Encrypted export - Independent from account encryption

This is a follow-up to:

Not sure why it was closed right away, as we can’t even share feedback, so reopening here. For one, there is a dead link in the documentation page pointed to (“Rotating your account’s encryption key”):
https://bitwarden.com/help/article/change-master-password/#rotating-your-accounts-encryption-key

Then, I am puzzled by the following:

Rotating your account’s encryption key will render an Encrypted Export impossible to decrypt. If you rotate your encryption key, replace the old backup with one that uses the new encryption key.

Does it mean we need to also back up the encryption key somewhere? If so, the vault backup would not be very useful, as if the Bitwarden account were compromised, the encryption key may be rotated and it’d be impossible to restore the backup.

The objective would be to have a backup that can be decrypted/imported into a fresh vault based only on the master password.

@Em9172 Welcome! I closed the other thread as the intended function of Encrypted Export has been implemented. Additional feature requests/updates should be treated as new topics to make sure they are visible and captured since things do get lost sometimes if they are in comments alone.

We’ll fix the link, thank you for the heads-up! [Edit: Link fixed]

For this particular thread, it seems as if the request is for an encrypted backup that is apart from the account’s encryption (which is on our radar, just not a dev timeline yet). Could you change the title to reflect that, or specify the feature you’d like to see added to encrypted export?

I have some concerns, as does the OP here, but of a different flavor.

First let me say that this feature has been requested many times here. In my particular instance I have a tendency to rotate my encryption key at least yearly or more often. Seems like a good practice to me. Since I am prone to forgetfulness I could see myself swapping the key and forgetting that my data backup is now worthless until I create another one. My backups are spread over multiple media devices and multiple locations as well. One backup is NOT a backup! This is MY problem and I suspect many users never change their encryption keys.

My suggestion is to have the Bitwarden Vault throw up a BOLD FLAG during key encryption that stops just short of mandating an immediate backup of the vault after key exchanging.

I will likely export plain text into my virtual drives, as in the past, if that is still an option. I will check later.

I know this new feature will make many happy. Good job!!

1 Like

I second this.

I would like to be able to export an encrypted backup using a second “master-password”

That way I can import the file back into any BitWarden account using the same Master-Password to decrypt the file.

That way, if I am locked out of my account but still have the encrypted file and second master password, I can get in.

(I don’t think the password for the encrypted file password should HAVE to be the same as the account Master Password; but it could be)

3 Likes

Optional 2nd Master Password for the encrypted backup allowing imports to new Bitwarden Vaults would allow users who do not have access to their vault anymore to get back up and running! This would be like the Emergency Access Kit from 1Password but for recreating everything in a new Vault.

What about file attachments, is there a way to get them back out?

1 Like

I reply here instead of here since it seems to be the official topic.

I agree with what has been said. For now, I don’t see the point of the encrypted export. It’s not a backup and the need to import in the exact same vault makes it totally useless :confused: .

I voted for this topic. I hope you will change this behavior in the future :slightly_smiling_face:.

4 Likes

This is a must-have feature. I was hyped when “encrypted export” was announced, but it was a complete letdown when I found out it cannot be decrypted or read outside the Bitwarden web vault. I want a backup option to serve as a way to regain access to my data just in case one day out of the blue Bitwarden shuts down its operations (who knows?) and along with it all my account credentials…

1 Like

I see two options that can easily be implemented within the existing architecture:

  1. Export an encrypted JSON that contains the Protected Symmetric Key, much like the data.json file from the Desktop App already does. This can be decrypted with the users master password. The downside is it contains an encrypted copy of the users encryption key.

  2. Export an encrypted JSON that uses a new random encryption key, and store the new Protected Symmetric Key in the export. Essentially like the data.json file but with a rotated encryption key. This can be decrypted using the Master Password used to create it, with the advantage of not including the original encryption key.

However you decide to implement Encrypted Export, you should provide a tool to be able to access/decrypt the file independent of Bitwarden services. I.e. if Bitwarden was gone, users could still access the contents of the backup.

3 Likes

I would also appreciate the possibility to have a way to store an encrypted version of the vault which could also be decrypted outside of bitwarden for the same reasons given. There is always the risk that bitwarden can be down and with it access to all accounts which are managed here.

I’m not an expert, but would it be safe to download the plaintext JSON, go offline and do the encryption manually on my local device? Basically, is the download via the sha256 encrypted web connection to Bitwarden secure enough, or is there a risk that the file can leak? Any opinions?

