


Transcript

Please excuse any grammatical errors. I used a tool to generate the transcript and haven’t had a chance to read through it yet.

Just a few quick updates before we get into it.

I send out a monthly email newsletter — if you want to sign up for that, you can go to sidecideros.com, throw your email in the box, and hit subscribe. While you’re there, you can also check out my podcast, which is called In the Shell. You can find out where to listen at intheshellpodcast.com.

Back on sidecideros.com, I added a small phone icon at the top. If you click on it, it takes you to a page with an up-to-date list of all the apps I use on my Google Pixel running GrapheneOS. So if you’re just getting started or you’re curious about what I use, you can check that out and use it as a reference.

About five months ago, I published a video called The Big Problem with Bitwarden Backups. TL;DR — I was migrating my self-hosted Bitwarden instance to a new server. I set it up, imported my backup (exported using the web interface), and everything seemed fine. But shortly after, I needed an attachment from my vault — I think it was a PDF — and realized that none of the attachments had been imported.

After digging into it and finding a forum post, I learned that Bitwarden backups didn’t export attachments at the time. Fast forward to now, and it looks like they’ve fixed that — they even published a blog post about it. Attachments are now included in backups, which is great!

That said, I still don’t use Bitwarden. As Bush once said (sort of):

“Fool me once… shame on — shame on you. Fool me… we can’t get fooled again.”

(Yes, that was a joke.)

Even so, I still recommend Bitwarden for 99% of people. I think it’s the best option if you need a cloud-hosted, centralized vault — especially if you’re managing passwords for multiple people in your family and don’t want to be solely responsible for your data.

As for me, I’ve reached a point in my self-hosting journey where I’m trying to simplify my setup. Bitwarden running in Docker containers is fairly straightforward, but there were some backend elements I wasn’t entirely comfortable with. A few times during updates, the service wouldn’t come back up right away. I had to troubleshoot, figure out what changed, make updates, and get it running again.

For something like a password manager, that kind of downtime can be stressful. That’s why I moved to KeePass.

One of the benefits of KeePass is that your vault is just a single file. That means you can back it up by literally copying it to a flash drive. If you ever need to restore it, you just open the file with KeePass — no need to set up a new instance, import a backup, and go through the login process. You can access your vault from any computer or phone with the app installed. That simple file structure is a big plus in my book.

Quick note before I continue: If you haven’t self-hosted anything before, your password manager shouldn’t be the first thing you self-host. Start with something less critical, get your backup plan in place, and then maybe consider self-hosting your password manager.

So back to KeePass — it’s simple. I use KeePassXC on desktop and KeePassDX on Android. One thing to keep in mind is that unlike Bitwarden (which provides a complete ecosystem from the same company), KeePass is more fragmented. But once everything is set up, you don’t really have to think about it.

The interface is straightforward. I really like the password generator — you can choose between passwords and passphrases, and it includes a default word list (you can add more if you want). I do wish it had a username generator, though — that’s one feature it lacks.

Creating new entries is simple. You can attach files, and since everything is stored in that one file, you don’t have to worry about exporting attachments separately.

KeePass also supports MFA. I use YubiKeys for this — specifically the 5C model. Every time you make a change, KeePass prompts you to touch the YubiKey for confirmation. I also have a Nano YubiKey that I leave plugged into my computer, which makes it more convenient. This adds a layer of protection against automated attacks since physical touch is required for authentication.

There’s a browser plugin for KeePass, but I found it a bit clunky and stopped using it. Instead, KeePass has a feature called Auto-Type. You select an entry, click Perform Auto-Type, and it types your credentials into the active window. I don’t personally use it — I just copy and paste.

On my phone, I also avoid keyboard integration — I just copy and paste there as well, and it works fine for me.

You might be wondering how I sync across devices now that I’m not using a centralized setup. I do 95% of my work on my laptop, so I only make changes there. Then every few days, I manually transfer the updated password database to my phone and tablet using LocalSend.

You could sync your KeePass database to a cloud service and install the client on each device — I actually have mine synced to Seafile, which I also self-host — but I still prefer the manual method. It keeps things simple, and I haven’t had any issues with it.

So while I still think Bitwarden is a fantastic choice for most people, if you’re into self-hosting, KeePass is absolutely worth checking out.

If you have any questions or comments, feel free to leave them down below — and I’ll see you next time.