Configure Bitwarden
See the Bitwarden About Key Connector (https://bitwarden.com/help/about-key-connector/) and Deploy Key Connector (https://bitwarden.com/help/deploy-key-connector/) instructions, and perform the following steps:

    Set up and deploy Key Connector
    Configure Key Connector
    Activate Key Connector

Before you start

To get started using Key Connector for customer-managed encryption, review the following requirements. To use Key Connector, you must have:

    An Enterprise organization
    A self-hosted Bitwarden server
    An active SSO implementation
    The Single organization and Require single sign-on authentication policies activated

If your organization meets or can meet these requirements, including a team and infrastructure that can support the management of a key server, contact Bitwarden so they can activate Key Connector.

1 | Set up and deploy Key Connector

After you contact Bitwarden about Key Connector, they reach out to kick off a Key Connector discussion. Perform the following tasks to set up and deploy Key Connector.

a | Obtain a new license file

After Bitwarden enables Key Connector for your organization, complete the following steps to obtain the new license:

1. Open the Bitwarden cloud web app and go to your organization's Billing > Subscription screen in the Admin Console.
2. Scroll down and select [Download license].
3. When prompted, enter the installation ID used to install your self-hosted server and select [Submit]. If you don't know your installation ID offhand, you can retrieve it from /bwdata/env/global.override.env.

You won't need your license file immediately, but you must upload it to your self-hosted server later.

b | Initialize Key Connector

To prepare your Bitwarden server for Key Connector, perform the following steps:

1. Save a backup of bwdata/mssql. Once you start using Key Connector, we recommend that you keep access to a pre-Key Connector backup image in case of an issue. If you use an external MSSQL database, back up that database.
2. Update your self-hosted Bitwarden installation to retrieve the latest changes:

       ./bitwarden.sh update

3. Edit the bwdata/config.yml file and enable Key Connector by toggling enable_key_connector to true:

       nano bwdata/config.yml

4. Rebuild your self-hosted Bitwarden installation:

       ./bitwarden.sh rebuild

5. Update your self-hosted Bitwarden installation again to apply the changes:

       ./bitwarden.sh update

2 | Configure Key Connector

To configure Key Connector, perform the following steps:

1. Download the tarball of the Linux PKCS #11 binaries from the {{futurex}} portal.
2. Copy the Linux PKCS #11 tar file to your Bitwarden server.
3. Extract the tar file. The extracted content is a single fxpkcs11 directory, which contains the following files and directories (only the files and folders relevant to the installation process are listed):

       File name or directory   Description
       fxpkcs11.cfg             PKCS #11 configuration file used for HSM integrations
       x86/                     Module files for 32-bit architecture
       x64/                     Module files for 64-bit architecture

   The x86 and x64 directories contain multiple subdirectories named for specific OpenSSL versions; each holds the PKCS #11 module files built against that OpenSSL version. You must use the OpenSSL 3.x binaries, because that is the version installed in the Bitwarden Key Connector container.

       File name        Description
       configtest       Program to test the configuration and the connection to the HSM
       libfxpkcs11.so   PKCS #11 library file
       pkcs11manager    Program to test the connection and manage the HSM through the PKCS #11 library

4. Convert the PEM certificate created with FXCLI in the previous section to PFX format using OpenSSL:

       openssl pkcs12 -export -nokeys -in bitwarden-cert.pem -out bitwarden-cert.pfx

   Specify futurex123 as the password for the PFX file.

5. Copy the following files to the /opt/bitwarden/bwdata/key-connector directory. As noted above, you must use the OpenSSL 3.x binaries, because that is the version installed in the Bitwarden Key Connector container.

       bitwarden.pfx
       pki.p12 (the TLS client certificate created for the Futurex PKCS #11 library to mutually authenticate to the Vectera Plus)
       libfxpkcs11.so
       fxpkcs11.cfg
       pkcs11manager

   Placing these files in /opt/bitwarden/bwdata/key-connector causes the system to bind-mount them inside the Bitwarden Key Connector container at /etc/bitwarden/key-connector.

6. Edit the bwdata/env/key-connector.override.env file that came with the ./bitwarden.sh update you downloaded. Example key-connector.override.env:

       keyConnectorSettings__webVaultUri=https://ec2-34-193-223-21.compute-1.amazonaws.com
       keyConnectorSettings__identityServerUri=http://identity:5000
       keyConnectorSettings__database__provider=json
       keyConnectorSettings__database__jsonFilePath=/etc/bitwarden/key-connector/data.json
       keyConnectorSettings__certificate__provider=filesystem
       keyConnectorSettings__certificate__filesystemPath=/etc/bitwarden/key-connector/bitwarden.pfx
       keyConnectorSettings__certificate__filesystemPassword=futurex123
       keyConnectorSettings__rsaKey__provider=pkcs11
       keyConnectorSettings__rsaKey__pkcs11LibraryPath=/etc/bitwarden/key-connector/libfxpkcs11.so
       FXPKCS11_CFG=/etc/bitwarden/key-connector/fxpkcs11.cfg
       keyConnectorSettings__rsaKey__pkcs11SlotTokenSerialNumber=3174612105
       keyConnectorSettings__rsaKey__pkcs11LoginUserType=user
       keyConnectorSettings__rsaKey__pkcs11LoginPin=edy0dd29b2t82 fc0&@511h1m4d8
       keyConnectorSettings__rsaKey__pkcs11PrivateKeyLabel=bitwarden

   The FXPKCS11_CFG=/etc/bitwarden/key-connector/fxpkcs11.cfg entry lets the {{futurex}} PKCS #11 module find its configuration file at the non-default location (/etc). To determine the keyConnectorSettings__rsaKey__pkcs11SlotTokenSerialNumber value you must specify, run the pkcs11manager utility against your {{vectera}} and select option 1 (Print library/token info). Set keyConnectorSettings__rsaKey__pkcs11LoginPin to the password value you configured for the bitwarden identity.

What to expect

The following sections cover some key concepts you should understand when setting up Bitwarden.

Endpoints

The automated setup populates endpoint values based on your installation configuration. However, we recommend that you confirm the following values in key-connector.override.env are accurate for your setup:

    keyConnectorSettings__webVaultUri=https://your.bitwarden.domain.com
    keyConnectorSettings__identityServerUri=http://identity:5000

Database

Key Connector must access a database that stores encrypted user keys for your organization members. Create a secure database to store encrypted user keys and replace the default keyConnectorSettings__database values in key-connector.override.env with the values designated in the Required Values column (https://bitwarden.com/help/deploy-key-connector/#:~:text=http%3A//identity%3A5000,Database,Key%20Connector%20must) for the chosen database. The preceding key-connector.override.env example defines local JSON, but we do not recommend this option outside testing environments. For production environments, Bitwarden recommends using one of the other supported database options (such as Microsoft SQL Server, PostgreSQL, MySQL/MariaDB, or MongoDB).

RSA key pair

Key Connector uses an RSA key pair to protect user keys at rest. You must replace the default keyConnectorSettings__rsaKey and keyConnectorSettings__certificate values in key-connector.override.env with the values required to integrate with the {{vectera}}. The RSA key pair must be at least 2048 bits in length. Key Connector accesses the HSM-stored private key through the {{futurex}} PKCS #11 module, and the X.509 certificate directly from the file system.

3 | Activate Key Connector

Now that Key Connector is fully configured and you have a Key Connector-enabled license, complete the following steps:

1. Restart your self-hosted Bitwarden installation to apply the configuration changes:

       ./bitwarden.sh restart

2. Log in to your self-hosted Bitwarden as an organization owner and go to the Admin Console Billing > Subscription screen.
3. Select [Update license] and upload the Key Connector-enabled license retrieved in a preceding step.
4. If you haven't already done so, go to the Settings > Policies screen and enable both the Single organization and Require single sign-on authentication policies. Both are required to use Key Connector.
5. Go to the Settings > Single sign-on screen. The next few steps assume that you already have an active Login with SSO implementation using SAML 2.0 or OIDC. If you don't, implement and test Login with SSO before proceeding.
6. In the Member decryption options section, select Key Connector.
7. In the Key Connector URL input, enter the address Key Connector is running at (by default, https://your.domain/key-connector) and select [Test] to ensure you can reach Key Connector.
8. Scroll to the bottom of the screen and select [Save].
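As an added example (not code from Bitwarden, Futurex or this guide), the following Python lint parses a key-connector.override.env like the one in section 2 and checks the points the guide calls out before the restart in section 3: the PKCS #11 library path and FXPKCS11_CFG entry, a numeric token serial from pkcs11manager, an https web vault URI, and the JSON database provider that is only suitable for testing. The required-key list and the sample file are assumptions built from the example above, with the HSM PIN replaced by a placeholder.

```python
# Constructed lint for key-connector.override.env (not Bitwarden or Futurex
# code); the key list and sample values are assumptions from this guide.
REQUIRED = (
    "keyConnectorSettings__webVaultUri",
    "keyConnectorSettings__identityServerUri",
    "keyConnectorSettings__certificate__filesystemPath",
    "keyConnectorSettings__rsaKey__pkcs11LibraryPath",
    "keyConnectorSettings__rsaKey__pkcs11LoginPin",
    "keyConnectorSettings__rsaKey__pkcs11PrivateKeyLabel",
    "FXPKCS11_CFG",
)
# Constructed sample: the guide's example file, with the HSM PIN replaced.
SAMPLE_ENV = """\
keyConnectorSettings__webVaultUri=https://ec2-34-193-223-21.compute-1.amazonaws.com
keyConnectorSettings__identityServerUri=http://identity:5000
keyConnectorSettings__database__provider=json
keyConnectorSettings__certificate__provider=filesystem
keyConnectorSettings__certificate__filesystemPath=/etc/bitwarden/key-connector/bitwarden.pfx
keyConnectorSettings__rsaKey__provider=pkcs11
keyConnectorSettings__rsaKey__pkcs11LibraryPath=/etc/bitwarden/key-connector/libfxpkcs11.so
FXPKCS11_CFG=/etc/bitwarden/key-connector/fxpkcs11.cfg
keyConnectorSettings__rsaKey__pkcs11SlotTokenSerialNumber=3174612105
keyConnectorSettings__rsaKey__pkcs11LoginPin=REPLACE_WITH_HSM_PIN
keyConnectorSettings__rsaKey__pkcs11PrivateKeyLabel=bitwarden
"""


def parse_env(text):
    """Parse KEY=VALUE lines, skipping blanks and '#' comments. The value is
    everything after the first '=', so a PIN containing '=' or '&' survives."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            settings[key.strip()] = value
    return settings


def lint(settings):
    """Return findings; an empty list means the file meets the guide's guidance."""
    findings = [f"missing or empty: {k}" for k in REQUIRED if not settings.get(k)]
    if settings.get("keyConnectorSettings__database__provider") == "json":
        findings.append("database provider json is for testing only; use a server database")
    if not settings.get("keyConnectorSettings__webVaultUri", "").startswith("https://"):
        findings.append("webVaultUri must be an https URL")
    if settings.get("keyConnectorSettings__rsaKey__provider") != "pkcs11":
        findings.append("rsaKey provider must be pkcs11 so the private key stays in the HSM")
    if not settings.get("keyConnectorSettings__rsaKey__pkcs11SlotTokenSerialNumber", "").isdigit():
        findings.append("pkcs11SlotTokenSerialNumber must be the numeric serial from pkcs11manager")
    return findings
```

Run it against the real file with lint(parse_env(open("bwdata/env/key-connector.override.env").read())) and resolve every finding before ./bitwarden.sh restart.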