Bitwarden Aws
Released:
Cross Platform Bitwarden library and CLI with sudolikeaboss.
Project description
This repo houses both python and rust versions.
source repo lives @ https://fossil.birl.ca/bitwarden-cli/home
But is mirrored to github:
https://github.com/birlorg/bitwarden-cli
Documentation: https://fossil.birl.ca/bitwarden-cli/doc/trunk/docs/build/html/index.html
Historic fun fact: all crypto code had to be written and stored outside
of the USA at one time.
------------------------------------------------------------
EXAMPLE USAGE:
ALIAS bw=bitwarden
GET HELP:
---------
$ bitwarden --help
Usage: bitwarden [OPTIONS] COMMAND [ARGS]...
Bitwarden CLI program.
Options:
--url TEXT
--identurl TEXT
--debug / --no-debug
--db TEXT
--help Show this message and exit.
Commands:
deletedb ***THIS ERASES DATA*** Flush and empty the...
fetch_name fetch by name.
fetch_uuid fetch by UUID.
find find query in username,uri this does a simpe...
login login to server.
logout logout from server, stop agent and forget all...
pull pull all records from server, updating local...
register register a new account on server.
slab run in slab mode.
sql query the local data store using SQL.
status Show various statistics.
$ bitwarden find --help
Usage: bitwarden find [OPTIONS] QUERY
find query in username,uri
this does a simpe python string find i.e.:
if query in username:
but searches against username and first url
You can export it in almost any format you wish with -f
to get the password once you found an entry use fetch_uuid
complicated example:
bw find example.com -f tsv --no-headers | fzf | cut -f 1 | xargs bitwarden fetch_uuid -p
which means: find all entries with example.com in them, use fzf to select
a record and return only the password.
Options:
-f, --format [csv|tsv|json|yaml|html|xls|xlsx|dbf|latex|ods]
--headers / --no-headers
--help Show this message and exit.
---- USAGE:
login:
bw login nobody@example.com
it will prompt you for a password. if you are
a moron, you can specify it with --password <MY PASSWORD HERE> but don't be a
moron.
SLAB mode: 'sudolikeaboss is a simple application that aims to make your life as
a dev, ops, or just a random person who likes to ssh and sudo into boxes much,
much easier by allowing you to access your bitwarden passwords on the terminal.
All you need is iterm2, bitwarden, a mac, and a dream.' - from:
https://github.com/ravenac95/sudolikeaboss
slab command for iTerm2:
export LANG=en_CA.UTF-8;export LOCALE=en_CA.UTF-8; /usr/local/bin/bitwarden slab
if you speak a different language, change the LOCALE and LANG settings above.
We support self-hosted installations just pass --url and --identurl The url will
be saved indefinitely, you do not need to set it every time (not even when you
login again, it will be remembered) see bw login --help for details.
-----------------------------------------------------------------------
SECURITY:
Bitwarden works by having a 'master key' that is computed from your email and
password. This needs to be kept 'safe', but this is a CLI program. We could
store the master key on disk somewhere, but that's a bad idea.
The way we do this is with an in-memory 'agent' that listens on a 127.0.0.1 port
(configurable, but defaults to 6277) see: python/bitwarden/agent.py for all the
details. Bonus if you figure out why that port # :). Ideally on POSIX platforms
it would use a socket on disk somewhere to communicate, but I wanted this to
work on Windows, so this is what we can do.. :) patches welcoome to fix this up
on POSIX.
when you login, it starts up the agent, with a timeout set to the login
access_token timeout in seconds, since we do not currently support re-freshing
the token. At the end of the token lease, the agent will kill itself and stop
running. (this is configurable, but not exported to the CLI yet -- patches
welcome)
The agent requires a token to get the master key from it's in-memory store.
This is currently 16 bytes of os.urandom() on startup and is stored on disk, but
changes every time a new agent runs.details are in python/bitwarden/db.py
This should mostly function fine on Windows, but is currently untested. bug
reports and patches welcome.
-----------------------------------------------------------------------
INSTALLATION
NOTE: the rust and python are 2 different implementations that are not
(currently) tied together. you need not install both, just install one (the
pythone one currently if you want it to work)..
rust installation:
clone the repo (either fossil or git)
cd rust cargo build --release
cp target/release/bitwarden /usr/local/bin/bitwarden
then follow DB setup instructions below.
python installation:
clone the repo (either fossil or git)
cd python
python3 setup.py install
then follow DB setup instructions below.
or better yet, use pipenv.
