Self-hosted hot standby

So far my company is absolutely fine with Bitwarden availability. I mean, more than a year of intensive usage, and zero perceived downtime? That’s a solid score among the few SaaS providers that we use today.

However, as a risk manager, I must take every situation into account. Due to the limited features of offline mode, if the web vault ends up down for a while, we might want to switch to an emergency mode with a self-hosted instance having a not-too-old version of collections.

If I understand this doc correctly, I can use our hosted license on an on-premise instance, right?
Is there any usable “raw sync” mechanism that we could use to periodically download the web vault content and push it into the on-premise instance? Of course, none of our users’ vaults are to be synced, I’m well aware of the underlying cryptographic notions here. But what about collection data?

Hi, thankfully better offline management and access is in the pipeline and should hopefully come out of the works soon (my hope).

In the meantime the Bitwarden API might be something to look into if you are familiar with it and feel comfortable putting together something that could utilize the API.

The Bitwarden CLI will also play into this and scripts can be set up to export organization items for backup, and I’m sure secondary scripts could be used for importing to an on-prem Org as a hotspare.

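A scripted version of the CLI export/import flow suggested above, as an added example that is not from this thread or from Bitwarden: it wraps the `bw export` / `bw import` commands and adds a consistency check so a failed or partial export is never pushed into the standby org. It assumes the `bw` CLI is logged in and unlocked (BW_SESSION set) and pointed with `bw config server` at the cloud for the export step and at the standby for the import step; the sample export JSON is constructed.

```python
"""Export a Bitwarden organization vault with the `bw` CLI, sanity-check it, and
import it into a self-hosted standby org.  Example code for this thread, not
Bitwarden tooling.  Assumes an unlocked CLI (BW_SESSION set) pointed with
`bw config server` at the cloud for export_org and at the standby for import_org."""
import json
import os
import subprocess

# Constructed sample shaped like an org JSON export; i2 references an unknown collection.
SAMPLE_EXPORT = json.dumps({
    "encrypted": False,
    "collections": [{"id": "c1", "name": "Infra"}, {"id": "c2", "name": "Finance"}],
    "items": [
        {"id": "i1", "name": "router", "type": 1, "collectionIds": ["c1"]},
        {"id": "i2", "name": "bank", "type": 1, "collectionIds": ["c2", "c9"]},
    ],
})

def check_export(raw):
    """Return (ok, items per collection name, orphan collection ids); ok is False
    for an empty export or one whose items reference collections that are missing."""
    data = json.loads(raw)
    if data.get("encrypted"):
        raise ValueError("encrypted export cannot be inspected before import")
    names = {c["id"]: c["name"] for c in data.get("collections", [])}
    counts = {name: 0 for name in names.values()}
    orphans = set()
    for item in data.get("items", []):
        for cid in item.get("collectionIds", []):
            if cid in names:
                counts[names[cid]] += 1
            else:
                orphans.add(cid)
    return sum(counts.values()) > 0 and not orphans, counts, sorted(orphans)

def export_org(org_id, path):
    """Dump the cloud org to `path` (mode 0600) via `bw export --raw`, rejecting bad dumps."""
    cmd = ["bw", "export", "--organizationid", org_id, "--format", "json", "--raw"]
    proc = subprocess.run(cmd, check=True, capture_output=True, text=True)
    ok, counts, orphans = check_export(proc.stdout)
    if not ok:
        raise RuntimeError(f"export rejected: counts={counts} orphans={orphans}")
    with os.fdopen(os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600), "w") as fh:
        fh.write(proc.stdout)
    return counts

def import_org(org_id, path):
    """Load the dump into the standby org; `bw import` does not deduplicate, so
    repeated runs pile up copies unless the standby org is emptied first."""
    subprocess.run(["bw", "import", "bitwardenjson", path,
                    "--organizationid", org_id], check=True)
```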

Thanks!

We indeed have quite some experience with the API and CLI, due to our hand-made collection sync bot, which leverages both mechanisms. Although we use the CLI only to create newly added collections, the API not being able to do so, but being able to manage group access (I never understood why in the design process, the collection’s name was deemed sensitive and needing encryption, while the access management is left to the API without encryption).

However my primary question was: do I need a second license to host my hotspare, or can the hosted license be used to activate features on the hotspare while still being valid for the hosted organization?

Ahh, sorry for the miscommunication in understanding here, as I understand yes the license Bitwarden provides will activate all features that are currently being paid for in the premium membership either for personal vaults, or Organization vaults in self-hosted instances.

I have set up and run a small self-hosted instance for testing in my home-lab and use the family premium license.
As expected this activates the same subscription as is paid for in the cloud SaaS (though family members default to 6 members in total, you may need to switch license files if you add additional users in the SaaS cloud version of Bitwarden.

Not sure how this is handled but I would assume once you go over your user set allocation and add additional licenses in the Bitwarden cloud, one would need to download a new license file with that user seat limit and update it in the self-hosted instance, but I could be wrong here about this)

Had absolutely no issues or warning messages stating that I was currently using the cloud service as well as the self-hosted instance. You can “double dip” so to speak rather than being resigned to one or the other. I guess the assumption is Bitwarden provisions costs for their SaaS users, if there are companies that need to self-host for data compliance or security Bitwarden allows this easily, and those companies are still paying the same rates/user while taking some load off of Bitwarden’s cloud infrastructure, albeit to be fair the hardware requirements are fairly minimal. If there are special use cases where licensed users such as myself want to run self-hosted to test, or special use cases such as yours in the company for a “hot-spare”, Bitwarden does not restrict this.

Good, that’s a very comprehensive answer, thanks!

Then a hotspare instance will probably be a thing when I have some free time.

And I’m eager to see what offline features will come in the future too.

Thanks again,
Greetings

Hello there, I have a similar task to provide an extra instance in case the main one goes down. Could you please share with me your realization of this job? How did you solve it?


Hi @paslavskyit

I did not :laughing:

Being a 170+ seats (and steadily growing) organization for more than a year now, we never encountered any kind of service disruption on the SaaS product. This is absolutely amazing, by the way: we would be more than ok with a few disruptions here and there, this is IT after all and we do understand these things happen. But so far we never had to suffer any problem.

This hot-standby / test environment is still a thing for us, but very low in our priority list. The incredible reliability of the SaaS product makes the hot-standby a very low added-value development for now. I’d say we might eventually come back to it after some incident of some kind, implying some disruption of the web vault and mechanically making the item go up again in our risk management strategy.

On the more technical side, if your question is about “how to do”, I’m afraid I can’t help since we did not proceed in the end. The provided documentation is quite thorough. When investigating it first, we agreed on sticking to our usual deployment method: Puppet-managed Debian-based virtual machine with Docker containers started/monitored via a systemd unit. That’s what we usually do, and I see no reason not to do it if we come back to this in the future.

Do you have any kind of more specific problem to figure out?

Hi! That’s nice to hear you’ve never had an issue with it. We also do want to make it on the virtual machine, and actually, we already have one configured. It’s working flawlessly.

My task was to create another one with a synchronized database. In case the first one goes down, the second one would be immediately available. For now, I see the solution is to make backups on the main machine on a daily basis and send ’em through FTP/whatever to the second one and restore them there.

But again, what are the chances that something could go wrong with SaaS? I highly doubt it :slight_smile:

We indeed never went that far in the process. I have no clue on how to handle synced databases, and the license question @cksapp mentioned earlier might also be a concern for you: what happens when you upgrade your license to add more people? You probably need to download the new license file and re-import it in your self-hosted instances.

If I’m not mistaken, I think Bitwarden is using MSSQL, which I have no experience with. However, there is probably some kind of automated replication system available, just like what we can do with PostgreSQL (which is generally our go-to database system). That will not allow you to sync a self-hosted instance with a SaaS instance, but that might allow you to sync two different self-hosted instances.


It seems I have to look in this direction: sync two self-hosted instances. Thanks
