Risks of public hosting

So uh… I have been switching password managers a lot. I first used Keeper Security, then LogMeOnce, and then I started using the Bitwarden Extension with the Garuda Linux Vaultwarden instance.

And so I have a few questions about the security of Vaultwarden:

  • Does it have client side encryption? Like, I would like to know, even if the server is compromised, even if there is an attacker intercepting connections, as long as the client is secure will the passwords be secure? Because, as I can imagine, if all information is encrypted and decrypted client side, and everything sent between the client and the server and everything in the server is encrypted, it should be secure.
  • Will I be secure even if someone modifies the Vaultwarden code in the server?
  • Imagine that I hosted a Vaultwarden instance on a server where the server owner can access and modify all files and logs, and the website is HTTP only. Will it still be secure? If everything is encrypted and decrypted client side, it should be, right?
  • In the Garuda Linux Vaultwarden at least, I can view my passwords in the website. Does that mean that the website is decrypting and encrypting stuff locally or remotely in the server?

Well, it should be the same as Bitwarden… “Bitwarden uses AES-CBC 256-bit encryption for your vault data, and PBKDF2 SHA-256 or Argon2 to derive your encryption key. Bitwarden always encrypts and/or hashes your data on your local device before anything is sent to cloud servers for storage. Bitwarden servers are only used for storing encrypted data.” I have not checked, though…

Most of the Bitwarden Security Whitepaper should be also true for Vaultwarden.

So Vaultwarden should receive the data mostly encrypted (but not everything is encrypted, e.g. user metadata, organizational relationship data, emergency access info, … would be visible to anyone with access to the database).

While the web vault client is running locally in your browser, the code is typically stored on the server, so you would have to trust the provider not to modify it maliciously. (Vaultwarden can be run headless without a web-vault.)
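A toy model of the client-side scheme the quoted whitepaper text describes (a PBKDF2-SHA256 master key, AES-256-CBC for vault fields), written as an added example in Go; it is not Bitwarden or Vaultwarden code, it leaves out the Argon2 option and the real client's further key handling, and the password, email and iteration count used with it are made-up values. The point it shows is that the server only ever receives iv||ciphertext and never learns the key:

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
)

// DeriveMasterKey: PBKDF2-HMAC-SHA256 (RFC 8018, one 32-byte output block) over the master
// password, salted with the account email as the Bitwarden clients do. Runs on the client only.
func DeriveMasterKey(password, email string, iterations int) []byte {
	prf := hmac.New(sha256.New, []byte(password))
	prf.Write(append([]byte(email), 0, 0, 0, 1)) // salt || INT(1): PBKDF2 block index 1
	u := prf.Sum(nil)
	key := append([]byte(nil), u...)
	for i := 1; i < iterations; i++ {
		prf.Reset()
		prf.Write(u)
		u = prf.Sum(nil)
		for j := range key {
			key[j] ^= u[j]
		}
	}
	return key
}

// EncryptField: AES-256-CBC with PKCS#7 padding and a random IV; iv||ciphertext is all the server stores.
func EncryptField(key, plaintext []byte) []byte {
	block, _ := aes.NewCipher(key) // key is the 32-byte output of DeriveMasterKey
	iv := make([]byte, aes.BlockSize)
	rand.Read(iv)
	pad := aes.BlockSize - len(plaintext)%aes.BlockSize
	buf := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(buf, buf) // encrypt in place
	return append(iv, buf...)
}

// DecryptField reverses EncryptField (blob = iv||ciphertext); returns nil on bad padding (wrong key), though CBC alone is no integrity check.
func DecryptField(key, blob []byte) []byte {
	block, _ := aes.NewCipher(key)
	pt := append([]byte(nil), blob[aes.BlockSize:]...)
	cipher.NewCBCDecrypter(block, blob[:aes.BlockSize]).CryptBlocks(pt, pt)
	if pad := int(pt[len(pt)-1]); pad >= 1 && pad <= aes.BlockSize {
		return pt[:len(pt)-pad]
	}
	return nil
}
```

Anyone reading the database (or the HTTP traffic, in the plain-HTTP case from the question) sees only the blob returned by EncryptField; the unencrypted metadata mentioned above is a separate matter.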