Chapter 5: Admin Training
When standing up a new service, I like to summarize its administrative tasks, as my full documentation can be a bit overwhelming. This chapter summarizes the administrative tasks for BitWarden.
This chapter is broken down into these sections:
These instructions assume you've followed the backup-automation instructions in Chapter 4: https://github.com/ZacksHomeLab/BitWarden/wiki/Chapter-4.-BitWarden-Maintenance#how-to-automate-backups
If so, that chapter's PowerShell script (backup-bitwarden.ps1) can perform two types of backup:
- Incremental - Recommended when you are not performing a software update
- All (full backup) - Recommended before performing a software update
- SSH into your BitWarden server
- To perform an incremental backup, run the following command:
# Password file location: /opt/bitwarden/password_file
# Final Backup Location: /backups
# Retention (days): 14
# Log file location: /opt/bitwarden/backup-bitwarden.log
sudo /usr/bin/pwsh -File "/opt/bitwarden/backup-bitwarden.ps1" -PasswordFile /opt/bitwarden/password_file -FinalBackupLocation /backups -Incremental -days 14 -LogFile /opt/bitwarden/backup-bitwarden.log
- To perform a full backup, execute the following command:
# Password file location: /opt/bitwarden/password_file
# Final Backup Location: /backups
# Retention (days): 14
# Log file location: /opt/bitwarden/backup-bitwarden.log
sudo /usr/bin/pwsh -File "/opt/bitwarden/backup-bitwarden.ps1" -PasswordFile /opt/bitwarden/password_file -FinalBackupLocation /backups -All -days 14 -LogFile /opt/bitwarden/backup-bitwarden.log
- These instructions assume you've added the restore PowerShell script (restore-bitwarden.ps1) from Chapter 4: https://github.com/ZacksHomeLab/BitWarden/wiki/Chapter-4.-BitWarden-Maintenance#step-1-create-powershell-script-1
- SSH into your BitWarden Server
- Execute the following command. A restore replaces the running instance's data with the archive's contents, so take a fresh backup first if anything in the current vault matters:
# Update Password file to your password file's location
# Update the BackupFile to the location of your backup file
sudo /usr/bin/pwsh -File "/opt/bitwarden/restore-bitwarden.ps1" -PasswordFile /opt/bitwarden/password_file -BackupFile '/backups/BitWardenBackup-2022-12-26_23-24-39.tar.gpg'
- These instructions assume you've followed the software-update automation instructions in Chapter 4: https://github.com/ZacksHomeLab/BitWarden/wiki/Chapter-4.-BitWarden-Maintenance#how-to-automate-software-updatesupgrades
- If you followed Chapter 4, updates are already automated. However, if an update is released on a Monday with a feature or bug fix you want right away, you can update BitWarden manually as follows:
- SSH into your BitWarden Server
- Run the update PowerShell script:
# Update Password file to your password file's location
# Update the finalbackuplocation to your server's backup location
# Update the logfile to the location of this script's logfile
sudo /usr/bin/pwsh -File "/opt/bitwarden/update-bitwarden.ps1" -PasswordFile /opt/bitwarden/password_file -FinalBackupLocation /backups -LogFile /opt/bitwarden/update-bitwarden.log
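The full-backup command from the backup section and the update command above are the two pieces a practitioner usually wants chained with a check in between: an update taken on top of a backup that does not decrypt is a one-way trip. The bash wrapper below is an added example; it is not part of this wiki or its PowerShell scripts. It assumes the backup naming shown in this page's restore command (BitWardenBackup-YYYY-MM-DD_HH-MM-SS.tar.gpg), that the archive is gpg symmetric encryption using the passphrase in the password file, and the page's default paths; the function names and the environment-variable overrides are mine.

```shell
#!/usr/bin/env bash
# Added example (not part of the ZacksHomeLab wiki or its PowerShell scripts).
# Wraps the page's full-backup and update commands so the update never runs
# unless the backup it just took exists, is fresh, and decrypts with the
# password file. Assumptions, labelled here: backups are gpg symmetric
# archives named BitWardenBackup-YYYY-MM-DD_HH-MM-SS.tar.gpg (the name shown
# in this page's restore command) encrypted with the passphrase in
# PASSWORD_FILE; the script and log paths are the page's defaults.
set -euo pipefail

SCRIPT_DIR=${SCRIPT_DIR:-/opt/bitwarden}
PASSWORD_FILE=${PASSWORD_FILE:-/opt/bitwarden/password_file}
BACKUP_DIR=${BACKUP_DIR:-/backups}
RETENTION_DAYS=${RETENTION_DAYS:-14}

# Newest archive by the timestamp in its name. The pattern is zero-padded, so
# plain string comparison is chronological; mtime is deliberately ignored
# because a copy or a restore can reset it. Returns 1 if there is no archive.
latest_backup() {
    local dir=$1 newest="" f
    shopt -s nullglob
    for f in "$dir"/BitWardenBackup-*.tar.gpg; do
        [[ ${f##*/} > ${newest##*/} ]] && newest=$f
    done
    shopt -u nullglob
    [[ -n $newest ]] && printf '%s\n' "$newest"
}

# Age in whole days of an archive, from the timestamp in its name.
# $2 (epoch seconds) overrides "now", which keeps the function testable.
backup_age_days() {
    local name stamp d t epoch now
    name=${1##*/}
    stamp=${name#BitWardenBackup-}   # 2022-12-26_23-24-39.tar.gpg
    stamp=${stamp%.tar.gpg}          # 2022-12-26_23-24-39
    d=${stamp%%_*}                   # 2022-12-26
    t=${stamp#*_}                    # 23-24-39
    epoch=$(date -u -d "$d ${t//-/:}" +%s)
    now=${2:-$(date -u +%s)}
    echo $(( (now - epoch) / 86400 ))
}

# Decrypt with the password file and list the tar without writing anything to
# disk: proves both the passphrase and the archive are intact (a restore test
# cheap enough to run every time).
verify_backup() {
    local archive=$1 pwfile=$2
    sudo gpg --batch --quiet --pinentry-mode loopback --passphrase-file "$pwfile" \
        --decrypt "$archive" | tar -tf - >/dev/null
}

# Full backup (the page's -All command), then verify, then the page's update command.
safe_update() {
    sudo /usr/bin/pwsh -File "$SCRIPT_DIR/backup-bitwarden.ps1" -PasswordFile "$PASSWORD_FILE" \
        -FinalBackupLocation "$BACKUP_DIR" -All -days "$RETENTION_DAYS" \
        -LogFile "$SCRIPT_DIR/backup-bitwarden.log"
    local newest
    newest=$(latest_backup "$BACKUP_DIR") || { echo "no backup in $BACKUP_DIR; aborting" >&2; return 1; }
    # A backup script that failed quietly leaves yesterday's archive as the newest one.
    if (( $(backup_age_days "$newest") > 0 )); then
        echo "newest backup $newest is not from today; aborting" >&2; return 1
    fi
    verify_backup "$newest" "$PASSWORD_FILE" || { echo "$newest does not decrypt; aborting" >&2; return 1; }
    echo "verified $newest; updating"
    sudo /usr/bin/pwsh -File "$SCRIPT_DIR/update-bitwarden.ps1" -PasswordFile "$PASSWORD_FILE" \
        -FinalBackupLocation "$BACKUP_DIR" -LogFile "$SCRIPT_DIR/update-bitwarden.log"
}

# Usage: source this file on the BitWarden server, then run: safe_update
```

The freshness check matters as much as the decrypt check: a backup script that exits quietly without writing leaves last night's archive as the newest file, and verifying that one would still pass.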
The scenario assumes you need to adjust the number of licensed seats. You can set a fixed number of users up front, but I prefer to keep costs down by raising the seat count only as we need it.
- This is currently done through BitWarden's online vault. You MUST be an Owner of the organization in your BitWarden Cloud account, since billing and subscription settings are Owner-only.
- Log into the online vault: https://vault.bitwarden.com
- Once signed-in, click Organization - Billing - Subscription:
- Update the Subscription Seats amount to your liking and click Save (in my example, I'll adjust it from 1 seat to 2 seats):
- Once updated, scroll and download the license under Self-hosting:
- Input your Installation ID. This can be found in two locations:
  * From the admin portal of your self-hosted instance (requires your account's email to be listed under adminSettings__admins in the server's global environment file): https://bitwarden.example.com/admin
  * From the global environment file on the server, /opt/bitwarden/bwdata/env/global.override.env, as the value of globalSettings__installation__id. That file also holds the installation key and database credentials, so read just that one line (for example with grep) rather than opening the whole file in an editor.
- Click Submit
- Once downloaded, proceed to Step 2.
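Because global.override.env also holds the installation key and database credentials, opening it in an editor shows far more than you need and is easy to do over a shoulder or a screen share. The bash function below is an added example (not from the wiki) that prints only the installation ID and refuses to run on a file other users can read; the key name globalSettings__installation__id and the quoted/CRLF handling are assumptions about the installer's format, and the function name is mine.

```shell
#!/usr/bin/env bash
# Added example, not from the wiki: read only the installation ID out of
# global.override.env instead of opening the whole file in an editor. The file
# also holds the installation key and database credentials, so this prints
# nothing but the ID and refuses to run if the file is readable by other local
# users. Assumptions, labelled here: the key name is
# globalSettings__installation__id (what Bitwarden's installer writes) and the
# value may be quoted or unquoted, with LF or CRLF line endings.
set -euo pipefail

installation_id() {
    local env_file=${1:-/opt/bitwarden/bwdata/env/global.override.env}
    local mode line value
    mode=$(stat -c '%a' "$env_file")
    # Low three bits of the octal mode are the "other" permissions.
    if (( 8#$mode & 7 )); then
        echo "refusing: $env_file is readable by others (mode $mode); run chmod 600 on it first" >&2
        return 2
    fi
    line=$(grep -m1 -E '^globalSettings__installation__id=' "$env_file") \
        || { echo "no globalSettings__installation__id in $env_file" >&2; return 1; }
    value=${line#*=}
    value=${value%$'\r'}                    # tolerate CRLF
    value=${value#\"}; value=${value%\"}    # strip optional quotes
    printf '%s\n' "$value"
}

# Usage: as root (the file is normally owned by root with mode 600), source this
# file and call: installation_id
```

The permission check is there because the env file is the single most sensitive file in a self-hosted install; if the function refuses, fix the mode before doing anything else with the server.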
- Open your self-hosted BitWarden instance: https://bitwarden.example.com/
- Once signed-in, click Organizations - Billing - Update license:
- Upload your license file from Step 1 and click Submit:
- You should now be able to add another user to your self-hosted instance.
- This step assumes you have enough licenses to add another user. If not, see Steps 1 & 2.
- Log into your self-hosted instance: https://bitwarden.example.com
- Click Organizations - Manage - Members - Invite User:
* Email Address: Input the person's email address. It must be a real mailbox, as they will have to verify it when creating their account.
* User Type:
Role | Description |
---|---|
User | Assign this role if the person only needs to use their assigned collection(s). They can add items to those collections unless the collection access is set to read-only. |
Manager | Assign this role if the person should manage their assigned collection(s), including adding or removing people from them. |
Admin | Assign this role if the person should manage organization access, all collections, members, reporting, and security settings. |
Owner | Assign this role for full control of the organization, including billing, the subscription and license, and other owners. An organization can have more than one owner; a second owner avoids a single account being a point of failure for the whole organization. |
Custom | Build your own role from a specific set of permissions. |
* Access Control: Select which collection(s) this user has access to (e.g., someone in HR needs access to the 'HR' collection). Per collection you can also make the access read-only or hide passwords, so the person can autofill a credential without being able to view or copy it.
* Click Save (the person receives an invitation email as soon as you do).
- In my example, I'll be creating a user that has access to the 'default collection':
- Once invited, you should see the new user appear in your members list:
- Notify the person they should have received an email regarding their new BitWarden account and to click the 'Join Organization Now' button:
- Upon joining the organization, they'll need to select 'Create account':
- They'll need to do the following upon account creation:
- Input their Name
- Create a master password
- Retype said master password
- Type a master password hint
- Click Create Account
- Upon creation, they'll need to login:
- After login, they'll need to verify their email by clicking the 'Send Email' in the top-right:
- They will need to go back into their email and click the 'Verify Email Address Now' button in their email:
- NOTE: if your organization requires two-step login, the end user must set it up before they can join the organization.
- The method will vary by organization, as you may use YubiKeys, Duo, or another second factor. I'll demonstrate setting up two-step login via email from the end user's point of view:
- Click the User Profile icon in the top-right and select 'Account Settings':
- Click Security - Two-step login:
- For this example, select Manage next to Email:
- Input Master Password to confirm the 2FA:
- Click 'Send email':
- A verification email should have been sent with a 6-digit verification code, like so:
- Input the code to enable 2FA:
- Click Close:
- Once the person has verified their email address, you should receive an email notifying you of the verification. Then browse to Organizations - Manage - Members and select Confirm on the new user's account:
- You will be shown a pop-up asking you to verify the user's fingerprint phrase. Confirming encrypts the organization key to the public key that phrase is derived from, so check it out of band (phone, chat, or in person) against the phrase shown in the user's own account settings before you click Confirm; confirming an unchecked phrase would hand the organization's data to whoever holds that key.
- Once confirmed, your end-user will be emailed of the confirmation they have access to your organization:
- They may need to logout/login to see their new collections.
- Once logged-in, they should see your organization on the left-hand side:
- In case an employee is hit by a bus or leaves the company, plan for emergency access ahead of time. You CANNOT read an employee's individual vault from the admin side: it is encrypted with a key derived from their master password, which the server never sees, and two-step login adds a second gate even if the password were known. (Items in organization collections stay reachable by admins; this is about the person's own vault.) Emergency Access is BitWarden's supported way for a trusted contact to take over the account without those credentials.
- I'll be demonstrating how to set up emergency access from the end user's point of view
- Log into BitWarden: https://bitwarden.example.com (replace example.com with your domain)
- Click the User Profile icon in the top-right and select Account Settings:
- Click Emergency Access on the left-hand side:
- Click Add emergency contact:
- Input your supervisor's email address, select Takeover, and set the wait time to 7 days. The wait time is how long the employee has to reject a takeover request before it is granted automatically; I use 7 days so that if either account is compromised there are a few days to notice and cancel the request:
- The supervisor should receive an email notifying them of said emergency access:
- The supervisor will need to input their master password to confirm:
- The supervisor can verify the confirmation by clicking the user profile in the top-right and selecting 'Account Settings':
- Click Emergency Access and verify your employee is showing in your Designated as emergency contact list:
- Collections are somewhat like file shares: each department can have its own collection, and a person can have access to one or many of them.
- Depending on the size of your organization, you may want to use groups to manage access to collections. I do this regardless of size: if I have an HR collection, I create an HR group for it, and when someone asks for access to a collection I simply add them to the matching group.
- Browse to your Self-Hosted instance: https://bitwarden.example.com (replace example.com with your domain)
- Click Organization - Manage - Collections:
- Click New Collection:
- In my example, I want to create an 'IT' collection. So, I'll input the name 'IT' and click Save:
- Browse to your Self-Hosted instance: https://bitwarden.example.com (replace example.com with your domain)
- Click Organization - Manage - Groups:
- Click New Group:
- In Step 1, I created an IT Collection. I would like to create an IT group affiliated with said collection.
- I'll input the name 'IT' and select the IT collection under Access Control, like so:
- Once the group has been created, you can now add the individuals to said group that require access to your new collection.
- Click Organizations - Manage - Members:
- Select the user to add to your newly created group and click Groups:
- I want this user added to my 'IT' group that I created in Step 2:
- They may need to logout/login to see their new collection.
- As mentioned in 'How-To Create a Collection', I use groups to manage my collection access. So, the user will need to be added to the affiliated group with said collection.
- Browse to your Self-Hosted instance: https://bitwarden.example.com (replace example.com with your domain)
- Click Organizations - Manage - Members:
- Select the user whose group membership needs to be updated and click Groups:
- I want this user added to the 'IT' group that has access to the 'IT' collection:
- Click Save
- The user may need to logout/login to see the new collection.
- This section is for individuals who need to help end users install the BitWarden client on their devices (e.g., computers, phones, etc.).
- Yes, you can do this with an MDM, but some of us work on little to zero budgets.
- Download BitWarden from their device's App Store
- Once installed, open the App
- You cannot take screenshots within the mobile app, which is unfortunate. Click the gear icon in the top-right corner
- Server URL: https://bitwarden.example.com (replace example.com with your domain)
- Click Save
- Once settings have been updated, have the end-user input their email address & Master Password
- Upon sign-in, if they have 2FA enabled, they'll need to go through that process.
- You can deploy browser extensions through Group Policy, but I'll assume that is not the case for everyone.
- Depending on your browser, install the BitWarden extension from your browser's web store:
- Click Add Extension:
- Once installed, open the extension and click Settings:
- Input your self-hosted URL and click Save:
- Input your Email Address and click Continue:
- Input your master password and click Log in:
- If you/they have 2FA enabled, you will be prompted for it now. In my case it asks whether to open the popup in a new window; I click Yes, because the popup closes on me if I switch away to check my email:
- I'll need to open my email to retrieve my 6 digit code. Once inputted, select Remember me and Continue:
- Success!:
- Yes, this can also be automated via GPO, MDM, etc. I'll be demonstrating the manual process.
- Depending on the individual, they may prefer the desktop version of the software, since some people are used to desktop password manager applications (e.g., KeePass).
- Download the desktop application here: https://bitwarden.com/download/
- Select your OS:
- Open the installer and click Install (IIRC it does not require admin privileges if you install for the current user only):
- Check Run BitWarden and select Finish:
- Once the app is open, click Settings in the top-left corner:
- Input your self-hosted URL: https://bitwarden.example.com (replace example.com with your domain):
- Input email address, Check Remember email, and click Continue:
- Input Master Password and click Log in:
- If you/they have 2FA enabled, they'll need to access said 2FA method. In my case, I'll need to access my email to grab the 6-digit code:
- Success!: