I use GNU pass synced through an internal Gitea. Have wireguard to sync remotely. Works pretty good, I would recommend not setting an expiration on the key, the git history keeps the old encryption anyways.
this post was submitted on 29 Jun 2025
40 points (95.5% liked)
Selfhosted
48725 readers
1330 users here now
A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.
Rules:
-
Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.
-
No spam posting.
-
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.
-
Don't duplicate the full text of your blog or github here. Just post the link for folks to click.
-
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
-
No trolling.
Resources:
- selfh.st Newsletter and index of selfhosted software and apps
- awesome-selfhosted software
- awesome-sysadmin resources
- Self-Hosted Podcast from Jupiter Broadcasting
Any issues on the community? Report it using the report flag.
Questions? DM the mods!
founded 2 years ago
MODERATORS
Why not use KeepassXC? It's a completely local encrypted db but it integrates with cloud storage apps like nextcloud for sync. It has plugins for integration with Firefox and KeepassAndroid is pretty smooth on the current Android OS.
Shamelessly shilling my OSS project, rook. It provides a secret-server-ish headless tool backed by a KeePass DB.
- Headless server
- Optional and convenient integration with the kernel keyring (on Linux), for locking the server to only provide secrets to the user's session
- Provides a range of search, list, and get commands
- Minimal dependencies and small code base make rook reasonably auditable
You might be interested in rook if you're a KeePassXC user. Why might you want this instead of:
- Gnome secret-server, KDEs wallet, or pass? rook uses your (a) KeePass DB, while most other projects store secrets in their own DBs and require (usually manual) sync'ing when passwords change.
- One of the browser secret storage? Those also keep a bespoke DB which needs to be synced, and they're limited to browser use. Rook supports using secrets in cron jobs or on the command line (e.g. mbsync, vdirsyncer, msmtp, etc, etc).
- KeePassXC? KeePassXC does provide a secret service that mocks Gnome secret-service, but you have to keep KeePassXC (a GUI app) running even if you only rarely use the UI. Rook can also be used on a headless machine.
- The KeePassXC command line tool? That requires entering the password for every request, making it tedious to use and impractical for automated, periodic jobs.
Rook is read-only, and intended to be complementary to KeePassXC. The KeePassXC command line tools are just fine for editing, where providing a password for every action is acceptable, and of course the GUI is quite nice for CRUD.
Yup this is the way. The resulting .kdbx database file is encrypted so you can even synchronize it over an untrusted provider. Otherwise you can use something like syncthing to keep it strictly peer to peer.
this one, OP. no need to introduce the horror that's a:
- hosted app (why?!)
- client app is electron crapware
- the client app doesn't even have full functionality, you have to use the web UI for some tasks
edit: I'm obviously speaking about the bitwarden/vaultwarden horror. keepassXC is none of them things.
KeepassXC is the only thing that makes sense to me.
I don't want all my passwords stored with some huge target like lastpass or bitwarden.
Encrypted local (and synced) DB is the only way.
Bitwarden/vaultwarden is a popular option for selfhosters.
I do this. Plus VPN to have access to passwords when away from home network
just have 1 password for everything, problem solved.
Well, not wrong that it solves the problem, but with data breaches happening frequently, I wouldn't want to repeat 1 single password for all services lol.
Even if companies hash passwords, it's still a gamble whether they are using an up-to-date hash algorithm (or if they do even hash it, lol). Plus, generally best to avoid exposing passwords, hashed or not, in the first place.
I was being facetious. Every site has multiple special requirements to make your password ~~stronger~~ weaker, the odds of being able to use a single one are slim even if you where dumb enough to try.
I do this for sites where I don't care at all about security. One minor tip, that will protect against automated attacks if the password is cracked, is to add part of the website name into the password (e.g "mystrongp4ss!lemworld") .
A human could easily crack it, but automated systems that replay the password on different sites would probably not bother to calculate the pattern.
If just one or those passwords gets leaked you might find a lot of other ones get cracked as well.
It may not be sites that you care about. But using a password manager is a lot less effort and a lot safer than whatever technique the average Joe will come up with.
Any password that leaks which could indicate a potential system ( e.g.: sitename in lower/upper/leetspeak) makes the whole thing even more vulnerable.
Just use something. Bitwarden, vault warden, keepassxc, ...
Knowing my social circle I'd recommend bitwarden. Even paying for it costs a measly 10$/year, while the free version is very usable in itself. And generating passphrases or 32char passwords will be a lot safer than whatever the hell they can come up with.
Just avoid the default browser ones, big tech and LastPass.
Is the data super important to you?
Let someone else host it.
Bitwarden in the cloud.
Agreed. Unless your setup and security practices is flawless, I think passwords are better managed by specialists paid for it.
+1 to this; Time spent on your setup is an important factor too.
The more important your data is, the more time you are going to need to spend maintaining your system to ensure security, backups and fail-overs. Not everyone has luxurious amount of time to spend on their home-lab everyday.
I did self-host bitwarden and it's not that bad to keep updated and running after initial setup (including backups obviously) but it still requires some time and effort to keep it running. And as I was the only user for the service it just wasn't worth the time spent for me (YMMV) so I switched to their EU servers and I've been a happy user ever since.
What I should do is to improve local backps on that, currently I just export my data every now and then manually to a secured storage, but doing it manually means that there's often too long time between exports.
