101 backup: verifying your backup: but how with file-password encrypted json?

tl;dr surprisingly the canonical help doc says nothing about testing/verifying one’s backup, so looking to see what people do here.

For folks that are actually doing backups: how are you verifying your backup? Are you really setting up a dummy account? or is there a way to put your bitwarden desktop in “anonymous/incognito”-mode of sorts? or a CLI maybe?

my specific export case: I’m using the newer JSON-encrypted, but file-password-protected mode to generate my backups. Now to test those I obviously don’t want to mutate my real bitwarden vault by importing said backup just as a test. I simply want to do a spot-check that everything decrypts okay, and then disregard said unlocked content (putting the thumbdrive away safely somewhere).

Right now I’m planning to solve this by booting to a live linux ISO with my thumbdrive, installing bitwarden desktop, and seeing how import goes. Would love if there was something simpler that bitwarden offers, like a --decrypt flag that simply prints the plaintext JSON to stdout or something.


note I picked tag “cloud-default” because the forum software made me pick one… but this question is agnostic where your cloud is.

@qsu Hi!

Actually, there are two or three programmes, for that, I guess. My favourite would be to use KeePassXC. It can import Bitwarden’s password-protected JSON exports. (though I’m not sure whether passkeys are transferable now)

As I have no experience with the CLI, your questions to that have to be addressed by someone else.

PS: As this is a question and not a feature request, I changed the tag to “Ask the Community” - I hope this is okay for you.

Not yet. Waiting for that one too.

Any particular reason for doing it this way?

I’m thinking it would be simpler just setting up a second test account and importing the json there using the web vault.

There’s also BitwardenDecrypt, that’s supposed to work. I remember doing some tests a couple of weeks ago with password protected json exports that didn’t decrypt. I didn’t dig more into it, though.

But the restore on a second test account I think would be the real test, since it is what you would need to do if you needed to use the backup.

I do regular backups from the CLI, I use unencrypted json exports that I pipe to gpg to encrypt them.

I use a different tack…

I use TrueCrypt to create an encrypted Volume. Once every couple weeks, I export a CSV file, mount the encrypted volume, store it there, then unmount it (ie, encrypt it). I also export a JSON at the same time.

I have a couple of years worth of backups stored this way. It’s secure as can be. I do check it to make sure the CSV file is readable each time.

It’s quick & easy, and works.

Bitwarden desktop requires logging into the cloud vault. So, you would still need a “test account” to follow this approach.

A completely separate OS install is overkill – just create a separate browser profile and login to the other account from there. Or, as @Nail1684 suggests, KeepassXC is a great choice… if you are ok with not testing the passkey portion (for now).

This will not work, as importing is not local, it immediately uploads the data to the logged in cloud account (and then syncs it to the client app that was doing the importing).

Your main options are:

  1. Register for a free Bitwarden account, test by importing into the new account (note that Bitwarden Terms of Service only allows a single free account, so if your main account is not a paid account, then you should delete the test account after you have confirmed that the import worked).
  2. Same as above, but use a self-hosted server to register your account.
  3. Use a third-party tool that can read encrypted Bitwarden exports (e.g., KeePassXC, BitwardenDecrypt, or bwJsonDecryptor).
  4. If the folder structure of your vault is relatively simple, then you can also create a new folder (named “ImportTest”, etc.) and import the .json back into your main account while specifying this folder as the import destination. To undo the effects of the import, you will have to log in to the Web Vault, individually (one at a time) open the “ImportTest” folder and every subfolder inside the “ImportTest” folder, then check the “All” checkbox and click “Delete” in the top overflow menu; after all items have been deleted, you can delete all of the subfolders in the “ImportTest” folder, and finally delete the “ImportTest” folder itself. Like I indicated above, this process can be quite cumbersome unless you have a relatively simple folder structure in your vault.
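
Added example (not part of the thread, and not Bitwarden's or any listed tool's code): an offline password and integrity check for a password-protected export, using only the Python standard library and never producing plaintext. The field names, the `2.iv|ciphertext|mac` string layout and the PBKDF2-SHA256 plus HKDF-Expand derivation are assumptions about the export format; `check_export` and `make_sample` are hypothetical names, and the sample file is constructed.

```python
import base64, hashlib, hmac, json

def derive_mac_key(password, salt, iterations):
    # Assumed derivation: PBKDF2-SHA256 over the salt string, then a
    # single-block HKDF-Expand (RFC 5869) with info "mac" for the MAC key.
    master = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), iterations)
    return hmac.new(master, b"mac\x01", hashlib.sha256).digest()

def mac_ok(enc_string, mac_key):
    # Assumed layout: "2.<b64 iv>|<b64 ciphertext>|<b64 HMAC-SHA256(iv + ciphertext)>"
    enc_type, _, body = str(enc_string).partition(".")
    parts = body.split("|")
    if enc_type != "2" or len(parts) != 3:
        return False
    try:
        iv, ct, mac = (base64.b64decode(p, validate=True) for p in parts)
    except ValueError:  # truncated or damaged base64
        return False
    return hmac.compare_digest(hmac.new(mac_key, iv + ct, hashlib.sha256).digest(), mac)

def check_export(text, password):
    try:
        doc = json.loads(text)
    except ValueError:
        return "not-json"
    if not (isinstance(doc, dict) and doc.get("encrypted") and doc.get("passwordProtected")):
        return "not-password-protected"
    rounds = doc.get("kdfIterations")
    if doc.get("kdfType") != 0 or not isinstance(rounds, int) or rounds < 1:
        return "unsupported-kdf"  # this sketch only handles PBKDF2 (assumed kdfType 0)
    key = derive_mac_key(password, str(doc.get("salt", "")), rounds)
    if not mac_ok(doc.get("encKeyValidation_DO_NOT_EDIT"), key):
        return "wrong-password-or-damaged-header"
    return "ok" if mac_ok(doc.get("data"), key) else "data-damaged"

def make_sample(password, iterations=1000):
    # Constructed stand-in for an export: fixed bytes instead of real ciphertext.
    salt = base64.b64encode(bytes(range(16))).decode()
    key = derive_mac_key(password, salt, iterations)
    def enc(iv, ct):
        mac = hmac.new(key, iv + ct, hashlib.sha256).digest()
        return "2." + "|".join(base64.b64encode(x).decode() for x in (iv, ct, mac))
    return json.dumps({"encrypted": True, "passwordProtected": True, "salt": salt,
                       "kdfType": 0, "kdfIterations": iterations,
                       "encKeyValidation_DO_NOT_EDIT": enc(b"\x01" * 16, b"\x02" * 16),
                       "data": enc(b"\x03" * 16, b"\x04" * 64)})

if __name__ == "__main__":
    sample = make_sample("correct horse")
    print(check_export(sample, "correct horse"), check_export(sample, "typo"))
```

A passing check shows that the password derives the right key and the stored bytes are intact; it does not parse the vault contents, so an import test as in the options above remains the stronger check.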

Oh yes this is exactly the level of tech I was looking for: something that can work offline. It’s not perfect as it’s not a tool maintained by bitwarden (that just feels like the most stable way to offer a solution), but I used keepassxc for almost a decade before I found Bitwarden, so at least I know it’s a trustworthy/long-term solution!

Maybe an “official docs”-feature request? This feels like something that should be addressed by Bitwarden, even if it’s just to have a mention that this is the best solution Bitwarden team knows about to test its own portable-backups JSONs. (Do they really want people making spurious accounts just to test? That’s also reliant on having access to a bitwarden server somewhere, which isn’t as flexible as I’m sure the password-solution is intended to help solve.) I have to think it’s at least worth updating the canonical documentation on this front: Export Vault Data | Bitwarden Help Center


Thanks for the help everyone! The only surprise left for me is that there’s no attachment export. I suppose I can just stop using attachments.

Glad, we could be of help!

Two things:

  1. Though I have no expertise with the CLI - I know, attachments can be exported via the CLI.
  2. If you really “protest” I think we could change it back to a feature request - but a feature request should be specific about more or less “one thing”, everyone could give a meaningful vote for, so, I would rather suggest, opening a new feature request, only requesting that one thing. - And, you can also go to the doc site, go to the end of the page and “Suggest changes to this page”. Though I can’t guarantee the success of that…

Also not perfect in that attachments and passkeys do not yet export/import. In one respect though I actually like this approach better… if Bitwarden were to disappear off the face of the earth, I have a tested alternative that can import “90%”.

I personally do not use attachments for the very reason that they are not included in the backup (I store things like drivers license#'s as text in notes fields).

That would be a perfectly valid feature request. The one “gotcha” with FRs is that they should clearly state one idea, so it is best to create a separate one, instead of this conversation, which is more about advice seeking.

Done! Posted here: Fix doc to have a corresponding "test/verification"-flow for every backup-flow mentioned - feel free to edit/fix (again I was unclear on the forum-tags here).

I’m also very open to suggestions here/there if anyone wants me to edit anything to make that post easier to act on.

As I’m also waiting for the next version of KeePassXC, I saw two things that might be worth sharing here (though this is a Bitwarden forum - but as we discussed importing a Bitwarden export with KeePassXC…):

First, I wasn’t aware of that “nested folders” seem to be not imported correctly at the moment - though it is on the list for the next release: Support nested folders on Bitwarden import · Issue #11491 · keepassxreboot/keepassxc · GitHub

Second, they are working also on the passkey import from Bitwarden’s JSONs, also on the list for the next release: Support passkeys with Bitwarden import by varjolintu · Pull Request #11401 · keepassxreboot/keepassxc · GitHub (though, as they discuss this there also, the FIDO alliance works on standards for importing/exporting passkeys and when that gets released, that whole topic of passkey export and import needs further adaptions on all sides)
