vaultwarden

Important note: If you are using the old mprasil/bitwarden image, you need to migrate to the newer bitwardenrs/server to access the new releases, the images are compatible so you can follow the instructions on updating the image from the wiki.

• Initial support for PostgresSQL! 🎉 Currently still a bit untested and without docker images
  • To compile enable the postgresql feature (cargo build --features="postgresql")
  • Currently there are no migration guides available, but check the previous release for some tips about migrating to MySQL
• Added new icon blacklisting option, to block all non global IPs (ICON_BLACKLIST_NON_GLOBAL_IPS)
• Added SQLite binary in the SQLite images, to enable backup option
• Admin page scripts are loaded locally instead of using a CDN
• Added CORS support
• Added docker healthcheck
• Added email 2FA
• Updated web vault to 2.12.0

This is a big one!

Important note: If you are using the old mprasil/bitwarden image, you need to migrate to the newer bitwardenrs/server to access the new releases, the images are compatible so you can follow the instructions on updating the image from the wiki.

MySQL Support! 🎉

• To enable you need to use the bitwardenrs/server-mysql image, instead of the current one.
• If you are self compiling, enable the mysql feature (cargo build --features="mysql")
• A SQLite -> MySQL migration requires manual steps, the short version is:
  • Start the bitwarden_rs MySQL instance to generate the database tables (don't create any users). Wait until the log prints Rocket has launched from http://x.x.x.x:xx, then stop the service.
  • To move the data from SQLite to MySQL, for this you can use:
    • The sqlite and mysql command lines: https://github.com/dani-garcia/bitwarden_rs/issues/497#issuecomment-511827057
    • Navicat Premium (paid): https://github.com/dani-garcia/bitwarden_rs/issues/497#issuecomment-498036811
    • MySQL Workbench (untested): https://dev.mysql.com/doc/workbench/en/wb-migration-overview-supported.html

Other stuff

• Added backup option in the admin panel for the SQLite backend, remember to transfer those copies to separate drives!
  -Updated HaveIBeenPwned API to V3, which requires a paid API key: https://www.troyhunt.com/authentication-and-the-have-i-been-pwned-api/
• Added option in admin panel to remove users two factor authentication, in case of loss or bug
• Allowed explicitly defining the SMTP authentication mechanism
• Added notification email when a user logs in on a new device
• Updated web vault to 2.11.0
• Added proxy support for the icon fetching service
• Other bug fixes

• Fixed broken U2F in Chrome 74+
• Added images to email
• Updated dependencies

• Duo is now available as a 2FA option, both configurable globally and per-user
  • To enable it globally, check the .env template, and then leave the fields empty when enabling it per-user.
• Updated web vault to 2.10.0
• Added option to control the log level: LOG_LEVEL
  • Valid values from more to less noisy are "trace", "debug", "info", "warn", "error" and "off"
• Now there is no need to compile the application a different way to enable syslog support, simply set USE_SYSLOG to true.
• Now DATA_FOLDER affects CONFIG_FILE when set through the environment
• Improved endpoints for Admin API
• Other fixes

• Secrets are now hidden by default in the admin panel.
• Now the version is shown in the top right corner of the admin page.
• Read only settings are also shown in the admin panel, but not editable.
• Added option to admin panel to force resync users, useful after restoring an old backup.
• Implemented multiple U2F support, with custom names and compromised checks.
• Emails now also include an HTML version next to the plaintext version. It's up to the email clients which one to show now.
• Updated vault to 2.9.0
• Implemented constant time comparison for admin password and two factor remember and recover tokens.
• Added more config options:
  • Icon download timeout
  • Hide routes mount points, enabled by default
  • Disable WAL (not recommended, only for network filesystems that have problems with WAL enabled)
  • Disable Admin token (unsafe, only use when behind another authentication scheme).
  • Use wrapped TLS for email, when STARTTLS doesn't work.
  • Icon downloader domain blacklist, to block anything that might be sensitive, lik other servers in the local network.
• Updated dependencies and fixed minor bugs

