I’m keen to self-host Vaultwarden. I trust my VPS provider to keep my VPS up, but don’t trust that they (or anyone else who manages to get access) don’t do malicious things.
Fortunately, the Bitwarden clients don’t need to trust the server, since the vault entry passwords are encrypted/decrypted locally.
The web client is served by the server, which I don’t trust. Fortunately I can avoid using that, and instead just use the web extension and mobile clients.
The one flaw is that actions such as adding passkeys rely on the web client.
Is there a way to fully use vaultwarden, without trusting the server-provided web client?
Alternatives considered:
- Temporarily run the web client locally when needed, and have that act against the server. Not too fiddly to set up a local reverse proxy to do this.
- Figure out how to do everything via plain HTTP requests and do that with curl.
- Just use the web client and hope nothing has been compromised. Could do. Hoping to avoid that.
- Find a more trustworthy VPS. Alas, I’m trying to remove trust here.
- Host the server at my home. Alas, I’m trying to avoid self-hosting at home.
- Add a FR for vaultwarden web client to include signatures, like GitHub - tasn/webext-signed-pages: A browser extension to verify the authenticity (PGP signature) of web pages
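One way to approximate the last alternative today, without waiting on a feature request: pin SHA-256 hashes of the web client files from a copy you trust (a release you unpacked and inspected yourself), then compare them with what the server actually serves before you log in through it. This is an added example, not part of the original post and not Vaultwarden's or Bitwarden's own code. The entry page path, the `/app/...` asset names, and the assumption that the client's assets are discoverable from `<script src>` and `<link href>` tags in the entry page are illustrative assumptions, not Vaultwarden's real layout.

```python
"""Pin-and-verify check for a server-hosted web client (added example).

Build a manifest of SHA-256 hashes from a copy of the web client you trust,
then compare it with what the server actually serves. A mismatch, a missing
file, or a script/stylesheet the pinned page never referenced all mean the
served client is not the one you approved.
"""
import hashlib
import json
import sys
import urllib.request
from html.parser import HTMLParser
from urllib.parse import urljoin

ENTRY = "/index.html"  # assumed entry page; adjust to the real deployment


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class _AssetCollector(HTMLParser):
    """Collect <script src=...> and <link rel=stylesheet|modulepreload href=...>."""

    def __init__(self):
        super().__init__()
        self.assets = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.assets.append(a["src"])
        elif tag == "link" and a.get("href") and a.get("rel") in ("stylesheet", "modulepreload"):
            self.assets.append(a["href"])


def referenced_assets(html: bytes) -> list:
    collector = _AssetCollector()
    collector.feed(html.decode("utf-8", "replace"))
    return collector.assets


def http_fetch(base_url):
    """Return a fetch(path) -> bytes callable for a base URL (real network use)."""
    def fetch(path):
        with urllib.request.urlopen(urljoin(base_url, path), timeout=15) as resp:
            return resp.read()
    return fetch


def build_manifest(fetch, entry=ENTRY) -> dict:
    """Hash the entry page and every asset it references, using a fetch
    callable pointed at a copy you trust. Keep the result offline."""
    html = fetch(entry)
    manifest = {entry: sha256_hex(html)}
    for path in referenced_assets(html):
        manifest[path] = sha256_hex(fetch(path))
    return manifest


def verify(fetch, manifest: dict, entry=ENTRY) -> dict:
    """Return {path: 'ok' | 'mismatch' | 'missing' | 'unpinned'} for the live site."""
    report = {}
    for path, expected in manifest.items():
        try:
            data = fetch(path)
        except Exception:  # 404, connection error, KeyError in tests, ...
            report[path] = "missing"
            continue
        report[path] = "ok" if sha256_hex(data) == expected else "mismatch"
    # Anything the live entry page references that was never pinned is the
    # classic shape of an injected script, so flag it separately.
    try:
        live_html = fetch(entry)
    except Exception:
        return report
    for path in referenced_assets(live_html):
        if path not in manifest:
            report[path] = "unpinned"
    return report


def all_ok(report: dict) -> bool:
    return bool(report) and all(status == "ok" for status in report.values())


if __name__ == "__main__":
    # Usage:  build  <trusted-base-url>  > manifest.json
    #         verify <live-base-url> manifest.json   (exit 1 on any finding)
    cmd = sys.argv[1]
    if cmd == "build":
        print(json.dumps(build_manifest(http_fetch(sys.argv[2])), indent=2))
    else:
        with open(sys.argv[3]) as f:
            report = verify(http_fetch(sys.argv[2]), json.load(f))
        for path, status in report.items():
            print(f"{status:9} {path}")
        sys.exit(0 if all_ok(report) else 1)
```

The manifest is built once against a trusted copy (for example a local HTTP server pointed at an unpacked release) and then checked against the VPS before each session. It does not close the gap entirely: a server can still serve a different client to a different User-Agent, or swap files between the check and the page load, which is why a signature verified by the browser itself (the webext-signed-pages approach above) is the stronger fix.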