home/Projects/kompose/docs/content/5.stacks/vault.md

title, description, navigation

title	description	navigation
Vault - Password Fort Knox	One password to rule them all!	icon i-lucide-lock-keyhole

"One password to rule them all!" - Vaultwarden

What's This All About?

Vaultwarden is your self-hosted password manager - a lightweight, Rust-powered alternative to Bitwarden. It's like having a super-secure vault in your pocket, accessible from anywhere, that remembers all your passwords so you don't have to! No more "password123" or writing passwords on sticky notes. :icon{name="lucide:lock"}

The Security Guardian

:icon{name="lucide:shield"} Vaultwarden

Container: vault_app
Image: vaultwarden/server:latest
Port: 80 (internal)
Home: https://vault.pivoine.art

Vaultwarden is your digital security blanket:

• :icon{name="lucide:lock-keyhole"} Password Vault: Store unlimited passwords
• 🗂️ Secure Notes: Credit cards, identities, documents
• :icon{name="lucide:refresh-cw"} Sync Everywhere: Desktop, mobile, browser extensions
• :icon{name="lucide:users"} Sharing: Securely share with family/team
• :icon{name="lucide:key"} 2FA Support: TOTP, YubiKey, Duo
• 📱 Mobile Apps: iOS & Android (official Bitwarden apps)
• :icon{name="lucide:globe"} Browser Extensions: Chrome, Firefox, Safari, Edge
• :icon{name="lucide:dollar-sign"} Free: All premium features, no limits
• :icon{name="simple-icons:rust"} Rust-Powered: Secure, fast, resource-efficient

Why Vaultwarden vs Bitwarden Official?

Feature	Vaultwarden	Bitwarden Official
Resource Usage	🟢 Tiny	🟡 Heavy (needs MSSQL)
Setup	🟢 Simple	🟡 Complex
Premium Features	🟢 All free	:icon{name="lucide:dollar-sign"} Paid
Compatibility	✅ 100%	✅ 100%
Updates	🟢 Community	🟢 Official

Both use the same client apps - just different servers!

Features That Matter 🌟

Password Management

• :icon{name="lucide:lock-keyhole"} Unlimited Passwords: No caps, no limits
• :icon{name="lucide:search"} Search: Find credentials instantly
• :icon{name="lucide:folder"} Folders: Organize by category
• :icon{name="lucide:tag"} Tags: Multiple ways to organize
• ⭐ Favorites: Quick access to common items
• :icon{name="lucide:file-text"} Notes: Attach notes to any item

Secure Storage Types

• :icon{name="lucide:key"} Login: Username + password combos
• 💳 Card: Credit/debit card info
• 🆔 Identity: Personal info, addresses
• :icon{name="lucide:file"} Secure Note: Encrypted text

Security Features

• :icon{name="lucide:lock"} End-to-End Encryption: Zero-knowledge architecture
• :icon{name="lucide:lock-keyhole"} Master Password: Only you know it
• 📱 Two-Factor Auth: Extra security layer
• :icon{name="lucide:refresh-cw"} Password Generator: Strong random passwords
• :icon{name="lucide:alert-triangle"} Security Reports: Weak, reused, compromised passwords
• :icon{name="lucide:bar-chart"} Vault Health: Check security score

Sharing & Organization

• :icon{name="lucide:users"} Organizations: Team password sharing
• :icon{name="lucide:folder"} Collections: Group shared passwords
• :icon{name="lucide:lock-keyhole"} Granular Permissions: Control who sees what
• :icon{name="lucide:mail"} Emergency Access: Trusted contacts can request access

Configuration Breakdown

Data Persistence

volumes:
  - ./bitwarden:/data:rw

All your encrypted data lives here. PROTECT THIS FOLDER!

Admin Token

JWT_TOKEN=your-admin-token-here

Required to access admin panel. Generate with:

openssl rand -base64 32

WebSocket Support

WEBSOCKET_ENABLED=true

Enables real-time sync across devices!

SMTP Configuration

Email for account verification and password hints:

SMTP_HOST=smtp.yourprovider.com
SMTP_PORT=587
SMTP_USERNAME=your@email.com
SMTP_PASSWORD=your-password
SMTP_FROM=vault@yourdomain.com

Signup Control

SIGNUPS_ALLOWED=false

Disable public signups after creating your account!

First Time Setup :icon

1. Start the Stack

docker compose up -d

2. Create Your Account

URL: https://vault.pivoine.art
Click: "Create Account"
Email: your@email.com
Master Password: Something STRONG!

:icon{name="lucide:alert-triangle"} MASTER PASSWORD WARNING:

• Only you know it
• Cannot be recovered if lost
• Write it down somewhere safe
• Use a long passphrase (4+ words)

3. IMMEDIATELY Disable Signups

# Edit .env
SIGNUPS_ALLOWED=false

# Restart
docker compose restart

4. Set Up 2FA

1. Settings → Security → Two-step Login
2. Choose method (Authenticator app recommended)
3. Scan QR code with app (Google Authenticator, Authy, etc.)
4. Save recovery codes somewhere safe!

5. Install Browser Extension

• Chrome/Edge
• Firefox
• Safari

6. Install Mobile App

• iOS
• Android

7. Configure Apps

1. Open app/extension
2. Settings → Change server
3. Enter: https://vault.pivoine.art
4. Login with your credentials

Using Your Vault :icon

Adding Passwords

Via Browser Extension:

1. Visit website and login
2. Extension detects login form
3. Click "Save" when prompted
4. Done! :icon{name="lucide:party-popper"}

Manually:

1. Click "+" in vault
2. Choose "Login"
3. Fill in:
   • Name
   • Username
   • Password (or generate)
   • URL
4. Save

Auto-Fill Passwords

1. Navigate to website
2. Click extension icon
3. Select login
4. Credentials auto-filled!

Or use keyboard shortcut: Ctrl+Shift+L

Generate Strong Passwords

1. Click password field
2. Click generator icon
3. Choose options:
   • Length (12-128 characters)
   • Include uppercase
   • Include numbers
   • Include symbols
4. Use generated password

Search Your Vault

• Search bar finds items instantly
• Search by name, URL, username, or notes
• Filter by type, folder, or favorites

Admin Panel 🎛️

Access at: https://vault.pivoine.art/admin

Admin Token Required (from .env)

Admin Features

• :icon{name="lucide:users"} View all users
• :icon{name="lucide:lock-keyhole"} Disable/delete users
• :icon{name="lucide:mail"} Resend invitations
• 🗑️ Delete accounts
• :icon{name="lucide:bar-chart"} View diagnostics
• ⚙️ Configure settings

Useful Admin Tasks

Disable a User:

Admin Panel → Users → Find user → Disable

View Diagnostics:

Admin Panel → Diagnostics

Shows config, health checks, versions

Sharing with Organizations :icon

Create Organization

1. New → Organization
2. Name it (e.g., "Family Passwords")
3. Choose billing (always free on Vaultwarden!)
4. Create

Invite Members

1. Organization → Manage → People
2. Invite user (by email)
3. They receive invitation email
4. Accept and join

Share Passwords

1. Create collection (e.g., "Netflix")
2. Add items to collection
3. Set permissions per user
4. Members can access shared passwords

Security Best Practices :icon

Master Password

• ✅ Use a passphrase: correct-horse-battery-staple
• ✅ At least 14+ characters
• ✅ Unique (not used elsewhere)
• ✅ Write it down physically
• ❌ Don't store digitally
• ❌ Don't share it

Two-Factor Authentication

• ✅ Enable 2FA immediately
• ✅ Save recovery codes
• ✅ Use authenticator app (not SMS)
• ✅ Consider hardware key (YubiKey)

Vault Hygiene

• :icon{name="lucide:refresh-cw"} Regular security reports
• :icon{name="lucide:search"} Update weak passwords
• 🗑️ Remove old accounts
• :icon{name="lucide:mail"} Use unique emails when possible
• :icon{name="lucide:lock-keyhole"} Never reuse passwords

Backup Strategy

# Backup vault data
tar -czf vault-backup-$(date +%Y%m%d).tar.gz ./bitwarden/

# Store backup securely:
# - Encrypted external drive
# - Encrypted cloud storage
# - Offsite location

Emergency Access 🆘

Setting Up Emergency Access

1. Settings → Emergency Access
2. Add trusted contact (email)
3. Set wait time (e.g., 7 days)
4. They receive invitation

How It Works

1. Trusted contact requests access
2. Wait time begins (you get notification)
3. After wait time, access granted
4. You can reject anytime during wait

Use Cases:

• Family member needs access
• You're incapacitated
• Account recovery

Ports & Networking

• Internal Port: 80
• External Access: Via Traefik at https://vault.pivoine.art
• Network: kompose (Traefik routing)
• WebSocket: Enabled for real-time sync

Data & Volumes

Bitwarden Data Directory

./bitwarden/
├── attachments/     # File attachments
├── sends/          # Send feature data
├── db.sqlite3      # Main database
├── db.sqlite3-shm  # SQLite shared memory
├── db.sqlite3-wal  # Write-ahead log
├── icon_cache/     # Website favicons
└── rsa_key.*       # Server keys

:icon{name="lucide:siren"} CRITICAL: Backup this entire directory regularly!

Performance & Limits

Resource Usage

• Memory: ~10-20 MB (yes, megabytes!)
• CPU: Minimal
• Disk: ~50MB + your data

Capacity

• Users: Unlimited
• Items per user: Unlimited
• Organizations: Unlimited
• File attachments: 1GB per user (configurable)

Troubleshooting :icon

Q: Can't log in?
A: Check master password, verify server URL in apps

Q: Forgot master password?
A: Unfortunately, it cannot be recovered. This is by design for security.

Q: 2FA locked out?
A: Use recovery codes you saved during setup

Q: Items not syncing?
A: Check WebSocket is enabled, verify network connection

Q: Can't access admin panel?
A: Verify admin token in .env matches your token

Q: Email not sending?
A: Check SMTP settings, test email server connection

Import from Other Managers

Vaultwarden supports imports from:

• LastPass
• 1Password
• Dashlane
• KeePass
• Chrome
• Firefox
• And many more!

Import Process:

1. Export from old manager (usually CSV)
2. Vault → Tools → Import Data
3. Select format
4. Upload file
5. Import!

Browser Extension Tips :icon

Keyboard Shortcuts

• Ctrl+Shift+L: Auto-fill last used login
• Ctrl+Shift+9: Generate password
• Ctrl+Shift+Y: Open vault

Context Menus

Right-click in password fields:

• Auto-fill from Bitwarden
• Generate password
• Copy to clipboard

Custom Fields

Add extra fields to logins:

• Security questions
• PIN codes
• Account numbers
• Anything you need!

Advanced Features

Send (Encrypted Sharing)

Share text or files securely:

1. Create Send
2. Set expiration
3. Optional password
4. Share link
5. Auto-deletes after use/time

Password Health Reports

Check vault health:

• Weak passwords
• Reused passwords
• Exposed passwords (via haveibeenpwned)
• Unsecured websites (HTTP)

Collections

Organize shared items:

• Team credentials
• Client access
• Project resources
• Department logins

Why Self-Host Your Passwords?

• :icon{name="lucide:lock"} Full Control: Your data, your server
• 🕵️ Privacy: No third-party access
• :icon{name="lucide:dollar-sign"} Cost: Free premium features
• :icon{name="lucide:rocket"} Performance: Local network speed
• :icon{name="lucide:shield"} Security: You control the security
• 🌍 Independence: Not dependent on cloud service
• :icon{name="lucide:bar-chart"} Transparency: Open source, auditable

Resources

• Vaultwarden Wiki
• Bitwarden Help Center
• Password Security Guide

---

"The best password is the one you don't have to remember because it's safely stored in your vault." - Password Wisdom :icon{name="lucide:lock-keyhole"}:icon{name="lucide:sparkles"}