Looking at keepassXC doc I couldn’t find such setup. Maybe it’s possible, but maybe it also leads to trouble down the road. The “official way” seems to use cloud storage.

You keep saying external server for syncthing, but again: syncthing does direct data transfers, encrypted end to end, between devices.

I mention that but with a specific context.

• people with certain ISPs will need to use the relay transfer feature because direct connections can’t be established. Similarly, if you work in an office and you use the corporate network, you usually can’t have device-to-device working (can be both from a technical POV and from a policy POV).
• even with 0 data transfers, servers still have some trust in establishing your direct connections. I know that syncthing uses keys to establish connections, but that’s why I mentioned CVEs. If there is one, your sync connection could be hijacked and sent elsewhere. It’s a theoretical case, I don’t think it’s very likely, but it’s possible. The moment you have a server doing anything, you are extending trust.

In those cases then yes, you are extending a bare minimum trust, and you fully encrypted data would temporarily pass on the relay’s RAM

And from my (consumer) PoV this is functionally equivalent to have the data stored on a server. It might not be all the data (at once), it might be that nobody dumps the memory, but I still need to assume that the encrypted data can be disclosed. Exactly the same assumption that should be made if you use bitwarden server.

If this makes you paranoid

Personally it doesn’t. As I said earlier, it’s way more likely that your entire vault can be taken away by compromising your end device, than a sophisticated attack that captures encrypted data. Even in this case, these tools are built to resist to that exact risk, so I am not really worried. However, if someone is worried about this in the case of bitwarden (there is a server, hence your data can be disclosed), then they should be worried also of these corner cases.

I just get nothing from Bitwarden that syncthing and KeePass don’t offer more easily.

You can say many things, but that keepass + syncthing is easier is not one of them. It’s a bespoke configuration that needs to be repeated for each device, involving two tools. bitwarden (especially if you use the managed service) works out of the box, for all your devices with 0 setup + offers all features that keepass doesn’t have (I mentioned a few, maybe you don’t need them, but they exist).

I don’t know how or why you would have vault conflicts, but it really does sound like something fixable

At the time I did not use syncthing, I just used Drive (2014-2017 I think), and it was extremely annoying. The thing is, I don’t want to think about how to sync my password across devices, and since I moved to bitwarden I don’t have to. This way I don’t need to think about it, and also my whole family doesn’t have to. Win-win.

That said, if you are happy with your setup, more power to you. I like keepass, I love syncthing, I have nothing against either of them. I just came here to say that sometimes people overblow the risk of a server when it comes to a password manager. Good, audited code + good crypto standards means that the added risk is mininal. If you get convenience/features, it’s a win.

Agree on the versioning issue. In fact I mentioned that the issue is convenience here. It is also data corruption, but you probably are aware of that if you setup something like this. Manually merging changes is extremely annoying and eventually you end up forgetting it to do it, and you will discover it when you need to login sometime in the future (I used keepass for years in the past, this was constantly an issue for me). With any natively sync’d application this is not a problem at all. Hence +1 for convenience to bitwarden.

However KeePassXC’s sync feature does sync the vault.

How does it work though? From this I see you need to store the database in a cloud storage basically.

For mobile I just give syncthing full permission to run in the background and have never had issues with the syncing on the folders I designate.

I use this method for my notes (logseq). Never had synchronization problem, but a lot of battery drain if I let syncthing running in the background.

Nothing else passes through it unless you opt into using relaying in case you have NAT issues.

I guess this can be very common or even always the case for people using some ISPs. In general though, you are right. There is of course still the overall risk of compromise/CVEs etc. that can lead to your (encrypted) data being sent elsewhere, but if all your devices can establish direct connections between each other, your (encrypted) data is less exposed than using a fixed server.

If you are paranoid, the software is open source and you can host your own relays privately,

This would also defeat basically all the advantages of using keepass (and family) vs bitwarden. You would still have your data in an external server, you still need to manage a service (comparable to vaultwarden), and you don’t get all the extra benefits on bitwarden (like multi-user support etc.).

To be honest I don’t personally think that the disclosure of a password manager encrypted data is a big deal. As long as a proper password is used, and modern ciphers are used, even offline decryption is not going to be feasible, especially for the kind of people going after my passwords. Besides, for most people the risk of their client device(s) being compromised and their vault being accessible (encrypted) is in my opinion way higher than -say- Bitwarden cloud being compromised (the managed one). This means that for me there are no serious reasons to use something like keepass (anymore) and lose all the convenience that bitwarden gives. However, risk perception is personal ultimately.

Few reasons, with the most important being convenience. Syncthing is going to see just a binary blob as the password storage is encrypted. This means it is impossible for syncthing to do proper synchronization of items inside the vault. Generally this is not a problem, but it is if you happen to edit the vault on multiple devices and somehow syncthing didn’t sync yet the changes (this is quite common for me on android, where syncthing would drain the battery quite quickly if it’s always actively working). For bitwarden on the other hand the sync happens within the context of the application, so you can have easy n-way merge of changes because its change is part of a change set with time etc.

Besides that, the moment you use syncthing from a threat model point of view, you are essentially in the same situation: you have a server (in case of syncthing - servers) that sees your encrypted password data. That’s exactly what bitwarden clients do, as the server only has access to encrypted data, the clients do the heavy lifting. If the bitwarden server is too much of a risk, then you should worry also of the (random, public, owned by anybody) servers for syncthing that see your traffic.

Keeshare from my understanding does use hosting, it uses cloud storage as a cloud backend for stateful data (Gdrive, Dropbox etc.), so it’s not very different. The only difference would be if you use your private storage (say, Synology Drive), but then you could use the same device to run the bit/vaultwarden server, so that’s the same once again.

