
Switching from 1Password to Bitwarden

posted to writings on nov 17th, 2017 with tags firefox, nerd, openbsd, ruby, and security and commented on 20 times

I've been using an OpenBSD laptop as my workstation a lot more lately, probably because most of my hardware just works now and I don't have to think too much about it. The touchpad works when I touch it, I can be confident that when I close the lid, the laptop will fully suspend and then fully resume again when I open it, WiFi works all throughout my house (although it's not terribly fast), and my web browser is fast and stable. What amazing times we live in.

In the past, one thing that frequently kept me going back to my Mac, aside from iOS and Android development, was 1Password. I have a ton of logins for websites and servers, and because my browsers are all configured to clear cookies for most websites after I close their tabs, I need frequent access to passwords synced across my laptops and phones, and 1Password has great apps for all of those except OpenBSD.

All of 1Password's syncing currently works through my Dropbox account. My Mac has 1Password configured to store its encrypted database in my local Dropbox directory, Dropbox does its automatic syncing of that directory to their servers, and 1Password on my phone uses Dropbox's API to pick up any changed files. It's been reliable for years, I have local versioned backups of my database, it works when my devices are offline, and I know I can access that data years in the future.

Using 1Password on OpenBSD

To bring OpenBSD into the mix, there are 3rd-party command-line apps which can read local 1Password files such as 1pass written in Go. Getting the 1Password files onto OpenBSD was left as an exercise to the reader, sending me down the rabbit hole of trying to add OpenBSD support to various FUSE-based packages that could provide a local filesystem view of my Dropbox directory. I managed to hack one of them into semi-working shape, but eventually I gave up and used rclone to do one-way fetching of my Dropbox directory on demand.

While this allowed me to at least view and copy passwords, the process was less than ideal. Browsing in Firefox, I'd have to open a terminal, type 1pass copy <some website>, choose the right one, and then go back to Firefox and paste it in the proper field. Tedious, error-prone, vulnerable to phishing, and now my password is hanging out in clear-text on the clipboard.

A Firefox add-on called Passcards from the developer of 1pass seemed encouraging, as it did Dropbox syncing on its own and supported auto-filling passwords in the browser, but I could never get it to work. The hard-coded Dropbox API token in the add-on doesn't work and the mess of Node dependencies to build a local version failed miserably on OpenBSD.

1Password Lock-In

Meanwhile, AgileBits, the 80-person company developing 1Password, has been pushing their new hosted, subscription-based model for 1Password going forward. Instead of users being in control of their data files, 1Password will store them on AgileBits' servers and users pay a monthly subscription fee for the privilege, forever.

I'm an app developer, I get it. A big company can't sustain development of a product that users only pay for once. However, I've paid for 1Password and all of its major version upgrades, and the $10 or whatever it was to unlock the "pro" features of the iOS app. I'm not opposed to paying money for apps, or for upgrades, or even for a subscription, but I don't want to pay to host my passwords on AgileBits' servers. Security concerns aside, there is an issue of lock-in and now having to make my OpenBSD hacks work with AgileBits' new API (is there even one?) instead of just accessing and backing up files from Dropbox.

Since I wasn't sure how long 1Password would keep working with its non-subscription-based syncing and I was still missing first-class OpenBSD support, I started looking into migrating to something else.

Finding Bitwarden

The main competitor to 1Password is LastPass, which looks nice and works well as a standalone Firefox add-on on OpenBSD, but it has the same lock-in problem and server-side security concerns as 1Password.

KeePass is a popular open-source alternative but its use case seems focused on a single machine. I don't need a stand-alone GUI and I do need browser extensions and mobile apps that can all sync reliably. And honestly, looking at their plugins page left me with a bit of decision fatigue: which ones are good, which ones are secure, which ones are still maintained? Does the browser extension have to read files from my home directory or talk to a local daemon, neither of which my unprivileged Firefox is able to do?

There are various command-line concoctions such as pass which stores PGP-encrypted files in a Git repo, but that doesn't improve my situation over 1Password. I would still have to manually look up passwords and copy them to the clipboard. These command-line packages also lack mobile apps and syncing.

Eventually I stumbled upon Bitwarden which is similar to LastPass but is entirely open-source and its primary developer is funded by users paying for subscriptions to store their data on Bitwarden's servers. However, all of their browser extensions and phone apps support setting a custom API URL before logging in, to allow for private installations. The iOS app and Firefox extension that I tried out looked fairly well polished, but I was more concerned with it being an open platform so I could fix bugs, add features, and host my own data.

Unfortunately, the open-source backend for these apps is written in .NET and expects to talk to a Microsoft SQL Server, requiring a big Docker image to deploy a private installation on Linux.

Since I was expecting to run my own API server on OpenBSD without all of that overhead, I decided to write my own compatible server. Sadly, there is no documentation on Bitwarden's API (outside of its .NET code) so I was not even able to figure out what my server would need to provide.

Rubywarden

Rather than wade through lots of .NET code, I decided to go for a black-box approach. I wrote a simple proxy in Sinatra that I could point the Bitwarden Firefox add-on to as its private API URL. The proxy would intercept each request, print it out to the console, then send it to Bitwarden's actual API, print out the response, and send it back to the Firefox add-on.
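The logging proxy described above, as an added example that is not the one from the post: a plain Rack application (Sinatra is built on Rack, so `rackup` runs it) that records each request the add-on makes, forwards it upstream, and records the response. The upstream is injectable so the logic can be exercised without network access; the default forwarder assumes the API lives at https://api.bitwarden.com, which is a placeholder to replace with whatever URL the add-on's settings show.

```ruby
# Added example (not the proxy from the post): a Rack app that logs every
# request and response passing between the Bitwarden add-on and the real API.
require "net/http"
require "uri"
require "json"

class LoggingProxy
  UPSTREAM = URI("https://api.bitwarden.com") # assumed upstream, see lead-in
  # Headers that must not be copied verbatim in either direction. Dropping
  # accept-encoding makes upstream answer uncompressed, so the log is readable.
  DROP_HEADERS = %w[connection keep-alive transfer-encoding content-length host accept-encoding]

  # upstream: callable (verb, path, headers, body) -> [status, headers, body]
  def initialize(upstream: method(:forward_with_net_http), log: $stderr)
    @upstream, @log = upstream, log
  end

  def call(env)
    verb = env["REQUEST_METHOD"]
    path = env["PATH_INFO"].to_s
    path += "?#{env["QUERY_STRING"]}" unless env["QUERY_STRING"].to_s.empty?
    # Rack stores "User-Agent: x" as HTTP_USER_AGENT; turn it back into a header name.
    headers = env.select { |k, _| k.start_with?("HTTP_") }
                 .map { |k, v| [k.sub("HTTP_", "").downcase.tr("_", "-"), v] }.to_h
    headers["content-type"] = env["CONTENT_TYPE"] if env["CONTENT_TYPE"]
    body = env["rack.input"] ? env["rack.input"].read.to_s : ""

    @log.puts "--> #{verb} #{path}", headers.map { |k, v| "    #{k}: #{v}" }, "    #{pretty(body)}"
    status, rheaders, rbody = @upstream.call(verb, path, headers, body)
    @log.puts "<-- #{status}", rheaders.map { |k, v| "    #{k}: #{v}" }, "    #{pretty(rbody)}"

    [status, rheaders.reject { |k, _| DROP_HEADERS.include?(k.downcase) }, [rbody]]
  end

  private

  # Pretty-print JSON bodies; anything else (form data, empty) is logged as-is.
  def pretty(body)
    JSON.pretty_generate(JSON.parse(body))
  rescue JSON::ParserError
    body
  end

  def forward_with_net_http(verb, path, headers, body)
    klass = Net::HTTP.const_get(verb.capitalize) # Net::HTTP::Get, ::Post, ...
    req = klass.new(path, headers.reject { |k, _| DROP_HEADERS.include?(k) })
    req.body = body unless body.empty?
    res = Net::HTTP.start(UPSTREAM.host, UPSTREAM.port, use_ssl: true) { |h| h.request(req) }
    [res.code.to_i, res.each_header.to_h, res.body.to_s]
  end
end
```

Run it behind a `config.ru` containing `run LoggingProxy.new`, point the add-on's custom server URL at it, and the bearer tokens and request bodies that appear in the log are the API contract to re-implement. Anything captured this way is live credential material for your own account, so keep the log out of version control.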

With that tool I was able to document all of the API calls that the Firefox extension and iOS app made and the response each was expecting. The encryption key derivation scheme used to actually encrypt and decrypt all of the data took a bit longer to figure out, but because everything is open source, I was able to read the JavaScript code of the Firefox add-on to understand what it was doing to encrypt a string with a given password.
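To make the key derivation concrete, here is an added example (not Rubywarden's or Bitwarden's own code) of the client-side scheme as I reconstructed it from the Bitwarden clients of that era: the master key is PBKDF2-SHA256 over the password salted with the e-mail address, the value sent to the server is one more PBKDF2 round over that key salted with the password, and vault items are "cipher strings" of the form `2.iv|ciphertext|mac` using AES-256-CBC with an HMAC-SHA256 over iv and ciphertext. The iteration count, the e-mail normalisation and the type numbers are assumptions to check against the add-on source before relying on them.

```ruby
# Added example: Bitwarden-style key derivation and cipher strings, as
# reconstructed for this post. Parameters are assumptions (see lead-in).
require "openssl"
require "base64"

module BwCrypto
  KDF_ITERATIONS = 5000 # assumed default of the 2017-era clients
  KEY_LEN = 32

  # Master key: PBKDF2-SHA256(password, salt = lower-cased e-mail).
  def self.master_key(password, email)
    OpenSSL::KDF.pbkdf2_hmac(password, salt: email.downcase,
                             iterations: KDF_ITERATIONS, length: KEY_LEN, hash: "sha256")
  end

  # What the client presents to the server as its password: one extra
  # PBKDF2 round over the master key, salted with the password. The server
  # only ever stores a hash of this, and never sees the master key itself.
  def self.master_password_hash(master_key, password)
    Base64.strict_encode64(
      OpenSSL::KDF.pbkdf2_hmac(master_key, salt: password,
                               iterations: 1, length: KEY_LEN, hash: "sha256"))
  end

  # Per-account symmetric key: 64 random bytes, first 32 for AES, last 32
  # for the HMAC. The clients store it encrypted under the master key.
  def self.generate_symmetric_key
    OpenSSL::Random.random_bytes(64)
  end

  # Type-2 cipher string "2.<iv>|<ct>|<mac>", all base64, encrypt-then-MAC
  # with the MAC covering iv || ciphertext. A fresh IV is drawn every call.
  def self.encrypt(plaintext, sym_key)
    enc_key, mac_key = split_key(sym_key)
    cipher = OpenSSL::Cipher.new("aes-256-cbc").encrypt
    cipher.key = enc_key
    iv = cipher.random_iv
    ct = cipher.update(plaintext) + cipher.final
    mac = OpenSSL::HMAC.digest("SHA256", mac_key, iv + ct)
    "2." + [iv, ct, mac].map { |b| Base64.strict_encode64(b) }.join("|")
  end

  def self.decrypt(cipher_string, sym_key)
    type, rest = cipher_string.split(".", 2)
    raise ArgumentError, "unsupported cipher string type #{type.inspect}" unless type == "2"
    iv, ct, mac = rest.to_s.split("|", 3).map { |b| Base64.strict_decode64(b) }
    enc_key, mac_key = split_key(sym_key)
    # Verify the MAC before touching the ciphertext so a tampered string or
    # a wrong key is rejected without exposing a CBC padding oracle.
    expected = OpenSSL::HMAC.digest("SHA256", mac_key, iv + ct)
    raise ArgumentError, "MAC mismatch" unless secure_equal?(mac, expected)
    cipher = OpenSSL::Cipher.new("aes-256-cbc").decrypt
    cipher.key = enc_key
    cipher.iv = iv
    cipher.update(ct) + cipher.final
  end

  def self.split_key(sym_key)
    raise ArgumentError, "symmetric key must be 64 bytes" unless sym_key.bytesize == 64
    [sym_key.byteslice(0, 32), sym_key.byteslice(32, 32)]
  end

  # Constant-time comparison that does not depend on a particular openssl gem version.
  def self.secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```

Two things worth noticing when you read the real add-on against this: the server never learns the master key, only the second-round hash, so a server compromise yields nothing that decrypts the vault without an offline PBKDF2 attack on the master password; and the symmetric key that actually protects items is itself stored as a cipher string under the master key, so changing the master password only re-wraps that key rather than re-encrypting every item. Whether that wrapping used the MAC-less type 0 or type 2 at the time is one of the details to confirm from the client source.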

With my documentation in-hand, I wrote a new Sinatra server that implements all of the API calls needed by the Firefox extension and iOS app. I deployed it to a server with Unicorn behind nginx, and used Let's Encrypt to get a TLS certificate for it.

My API server is now small and easy to understand, it has a much smaller attack surface than the .NET version, and all of my data is stored in a SQLite database that I can back up and version with cp. No lock-in, a first-class experience on OpenBSD and Firefox, and I feel better understanding the details of how my data is encrypted.

Migrating from 1Password

The Bitwarden web client (not the Firefox add-on) supports directly importing 1Password data files for users subscribed to Bitwarden's hosted service. Since I'm not using Bitwarden's web client, I wrote a command-line 1Password conversion tool that can read a 1Password Interchange Format file, encrypt the passwords using Bitwarden's format, and insert them into the database that Rubywarden uses.
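The reading half of that conversion, as an added example rather than the tool from the post: a 1Password Interchange Format (1PIF) file is a sequence of JSON objects separated by a fixed marker line, and only the login records in it are worth carrying over. The marker value, the `webforms.WebForm` type name and the `secureContents.fields` layout below are what I believe a 1PIF export contains and should be checked against a real export; the sample input is constructed. Encrypting the fields and inserting them into the server's database is left out.

```ruby
# Added example (not the conversion tool from the post): extract login records
# from a 1PIF export. Format details are assumptions, see lead-in.
require "json"

module OnePIF
  # Assumed: the separator line 1Password writes between JSON records.
  SEPARATOR = /^\*\*\*5642bee8-a5ff-11dc-8314-0800200c9a66\*\*\*$/

  Login = Struct.new(:title, :url, :username, :password, :notes)

  # Returns one Login per web-form record; secure notes, other item types and
  # records flagged as trashed are skipped rather than imported as junk.
  def self.parse(text)
    text.split(SEPARATOR).map(&:strip).reject(&:empty?).filter_map do |chunk|
      rec = JSON.parse(chunk)
      next unless rec["typeName"] == "webforms.WebForm"
      next if rec["trashed"]
      sc = rec["secureContents"] || {}
      fields = sc["fields"] || []
      Login.new(rec["title"], rec["location"],
                field(fields, "username"), field(fields, "password"),
                sc["notesPlain"])
    end
  end

  # Fields carry a "designation" of username/password; match on that rather
  # than on the form field name, which differs per website.
  def self.field(fields, designation)
    f = fields.find { |x| x["designation"] == designation }
    f && f["value"]
  end
end

# Constructed sample, not a real export: one login, one secure note, one trashed login.
SAMPLE_1PIF = <<~PIF
  {"uuid":"A","typeName":"webforms.WebForm","title":"Example","location":"https://example.com/login","secureContents":{"notesPlain":"work account","fields":[{"designation":"username","name":"user","type":"T","value":"jcs"},{"designation":"password","name":"pass","type":"P","value":"hunter2"}]}}
  ***5642bee8-a5ff-11dc-8314-0800200c9a66***
  {"uuid":"B","typeName":"securenotes.SecureNote","title":"Not a login","secureContents":{"notesPlain":"skip me"}}
  ***5642bee8-a5ff-11dc-8314-0800200c9a66***
  {"uuid":"C","typeName":"webforms.WebForm","title":"Deleted","trashed":true,"location":"https://old.example","secureContents":{"fields":[]}}
  ***5642bee8-a5ff-11dc-8314-0800200c9a66***
PIF
```

A 1PIF export is plaintext, so treat the file like the vault itself: write it to a directory only you can read, and shred it once the import is done.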

After importing more than 700 logins from my 1Password file, I noticed that the Bitwarden Firefox add-on was quite sluggish on OpenBSD. Unlocking it with my master password would take four or five seconds to parse everything before showing the large list of logins.

Since this data was years of migrated 1Password installations and other password stores, I decided to spend a few hours cleaning it up. After deleting some 300 logins and moving others into various folders, the add-on seems a bit snappier, though it still leaves something to be desired. I'd also like to change its keyboard shortcut to Alt+\ like Cmd+\ is for 1Password, but Firefox's new WebExtension system doesn't yet support changing these hard-coded keyboard shortcuts the way Chrome does.

At this point I've been using Bitwarden's iOS app and Firefox extension exclusively. I have some minor things left to implement in my server, which now has TOTP support, and everything seems to be working well.

Fetch the Rubywarden code from GitHub if you want to check it out.

Comments? Contact me via Twitter or e-mail.

20 Comments

bitwarden (authentic) on november 17th, 2017 at 10:47:15:

Impressive work reverse engineering it all! Your docs look pretty much spot on. Swing by our dev chat room (Gitter) if you ever have any questions.

Roman Zolotarev (authentic) on november 17th, 2017 at 10:59:43:

Switched from 1Password to #POSIX shell script :)
https://raw.githubusercontent.com/romanzolotarev/dotfiles/master/bin/crypt pic.twitter.com/SAKNT0kWaE

Yuki (authentic) on november 17th, 2017 at 11:10:33:

There's already a tool like this called password-store. It's built with UNIX philosophy in mind so it's pretty extendable and flexible

Roman Zolotarev (authentic) on november 17th, 2017 at 11:14:35:

Password-store requires GPG. Which is overkill to manage passwords. The goal of my experiment was to use only the software available in #OpenBSD base.

Roman Zolotarev (authentic) on november 17th, 2017 at 11:15:57:

Note: for TOTP I had to install 3rd-party package though.

Yuki (authentic) on november 17th, 2017 at 22:04:09:

Well sure, I find password-store to be quite nice since it's done so simple and uses the tools that I use daily in this case GnuPG and git.

Roman Zolotarev (authentic) on november 17th, 2017 at 22:57:12:

pass is awesome ;)

Ve Telko (authentic) on november 17th, 2017 at 11:14:18:

Power in simplicity

Manuel 🐡 (authentic) on november 17th, 2017 at 15:14:29:

Nice. I read it and switched to @bitwarden_app. 👌

D. Creemer (authentic) on november 17th, 2017 at 20:59:05:

FYI - https://github.com/dcreemer/1pass — faced similar challenges, went a different way.

Gauthier P. (authentic) on november 17th, 2017 at 21:54:55:

Super nice!
Let's hope you can finalize that, maybe @bitwarden_app could add it as an alternative version :)
I'll look into the code and will try to make my own version to learn more about password manager!

Feld (authentic) on november 17th, 2017 at 22:22:26:

this is what I needed to use BitWarden... thanks!

Feld (authentic) on november 17th, 2017 at 22:22:46:

In fact I might be able to get us to use this at work... !!

Brock Allen (authentic) on november 19th, 2017 at 06:53:27:

ha, look like @bitwarden_app is using @IdentityServer :)

bitwarden (authentic) on november 19th, 2017 at 06:54:45:

Indeed we do :)

Brock Allen (authentic) on november 19th, 2017 at 06:56:30:

I might have to give you guys a try then :)

Brock Allen (authentic) on november 19th, 2017 at 07:00:07:

somehow the circle would be complete if i logged into @bitwarden_app via @IdentityServer to access the @IdentityServer nuget keys

bitwarden (authentic) on november 19th, 2017 at 07:01:41:

Careful. You might create a circular dependency. Stack.... overflow.....

Konstantin (authentic) on november 19th, 2017 at 08:55:46:

would love to switch – they support every major and minor browser except... Safari! [bummer] 🤦‍♂️

Grumpy Meerkat (authentic) on november 19th, 2017 at 12:48:43:

Could you explain your claim that your Ruby version has a smaller attack surface? Genuinely intrigued