Guillaume Hérail

Ramblings in Frenglish

Self-Hosting and Risk Assessment

Posted on — Jan 29, 2021

Someone reached out to me to get advice on the best password manager out there. From their perspective, the two options competing against each other were Bitwarden and KeeWeb. Either way, the solution would be self-hosted. This sparked an interesting discussion that I wanted to turn into a blog post.

A password manager is very important: it holds the secrets to your accounts and maybe some other information as well. If you lose access to that information, you will probably have a lot of issues. This makes your password manager a critical piece of your life.

In infrastructure, there is a way to classify services in tiers. Each service in a tier can only depend on services from a higher tier. An example:

Using this model, your DNS service would probably be Tier 1, while your issue tracker might be Tier 2 or even Tier 3. The definitions will of course depend on your context, but this is the idea.

Coming back to our password manager, the impact of losing access to it would be high, critical even. This would qualify as Tier 1: a lot of things depend on it. Now imagine that you host your password manager at home. You have your server, and the passwords to access it are probably in your password manager. This creates a circular dependency: you need your password manager to access your server, but to access your server, you need your password manager. You can of course have backups, but they come with a maintenance cost: you need to check that your backups are working and also that you can restore them.
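The tier rule and the circular dependency above can both be checked mechanically once you write your services down as a dependency graph. The following is an added example, not code from the original post: it models the home-hosted password manager with constructed tier numbers and dependency edges (the service names and the "remove the edge" remediation are assumptions for illustration), flags any service that depends on a less critical tier, finds dependency cycles with a depth-first search, and re-checks after the server credentials are moved out of the vault.

```python
"""Tier-dependency checker for a self-hosted setup (added example, constructed data).

Convention: Tier 1 is the most critical; a service may only depend on services
in a tier with a number lower than or equal to its own.
"""

# Constructed sample inventory: tier per service and what each one depends on.
TIERS = {"dns": 1, "password_manager": 1, "home_server": 2, "issue_tracker": 3}
DEPENDS_ON = {
    "issue_tracker": ["dns", "home_server"],
    "home_server": ["password_manager", "dns"],  # admin credentials live in the vault
    "password_manager": ["home_server"],         # the vault itself runs on that server
    "dns": [],
}


def tier_violations(tiers, depends_on):
    """Return (service, dependency) pairs where a service relies on a LESS critical
    tier than its own, i.e. a dependency whose tier number is larger."""
    violations = []
    for service, deps in depends_on.items():
        for dep in deps:
            if tiers[dep] > tiers[service]:
                violations.append((service, dep))
    return violations


def find_cycles(depends_on):
    """Return every dependency cycle found by DFS, each as a list of service names
    that starts and ends on the same service."""
    WHITE, GRAY, BLACK = 0, 1, 2  # unvisited / on the current path / finished
    color = {service: WHITE for service in depends_on}
    path, cycles = [], []

    def visit(node):
        color[node] = GRAY
        path.append(node)
        for dep in depends_on.get(node, []):
            state = color.get(dep, WHITE)
            if state == GRAY:
                # Back edge: the cycle is the path from `dep` back to `node`.
                cycles.append(path[path.index(dep):] + [dep])
            elif state == WHITE:
                visit(dep)
        path.pop()
        color[node] = BLACK

    for service in sorted(depends_on):
        if color[service] == WHITE:
            visit(service)
    return cycles


def without_dependency(depends_on, service, dep):
    """Return a copy of the graph with one edge removed (the remediation step:
    e.g. keep the server's break-glass credentials outside the vault)."""
    fixed = {svc: list(deps) for svc, deps in depends_on.items()}
    fixed[service] = [d for d in fixed[service] if d != dep]
    return fixed


def assess(tiers, depends_on):
    """Summarise both checks in one dict so the result is easy to act on."""
    return {
        "tier_violations": tier_violations(tiers, depends_on),
        "cycles": find_cycles(depends_on),
    }


if __name__ == "__main__":
    print("before:", assess(TIERS, DEPENDS_ON))
    fixed = without_dependency(DEPENDS_ON, "password_manager", "home_server")
    print("after: ", assess(TIERS, fixed))
```

On the constructed graph the checker reports the vault depending on a Tier 2 server and the `home_server -> password_manager -> home_server` cycle; removing that one edge (the vault no longer being the only place the server credentials exist) clears both findings, which is exactly the dependency the backup-and-restore drill in the text is meant to cover.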

Another thing to keep in mind is that you can't compete alone with a service provider whose job it is to provide the service you want with a 99.5% uptime SLA. What happens when you go on holiday and your server crashes?

Self-hosting is a lot of fun, but it also comes at a cost: it is not just installing some software and forgetting about it. You have security updates, backups, general upgrades, monitoring, alerting, … Of course, service availability is not the only requirement; you might want to avoid using a cloud service for your personal data. That's fine, it's part of your requirements. You need to make sure you evaluate the risks of maintaining everything yourself while keeping your requirements in mind, and whether it's worth delegating that responsibility to a service provider.

Thanks for the chat, Jean!

This is day 17/100 of #100DaysToOffLoad!