Password Managers: Migrate from LastPass to Bitwarden

Given that LastPass has been compromised again, and this time it has been confirmed that the attacker obtained customer password vaults, now is a very good time to transition away from it. Personally I feel that Bitwarden is a very strong option to move to. It is open source, you can host it yourself, and its free tier is probably the most generous one there is. This guide goes over how to transition from LastPass to a self-hosted Bitwarden.

Preparing a Domain

In order to have a pleasant experience with self-hosted Bitwarden, we’re going to need a domain to access it at. Free options such as no-ip and duckdns should work fine, or you can buy a domain or make a subdomain of one you already own. I’m personally going with the last option and am going to redact what the domain is. Just make sure you have a domain whose A (or AAAA) record points to your server’s public IP, and that ports 80 and 443 are reachable from the internet: the installer’s Let’s Encrypt step validates the domain over HTTP, and the vault is served over HTTPS.

Setting up the Server

First we’ll set up the Bitwarden instance. It runs in Docker and doesn’t require much in terms of host resources, so basically any tier of VPS (Linode, DigitalOcean, Vultr, etc.) should be sufficient, or you can host it on your own hardware. Oracle also currently has a weirdly generous free tier on their cloud service, probably attempting anything they can to win some of AWS’s and Azure’s business.

Docker

Once you have a server, step one is installing Docker and the Compose plugin. The exact commands depend on your host distro; I am going to assume Ubuntu for the install steps below, but once Docker is installed the rest of the process is the same on any Linux.

sudo apt install apt-transport-https ca-certificates curl software-properties-common

curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg

echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null

sudo apt update
sudo apt install docker-ce docker-compose-plugin

This makes sure we always get the latest Docker release from the Docker maintainers rather than Ubuntu’s older packaged version. Now for some extra setup recommended by Bitwarden and Docker: we’ll make a bitwarden user and add it to the docker group, so the containers can be run by that user without needing sudo. One caveat: membership in the docker group is effectively root on the host (anyone who can talk to the Docker socket can start a container with / mounted inside it), so treat the bitwarden account’s password and SSH access exactly as you would root’s.

Create Bitwarden User and Folder

sudo useradd -m bitwarden
sudo passwd bitwarden # make sure to set a strong password. Ubuntu can do adduser to combine these steps

sudo groupadd docker # some distros will do this during the install
sudo usermod -aG docker bitwarden # add bitwarden to the docker group

sudo mkdir /opt/bitwarden # Bitwarden will use this folder for persistent storage
sudo chmod -R 700 /opt/bitwarden
sudo chown -R bitwarden:bitwarden /opt/bitwarden # only Bitwarden and root can access this folder

Install Bitwarden

su - bitwarden # become Bitwarden
cd /opt/bitwarden

curl -Lso bitwarden.sh https://go.btwrdn.co/bw-sh && chmod 700 bitwarden.sh
./bitwarden.sh install

Enter your domain, say yes to Let’s Encrypt unless you plan to provide a TLS certificate some other way, and name your database (the default is vault). After that it asks for an installation id and key. You can get them from https://bitwarden.com/host/: enter your email and it will give you your id and key. Paste both in and wait while setup finishes.

Before starting the server, there’s some config stuff that needs to be set. In /opt/bitwarden/bwdata/env/global.override.env near the bottom are settings for SMTP. I personally used gmail as it is easy to setup and removes the annoyance of running a personal email server:

globalSettings__mail__replyToEmail=youremail@gmail.com
globalSettings__mail__smtp__host=smtp.gmail.com
globalSettings__mail__smtp__port=587
globalSettings__mail__smtp__ssl=true
globalSettings__mail__smtp__username=youremail@gmail.com
globalSettings__mail__smtp__password=APP PASSWORD

Further down in the same file, add your own address to the admin list so that account can reach the /admin portal:

adminSettings__admins=youremail@gmail.com

To generate an app password, go to https://security.google.com/settings/security/apppasswords and create one (Google only offers app passwords on accounts with 2-Step Verification turned on), then paste it into that setting. Note that the app password sits in this file in plaintext, which is one reason /opt/bitwarden was made mode 700 above. Also check the port and ssl settings agree with each other: in Bitwarden’s settings ssl=true means implicit TLS, which Gmail and most providers serve on port 465, while port 587 expects STARTTLS (ssl=false); if the welcome email never arrives, this pairing is the first thing to look at. Double check everything is correct, and then we can start the server with:

./bitwarden.sh start

The first start takes noticeably longer than later ones because the images have to be pulled, but soon after running that command we can open https://yourdomain in a browser and create an account. If SMTP is working correctly, you’ll receive the welcome email, sent through your own SMTP credentials, when you make the account.

Transferring Passwords from LastPass

LastPass allows users to export their passwords as a CSV file from their Vault, and Bitwarden can import that CSV directly. In your Vault, at the bottom left click Advanced Options -> Export. Re-enter your Master Password and it will give you the CSV. Bear in mind that this file is every credential you own in plaintext: keep it on an encrypted disk, never email or sync it, and delete it (shred -u on Linux) as soon as the import is confirmed.

Now in Bitwarden’s web UI choose Tools in the top menu -> Import Data in the sidebar. Choose LastPass (csv) as the format, select the CSV you downloaded, and import.

Once you’ve confirmed everything looks correct, I strongly suggest ending your LastPass subscription and then deleting your account. Deleting the account does not recall the vault copies the attacker already has, and those can be attacked offline indefinitely, so also rotate the passwords that lived in LastPass, starting with your email account, anything financial, and any site without MFA.

Maintaining Bitwarden

To update Bitwarden, su - bitwarden, then cd /opt/bitwarden and run ./bitwarden.sh updateself to refresh the script itself, followed by ./bitwarden.sh update to pull new versions of all the containers. If no one else should be able to make an account after you’ve made yours, edit /opt/bitwarden/bwdata/env/global.override.env, change globalSettings__disableUserRegistration=false to true, and then run ./bitwarden.sh restart.
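The env file is worth re-checking both before the first start and after every edit here, since it holds the SMTP app password and controls who can register or reach /admin. The script below is an added example, not part of the original post or of Bitwarden’s own tooling: it audits a global.override.env for the settings this guide touches (file mode, SMTP port/ssl pairing, placeholder password, empty admin list, open registration) and returns the number of findings. The path, the accepted port/ssl pairings and the constructed sample values are assumptions; the sample deliberately mirrors the values typed in this guide, with registration still open.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): pre-flight audit of a Bitwarden
# global.override.env. Paths, pairings and sample values are assumptions.

# Print the value of key $2 from env file $1 (last occurrence wins, empty if unset).
env_get() {
  grep -E "^$2=" "$1" | tail -n 1 | cut -d '=' -f 2-
}

# globalSettings__mail__smtp__ssl=true means implicit TLS, which providers
# serve on 465; STARTTLS on 587 (or plain 25) wants ssl=false.
smtp_pairing_ok() {
  case "$1:$2" in
    465:true|587:false|25:false) return 0 ;;
    *) return 1 ;;
  esac
}

# Audit one env file: prints one line per finding, returns the number of findings.
audit_env() {
  f="$1"; n=0
  # The file holds the SMTP app password in plaintext: owner-only access or nothing.
  mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
  case "$mode" in
    600|400) ;;
    *) echo "mode $mode: env file is readable by others; chmod 600 it"; n=$((n+1)) ;;
  esac
  port=$(env_get "$f" globalSettings__mail__smtp__port)
  ssl=$(env_get "$f" globalSettings__mail__smtp__ssl)
  if ! smtp_pairing_ok "$port" "$ssl"; then
    echo "smtp: port=$port with ssl=$ssl is an unusual pairing (use 465+true or 587+false)"
    n=$((n+1))
  fi
  case "$(env_get "$f" globalSettings__mail__smtp__password)" in
    ""|"APP PASSWORD"|REPLACE) echo "smtp: password is still a placeholder"; n=$((n+1)) ;;
  esac
  if [ -z "$(env_get "$f" adminSettings__admins)" ]; then
    echo "admin: adminSettings__admins is empty; nobody can use /admin"; n=$((n+1))
  fi
  if [ "$(env_get "$f" globalSettings__disableUserRegistration)" != "true" ]; then
    echo "registration: open to anyone who can reach the site; set globalSettings__disableUserRegistration=true once your own account exists"
    n=$((n+1))
  fi
  return "$n"
}

# Constructed sample mirroring the values typed in this guide (placeholder
# app password, 587 with ssl=true, registration left open).
write_sample_env() {
  cat > "$1" <<'EOF'
globalSettings__mail__replyToEmail=youremail@gmail.com
globalSettings__mail__smtp__host=smtp.gmail.com
globalSettings__mail__smtp__port=587
globalSettings__mail__smtp__ssl=true
globalSettings__mail__smtp__username=youremail@gmail.com
globalSettings__mail__smtp__password=APP PASSWORD
adminSettings__admins=youremail@gmail.com
globalSettings__disableUserRegistration=false
EOF
}

# Demo against the constructed sample; on a real host point audit_env at
# /opt/bitwarden/bwdata/env/global.override.env instead.
sample=$(mktemp)
write_sample_env "$sample"
chmod 644 "$sample"
echo "Auditing constructed sample:"
audit_env "$sample" || echo "-> $? finding(s); fix them before ./bitwarden.sh start"
rm -f "$sample"
```

Because the return code is the finding count, it chains naturally: audit_env /opt/bitwarden/bwdata/env/global.override.env && ./bitwarden.sh start refuses to bring the vault up while anything is flagged. The same four findings the sample produces (world-readable file, 587 paired with ssl=true, placeholder password, open registration) are exactly the ones a fresh install following this guide would show until the maintenance step above is applied.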

To use the browser extension and the desktop or mobile apps, click the gear (settings) icon on the sign-in page, choose self-hosted, and enter https://yourdomain as the Server URL. You’ll then be able to sign in and access your passwords.



About: Bailey Kasin

I build virtual environments and challenges for Cybersecurity students to complete as a way to gain experience before graduating and entering the workforce.

