Recently, I did a complete overhaul of my old password management system. This is a fancy way of saying I got tired of storing password hints in an Excel spreadsheet and decided I needed a real password management system. If you are security-minded like me and have a ton of different usernames and passwords, Bitwarden is an awesome solution. In this guide, I will go over how to install Bitwarden with Docker on a Synology NAS. This is part of my Synology Diskstation Series where I discuss all of the cool features and things you can do with a Synology NAS.
What is Bitwarden?
Bitwarden is an open source password management application. The company offers a free web application where you can create an account and store your credentials on their system. As a security-minded company, they take the security of your data very seriously. Your credentials are secured with encryption before ever leaving your device. However, what sets Bitwarden apart from other password services is that they have created and containerized their stack for deployment in your own private environment using Docker. This means if you have a system that can run Docker, like a Linux or Windows PC or server, you can easily deploy your own version of Bitwarden with your data locally stored and secured.
Bitwarden provides this guide for installing on any system, but if you want to install Bitwarden on your Synology NAS, keep reading.
A Few Notes & Prerequisites
From start to finish, the task of installing a web application on a system can seem daunting because there are many individual pieces that need to come together in the right order. You will need to have some of those pieces set up, or ready to be set up, before starting this guide:
1) Have your Synology Diskstation already accessible from the internet over HTTPS. This means you will need to have a domain name, DNS records and SSL certificate set up. If you have not done that yet, check out my guide here: Synology Diskstation SSL with Let’s Encrypt.
2) An understanding of reverse proxies and CNAME DNS records. This is important if you want to host more than one externally-available service on your Synology.
3) An understanding of Linux command line and an SSH client (I am using PuTTY).
4) Obtain a Hosting Installation ID and Key from Bitwarden.
First, we need to create a CNAME DNS record with our domain registrar. The CNAME record should point to whatever subdomain you want to use for Bitwarden. For example “bitwarden.yourdomain.com”.
Next we need to create the SSL certificate specifically for Bitwarden.
1) Log into your NAS and navigate to Control Panel > Security > Certificate.
2) Choose “Add a new certificate”.
3) Choose “Get a certificate from Let’s Encrypt”.
4) Enter your domain name and a valid email address. Also, enter your DDNS hostname as “Subject Alternative Name” if you are using a DDNS service instead of a public IP. Click apply and make sure you get the certificate.
You’ll need to create a reverse proxy entry to access Bitwarden through “subdomain.yourdomain.com”. If you don’t, when you try to visit your subdomain you’ll probably just land on your Synology’s login page. The reverse proxy entry tells the Synology where to redirect incoming requests for “subdomain.yourdomain.com” which will be the Bitwarden webpage on a separate port.
1) Navigate to Control Panel > Application Portal > Reverse Proxy.
2) Click Create, and enter the following information, substituting your subdomain and domain name:
Port: 5001 (or whatever port you have for HTTPS in your DSM Settings). Note, if you have HTTPS redirect enabled, you must enter the specific port that DSM listens on for HTTPS. If you use 443, the secure connection will fail when you are outside of your home network.
Destination: HTTP, localhost, port 8123. Click OK.
Assign the Certificate
Now you can assign the certificate you created earlier to your reverse proxy entry.
1) Navigate to Control Panel > Security > Certificate.
2) Click the drop-down next to your reverse proxy entry and select the certificate.
Open the Synology Package Center and install the Docker app. After it is installed and running make a note of where the docker folder is in File Explorer. Mine was under /volume1/docker.
Installing the Bitwarden Stack
Now we are at the point where we can begin installing the application or rather, the containers that Bitwarden has put together.
Start up your SSH client and log into your Synology with the built-in admin account and password. If you follow best practices, you may have already disabled this account so re-enable it temporarily if that is the case. Also (and it should be obvious) you need to have SSH turned on so go to Control Panel > Terminal and do that if needed.
Once you are logged in, elevate to root and re-enter your password:
sudo su -
Change directories to your docker folder:
Import the install package:
curl -s -o bitwarden.sh https://raw.githubusercontent.com/bitwarden/core/master/scripts/bitwarden.sh && sudo chmod u+x bitwarden.sh
Run the install script:
Enter the following information as the installer prompts you:
Enter the domain name…
Do you want to use Let’s Encrypt to generate…
Enter “n” for no. We already have our certificate.
Enter your installation id and key…
Enter the ID and key you got earlier.
Do you have a SSL certificate to use…
Again, enter “n” for no.
You will see a “WARNING” message but that is ok. The reverse proxy is handling our SSL certificate.
HTTP Port Change
There are some additional changes that the installer either does not prompt for or does not do in this version of Bitwarden. Leave the SSH terminal open and switch to the Synology DSM screen.
Open File Explorer on your Synology and download a copy of the config.yml file at /volume1/docker/config.yml. The line for HTTP port needs to be changed to match our reverse proxy. Change it to 8123 and clear the value for HTTPS:
Save your changes. In File Explorer, rename the original config.yml to config.yml.bak. Then upload your edited config.yml file to the /volume1/docker/ folder.
Create Supporting Directories
Next, you need to create some folders manually since the installer does not do this for some reason. Switch to your SSH terminal and make sure you are still in the docker directory: /volume1/docker.
The following directories need to be created under /docker/bwdata so make sure you are in the docker folder when running these commands. Also, double check the /bwdata folder to see if any of these directories were actually created. The guides I followed mentioned some folders may have been created but that was not the case for me.
Use the mkdir command to make the following directories (or make sure they are already there):
Now you can try starting Bitwarden.
If you encounter any errors such as “path does not exist” be sure to create that directory and try again. Errors relating to port bindings may also occur if you have another service listening on the specified port. Google is your friend in that case. You can also try running ./bitwarden.sh update and then restart Bitwarden itself to see if that helps.
The initial startup will take a minute or so to pull the containers to your NAS. Once finished, you can open the Docker app on Synology and see if all of your containers are running normally. If they are, try visiting the subdomain address you created for Bitwarden.
Update the Database
Before you create an account, you must update the database:
Last Items to Consider
At this point Bitwarden should be up and running. However, a few more things can be done.
After creating your account (or however many accounts you want), you should disable new registrations by editing /bwdata/env/global.override.env. Change the below line to “true” so that new accounts cannot be registered. This does not remove the button to register, but when someone tries to register, it will fail.
Save your changes to global.override.env and upload to the proper folder.
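The two manual edits above (the HTTP port change in config.yml and disabling registration in global.override.env) can be checked from the SSH session before restarting Bitwarden. The script below is an added example, not part of the original guide or of Bitwarden's tooling; the key names http_port, https_port and globalSettings__disableUserRegistration are assumed from Bitwarden's self-hosted files since the page does not show them, and the sample files are constructed.

```shell
#!/bin/sh
# Added example: audit the settings this guide edits by hand.
# Assumed key names (not shown on the page): http_port, https_port and
# globalSettings__disableUserRegistration.

# Print the value of a top-level "key: value" line in a YAML file.
yaml_value() {
    sed -n "s/^$2:[[:space:]]*//p" "$1" |
        sed 's/[[:space:]]*#.*$//; s/[[:space:]]*$//' | head -n 1
}

# Print the value of KEY=value in an env file; the last assignment wins.
env_value() {
    sed -n "s/^$2=//p" "$1" | tail -n 1 | tr -d '\r'
}

# audit_bitwarden CONFIG_YML OVERRIDE_ENV [EXPECTED_HTTP_PORT]
# Prints one line per finding; the return status is the number of findings.
audit_bitwarden() {
    cfg=$1; envf=$2; want=${3:-8123}; findings=0
    http=$(yaml_value "$cfg" http_port)
    https=$(yaml_value "$cfg" https_port)
    reg=$(env_value "$envf" globalSettings__disableUserRegistration)
    if [ "$http" != "$want" ]; then
        echo "FAIL http_port is '$http', reverse proxy forwards to $want"
        findings=$((findings + 1))
    fi
    if [ -n "$https" ]; then
        echo "FAIL https_port is '$https', expected empty (DSM terminates TLS)"
        findings=$((findings + 1))
    fi
    if [ "$reg" != "true" ]; then
        echo "FAIL registration is open (disableUserRegistration='$reg')"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ] && echo "OK settings match the guide"
    return "$findings"
}

# Constructed sample files with the manual edits not yet applied.
tmp=$(mktemp -d)
printf 'http_port: 80\nhttps_port: 443\n' > "$tmp/config.yml"
printf 'globalSettings__disableUserRegistration=false\n' > "$tmp/override.env"
audit_bitwarden "$tmp/config.yml" "$tmp/override.env" || echo "$? finding(s)"
rm -rf "$tmp"
```

On the NAS, pass the real files instead of the samples, for example the config.yml and bwdata/env/global.override.env under /volume1/docker.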
Additional commands (including update command):
Another note worth mentioning is that I had issues using the Docker application to turn the containers on and off. I could turn them all off but they would never all turn back on properly. I found that I had to use the command line to do this. Thankfully, they auto-start when the NAS boots up so if your system goes offline unexpectedly, when it comes back on the Bitwarden application stack will start back up.
If you’ve followed this far and gotten everything up and running, congratulations! Bitwarden has made managing my passwords a breeze. I have access over the web and have also installed their mobile app with fingerprint authentication. Now I can have my passwords anywhere I go.
I hope you’ve enjoyed this guide on How To Install Bitwarden with Docker and Synology. Thanks for reading and check back soon for more content in the Synology Series. My next post in this category will discuss how to securely back up your Synology data to the cloud, including your Docker containers!
Disclaimer: This guide has been paraphrased from an older guide on the Synology forums but includes changes that I encountered with my setup. https://forum.synology.com/enu/viewtopic.php?p=544605