The Vault
The Vault is a password manager hosted by XR using Bitwarden/Vaultwarden software. It is a place for XR groups to securely store and share the passwords to their online accounts.
What is a password manager?
A password manager is a tool that lets you store all of your passwords together in a safe place. Browsers such as Firefox have this facility. It allows you to generate and securely store passwords that are very strong (e.g. cj*XknvKPgg9b5) because they are not guessable, but you don't have to remember them. Instead, you only have to know the one master password to access them. This makes life easier for you and much harder for hackers.
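To show why a generated password like the one above is "not guessable", here is a small added example (written for this page, not part of the Rebel Toolkit text or of Bitwarden's code) that generates a password the way a password manager does and estimates how much work guessing it would take. The character set, the 14-character length matching the sample above, and the attacker speed of ten billion guesses per second are all assumptions chosen for illustration.

```python
"""Added example: generate a password like a password manager does, and estimate
how hard it is to guess. Alphabet, length and attacker speed are constructed
assumptions for illustration, not figures from the Vault documentation."""
import math
import secrets
import string

# Character classes a password manager typically draws from (assumption).
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_=+"


def generate_password(length: int = 14, alphabet: str = ALPHABET) -> str:
    """Pick every character uniformly at random from the OS CSPRNG (`secrets`).
    The `random` module must not be used here: its output is predictable."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def expected_guesses(bits: float) -> float:
    """On average an attacker has to try half of the whole space."""
    return 2.0 ** bits / 2


def years_to_crack(bits: float, guesses_per_second: float = 1e10) -> float:
    """Expected cracking time at a constructed attacker speed (assumption)."""
    seconds = expected_guesses(bits) / guesses_per_second
    return seconds / (365 * 24 * 3600)


def compare(length: int = 14) -> dict:
    """Generated password versus a typical human-chosen 8-letter lowercase word."""
    gen_bits = entropy_bits(length, len(ALPHABET))
    human_bits = entropy_bits(8, 26)
    return {
        "generated_bits": gen_bits,
        "generated_years": years_to_crack(gen_bits),
        "human_bits": human_bits,
        "human_years": years_to_crack(human_bits),
    }


if __name__ == "__main__":
    print("sample password:", generate_password())
    for name, value in compare().items():
        print(f"{name:>16}: {value:,.2f}")
```

The point the numbers make is the one the text states: the manager remembers the long random string for you, so its strength costs you nothing, while the human-memorable alternative falls to a brute-force search in seconds.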
You can store lots of passwords, even ones you created years ago if you wish. And you can also store other codes like bike locks and notes you don't want to lose or leave lying around. That said, XR may not be around forever, so our servers will not be the best place for storing important personal information such as bank account logins!
Using our XR Vault you'll be able to access passwords from each of the XR groups that you're involved with as well as your own private storage area.
How do I join the Vault?
Ask your XR group's Group Admin to send you an invite to your group's organisation in the Vault. If your group doesn't yet have an organisation, see "What if my XR group isn't already using the Vault?" below.
- Click on Create account
- Fill in your email address and name (an alias is fine)
- Create your password [minimum of 12 characters]. It is important to choose a master password that is really hard to guess (the Vault will tell you whether it is a strong password or not) and you shouldn't use this password anywhere else. If there's any chance that you might forget this master password, make sure to record it somewhere safe. See also "Don't get locked out of your Vault account!" below.
- Type your master password then click Submit.
- You have now created an account on the Vault and can begin to use it to store your passwords.
If you want access to the passwords shared by your group you need to do some additional steps:
- From your Vaultwarden homepage click on Settings in the left side menu, and then on My account
- Under the My Account section note down your account's fingerprint phrase. This will be a string of five random English words (e.g. alligator-transfer-laziness-macaroni-blue).
- Send this fingerprint phrase to your group admin. This will help them to identify you and give you access to the group's passwords.
What if my XR group isn't already using the Vault?
If you want your group to be able to use the Vault, have your group's Secretary, Internal Coordinator, External Coordinator or Group Admin get in touch with the Digital Discussions Applications Team using this Mattermost channel. They can then create the Vault organisation and give you access so you can begin sharing passwords within your group.
How do I access the Vault?
Accessing the vault via the web interface
The most straightforward way to use the Vault on your computer is simply to go to its web page. Enter https://vault.extinctionrebellion.uk/ into the URL bar of your web browser and you'll be presented with the login page.
However, it is more convenient, and more secure, to install a browser extension (see the next section).
Accessing the Vault via laptop or PC (web browser extension)
For regular users of the Vault on a laptop or PC it's very worthwhile to take a moment to install the Bitwarden browser extension.
To install it:
- Go to the Download part of the Bitwarden website and scroll down to the Web Browser section
- Click on the browser that you are using and install the extension.
- You should now see a small shield icon at the top-right of the browser window. If you click on this the following screen should pop up:
- Click on the "Logging in on" drop-down menu (circled in red) and select "self-hosted".
- Under SELF-HOSTED ENVIRONMENT, set the Server URL field to https://vault.extinctionrebellion.uk and click Save. You can ignore (leave blank) the fields under the 'Custom Environment' heading.
- Click Log in, enter your email address and master password and then click Log in (top-right corner).
What doesn't work for laptop/PC access
Don't use Bitwarden's Desktop Apps. These apps (available for installation on Linux, MacOS and Windows) do not work properly with our self-hosted Vaultwarden software (tested April 2024). We don't believe this to be much of a problem since there are so many other ways to use the Vault.
To access the Vault on your mobile device:
- Install Bitwarden from either the Google Play Store or Apple App Store
- Open the app. You will see a screen that looks like this:
- Click on the "Logging in on" drop-down menu (circled in red above)
- Enter https://vault.extinctionrebellion.uk in the Server URL field (circled red below) and then click Save (top right of screen). You can leave all the other fields blank
- Back at the log in screen enter your email address. You may wish to select "Remember me" to avoid repeating this step. Click Continue
- Enter your vault password in the "master password" field and click on "Log in with master password"
Using the Vault
The following instructions mainly describe use via a laptop/PC web browser extension, but similar operations are also available via mobile devices and via direct web access.
Adding new passwords
To add new passwords to the Vault for either new or existing accounts:
- Click on the small shield icon at the top right of your browser window and log in if necessary:
- You should see a screen like this:
- Click on the + icon in the top-right corner (circled in red). You should see a screen similar to this:
- Enter your username and password. If you want to generate a random secure password (strongly recommended!), click on the generate password icon circled in red.
- Click Save (top-right).
Filling existing passwords
To access the information in the Vault when you want to log in to a website:
- Click on the small shield icon at the top right of your browser window:
- You will now see a screen like this:
- If the correct account appears under LOGINS then click on it and the username and password fields on the website page should automatically be filled.
- If the account is not there then you will need to search for it in the search bar circled in red. Once you have found the correct account you will have to copy and paste the username and password into the website.
Accessing your password history
If you generate a password and forget to save it to the Vault, you can retrieve it:
- Click on the small shield icon at the top right of your browser window:
- Click on Generator (circled in red):
- Click Password History to access previously generated passwords.
Sharing passwords
All this is documented in Get Started with Organizations in the Bitwarden docs. Be aware that our Vault is a self-hosted installation, and there are no charges for using it - always use our Vault, rather than the commercial Bitwarden one.
Vault management (for Vault owners)
This section is for those with 'owner' status for a vault.
Granting access to a vault
If your vault account has 'owner' status for your group's vault then you are able to invite other members. To do this log into your account using the website https://vault.extinctionrebellion.uk and follow these steps:
- Click on the 'cube of cubes' (dice) button to the left of your avatar and select Admin Console, or click directly on Admin Console at the base of the left menu
- In the left hand menu click on Members
- Click on the Invite Member button
- In the pop-up, enter the email address of the person to be invited
- Select the member role / status as appropriate. If the person is a well known & trusted member of your group then it's probably best to make them a fellow 'owner'. Having a number of owners helps avoid access to the group's vault being lost
- Click Save. Back on the members page you should now see 'Invitation sent' next to the email address of the person you've invited.
- You may wish to prompt that person to check their emails and accept the invitation. Send them this link to help with the next steps: https://rebeltoolkit.extinctionrebellion.uk/link/1064#bkmrk-how-do-i-join-the-va . If they leave it too long (about 10 days??) then the invitation may expire. If they already have an XR Vaultwarden account then they can just log into that in order to accept the invitation, otherwise they'll be requested to set one up. Once they've logged into their account (new or existing) and accepted the invitation then they should send you their account's 'fingerprint phrase'
- At this stage you should see a 'Needs confirmation' label next to the new member's entry on the members page. Click on the '3 vertical dots' to the right of their entry
- Click on Confirm in the pop-up menu
- In the 'Confirm User' pop-up, compare the displayed 'fingerprint phrase' with the one that the new member sent you. If they're identical then click on Confirm
Removing access
If someone loses their phone, gets arrested, or has their devices compromised, you should remove their access as soon as possible.
You (as a vault owner) can remove someone's access to the group, or change which collections they have access to, by logging into your account using the website https://vault.extinctionrebellion.uk and accessing the 'Members' page as follows:
- Click on the 'cube of cubes' (dice) button to the left of your avatar and select Admin Console, or click directly on Admin Console at the base of the left menu
- In the left hand menu click on Members
- Click on the '3 vertical dots' to the right of the person concerned
- Click on 'Revoke access' (temporary) or 'Remove' (permanent) as appropriate
What to do if someone leaves your group
If the person has had access to important passwords, you should assume they have a copy of them. So, as well as removing them from your group on the Vault, you should also CHANGE ALL THE PASSWORDS they had access to.
Don’t get locked out of your Vault account!
If your password is lost then there is no way to regain access to your account (it is designed to be secure after all). Any passwords that you’ve stored in your personal areas will be lost, although it will be possible for you to be re-invited to any shared group vaults after setting up a new account. If you were the sole ‘owner’ of a group’s vault then control of that will also have been lost, although others in your group (who you’d previously granted access to) should still be able to gain access in order to retrieve passwords.
So it’s best to take precautionary measures to ensure you never lose control of your vault.
These might include:
- Use a master password that you're sure you won't forget (but which is still complex enough to be secure), or store the master password somewhere safe
- Set up a password 'hint' to be emailed to you when needed (but only do this if you can think of something cryptic enough that it wouldn't help anyone else guess your password)
- If your account is the 'owner' of a group's vault, invite a second trusted group member to also be an 'owner', and make sure to nominate someone to replace you if you leave the group
- You can nominate someone to be an 'Emergency Contact'. This facility allows you to designate and manage trusted emergency contacts (who must also have XR Vault accounts set up), who can request access to your vault in a case of lost password. If you lose your password you then ask one of your emergency contacts to request access to your account. You will get an email to notify you of the request, and you then grant permission for them to proceed. When selecting your emergency contact, do consider that they will potentially have access to all group vaults to which you've been invited
"Low KDF Iterations" warning
Following an update to the Vault software in August 2024 you will probably start seeing a "Low KDF Iterations" warning displayed on your main password manager page. Our advice is to please ignore the message for the time being. DDAT are considering whether any action actually needs to be taken, and will aim to draw up instructions on how to proceed if so.
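For readers who want to know what the warning is about, here is an added example (written for this page; it is not the Vault's, Bitwarden's or Vaultwarden's own code). Bitwarden-style clients stretch the master password with PBKDF2-HMAC-SHA256 before it is used, and the "KDF iterations" setting is the number of rounds in that stretch; more rounds mean every login, and every attacker's guess at your master password, costs proportionally more computing time. The example derives a key from a constructed master password at two iteration counts and times both. The password, salt and the two counts are assumptions made for illustration; the page does not state what your account's setting is.

```python
"""Added example: what the PBKDF2 iteration count behind the "Low KDF Iterations"
warning does. Password, salt and iteration counts are constructed for illustration
and are not settings taken from the XR Vault."""
import hashlib
import hmac
import time

LOW_ITERATIONS = 100_000   # illustrative "low" setting (assumption)
HIGH_ITERATIONS = 600_000  # illustrative higher setting (assumption)
KEY_LEN = 32               # 256-bit derived key


def derive_key(master_password: str, salt: str, iterations: int) -> bytes:
    """Stretch the master password with PBKDF2-HMAC-SHA256.
    Bitwarden uses the account e-mail address as the salt; the value used
    here is a constructed string standing in for it."""
    return hashlib.pbkdf2_hmac(
        "sha256",
        master_password.encode("utf-8"),
        salt.encode("utf-8"),
        iterations,
        dklen=KEY_LEN,
    )


def time_derivation(master_password: str, salt: str, iterations: int) -> float:
    """Seconds one derivation takes on this machine: the cost of one guess."""
    start = time.perf_counter()
    derive_key(master_password, salt, iterations)
    return time.perf_counter() - start


def keys_match(candidate: str, salt: str, iterations: int, stored: bytes) -> bool:
    """Check a candidate password against a stored derived key in constant time,
    so that the comparison itself leaks nothing about how many bytes matched."""
    return hmac.compare_digest(derive_key(candidate, salt, iterations), stored)


def main() -> None:
    password, salt = "correct horse battery staple", "rebel@example.org"  # constructed
    for n in (LOW_ITERATIONS, HIGH_ITERATIONS):
        print(f"{n:>8} iterations: {time_derivation(password, salt, n):.3f}s per guess")
    # The attacker pays the same stretch for every guess, so raising the count
    # from 100,000 to 600,000 makes an offline attack on the master password
    # about six times more expensive without changing the password itself.
    stored = derive_key(password, salt, HIGH_ITERATIONS)
    print("right password accepted:", keys_match(password, salt, HIGH_ITERATIONS, stored))
    print("wrong password accepted:", keys_match("wrong", salt, HIGH_ITERATIONS, stored))


if __name__ == "__main__":
    main()
```

Changing the count on a real account is done in the account's security settings and re-encrypts the vault, which is why the page asks you to wait for instructions rather than change it on your own.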