Decrypt password-protected exports without an account?

As explained here, password protected vault exports are encrypted with a password of your choice and “can be decrypted with the password and can be imported to any Bitwarden account.” This makes them more flexible than account restricted exports, which can only be re-imported into the original account.

However, in the case that the Bitwarden service disappears (becomes permanently unavailable with no warning due to some disaster), is it possible to decrypt the password protected export file without logging into a Bitwarden account?

It would be fine if it still required the Bitwarden desktop client or the bw CLI program, but if it can only be decrypted and imported after logging into a Bitwarden account, then it seems like the password protected export does not protect against the disappearance of the Bitwarden service.

The encryption method for these exports is well-documented, and standard cryptography libraries can be used to do the decryption. If you’re not up to doing the necessary coding yourself, the third-party utility BitwardenDecrypt is an example of a tool currently available to do such a decryption. However, it would be a fairly safe bet that if Bitwarden, Inc. ever disappears, then the open-source community will quickly respond with myriad options for decrypting password-protected Bitwarden exports.


Thanks for the link to BitwardenDecrypt, it looks like a great tool that does pretty much what I want. By allowing the user to decrypt data.json, it also solves my other problem with password-protected exports, which is that I want the vault file to be encrypted with my master password without having to re-type it when creating the export.

I wonder if Bitwarden would consider including a command for decrypting data.json as part of the official bw CLI tool. It would be great to have an officially supported tool for decrypting an offline Bitwarden vault with the original master password.

Never mind, I figured out how to do what I actually want to do, which is to open my vault in Bitwarden offline, on a new machine. This is partially covered by Using Bitwarden Offline | Bitwarden Help Center and Storage | Bitwarden Help Center, but I’ll document the full steps (for Linux users) here in case anyone else is trying to do this:

  1. Back up the Bitwarden-*.AppImage executable and ~/.config/Bitwarden/data.json while your Bitwarden vault is locked (but still logged in) and the app is not running.
  2. Then, if you lose your primary computer / storage drive, open your backup drive on a new computer, copy the files over, then run Bitwarden-*.AppImage in order to create ~/.config/Bitwarden/.
  3. Close the Bitwarden app. Copy your backed up data.json to ~/.config/Bitwarden/data.json.
  4. Run the Bitwarden app again. It should show that your account is logged in and prompt you to enter your master password, which should successfully unlock your vault. This can all be done offline.
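The backup and restore steps above, as an added example for Linux that is not part of the original post: a POSIX shell script that copies data.json and the AppImage into a timestamped directory with a SHA-256 manifest, verifies the manifest before restoring, and refuses to touch data.json while the desktop app is running. The AppImage directory, backup root and function names are assumptions; locking the vault before closing the app (step 1) remains a manual step.

```shell
#!/bin/sh
# Added example, not from the thread: automates steps 1-3 for Linux users.
# Assumptions: the AppImage lives in $BW_APPIMAGE_DIR (there is no standard
# location), backups go under $BACKUP_ROOT, and the vault was locked before
# the app was closed.
BW_CONFIG_DIR="${BW_CONFIG_DIR:-$HOME/.config/Bitwarden}"
BW_APPIMAGE_DIR="${BW_APPIMAGE_DIR:-$HOME/Applications}"
BACKUP_ROOT="${BACKUP_ROOT:-/media/backup/bitwarden}"

# True if a Bitwarden AppImage process is running; data.json must not be
# copied in that state (step 1: app not running).
bw_app_running() {
    pgrep -f 'Bitwarden-[^ ]*[.]AppImage' >/dev/null 2>&1
}

# Copy data.json and the AppImage into a timestamped directory and write
# SHA256SUMS so the copy can be checked before it is restored. Prints the dir.
bw_backup() {
    cfg="$1"; appdir="$2"; root="$3"
    if bw_app_running; then echo "close Bitwarden first" >&2; return 1; fi
    [ -s "$cfg/data.json" ] || { echo "no data.json in $cfg" >&2; return 1; }
    # cheap sanity check: the file should be a JSON object, not an empty stub
    head -c 1 "$cfg/data.json" | grep -q -F '{' || { echo "not JSON" >&2; return 1; }
    dest="$root/$(date -u +%Y%m%dT%H%M%SZ)"
    mkdir -p "$dest"
    cp -p "$cfg/data.json" "$dest/data.json"
    for img in "$appdir"/Bitwarden-*.AppImage; do
        [ -f "$img" ] && cp -p "$img" "$dest/"
    done
    (cd "$dest" && find . -maxdepth 1 -type f ! -name SHA256SUMS \
        -exec sha256sum {} + > SHA256SUMS)
    echo "$dest"
}

# Check a backup directory against its SHA256SUMS manifest.
bw_backup_verify() {
    (cd "$1" && sha256sum -c --quiet SHA256SUMS >/dev/null)
}

# Step 3: put a verified data.json into the (fresh) config dir created by the
# first app run, keeping any existing data.json aside instead of overwriting it.
bw_restore() {
    src="$1"; cfg="$2"
    if bw_app_running; then echo "close Bitwarden first" >&2; return 1; fi
    bw_backup_verify "$src" || { echo "backup checksum mismatch" >&2; return 1; }
    mkdir -p "$cfg"
    [ -f "$cfg/data.json" ] && mv "$cfg/data.json" "$cfg/data.json.pre-restore"
    cp -p "$src/data.json" "$cfg/data.json"
}
```

Source the file and call `bw_backup "$BW_CONFIG_DIR" "$BW_APPIMAGE_DIR" "$BACKUP_ROOT"` from a cron job or before a disk swap; on the new machine, run the AppImage once, close it, then `bw_restore <backup dir> "$BW_CONFIG_DIR"` before step 4.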

Yes, this is a good backup method, which I also use. However, please note that between Step 3 and Step 4, you must disconnect your device from the internet. And because this type of backup can only be used off-line, you’ll ultimately need to create an export (if your goal is to import the backup into a working password manager account).

I have described this backup technique in a post on another thread, which you may find helpful:

That is an extremely helpful post, thank you. I have one follow-up question. Above, you wrote:

And because this type of backup can only be used off-line, you’ll ultimately need to create an export (if your goal is to import the backup into a working password manager account).

And in the linked post, you wrote:

The advantages of the above method over directly backing up by creating exports are […] You will still have access to old password histories and metadata (e.g., timestamps for creation and modification of items), which are lost when doing vault exports

However, if you must export your vault after restoring it offline, then won’t you lose your password history and metadata anyway? Or, are you just pointing out that they will still be available in the backed-up copy of data.json (which can only be accessed offline) if you need to refer back to them?

👆 This.

Awesome, thanks! Have you considered documenting this backup method in the official Bitwarden docs? It took me a long time to find this solution because most of the forum posts and documentation regarding backups seem to focus on exports, without mentioning data.json at all.

I have no affiliation with Bitwarden (other than being a customer), so I don’t have any ability to modify the official Help docs. However, there is a link at the bottom of each page in the Help Center, which you can click to “Make a suggestion to this article”; you could try submitting a suggestion there.

There is a (now somewhat outdated) backup guide written by a former community member (David H), which you can find under the tag tips:backups. A brief description of the data.json-based approach to vault backups is given in the top comment in the discussion of David H’s backup guide.

I see, thanks again for your help. Maybe I will write up the Linux version of this approach somewhere with more visibility, or try to get it added to the official docs. I feel that backing up data.json as well as the Bitwarden executable is by far the best approach because it’s automatic (no manual exports or need to automate exports using the CLI), encrypted with your master password, and preserves all password history, etc. It seems to me that the real purpose of exports should be for transferring your vault to another Bitwarden account or password manager, not for creating backups, yet even the official docs recommend using exports for backups. And just from searching these forums, Reddit, etc. it seems like there is general confusion about the best way to create backups. It would be nice to get community consensus for the most straightforward and reliable way to create a backup.