Direct Export of Encrypted Vault

Feature name

  • A means of directly exporting an encrypted Bitwarden vault targeted at the CLI that does not decrypt the vault or require the vault password.

Feature function

  • What will this feature do differently?

    • Currently, all means of exporting a Bitwarden vault decrypt it in the process. This includes encrypted export, which decrypts the user’s vault with the vault password and then re-encrypts it with a different key. The proposed feature will export a user’s vault as a direct transfer, without decrypting it.
    • Since direct exports will not decrypt the user’s vault, this operation can be done with only the user’s API key.
  • What benefits will this feature bring?

    • Better security for automated backups. Currently, any automated process that exports a Bitwarden vault has to store the vault password on an Internet-connected machine. I would like to be able to back up my vault automatically, without putting my vault password at risk.
    • More resilient encrypted exports. Currently, encrypted exports are created with a secondary encryption key, and the exports are rendered useless if that encryption key is rotated or inaccessible. A direct export leaves exports of my vault encrypted with my password, making it so that I can still access my passwords in the event of a disaster.