How to generate a secure Argon2 PHC string to access the admin page?

[xplosionmind]

Immediately after installing this app (thank you for packaging it, by the way 🌻), the YunoHost installer provides a token to access Vaultwarden’s /admin page.

Once accessed, the following warning appears:

I click on the banner’s link, and I try to perform the following:

tommi@nebuchadnezzar:~$ sudo yunohost app shell vaultwarden
vaultwarden@nebuchadnezzar:~/live$ vaultwarden hash
bash: vaultwarden: command not found
vaultwarden@nebuchadnezzar:~/live$ echo -n "MySecretPassword" | argon2 "$(openssl rand -base64 32)" -e -id -k 65540 -t 3 -p 4
bash: argon2: command not found
vaultwarden@nebuchadnezzar:~/live$ exit

Nevertheless, it doesn’t seem to be working… Any advice on how to generate a secure Argon2 PHC string?

Thank you! 💕

[carross-tlhuillier]

You can use

user@cloud:~$ sudo yunohost app shell vaultwarden
vaultwarden@cloud:~/live$ /var/www/vaultwarden/live/vaultwarden hash --preset bitwarden
Generate an Argon2id PHC string using the 'bitwarden' preset:

Password: 
Confirm Password: 

ADMIN_TOKEN='$argon2id$v=19$m=65540,t=3,p=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'

Generation of the Argon2id PHC string took: 369.876759ms
vaultwarden@cloud:~/live$ exit

[tituspijean]

Thanks! This could be a nice addition in a doc/ADMIN.md file. :)

[xplosionmind]

Thanks so much, @carross-tlhuillier!

I can successfully get the Argon2id PHC string, but then I don’t know how to use it. I am afraid I made a mess, as I am now locked out of my admin page… 😱

Here’s what I did:

1. Run sudo yunohost app shell vaultwarden
2. Run /var/www/vaultwarden/live/vaultwarden hash
3. Enter a chosen password, when prompted
4. Get the Argon2id PHC string
5. Reboot the server (I don’t know how to reboot the app alone)
6. Visit the /admin page
7. Paste the obtained Argon2id PHC string in the “Enter admin token field”. Error message.
8. Paste the chosen password in the “Enter admin token field”. Error message.

What am I doing wrong?

[carross-tlhuillier]

Maybe you have already edit config on the admin page, which override the config file.
Try login using the old password, then edit the admin page password in the option "Admin token/Argon2 PHC" of the admin page.
I am not sure that I have understand correctly, so here some explanations :

1. Running /var/www/vaultwarden/live/vaultwarden hash, doesn't change the password, it just generate the hash and give it to you
2. You have two options to edit the password, the config file /etc/yunohost/apps/vaultwarden/settings.yml and the admin page. To be sure edit the password on each.
3. If I remember correctly you doesn't even need to restart vaultwarden.

[xplosionmind]

Ooh, I see. I was still able to log into the /admin page by using the original plain text Admin token automatically provided by YunoHost after installation.

So I changed the Admin token both in the GUI and in /etc/yunohost/apps/vaultwarden/settings.yml as you suggested, and after restarting the vaultwarden service (it wasn’t working without a restart 🤔) I was able to login using the Admin password I set while generating the Argon2 PHC string.

Pheeew!