Common to both, the DB setup:
If you have liquibase and the sqlite JDBC driver,
run tools/lb.sh Otherwise copy over the blank DB (with schema installed) I
include in the tools/ dir the directory it belongs in is platform dependent, run
bitwarden and it will tell you. Alternatively you can put the DB wherever you
like and always prepend --db to your commands (not recommended)
-------------------------------------------------------------------
TROUBLESHOOTING:
export DEBUG=true and then run bitwarden. or bitwarden --debug <cmd>
It will output LOTS
of stuff, some of it is security sensitive, so be careful when you copy/paste
the logs.
either email or reach out via fossil or github tickets.
--------------------------------
TODO planned(code welcome):
* Finish off minimal implementation(MVP) of the python version (add, etc)
* Build and release executables for mac and windows. build Makefile to automate
this.
* Finish off rust crypto and agent, port python version to use rust crypto and
agent
* Add server support (i.e. can also act like a server, so you could for
instance have your local browser and desktop talk locally and work 100%
off-line)
* Fix up documentation in
HTML(http://fossil-scm.org/index.html/doc/trunk/www/embeddeddoc.wiki) and
make prettier.
Goals:
* be a useful bitwarden tool that works on openBSD, debian, macOS and windows
since these are the platforms I spend most of my time on. UI is abysmal,
thanks to @kspearrin for doing that slog, go pay him, I do.
* Be able to work off-line completely if you wish. This mostly works now.
Non-Goals:
* GUI's because writing them is misery. @kspearrin has this well-handled! YAY!
The idea behind the CLI here is to think of the server as a place to push / pull
againt. The local copy of the DB should be resilient and not erase anything
ever without explicitly saying so, so that full historic backups are possible.
think more like revision control. This is not fully fleshed out, at the time
of this writing..
-----------
Contributing:
If you use fossil, just send me a place to pull from or setup a login and
email/contact me and I will give you push rights. if you refuse to use fossil,
you can email me patches. Or you can use github and pull-requests, I guess.
Unless you explicitly state otherwise, any contribution intentionally submitted
for inclusion in the work by you shall be dual licensed as above, without any
additional terms or conditions.
License
Licensed under either of
Apache License, Version 2.0 (LICENSE-APACHE or http://www.apache.org/licenses/LICENSE-2.0)
MIT license (LICENSE-MIT or http://opensource.org/licenses/MIT) at your option.
email: bitwarden @at@ birl.ca
Release historyRelease notifications | RSS feed
0.4.0
The Bitwarden Authenticator is an alternative solution to dedicated authentication apps like Authy, which you can use to verify your identity for websites and apps that use Two-step Login. The Bitwarden Authenticator generates 6-digit Time-based One-time Passwords (TOTPs) using SHA-1 and rotates them every 30 seconds.
- Logging into an AWS account can involve both an account and username field entry. One account can have many usernames. Actual Behaviour Bitwarden reads the 'account' field as the one into which the saved username should be injected on au.
- If you have AWS credentials set up, this should get you a running instance of the API. Just plug the AWS Gateway Service endpoint into your Bitwarden settings. Npm install -g serverless npm install # Feel free to deploy to an AWS region closer to your typical location serverless deploy -region us-east-1 -stage prod.
- Bitwarden, AWS, high availability and Loadbalancers. Hi all, As the topic says, I set up Bitwarden in an AWS-environment, consisting of 1 RDS Server for the Datadabase and 2 EC2 instances for the Webfrontend.
- An alternative implementation of the Bitwarden API based on a AWS Serverless stack.
0.3.1
0.3.0
0.2.4
0.2.3
0.2.2
0.2.1
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Filename, size | File type | Python version | Upload date | Hashes |
---|---|---|---|---|
Filename, size bitwarden-0.4.0-py3-none-any.whl (23.4 kB) | File type Wheel | Python version py3 | Upload date | Hashes |
Filename, size bitwarden-0.4.0.tar.gz (23.7 kB) | File type Source | Python version None | Upload date | Hashes |
Hashes for bitwarden-0.4.0-py3-none-any.whl
Algorithm | Hash digest |
---|---|
SHA256 | 6d77a2ba062da9175ab2e6e86e3ccab5861759768ac2cd6175ac003868ab9d9c |
MD5 | 6475ac5084c436922ddc4b643feaac20 |
BLAKE2-256 | f02707a141d81c7f1b8e0b44e7b9b6476f59498051b4bd1ee5c87265142970bd |
Hashes for bitwarden-0.4.0.tar.gz
Algorithm | Hash digest |
---|---|
SHA256 | ef5b06809d3ecc883133b115c3e6c22a1aa76492f46efbe20e0a3f3093c5d902 |
MD5 | 6ca14816bafc2902bfb7982b91997ce0 |
BLAKE2-256 | 8040fea3195de0d7440499690a5d41423f21f7e07cfad5c3cd5791decc3611cb |
2019-09-20
Recently, I ran across a project called Bitwarden, which is an open source password manager. There are a few third-party projects written in other languages that follow the project’s API. Further, there is one impressive project bitwarden_rs that re-implements the Bitwarden project in Rust. It features a significantly smaller memory and resource footprint than the original application, which makes it perfect to host on free tier VMs on any of the major cloud providers. Even better, it ships as a public container on Docker Hub, so setting up the application is a breeze.
