Bitwarden, which is an open source password manager. There are a few third-party projects written in other languages that follow the project’s API. Further, there is one impressive project, bitwarden_rs, that re-implements the Bitwarden project in Rust. It features a significantly smaller memory and resource footprint than the original application, which makes it perfect to host on free tier VMs on any of the major cloud providers. Even better, it ships as a public container on Docker Hub, so setting up the application is a breeze.
Since I am most familiar with AWS, I chose to deploy it via Fargate. The Fargate service is not within the typical free tier plan that AWS provides, but as mentioned above, bitwarden_rs does not require a lot of resources. So, a small instance with no auto-scaling or other features should run less than $20 a month.
Let us get started!
We are going to leverage Fargate to do most of the heavy lifting for us. Once you have logged into AWS, navigate to ECS. Then, set up a custom image with the following parameters:
bitwardenrs/server (ECS will obtain this from Docker Hub)
0.5 GB (512)
0.25 vCPU (256)
Once the image is constructed, Fargate will deploy the image and set up the related infrastructure. This will take a few minutes. Once everything is set up, you will be able to access the front-end of the Bitwarden application by utilizing the DNS provided by AWS. It will be in this format:
By accessing that URL, you should see the Bitwarden login page. However, do not set up an account and log in just yet - the content is being served over HTTP and is not secure. We will now configure our infrastructure to utilize HTTPS.
If your domain name was obtained from a Domain Name System (DNS) provider other than AWS, you will need to configure your current DNS provider to use the AWS nameservers. So, let’s do that first:
NS record and a
NS record should have 4 values in it - these are the nameservers you will need to point your current DNS provider to.
alias target of the ALB previously set up by Fargate.
Now that we have DNS managed by AWS, we can use the Certificate Manager to generate an SSL/TLS certificate that we can use with the Application Load Balancer (ALB) and Target Group (TG) that Fargate set up for us.
*.domain.name to allow subdomains to be scoped into the certificate. This will give you more flexibility if you intend to utilize your domain name for sites other than the bitwarden_rs server we are setting up.
CNAME record to the Route 53 hosted zone that we created previously. You should see a button that says Create record in Route 53. Click this and check in Route 53 that the record was populated.
Once the HTTPS certificate has been validated, we can now set up our infrastructure to utilize it.
HTTP: 80 rule and change the rules to
HTTPS: 443 with a status code of
forward to the target group set up by Fargate. Note - to view your target groups, click on the “Target Groups” link below “Load Balancers” on the left navigation pane within the EC2 module.
Now, we need to edit our existing Security Groups (SG) to allow HTTPS traffic on port 443.
Now that we have set up our AWS infrastructure to handle traffic to the bitwarden_rs container via HTTPS, let us test it out.
In your browser, navigate to the custom URL (subdomain) that you set up in Route 53. The Bitwarden login screen should appear. Success!
You can now use the Bitwarden CLI, browser app and mobile apps to communicate with the Fargate container.
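The listener setup described above can also be checked from configuration rather than from the browser. The following is an added example, not code from the original post: it audits data in the shape of `aws elbv2 describe-listeners` output and reports any listener that would still let vault traffic travel over plain HTTP. The sample data, ARNs and status code are constructed placeholders, and the check assumes only each listener's default actions matter.

```python
# Constructed samples shaped like `aws elbv2 describe-listeners` output.
# ARNs are placeholders; the redirect status code is chosen for the sample.
TG = "arn:aws:elasticloadbalancing:REGION:ACCOUNT:targetgroup/EXAMPLE/0000"
CERT = "arn:aws:acm:REGION:ACCOUNT:certificate/EXAMPLE"

BEFORE = {"Listeners": [  # what Fargate creates: HTTP:80 forwards to the container
    {"Port": 80, "Protocol": "HTTP",
     "DefaultActions": [{"Type": "forward", "TargetGroupArn": TG}]},
]}
AFTER = {"Listeners": [   # HTTP:80 redirects, HTTPS:443 forwards with a certificate
    {"Port": 80, "Protocol": "HTTP",
     "DefaultActions": [{"Type": "redirect", "RedirectConfig": {
         "Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}]},
    {"Port": 443, "Protocol": "HTTPS",
     "Certificates": [{"CertificateArn": CERT}],
     "DefaultActions": [{"Type": "forward", "TargetGroupArn": TG}]},
]}


def audit_listeners(desc):
    """Return a list of findings; an empty list means the setup passes."""
    findings, has_https = [], False
    for lst in desc.get("Listeners", []):
        proto, port = lst.get("Protocol"), lst.get("Port")
        actions = lst.get("DefaultActions", [])
        if proto == "HTTPS":
            has_https = True
            if not lst.get("Certificates"):
                findings.append(f"HTTPS:{port} has no certificate attached")
            if not any(a.get("Type") == "forward" for a in actions):
                findings.append(f"HTTPS:{port} does not forward to a target group")
        elif proto == "HTTP":
            # Plain HTTP may only redirect to HTTPS, never reach the container.
            for a in actions:
                target = a.get("RedirectConfig", {}).get("Protocol")
                if a.get("Type") != "redirect" or target != "HTTPS":
                    findings.append(
                        f"HTTP:{port} action '{a.get('Type')}' stays on plaintext")
    if not has_https:
        findings.append("no HTTPS listener on the load balancer")
    return findings


if __name__ == "__main__":
    for name, cfg in (("before", BEFORE), ("after", AFTER)):
        print(name, audit_listeners(cfg) or "OK")
```

To run it against a real load balancer, pass the parsed JSON from the CLI command to `audit_listeners` in place of the samples.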