
How To Install Bitwarden with Docker and Synology

Recently, I did a complete overhaul of my old password management system. This is a fancy way of saying I got tired of storing password hints in an Excel spreadsheet and decided I needed a real password management system. If you are security-minded like me and have a ton of different usernames and passwords, Bitwarden is an awesome solution. In this guide, I will go over how to install Bitwarden with Docker on a Synology NAS. If you’re in the market for one, check out my recommended models on Amazon just below!

Entry-level NAS: Synology DS218+ on Amazon
Pro-sumer NAS: Synology DS918+ on Amazon
NAS Hard Drives: Seagate IronWolf NAS 6TB on Amazon

Note: This post moved from my old website, but the content is still relevant. If you’d like to read through the comments for help with troubleshooting, you can read them here: Old Comments for How To Install Bitwarden with Docker and Synology

What is Bitwarden?

Bitwarden is an open source password management application. The company offers a free web application where you can create an account and store your credentials on their system. As a security-minded company, they take the security of your data very seriously. Your credentials are secured with encryption before ever leaving your device. However, what sets Bitwarden apart from other password services is that they have created and containerized their stack for deployment in your own private environment using Docker. This means if you have a system that can run Docker, like a Linux or Windows PC or server, you can easily deploy your own version of Bitwarden with your data locally stored and secured.

Bitwarden provides this guide for installing on any system, but if you want to install Bitwarden on your Synology NAS, keep reading.

A Few Notes & Prerequisites

From start to finish, the task of installing a web application on a system can seem daunting because there are many individual pieces that need to come together in the right order. You will need to have some of those pieces set up, or ready to be set up, before starting this guide:

1) Have your Synology Diskstation already accessible from the internet over HTTPS. This means you will need to have a domain name, DNS records and SSL certificate set up. If you have not done that yet, check out my guide here: Synology Diskstation SSL with Let’s Encrypt.

2) An understanding of reverse proxies and CNAME DNS records. This is important if you want to host more than one externally-available service on your Synology.

3) An understanding of Linux command line and an SSH client (I am using PuTTY).

4) Obtain a Hosting Installation ID and Key from Bitwarden.

How To Install Bitwarden with Docker and Synology

First, we need to create a CNAME DNS record with our domain registrar. The CNAME record should point to whatever subdomain you want to use for Bitwarden, for example “bitwarden.yourdomain.com”.

Bitwarden Certificate

Next we need to create the SSL certificate specifically for Bitwarden.

1) Log into your NAS and navigate to Control Panel > Security > Certificate.

2) Choose “Add a new certificate”.

3) Choose “Get a certificate from Let’s Encrypt”.

4) Enter your domain name and a valid email address. Also, enter your DDNS hostname as “Subject Alternative Name” if you are using a DDNS service instead of a public IP. Click apply and make sure you get the certificate.

Reverse Proxy

You’ll need to create a reverse proxy entry to access Bitwarden through “subdomain.yourdomain.com”. If you don’t, when you try to visit your subdomain you’ll probably just land on your Synology’s login page. The reverse proxy entry tells the Synology where to redirect incoming requests for “subdomain.yourdomain.com” which will be the Bitwarden webpage on a separate port.

1) Navigate to Control Panel > Application Portal > Reverse Proxy.

2) Click Create, and enter the following information, substituting your subdomain and domain name:

Protocol: HTTPS

Hostname: subdomain.domain.com

Port: 5001 (or whatever port you have for HTTPS in your DSM Settings). Note, if you have HTTPS redirect enabled, you must enter the specific port that DSM listens on for HTTPS.

Destination: HTTP, localhost, port 8123. Click OK.

Assign the Certificate

Now you can assign the certificate you created earlier to your reverse proxy entry.

1) Navigate to Control Panel > Security > Certificate.

2) Click the drop-down next to your reverse proxy entry and select the certificate.

Install Docker

Open the Synology Package Center and install the Docker app. After it is installed and running make a note of where the docker folder is in File Explorer. Mine was under /volume1/docker.

Installing the Bitwarden Stack

Now we are at the point where we can begin installing the application or rather, the containers that Bitwarden has put together.

Start up your SSH client and log into your Synology with the built-in admin account and password. If you follow best practices, you may have already disabled this account so re-enable it temporarily if that is the case. Also (and it should be obvious) you need to have SSH turned on so go to Control Panel > Terminal and do that if needed.

Once you are logged in, elevate to root and re-enter your password:

sudo su -

Change directories to your docker folder:

cd /volume1/docker

Import the install package:

curl -s -o bitwarden.sh \
    https://raw.githubusercontent.com/bitwarden/core/master/scripts/bitwarden.sh \
    && sudo chmod u+x bitwarden.sh

Run the install script:

./bitwarden.sh install

Installer Prompts

Enter the following information as the installer prompts you:

Enter the domain name…

subdomain.domain.com

Do you want to use Let’s Encrypt to generate…

Enter “n” for no. We already have our certificate.

Enter your installation id and key…

Enter the ID and key you got earlier.

Do you have a SSL certificate to use…

Again, enter “n” for no.

You will see a “WARNING” message but that is ok. The reverse proxy is handling our SSL certificate.

HTTP Port Change

There are some additional changes that the installer either does not prompt for or does not do in this version of Bitwarden. Leave the SSH terminal open and switch to the Synology DSM screen.

Open File Explorer on your Synology and download a copy of the config.yml file at /volume1/docker/config.yml. The line for the HTTP port needs to be changed to match our reverse proxy. Change it to 8123 and clear the value for HTTPS.

Save your changes. In File Explorer, rename the original config.yml to config.yml.bak. Then upload your edited config.yml file to the /volume1/docker/ folder.

Create Supporting Directories

Next, you need to create some folders manually since the installer does not do this for some reason. Switch to your SSH terminal and make sure you are still in the docker directory: /volume1/docker.

The following directories need to be created under /docker/bwdata so make sure you are in the docker folder when running these commands. Also, double check the /bwdata folder to see if any of these directories were actually created. The guides I followed mentioned some folders may have been created but that was not the case for me.

Use the mkdir command to make the following directories (or make sure they are already there):

bwdata/core
bwdata/core/attachments
bwdata/ca-certificates
bwdata/logs
bwdata/logs/admin
bwdata/logs/api
bwdata/logs/events
bwdata/logs/identity
bwdata/logs/mssql
bwdata/logs/nginx
bwdata/logs/icons
bwdata/logs/notifications
bwdata/mssql
bwdata/mssql/data
bwdata/mssql/backups
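
The directory list above as one repeatable check-and-create step, added here as an example (it is not part of the original guide or of Bitwarden's scripts). The function names are hypothetical; the argument is the folder that contains bwdata, which is /volume1/docker in this guide.

```shell
#!/bin/sh
# Added example: check for and create the bwdata directories listed in the guide.
# make_bw_dirs and missing_bw_dirs are hypothetical helper names.

# Paths relative to <base>/bwdata, exactly as listed in the guide.
BW_DIRS="core core/attachments ca-certificates
logs logs/admin logs/api logs/events logs/identity logs/mssql
logs/nginx logs/icons logs/notifications
mssql mssql/data mssql/backups"

# Print every listed directory that does not exist yet, one per line.
missing_bw_dirs() {
    for d in $BW_DIRS; do
        [ -d "$1/bwdata/$d" ] || echo "bwdata/$d"
    done
}

# Create whatever is missing; existing directories and their contents are untouched.
# Returns non-zero if anything is still missing afterwards (e.g. no write permission).
make_bw_dirs() {
    base=$1
    [ -d "$base" ] || { echo "no such folder: $base" >&2; return 1; }
    for d in $BW_DIRS; do
        mkdir -p "$base/bwdata/$d" || return 1
    done
    [ -z "$(missing_bw_dirs "$base")" ]
}

# Demo in a throwaway folder so nothing on the NAS is touched.
# On the NAS itself: make_bw_dirs /volume1/docker
demo=$(mktemp -d)
mkdir -p "$demo/bwdata/logs"     # constructed: pretend the installer made one folder
echo "missing before: $(missing_bw_dirs "$demo" | wc -l)"
make_bw_dirs "$demo" && echo "missing after: $(missing_bw_dirs "$demo" | wc -l)"
rm -rf "$demo"
```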

Start Bitwarden

Now you can try starting Bitwarden.

./bitwarden.sh start

If you encounter any errors such as “path does not exist” be sure to create that directory and try again. Errors relating to port bindings may also occur if you have another service listening on the specified port. Google is your friend in that case. You can also try running ./bitwarden.sh update and then restart Bitwarden itself to see if that helps.
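
A pre-flight check for the port-binding error described above, added as an example (not from the original guide). It assumes netstat is available in the SSH session and reads `netstat -tln` output on standard input; the function name is hypothetical and the sample listing is constructed.

```shell
#!/bin/sh
# Added example: find out whether a TCP port already has a listener before
# running ./bitwarden.sh start. port_listeners is a hypothetical helper name.

# Reads `netstat -tln` style output on stdin and prints the local addresses
# listening on port $1. Exit status 0 = port is taken, 1 = port is free.
port_listeners() {
    awk -v p="$1" '
        # Column 4 is the local address; match ":<port>" at its very end so
        # that 8123 does not also match 18123. Covers IPv4 and IPv6 forms.
        $1 ~ /^tcp/ && $NF == "LISTEN" && $4 ~ (":" p "$") { print $4; hit = 1 }
        END { exit !hit }
    '
}

# Constructed sample listing: another service already owns 8123 on IPv6.
SAMPLE='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:5001            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:18123           0.0.0.0:*               LISTEN
tcp6       0      0 :::8123                 :::*                    LISTEN'

for port in 8123 8124; do
    if found=$(printf '%s\n' "$SAMPLE" | port_listeners "$port"); then
        echo "port $port is in use by a listener on $found"
    else
        echo "port $port is free"
    fi
done
# On the NAS: netstat -tln | port_listeners 8123
```

If the port is taken, pick a free one and use the same number in both the reverse proxy destination and the HTTP port line of config.yml.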

The initial startup will take a minute or so to pull the containers to your NAS. Once finished, you can open the Docker app on Synology and see if all of your containers are running normally. If they are, try visiting the subdomain address you created for Bitwarden.

Update the Database

Before you create an account, you must update the database:

./bitwarden.sh updatedb

Last Items to Consider

At this point Bitwarden should be up and running. However, a few more things can be done.

After creating your account (or however many accounts you want), you should disable new registrations by editing /bwdata/env/global.override.env. Change the below line to “true” so that new accounts cannot be registered. This does not remove the button to register, but when someone tries to register, it will fail.

globalSettings__disableUserRegistration=false

Save your changes to global.override.env and upload to the proper folder.
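
The registration change above, made and verified from the SSH session instead of the download, edit and upload round trip. This is an added example, not part of the original guide; the function name is hypothetical, the demo file contents are constructed, and on the NAS the argument would be the global.override.env file named above.

```shell
#!/bin/sh
# Added example: set globalSettings__disableUserRegistration=true in an env
# file and confirm it took. disable_registration is a hypothetical helper name.

KEY=globalSettings__disableUserRegistration

disable_registration() {
    env_file=$1
    [ -f "$env_file" ] || { echo "missing: $env_file" >&2; return 1; }
    cp -p "$env_file" "$env_file.bak" || return 1      # keep the original
    if grep -q "^$KEY=" "$env_file.bak"; then
        # Replace the whole line, including a trailing CR left by a Windows editor.
        sed "s/^$KEY=.*/$KEY=true/" "$env_file.bak" > "$env_file" || return 1
    else
        # Key absent: append it (after a newline if the file lacks a final one)
        # rather than silently doing nothing.
        [ -z "$(tail -c 1 "$env_file")" ] || echo >> "$env_file"
        printf '%s=true\n' "$KEY" >> "$env_file" || return 1
    fi
    # Verify: the key appears exactly once and its value is exactly "true".
    [ "$(grep -c "^$KEY=" "$env_file")" -eq 1 ] && grep -qx "$KEY=true" "$env_file"
}

# Demo on a constructed file with CRLF line endings (placeholder values only).
demo=$(mktemp)
printf '%s\r\n' 'EXAMPLE_OTHER_SETTING=placeholder' "$KEY=false" > "$demo"
if disable_registration "$demo"; then
    echo "registration disabled: $(grep "^$KEY=" "$demo")"
else
    echo "check $demo by hand" >&2
fi
rm -f "$demo" "$demo.bak"
```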

Additional commands (including update command):

./bitwarden.sh install
./bitwarden.sh start
./bitwarden.sh rebuild
./bitwarden.sh restart
./bitwarden.sh stop
./bitwarden.sh updateself
./bitwarden.sh update

Another note worth mentioning is that I had issues using the Docker application to turn the containers on and off. I could turn them all off but they would never all turn back on properly. I found that I had to use the command line to do this. Thankfully, they auto-start when the NAS boots up so if your system goes offline unexpectedly, when it comes back on the Bitwarden application stack will start back up.

Conclusion

If you’ve followed this far and gotten everything up and running, congratulations! Bitwarden has made managing my passwords a breeze. I have access over the web and have also installed their mobile app with fingerprint authentication. Now I can have my passwords anywhere I go.

Thanks for reading and I hope you’ve enjoyed this guide on How To Install Bitwarden with Docker and Synology.


Products mentioned are available through affiliate links at no extra cost to you. Using these affiliate links to purchase helps support the blog and allows me to bring you new content. Thank you!

Amazon Associate Program: As an Amazon Associate I earn from qualifying purchases.

Disclaimer: This guide has been paraphrased from an older guide on the Synology forums but includes changes that I encountered with my setup.  https://forum.synology.com/enu/viewtopic.php?p=544605

16 Comments
Gene Mills

I actually have HA running in a Docker on port 8123. Would this cause a conflict or can I just change the http port to something like 8124?

Gene

It did work ok. But I ended up deleting the install until I figure out more about securing the NAS to the internet with some kind of VPN.. wasn’t sure if having a password manager exposed like that would be ok

Chris

I believe you can change that. 8123 just came from the documentation that I based this guide on. Give it a try and let me know how it goes. Thanks!!

Johannes

Really great installation guide! Thanks a lot 🙂

Chris

Glad you liked it! Thanks for the comment!!

Keith

It should be noted that if you goof anything up after doing the initial bitwarden.sh install, you may need to perform a bitwarden.sh rebuild… otherwise, when you run bitwarden.sh start, you could get errors (I got one for nginx where 443 was already in use… presumably the initial install had built the nginx configs to use port 443 and did not update them without a rebuild)

Toby

Very useful run through – have you tried using the native DSM docker interface?

Omi

Thanks for the guide – super useful. It would be worth adding that you need to rebuild after updating the config.yml. Question: do I need to manually keep this package up to date, or does docker take care of that for me? If it’s up to me, what are the commands to do this?

Alexandr

Hello, Chris!
Did you get the Admin panel to work? I mean bw.domain.com/admin/
I still can’t solve it…

Alexandr

Thanks for the answer. I solved my issue by setting the reverse proxy source port to 443 instead of 5001, with an appropriate port-forwarding rule on the router. Now it works as well.