Since I am most familiar with AWS, I chose to deploy it via Fargate. The Fargate service is not within the typical free tier plan that AWS provides, but as mentioned above, bitwarden_rs does not require a lot of resources. So, a small instance with no auto-scaling or other features should run less than $20 a month.
Prerequisites:
- AWS account
- available domain name
Let us get started!
We are going to leverage Fargate to do most of the heavy lifting for us. Once you have logged into AWS, navigate to ECS. Then, set up a custom image. With the following parameters:
- 1: container name: whatever you would like
- 2: image:
bitwardenrs/server
(ECS will obtain this from Docker Hub) - 3: container port:
80
- 4: container protocol:
tcp
- 5: task memory:
0.5 GB (512)
- 6: task CPU:
0.25 vCPU (256)
Once the image is constructed, Fargate will deploy the image and set up the related infrastructure. This will take a few minutes. Once everything is set up, you will be able to access the front-end of the Bitwarden application by utilizing the DNS provided by AWS. It will be in this format:
By accessing that URL, you should see the Bitwarden login page. However, do not set up an account and login just yet - the content is being served over HTTP and is not secure. We will now configure our infrastructure to utilize HTTPS.
DNS configuration
If your domain name was obtained from a Domain Name System (DNS) provider other than AWS, you will need to configure your current DNS provider to use the AWS nameservers. So, let’s do that first:
- In the AWS console, navigate to Route 53. Create a new hosted zone with your domain name.
- Once this has been created, AWS will create two records for you - a
NS
record and aSOA
record. TheNS
record should have 4 values in it - these are the namesevers you will need to point your current DNS provider to. - Update your current DNS provider to use the AWS nameservers.
- Create a record set to use a subdomain of your intended domain. Point this subdomain to an
alias
target of the ALB previously set up by Fargate.
HTTPS certificate
Now that we have DNS managed by AWS, we can use the Certificate Manager to generate a SSL/TLS certificate that we can use with the Application Load Balancer (ALB) and Target Group (TG) that Fargate set up for us.
- In the AWS console, navigate to Certificate Manager.
- Select “Request a public certificate”
- Input the domain name. In most cases, you’ll want to use the format
*.domain.name
to allow subdomains to be scoped into the certificate. This will give you more flexibility if you intend to utilize your domain name for sites other than thebitwarden_rs
server we are setting up. - When your request has been submitted, you will need to add the
CNAME
record to the Route 53 hosted zone that we created previously. You should see a button that saysCreate record in Route 53
. Click this and check Route 53 that the record was populated. - It might take at least 30 minutes, but the certificate should eventually be validated and issued.
ALB / TG / configuration
Once the HTTPS certificate has been validated, we can now set up our infrastructure to utilize it.
- In the AWS console, navigate to EC2.
- On the left navigation column, select “Load Balancers”.
- Select the load balancer created by Fargate. Then click on the “Listeners” tab. By default, Fargate sets up the listener for
HTTP: 80
. - Click “View/edit rules” on the
HTTP: 80
rule and change the rules toredirect
toHTTPS: 443
with a status code of301
. - Next, we will add a HTTPS listener. In the Click “Add listener” and set up the rule to
forward
to the target group set up by Fargate. Note - to view your target groups, click on the “Target Groups” link below “Load Balancers” on the left navigation pane within the EC2 module.
Download | Bitwarden
SG configuration
Now, we need to edit our existing Security Groups (SG) to allow HTTPS traffic on port 443.
- In the EC2 module, click on “Security Groups” on the left navigation pane.
- You should see two SGs set up by Fargate - one for ALB and the other for ECS. For both of these, add “Inbound” rules for the following:
- type:
HTTPS
- protocol:
TCP
- port range:
443
- source:
0.0.0.0/0
- type:
Test it out!
Now that we have set up our AWS infrastructure to handle traffic to the bitwarden_rs
container via HTTPS, let us test it out.
R/Bitwarden - Has Anyone Self-hosted Bit Warden In AWS Using ...
In your browser, navigate to the custom URL (subdomain) that you set up in Route 53. The Bitwarden login screen should appear. Success!
Cached
You can now use the Bitwarden CLI, browser app and mobile apps to communicate with the Fargate container.