This is how I view password managers too, even though I have my home server backing up
I use keepass (KeepassXC on desktop, KeepassDX on Android but I'm sure there is an IOS client too) I sync the database between all my devices and my server (hub and spoke) with Syncthing
I also use KeepassXC and Synthing together and I am very happy with this combination.
One tip that I have, if you are worried about the security of the database file being shared, is to get 2 Yubikeys and use these, along with a strong passphrase, to protect the database file.
Same boat for me, works great! I got the NFC Yubikeys which work fine with Android.
Been usingthe same setup for years as well and Im happy with it, never had any issues with it
I've been using various versions of keepass for ever. Until recently I had the database on Google drive. It's now local and sync'd with syncthing. It's a bit "different", but once you get used to it, it works very well.
I don’t really see the problem with having the password manager in the cloud if it is protected by 2FA. I tried vaultwarden (self hosted) about a year ago and the showstopper was that I couldn’t store a new password when off LAN or without first connecting the VPN. I am sure there are on demand vpn type services, but it was clunky. It would have been great it if would work locally on the phone then sync the password to the vault when it came back online
Self hosting a password manager is great, but be sure to read up on keeping it secure, and don’t store anything important in it until you have working, tested backup solution. And re-test it frequently in a non-destructive way.
If you lose your password storage to a disk failure or something, you’re gonna be hurting for a while.
If you don't have a hard requirement of it being fully (!) OpenSource, then I would recommend Enpass. Relatively pleasing UI that runs native on Win, Mac, Linux, Android and iOS. It has browser plugins for Chrome and Firefox that talk directly to the running fat client (so no multiple authentication with different browsers necessary).
The password db is completely local, but it offeres several sync mechanisms like WebDAV or Dropbox or also iCloud; basically whatever can store files. If it's a NAS in your home, it simply will sync once you are back home.
It also offers "WiFi Sync", in which case you designate one machine running Enpass as the server and link other clients to it, then you don't even need to run a separate hosting for it (but that machine needs to be on and running Enpass when you want to sync, obviously).
It's basically a less open but much more convenient and beautiful KeePass(XC).
I used enpass for years and was a happy user. one day it prompted me for some re-authentication bullshit security theater. although in that instant it was an easy task, took me all of 10 seconds, it demonstrated a scary amount of power they had as I couldn't bypass it and access my data. from that point on, its days were numbered.
the second issue is the export functionality that was seriously lacking and I had to resort to 3rd party converter tools to convert it to keepassXC; no way that flew by their QC, it had to be intentional.
On mobile I indeed also had that issue once. However I made sure they can't lock me out completely. The db is stored using the opensource sqlcipher, so one can open it and extract everything manually, if absolutely necessary. As long as they don't change this, I am fine. In the worst case that would still be a lot of effort for me, but not impossible.
The export has also improved a lot. You can now also export to JSON which includes all the data one could need.
If you’re happy with how Apple Password works for you, I can recommend StrongBox. It keeps all data in a KeePass2 database and integrates into Apple’s AutoFill API. That means it feels almost native when using it. No browser plugin needed. (At least not for Safari.) And you can decide how you sync the database file.
Seafile or nextcloud
i have keepass on only one device. i don't mind looking up individual passwords and typing them in manually when on other devices.
on the device which hosts keepass, the app is hidden and hoops must be jumped to reach it.
i back up the encrypted password database once a month to a cloud service as insurance against me losing that one device.
it's not the most convenient setup but i sleep so much easier for it.
It's strange how I never see this mentioned anywhere, but there's a way to get unique secure passwords for every site/app without needing to store them anywhere. It's called LessPass, and essentially generates passwords based on 3 fields (site, username, master password) and works relatively well, because the advantages are quite obvious I'll list the potential downsides:
- If one password is compromised or needs changing for whatever reason you need to increase a counter and need to remember which counter for which site (this is less problematic than it sounds, except in places that have a password policy that forces you to change your password periodically)
- Android can store the master password and use fingerprint to input it, but in PC you always have to type your master password which can get annoying.
- You need to change your passwords to this new format, which can take a while, and years down the line you're trying to login somewhere and don't remember if you've already migrated it or not.
You also have to keep track the site and how you spell it. For example is it "Microsoft" or "microsoft"?
And keep track of the current name of the site vs the old name. For example am I signing into Microsoft or Live.com or Xbox?
And keep track of my username. Is it my email? Which email? Which username?
I understand the concept but I think if falls apart fast.
Yup, but most of that is easily solvable by being consistent, e.g. always use lowercase and your email (even if it's not the login for that site). But yes, you need to know to be consistent so it's a good point to make.
Hahaha, that's the point of a password manager. If remembering worked, we wouldn't need any of this.
Also, I have 300+ unique logins.
I have more than 120 electronic identities, impossible to track the counter or to remember the tld of all websites I visit.
The concepts is only useful in a very small and defined scenario.
My point is that of those 120 probably 110 have never been compromised nor forced you to change the password due to expiration policies. The remaining 10 are the ones that require some mental gymnastics, so while the problem exists it's not as serious as it sounds. I probably have more than 120 identities using this method since I've been using it for years, and I don't think I ever had to use the counter, it's a matter of being consistent in how you think about websites, for example if you know how you refer to a site slugify it and use that for the field, so you would use spotify, netflix, amazon-prime.