Local Vaultwarden on macOS

Recently, I was evaluating the Vaultwarden server.

Vaultwarden, according to its documentation, is:

An alternative server implementation of the Bitwarden Client API.

In my case, the goal was to find something that would let me share some passwords with my family, passwords for streaming services, to be precise. Vaultwarden saves you around $40 a year compared to Bitwarden if you plan to share passwords between family members, and it works with the Bitwarden client. Anyway, here are the steps to make it work on macOS.

— Generate SSL certificate —

First of all, you have to generate a self-signed certificate for your server. You can do it the following way:

> openssl genrsa > key.pem
> openssl req -new \
  -x509 \
  -addext "subjectAltName=DNS:bw.test" \
  -key key.pem > certs.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:PL
State or Province Name (full name) []:
Locality Name (eg, city) []:
Organization Name (eg, company) []:
Organizational Unit Name (eg, section) []:
Common Name (eg, fully qualified host name) []:bw.test
Email Address []:

Above, I assume that bw.test is the domain name of the host. Make sure to add it to your /etc/hosts file:

127.0.0.1	bw.test

— Start Docker container with Vaultwarden —

Make sure to put all certificate-related files inside some directory (e.g. vw-certs):

vw-certs
|-- certs.pem
`-- key.pem

Make sure to create a directory for Vaultwarden’s data (e.g. vw-data). Note that vw-data should be empty before you start the container for the first time; Vaultwarden populates it by itself, so after the first start it will look like this:

vw-data
|-- db.sqlite3
|-- db.sqlite3-shm
|-- db.sqlite3-wal
|-- rsa_key.pem
`-- tmp

Now you are ready to start your instance:

> docker run -d --name vaultwarden \
  -e ROCKET_TLS='{certs="/ssl/certs.pem",key="/ssl/key.pem"}' \
  -v `pwd`/vw-certs:/ssl \
  -v `pwd`/vw-data:/data \
  -p 443:80 \
  vaultwarden/server:latest
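The certificate generation above is interactive and the docker run pins nothing, so here is an added example (my own script, not from the original post or the Vaultwarden project) that does the same two steps as functions: generate the key and self-signed certificate non-interactively with an explicit key size, validity and SAN, lock down key.pem, verify that the certificate really carries the SAN and matches the key, run the pre-flight checks the post describes (cert files present, key not readable by others, vw-data empty on first start), and only then start the container with a pinned image tag and wait for the server's /alive health route over TLS using certs.pem as the trust anchor. The host name bw.test, the directory names vw-certs and vw-data, and the VW_TAG variable are assumptions chosen for illustration; DOMAIN and SIGNUPS_ALLOWED are real Vaultwarden settings.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumes: host bw.test,
# directories vw-certs and vw-data, and a release tag supplied in VW_TAG.
set -eu

VW_HOST="${VW_HOST:-bw.test}"

# Generate a 2048-bit RSA key (created with mode 0600 via umask) and a
# self-signed certificate valid for one year whose SAN matches the host,
# without the interactive Distinguished Name prompts.
gen_cert() {  # $1 = output dir, $2 = host name
    mkdir -p "$1"
    ( umask 077; openssl genrsa -out "$1/key.pem" 2048 2>/dev/null )
    openssl req -new -x509 -days 365 -key "$1/key.pem" -out "$1/certs.pem" \
        -subj "/CN=$2" -addext "subjectAltName=DNS:$2" 2>/dev/null
}

# Verify the SAN is present and that key.pem is the private key for
# certs.pem (same RSA modulus); a mismatch makes Rocket refuse to start.
check_cert() {  # $1 = cert dir, $2 = host name
    openssl x509 -in "$1/certs.pem" -noout -text | grep -q "DNS:$2" || return 1
    k=$(openssl rsa -in "$1/key.pem" -noout -modulus 2>/dev/null)
    c=$(openssl x509 -in "$1/certs.pem" -noout -modulus)
    [ "$k" = "$c" ]
}

# Pre-flight checks for the first start: cert files exist, the private key
# is not group/world readable, and the data directory exists but is empty.
preflight() {  # $1 = cert dir, $2 = data dir
    [ -f "$1/certs.pem" ] && [ -f "$1/key.pem" ] \
        || { echo "missing certs.pem or key.pem in $1" >&2; return 1; }
    # columns 5-10 of ls -l are the group and other permission bits
    [ "$(ls -ld "$1/key.pem" | cut -c5-10)" = "------" ] \
        || { echo "$1/key.pem is readable by group or others" >&2; return 1; }
    [ -d "$2" ] || { echo "data dir $2 does not exist" >&2; return 1; }
    [ -z "$(ls -A "$2")" ] \
        || { echo "$2 is not empty; first start expects a fresh data dir" >&2; return 1; }
}

# Start the container with a pinned tag instead of :latest, tell Vaultwarden
# its public URL, and wait until /alive answers over TLS. SIGNUPS_ALLOWED
# stays true for creating the first account; set it to false afterwards.
start_vaultwarden() {  # $1 = cert dir, $2 = data dir, $3 = host, $4 = image tag
    preflight "$1" "$2" || return 1
    docker run -d --name vaultwarden \
        -e ROCKET_TLS='{certs="/ssl/certs.pem",key="/ssl/key.pem"}' \
        -e DOMAIN="https://$3" \
        -e SIGNUPS_ALLOWED="${SIGNUPS_ALLOWED:-true}" \
        -v "$(pwd)/$1:/ssl" \
        -v "$(pwd)/$2:/data" \
        -p 443:80 \
        "vaultwarden/server:$4"
    i=0
    until curl -fsS --cacert "$1/certs.pem" "https://$3/alive" >/dev/null 2>&1; do
        i=$((i + 1))
        [ "$i" -lt 30 ] || { echo "server did not come up within 30s" >&2; return 1; }
        sleep 1
    done
    echo "Vaultwarden is up at https://$3"
}

# Usage: VW_TAG=<pinned release tag> sh vw-local.sh up
if [ "${1:-}" = "up" ]; then
    gen_cert vw-certs "$VW_HOST"
    check_cert vw-certs "$VW_HOST"
    mkdir -p vw-data
    start_vaultwarden vw-certs vw-data "$VW_HOST" \
        "${VW_TAG:?set VW_TAG to a vaultwarden/server release tag, not latest}"
fi
```

Running the script with `up` performs the whole first start; on later starts skip gen_cert and the empty-directory check, since vw-data is now populated. The curl call uses the self-signed certs.pem as its only trust anchor, which is the same check the Bitwarden client performs once you have trusted the certificate in Keychain Access.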

— Add certificate to Keychain Access and trust it —

In order to make the Bitwarden client application accept your self-signed certificate, you need to add certs.pem to Keychain Access (the login keychain) and trust it.

— Run the Bitwarden client and point it at your server —

Now you can create your first user account, e.g. a@a.a.

— You can now access Vaultwarden from a web browser and the client UI —

Note! It seems that adding an organisation is only possible from the web interface. Once you create it there, the Bitwarden client will be able to see it.