Password Managers: Migrate from LastPass to Bitwarden
Given LastPass has once more been compromised, and this time it has been confirmed that password vaults have been accessed by the attacker, now is a very good time to transition away from it. Personally I feel that Bitwarden is a very strong option for a password manager to transition to. It is open source, you can host it yourself, and their free tier is probably the most generous one there is. So this guide will go over how to transition from LastPass to a self-hosted Bitwarden.
Preparing a Domain
In order to have a pleasant experience with self-hosted Bitwarden, we’re going to need a domain to access it at. Free options such as no-ip and duckdns should work fine, or you can buy a domain or make a subdomain of one you already own. I’m personally going with the last option and am going to redact what the domain is. Just make sure you have a domain and it points to your server’s IP.
Setting up the Server
First we’ll set up the Bitwarden instance. It runs in Docker, and doesn’t require much in terms of host resources. So basically any tier of a VPS (Linode, Digital Ocean, Vultr, etc) should be sufficient, or you can host it on your own hardware. Oracle also currently has a weirdly generous free tier on their cloud service, probably attempting anything they can to get some of AWS and Azure’s business.
Once you have a server, step one is installing Docker and Compose. This process will change a bit depending on what flavor your host distro is. I am going to assume Ubuntu for any installs going forward, but once things are installed the process should be the same for any version of Linux.
sudo apt install apt-transport-https ca-certificates curl software-properties-common
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg
echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
sudo apt update
sudo apt install docker-ce docker-compose-plugin
This will make sure we always have the latest version of Docker, from the Docker maintainers. And now for some extra setup that is recommended by Bitwarden and Docker. We'll make a Bitwarden user and add it to the Docker group, so that the containers can be run by that user without needing sudo for day-to-day operation (note that membership in the docker group is effectively root-equivalent on the host, so this is a convenience separation rather than a hard privilege boundary).
Create Bitwarden User and Folder
sudo useradd -m bitwarden
sudo passwd bitwarden                              # make sure to set a strong password. Ubuntu can do adduser to combine these steps
sudo groupadd docker                               # some distros will do this during the install
sudo usermod -aG docker bitwarden                  # add bitwarden to the docker group
sudo mkdir /opt/bitwarden                          # Bitwarden will use this folder for persistent storage
sudo chmod -R 700 /opt/bitwarden
sudo chown -R bitwarden:bitwarden /opt/bitwarden   # only Bitwarden and root can access this folder
su - bitwarden   # become Bitwarden
cd /opt/bitwarden
curl -Lso bitwarden.sh https://go.btwrdn.co/bw-sh && chmod 700 bitwarden.sh
./bitwarden.sh install
Enter your domain, say yes to Let's Encrypt unless you plan to add SSL some other way, and name your database (the default will be vault). After that step it will ask you for an installation ID. You can get one from https://bitwarden.com/host/. Enter your email and it will give you your ID and key. Paste both in and wait while setup finishes.
Before starting the server, there is some configuration that needs to be set. Near the bottom of /opt/bitwarden/bwdata/env/global.override.env are the settings for SMTP. I personally used Gmail as it is easy to set up and removes the annoyance of running a personal mail server:
globalSettings__mail__replyToEmail=firstname.lastname@example.org
globalSettings__mail__smtp__host=smtp.gmail.com
globalSettings__mail__smtp__port=587
globalSettings__mail__smtp__ssl=true
globalSettings__mail__smtp__username=email@example.com
globalSettings__mail__smtp__password=APP PASSWORD
----
adminSettings__admins=firstname.lastname@example.org
To generate an app password, you can go to https://security.google.com/settings/security/apppasswords and create one, which you will then paste into that setting. Double check everything is correct, and then we can start the server with:
./bitwarden.sh start
The first start might take a little bit longer than future ones, but soon after running that command we can access the main webpage of our Bitwarden instance and create an account. If SMTP is working correctly, you’ll get an email from yourself when you make the account.
Transferring Passwords from LastPass
LastPass allows users to export their passwords as a CSV file from their Vault, and Bitwarden is able to import that CSV. In your Vault, at the bottom left click Advanced Options -> Export. Re-enter your Master Password, and then it will give you the CSV.
Now in Bitwarden, in the web UI choose Tools in the top menu -> Import Data on the sidebar. Choose LastPass as the format, and then select the CSV you downloaded.
Once you’ve confirmed everything looks correct, I strongly suggest ending your LastPass subscription and then deleting your account.
To update Bitwarden's containers, su - bitwarden and then run cd /opt/bitwarden && ./bitwarden.sh update to pull new versions of all the containers. If no one else should be able to make an account after you've made yours, edit /opt/bitwarden/bwdata/env/global.override.env, change globalSettings__disableUserRegistration=false to true, and then restart Bitwarden. Until that is set, anyone who can reach your domain can register on your instance, so do it as soon as your own account exists.
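As an added example, not part of the original post, here is a small POSIX shell audit of the settings this guide touches in global.override.env, covering both the SMTP block above and the registration switch just described. It assumes only the plain KEY=value layout shown in the guide and runs against two constructed sample files rather than a live install.

```shell
# Added example, not from the original post: audit the settings this guide edits in
# /opt/bitwarden/bwdata/env/global.override.env before starting Bitwarden.
# Assumes the plain KEY=value layout the guide shows; the file path is a parameter.
# get_setting FILE KEY -> prints the value of KEY (last occurrence), or nothing
get_setting() { sed -n "s/^$2=//p" "$1" | tail -n 1; }
# audit_env FILE -> warnings on stderr, number of problems found on stdout
audit_env() {
    problems=0
    if [ "$(get_setting "$1" globalSettings__disableUserRegistration)" != "true" ]; then
        echo "WARN: anyone who can reach the domain can still register an account" >&2
        problems=$((problems + 1))
    fi
    for key in globalSettings__mail__smtp__host globalSettings__mail__smtp__username \
               globalSettings__mail__smtp__password adminSettings__admins; do
        if [ -z "$(get_setting "$1" "$key")" ]; then
            echo "WARN: $key is unset; mail or the admin portal will not work" >&2
            problems=$((problems + 1))
        fi
    done
    if [ "$(get_setting "$1" globalSettings__mail__smtp__ssl)" != "true" ]; then
        echo "WARN: SMTP credentials would be sent without TLS" >&2
        problems=$((problems + 1))
    fi
    if [ "$(get_setting "$1" globalSettings__mail__smtp__password)" = "APP PASSWORD" ]; then
        echo "WARN: SMTP password is still the placeholder from the guide" >&2
        problems=$((problems + 1))
    fi
    echo "$problems"
}

# Constructed sample: the guide's SMTP block as first written, registration still open
WEAK_ENV=$(mktemp)
cat > "$WEAK_ENV" <<'EOF'
globalSettings__mail__smtp__host=smtp.gmail.com
globalSettings__mail__smtp__port=587
globalSettings__mail__smtp__ssl=true
globalSettings__mail__smtp__username=email@example.com
globalSettings__mail__smtp__password=APP PASSWORD
globalSettings__disableUserRegistration=false
EOF
# Constructed sample: the same file after the guide's hardening steps
HARDENED_ENV=$(mktemp)
sed -e 's/=APP PASSWORD$/=constructed-app-password/' \
    -e 's/^globalSettings__disableUserRegistration=false$/globalSettings__disableUserRegistration=true/' \
    "$WEAK_ENV" > "$HARDENED_ENV"
echo "adminSettings__admins=firstname.lastname@example.org" >> "$HARDENED_ENV"
trap 'rm -f "$WEAK_ENV" "$HARDENED_ENV"' EXIT
audit_env "$WEAK_ENV"       # three warnings, prints 3
audit_env "$HARDENED_ENV"   # no warnings, prints 0
```

Point it at the real file (audit_env /opt/bitwarden/bwdata/env/global.override.env) as the bitwarden user right after install and again after each update, since a non-zero count means the instance is still in its open-registration or unconfigured-mail state.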
To use the browser extension and applications, on the sign-in page click on the gear icon and then enter the URL of the self-hosted instance. You'll be able to sign in and access your passwords now.