Recently, I did a complete overhaul of my old password management system. This is a fancy way of saying I got tired of storing password hints in an Excel spreadsheet and decided I needed a real password management system. If you are security-minded like me and have a ton of different usernames and passwords, Bitwarden is an awesome solution. In this guide, I will go over how to install Bitwarden with Docker on a Synology NAS. This is part of my Synology Diskstation Series, where I discuss all of the cool features and things you can do with a Synology NAS. If you’re in the market for one, check out my recommended models on Amazon just below!

Entry-level NAS: Synology DS218+ on Amazon
Pro-sumer NAS: Synology DS918+ on Amazon
NAS Hard Drives: Seagate IronWolf NAS 4TB on Amazon


What is Bitwarden?


Bitwarden is an open-source password management application. The company offers a free web application where you can create an account and store your credentials on their system. As a security-minded company, they take the security of your data very seriously. Your credentials are encrypted before ever leaving your device. However, what sets Bitwarden apart from other password services is that they have containerized their stack for deployment in your own private environment using Docker. This means that if you have a system that can run Docker, like a Linux or Windows PC or server, you can easily deploy your own instance of Bitwarden with your data stored and secured locally.

Bitwarden provides this guide for installing on any system, but if you want to install Bitwarden on your Synology NAS, keep reading.

 

A Few Notes & Prerequisites

From start to finish, the task of installing a web application on a system can seem daunting because there are many individual pieces that need to come together in the right order. You will need to have some of those pieces set up, or ready to be set up, before starting this guide:

1) Have your Synology Diskstation already accessible from the internet over HTTPS. This means you will need to have a domain name, DNS records and SSL certificate set up. If you have not done that yet, check out my guide here: Synology Diskstation SSL with Let’s Encrypt.

2) An understanding of reverse proxies and CNAME DNS records. This is important if you want to host more than one externally-available service on your Synology.

3) An understanding of Linux command line and an SSH client (I am using PuTTY).

4) Obtain a Hosting Installation ID and Key from Bitwarden.

 

Getting Started

First, we need to create a CNAME DNS record with our domain registrar. Create the record for whatever subdomain you want to use for Bitwarden, for example “bitwarden.yourdomain.com”.

 

Bitwarden Certificate

Next we need to create the SSL certificate specifically for Bitwarden.

1) Log into your NAS and navigate to Control Panel > Security > Certificate.

2) Choose “Add a new certificate”.

3) Choose “Get a certificate from Let’s Encrypt”.

4) Enter your domain name and a valid email address. Also, enter your DDNS hostname as “Subject Alternative Name” if you are using a DDNS service instead of a public IP. Click apply and make sure you get the certificate.

 

Reverse Proxy

You’ll need to create a reverse proxy entry to access Bitwarden through “subdomain.yourdomain.com”. If you don’t, when you try to visit your subdomain you’ll probably just land on your Synology’s login page. The reverse proxy entry tells the Synology where to redirect incoming requests for “subdomain.yourdomain.com” which will be the Bitwarden webpage on a separate port.

1) Navigate to Control Panel > Application Portal > Reverse Proxy.

2) Click Create, and enter the following information, substituting your subdomain and domain name:

Protocol: HTTPS

Hostname: subdomain.domain.com

Port: 5001 (or whatever port you have for HTTPS in your DSM Settings). Note, if you have HTTPS redirect enabled, you must enter the specific port that DSM listens on for HTTPS. If you use 443, the secure connection will fail when you are outside of your home network.

Destination: HTTP, localhost, port 8123. Click OK.


 

Assign the Certificate

Now you can assign the certificate you created earlier to your reverse proxy entry.

1) Navigate to Control Panel > Security > Certificate.

2) Click the drop-down next to your reverse proxy entry and select the certificate.

 

Install Docker

Open the Synology Package Center and install the Docker app. After it is installed and running make a note of where the docker folder is in File Explorer. Mine was under /volume1/docker.

 

Installing the Bitwarden Stack

Now we are at the point where we can begin installing the application or rather, the containers that Bitwarden has put together.

Start up your SSH client and log into your Synology with the built-in admin account and password. If you follow best practices, you may have already disabled this account so re-enable it temporarily if that is the case. Also (and it should be obvious) you need to have SSH turned on so go to Control Panel > Terminal and do that if needed.

Once you are logged in, elevate to root and re-enter your password:

sudo su -

Change directories to your docker folder:

cd /volume1/docker

Import the install package:

curl -s -o bitwarden.sh \
    https://raw.githubusercontent.com/bitwarden/core/master/scripts/bitwarden.sh \
    && sudo chmod u+x bitwarden.sh

Run the install script:

./bitwarden.sh install
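
A more defensive version of the download step, as an added example that is not part of the original guide or Bitwarden's own tooling: curl's -s flag hides download errors, so a failed download only shows up later as a missing or broken script. The helper names check_installer and fetch_installer are hypothetical; the URL is the one used in the guide.

```shell
#!/bin/sh
# Added example, not from the guide: check a downloaded installer before
# running it as root. Function names are hypothetical.

# check_installer FILE
# Returns 0 if FILE is a non-empty script, 1 if it is missing or empty,
# 2 if it does not start with a shell shebang (e.g. an HTML error page).
check_installer() {
    f="$1"
    if [ ! -s "$f" ]; then
        echo "missing or empty: $f" >&2
        return 1
    fi
    first_line=$(head -n 1 "$f")
    case "$first_line" in
        '#!'*sh*) ;;
        *) echo "not a shell script: $f" >&2; return 2 ;;
    esac
    # Print the hash so it can be noted before the script is executed.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$f"
    fi
    return 0
}

# fetch_installer URL FILE
# -f fails on HTTP errors, -S still prints errors under -s, -L follows redirects.
fetch_installer() {
    curl -fsSL -o "$2" "$1" || { echo "download failed: $1" >&2; return 1; }
    check_installer "$2" && chmod u+x "$2"
}

# Usage on the NAS (URL as given in the guide):
# fetch_installer https://raw.githubusercontent.com/bitwarden/core/master/scripts/bitwarden.sh bitwarden.sh
```

Reading through bitwarden.sh in a pager before running it is still worthwhile, since the checks above only confirm that a script arrived, not what it does.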

 

Installer Prompts

Enter the following information as the installer prompts you:

Enter the domain name…

subdomain.domain.com

Do you want to use Let’s Encrypt to generate…

Enter “n” for no. We already have our certificate.

Enter your installation id and key…

Enter the ID and key you got earlier.

Do you have a SSL certificate to use…

Again, enter “n” for no.

You will see a “WARNING” message but that is ok. The reverse proxy is handling our SSL certificate.

 

HTTP Port Change

There are some additional changes that the installer either does not prompt for or does not do in this version of Bitwarden. Leave the SSH terminal open and switch to the Synology DSM screen.

Open File Explorer on your Synology and download a copy of the config.yml file at /volume1/docker/config.yml. The line for HTTP port needs to be changed to match our reverse proxy. Change it to 8123 and clear the value for HTTPS.

Save your changes. In File Explorer, rename the original config.yml to config.yml.bak. Then upload your edited config.yml file to the /volume1/docker/ folder.

 

Create Supporting Directories

Next, you need to create some folders manually since the installer does not do this for some reason. Switch to your SSH terminal and make sure you are still in the docker directory: /volume1/docker.

The following directories need to be created under /docker/bwdata so make sure you are in the docker folder when running these commands. Also, double check the /bwdata folder to see if any of these directories were actually created. The guides I followed mentioned some folders may have been created but that was not the case for me.

Use the mkdir command to make the following directories (or make sure they are already there):

bwdata/core
bwdata/core/attachments
bwdata/ca-certificates
bwdata/logs
bwdata/logs/admin
bwdata/logs/api
bwdata/logs/identity
bwdata/logs/mssql
bwdata/logs/nginx
bwdata/logs/icons
bwdata/logs/notifications
bwdata/mssql
bwdata/mssql/data
bwdata/mssql/backups
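
The directory step above as a script, added here as an example and not taken from the original guide: it creates only the folders that are missing and can list what is still absent before you start Bitwarden. The function names are hypothetical; the directory list is the one given above, and the base path is whatever your docker folder is (the guide uses /volume1/docker).

```shell
#!/bin/sh
# Added example, not from the guide: create and verify the bwdata folders.
# The directory list is the one given above; function names are hypothetical.
BWDATA_DIRS="core core/attachments ca-certificates logs logs/admin logs/api
logs/identity logs/mssql logs/nginx logs/icons logs/notifications
mssql mssql/data mssql/backups"

# missing_bwdata_dirs BASE
# Print each listed directory that does not exist under BASE/bwdata.
missing_bwdata_dirs() {
    for d in $BWDATA_DIRS; do
        [ -d "$1/bwdata/$d" ] || echo "$d"
    done
}

# make_bwdata_dirs BASE
# Create whatever is missing and print how many directories were created.
make_bwdata_dirs() {
    created=0
    for d in $(missing_bwdata_dirs "$1"); do
        mkdir -p "$1/bwdata/$d" || return 1
        created=$((created + 1))
    done
    echo "$created"
}

# Usage on the NAS:
# make_bwdata_dirs /volume1/docker
# missing_bwdata_dirs /volume1/docker   # prints nothing when all are present
```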

 

Start Bitwarden

Now you can try starting Bitwarden.

./bitwarden.sh start

If you encounter any errors such as “path does not exist” be sure to create that directory and try again. Errors relating to port bindings may also occur if you have another service listening on the specified port. Google is your friend in that case. You can also try running ./bitwarden.sh update and then restart Bitwarden itself to see if that helps.

The initial startup will take a minute or so to pull the containers to your NAS. Once finished, you can open the Docker app on Synology and see if all of your containers are running normally. If they are, try visiting the subdomain address you created for Bitwarden.

 

Update the Database

Before you create an account, you must update the database:

./bitwarden.sh updatedb

 

Last Items to Consider

At this point Bitwarden should be up and running. However, a few more things can be done.

After creating your account (or however many accounts you want), you should disable new registrations by editing /bwdata/env/global.override.env. On the line below, change the value from false to true so that new accounts cannot be registered. This does not remove the button to register, but any attempt to register will fail.

globalSettings__disableUserRegistration=false

Save your changes to global.override.env and upload to the proper folder.
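
The same change made from the SSH terminal, as an added example that is not part of the original guide: it keeps a backup of the file, sets the registration line to true (appending it if the key is absent), and verifies the result. The function name disable_registration is hypothetical; the key name is the one shown above.

```shell
#!/bin/sh
# Added example, not from the guide: turn off new-user registration in
# global.override.env and confirm the setting. Function name is hypothetical.

# disable_registration FILE
# Returns 0 only if FILE ends up containing the key set to true.
disable_registration() {
    env_file="$1"
    key="globalSettings__disableUserRegistration"
    if [ ! -f "$env_file" ]; then
        echo "no such file: $env_file" >&2
        return 1
    fi
    # Keep a copy of the original so the change can be reverted.
    cp -p "$env_file" "$env_file.bak" || return 1
    if grep -q "^$key=" "$env_file"; then
        # Rewrite the existing line; every other setting is left untouched.
        sed "s/^$key=.*/$key=true/" "$env_file.bak" > "$env_file"
    else
        # Key not present: append it on its own line.
        printf '\n%s=true\n' "$key" >> "$env_file"
    fi
    # Verify: the whole line must read key=true.
    grep -qx "$key=true" "$env_file"
}

# Usage on the NAS, from the docker folder:
# disable_registration bwdata/env/global.override.env
```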

Additional commands (including update command):

./bitwarden.sh install
./bitwarden.sh start
./bitwarden.sh restart
./bitwarden.sh stop
./bitwarden.sh updateself
./bitwarden.sh update

Another note worth mentioning is that I had issues using the Docker application to turn the containers on and off. I could turn them all off but they would never all turn back on properly. I found that I had to use the command line to do this. Thankfully, they auto-start when the NAS boots up so if your system goes offline unexpectedly, when it comes back on the Bitwarden application stack will start back up.

 

Conclusion

If you’ve followed this far and gotten everything up and running, congratulations! Bitwarden has made managing my passwords a breeze. I have access over the web and have also installed their mobile app with fingerprint authentication. Now I can have my passwords anywhere I go.

I hope you’ve enjoyed this guide on How To Install Bitwarden with Docker and Synology. Thanks for reading and check back soon for more content in the Synology Series. My next post in this category will discuss how to securely back up your Synology data to the cloud, including your Docker containers!

 


 

Disclaimer: This guide has been paraphrased from an older guide on the Synology forums but includes changes that I encountered with my setup.  https://forum.synology.com/enu/viewtopic.php?p=544605


15 Comments

REMY · April 15, 2019 at 4:32 am

Hi,

Did you manage to configure smtp correctly to send the verification email ?

I’m struggling with that right now.. It’s the last thing to do and I’m stuck.

Thx

    Chris · April 15, 2019 at 12:09 pm

    Hi and thanks for your comment! No, I never did set up smtp on Bitwarden itself. The only email notification I have comes from the Synology. I have a scheduled task to run the self-update each month and then Synology emails me an alert with the output. I don’t think email on bitwarden is required to complete the setup.

      Marco · May 15, 2019 at 5:19 am

      So mail verification is not necessary for using bitwarden itself?

      And another question. How do I set mobile app and chrome extension to use my local website against the bitwarden one?

      PS: THANK YOU FOR THIS GUIDE! 🙂

        Chris · May 15, 2019 at 8:24 am

        Glad the guide helped you and thanks for the comment!

        1) No, as far as I am aware mail verification is not required for the self-hosted environment although some two-step authentication methods like email code verification may need it. I just use a third party passcode generator and it works fine.

        2) You need to click the gear icon on the app / browser plugin and then specify your self-hosted URL. Make sure to enter the URL so it includes your Synology’s HTTPS port. For example if you used the default HTTPS port of 5001, the url for the Bitwarden server would be “https://bitwarden.mydomain.com:5001”.

    Johannes · June 16, 2019 at 4:57 pm

    Hi, there is a guide on the official bitwarden website how to set up the smtp server: https://help.bitwarden.com/article/install-on-premise/#post-install-environment-configuration

Tim · May 7, 2019 at 2:44 pm

Note that after making the port change in config.yml I had to run “./bitwarden.sh update”. Without running that I got a port conflict and the nginx inside Docker failed to start.

Also, if someone (me) goes to “subdomain.domain.com” http:// is assumed and the site isn’t found. I added a second reverse proxy sending http://subdomain.domain.com on port 80 to https://subdomain.domain.com on port 443 which avoids that problem. (Their connection goes through two hops, but it’s fast.)

Great instructions, and thank you! (And I’m finding other ways to use reverse proxies, now that I understand them.)

    Chris · May 7, 2019 at 9:41 pm

    Thanks for the comment and I’m glad my instructions helped. I’ll add a note that the update script may need to run after the config.yml change.

    For HTTP / HTTPS – if you read through the documentation provided by Bitwarden, you’ll find that they state HTTPS is required, so my assumption is to use HTTPS the first time you try to visit “subdomain.domain.com” per the documentation. There’s no problem implementing a second proxy rule, but I find if I visit the site over HTTPS first, the browser will remember it next time.

      Tim · May 9, 2019 at 7:30 am

      My second proxy hack turns out to be inconsistent, failing sometimes – maybe depending on my browser or even the version of Chrome (maybe most recent Chrome sees it as an insecurity?) In any case, as you say, once a given device has accessed the vault once all is smooth, and folks will normally be using a bookmark or an app, so being careful to use https: really isn’t a burden.

      Thanks again!

Nick · June 9, 2019 at 1:32 am

root@Xpenology:~# cd /volume1/docker
root@Xpenology:/volume1/docker# curl -s -o bitwarden.sh \ https://raw.githubuser content.com/bitwarden/core/master/scripts/bitwarden.sh \ && sudo chmod u+x bitwa rden.sh
root@Xpenology:/volume1/docker# ./bitwarden.sh install
-ash: ./bitwarden.sh: No such file or directory

Ideas? Nothing in the docker volume either

    Chris · June 9, 2019 at 9:45 am

    “No such file or directory” would indicate that “/volume1/docker/” does not have the bitwarden.sh file – meaning the curl command did not complete for some reason. Try running the curl command again and double check your syntax if you are copying & pasting, then list the contents of “/volume1/docker/” in the terminal or just go into the File Explorer on the NAS to see if the script is actually there.

      Dr_Frankenstein · July 7, 2019 at 4:55 am

      Thanks for this guide, the only issue I had was with the CURL command to download the setup script, as it didn’t seem to do anything. So I just grabbed the script and manually saved it to the docker folder. Everything else went perfectly.

        Chris · July 12, 2019 at 10:37 am

        Glad to hear it! Thanks for the comment!

Jerem · August 16, 2019 at 5:34 am

Hi !
I need a little advice, as I’m not really comfortable with proxies and all that stuff.
I’m already running a Let’s encrypt certificate with a myds.me domain, to access my DiskStation (drive, moments, and stuff).
Can I use this certificate for the reverse proxy as well ? Or do I have to get another one ?
Because I can’t see the proxy (after having created it), in this step :

“1) Navigate to Control Panel > Security > Certificate.

2) Click the drop-down next to your reverse proxy entry and select the certificate.”

I only see a line with myds.me certificate, nothing referring to the reverse proxy freshly created.

Any help appreciated 🙂

Thanks !!

    Chris · August 16, 2019 at 12:15 pm

    You’re not looking for the proxy in that menu, you’re looking for the second certificate that you need to create. It’s the first thing under “Getting Started”. Yes, you will need to get another certificate for bitwarden.

    *Edit – technically, I think you could try to add your bitwarden reverse proxy to your existing certificate however, you would likely get a certificate mismatch warning in your browser and depending on the browser settings, it may not let you bypass it. Also, Bitwarden requires HTTPS to function properly so I don’t know what effect that would have on the function of Bitwarden in the end.

Chris · September 5, 2019 at 12:01 am

It seems there is an issue with the latest version of the Docker image from the Synology Package Center. If you have the package set to auto update and are now having an issue with Bitwarden’s identity container, check out this resolution: https://github.com/bitwarden/server/issues/557#issuecomment-526169067
