VaultTub
VaultTub is our self-hosted vaultwarden/bitwarden instance which can be accessed via vault.bathcs.com.
During handover, you should be invited to sign up from [email protected] (it might be in the junk folder).
For documentation on how to use this, see Bitwarden’s documentation.
Quick setup
BathCS admins will invite you to VaultTub once you’ve been elected. Hopefully you will get an email from them directing you here.
- Once invited, go to the junk folder in Outlook and find the email.
- If the email is in junk, there should be a dropdown at the top of the email with the option to make “[email protected]” never go to your junk folder. Please select this as you will get a lot more emails after this point.
- Follow the link in the email to sign up.
- Enter your details and create an account:
  - Use your University of Bath email (as it’s by invite only).
  - Make sure the password is strong (and isn’t used anywhere else) and you can remember it. Write it down somewhere safe if you are unsure.
- REQUIRED: Set up 2FA.
- OPTIONAL: Follow the security recommendations.
- REQUIRED for Owners of organisations: set up emergency access.
Previous committees/initiatives will add you to the relevant organisation as described in the handover procedure.
Recommended Settings
Once you have signed up with a password you can remember (but don’t use anywhere else), we recommend updating the following settings:
Settings can be found: “Profile Icon in top right > account settings”.
Two-step login
Assuming you don’t have a security key, we recommend using the “Authenticator App” option (see the instructions in the 2FA section here for a more in-depth explanation of how to set this up).
If you have a security key (e.g. Yubikey), use the FIDO2 WebAuthn option. All other options have not been enabled as that takes time and is not worth it.
Keys
I recommend upgrading to use Argon2id with the following settings:
- KDF Iterations: 10
- KDF Memory (MB): 64 (the maximum that works with iOS)
- KDF Parallelism: 8
Emergency Access
We recommend setting up emergency access with at least one other person; this is a safety net in case you lose access to your account.
Head to the emergency access tab in the settings page and click “Add emergency contact”, entering the user’s email (note that they need to have a VaultTub account).
This should be required for users with a significant amount of power due to the risk of losing everything (we cannot recover your passwords).
Note this does require about 3 emails of back and forth accepting with the person (I have been fooled into thinking it was over before when it was not).
Using the extension/app
Bitwarden has a browser extension and an app which supports self-hosted instances (and multiple accounts).
To install the app or the extension:
- Download the extension from Bitwarden’s download page.
- Open it up.
  - If you already have an account, you can click the profile icon and then click “Add account”.
- Under the input for the email address (set to “bitwarden” by default), you can select “self-hosted”.
- Input “https://vault.bathcs.com” for the server field and hit “Save” in the top right.
- Enter your login details for VaultTub.
Recommended settings
You may wish to change the default lockout period or add a PIN, which can be done in the “Settings” tab. These are handled on a per-account basis.
You can click “Unlock with PIN” and enter a PIN (unchecking “Lock with master password on browser restart” if you don’t want that).
You can also change the “Vault timeout”, however this is not recommended.
Quick note on owners
Make sure you have at least two owners for each organisation. This is so we have a backup and don’t lose access to the data.
For societies we recommend roles equivalent to chair and secretary. For other initiatives, we recommend you choose someone to act as the Owner.
Owners also require emergency access to be set up with someone who is not another owner of their organisation.
Recommended Use
This should be used for society passwords.
These society passwords should be stored in the relevant organisations. You have the power to create as many organisations as you like and share them with other people.
Organisations
To create an organisation, you can go to your “vaults” and click the “New organization” button on the side panel.
Once created you can go to the “Organizations” tab in the top right and choose the organisation to manage, where you can invite new members (via “Members > Invite Member”) or create a new collection (basically a folder which you can choose who has access to it).
For each member you can choose the role and which collections they have permission to access; how you organise the rest is up to you.
Handover procedures
Please see [../handover/permissions.md]
Rotating passwords
As part of the handover procedures, it is recommended that each initiative rotates all the passwords stored in the organisation.
To do this, please follow this rough instruction list:
- Open the item on VaultTub (either in the extension or on the website).
- Copy the password and temporarily store it somewhere (e.g. in the notes section).
- Visit the website.
- Navigate to the change password section (it’s different for every website).
- In the extension, click “Edit” on the item, click the “Generate Password” button and confirm that it will overwrite the password currently stored. Password recommendations:
  - >= 25 characters
  - include special characters
  - min numbers: 2
  - min special characters: 2
  - uncheck “avoid ambiguous characters”
- Click “Save” on the item to save the new password.
- Paste the new password into the change password fields and change the password.
- Log out and log in again to make sure the new password has saved correctly.
- Delete the temporary copy of the old password.
- Add a line to the notes saying it was updated on the current date and include your name.
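As an added example (not part of this page or of Bitwarden’s own code), a small script that generates passwords meeting the rotation policy above and reports which rules a candidate breaks. It assumes the special-character set `!@#$%^&*` used by Bitwarden’s generator and keeps ambiguous characters in the alphabet, matching the “uncheck avoid ambiguous characters” advice.

```python
# Added example, not part of the VaultTub docs or Bitwarden: generate
# passwords that satisfy this page's rotation policy and check candidates.
import secrets
import string

MIN_LENGTH = 25   # ">= 25 characters"
MIN_DIGITS = 2    # "min numbers: 2"
MIN_SPECIAL = 2   # "min special characters: 2"
# Assumed to match Bitwarden's generator special-character set.
SPECIAL = "!@#$%^&*"
# Ambiguous characters (l, 1, O, 0, ...) stay in, i.e. "avoid ambiguous
# characters" is unchecked, which keeps the full alphabet and more entropy.
ALPHABET = string.ascii_letters + string.digits + SPECIAL


def check_policy(password: str) -> list:
    """Return the list of policy violations; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if sum(c.isdigit() for c in password) < MIN_DIGITS:
        problems.append(f"fewer than {MIN_DIGITS} digits")
    if sum(c in SPECIAL for c in password) < MIN_SPECIAL:
        problems.append(f"fewer than {MIN_SPECIAL} special characters")
    if any(c not in ALPHABET for c in password):
        problems.append("contains characters outside the allowed set")
    return problems


def generate_password(length: int = MIN_LENGTH) -> str:
    """Draw from the OS CSPRNG and retry until the policy is met.

    Rejection sampling keeps the result uniform over all accepted passwords,
    unlike forcing fixed positions to hold digits or special characters.
    """
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not check_policy(candidate):
            return candidate


if __name__ == "__main__":
    pw = generate_password()
    print(pw, check_policy(pw))
```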
How to deal with the worst case scenarios
If the problem is the website being down, please contact [email protected]. Note that I do not have any access to any of the data stored as it is all encrypted.
I lost my password and don’t have Emergency Access
In that case, there is nothing we can do. Your account must be deleted and you will need to be re-invited (this means you WILL lose access to any password you have on the account). Organisation passwords can be recovered by other members of the organisation.
This is why you MUST either know your password by heart or store your password in your own password manager which also has a proper recovery procedure (which normally means having emergency access contacts).
The owner of the organisation is not responding
If all owners of the organisation are not responding or have lost access to their accounts, this is more of a problem, so make sure to have multiple owners.
The organisation will have to be deleted and recreated. To save as many passwords as possible, get all other members to check which collections they have access to and whether they have permission to export the vault (found in the settings for the organisation).
You then want to either export the vault data or copy every single password into a new organisation.
Instance Management stuff
Inviting new users
Only administrators (with the interface password) can invite new users.
This can be done through the admin interface: simply type the user’s email in the “Invite User” section.
Backups
This is handled by me (hw2210) as I am the maintainer of the NAS it is running on.
But the basic idea:
- Has an on-site iterative backup every day
- Has an off-site iterative backup every day
Contact [email protected] if you have any questions.
Emails
Emails are sent through my SMTP server on the same network, which cannot receive emails (because of the firewall) but can send them.
I should mention this has DKIM, DMARC and SPF set up to help get past spam filters. From testing this works fine; however, emails may end up in junk folders now and again.
Certificates
This is currently a manual process, so the certificate may be expired from time to time (every 10 years).
If you do spot this, please contact [email protected] and I will update it. However, this assumes I have access to the Cloudflare configuration.