Selfhosted

It's always good to have redundancy for a house like UPS battery backups BCDR stuff. Vps would be a way to provide redundancy but I would say make it as redundant as possible while in one place then have that whole architecture in a VPS and or some other server a friend has or something

I currently locally host the vault, but I’m realizing that this could cause problems for my family if something were to happen to me. While not technologically inept, if my server at home crashed they would have no idea how to access it, and they would lose all of the passwords.

This is why I refuse to host critical services for friends and family. Many of my friends and family use my Jellyfin server because if something happens to the TV shows and movies, it's not a big deal. But passwords? No thank you.

This really isn't a technical issue, it's more an estate planning issue. The basic concern is if you die, everyone gets locked out. That is where a will, safety deposit box, and named executor come into play.

Whatever credentials and guides needed can be safely stored and upon death that will activates and the executor hands over the access to whoever you are needing. The safest assumption to make in these scenarios isn't that someone won't know how to access the information, it's that they won't even know that information exists.

You also have to remember that there is a lot of things to do after someone dies and that these people would also be mourning. So, with that consideration in mind, try to make the process as seamless as possible. Off-loading to an executor of the estate (someone who is not family) also lets those people close to you mourn without having that final burden.

I run Vaultwarden on a VPS for some family and friends, along with a few other services. The way I have dealt with this is a physical printed out letter that explains the basic setup, where my digital notes/config/dockerfiles are, and most importantly what bills need paid to keep it all running. Next to that is a sealed envelope with recovery passwords to my vault and some other things.

Both of them are kept next to my will in a filing cabinet, so that if I'm hit by a bus my family will have the info on what to do. The system is stable and the bills are on autopay, so they won't have to immediately deal with it, but the instructions are there when ready. As part of it I have designated a friend as my "digital executor" to follow the instructions.

The general outline of the letter is:

To whoever is handling my affairs, thank you for reading this. This letter explains a small collection of computers I run that some friends and family rely on for photos, passwords, and a few other things. Nothing here is an emergency in the first hours or days. The goal of this letter is to help you keep things running long enough for those people to copy their own data out, and then shut everything down cleanly. You do not need to be technical to do the first and most important parts. The later parts will need a technical person, and I name one below.

A companion to this letter is a SEALED ENVELOPE that contains the passwords, keys, and account logins. This letter deliberately contains NO passwords or secrets. If you have this letter but not the sealed envelope, find the envelope before going further - almost nothing can be accessed without it. Checklist of what the envelope should contain is in Section 7.

1. Short Overview
2. Service/Hardware/Users Chart
3. The Bills to Pay
4. The Password Manager
5. What to Do
6. Full Instructions and Notes Location
7. The Sealed Envelope Contents
8. Digital Executor

Honesty you could just write stuff down and put it somewhere safe. Don't overcomplicate what could be a simple solution.

You are running into the ultimate, and ultimately unavoidable, limitation of self-hosting, which is the self.

You should run a VM on the VPS for Vaultwarden, with no other services in the VM except whatever you need to connect to it remotely. Keep it simple. Run an exact copy of the VM on your local server. Have the VPS instance push its database to the local instance regularly, to keep up with any changes that your users make. Make regular backups of the local instance.

When you need to update the software, freeze an image of the local VM and then update the local VM, then when you're sure it's stable, copy the updated local VM to the VPS. If either the local or VPS instance crashes out, you should be able to recover (or reproduce) one from the other.

In the end though, it is functionally impossible to ensure reliability by yourself. Hosting Vaultwarden on a VPS shifts the responsibility for running the underlying server and network connection to the provider, and probably removing the dependence on your residential network connection will be better for your family/users.

You are still the weak point in your system. You need someone else who can log in to your local server, and into the VPS, and perform recovery if needed. There is no technical solution for this. You cannot be the sole admin, and also ensure reliability for other users.

I never get this problem..? Download the backup file and encrypt it and be done. Family has the file and/or the password, done.

All my passwords my family would need from me are in the shared org. I have a document that outlines what they should do if something happens to me. It basically says, shut the servers down, and here is where all the money is and here's my will.

Also included in the document is instructions that they should export their vault from the bitwarden app, create an account on bitwarden.com and import it.

The bitwarden app actually caches the vault. So they should be able to export it even if your server is down.

A VPS is going to have all the same problems as a local server in terms of inexperienced users, and will also add all the extra hassle of managing and paying for the VPS account.

I would say the best options for emergency access are local backups and documentation, which you already have. You could also consider keeping additional copies of essential passwords (like email accounts etc) in a simpler vault like Keepass. Or even physical copies written down in a security envelope in a safe.

If you host it on a VPS and stop paying the invoices, it'll go down anyway. However, AFAIK, Bitwarden client apps cache all passwords - so your family would still be able to access them, but there would be no sync back, of course.

Have you considered using something like a KeePass database on a shared drive? Most modern client apps can sync changes seamlessly and there are browser plugins for all the major browsers.

KISS: Just use something that works using files like KeePass and sync it via WebDAV, OneDrive, Floppy disks or whatever.

I'm not sure why anyone - to this day - keeps using these hosted/remote password manager crapware in the first place.

This is gonna sound obvious, but setup periodic exports of your vault. Run everything locally and secure the exports

I have vaultwarden on my home server and I usually visit it through it's Webinterface because the bitwarden addon for my browser breaks all the time with my vaultwarden instance.

I also have tailscale and a Headscale server so access should be VPN level secure.

I'm gonna be honest, it's quite inconvenient sometimes but it's an ok working setup.

The addon issue gives me the most headaches because it means I have to login like 10 times into the web ui and then search through the passwords every time I am building stuff on my servers.