theodolite

NICHOLAS CARRIGG


Self-Host Your Own Password Manager

Password managers are the digital version of a safe deposit box. Just as most people keep their money or valuables in a vault managed by a bank, most password manager users trust a private company to keep their passwords safe. Storing physical assets in a building with advanced security and insurance makes sense. For digital assets like passwords, however, a more decentralized approach built on open-source software may be smarter, if for no better reason than that you are a far less attractive target than a large corporation holding the passwords and personal information of millions of users. Attackers are much less likely to go after the encrypted password file hosted on your small cloud service running at home or on a virtual private server (VPS). Beyond that, self-hosting lets you use open-source software, which is vetted by a much larger community than the proprietary code of a password management company.

Step 1: Set Up NextCloud

You can certainly host a password manager without a cloud, but in my opinion this removes the whole reason for their convenience. The ability to sync passwords between devices (smartphones and laptops) is extremely useful. My preferred solution for this is the Free and Open Source Software (FOSS) program NextCloud.

NextCloud has all the features of the more commonly used proprietary solutions (OneDrive, Google Drive, etc.), but it costs you nothing (in dollars or in personal data). I chose to set mine up on an old laptop turned into a server running in my basement. You can also install it on a VPS. These were the instructions I followed to set up my installation. Just make sure you install the server version on the server and the client versions on your other devices.

In future posts, I will outline other useful things you can do with a NextCloud server, such as integrating it with Jellyfin to create your own personal streaming service.

Step 2: Set Up WireGuard

Your cloud-based password vault will not serve much purpose if it is only accessible on your home Wi-Fi network. As mentioned above, hosting it on a VPS allows access from anywhere. But if you want to host it from a machine in your own home (as I do), and you do not want to set up a domain for that server (which I do not), then WireGuard lets you "tunnel in" to your home network from the outside. In 2022, many people know this concept in the form of the Virtual Private Network (VPN) client they use to work remotely. WireGuard works on a similar principle: it creates an encrypted tunnel to your home IP address, so that to NextCloud your remote phone or laptop appears to be on your home network. As long as WireGuard is enabled, you can sync your files, including your passwords.

Again, I will provide a link to the instructions on the WireGuard website. There are many other uses for this technology that I will touch upon in future posts.
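A minimal WireGuard configuration for the arrangement described above, added here as an illustration; it is not taken from the WireGuard site or from the author's own setup. It assumes the home LAN is 192.168.1.0/24 with NextCloud at 192.168.1.10, the tunnel uses 10.8.0.0/24, the server's LAN interface is eth0, the home router forwards UDP 51820 to the server, and every <...> value is a placeholder to be replaced with output of `wg genkey` / `wg pubkey` or your own public IP.

```ini
# /etc/wireguard/wg0.conf on the home server (Linux). All addresses assumed.
[Interface]
Address = 10.8.0.1/24
ListenPort = 51820
PrivateKey = <SERVER_PRIVATE_KEY>
# Let tunnel traffic reach the LAN where NextCloud lives.
# Needs net.ipv4.ip_forward=1 (sysctl) and iptables on the server.
PostUp   = iptables -A FORWARD -i wg0 -o eth0 -j ACCEPT; iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -o eth0 -j ACCEPT; iptables -t nat -D POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

# One [Peer] per device. On the server side, AllowedIPs acts as the access
# list: the laptop's key may only ever source traffic from 10.8.0.2.
[Peer]
# laptop
PublicKey = <LAPTOP_PUBLIC_KEY>
AllowedIPs = 10.8.0.2/32

[Peer]
# phone
PublicKey = <PHONE_PUBLIC_KEY>
AllowedIPs = 10.8.0.3/32

# ---------------------------------------------------------------------------
# wg0.conf on the laptop (the phone gets the same shape, with its own key
# and 10.8.0.3/32; the WireGuard app can import it from a QR code).
[Interface]
Address = 10.8.0.2/32
PrivateKey = <LAPTOP_PRIVATE_KEY>

[Peer]
PublicKey = <SERVER_PUBLIC_KEY>
# No domain needed: use the home connection's public IP directly.
Endpoint = <HOME_PUBLIC_IP>:51820
# Split tunnel: only the tunnel subnet and the home LAN go through WireGuard,
# so NextCloud at 192.168.1.10 is reachable while other traffic stays local.
# Use 0.0.0.0/0 instead if you want everything routed through home.
AllowedIPs = 10.8.0.0/24, 192.168.1.0/24
# Keep the NAT mapping open so the server can always reach this device.
PersistentKeepalive = 25
```

NextCloud will also need 192.168.1.10 (or whatever address the clients use to reach it) listed in its trusted_domains setting, otherwise it refuses requests arriving over the tunnel.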

Step 3: Install KeePassXC

With your NextCloud server running and your WireGuard tunnel set up, you can now install the password manager. I use KeePassXC, which stores your passwords in *.kdbx files. You do not need to install it on the server, only on the machines you actually access the passwords from; the server simply holds the database file for syncing in NextCloud. Once you install the program on your laptop, save the database file in a NextCloud folder that your other devices can access. You will need a single master password to lock the vault. Obviously, you do not want to lose it, and it should be very strong.

For mobile devices, I recommend the app KeePassDX, which can read and sync *.kdbx files. Another nice thing about this app in particular is that you do not need to type the master password in more than once; after that, you can use an unlock pattern to re-open the vault.

Worth Your While!

I have used the above-mentioned setup for almost a year now, and I will never go back to writing passwords down in a notebook or using a corporate password manager that is subject to annual cyber attacks. It is a weekend project at most, and it also sets you up to create many other useful tools in the future.