
I evaluated this for a small business but came to the conclusion that self hosting this security critical software would cost more in work hours for initial setup and maintenance than just paying the cloud fees for a few years.

Genuine question, in what scenario is the self hosting setup and maintenance worth it?



There really isn't any maintenance besides the occasional update. Setup was also effortless as I've got Caddy set up to reverse proxy containers in my network. I simply define what the subdomain should be for the container and where it can reach it and that's all there is to it.

I've got Vaultwarden set up on one of my servers via Docker and I've got nightly backups of my vault to Dropbox via docker-volume-backup[0], which works wonderfully.

I personally choose to self-host because I already have the infrastructure for it, so might as well put it to good use.

[0]: https://github.com/offen/docker-volume-backup


> Genuine question, in what scenario is the self hosting setup and maintenance worth it?

Personal use. Using this avoids the potential of a Bitwarden hack (see: LastPass) leaking out all your passwords. You are much less likely to be a target than a central server like Bitwarden.


Another reason for NOT self hosting: I want the passwords for my family to be available in the event something happens to me. The probability of Bitwarden being more resilient (at least mid-term) is much higher than any self hosting solution I would come up with.


The passwords are still stored client side, they won't disappear.

Your family won't be able to add new passwords, but they can export them at their leisure.


>The passwords are still stored client side, they won't disappear.

Offline access in Bitwarden client only works for 30 days: https://bitwarden.com/blog/configuring-bitwarden-clients-for....

This was one of the main reasons why I switched from self-hosted Vaultwarden to KeePass.


It's often not possible to open a vault until internet access is restored


If you've opened it once on a device and haven't logged out, the encrypted vault is still available on that device and can be unlocked and read. You just can't modify it. There were bugs in the browser extension that made it log out without the user asking it to, but those should be fixed.


I had the Firefox extension log me out yesterday while I had no internet connection.

I'd say if it is a problem being fixed, it is not across the board yet.


In which client? There's no technical requirement for that to be so.

I do find the Firefox browser extension sometimes logs me out (this is separate to the vault lock timer which just asks for a password, the extension basically resets to asking for a user ID)


I've never had that issue in multiple years with spotty internet. What I have is clients that stay out of date and don't always immediately sync. Even when the Internet is fine. Sometimes even a restart won't force a sync.


This is genuinely an underrated problem. This extends to a bunch of tech things in my life… if our Plex server were to fail everyone would be able to survive but we have a whole smart home setup with Home Assistant and if that fails the lights are going to stop turning on correctly.

I’ve made a pact with a similarly techy friend of mine that should something happen to either of us the other will step in and maintain in the short term, transition to something more hands off in the long term. But I still pay for Bitwarden for that extra level of reassurance.


Periodically print out the passwords that are important and put them somewhere? Won't you have this issue with any slightly sophisticated tool?


>in what scenario is the self hosting setup and maintenance worth it?

For me more than anything else, it means that even if Bitwarden goes under then there will always be a version I can run myself, at least until the situation becomes untenable and I find a new password manager.

A form of disaster mitigation, if you want to think of it that way.


Not a business here, though using certain self hosted tools has paid off in work as well.

So as a hobbyist, when you have a handful of services you are self hosting, adding another one makes more sense.

And running 5+ different services is probably cheaper in the long term.

If you have the skills, initial setup takes minutes. If you lack the skills, it is a good idea to invest your time into learning those skills, they are very handy if you work in the software development field. It certainly has become very useful at work for me.

For me personally updates, backups, restores and deployments of containers are mostly automated and on average I don't spend more than an hour per month to maintain all of the already running services.

Also I don't see the time as being wasted, since I enjoy doing it. Watching TV or playing video games is probably worse and I still do that as well, same as many other people.


The container itself needed no maintenance at all in my experience. Just update it. The DNS and reverse proxy, if you use one, are separate though, and depend on your setup.

Here is one scenario where self hosted could be more secure. If Bitwarden is required by a party, they can push bad code to a particular IP address and grab the master key. Not with self hosted, like that.

Perhaps there is also no limit to the total vault attachment storage (there is a per-password limit at 500 MB), and other limits that might be in Bitwarden.


The container image is self-sufficient so you can deploy on a cloud container platform relatively easily.

I did this with Scaleway, took 2-3 minutes to set up.


I love open-source projects engineered in such a way as to deter exploitation for commercial use.


Evaluating these decisions one by one doesn't make sense. Yes, if you are looking at just the cost of setting up Vaultwarden, there's a significant amount of stuff to learn & practice to keep it up.

But self-hosting scales horizontally. If you already run one service that uses postgres or MySQL, the next service often won't add much of a burden.

For a lot of people, yeah, at present it makes no sense to get started. But the ability to get inertia, to carry the effort, can grow and grow into something really fierce. And even better, there are such good references & starting places out there today. Onedr0p's home-ops is a beautiful example (one among many) of investing hard on really good tools up front, so that the incremental cost of adding and managing new things is fantastically low. Years ago we would have to DIY much of this, but today onedr0p can use well known community tools like Kubernetes, Flux CI/CD, gitops, and helm to get it done, to have other smart people making the tools of self-hosting better for him. He's still the one self hosting, but there's a sizable % of the engineering talent of the world helping to make his self hosting better & easier. That's pretty novel, and pretty excellent imo. https://github.com/onedr0p/home-ops


>Genuine question, in what scenario is the self hosting setup and maintenance worth it?

Maybe if you're a huge org with a dedicated security team and so on, which could easily handle managing such service. I guess at a certain point it would bring cost savings at a scale in comparison to using Bitwarden, where it costs per team member or seat. Inhouse team has fixed costs in comparison.

Of course for smaller orgs or individuals there is little sense in hosting security software yourself. No way you're going to have enough time to manage the service and keep it secure, which is where almost all of such software's value is derived from.


The official Bitwarden server is also available for self hosting. For larger orgs this is probably the way to go instead of Vaultwarden.

The official server needs a lot of different services and resources, so it’s not suitable for smaller deployments.


The official server has a simplified deployment approach in beta that gives a very Vaultwarden-like experience for smaller deployments. https://bitwarden.com/help/install-and-deploy-unified-beta/



