I always found it quite strange and not very secure to just put my plaintext passwords into a configuration file. That’s why I would be very interested in having an integration with eg Bitwarden to automatically get my password out of the Bitwarden Vault. This would also make it possible to change any password, without changing the configuration file of HA.
Main features:
Get username/password/token/… from Bitwarden vault
Approve which passwords can be requested by HA and which not (could be done by adding the approved ones into an organisation for example)
Both self-hosted as Bitwarden’s web vault compatible
This Feature request is NOT the same like this addon: Home Assistant Community Add-on: Bitwarden RS. The addon from @frenck is purely to make it easy to self-host the Bitwarden Vault. My Feature request is to enable Home Assistant requesting passwords from Bitwarden, like we currently can via credstash.
I’m not too technical on this aspect, but there’s a powerful, full-featured command-line interface (CLI) tool to access and manage your Bitwarden vault: https://help.bitwarden.com/article/cli/
What do you guys think? I believe this could increase the security heavily.
Good point which I assumed would be possible to mitigate. But that must be confirmed by someone with a decent knowledge on this. As said, I’m not that technical enough for this.
What I found to be a possible viable solution is to work with tokens. Like this:
Bitwarden works by having a “master key” that is computed from your email and
password. This needs to be kept “safe”, but this is a CLI program. We could
store the master key on disk somewhere, but that’s a bad idea.
The way we do this is with an in-memory ‘agent’ that listens on a 127.0.0.1 port
(configurable, but defaults to 6277) see: python/bitwarden/agent.py for all the
details. Bonus if you figure out why that port # :). Ideally on POSIX platforms
it would use a socket on disk somewhere to communicate, but I wanted this to
work on Windows, so this is what we can do… patches welcoome to fix this up
on POSIX.
when you login, it starts up the agent, with a timeout set to the login
access_token timeout in seconds, since we do not currently support re-freshing
the token. At the end of the token lease, the agent will kill itself and stop
running. (this is configurable, but not exported to the CLI yet – patches
welcome)
The agent requires a token to get the master key from it’s in-memory store.
This is currently 16 bytes of os.urandom() on startup and is stored on disk, but
changes every time a new agent runs.details are in python/bitwarden/db.py
But: I believe that adding a similar component for Bitwarden (or any other) is still a viable feature request. It’s not that if there is already another service providing this, that everyone must use that one. HA is always about aggregating many different (competing) services. Some people use Philips Hue to control their lights, some use KNX, … etc.
That’s the core strength of HA: be an independant platform upon which any other service can be integrated. So don’t stick with only 1 single viable option to login securily.
On the other hand, Bitwarden is really made simple for end users. To be honest, credstash really doesn’t look that simple or intuitive for non-developers.
It’s just a feature request I have, hoping for some traction as Bitwarden is really trending in this area. If no-one is interested, so be it. Then I’ll try to get credstash up & running, and have it synced with Bitwarden.
I don’t want to start a pointless yes/no discussion here. My only point here is that indeed there are already some alternatives available, but they are not really easy to use for non-advanced users. I would like to have a solution which I can easily use across all platforms (Mac OS, iPhone, Android, … etc) to sync my passwords. If I change my Google password, that I don’t have to update it in 3 different places & by logging in via terminals & via commands I don’t know by heart.
So again: yes, there are alternatives, but as long as you need more advanced technical knowledge & thus it’s not straightforward to use, not many people will start using them, which leads in the end to the same situation as before. Of course, for some people (like you) it’s not difficult at all and you can set it up in less than 5 minutes, but know that HA is becoming more and more popular, with less tech knowledge necessary (thanks to zeroconf etc.) and thus reaching a new target user group, who are not able to do this.
And also: why not allow people to keep using their preferred solution? I honestly don’t want to switch from Bitwarden to something else. I’m just looking for an easy way to integrate my current solution in this platform. And I’m quite convinced I’m not the only one on this.