Self-host Bitwarden Password Manager on Debian Linux Using Cloudflare Tunnels

Password managers are a necessity in today's world. With passwords being breached every day, the requirements to stay secure are constantly increasing. The concern is which cloud provider is hosting your passwords and secrets, and whether they are protecting them correctly (cough cough...). This guide steers away from cloud providers and shows how to self-host your password manager on your own network, whether it's for regulatory reasons, uptime concerns with cloud providers, or to help keep your tools well guarded under your tin foil hat.
Bitwarden is open-source password management software that is available from many different cloud providers, or you can self-host it. Your data is encrypted in a vault using AES-256 and only transmitted through secure channels, providing an end-to-end encryption approach. The great part about Bitwarden is that it is very versatile and supported in many different scenarios. One scenario is integrating with your browser so that you can remove the vulnerable browser password manager and just use the Bitwarden extension.
Installing Bitwarden on Linux
The recommended requirements to install Bitwarden are:
- Processor - x64, 2GHz dual core
- Memory - 4GB RAM
- Storage - 25GB
- Docker Version - Engine 26+ and Compose
Install Docker and Docker Compose on your Linux instance
In this guide, I am using Debian 12 (Bookworm). Installing Docker is different for each OS, so follow Docker's installation documentation for your OS for reference.
- Set up Docker's apt repository by copying and pasting the following into your Debian instance:
# Add Docker's official GPG key:
sudo apt-get update
sudo apt-get install ca-certificates curl
sudo install -m 0755 -d /etc/apt/keyrings
sudo curl -fsSL https://download.docker.com/linux/debian/gpg -o /etc/apt/keyrings/docker.asc
sudo chmod a+r /etc/apt/keyrings/docker.asc
# Add the repository to Apt sources:
echo \
"deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/debian \
$(. /etc/os-release && echo "$VERSION_CODENAME") stable" | \
sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
sudo apt-get update
- Install the latest version by copying and pasting the following:
sudo apt-get install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
- Test that Docker is installed correctly by running the hello-world image:
sudo docker run hello-world
If the container runs and you see "Hello from Docker!" then this means the installation worked correctly.
Installing Bitwarden local user and directory
- We will begin by creating the Bitwarden user. Set the password to a strong password.
sudo adduser bitwarden
- Create and add the Bitwarden user to the docker group. (The group may already exist)
sudo groupadd docker
sudo usermod -aG docker bitwarden
- Create the Bitwarden directory and set the permissions
sudo mkdir /opt/bitwarden
sudo chmod -R 700 /opt/bitwarden
sudo chown -R bitwarden:bitwarden /opt/bitwarden
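To confirm that two of the settings above took effect (the Docker apt source pinned to its key with `signed-by`, and `/opt/bitwarden` restricted to the bitwarden user), the following added example checks both. It is not part of the original guide or of Docker's or Bitwarden's tooling, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not Docker/Bitwarden tooling.

# Return 0 only if every deb/deb-src line in an apt sources file names a key
# with signed-by= and that key file is readable. Return 1 on a finding and
# 2 if the file is missing or contains no deb lines.
check_apt_source_pinned() {
    local list_file line key rc seen
    list_file="$1"; rc=0; seen=0
    [ -r "$list_file" ] || { echo "missing: $list_file" >&2; return 2; }
    while IFS= read -r line; do
        case $line in
            deb\ *|deb-src\ *) ;;
            *) continue ;;          # skip comments and blank lines
        esac
        seen=1
        # Pull the path that follows signed-by= inside the [options] block.
        key=$(printf '%s\n' "$line" | sed -n 's/.*signed-by=\([^] ]*\).*/\1/p')
        if [ -z "$key" ]; then
            echo "no signed-by: $line" >&2; rc=1
        elif [ ! -r "$key" ]; then
            echo "key not readable: $key" >&2; rc=1
        fi
    done < "$list_file"
    [ "$seen" -eq 1 ] || return 2
    return "$rc"
}

# Return 0 only if the directory has exactly the expected octal mode and
# owner:group (GNU stat, as shipped on Debian). Return 2 if it cannot be read.
check_dir_lockdown() {
    local dir want got
    dir="$1"; want="$2 $3"
    got=$(stat -c '%a %U:%G' "$dir" 2>/dev/null) || return 2
    [ "$got" = "$want" ] || { echo "$dir is '$got', want '$want'" >&2; return 1; }
}

# Run both checks against the paths used in this guide.
audit_bitwarden_host() {
    check_apt_source_pinned /etc/apt/sources.list.d/docker.list &&
    check_dir_lockdown /opt/bitwarden 700 bitwarden:bitwarden
}
```

Source the file and call `audit_bitwarden_host`; a non-zero exit status means one of the two settings differs from what the steps above configure.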
Bitwarden Installation
- Switch to or sign in to the bitwarden user created in the last section and navigate to the home directory.
su bitwarden
cd ~
- Download the Bitwarden installation script to the home directory
curl -Lso bitwarden.sh "https://func.bitwarden.com/api/dl/?app=self-host&platform=linux" && chmod 700 bitwarden.sh
- Run the installer script
./bitwarden.sh install
- As the script runs, you will see the following prompts:
  - Enter the domain for your Bitwarden instance:
    - This will be whatever domain (subdomain) you are setting up using Cloudflare Tunnels.
  - Do you want to use Let's Encrypt to generate a free SSL certificate? (y/n)
    - No. Cloudflare uses their own SSL certificates whenever you set up a network tunnel. This way you don't have to worry about managing certificates.
  - Enter your installation ID:
    - Register for an installation ID at https://bitwarden.com/host
  - Enter your installation key:
    - Register for an installation key at https://bitwarden.com/host
  - Enter your region (US/EU):
  - Do you have a SSL certificate to use? (y/n)
    - No. Bitwarden documentation says this is only for testing purposes, but Cloudflare will be providing the certificate, so we are still protected.
  - Do you want to generate a self-signed SSL certificate? (y/n)
    - No. Bitwarden specifies here that if you don't use an SSL certificate, then you will need an HTTPS proxy (which is Cloudflare).
After Bitwarden has been installed, follow the Cloudflare documentation to set up your Cloudflare tunnel.
Once the tunnel is set up, your Bitwarden instance is ready!
Further configuration can be reviewed here: https://bitwarden.com/help/install-on-premise-linux/