Assuming that you're not a high profile target self-hosting does make it rather unlikely that you'll get pwned in this case.

An attacker can justify allocating a lot of resource to pwn bitwarden.com. If you manage to break into the vaults you're bound to find something juicy, just because of how large the target is.

Or you could decide to pwn me. Figure out where my bitwarden is hosted, what my config looks like, what mistakes I might have made setting it up, then maybe find a way in. Then it's just the start, since the passwords are encrypted on disk, so at best you have access to an encrypted sqlite database. Now you need to find a way to get me to leak my vault key. Maybe I sometimes use the web interface? Maybe not. Who knows.

After all of that you may realize that all of my passwords are either not super important or require some form of 2FA, therefore wasting your time.

But hey, you can log into my hacker news account!

Security through irrelevancy.

Just set up backups, enable apt unattended upgrades for major security patches and forget the rest.

If you want to really get paranoid, pass it all through wireguard or ssh tunnels, but for bitwarden at least it's all client side encrypted anyways, you could probably run it on a very out of date system without issue.

Sure. But do you constantly verify backups, check hard drive health and file corruptions, practice disaster recovery?

And these are just for the integrity of your _encrypted_ data. There are a lot more to do to fully secure your home infra in general. How do you secure your wireguard client key on the go? Do you monitor access logs? What about Guest Wi-Fi access, vlan separation...

I don't know if worrying about all these considered being paranoid. End of day it's about risk management, and personally, the benefits of selfhosting does not justify the effort I will need to put into maintaining it.

It’s not everything encrypted. The server sees what domains you have passwords for. So there is a lot of metadata visible on the server. You have to trust the server also if you use the web client because the web client is loaded from the server. It could leak all your data if the server is compromised and you log in via web.

> The server sees what domains you have passwords for.

The server does not see the domains you have passwords for. The following data are saved in plaintext:

- A list of "equivalent domains" (this starts out with a default list, but individuals can change this). This totally can be used to deduce which websites you have an account for, but that's not really enough information, as most websites will not have an entry here.

- Some metadata such as your email, master password hint

- Most of the boolean values (mfa enabled, email verified, premium)

- Custom field types (types only, field name, and value are both encrypted)

- Revision date

- Bunch of UUIDs

Here is what a single password entry looks like when retrieved from the /sync endpoint, which happens before decryption: https://pastebin.com/FLr19qiN

> You have to trust the server also if you use the web client because the web client is loaded from the server.

This is true! However, the android app, cli, and other clients do not get loaded from the server, thus, in theory, you can inspect the source of them, possibly compile it yourself, and use that. In those scenarios you do not have to trust the server.

Agreed, managing secure servers is a full time job.

The situation with Bitwarden is a bit different though. Secrets are encrypted on the clients, the server never sees decrypted data.