I’ve been a fan of 1Password for years. It has served me very well, and I recommend it without reservation to most of my clients. Unfortunately, I had to stop using it because of DoD CMMC requirements. When storing CUI (controlled unclassified information), any cloud service must be either FedRAMP authorized or meet a FedRAMP-equivalent security baseline. 1Password 8 dropped the standalone local vaults that earlier versions supported, so every vault now lives in 1Password’s cloud. So I needed to find a different solution.
For the past year or so I’ve been using KeePassXC on my Mac and KeePassium on my iPhone, syncing the database locally over macOS file sharing. KeePassXC generally works, but it doesn’t have 1Password’s seamless ease of use or polish. KeePassXC also doesn’t have an extension for Safari, a major omission.
Bitwarden is used mostly as a cloud service, but on-premises hosting is an option. For those who want an official server, Bitwarden, Inc. offers a heavyweight standard server and also a lightweight server in beta. I opted for an open source Bitwarden-compatible server called Vaultwarden, hosted in a Docker container. The Docker image is available here.
Setting up a local Vaultwarden server is not trivial, mostly because of TLS: Bitwarden clients refuse to talk to a server over plain HTTP, so the server needs a certificate that every client trusts. I used Traefik to terminate HTTPS between the Bitwarden clients and Vaultwarden. Vaultwarden and Traefik were configured with a Docker Compose file. An additional Traefik dynamic configuration file was needed to list the certificate and private key paths. While commercial X.509 certificates or Let’s Encrypt could certainly be used with Traefik, I used the CA built into macOS (Keychain Access) to sign my certificate, which means the CA certificate must also be installed and trusted on each client device. I’m running a local DNS server so client applications, namely my iPhone, can resolve the Vaultwarden hostname to the server.
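The following two files are an added example of the Traefik plus Vaultwarden arrangement described above; they are not the author’s actual configuration. They assume a hostname of vault.example.lan (served by the local DNS server), a certificate and key already issued for that name and placed in ./certs, and Traefik’s dynamic configuration kept in ./traefik/dynamic; all of those names and paths are illustrative.

```yaml
# --- docker-compose.yml ---
services:
  traefik:
    image: traefik:v3
    container_name: traefik
    restart: unless-stopped
    command:
      # Static configuration: discover routers from Docker labels (opt-in only),
      # load TLS material from the dynamic-config directory, listen on 443.
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--providers.file.directory=/etc/traefik/dynamic"
      - "--entrypoints.websecure.address=:443"
      # Port 80 exists only to redirect to HTTPS; Bitwarden clients
      # will not accept an http:// server URL anyway.
      - "--entrypoints.web.address=:80"
      - "--entrypoints.web.http.redirections.entrypoint.to=websecure"
      - "--entrypoints.web.http.redirections.entrypoint.scheme=https"
    ports:
      - "80:80"
      - "443:443"
    volumes:
      # Read-only socket is enough for label discovery.
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./traefik/dynamic:/etc/traefik/dynamic:ro
      # Certificate and key signed by the local (macOS Keychain) CA.
      - ./certs:/certs:ro

  vaultwarden:
    image: vaultwarden/server:latest
    container_name: vaultwarden
    restart: unless-stopped
    environment:
      # Must match the public URL the clients use; WebAuthn and
      # attachment links are generated from it.
      DOMAIN: "https://vault.example.lan"
      # Create the first account, then close signups.
      SIGNUPS_ALLOWED: "false"
    volumes:
      # SQLite database, attachments and RSA keys live here; back it up.
      - ./vw-data:/data
    # No ports: published. Vaultwarden is reachable only through Traefik.
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.vaultwarden.rule=Host(`vault.example.lan`)"
      - "traefik.http.routers.vaultwarden.entrypoints=websecure"
      - "traefik.http.routers.vaultwarden.tls=true"
      # The image listens on 80 inside the container.
      - "traefik.http.services.vaultwarden.loadbalancer.server.port=80"

---
# --- traefik/dynamic/tls.yml ---
# Traefik's file provider picks this up; the certificate is selected by SNI,
# so its SAN must include the hostname used in the router rule above.
tls:
  certificates:
    - certFile: /certs/vaultwarden.crt
      keyFile: /certs/vaultwarden.key
```

Two checks worth doing before pointing a phone at it: `docker compose config` to confirm the labels and volumes parse, and `openssl s_client -connect vault.example.lan:443 -servername vault.example.lan` from the Mac to confirm Traefik is presenting the locally signed certificate rather than its self-signed default. If the CA certificate is not installed and trusted on the iPhone, the Bitwarden app will fail to connect with a certificate error no matter how the server side is configured.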
I’m reasonably impressed with Bitwarden/Vaultwarden after my first day of use. It’s much more polished than KeePassXC, but not as slick as 1Password. For those users who are amenable to cloud services, I would still recommend 1Password, even at its higher price. I will be offering Bitwarden/Vaultwarden as a viable option for companies that require on-premises hosting.