If someone were to get your Bitwarden backup file, what damage could they do? Would they also need your master password to use the data or would they be able to get all the passwords with just the backup?
Trying to increase security and this ran across my mind the other day.
Any insight is appreciated!
Good question - it all depends on what type of .JSON backup file you have exported from your vault. If you chose to use an encrypted backup, your secrets are safe, assuming that you used a long, unique, and unguessable password. But there is also an option to create an unencrypted JSON export file, which stores everything in plain text and can easily be read by anyone who got a hold of your file. You should only ever store unencrypted files on an encrypted drive that only you have access to, or within an encrypted volume like those you can create with free software like VeraCrypt or TrueCrypt.
More details on JSON exports can be found here:
Thanks so much for the informative reply!
Does the encrypted backup use the same password used to log in to Bitwarden?
Do you suggest VeraCrypt or TrueCrypt above BitLocker?
Good questions - first, the encrypted JSON is for quick backup and restore purposes only. It is encrypted with a key derived from your master password in your current account. This is really important because if you ever get locked out of your account (e.g., forget the password) or you delete your account (e.g., it is hijacked by someone who steals your unlocked phone and you delete the account in response), the backup is useless. But it is a very convenient and safe way to create a backup, so I like to generate an encrypted JSON backup anytime I am making bulk changes to my vault, and I want to be able to “restore and undo” those changes.
For longer term backups, I would export an unencrypted JSON stored on an encrypted drive where only you have access. A BitLocker encrypted flash drive is fine (particularly if you can store it in a safe or somewhere secure). Or you can use an encrypted container (e.g., VeraCrypt container or a macOS encrypted drive image), which has the advantage of being able to be uploaded to the cloud. Services like Dropbox, OneDrive, Sync.com, etc. all have end-to-end encrypted vaults available, which is where I store my encrypted Mac disk image (so essentially it is double-encrypted). I personally don’t think there is a “best” way overall - it really depends on your needs.
Hope that helps!
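The two answers above distinguish an encrypted export (opaque ciphertext under a key derived from the account's master password) from an unencrypted export (every password readable by whoever holds the file). The script below is an added example, not Bitwarden's code or anything posted in the thread: it triages an export file before it is copied off an encrypted drive, reporting whether it is the encrypted or the plaintext kind and how many secrets would be readable. It assumes the export layout the Bitwarden clients write (a top-level `encrypted` boolean, an `items` array with `login.password` and `login.totp` fields in the unencrypted form, an opaque `data` string in the encrypted form); the sample exports embedded in it are constructed, not real vault data.

```python
"""Triage a Bitwarden JSON export: plaintext or encrypted?

Added example; assumes the export layout described in the lead-in.
"""
import json
from dataclasses import dataclass, field


@dataclass
class ExportReport:
    kind: str                      # "unencrypted", "encrypted" or "unknown"
    plaintext_secrets: int = 0     # passwords/TOTP seeds readable without any key
    findings: list = field(default_factory=list)


def triage_export(text: str) -> ExportReport:
    """Classify an export and count the secrets it exposes in the clear."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError:
        return ExportReport("unknown", findings=["not valid JSON"])
    if not isinstance(doc, dict):
        return ExportReport("unknown", findings=["top-level value is not an object"])

    # Encrypted export (assumed layout): a flag plus one opaque ciphertext blob.
    if doc.get("encrypted") is True and isinstance(doc.get("data"), str):
        return ExportReport("encrypted")

    # Unencrypted export (assumed layout): vault items in the clear.
    items = doc.get("items")
    if doc.get("encrypted") is False and isinstance(items, list):
        report = ExportReport("unencrypted")
        for item in items:
            name = item.get("name", "?")
            login = item.get("login") or {}
            if login.get("password"):
                report.plaintext_secrets += 1
                report.findings.append(f"plaintext password for {name!r}")
            if login.get("totp"):
                report.plaintext_secrets += 1
                report.findings.append(f"plaintext TOTP seed for {name!r}")
        return report

    return ExportReport("unknown", findings=["unrecognised export layout"])


def safe_to_leave_encrypted_storage(report: ExportReport) -> bool:
    """Only the encrypted export may be stored outside an encrypted volume."""
    return report.kind == "encrypted" and report.plaintext_secrets == 0


# Constructed sample exports (not real vault data).
UNENCRYPTED_SAMPLE = json.dumps({
    "encrypted": False,
    "folders": [],
    "items": [
        {"name": "example-bank", "type": 1,
         "login": {"username": "alice", "password": "constructed-pw-1",
                   "totp": "JBSWY3DPEHPK3PXP"}},
        {"name": "example-mail", "type": 1,
         "login": {"username": "alice@example.test", "password": "constructed-pw-2"}},
        {"name": "note-only", "type": 2, "notes": "no login here"},
    ],
})

ENCRYPTED_SAMPLE = json.dumps({
    "encrypted": True,
    "encKeyValidation_DO_NOT_EDIT": "2.PLACEHOLDER|PLACEHOLDER|PLACEHOLDER",
    "data": "2.PLACEHOLDER-IV|PLACEHOLDER-CIPHERTEXT|PLACEHOLDER-MAC",
})


if __name__ == "__main__":
    for label, sample in (("unencrypted", UNENCRYPTED_SAMPLE),
                          ("encrypted", ENCRYPTED_SAMPLE)):
        rep = triage_export(sample)
        print(f"{label}: kind={rep.kind} secrets={rep.plaintext_secrets} "
              f"safe_outside_encrypted_storage={safe_to_leave_encrypted_storage(rep)}")
        for f in rep.findings:
            print("  -", f)
```

Run it against a real export by reading the file into `triage_export`; an `unencrypted` result with a non-zero secret count is the file the second answer says belongs only inside a BitLocker drive, VeraCrypt container or encrypted disk image.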