I want to make a paper backup of the entire Vault to store in a bank safe deposit box.
However, I would like to print it encrypted and deposit the corresponding key with a lawyer. Is there a standard for doing this?
I’m not sure I understand the reason for a paper copy; for one thing OCR will turn a printed copy into an electronic copy almost instantly.
Maybe give your master password to your lawyer and the 2FA recovery keys to your executor or someone else you trust implicitly.
Best approach may be to export the vault to a usb key and store the usb key in a safety deposit box. Your export could be encrypted. The usb key could also be encrypted such as a biometric usb key. Of course, all that behind a safety deposit box is a very high level of security and perhaps overkill.
A different approach: store your printed master password and 2FA recovery key in a safety deposit box (or separate them) and your encrypted vault locally or with a trusted lawyer or estate executor on a usb key. They won’t be able to access it without access to your safety deposit box.
I agree with @222 that this is probably the best approach. Here is information on how to create a backup on usb:
Another possibility is to give your lawyer Emergency Access:
@Berzdorfer Welcome to the forum!
If your lawyer would in principle be willing to learn or follow instructions for how to decrypt a passwords database that is encrypted on paper, then they should also be capable of following the instructions for being a “grantee” of Emergency Access. This would be the most seamless solution for your use-case.
Nonetheless, if you require an encrypted hardcopy printout, I found this software tool that could be helpful for this purpose:
You are better off securing something like a vault in a secure location and giving access to a lawyer than giving a lawyer the vault. Lawyers are notoriously disorganized. You and they may never see it again. Lol!
By the way, I had a bank lose my safety deposit box once! They lost all the records of ownership. It was a sea of boxes with an offer to try all keys. They often ship stacks of boxes to different locations. Banks often take no responsibility for lost contents. Lots of news articles online. Always have a B Plan.
Surely multiple versions of heavily encrypted copies should do the trick. Store on multiple USB keys and in the cloud. All you then have to do is decide who to trust. Oh, and how (and how often) to update, of course.
You can use a cloud storage that provides automatic syncing so the latest version is automatically uploaded. That makes that portion easier.
For remote off premises protection I employ the following method, which would serve well for your use case:
I download the data vault UNENCRYPTED on purpose. I download both formats json and csv. These are placed in a zip file and then gpg encrypted to my “super key”. The resultant zip.gpg file is placed as an attachment on one of my Tutanota email accounts. These email accounts are not publicly circulated and are used for storage as mentioned above here. Tutanota themselves cannot ever gain access to these attachments even if I were to upload an unencrypted file. I never do, but just saying!!
I bring my vault contents down unencrypted because it gives me total control and all access even if BW were to disappear from the scene. Not likely, but I like covering my bases!! Generic json and csv can be opened and used via numerous methods. Solid security and NOBODY will ever even find my encrypted contents unless I give them directions to it.
It would be trivial to accommodate your needs for “succession” planning.
“Best approach may be to export the vault to a usb key and store the usb key in a safety deposit box. Your export could be encrypted. The usb key could also be encrypted such as a biometric usb key. Of course, all that behind a safety deposit box is a very high level of security and perhaps overkill.”
I wouldn’t count on a USB backup remaining vital for an extended period of time. USB drives are notorious for data corruption. You have to write a fresh backup at least once a year and check that the drive is vital.
A KeePass user recently tried to restore from a USB backup and found they couldn’t open the database. Turned out it was corrupted. Encrypted data more easily corrupts. Be careful.
Personally, I would have at least one cloud backup. Cloud storage is very safe. You sometimes hear that the cloud is just someone else’s computer. Sort of, but it is not easy for an attacker to get into your account on there if you use a strong password. The major providers mirror data but those mirrors are encrypted using AES 256.
Cloud storage is very safe and very reliable. Write down your cloud credentials wherever you keep your Bitwarden master password.
Even using relatively weak passwords and no 2FA, for 25 years, I’ve never had an account anywhere broken into. The chances are extremely remote that your cloud account with a strong password is compromised, and even then they would have to be able to break into your encrypted Bitwarden export. It would be way too much effort for any hacker unless they 1. know your cloud account and 2. know your vault is worth hundreds of millions or more.
Hackers look for low hanging fruit. They want maximum results with minimal effort.
Hmm, necro-thread.
Anyway, it is interesting that no-one directly answered the original question, and only @qrb offered a paper solution at all.
For the question, there is not to my knowledge any defined standard for it.
Given @Berzdorfer spoke about a paper copy, a straightforward solution to making one is to use command line tools, e.g. OpenSSL, gpg, zip -e, to encrypt the data using a pass phrase and either in-process (the -a option in OpenSSL) or afterwards, encode with Base64. While this will expand the file about 30%, base64 encoding has the great advantage over Paperbak that it produces plain alphanumeric text, so no high resolution printer is needed nor a good scanner to return it to computer-readable form. The necessary tools to recover the vault contents are then long-lived, so long as your lawyer has the pass phrase with suitable instructions. This is an example of a bash SSL script for one platform: Simple built-in way to encrypt and decrypt a file on a Mac via command-line? - Super User
I have no plan to do this myself yet a little diversity of medium and storage security is a reasonable idea for people to have. I wonder what Berzdorfer did?
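An added example (not posted by anyone in this thread) of the OpenSSL-plus-Base64 approach described above, together with the round-trip check you would want to run before handing the printout and pass phrase to a lawyer. It assumes OpenSSL 1.1.1 or later (for -pbkdf2), and the vault export and pass phrase are constructed stand-ins.

```shell
#!/bin/sh
# Paper-backup recipe: passphrase-encrypt a vault export with OpenSSL and emit
# base64 text (-a) that can be printed, then prove it restores byte-for-byte.
set -eu

# Constructed stand-in for an unencrypted Bitwarden JSON export.
make_sample_export() {
  cat > "$1" <<'EOF'
{"encrypted":false,"items":[{"name":"example-login","login":{"username":"alice","password":"S3cret!"}}]}
EOF
}

# encrypt_for_paper IN OUT PASSFILE
# AES-256-CBC, key derived from the pass phrase with salted PBKDF2 (200k iterations),
# base64 output so the result is plain A-Z/a-z/0-9/+// text suitable for printing.
encrypt_for_paper() {
  openssl enc -aes-256-cbc -salt -pbkdf2 -iter 200000 -md sha256 -a \
    -pass "file:$3" -in "$1" -out "$2"
}

# decrypt_from_paper IN OUT PASSFILE : the recovery step the lawyer's instructions describe.
decrypt_from_paper() {
  openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 -md sha256 -a \
    -pass "file:$3" -in "$1" -out "$2" 2>/dev/null
}

# roundtrip_ok DIR : 0 if the printout is pure base64 text and decrypts to the original.
roundtrip_ok() {
  make_sample_export "$1/vault.json"
  printf '%s\n' 'correct horse battery staple' > "$1/pass.txt"
  encrypt_for_paper "$1/vault.json" "$1/vault.json.enc.txt" "$1/pass.txt"
  # Any character outside the base64 alphabet would not survive printing/OCR cleanly.
  if LC_ALL=C grep -q '[^A-Za-z0-9+/=]' "$1/vault.json.enc.txt"; then return 1; fi
  decrypt_from_paper "$1/vault.json.enc.txt" "$1/restored.json" "$1/pass.txt"
  cmp -s "$1/vault.json" "$1/restored.json"
}

# wrong_passphrase_rejected DIR : 0 if a wrong pass phrase fails instead of yielding garbage.
wrong_passphrase_rejected() {
  printf '%s\n' 'not the real pass phrase' > "$1/wrong.txt"
  if decrypt_from_paper "$1/vault.json.enc.txt" "$1/garbage.json" "$1/wrong.txt"; then
    return 1
  fi
  return 0
}

work=$(mktemp -d)
if roundtrip_ok "$work" && wrong_passphrase_rejected "$work"; then
  echo "printable backup verified: $work/vault.json.enc.txt"
else
  echo "paper backup round-trip FAILED" >&2; exit 1
fi
```

Print vault.json.enc.txt in a monospace font; recovery is the decrypt_from_paper command plus the pass phrase, which is what the lawyer's written instructions need to contain.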