path: root/infrastructure/roles/vaultwarden/README.md

# Vaultwarden

## Registering to Vaultwarden

Registration is limited to the `@localhost` domain so that only local users can register.
Registration requires email validation.

Visit `/vaultwarden`, select "create account", then use `$USER@localhost` as your email address.

1. Run `mutt`.
1. If this is the first execution of `mutt`, press y to create the mail directory.
1. Locate the "verify your email" message.
1. Press enter to open the email.
1. Press ctrl+b to open the URL viewer.
1. In the URL viewer, you can copy the long verification URL without line breaks.
1. Press q and any key to exit URL viewer.
1. Press d to delete the "verify your email" message.
1. Press d to delete the "welcome" message.
1. Press d to delete the "new device" message.
1. Press q and y to exit and purge deleted messages.

## Security

[The Bitwarden Security Whitepaper](https://bitwarden.com/help/bitwarden-security-white-paper/) says that Bitwarden clients, such as the browser extension, never pass the master password that can decrypt passwords to the Bitwarden server.
Note that root on the system can tamper with the Vaultwarden web vault, but the browser extensions are controlled by Bitwarden.

Therefore, we recommend changing the master password *before* entering any sensitive data in Vaultwarden and not using again the web vault, to ensure that the password cannot be snooped by root on the system.

To share secrets among members, organizations should be created from an account without personal data.

### Running a local web vault

Alternatively, you can run the web vault locally to ensure no one has tampered with the web vault.

1. Download and extract the archive from [the Vaultwarden web vault builds](https://github.com/dani-garcia/bw_web_builds/releases/latest).
1. Copy the [`Caddyfile`](Caddyfile) into the `web-vault` directory.
1. Run `caddy run`.
1. Access your vault at <https://localhost:8443>.