Bitwarden vs Vaultwarden (RUST, formerly Bitwarden_RS)

Jimbo · November 7, 2020, 9:36pm

What’s the difference between the regular self-hosted Bitwarden and Bitwarden_rs (Rust) that is available on Cloudron? Are there any drawbacks that I should consider?

This app packages Bitwarden RS 1.17.0.

Overview

This is the Rust implementation backend, not the official server backend, but fully compatible with the Client apps.

Bitwarden is a self-hosted password manager. It allows you to store and manage your passwords, credit cards, and other private information in a secure way while still allowing you to access it from your browser, phone, or desktop.

vachan · November 9, 2020, 4:52am

Some links which you can refer to

Jimbo · November 9, 2020, 3:02pm

Thanks for the links. It seems there are no drawbacks in running the rust version. I installed Rust yesterday on my Cloudron instance and it’s running beautifully.

bw-admin · December 24, 2022, 10:46pm

For anyone that is interested, Bitwarden has launched Unified (Beta), providing an additional self-hosting solution, more info here.

Simplify configuration and optimize resource usage (CPU, memory) by deploying Bitwarden with a single Docker image.

Utilize different database solutions such as MSSQL, PostgreSQL, MySQL/MariaDB.

Run on ARM architecture for alternative systems such as Raspberry Pi and NAS servers.

Warning

This is a beta release, which means that this deployment option may be unstable and have issues. If you manage a Bitwarden organization vault, we recommend using the officially-supported, standard deployment option.

Gerardv514 · December 25, 2022, 5:03am

I have some clients that have a synology nas. Within synology is a docker app, where you can search for different images (via docker hub?); it’s pretty easy to do if you’re not familiar with docker command etc.

Are those images one that people submit to dockers registry? Can Bitwarden eventually do the same?

EDIT: Disregard it’s posted now bitwarden/self-host , I thought that was the previous self host option.

XploD · June 23, 2022, 1:10pm

Hi.

I’ve subscribed Bitwarden for some time now, but I wanted to self-host it on my own dedicated server.
But when using the official installer, docker is setup with >10 docker container with ram usage > 1GB.

Then I tried vaultwarden, and although both websites look identically, the vaultwarden server uses near-to-none ram in a single instance.

Can somebody explain if it’s possible to setup bitwarden with a small footprint for just normal family-usage? Can somebody say something about vaultwarden? Does bitwarden cooperate with the vaultwarden creator? Or is it adviced to better ignore vaultwarden because of unknown security?

Best regards,
X

bw-admin · June 23, 2022, 1:14pm

Hey @XploD, Vaultwarden is not connected to the team behind Bitwarden.

The Bitwarden team has a lite version of Bitwarden in the works but no ETA at this time, stay tuned for future updates

cksapp · June 23, 2022, 6:39pm

Hello @XploD and welcome,

It’s a wonderful question and one that has come up from time to time. Often some members here have inadvertently installed Vaultwarden thinking it was the official release without realizing.

To say Vaultwarden is a fork of Bitwarden is something that makes it easy to understand but truly Vaultwarden is a completely separate project and the code-base is mostly written in RUST.
Vaultwarden is only a compatible backend server, and still requires the use of the official Bitwarden clients. This is similar to self-hosting your own official Bitwarden service, and is mostly aimed at small businesses, families, and tech hobbiest and tinkers.

Vaultwarden was previously known as Bitwarden_RS, aka Bitwarden written in RUST. As I understand the creators of Bitwarden requested the name change due to the confusion and the developers of Vaultwarden try to explicitly state the differences and official support channels vs Vaultwarden support.
Bitwarden of course is an Open-source project, so all the code is available for any one to create their own fork, or compatible service such as Vaultwarden. Such is the nature of open-source.
As I understand Bitwarden’s main focus of business is towards those Teams, MSP, and Enterprise users who can afford to pay a reasonable cost for protecting digital assets, while maintaining a low cost for individuals and familes and at a bare minimum an ostensive free plan for the most basic of password management and security.
Vaultwarden themselves even acknowledge the need to support the “upstream project” Official Bitwarden, as without them there would be no clients, or even Vaultwarden to begin!

While I do not believe there is any inherit security risk with Vaultwarden, as all encryption of your passwords and vault data happen client-side and thus are encrypted on your device before ever being sent to the server. This means that an encrypted vault lands on either Bitwarden or Vaultwarden.
The main concern is that while I do not believe there would be any intentional malice, Vaultwarden has a significantly smaller dev team working on their project. This leads to longer times between updates, and review and QA for merging public additions to the code from other users is unknown.

Bitwarden has had an extensive code review and audit, which verifies the cryptography of Bitwarden and the security around the code that prevents any possible vulnerabilities. While RUST is very good for being memory safe from what I understand, an inexperienced coder could still inadvertently introduce a security flaw into Vaultwarden. While the code is open-source, things like code audits by a professional company costs $$$ lots of money and so Vaultwarden has not had such any type of extensive audit of their code and the security.
Bitwarden also commits to ongoing security audits and assessments, and participates in a bug bounty program via Hacker one.

I have tinkered with both, but I would not personally run Vaultwarden full time as a password manager for me or my family.
While I do not think that the Bitwarden team would do anything to intentionally hinder Vaultwarden the fact remains that it is still an unofficial 3rd party software that is built on an entirely different code base and has been made to be a compatible backend server.

As Bitwarden continues to change and add features both in terms of server features and client features, these every increasing updates could and have been shown to break things between Vaultwarden and Bitwarden.
Without a good recent backup, you are left to the mercy of the developers of Vaultwarden to play “catch up”.

