Many sysadmin teams still rely on password-protected spreadsheets for credential sharing, which presents multiple security risks: no audit trails, weak encryption, and no proper access controls. When multiple administrators need access to production credentials, we need enterprise-grade solutions.
{
  "must_have": [
    "Individual authentication per admin",
    "End-to-end encryption",
    "Access audit logging",
    "Linux/Mac compatibility",
    "Web interface with SSL",
    "Open source option"
  ],
  "nice_to_have": [
    "CLI access",
    "API integration",
    "2FA support",
    "Emergency access"
  ]
}
1. Bitwarden (Self-Hosted)
The open-source version of Bitwarden (bitwarden_rs) can be self-hosted with Docker:
# Install Docker (if not present)
curl -fsSL https://get.docker.com | sh
# Run Bitwarden_RS container
docker run -d --name bitwarden \
  -v /bw-data/:/data/ \
  -p 80:80 \
  -p 3012:3012 \
  bitwardenrs/server:latest
Features include:
- Per-user access controls
- Secure password sharing
- Browser extensions
- Mobile apps
2. Passbolt
Specifically designed for teams with native Linux support:
# Ubuntu/Debian installation
sudo apt install -y mariadb-server php php-cli php-mysql \
  php-ldap php-gd php-xml php-mbstring php-curl
curl -sSL https://download.passbolt.com/ce/installer/debian/install.sh | sudo bash
Access Control Matrix
Create clear policies for credential access levels:
# Example YAML policy for Passbolt
access_control:
  production_db:
    admins: [user1@domain.com, user2@domain.com]
    read_only: [user3@domain.com]
  staging:
    admins: [user1@domain.com, user3@domain.com]
Backup Strategy
Always implement encrypted backups of your password database:
#!/bin/bash
# Daily encrypted backup script
TIMESTAMP=$(date +%Y%m%d)
# -pbkdf2: derive the key with PBKDF2 instead of OpenSSL's deprecated legacy KDF
openssl enc -aes-256-cbc -salt -pbkdf2 -in /var/lib/bitwarden/data.db \
  -out /backups/bw_$TIMESTAMP.enc -pass file:/etc/backup.key
- Enforce 2FA for all admin accounts
- Rotate master encryption keys annually
- Implement IP whitelisting for admin access
- Conduct quarterly access reviews
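To make the access-control matrix and the quarterly access review above concrete, here is an added example (not code from the answer, Passbolt or Bitwarden): it evaluates a policy of the same shape as the YAML above with default deny, treats an "admins" entry as read+write and "read_only" as read, and produces the findings a reviewer would want each quarter. The policy dict, the `active_users` roster and the finding types are constructed for the example.

```python
# Added example: evaluate a Passbolt-style access-control matrix and
# generate quarterly access-review findings. Policy and roster are constructed.
from typing import Dict, List, Set

# Same shape as the YAML policy above: resource -> level -> list of users.
POLICY: Dict[str, Dict[str, List[str]]] = {
    "production_db": {
        "admins": ["user1@domain.com", "user2@domain.com"],
        "read_only": ["user3@domain.com"],
    },
    "staging": {
        "admins": ["user1@domain.com", "user3@domain.com"],
    },
}

# What each policy level grants; an unknown level grants nothing (default deny).
LEVEL_GRANTS = {"admins": {"read", "write"}, "read_only": {"read"}}


def permitted_actions(policy, user: str, resource: str) -> Set[str]:
    """Return the actions ("read"/"write") a user may perform on a resource."""
    actions: Set[str] = set()
    for level, users in policy.get(resource, {}).items():
        if user.lower() in (u.lower() for u in users):
            actions |= LEVEL_GRANTS.get(level, set())
    return actions


def is_allowed(policy, user: str, resource: str, action: str) -> bool:
    """Default deny: unknown resources, users or levels grant nothing."""
    return action in permitted_actions(policy, user, resource)


def access_review(policy, active_users: List[str]) -> List[dict]:
    """Findings for a quarterly review:
    - stale_account: a user still in the policy but no longer an active admin
    - broad_admin:   a user holding write access on more than one resource
    """
    active = {u.lower() for u in active_users}
    findings: List[dict] = []
    write_count: Dict[str, int] = {}
    for resource, levels in policy.items():
        for level, users in levels.items():
            for user in users:
                u = user.lower()
                if u not in active:
                    findings.append({"type": "stale_account", "user": u,
                                     "resource": resource, "level": level})
                if "write" in LEVEL_GRANTS.get(level, set()):
                    write_count[u] = write_count.get(u, 0) + 1
    for u, n in sorted(write_count.items()):
        if n > 1:
            findings.append({"type": "broad_admin", "user": u, "resources": n})
    return findings


if __name__ == "__main__":
    # Constructed roster: user2 has left the team since the policy was written.
    for f in access_review(POLICY, ["user1@domain.com", "user3@domain.com"]):
        print(f)
```

Keeping the evaluation default-deny matters more than the data shape: a typo in a level name or an unlisted resource must yield no access rather than fall through to a permissive branch.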
Many IT teams still rely on password-protected Excel files or text documents to manage credentials. This approach fails on multiple fronts:
- No proper access auditing
- Single point of failure (the master password)
- No version control for password changes
- Weak encryption in most cases
Here are three battle-tested solutions that meet your requirements:
1. Passbolt
Feature highlights:
# Example of Passbolt API usage
import passbolt

client = passbolt.Client(
    base_url="https://yourdomain.com",
    private_key="/path/to/admin_private.key"
)

# Retrieve a password
ssh_creds = client.get_resource(resource_id="prod-ssh-01")
print(f"Username: {ssh_creds['username']}")
2. Bitwarden (Self-Hosted)
Installation on Linux:
# Using the official Bitwarden install script
curl -Lso bitwarden.sh https://go.btwrdn.co/bw-sh
chmod +x bitwarden.sh
./bitwarden.sh install
./bitwarden.sh start
3. Vaultwarden (Unofficial Bitwarden-compatible Server)
Docker-compose example:
version: '3'
services:
  vaultwarden:
    image: vaultwarden/server:latest
    environment:
      - ADMIN_TOKEN=your_secure_token_here
    volumes:
      - ./vw_data:/data
    ports:
      # Vaultwarden serves plain HTTP on port 80 inside the container;
      # terminate TLS at a reverse proxy in front of it rather than mapping 443 directly.
      - "80:80"
When implementing any password management system:
- Always enforce 2FA for admin accounts
- Implement IP whitelisting for admin access
- Regularly rotate API keys and admin tokens
- Monitor for failed login attempts
Here's how you might implement basic audit logging with Passbolt's API:
from datetime import datetime, timezone

def log_access(resource_id, user_email):
    # Timezone-aware UTC timestamp (datetime.utcnow() is deprecated since Python 3.12)
    timestamp = datetime.now(timezone.utc).isoformat()
    log_entry = f"{timestamp} | {user_email} accessed {resource_id}\n"
    # Append-only write; the file itself should be root:adm 0640 (see below)
    with open("/var/log/passbolt_access.log", "a") as f:
        f.write(log_entry)
    return True
Remember to set proper permissions on your log files:
sudo chown root:adm /var/log/passbolt_access.log
sudo chmod 640 /var/log/passbolt_access.log
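Building on the audit-logging and "monitor for failed login attempts" points above, here is an added example (not code from the answer or from Passbolt) of a hardened variant of that `log_access()` helper plus a detector run over the lines it writes: entries are JSON lines, the file is created mode 0640 and opened `O_APPEND` so earlier entries cannot be overwritten, and the detector flags an account that reads an unusually large number of distinct credentials in a short window. The log path (a temp directory), the thresholds and the event data are constructed assumptions; nothing calls the Passbolt API.

```python
# Added example: append-only structured access log plus a bulk-retrieval detector.
# Paths, thresholds and events are constructed; this does not call Passbolt.
import json
import os
import tempfile
from collections import defaultdict
from datetime import datetime, timedelta, timezone


def log_access(log_path, resource_id, user_email, source_ip, when=None):
    """Append one JSON line. The file is created 0640 (further limited by umask)
    and opened O_APPEND so concurrent writers cannot clobber earlier entries."""
    entry = {
        "ts": (when or datetime.now(timezone.utc)).isoformat(),
        "user": user_email,
        "resource": resource_id,
        "src": source_ip,
    }
    fd = os.open(log_path, os.O_WRONLY | os.O_CREAT | os.O_APPEND, 0o640)
    with os.fdopen(fd, "a") as f:
        f.write(json.dumps(entry) + "\n")
    return entry


def read_log(log_path):
    """Parse the JSON-lines log back into dicts, skipping blank lines."""
    with open(log_path) as f:
        return [json.loads(line) for line in f if line.strip()]


def bulk_retrieval(entries, max_distinct=5, window=timedelta(minutes=10)):
    """Flag users who read more than max_distinct distinct resources inside any
    sliding window of the given length (a common sign of a vault being dumped)."""
    by_user = defaultdict(list)
    for e in entries:
        by_user[e["user"]].append((datetime.fromisoformat(e["ts"]), e["resource"]))
    alerts = []
    for user, events in by_user.items():
        events.sort()
        start, worst = 0, 0
        for end in range(len(events)):
            # Slide the window start forward until it fits inside `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            worst = max(worst, len({r for _, r in events[start:end + 1]}))
        if worst > max_distinct:
            alerts.append({"user": user, "distinct_resources": worst})
    return alerts


def demo():
    """Write constructed events to a temp log, then run the detector.
    Returns (entries, alerts, file mode bits) so the result can be checked."""
    path = os.path.join(tempfile.mkdtemp(), "passbolt_access.log")
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    # Normal admin: two lookups an hour apart (constructed).
    log_access(path, "prod-ssh-01", "user1@domain.com", "10.0.0.5", t0)
    log_access(path, "prod-db-01", "user1@domain.com", "10.0.0.5", t0 + timedelta(hours=1))
    # Suspicious: one account pulls eight different credentials in under three minutes (constructed).
    for i in range(8):
        log_access(path, f"prod-secret-{i:02d}", "user3@domain.com", "203.0.113.7",
                   t0 + timedelta(seconds=20 * i))
    entries = read_log(path)
    mode = os.stat(path).st_mode & 0o777
    return entries, bulk_retrieval(entries), mode


if __name__ == "__main__":
    _, alerts, mode = demo()
    print(f"log mode {oct(mode)}; alerts: {alerts}")
```

The threshold and window are tuning knobs; the useful property is that the detector works from the same append-only file the logger writes, so a reviewer can replay it after the fact. Ship the file to a central log host as well, since a local admin can still truncate it.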