Bitwarden VS Vaultwarden

Hi.

I’ve subscribed to Bitwarden for some time now, but I wanted to self-host it on my own dedicated server.
But when using the official installer, Docker is set up with >10 Docker containers with RAM usage >1 GB.

Then I tried Vaultwarden, and although both websites look identical, the Vaultwarden server uses near-to-no RAM in a single instance.

Can somebody explain if it’s possible to set up Bitwarden with a small footprint for just normal family usage? Can somebody say something about Vaultwarden? Does Bitwarden cooperate with the Vaultwarden creator? Or is it advised to better ignore Vaultwarden because of unknown security?

Best regards,
X

Hey @XploD, Vaultwarden is not connected to the team behind Bitwarden.

The Bitwarden team has a lite version of Bitwarden in the works but no ETA at this time, stay tuned for future updates :+1:


Hello @XploD and welcome,

It’s a wonderful question and one that has come up from time to time. Often some members here have inadvertently installed Vaultwarden thinking it was the official release without realizing.

To say Vaultwarden is a fork of Bitwarden is something that makes it easy to understand, but truly Vaultwarden is a completely separate project and the codebase is mostly written in Rust.
Vaultwarden is only a compatible backend server, and still requires the use of the official Bitwarden clients. This is similar to self-hosting your own official Bitwarden service, and is mostly aimed at small businesses, families, and tech hobbyists and tinkerers.

Vaultwarden was previously known as Bitwarden_RS, aka Bitwarden written in Rust. As I understand it, the creators of Bitwarden requested the name change due to the confusion, and the developers of Vaultwarden try to explicitly state the differences and official support channels vs. Vaultwarden support.
Bitwarden of course is an Open-source project, so all the code is available for any one to create their own fork, or compatible service such as Vaultwarden. Such is the nature of open-source.
As I understand it, Bitwarden’s main focus of business is towards those Teams, MSP, and Enterprise users who can afford to pay a reasonable cost for protecting digital assets, while maintaining a low cost for individuals and families and at a bare minimum an ostensive free plan for the most basic of password management and security.
Vaultwarden themselves even acknowledge the need to support the “upstream project” Official Bitwarden, as without them there would be no clients, or even Vaultwarden to begin with!

I do not believe there is any inherent security risk with Vaultwarden, as all encryption of your passwords and vault data happens client-side and thus they are encrypted on your device before ever being sent to the server. This means that an encrypted vault lands on either Bitwarden or Vaultwarden.
The main concern is that while I do not believe there would be any intentional malice, Vaultwarden has a significantly smaller dev team working on their project. This leads to longer times between updates, and review and QA for merging public additions to the code from other users is unknown.

Bitwarden has had an extensive code review and audit, which verifies the cryptography of Bitwarden and the security around the code that prevents any possible vulnerabilities. While Rust is very good for being memory safe from what I understand, an inexperienced coder could still inadvertently introduce a security flaw into Vaultwarden. While the code is open-source, things like code audits by a professional company cost $$$ lots of money, and so Vaultwarden has not had any such type of extensive audit of their code and the security.
Bitwarden also commits to ongoing security audits and assessments, and participates in a bug bounty program via HackerOne.

I have tinkered with both, but I would not personally run Vaultwarden full time as a password manager for me or my family.
While I do not think that the Bitwarden team would do anything to intentionally hinder Vaultwarden the fact remains that it is still an unofficial 3rd party software that is built on an entirely different code base and has been made to be a compatible backend server.

As Bitwarden continues to change and add features, both in terms of server features and client features, these ever-increasing updates could and have been shown to break things between Vaultwarden and Bitwarden.
Without a good recent backup, you are left to the mercy of the developers of Vaultwarden to play “catch up”.

Vaultwarden in and of itself also does not provide for HTTPS and typically is set up with some type of reverse proxy solution to terminate the client connection and pass that traffic to the unencrypted Vaultwarden container.
This means that without the proper set up someone sitting in between and listening “on the wire” so to speak may be able to capture plain-text login details etc.
If you opened this up to the public facing internet to possibly be easily accessible by your family too, this could spell a number of issues.

Ultimately I believe that Vaultwarden is a good project, fun to tinker with, and could be used if needed, but you should know the pros and cons.
When it comes to my password security, and the ease of use for my friends and family I simply would choose to let Bitwarden maintain their infrastructure and security while knowing any updates and changes will always continue to work without possibly losing access to critical data.
If you require premium features the cost for such is fairly cheap; thankfully those big companies help to subsidize the cost so Bitwarden can continue to provide such great features at a competitive cost.

PS. Sorry if this was a bit scatterbrained going from topic to topic, just giving my 2¢.
May try to pretty this up to better highlight the differences between the two.

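As an added illustration of the reverse-proxy layout the reply above describes (editor-added example configuration, not from this thread or the Vaultwarden project), the following docker-compose file puts a TLS-terminating proxy in front of the plain-HTTP Vaultwarden container and shows the weak setting beside the corrected one. The hostname, e-mail and paths are placeholders.

```yaml
# Constructed example: Caddy terminates HTTPS and proxies to Vaultwarden,
# which itself speaks only plain HTTP on port 80 inside the container.
services:
  vaultwarden:
    image: vaultwarden/server:latest
    restart: unless-stopped
    environment:
      # Public URL so generated links (invites, 2FA setup) use https://
      DOMAIN: "https://vault.example.com"   # placeholder hostname
      # Close open registration once the family accounts exist
      SIGNUPS_ALLOWED: "false"
    volumes:
      - ./vw-data:/data
    # WEAK: publishing the container port puts unencrypted HTTP on the
    # network, so anyone "on the wire" can read logins in plain text.
    # ports:
    #   - "80:80"
    # CORRECTED: do not publish the port at all; only the proxy on the
    # compose-internal network can reach the container.
    expose:
      - "80"

  caddy:
    image: caddy:2
    restart: unless-stopped
    # Caddy's built-in reverse-proxy mode: a bare hostname in --from turns
    # on automatic HTTPS (ACME certificate + HTTP->HTTPS redirect).
    command: caddy reverse-proxy --from vault.example.com --to vaultwarden:80
    ports:
      - "80:80"    # only serves the redirect and the ACME challenge
      - "443:443"
    volumes:
      - ./caddy-data:/data   # persists the issued certificate
    depends_on:
      - vaultwarden
```

Once up, `http://vault.example.com` should answer with a redirect to `https://` and nothing should be listening on the host for the Vaultwarden container directly; a recent backup of `./vw-data` covers the "catch up" risk mentioned above.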

Thanks for sharing the thorough overview! I’ve revised my comment to remove ‘fork’.

Thank you very much for your details. I dropped Vaultwarden and switched to Bitwarden self-hosted.
