It was one of the easiest to set up and it works flawlessly. I’m a bit paranoid about losing my data even with the backups… Any recommendation?

  • MrPasty@lemmy.sebbem.se
    ↑ 14 · 2 years ago

    The nice thing about syncing services like Vaultwarden is that all your synced devices kind of act like backups. You should still keep proper backups too, of course, but this makes me sleep a bit better at night at least.

    • unknowing8343@discuss.tchncs.de
      ↑ 3 · 2 years ago

      Yeah, this too… like… I have Bitwarden synced in different computers/phones, so at least most of the passwords will still be somewhere.

    • untilyouarrived@lemmy.gtfo.social
      ↑ 3 · 2 years ago

      Same. Like, I’m relatively confident in the systems I have running, but not so confident that I’d trust them with my most important passwords.

    • idle@158436977.xyz
      ↑ 2 · 2 years ago

      I just periodically export my vault every few months, it’s compatible with bitwarden. Absolute worst case scenario I can just sign up and import my vault, and maybe lose a password or 2, which can most likely just be reset anyways.

      • PlutoniumAcid@lemmy.world
        ↑ 1 · 2 years ago

        Same for email. I can’t afford it to be down for days while I stress out about fixing whatever it was that I broke.

        • dustojnikhummer@lemmy.world
          ↑ 1 · 2 years ago

          Actually on premise self hosting email is just stupid these days. I do have my domain email set up with a local provider, but I don’t use it. Again, email is crucial and I don’t trust myself

  • lost@kbin.social
    ↑ 9 · 2 years ago

    I use vaultwarden as my bitwarden backup. I pay for bitwarden premium because it’s too critical of a service for me to not pay for access/support the service, or to expect my self hosted option will be sufficiently reliable enough.

    That said, as a backup option, I run the vaultwarden addon in home assistant and just periodically do a manual export from bitwarden and import to vaultwarden. This is usually good enough for me, but glad to see this thread with some other options. Will be exploring some of these too!

    • myogg@lemmy.world
      ↑ 6 · 2 years ago

      The way I justify self hosting is that every device I use it on has an offline backup so downtime isn’t overly important.

    • flynnguy@lemmy.world
      ↑ 3 · 2 years ago

      Oooh, I like this idea… I’ve thought about running vaultwarden but like you I pay for bitwarden premium because I think it’s critical for me and I like the service and want to see them continue. Using it as a backup, then I can still support them and run my own backup.

  • danA
    ↑ 8 · 2 years ago (edited)

    For backups, I have two storage VPSes (one in Los Angeles and one with a completely different provider in Canada), and have an individual backup to each one. I’m using Borgbackup for that.

    Borg lets you enable an “append only” mode for particular clients such that even if an attacker were to gain access to your client system, they couldn’t delete your backups. This is a common issue with rsync/rclone solutions.

    Borg dedupes across all backups, so you can have months of daily backups without using a lot more disk space. Neither rsync nor rclone can do this.

    Don’t forget to test your backups by doing a data recovery run - act as if your data was lost, and try to set everything up again, maybe on a VM or something. If the backups aren’t tested, you don’t really have backups :)

    • PlexSheep@feddit.de
      ↑ 1 · 2 years ago

      I use both too for all my stuff, didn’t know of an append mode.

      Do you perhaps have a good solution for backing up backups on another system? I’d like to store the repo of my vps on my Homeserver.

      I currently have set up a cronjob that downloads the newest backup repo every week using SFTP, then deletes the old one if everything is fine.

      I should do some testing that goes beyond just looking at files in my backup though.

      • danA
        ↑ 1 · 2 years ago

        > I’d like to store the repo of my vps on my Homeserver.

        You could probably just run Borg on your home server too? Whatever is creating the backups would then back up to both the VPS and the home server.

        The Borg team recommends against using tools like rsync and SFTP to create copies of Borg repos, instead preferring separate repos: https://borgbackup.readthedocs.io/en/stable/faq.html#can-i-copy-or-synchronize-my-repo-to-another-location

        • PlexSheep@feddit.de
          ↑ 1 · 2 years ago

          My homeserver runs borg, but how would I go about backing the remote server up? I read somewhere that sshfs would be an option, but that involves opening my ssh for root login, which sounds a bit sketchy IMO.

          • danA
            ↑ 1 · 2 years ago

            Borgbackup runs via SSH, so you just need the client to be able to reach the server via SSH. You don’t need root login, and in fact I’d recommend a separate user per system being backed up so that one client can’t access another client’s backups.

            I haven’t automated setup of backup repos yet, so I’ve copied a part of my personal “new server setup” document below: (alice is the name of the client system and bob is the name of the server system)

            1. On the client system, generate an SSH key for root, if one doesn’t already exist. Don’t set a password.

                ssh-keygen -o -a 100 -t ed25519 -f ~/.ssh/id_ed25519 -C "root@alice.example.com"

            2. On the backup server, add a user and create the backup directory:

                adduser backup-alice --disabled-password
                mkdir /data/backup/alice
                chown backup-alice:backup-alice /data/backup/alice
                chmod 0700 /data/backup/alice
                mkdir ~backup-alice/.ssh

            3. On the backup server, create an authorized_keys for the user (in ~backup-alice/.ssh/authorized_keys), containing the public key you generated in step 1:

                command="borg serve --append-only --restrict-to-path /data/backup/alice",restrict ssh-ed25519 AAAAC3Nz....... root@alice.example.com

            (--append-only enables append-only mode. --restrict-to-path means the user is only allowed to access that one repo. The ,restrict after the command but before the SSH key means the user is only allowed to run borg, nothing else, so for example the same credentials can’t be used to SSH in for an interactive session)

            4. On the client system, create the Borg repo and backup key:

                borg init --encryption=keyfile-blake2 backup-alice@bob.example.com:/data/backup/alice

            (it’ll prompt for an encryption passphrase. Make it long and keep a copy in a safe place)

            5. On the client system, export the repo key and keep a copy in a safe place:

                borg key export backup-alice@bob.example.com:/data/backup/alice key
                cat key # copy and paste it somewhere safe
                rm key

            6. Install and configure borgmatic for automatic backups.
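
An added example (not part of the post above and not Borg's own code): a Python check that audits authorized_keys lines like the one in step 3 and reports keys that lack the forced `borg serve` command, `--append-only`, a `--restrict-to-...` option, or `restrict`. The sample lines, the key placeholder and the carol/dave hosts are constructed for illustration.

```python
KEY_TYPES = ("ssh-", "ecdsa-", "sk-")  # prefixes of OpenSSH public key types

def split_options(line):
    """Split one authorized_keys line into (list of options, rest of line)."""
    line = line.strip()
    if line.startswith(KEY_TYPES):
        return [], line                       # no options field at all
    opts, cur, quoted, i = [], "", False, 0
    while i < len(line):
        ch = line[i]
        if ch == "\\" and quoted:             # keep escaped characters such as \"
            cur, i = cur + line[i:i + 2], i + 2
            continue
        if ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:        # separator between options
            opts, cur, i = opts + [cur], "", i + 1
            continue
        elif ch in " \t" and not quoted:      # end of the options field
            break
        cur += ch
        i += 1
    return opts + [cur], line[i:].strip()

def audit(line):
    """Return findings for one key line; an empty list means nothing is missing."""
    opts, _key = split_options(line)
    kv = {k.lower(): v.strip('"') for k, _, v in (o.partition("=") for o in opts)}
    if "command" not in kv:
        return ["no forced command: key opens a normal login shell"]
    args, findings = kv["command"].split(), []
    if args[:2] != ["borg", "serve"]:
        findings.append("forced command is not 'borg serve'")
    if "--append-only" not in args:
        findings.append("missing --append-only: client can delete archives")
    if not any(a.startswith("--restrict-to-") for a in args):
        findings.append("missing --restrict-to-path: other repos reachable")
    if "restrict" not in kv:
        findings.append("missing restrict: forwarding and PTY stay enabled")
    return findings

# Constructed sample lines; key material is a placeholder, carol/dave are made up.
SAMPLE = [
    'command="borg serve --append-only --restrict-to-path /data/backup/alice",restrict ssh-ed25519 AAAAC3NzPLACEHOLDER root@alice.example.com',
    'command="borg serve --restrict-to-path /data/backup/carol" ssh-ed25519 AAAAC3NzPLACEHOLDER root@carol.example.com',
    'ssh-ed25519 AAAAC3NzPLACEHOLDER root@dave.example.com',
]
print([audit(entry) or "ok" for entry in SAMPLE])
```
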
  • Klox@lemmy.world
    ↑ 5 · 2 years ago

    I regularly hear it’s great. Has anyone moved from KeePass? I haven’t read anything that makes me think I should move on from KeePass. I have maybe ~4-5 clients and merging databases has been very easy since no client is offline for too long.

    • blackstrat@lemmy.fwgx.uk
      ↑ 3 · 2 years ago

      I tried it but reverted back to KeePass. I didn’t see any advantage with Vaultwarden and having it exposed so brazenly didn’t fill me with confidence. When I tried to run in parallel I found that you can’t sync Vaultwarden with a KeePass DB file. You can import it, but once it’s imported you can’t keep them in sync. Re-do an import and you end up with everything duplicated - but updated entries… which is the up to date one? If it had better syncing I could see myself using KeePass on mobile and Vaultwarden on PC. But at the end KeePass is just brilliant as it is and that’s fine with me.

  • ollie@lemmy.world
    ↑ 5 · 2 years ago

    How are you doing your backups now? Are you using the 3-2-1 backup strategy?

    • balance_sheet@lemmy.worldOP
      ↑ 3 · 2 years ago

      Not really, no. I have an HDD and an SSD both in the same machine. Data in SSD gets copied to HDD every day. I don’t have any remote backup yet. How do you do your remote backup?

  • bdonvr@thelemmy.club
    ↑ 5 · 2 years ago

    Set up a Backblaze B2 account. Make regular backups via RSync (and use encryption.)

    10GB free, and dirt cheap after that.

    • sudneo@lemmy.world
      ↑ 3 · 2 years ago

      I do this, but on B2 I upload an encrypted restic repo. Password manager backup is one of those instances where it’s totally worth having historical copies (for example, 1 weekly copy for the last 6 months), as it consumes very little space while saving the day in case of accidental overwrite or deletion.

      • bdonvr@thelemmy.club
        ↑ 1 · 2 years ago

        B2 gives you an API key, you put that into rclone.

        You set up encryption with rclone which you can make a passkey for, or let it generate. Just make sure to save it somewhere.

        • conrad82@lemmy.world
          ↑ 1 · 2 years ago

          Yes. It was the “save it somewhere” I was wondering what people do. If you keep it in the same building as the server, a fire could render backups useless.

          I ended up storing it on a separate online service from backblaze

          • bdonvr@thelemmy.club
            ↑ 2 · 2 years ago

            I keep it as a “secure note” in my password manager.

            Though I host that myself and back it up to B2…

            Well I’m sure I’d be able to use one of many devices I have that has the vault cached if things go to hell.

  • gaurhoth@lemm.ee
    ↑ 5 · 2 years ago

    Simple way to build confidence in your backups… test your restores regularly.

  • Marduk@hammerdown.0fucks.nl
    ↑ 2 · 2 years ago

    Mine runs on a Synology NAS, and I have a hyperbackup task that copies the data volume up to gdrive every night (encrypted of course).

    Also, any device you’ve synced to vaultwarden will retain the data even if the server is down, and with the addin for firefox for example, you can export that data out.

    • balance_sheet@lemmy.worldOP
      ↑ 2 · 2 years ago

      > any device you’ve synced to vaultwarden will retain the data even if the server is down, and with the addin for firefox for example, you can export that data out.

      Never knew that. Now I can sleep.

  • stn@kayb.ee
    ↑ 2 · 2 years ago

    I really should give this a go again. I did run it for a little while, but switched to the paid hosted version as I want to have family tied into this and ultimately not be responsible if things go to hell. As long as I have decent redundancy / backup plans in place, it should be alright, though!

    • lost@kbin.social
      ↑ 3 · 2 years ago

      I run it through an nginx proxy that runs cloudflared through my domain, giving https access with limited worry of various security concerns. Probably not the best setup but was relatively easy to do.

    • balance_sheet@lemmy.worldOP
      ↑ 3 ↓ 1 · 2 years ago

      Behind Zerotier. Although I’m thinking of just exposing it because honestly if you set it up right you kinda don’t have to worry about it that much.

    • conrad82@lemmy.world
      ↑ 1 · 2 years ago

      Not OP, but you could set up a WireGuard VPN in your home network.

      It would require opening up a port on your router for WireGuard, and probably using a dynamic DNS provider (duckdns.org or similar) to get a URL.

  • SirMaple_@lemmy.world
    ↑ 2 · 2 years ago

    I’ve been using it for a few months now and love it. I have it on 2 VMs. 1 at home and 1 on my dedicated server in the cloud.

    I have a horribly written script that stops the vaultwarden container on the home VM, it copies the db.sqlite3 files to the VM in the cloud using SCP, copies everything inside the attachments folder using SCP and then starts the container again. I then have the same type of script on the cloud VM that stops the container, grabs the db and attachments from the temp folder and moves them to the correct directories and starts the container.

    I only use the instance on the VM at home, the cloud VM is only used if something has happened to the VM at home. I do the same with my netbox instance.

    I also don’t expose anything to the internet. Everything is behind WireGuard. I have my phone set up with Tasker to automatically connect the tunnel when my phone disconnects from my home WiFi SSID.
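
An added example, not the script described in the post above: a variation on the stop, copy, start approach that uses SQLite's online backup API to take a consistent copy of db.sqlite3 without stopping the container, then runs a restore test on the copy. The sample database, its `ciphers` table and all function names are constructed for illustration; the attachments folder still has to be copied separately.

```python
import os
import sqlite3
import tempfile

def make_sample_db(path, rows):
    """Constructed stand-in for db.sqlite3; table name and columns are made up."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE ciphers (uuid TEXT PRIMARY KEY, data TEXT)")
    con.executemany("INSERT INTO ciphers VALUES (?, ?)",
                    ((f"id-{i}", "x" * 64) for i in range(rows)))
    con.commit()
    con.close()

def verify(path):
    """Restore test: open read-only, run integrity_check, return rows per table."""
    con = sqlite3.connect(f"file:{path}?mode=ro", uri=True)
    try:
        result = con.execute("PRAGMA integrity_check").fetchone()[0]
        if result != "ok":
            raise RuntimeError(f"integrity_check failed: {result}")
        tables = [r[0] for r in con.execute(
            "SELECT name FROM sqlite_master WHERE type='table'")]
        return {t: con.execute(f'SELECT COUNT(*) FROM "{t}"').fetchone()[0]
                for t in tables}
    finally:
        con.close()

def snapshot(src_path, dst_path):
    """Copy a live database with SQLite's online backup API, then verify the copy."""
    src, dst = sqlite3.connect(src_path), sqlite3.connect(dst_path)
    try:
        src.backup(dst)  # consistent snapshot even if another process is writing
    finally:
        src.close()
        dst.close()
    return verify(dst_path)

def is_restorable(path):
    """True only if the file opens as SQLite and passes verify()."""
    try:
        verify(path)
        return True
    except (sqlite3.Error, RuntimeError):
        return False

if __name__ == "__main__":
    d = tempfile.mkdtemp()
    src, dst = os.path.join(d, "db.sqlite3"), os.path.join(d, "db-copy.sqlite3")
    make_sample_db(src, 500)
    print("snapshot row counts:", snapshot(src, dst))
    with open(dst, "r+b") as f:  # simulate an interrupted transfer
        f.truncate(os.path.getsize(dst) // 2)
    print("truncated copy restorable?", is_restorable(dst))
```

Comparing the row counts returned by `snapshot` against the previous run is a cheap way to notice a backup that is valid SQLite but unexpectedly empty.
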

  • blackstrat@lemmy.fwgx.uk
    ↑ 3 ↓ 1 · 2 years ago

    I tried Vaultwarden, but I didn’t find it better than KeePass which I have syncing over nextcloud to storage that is mounted over NFS for my desktop and laptop. There are plenty of clients so you can use windows, linux, android etc.

    • uzay@infosec.pub
      ↑ 1 · 2 years ago

      I ran KeePass synced through my Nextcloud for a long time as well, but I switched to Vaultwarden after losing passwords due to sync issues. Almost got locked out of an important account. Luckily I noticed it early enough to recover it through my Nextcloud’s versioning. But since then I’m too paranoid to rely on a password manager without a reliable syncing mechanism built-in if I’m gonna use it daily on a range of different devices.