this post was submitted on 22 Apr 2024
28 points (100.0% liked)

Open Source


I rely on Bitwarden (slooowly migrating from... a spreadsheet...) and am thinking of keeping a master backup to be SyncThing-synchronized across all my devices, but I'm not sure of how to secure the SyncThing-synchronized files' local access if any one of my Windows or Android units got stolen and somehow cracked into or something. I'm curious about how others handle theirs. Thanks in advance for sharing!

[–] [email protected] 1 points 4 months ago

I've set up Vaultwarden as I used Bitwarden before that and it made switching very easy. Doesn't get easier than that, synced passwords across all your devices/browsers.

[–] [email protected] 2 points 4 months ago

Pass on Linux with a private git repo with search extensions for gnome and Firefox, and android password store on my phone.

[–] [email protected] 3 points 4 months ago

Reset every time I need to log in

[–] [email protected] 1 points 4 months ago (1 children)

I was using Bitwarden up until I moved my email service to Proton. Now, I just use all their things, but I didn't have any issues with Bitwarden personal. I do have some issues with their organization accounts though.

[–] [email protected] 1 points 4 months ago* (last edited 4 months ago) (1 children)

I do have some issues with their organization accounts though.

Like what? And is Proton Pass open-source?

[–] [email protected] 1 points 4 months ago

Just management things, they don't do nested permissions, removed the ability to have groups auto added to collections, and the desktop app has been broken for creating new entries in an organization because for some reason it can't see collections, but that's something that broke in an update and they just haven't fixed for a few versions.

[–] [email protected] 7 points 4 months ago (1 children)

For years I've been using KeepassXC on desktop and Keepass2Android on mobile. Rather than sync the kdbx file between my devices, I have each device access it through the network. Either via sftp, smb, or nfs, but regardless I need to connect to my home's VPN to access it when away from home since I don't directly expose those things to the outside world.

I used to also keep a second copy of the website-tied passwords in Firefox Sync, but recently tried migrating that to Proton Pass because I thought the PIN feature might help, then ultimately decided to move away from that too and start using the KeepassXC-Browser plugin instead. I considered Bitwarden too but haven't tried it out yet, was somewhat deterred by seeing people say its UI seems very outdated.

[–] [email protected] 1 points 4 months ago (1 children)

Is syncing the .kdbx files using Syncthing unsafe?

[–] [email protected] 2 points 4 months ago (2 children)

Syncing files that you may open in both (or more) devices at the same time is unsafe with any service, but you can manage to avoid sync conflicts with KeePass if you do not open the same file at the same time or open the Android app in read-only mode. I've only had like 3-4 conflict files this year and they weren't important.

[–] [email protected] 3 points 4 months ago

@not_amm And I think Keepass (XC) has a merge function which can very easily resolve these conflicts.
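
Since Syncthing keeps the losing copy as a `.sync-conflict-...` file next to the original and KeePassXC can merge two databases, here is an added example (my own code, not from any commenter) that finds conflict copies of a .kdbx vault, orders them by the timestamp in their name and builds the `keepassxc-cli merge` commands that fold each copy back into the original; it assumes Syncthing's documented conflict-file naming and that `keepassxc-cli` is installed.

```python
import re
import subprocess
from dataclasses import dataclass
from pathlib import Path

# Syncthing names a conflicting copy
#   <stem>.sync-conflict-<YYYYMMDD>-<HHMMSS>-<SHORTDEVICEID>.<ext>
CONFLICT_RE = re.compile(
    r"^(?P<stem>.+)\.sync-conflict-(?P<date>\d{8})-(?P<time>\d{6})"
    r"-(?P<device>[A-Z0-9]+)(?P<ext>\.[^.]+)$"
)


@dataclass
class Conflict:
    original: str   # file name the copy belongs to
    conflict: str   # the conflict copy itself
    stamp: str      # YYYYMMDDHHMMSS, used for ordering
    device: str     # short ID of the device that made the losing change


def parse_conflict(name: str):
    """Return a Conflict for a Syncthing conflict file name, else None."""
    m = CONFLICT_RE.match(name)
    if not m:
        return None
    return Conflict(m["stem"] + m["ext"], name, m["date"] + m["time"], m["device"])


def find_kdbx_conflicts(names):
    """Keep only .kdbx conflict copies whose original is still present,
    oldest first so merges replay the changes in order."""
    present = set(names)
    found = [c for c in map(parse_conflict, names) if c and c.original.endswith(".kdbx")]
    return sorted((c for c in found if c.original in present), key=lambda c: c.stamp)


def merge_commands(conflicts, folder="."):
    # keepassxc-cli merge <database1> <database2>: merges database2 INTO database1
    # (it prompts for the master password of each database).
    return [["keepassxc-cli", "merge", str(Path(folder) / c.original),
             str(Path(folder) / c.conflict)] for c in conflicts]


def run_merges(folder="."):
    names = [p.name for p in Path(folder).iterdir()]
    for cmd in merge_commands(find_kdbx_conflicts(names), folder):
        subprocess.run(cmd, check=True)  # stops on the first failed merge


if __name__ == "__main__":
    # constructed sample listing of a synced folder, no real files involved
    sample = ["vault.kdbx", "notes.sync-conflict-20240422-101500-ABCDEFG.txt",
              "vault.sync-conflict-20240422-101500-ABCDEFG.kdbx",
              "vault.sync-conflict-20240421-090000-HIJKLMN.kdbx"]
    for cmd in merge_commands(find_kdbx_conflicts(sample)):
        print(" ".join(cmd))
```

After a successful merge, delete the conflict copy yourself; the script deliberately leaves it in place so you can open it in KeePassXC first if the merge looks wrong.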

[–] [email protected] 1 points 4 months ago (1 children)

Do the files pass through their servers unprotected? I don't really understand how Syncthing works under the hood.

[–] [email protected] 1 points 4 months ago

From https://docs.syncthing.net/users/faq.html#what-is-syncthing (bolding mine)

We believe your data is your data alone and you deserve to choose where it is stored. Therefore Syncthing does not upload your data to the cloud but exchanges your data across your machines as soon as they are online at the same time.

[–] [email protected] 5 points 4 months ago

KeePass on my phone and desktop, with the master file synced automatically to the server in my basement.

[–] [email protected] 1 points 4 months ago (1 children)

Proton Pass. If you're comfortable with cloud E2EE managers, it's far more worth it than Bitwarden, since you get unlimited email aliases. Better for privacy and even security. Plus, I trust Proton, they have a phenomenal track record in terms of security and encryption.

[–] [email protected] 1 points 4 months ago (1 children)

they have a phenomenal track record in terms of security

I read that they have bowed to email subpoenas in the past.

[–] [email protected] 1 points 4 months ago

Every company would. They're not going to go out of business over one customer. What's important is that they weren't able to give any important information.

[–] [email protected] 5 points 5 months ago (1 children)

Bitwarden keeps a local copy of the data that can be exported if something ever happened to Bitwarden. If you want to keep an encrypted backup you can export the CSV and store it on an encrypted drive as a backup, but there's no big worry about syncing it to all devices.

[–] [email protected] 4 points 4 months ago* (last edited 4 months ago)

This is the correct answer, every device you use a bitwarden-client regularly on automatically becomes a backup

[–] [email protected] 9 points 5 months ago (1 children)

if any one of my Windows or Android units got stolen and somehow cracked into or something.

This shouldn't be a concern if you're using disk encryption and secure passwords, which is generally the default behaviour on most systems these days.

On Android, you don't need to worry about anything as long as you've got a pin/password configured, as disk encryption has been enabled by default for like a decade now.

On Windows, if you're on the Pro/Enterprise edition, you can use BitLocker, but if you're on Home, you can use "device encryption" (which is like a lightweight BitLocker) - but that requires a TPM chip and your Windows user account linked to a Microsoft account. If that is not an option, you could use VeraCrypt instead, which is an open-source disk encryption tool. Another option, if you're on a laptop, could be Opal encryption (aka TCG Opal SED), assuming your drive/BIOS supports it.

TL;DR: Encrypt yo' shit, and you don't need to worry about your data if your device gets stolen.

[–] [email protected] 2 points 4 months ago (1 children)

do not do anything in this post until you have backups that you know run and work.

device encryption is fantastic.

[–] [email protected] 1 points 4 months ago (1 children)

I'm mortified to say I could certainly do more in this regard. Do you recommend a preferred method?

[–] [email protected] 2 points 4 months ago (1 children)

What matters is that the backups are done at the appropriate intervals and verified to be readable.

You can figure out what interval is appropriate. Some people have to make sure every picture is saved, some people are fine losing a month of stuff.

Verifying the backup is valid is equally important. You don't wanna find out it was misconfigured and didn't get your user directories when you try to restore. Just open one up and look to see every once in a while.

At least fifteen years ago you could set up windows backups through the control panel > backup or something menu. Now on 10 it’s settings > updates and security > backups.

You can click add drive from there and designate a usb or something as your backup drive.

Then set an alarm to make sure you remember to do it at the designated interval.

With android the easiest thing is to sync it to a computer that gets backed up.

You can use cloud services instead of a hard drive too, but often simple and easy to understand is the best place to start.

Do you know why it's important to have backups before using full disk encryption?

[–] [email protected] 1 points 4 months ago (1 children)

Right, I can imagine that I could lock myself out otherwise. Thanks for the walkthrough!

[–] [email protected] 1 points 4 months ago

The lockout I see most often isn't from people forgetting a password or key, but from motherboard failure with a key stored in the motherboard's TPM or CPU.

[–] [email protected] 5 points 5 months ago* (last edited 5 months ago)

Bitwarden has an import tool. You should be able to convert your spreadsheet into the format they like and import relatively easily.

For backups, you can create encrypted backups through Bitwarden. So it shouldn't matter if syncing itself is a secure process, as what you're syncing is already encrypted.

[–] [email protected] 13 points 5 months ago

Bitwarden already stores a local copy on all devices you have it installed on. Just make sure you load up those devices from time to time... And guess what, you are probably already doing that with your phone and laptop (which actually contains generally 2 copies, 1 in your actual client and another for the browser extension). Add a third device for good measure and... Oh, you also have a backup on bitwarden.com, this thing literally backs itself up everywhere!
