Status: Migration from old instance complete. Security assessment under review.

A thorough evaluation of the self-hosted Vaultwarden setup, including migration to a new server, comprehensive security assessment, replacement analysis, and alternative password management strategies.

What Was Done

1. Cloned the production database from the UnRAID tower to the local Mini for redundancy
2. Performed a security assessment covering container hardening, backup strategy, TLS configuration, and access controls
3. Evaluated beyond-Bitwarden alternatives — what would it take to move away from Vaultwarden entirely? Including Passkey-first approaches, age-encrypted password stores (hermes-pass), and hardware-backed solutions
4. Maintained a mirror at /Volumes/Mini_1Tb/Projects/vaultwarden-mirror/ for development and testing

Source Files

• Main repo: /Volumes/Mini_1Tb/Projects/vaultwarden/
• Mirror (dev): /Volumes/Mini_1Tb/Projects/vaultwarden-mirror/
• Security assessment: vaultwarden-replacement-security-assessment.md
• Replacement plan: vaultwarden-replacement-plan.md
• Beyond-Bitwarden analysis: vaultwarden-replacement-beyond-bitwarden.md

Key Findings

• Current Vaultwarden deployment is stable but has hardening gaps
• Age-encrypted password stores (hermes-pass) offer a compelling alternative for CLI-centric workflows
• Passkey-first approaches are still maturing — Vaultwarden remains the better choice for shared/secrets management in the near term
• Hook scripts on the mirror enable custom pre/post-backup processing