Vaultwarden in and of itself also does not provide for HTTPS and typically is set up with some type of reverse proxy solution to terminate the client connection and pass that traffic to the unencrypted Vaultwarden container.
This means that without the proper set up someone sitting in between and listening “on the wire” so to speak may be able to capture plain-text login details etc.
If you opened this up to the public facing internet to possibly be easily accessible by your family too, this could spell a number of issues.

Ultimately I believe that Vaultwarden is a good project, fun to tinker with, and could be used if needed, but you should know the pros and cons.
When it comes to my password security, and the ease of use for my friends and family I simply would choose to let Bitwarden maintain their infrastructure and security while knowing any updates and changes will always continue to work without possibly losing access to critical data.
If you require premium features the cost for such is fairly cheap, thankfully those big companies help to subsidize the cost so Bitwarden can continue to provide such great features as a competitive cost.

PS. Sorry if this was a bit scatterbrained going from topic to topic, just giving my 2¢.
May try to pretty this up to better highlight the differences between the two.

bw-admin · June 23, 2022, 9:13pm

Thanks for sharing the thorough overview! I’ve revised my comment to remove ‘fork’.

XploD · June 24, 2022, 7:18am

Thank you very much for your details. I dropped vaulwarden and switched to bitwarden self-hosted.

John3 · July 8, 2022, 4:58pm

Where does stuff like BitBetter fit into this mix? Seems to be legal due to the open source nature of Bitwarden, but most people seem to gravitate towards either the full commercial product (Bitwarden) or if they prefer to tinker, Vaultwarden (to run on stuff like Raspberry Pi).

bw-admin · July 8, 2022, 6:34pm

The Bitwarden team does not provide updates or support for unofficial applications.

Bitwarden is free, with paid licenses funding current and future development, and supporting our mandate of protecting everyone’s sensitive information.

cksapp · July 11, 2022, 4:46pm

Hi @John3 and welcome to the community.

Many of us who use Bitwarden are lovers of open-source and security. Bitwarden tends to have a good company culture of the same which makes me gravitate towards it.

Understandably still Bitwarden is a business and needs to keep the lights on to continue to bring us continued progress.
“Devs need computers and coffee to code”
But in all seriousness it becomes a balancing act of sustaining a viable business model while providing free and open-source software and feature sets. This is by no means impossible though, RHEL is a great example, as it is a completely free and open source OS that is widely used. Yet Red Hat remains a sustainable business model by simply providing support, to the tune of a $34 Billion (that’s billion with a “B” ) acquisition by IBM.

As I understand Bitwarden has both a standard AGPL and source available license. The standard free and open-source AGPL license that most are familiar with should allow for the use of most features. However the “source available” license does have a few restrictions. The code is open and the “source available” but for limited circumstances such as testing, and development. Those features covered by the source available licensing are still required to be used with valid licensing of those features in a production environment.

You can see more here.

github.com

bitwarden/server/blob/master/LICENSE_FAQ.md#bitwarden-software-licensing

# Bitwarden and Open Source

The source code for all Bitwarden software products is hosted on GitHub and we welcome everyone to review, audit, and contribute to the Bitwarden codebase.

We believe that making our source code open and available is a defining feature of Bitwarden, and that source code transparency offers critically important customer benefits for security solutions like Bitwarden.

As an open solution, Bitwarden publishes the source code for various modules under different licenses.  We're providing this License Statement and FAQ document as an overview of our licensing philosophy, the specifics of module licensing, and to answer common questions regarding our licenses.

# Bitwarden Software Licensing

We have two tiers of licensing for our software. The core products are offered under one of the GPL open source licenses: GPL 3 and  A-GPL 3. A select number of features, primarily those designed for use by larger organizations rather than individuals and families, are licensed under a "Source Available" commercial license [here](https://github.com/bitwarden/server/blob/master/LICENSE_BITWARDEN.txt).

Our current software products have the following licenses:

*Bitwarden clients:* The core password management code for individual password vaults, including Desktop, Web, Browser, Mobile, and CLI versions, is available under the GPL 3.0 license.

*Bitwarden server:* The main Bitwarden server code is licensed under the AGPL 3.0 license.

*CommCore and SSO integration:* Code for certain new modules that are designed and developed for use by larger
organizations and enterprise environments is released under the Bitwarden License, a "source available" license. The

This file has been truncated. show original

I am not super familiar with BitBetter, though I have come across it in the past. Given that BitBetter modifies the core of Bitwarden services, if this provides for these features and you are using this in a production environment it may violate the Bitwarden licensing terms for some of these enterprise features.
Another thing to be wary of, any software that modifies such low level core files for Bitwarden could possibly be any number of unknown changes unbeknownst to you. I always highly recommend going through and understanding the code and software running on your systems, and carefully vet any software before being installed.

Bitwarden’s main business model though is always those companies and businesses that can afford (albeit in still a fairly generous and competitive pricing structure) the higher monthly cost for business licenses for their users. Maintaining the IP on the features developed specifically for these larger enterprise customers helps to sustain Bitwarden and allow them to continue to provide for new and additional features for the regular average user and families at a low cost, and even a very generous fully-featured tier completely FREE for even the most basic of password management so that all users can better their password hygiene and digital security with little barriers.

John3 · July 12, 2022, 12:21am

That’s a good explanation, thanks. I’ve been trying to get one with little to no success.

grb · October 4, 2023, 12:32pm

A post was split to a new topic: Pricing for business solutions and cost of self-hosting