Direct Export of Encrypted Vault

Feature name

  • A means of directly exporting an encrypted Bitwarden vault targeted at the CLI that does not decrypt the vault or require the vault password.

Feature function

  • What will this feature do differently?

    • Currently, all means of exporting a Bitwarden vault decrypt it in the process. This includes encrypted export, which decrypts the user’s vault with the vault password and then re-encrypts it with a different key. The proposed feature will export a user’s vault as a direct transfer, without decrypting it.
    • Since direct exports will not decrypt the user’s vault, this operation can be done with only the user’s API key.
  • What benefits will this feature bring?

    • Better security for automated backups. Currently, any automated process that exports a Bitwarden vault has to store the vault password on an Internet-connected machine. I would like to be able to back up my vault automatically, without putting my vault password at risk.
    • More resilient encrypted exports. Currently, encrypted exports are created with a secondary encryption key, and the exports are rendered useless if that encryption key is rotated or inaccessible. A direct export leaves exports of my vault encrypted with my password, making it so that I can still access my passwords in the event of a disaster.
4 Likes

It would be helpful for me too.

We are a small team using the Bitwarden cloud. The cloud version is simple and user-friendly, but we need backups of the Organization vault in case something goes wrong with the Bitwarden cloud.

I am the sole Owner and Admin of our Organization vault. All the guys from our IT department only have Manager roles. I would like to delegate regular backups of the Organization vault to them. But for now, every organization storage export requires my master password.

So I wish there was some special key that I could give to the IT department. The IT department should be able to export the encrypted vault with this key without my master password. But they shouldn’t be able to decrypt the vault with this key.

By the way, Encrypted-export-only API key requests something similar. I think we should like each other’s requests.

Or maybe even ask the forum admin to merge requests.

Feature name

  • API key that can only perform an account-restricted encrypted export

Feature function

  • To allow me to perform automated backups of my vault without storing a vector to allow someone to modify my vault or otherwise see its decrypted contents, allow for the creation of an API key that is only able to perform an account-restricted encrypted export (Encrypted Exports | Bitwarden Help Center).
1 Like