The thing is, from a higher level point of view the security model can only be one of a handful of cases:

• the password data only remains local
• the password data is sync’d with device-to-device (e.g. ssh) connections
• the password data is sync’d using an external connection that acts as a bridge or as a stateful storage, where all the clients connect to.

The more you go down in the list, the more you get convenience but you introduce a bit of risk. Tl;Dr keepass with keyshare/syncthing has the same risks (or more) than a Bitwarden setup with bitwarden server.

In addition to all the above, bitwarden UX is I would say more developed, it has a better browser plugin, nice additional tools and other convenience features that are nice bonuses. It also allows me to have all my family using a password manager (including my tech illiterate mom), without them having to figure out anything, with the ability to share items, perform emergency accesses etc.

Edit: I can’t imagine this comment to be deemed off topic, so if someone downvoted simply to express disagreement, please feel free to correct or dispute what I wrote, as it would certainly make for an interesting conversation! Cheers

Over nextcloud probably the e2ee. I suppose soon they will also integrate this better with email (like you can attach directly and save directly from email), so the seamless integrations with the rest of the products will probably amount to other benefits over time.

Until I can easily export the data, where is the vendor lock?

Vendor lock means that migrating away has significant cost or technical challenges.

Take this case: documents saved are first of all easily downloadable from drive (in bulk), and also exportable in markdown.

They change pricing/add features that I don’t want/sell off the company (hard now that it’s managed by a nonprofit but still) etc.? I make a nice bulk download and move everything in whatever other system I want. I can do the same for contacts, email (I use my own domains) and calendar. Basically, 1h + the time to download files and I am moved to another provider.

Can you elaborate in what you think the vendor lock looks like?

https://github.com/ProtonMail/WebClients/tree/main/applications

They use monorepo for the web clients, at least.

Here the mobile apps:

https://github.com/ProtonDriveApps

Usually when hotels close past a certain time you can use a secondary entrance with your keys/card or at most call. Most hotels have a desk open 24h so this doesn’t even apply.

Also, I really don’t think Italians are generally rude. People are friendly, but also loud and warm, which often can be misunderstood. Assholes exist, obviously.

Yes, you cited examples from early 2000 and then you add current references that have the characteristics I have observed. Maybe you should develop your argument better at this point? Or are you keeping the best examples that show meaningful, present, contributions secrets just to make your argument weaker on purpose?

I pointed out flaws in your arguments which you keep not addressing by making arrogant comments, which makes me thing you don’t have any more arguments to use.

Also, I don’t hate Apple, I don’t care for it. I even mentioned in my very first comment that what Apple does is no different from what other organizations do, even if those make currently bigger contributions to FOSS (Microsoft contributions to the Linux kernel, google project zero reports etc.).

You also continue to avoid the argument that forbidding people to run what they want on generic purpose hardware is completely against the principles of FOSS, and yet all your argument is “why would they”. This fact alone would put any OSS contribution to shame, because it’s a clear as day demonstration that they don’t believe (let alone care) about the Freedom of users, and that opensourcing is a mere way to pursue business interests, which has no moral value on its own.

You cited a couple of mid-2000 projects (e.g. OpenCL), that Apple opensourced and that anyway hardly apply to the current Apple, since 15+ years passed and the company is under new leadership etc. Then you listed a bunch of links, which I have looked at, and I saw that the vast majority of the OSS projects are related to Swift-ui and other tools that are useful to build app (mostly) in their ecosystem (webKit, careKit, etc.).

So to understand better, your argument fully relies on contributions that happened 15 years ago, to claim that the current company “cares” about FOSS?

Also, you disregard the second part of the argument in order to write your arrogant reply:

Apple is even worse than them considering how they want to have the complete monopoly of what can run on their hardware, which is completely antithetical to the core idea of FOSS.

Which is an answer to your statement:

So? Why should they? It’s a major competitor. Should they provide windows support too? Lol. (They don’t anymore, btw)

Which begs the question: what caring about FOSS means to you? For me caring about FOSS means caring about the freedom of the customers who already paid for their hardware to run whatever they want on it. This freedom Apple opposes in whatever way they can, in basically whatever hardware they make.

I really don’t get which critical contributions they do. On their own website https://opensource.apple.com/projects/ they seem to list basically tools and frameworks for building apps, which is on their interest first and foremost that developers have. I don’t know what “Community projects” mean, and how big contributions they do there.

Also I don’t really like your argument “why they should provide Linux support, they are a competitor”. Well, this is what happens when a single company does both the hardware and the software AND doesn’t care about the “freedom” part of Foss.

To be fair though most companies can’t care less, open source is just a practice that some companies do to pursue their own interest. Microsoft does huge contributions to OSS (including the Linux kernel), same for Google, and yet I would not really say that those companies care about FOSS. Apple is even worse than them considering how they want to have the complete monopoly of what can run on their hardware, which is completely antithetical to the core idea of FOSS. Despite you paid already the 2.5k for your hardware and their OS, they can’t just let you run whatever you want on it.

Corporations can also act on behalf, or on the orders of nation states. So you don’t solve anything, if a state wants to get involved, it will. You have the additional cons that corporations tend to cater to their financial interests anyway, while a public institution might not always have ulterior motives.

I think the general idea is discovery. At the moment if you want to look for a project you go to github and search. If you go to my gitea instance you find only my 10 projects. With federation I could search my own gitea instance and find/easily clone repos from all the federate instances. To me it seems a gamechanger in making codeberg/gitea and also gitlab real competitors to github.

I run /e/OS on my Fairphone 3. The only thing that doesn’t work is login with fingerprints with my banking app. Everything else works, I did not have a problem and I am now running it for more than 3 years I believe (or 4?).