Pretty much exactly a year ago, I switched password managers, from 1Password to bitwarden.
tl;dr. I am a fan... mostly.
I am not going to dwell on the security aspects here, since you can read about them on bitwarden's site, but I was initially hesitant about hosting passwords, even self-hosting passwords, on an Internet-facing system.
Reading the bitwarden documents made me comfortable:
Bitwarden is a zero knowledge encryption solution, meaning you are the only party with access to your key and the ability to decrypt your Vault data.
(The logo is lowercase ("bitwarden") but the website text / documentation is capital case ("Bitwarden"). I've stuck with "bitwarden" here.)
Update 2022-07-03: response from bitwarden
Even though it is Sunday, I got some very rapid feedback from bitwarden, which I reproduce here in full:
Thanks for the feedback!
Offline editing is on the roadmap, so stay tuned!
The team is also working on Bitwarden Lite for running on Raspberry Pi etc.
Regarding having 2 licenses active, your Family plan includes premium for individual users, so you can safely remove the premium one.
Regarding the snap image, I've passed the feedback along to the team.
Thanks for your support and keep the feedback coming 👍
Offline editing and a RPi-flavoured option?! Nice!
It works well... mostly
I tend to use the desktop client (of which, see below), and the browser plug-ins.
I've used it across multiple devices and operating systems - mostly Linux, including the PinePhone Pro, but also Android and iOS - and multiple browsers.
My usage is basic: I am using it as a password manager. I tested the "share" function, but I've not used it for real - although perhaps I should. (Ideally, I'd be able to use that on a different domain, so that I don't have to use the domain I chose for my own vault. I haven't looked into that though.)
I experimented with the command line interface but, again, I haven't used it in anger.
After a year of usage, my basic summary is that bitwarden works well. It works even better when you get to grips with the keyboard shortcuts.
It stays in sync across devices, without needing to store anything on a third party server (although you do use Bitwarden's hosted push relay; I've yet to attempt to run my own, but I'd like to). I love this. This was one of the reasons for moving away from 1Password: the local synchronisation system was very much suboptimal. With bitwarden, it is seamless.
Moving from 1Password was very easy. I don't remember exactly what I did, but my recollection is that I exported from 1Password, using bitwarden's import tool, and it "just worked". I kept 1Password around for a while, just in case, but didn't need to use it.
So overall, a very positive experience.
There are a couple of minor annoyances.
First, the "Default URI match detection" option, in the browser clients, is set to "Base domain" by default, and I prefer "Host", as "Base domain" is too imprecise. But that's probably because I have lots of sub-domains, and changing the setting is a very simple change.
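To show why "Base domain" is looser than "Host" when you run many sub-domains, here is an added example (not from the original post and not Bitwarden's own code) that models the two modes. The hostnames, the tiny public-suffix set and the function names are all constructed for illustration.

```javascript
// Added illustration; a simplified model of two "URI match detection" modes.

// Assumption: a tiny stand-in for the Public Suffix List, enough for the samples.
const MULTI_LABEL_SUFFIXES = new Set(["co.uk", "org.uk"]);

// Registrable ("base") domain: the public suffix plus one more label.
function baseDomain(hostname) {
  const labels = hostname.toLowerCase().split(".");
  const lastTwo = labels.slice(-2).join(".");
  const keep = MULTI_LABEL_SUFFIXES.has(lastTwo) ? 3 : 2;
  return labels.slice(-keep).join(".");
}

// "Base domain": any host under the same registrable domain matches.
function matchesBaseDomain(savedUri, pageUrl) {
  return (
    baseDomain(new URL(savedUri).hostname) ===
    baseDomain(new URL(pageUrl).hostname)
  );
}

// "Host": hostname (and port, when one is present) must be identical.
function matchesHost(savedUri, pageUrl) {
  return new URL(savedUri).host === new URL(pageUrl).host;
}

// Constructed sample: one saved login and pages on hypothetical hosts.
const SAVED = "https://vault.example.org/login";
const PAGES = [
  "https://vault.example.org/#/settings", // same host
  "https://wiki.example.org/signin",      // sibling sub-domain
  "https://vault.example.org:8443/admin", // same name, different port
  "https://example.com/",                 // different registrable domain
];

// For each page, report whether the saved login would be offered in each mode.
function compare(saved, pages) {
  return pages.map((page) => ({
    page,
    baseDomain: matchesBaseDomain(saved, page),
    host: matchesHost(saved, page),
  }));
}

console.table(compare(SAVED, PAGES));
```

In this model the sibling sub-domain and the alternate port are both offered the saved login under "Base domain" but not under "Host".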
The second one is a bit more of a pain in theory but, in practice, it hasn't proved a problem: you must be online to save or edit an entry:
Most functions of Bitwarden are accessible in offline mode, however you won't be able to make edits to or add vault items, attachments, or sends or import new vault items.
And if you are offline, you get a somewhat cryptic error message:
An error has occurred. Failed to fetch.
As I say, in practice, this hasn't been too much of a problem, mainly because I use bitwarden for managing the usernames and passwords for online accounts, and so I tend to be online when I use it.
Self-hosting is easy... mostly
Self-hosting bitwarden is easy, and the instructions are clear. I'd prefer not to use docker but, in this case, I just went with it. Don't forget the update and backup scripts as a cronjob.
Where I struggled - and, indeed, gave up - was trying to get it working on a Raspberry Pi. I started to tinker with the installation scripts, but I didn't make it work. And that's a shame, as I'd rather have it running on its own Pi. (This was perhaps six months ago; maybe things have changed since then.)
I'm a fan of the commercial model... mostly
I know that some people are not fans of paying for software, especially Free software, but I am not one of those people. (And I am lucky that I can afford to pay for Free software.)
Bitwarden is free, with some paid-for additional features. One of those features is essential to me, and that is TOTP support. I'm happy to pay for that.
The process is a bit confusing. I needed to create an account on their instance, and then purchase the licence, and then install it on my own instance. But it worked.
However, I've somehow ended up with two licences - an annual $10 premium licence for me personally, and an annual $40 premium licence for a family organisation.
I suspect I somehow got confused when I was trying to sort out a family organisation plan, perhaps having already purchased a personal premium licence.
It's not a big deal, and it is going to take more of my time to resolve it than it is worth, but just be aware of the possibility of making this mistake, so you don't make it too!
The snap image for the Linux desktop client works... mostly
I used the official snap image (sudo snap install bitwarden). I'm not a fan of snap, but I want my password manager to update itself automatically, and the official .deb is explicitly listed as "No Auto-Updates".
The installation completed successfully, but when I tried to run bitwarden, it did not launch.
The solution was in this post: changing the contents of the .desktop file at /var/lib/snapd/desktop/applications/bitwarden_bitwarden.desktop, to replace:
Exec=env BAMF_DESKTOP_FILE_HINT=/var/lib/snapd/desktop/applications/bitwarden_bitwarden.desktop /snap/bin/bitwarden %U
with:
Exec=env BAMF_DESKTOP_FILE_HINT=/var/lib/snapd/desktop/applications/bitwarden_bitwarden.desktop /snap/bitwarden/current/bitwarden
And then it works.
I guess the number of people using bitwarden on Linux who are not capable of looking in a log file for an error message, and then searching for a solution, is pretty low. But it is a shame that this problem persists after (at least) a year.