
I love Bitwarden. It's a great piece of software and it's reasonably priced. We use it at my place of work (I pushed to install and use Bitwarden on the company level). I also tried the Bitwarden_RS; it does the same work, however it's not suited for company use as it lacks the feature to create groups. There's an open issue that provides a workaround, however that workaround proved to be unusable. I tried to reach out to maintainers to see whether the feature could be implemented and paid for their effort but... let's just say the answer was "No."

Long story short - we use official Bitwarden and are paying for it and couldn't be happier. Bitwarden_RS looks like a cool toy, but I can't see any reason why anyone would run it. It's good for personal passwords, but Bitwarden itself offers free service so there's no need to venture down the self-hosted road.



> It's good for personal passwords, but Bitwarden itself offers free service so there's no need to venture down the self-hosted road.

It's a trust issue. I don't trust my passwords on someone else's server. I don't trust free services to remain free forever. I don't trust paid services to not increase the fees 4x over a few years.

The alternative to bitwardenrs or bitwarden/server is not bitwarden.com for me given the areas I'm concerned with, it's going back to KeePass + Syncthing.

I think the reticence to provide the group features in bitwarden_rs may come from being unwilling to too blatantly step on the toes of Bitwarden LLC by producing a $0 drop in alternative to their paid service. bitwarden_rs is open source and bitwarden/server is _mostly_ open source (Some SSO related features are not), so it seems worthwhile to get along and not need to fork the ecosystem.


> It's a trust issue. I don't trust my passwords on someone else's server.

They don't have your decryption key, therefore they save encrypted blobs and have no means to obtain your password. This takes care of the trust issue - it simply is not an issue and never will be.

Even if a malicious employee does something out of the ordinary or a "hacker" gets the database, they still have the impossible task of breaking the encryption (which for all intents and purposes is impossible as of right now).

This returns us back to my starting point - there's *no objective* reason to use bitwarden_rs, apart from curiosity and/or convenience. I'm not saying it SHOULD not be used. We are all free to make choices as we see fit and don't need to justify them, however the reasons you listed are not reasons at all because the concerns you have don't exist.


> ...therefore they save encrypted blobs and have no means to obtain your password.

Sure they do. The web vault. Plenty of functionality isn't available anywhere else.


> however the reasons you listed are not reasons at all because the concerns you have don't exist.

You've only attempted to address 1 of 3, and the other reply indicates that there are absolutely attack vectors from bitwarden.com if Bitwarden LLC wanted to, was forced to, or was compromised.


Agreed, especially with how easy bitwarden_rs is to deploy (I wrote a three-line file and deployed it to my Dokku server and that was it).


I run bitwarden_rs for exactly the reason you stated, for personal passwords.

It took a few seconds to add to my portainer (docker) server and now I host my vault and keep it safe within my LAN.


I run bitwarden_rs for my own passwords because I want to run my own stuff for anything like passwords. (Previously I used KeePassX, and my biggest issue with it was that it was mostly tied to one device, depending on whatever file-based sync you might set up, and I never did—barring backups—so it was only ever on my main laptop, not on any secondary laptop or phone unless I jumped through some hoops to use one of the backups.)

I don’t run the official Bitwarden server because its system requirements are much too high for my liking.

Meanwhile, bitwarden_rs uses ~24MB disk space, ~24MB RAM, and <0.03% CPU on my single-core Vultr box.

Oh yeah, one other practical reason I couldn’t/wouldn’t go with bitwarden.com’s free plan: I’ve got a few TOTP things in my vault, gotta pay for that.


I chose to use bitwarden_rs because the official server is huge, and deploying it seemed like a massive pain.

Before installing the rust version I actually went through the code to check that it wasn't doing anything untoward; it wasn't a very thorough review, but it took a couple hours. Given the fact that you don't actually need to trust a Bitwarden server, I'm not too concerned about using an "unofficial" implementation.


I ran bitwarden_rs for a bit on a digital ocean node, but ultimately decided to buy a premium membership because it was less than $5/mo and I think that they will do a better job securing the system and keeping things up to date than I would in my spare time.



