fix docker docs link and cosmetic changes

docgalaxyblock
2024-03-10 18:54:24 +01:00
parent b08050718e
commit cf43c65c17

@@ -1,4 +1,5 @@
**IMPORTANT**: It's heavily recommended to activate HTTPS before enabling this feature, to avoid possible MITM attacks.
> [!IMPORTANT]
> It's heavily recommended to activate HTTPS before enabling this feature, to avoid possible MITM attacks.
This page allows a server administrator to view all the registered users and to delete them. It also allows inviting new users, even when registration is disabled.
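Review bot: The `> [!IMPORTANT]` marker that replaces `**IMPORTANT**:` only renders as a callout where the Markdown renderer supports that alert syntax. Elsewhere it shows up as a literal `[!IMPORTANT]` inside a blockquote, and the bold label that made the HTTPS recommendation stand out is gone. Please confirm the wiki renders it as intended, since this line carries the HTTPS/MITM recommendation for the admin page.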
@@ -8,7 +9,7 @@ To enable the admin page, you need to set an authentication token. This token ca
To set the token, use the `ADMIN_TOKEN` variable:
```sh
```bash
docker run -d --name vaultwarden \
-e ADMIN_TOKEN=some_random_token_as_per_above_explanation \
-v /vw-data/:/data/ \
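Review bot: The example under the retagged fence still passes `-e ADMIN_TOKEN=some_random_token_as_per_above_explanation`, a plain text token, while the "Secure the `ADMIN_TOKEN`" section further down the page describes the Argon2 PHC form. The `sh` to `bash` tag change itself is fine. Since this block is being touched anyway, consider adding a one-line pointer to that section next to it.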
@@ -32,26 +33,27 @@ In order to disable the admin page you have to unset the `ADMIN_TOKEN` and resta
## Secure the `ADMIN_TOKEN`
> :warning: This feature is available since [1.28.0](https://github.com/dani-garcia/vaultwarden/releases/tag/1.28.0)+.
> [!WARNING]
> This feature is available since [1.28.0](https://github.com/dani-garcia/vaultwarden/releases/tag/1.28.0)+.
>
> Using environment variables is preferred.
> But if you updated settings via the admin interface you need to update the admin token via the same web interface!
> Please **do not** edit the `config.json` manually since that could cause issues if done wrong!
>
> To log into the admin page after securing the token, you instead use the password provided during token creation.
> :warning: Using environment variables is preferred.<br>
> :warning: But if you updated settings via the admin interface you need to update the admin token via the same web interface!<br>
> :warning: Please **do not** edit the `config.json` manually since that could cause issues if done wrong!
> :warning: To log into the admin page after securing the token, you instead use the password provided during token creation.
Previously the `ADMIN_TOKEN` could only be in a plain text format.<br>
You can now hash the `ADMIN_TOKEN` using Argon2 by generating a [PHC string](https://github.com/P-H-C/phc-string-format/blob/master/phc-sf-spec.md).<br>
This can be generated by using a built-in `hash` command within Vaultwarden, or use the `argon2` CLI tool.<br>
Previously the `ADMIN_TOKEN` could only be in a plain text format.
You can now hash the `ADMIN_TOKEN` using Argon2 by generating a [PHC string](https://github.com/P-H-C/phc-string-format/blob/master/phc-sf-spec.md).
This can be generated by using a built-in `hash` command within Vaultwarden, or use the `argon2` CLI tool.
Within the vaultwarden application we have two presets, one using the [Bitwarden defaults](https://github.com/bitwarden/clients/blob/04d1fbb716bc7676c60a009906e183bb3cbb6047/libs/common/src/enums/kdfType.ts#L8-L10), and one using the [OWASP recommendations](https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#argon2id).
Some examples on how to generate an Argon2id PHC hash.
### Using `vaultwarden hash`
There is a PHC generator built-in into Vaultwarden which you can run via the CLI `vaultwarden hash`.<br>
This can be done via `docker exec` on the already running instance, or by running this locally via docker on your own system.<br>
I use `vwcontainer` as the container name below, replace this with the correct container name of your instance.<br>
There is a PHC generator built-in into Vaultwarden which you can run via the CLI `vaultwarden hash`.
This can be done via `docker exec` on the already running instance, or by running this locally via docker on your own system.
I use `vwcontainer` as the container name below, replace this with the correct container name of your instance.
The Vaultwarden CLI will ask for the password twice, and if both are the same it will output the generated PHC string.
Examples:
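Review bot: The re-added sentences keep wording slips that a cosmetic pass could fix while the lines are already being rewritten: "built-in into Vaultwarden" should read "built into Vaultwarden", "by using a built-in `hash` command within Vaultwarden, or use the `argon2` CLI tool" is not parallel ("or by using"), and "available since 1.28.0+" says the same thing twice. Also note that with the `<br>` tags dropped, the three consecutive `>` lines starting "Using environment variables is preferred." now flow together as one paragraph in the warning block. If each was meant to stay on its own line, separate them with `>` blank lines as was done before the last sentence.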
@@ -95,7 +97,7 @@ Use this string in your docker/podman CLI command. For `docker-compose.yml` file
### How to prevent variable interpolation in `docker-compose.yml`
When [[using Docker Compose]] and you configure the `ADMIN_TOKEN` via the `environment` directive you need to escape all five occurrences of the dollar sign `$` in the generated argon2 PHC string using two dollar signs `$$` in order to prevent [variable interpolation](https://docs.docker.com/compose/compose-file/#interpolation):
When [[using Docker Compose]] and you configure the `ADMIN_TOKEN` via the `environment` directive you need to escape all five occurrences of the dollar sign `$` in the generated argon2 PHC string using two dollar signs `$$` in order to prevent [variable interpolation](https://docs.docker.com/compose/compose-file/12-interpolation/):
```yaml
environment:
ADMIN_TOKEN: $$argon2id$$v=19$$m=19456,t=2,p=1$$UUZxK1FZMkZoRHFQRlVrTXZvS0E3bHpNQW55c2dBN2NORzdsa0Nxd1JhND0$$cUoId+JBUsJutlG4rfDZayExfjq4TCt48aBc9qsc3UI
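Review bot: The replacement link `https://docs.docker.com/compose/compose-file/12-interpolation/` has a numbered path segment (`12-interpolation`), which looks tied to the page's position in the Docker docs and may move again if the pages are reordered. If the Docker docs offer a path without the number, prefer that. Otherwise this is the fix the commit title names and the rest of the line is unchanged.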
@@ -112,9 +114,10 @@ WARNING: The m variable is not set. Defaulting to a blank string.
<br>
**⚠️ Note:** This is not the case when using a `.env` file for `docker-compose.yaml`<br>
As shown below. In this case just use the single `$` variant.<br>
The same for using the docker/podman cli using `-e ADMIN_TOKEN`.
> [!NOTE]
> This is not the case when using a `.env` file for `docker-compose.yaml`
> As shown below. In this case just use the single `$` variant.
> The same for using the docker/podman cli using `-e ADMIN_TOKEN`.
```
/docker-data
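Review bot: In the new `> [!NOTE]` block the first line ends without punctuation and the `<br>` tags are gone, so the lines join into one paragraph that reads "... for `docker-compose.yaml` As shown below. In this case ...". Suggest merging the first two lines into one sentence, for example "This is not the case when using a `.env` file for `docker-compose.yaml`, as shown below." The standalone `<br>` left above the block is probably no longer needed now that the note is a blockquote.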