OK, thanks for the solid answer. I suppose the core of my question was that pretty much: is it just as secure AND a less likely target than bitwarden. That makes a lot of sense to me. I would probably still worry about the strength of the code , though. Do we know if/how it’s been audited?

I mean, your best having a look at the official Git but, i’d say, access/visibility is the most important.

Is it on your LAN/not open then even if it was less secure, it’d still be more secure if you know what I mean.

I host mine on a VPS but it’s behind traefik with authelia (and 2FA). Plan is to get fail2ban setup over the next couple of evenings. SSH is cert only, probably going to change the port too but not sure if that’s really necessary. I’m comfortable exposing on that basis.

The code is as good as bitwardens, and even better, everyone can see the code to review it’s vulnerabilities and fix them.

What is a major factor is you’re far less likely to be of interest to a hacker. So whilst crunching numbers to crack bitwarden encryption may make some sense…it makes absolutely zero sense to spend that time to hack mine.

Also the vault is en/de crypted on device so the code never sees your passwords