Objective: Secure & private password management, prevent anyone from stealing your passwords.

Option 1: Store the KeePass PW file in a personal cloud service like OneDrive/GoogleDrive/etc., download the file, use KeePassXC to open it

Option 2: Use ProtonPass or similar solution like Bitwarden

Option 3: Host a solution like Vaultwarden

Which would you choose? Are there more options? Assume a strong master password and strong technical skills

[-] techgearwhips@lemmy.world 3 points 2 years ago* (last edited 2 years ago)

I went from Keepass synced via NextCloud (self hosted) for years... to trying out Bitwarden (their servers) and found the experience much better... then I switched to Vaultwarden via Docker going through Cloudflare Tunnel (with zero trust email authentication required) and fail2ban added. I'm content with the last option.

[-] dogma11@lemmy.world 3 points 2 years ago

I'm currently hosting vaultwarden on my rack, mostly just because I can really. It's easy enough and I have plenty of resources.

[-] hamFoilHat@lemmy.world 3 points 2 years ago

Why not Keepass on a webdav server? Both Keepass on the computer and Keepass2Android can open the file directly. If you save it on one it will merge the changes in any other copies you have open.

[-] doubletwist@lemmy.world 3 points 2 years ago

I've been using option 1 for many many years. It lets me keep control of the encryption, and it's accessible just about anywhere.

[-] possiblylinux127@lemmy.zip 3 points 2 years ago

I choose KeePassXC stored locally

[-] nix@merv.news 2 points 2 years ago

I switched to proton pass after using bitwarden for a couple years

[-] BCsven@lemmy.ca 2 points 2 years ago

For highest security don't store in the cloud or in multiple places. Memorize them or keep a separate device that has no internet access and keep them on that device encrypted/locked

[-] rmstyle@feddit.de 2 points 2 years ago

To improve security of option 1 you could use a keyfile, that is either only transferred manually to devices or stored at a second cloud provider.
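An added illustration (not code from the thread or from KeePass) of why a key file helps in option 1: the database key is derived from both the master password and the key file, so whoever obtains the cloud copy plus the password still lacks one component. This is a simplified KeePass-style composite key; the slow KDF (AES-KDF/Argon2) that KeePass applies afterwards is assumed out of scope here.

```python
import hashlib
import os
from typing import Optional

# Constructed illustration of a KeePass-style composite key: the database key
# is derived from BOTH the master password and a key file, so a copy of the
# database plus the password alone is not enough to unlock it.
# Simplified: real KeePass additionally runs a slow KDF (AES-KDF or Argon2)
# over this composite key before using it; that step is omitted here.


def composite_key(password: str, keyfile_bytes: Optional[bytes] = None) -> bytes:
    """Return the 32-byte composite key for a password and an optional key file."""
    parts = hashlib.sha256(password.encode("utf-8")).digest()
    if keyfile_bytes is not None:
        # Arbitrary files are reduced to a 32-byte component by hashing them.
        parts += hashlib.sha256(keyfile_bytes).digest()
    return hashlib.sha256(parts).digest()


def make_keyfile(num_bytes: int = 32) -> bytes:
    """Generate a random key file; keep it OFF the cloud account that holds the database."""
    return os.urandom(num_bytes)


def keyfile_changes_key(password: str, keyfile_bytes: bytes) -> bool:
    """True when the key file component actually alters the derived key."""
    return composite_key(password) != composite_key(password, keyfile_bytes)


if __name__ == "__main__":
    kf = make_keyfile()
    print("without key file:", composite_key("correct horse battery staple").hex())
    print("with key file:   ", composite_key("correct horse battery staple", kf).hex())
```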

[-] AA5B@lemmy.world 2 points 2 years ago

Apple keychain. Supposedly secure, extremely convenient, may be in the Cloud but not centralized - can’t lose everyone’s credentials at once.

The plug-in for Windows works pretty well too, although I wonder if that puts my confidential data at more risk

[-] keyez@lemmy.world 2 points 2 years ago

Been using option 3 but with Bitwarden for almost 5 years at this point. First started out on a VM in a cloud provider. Now it's in a VM on unraid behind a local HAProxy or Cloudflare tunnel for remote access.

Bitwarden's full docker stack provides great daily backups which I've had to restore on occasion or go back to one from months ago to dig out a password for my wife.

Been testing and hoping to move to the unified-container from them soon, assuming I can replicate encrypted backups like their solution.

[-] 0xD@infosec.pub 2 points 2 years ago

Option 2, because once you start thinking about the ways your stuff could be stolen ("threat modelling") you'll see that realistically it's the easiest option.

[-] Still@programming.dev 1 points 2 years ago

I do 3 and have encrypted backups to Dropbox so I can easily restore/spin up a cloud server if I need to

[-] Nibodhika@lemmy.world 1 points 2 years ago

I like LessPass. Essentially you choose one password and then it generates secure passwords for each website. Since it uses a predefined generation algorithm it's completely offline and doesn't need syncing, so it's very secure. However, it has the inconvenience of needing to remember the way you spelled the website, but if you stick to something like all lowercase it's fine.
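An added example (not from the thread and not LessPass's actual profile/rendering algorithm) of the stateless idea above: the site password is a pure function of the master password and a site profile, so nothing has to be synced. It also shows the spelling caveat from the comment and one way to mitigate it, via a hypothetical `normalise_site` helper.

```python
import hashlib
import string

# Constructed illustration of a deterministic, stateless password generator in
# the spirit of LessPass: master password + site (+ login, counter) -> password
# via PBKDF2. Nothing is stored, so there is nothing to sync or steal at rest.
# NOT LessPass's exact algorithm; only the principle is demonstrated.

ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@_"
ITERATIONS = 100_000  # slow derivation: a leaked site password must not cheaply reveal the master


def derive_site_password(master: str, site: str, login: str = "",
                         counter: int = 1, length: int = 16) -> str:
    """Deterministically derive a site password from the master secret and site profile."""
    # The profile is the salt; any change in spelling, login or counter changes the output.
    salt = f"{site}\x00{login}\x00{counter}".encode("utf-8")
    raw = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), salt, ITERATIONS, dklen=32)
    # Treat the 256-bit output as one big integer and repeatedly take base-|ALPHABET|
    # digits; this avoids the modulo bias of mapping single bytes onto the alphabet.
    entropy = int.from_bytes(raw, "big")
    chars = []
    for _ in range(length):
        entropy, idx = divmod(entropy, len(ALPHABET))
        chars.append(ALPHABET[idx])
    return "".join(chars)


def normalise_site(site: str) -> str:
    """Mitigate the 'how did I spell it' problem: lowercase, strip scheme, www. and path."""
    site = site.strip().lower()
    for prefix in ("https://", "http://", "www."):
        if site.startswith(prefix):
            site = site[len(prefix):]
    return site.split("/")[0]


if __name__ == "__main__":
    master = "correct horse battery staple"  # constructed sample, not a real secret
    print(derive_site_password(master, normalise_site("https://www.Example.com/login")))
    # A different spelling of the same site silently yields a different password:
    print(derive_site_password(master, "Example.com"))
```

The second print shows the failure mode the comment describes: without normalisation, capitalisation alone produces an unrelated password.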

[-] UninvestedCuriosity@lemmy.world 1 points 2 years ago

I did option 1 for a number of years but now I'm doing option 3 off a proxmox container and some cloud scripted backup. So far so good.

We just started doing option 3 at work and just keep it behind the firewall. It is going well so far.

[-] Artaca@lemdro.id 1 points 2 years ago

I like Enpass. $25 lifetime sub via Stack social. Does the trick. If they ever pull the rug out on lifetime folks, I would go to Bitwarden.

[-] vector_zero@lemmy.world 2 points 2 years ago

I ended up scoring a free lifetime membership years ago, but is their stuff open source? I never fully trusted it, so I didn't end up using it for anything

[-] aksdb@feddit.de 1 points 2 years ago

Enpass uses the open source library sqlcipher (which is an sqlite fork with encryption). So while Enpass as a whole is not fully open source, you can still exfiltrate your passwords with open source tools, should they ever vanish or radically change their business model. You can then use for example enpass-cli.

That gives me enough confidence to trust in Enpass, since they can't easily hold my data hostage.

[-] Artaca@lemdro.id 1 points 2 years ago

It's not open source, so that's an easy deal breaker for some. Considering the vaults are encrypted and Enpass itself stores nothing on their servers, I've been okay with it. The vaults just exist on my phone and wherever I've chosen to back it up (OneDrive, GDrive, Nextcloud, NAS, etc).

this post was submitted on 28 Sep 2023
77 points (100.0% liked)

Selfhosted