layer I use ansible-vault. This is mostly used for anything where I need automation and/or I don’t want to or can’t easily use my YubiKey for GPG. This is kept in sync with git as well.
Lastly, for the inner layer I use age or PGP. This is for anything else I can’t use the above for. So my Bitwarden exports/backups are in this level too. I also use this layer for things that I need to use to bootstrap a system. Think sensitive dotfiles. This can be kept in sync with git as well.
Git is the best sync solution imo because you can store it anywhere and use anything to sync that repo. Just throw that raw repo on Dropbox, use SSH with it on a VPS, rsync it, etc. You’ll always have it somewhere and on something.
My workflow goes like this: Bitwarden -> Apple/Google/Firefox -> pass -> Ansible -> age/PGP
This allows for syncing things as needed and how needed. It also gives you the option of having an encrypted text file if/when everything fails.
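One guard for the git-synced inner layers described above, added here as an example and not code from the poster: a pre-commit check that refuses to commit anything into the secrets repo that is not age, PGP or ansible-vault ciphertext, which catches the classic mistake of staging a raw Bitwarden export next to its encrypted copy. The Bitwarden export layout (`"encrypted": false` plus an `"items"` list), the allowlist of files that legitimately stay plaintext (such as pass's `.gpg-id`), and the hook wiring in `main()` are assumptions.

```python
import json
import os
import subprocess
import sys
# Files that legitimately stay in the clear inside the secrets repo (assumed list).
PLAINTEXT_OK = {".gpg-id", ".gitattributes", ".gitignore", "README.md"}
# Magic prefixes written by the tools in the inner layers.
ENCRYPTED_PREFIXES = (
    b"age-encryption.org/v1",               # age, binary output
    b"-----BEGIN AGE ENCRYPTED FILE-----",  # age --armor
    b"-----BEGIN PGP MESSAGE-----",         # gpg --armor
    b"$ANSIBLE_VAULT;",                     # ansible-vault
)

def looks_encrypted(data: bytes) -> bool:
    """True if data starts like age / PGP / ansible-vault ciphertext."""
    if data.startswith(ENCRYPTED_PREFIXES):
        return True
    # Binary OpenPGP (what `pass` writes to *.gpg): byte 0 is a packet header and
    # every OpenPGP packet header has bit 7 set. Heuristic: UTF-8 text may match.
    return len(data) > 0 and data[0] & 0x80 == 0x80

def is_plaintext_export(data: bytes) -> bool:
    """Unencrypted Bitwarden JSON export (assumed: "encrypted": false + "items")."""
    try:
        doc = json.loads(data)
    except ValueError:  # not JSON (or not even UTF-8)
        return False
    return isinstance(doc, dict) and "items" in doc and not doc.get("encrypted")

def check_files(files: dict) -> list:
    """files maps path -> content; returns the paths that must not be committed."""
    rejected = []
    for path, data in files.items():
        if os.path.basename(path) in PLAINTEXT_OK and not is_plaintext_export(data):
            continue
        if is_plaintext_export(data) or not looks_encrypted(data):
            rejected.append(path)
    return rejected

def main() -> int:
    # Hook wiring (assumed): invoked from .git/hooks/pre-commit at the repo root.
    out = subprocess.run(["git", "diff", "--cached", "--name-only", "--diff-filter=AM"],
                         capture_output=True, text=True, check=True).stdout
    bad = check_files({p: open(p, "rb").read() for p in out.split()})
    for path in bad:
        print(f"refusing to commit plaintext secret: {path}", file=sys.stderr)
    return 1 if bad else 0

if __name__ == "__main__": sys.exit(main())
```

The binary-OpenPGP test is a heuristic, so a file that fails it is worth a second look rather than an automatic rewrite of the hook.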
I currently host Vaultwarden and use the Bitwarden Android app and browser plugin. What does this have to do with a mail server? I don’t host a mail server and it works fine for me (tried to host a mail server, but got blocked by ISP and would need a business account to request them to unblock it, which costs double what I currently pay for the same speeds).
It wasn’t meant to be taken literally. What I mean by that is if you’re the type of person who enjoys the upkeep of something as critical (though maybe not so much these days) as email then go ahead and host your own password vault service. I’m not saying it shouldn’t be done and couldn’t be done.
My point is that there’s going to be times where you NEED your password vault and having it be down because something happened at home or your VPS had a problem is a really shitty situation to be in.
Of course there’s workarounds and edge cases to everything too. For me planning and building for those possibilities came down to what can I do that is the most reliable, simple, and boring. Because that’s what most people need with anything that is critical.
IMHO much like backup, password storage should be reliable, simple, and boring. Kinda like flushing a toilet or flipping a light switch.
Oh, got it. That makes sense. Though if I remember correctly, Bitwarden makes a local copy for you, so even if your device doesn’t have internet or your backend is down, you should still be able to enter your passwords, just not create new passwords or sync new passwords from other devices.
I have only been using Vaultwarden/Bitwarden for a short time, but I haven’t had any issues thus far. My house is pretty resistant to power outages (solar + 12 hour battery backup for whole house with no sun), but if something happened with my ISP, obviously there’s nothing I could do. I haven’t tested that case yet. I probably should, though.
Agree 100%. I self-host a lot of services but access to my passwords needs at least 3-nines uptime and the cost of providing that via Azure/AWS isn’t really worth it to me.
That said, I trust Bitwarden way more than I ever trusted LastPass and I still use option 1 for highly sensitive accounts along with redundant YubiKeys (FIDO2, PIV, and GPG in that order) for anything that supports it.