• Added configuration menu, accessible from the admin panel. This saves the user settings to a JSON file, by default in data/config.json, but configurable with the CONFIG_FILE environment variable.
• Added templating support for emails, can be added to $DATA_FOLDER/templates/email, or $TEMPLATES_FOLDER/email, if configured. Check here for examples.
  • Added reload templates option, useful during development. Set RELOAD_TEMPLATES to true to enable.
  • The templates use the Handlebars format.
• Improved icon downloader, now we don't use the upstream server anymore.
• Added option to disable icon download, set DISABLE_ICON_DOWNLOAD to true.
  • Note that icons already in the cache will still be served. With this, if ICON_CACHE_TTL is set to 0, the cached icons will not expire.
• Admin panel improvements:
  • Organization, 2FA status and disabled user badges
  • Deauthorize user sessions button
  • Now using templates
• Added Feature-Policy header.
• Created recovery code when registering a YubiKey
• Now the .env file is only read from the current directory.
• Other fixes and dependency updates

This is minor fix release

• Enabled Yubikey support on AArch64
• Fixed error when editing cipher with attachment
• Fixed error incorrectly hiding cipher when deleting attachment
• Added unofficial server warning

• Implemented new admin panel, available at /admin
  • To use it, you need to set the ADMIN_TOKEN variable to authenticate
  • Note: The old admin_email functionality has been removed
• Added email invite functionality
• Web vault updated to v2.8.0
• Fixed AArch64 build, disables Yubikey support
• Implemented TTLs for the icon cache
• Improved error handling
• Bug fixes

We have started a Wiki! All info that used to be in the Readme should now be there. The wiki is open to everyone, so if you think something is missing or wrong, we'd appreciate your contribution.

• Revamped logging
  • Logging to file is now supported, set LOG_FILE=/path/to/log
  • Logging to syslog is now supported, for this you need to compile the project with cargo build --features=enable_syslog
  • Important: If you are using fail2ban or similar, you may need to update the filters to the new style.
  • You can also disable it, by setting EXTENDED_LOGGING=false, but this disables logging to file or syslog
• Updated web vault to 2.7.1
• Implemented key rotation and individual attachment keys
• Added yubico support
• Updated rocket web server to 0.4
• Fixed some logout issues
• Fixed some crashed in mobile apps when using 2FA

• Disabled websockets by default, can be enabled by setting WEBSOCKET_ENABLED=true. Note that websockets require some additional setup. More info about that in the README.
• Updated web vault to 2.4.0
• Upgraded sync method to not send equivalent domains when not necessary.
• Bug fixes and documentation changes

• Implemented simple admin panel (invite/delete users) as an organization. Read the Configure server administrator section of the README for more info.
• Add WEBSOCKET_ADDRESS config option
• Updated docker web vault to 2.4.0
• Add dockerfile for aarch64
• Updated dependencies
• Bug fixes

• Partial support for websockets notifications (Go to README for instructions)
• Fixed compilation error with OpenSSL 1.1.1
• Return default prelogin values when the user doesn't exist
• Updated docker web vault to 2.3.0
• Implemented client KDF iterations change
• Updated dependencies

Well, this is a big one. Here are all the changes:

• Display password hints directly on the web, as long as SMTP is not in use. Can be disabled setting INVITATIONS_ALLOWED to false
• SMTP integration, for now only for sending password hints
• Musl docker image
• ARMv7 docker image
• Travis CI integration
• Basic support for KDF prelogin and notification negotiation
• Add IP and username to failed login attempts
• Support passsword history
• Updated web-vault to 2.2
• Cipher import in organizations

• Updated included web vault to version 2.1.1
• Updated dependencies
• Implemented share selected ciphers
• Updated user revision date on changes, to make sync work

• Implemented password hint
• Fixed user revision date
• Improved documentation

• Added missing attachment APIs
• Used WAL journal mode in SQLite to improve concurrency

• Hide organization stuff to unconfirmed users
• Update the links to the Arch package
• Set a default of 10 workers in Rocket, to avoid poor performance in some situations
• Return 404 when a web vault file isn't found

Implemented U2F authentication