

11 days ago

Separate from the security fixes, Vaultwarden now lets clients have archiving capabilities. Before this update, I created a separate organization just to archive unused accounts. (Although now I have to deal with “moving” those accounts back to my main collection…)
I’ve set this up, although I can’t post the exact steps since it was so long ago. Here’s a summary.
Have a machine on the same network as the server. Set up dropbear-initramfs on your server to have an SSH server enabled on the LUKS unlock screen. You’ll have to set the SSH login command to unlock LUKS in authorized_keys. Then when you need to unlock your server from boot, use ssh with the -J option to jump to the server. Important here: use the local server IP address with respect to the secondary machine, e.g. ssh 192.168.1.1 -J secondary
In that example, 192.168.1.1 is your server address accessible from your secondary machine.
You can unlock remotely through this as well. I’ve set up Tailscale and can unlock my server when I need to reboot for kernel upgrades.
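
An added example, not part of the comment above: a check that every key in the initramfs `authorized_keys` file is limited to the unlock command, as the summary describes. It assumes the Debian/Ubuntu `cryptroot-unlock` helper as the forced command; the function name, key material and key comments are constructed for illustration.

```sh
#!/bin/sh
# Audit a dropbear-initramfs authorized_keys file (path given as $1).
# A key with no forced command gets an interactive shell in the initramfs
# instead of only the LUKS passphrase prompt, so it is reported as WEAK.
# Assumption: the unlock helper is Debian/Ubuntu's cryptroot-unlock.
# Exit status: 0 if every key entry is restricted, 1 otherwise.
audit_unlock_keys() {
    awk '
        /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
        {
            why = ""
            # Options, if any, are whatever precedes the key type.
            if (!match($0, /(ssh-(ed25519|rsa)|ecdsa-sha2-nistp[0-9]+) /)) {
                why = " unrecognised key type;"
            } else {
                opts = substr($0, 1, RSTART - 1)
                if (opts !~ /command="[^"]*cryptroot-unlock"/)
                    why = why " no forced cryptroot-unlock command;"
                if (opts !~ /no-port-forwarding/)
                    why = why " port forwarding allowed;"
            }
            if (why == "") {
                print "OK   line " NR
            } else {
                print "WEAK line " NR ":" why
                bad++
            }
        }
        END { exit (bad > 0) }
    ' "$1"
}

# Constructed sample: placeholder key material, not real keys.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# unlock-only key
no-port-forwarding,no-agent-forwarding,no-X11-forwarding,command="cryptroot-unlock" ssh-ed25519 AAAAC3PLACEHOLDERKEY1 admin@laptop
ssh-ed25519 AAAAC3PLACEHOLDERKEY2 admin@old-laptop
EOF

audit_unlock_keys "$sample" ||
    echo "Restrict the WEAK entries, then rebuild the initramfs (update-initramfs -u)."
rm -f "$sample"
```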