I feel like the transfer is safe IF the file ends up in a safe place on your end. I select an encrypted virtual disk, which I immediately close leaving it “eyes only” to me if I need it in the future. Of course you should have multiple backups, which I do. It does me no good to export my vault into a virtual drive on my computer if the hard drive then crashes a few days later.

I am new to BitWarden, and I am impressed with it. But I’m also a careful “data liberation” freak who wants to occasionally do an independent backup of my BitWarden Vaults.

I can see 2-3 ways to do this:

  1. Use BW’s encrypted JSON export for backup / restore, which won’t help me if I need to have a look at just one or two “lost” or changed password records – restoring (re-importing) the encrypted json to BW means wiping out (replacing) your entire current vaults with the older data.

  2. Doing a local un-encrypted export from BW and using your own methods of encrypting it for backup. You can put your own key(s) on it that way.

  3. Do an un-encrypted .csv export from BW and re-import the .csv into KeePass for safe keeping and easy reference to the data. You’ll likely lose some data, but should have what you need to keep from being locked out of accounts. I haven’t tried this yet, but I will as I want to see how much work it is to do.

So my vote for the ability to give an encrypted export its own encryption key is focused on being able to use these exports as useful backups and data-transfer files, including the ability for re-importing to a new Vault on BitWarden rather than have the limitation that it must be imported only to your “production” BW vault in order to be able to use it.

I would like to point out that a resolution to this feature request, from my perspective, will also be a resolution to this: Passwordless Account Deletion Should Be Delayed/Reversable

In the unlikely event of an account deletion by a malicious party with access to my email, the only thing I’d truly care about is the recovery of my data. That is currently not possible with the encrypted backup option because it’s account dependent and the old account would be gone.

I second (third?) this :slight_smile:
To fully comply with local security regulations, our organization would need to have encrypted backups (we’d hold them locally & offsite) that have never been decrypted during automated backup runs and can be accessed/decrypted completely independent of any accounts or such.
This is for “absolute disaster” recovery: setting up a local Bitwarden host from scratch and importing the data.

2 Likes

Public service announcement:

If you want an encrypted backup that only needs your master password to open, and does not need any connection to Bitwarden servers to unlock the vault (i.e. account encrypted, unlocked), it’s easy to do… Bitwarden already does it!

Simply do this:

While logged in, but with vault locked, simply make a copy of the “data.json” file at “C:\Users\yourname\AppData\Roaming\Bitwarden” (or equivalent on other OS’s).

That file is the vault, only encrypted with your master password. Even if Bitwarden servers are down (permanently) you can just place that data.json file in any Bitwarden installation, and you will instantly be logged in and just need the master password to unlock the vault, which will all work without even having an internet connection.

So all you have to do is keep a copy of the Bitwarden installer, and make regular backups of the data.json file. Now you have an encrypted backup that does not need any account authentication to any Bitwarden server.

When they first talked about implementing encrypted backup, this is what I thought they would implement: a simple file protected with one password.

And I don’t want to be rude, but… the reason that Bitwarden didn’t do this is fairly obvious: it removes any need for you to use their servers. Indeed, if you just sync your data.json file to a cloud service (on all your Bitwarden devices), you don’t ever need Bitwarden servers again for anything.

2 Likes

Not taken as rude, but just to clarify: the current function was the fastest method to allow a universal export that was encrypted, and that could be imported for use in cross-platform scenarios. Using data.json is totally fine for an emergency scenario, but a lot of folks want to have cross-platform access :slight_smile:

We are absolutely planning on furthering the encrypted export, but the catch-22 is making an export that uses a password as a backup for an account for which you’ve forgotten the password :crazy_face:

5 Likes

Does this mean that in an organization anyone with the desktop app has the ability to take a copy of the whole vault, which they can access even if they’ve left the organization, independent of whether there’s a policy preventing them exporting from within Bitwarden?

Within any client, you’re only exporting your individual vault data, not the org data. That must be done from the Web Vault, and by an Admin/Owner or a Custom user with export permissions.

Happy to clarify further if needed :+1:

No that’s really clear and helpful, thanks… and a huge relief! :+1:

1 Like

First of all, this fact is not clearly explained in the documentation as it should be. Many can do an encrypted export thinking they are bulletproof, just to discover, too late, that’s not the case.

Second, I modified my export script to export an unencrypted JSON and then encrypt it with 7-Zip and delete the original file.

Not the safest procedure but at least I am sure I have an encrypted export I can decrypt anytime regardless.

7z a -sdel -p"%_secret%" C:\Users\user\Documents\Bitwarden\BWvault "C:\Users\user\Documents\Bitwarden\vault.json"