Enterprise (Hosted) Backup

We want to use cloud-hosted Bitwarden Enterprise (password manager) for our organization and are looking for a solution for automatically, periodically backing up both individual and organization-wide vaults.

(When I say “individual,” I mean individual users’ business vaults – not personal vaults belonging to users that might have personal Bitwarden accounts, such as a Bitwarden families plan.)

The purpose of the backup would be for disaster recovery, e.g., if a user accidentally deletes their vault, or an administrator accidentally deletes a user, or if Bitwarden somehow loses our data in the cloud (which is unlikely but possible).

The backup could be to Microsoft’s cloud (e.g., to OneDrive or SharePoint or Azure), or it could be to a dedicated cloud-to-cloud backup service (e.g., Axcient, Avepoint, Dropsuite, Veeam, Datto, etc.).

Ideally, it would be off-the-shelf and would not require custom scripting. (I know people have published their own scripts on Github, which could be used if necessary, but I’d like to avoid even that.)

Also, ideally it would perform all of these backups centrally. (I hope the solution does not require deploying a script to each individual user’s machine to back up their individual vault!)

Does anyone have a solution to recommend? Thank you!

Hey there, it sounds like you might benefit from using the global policy to disable individual vaults, and then set up collections for each team member in the organization so that there is only one backup required. We’re also doing work to improve the automation around this flow, so stay tuned.

Additionally, unless you disable it, team members can also redeem a free families plan to store their personal (non-work related credentials) in a separate Bitwarden vault.

For additional assistance on scripted backups, don’t hesitate to reach out to the support team using the form at: Help Center | Bitwarden

@dwbit thanks for the advice. I have done as you suggested.

One downside of disabling individual vaults and using separate collections for each user is that administrators now have very easy access to all users’ passwords. With individual vaults, an administrator would still have access to a user’s passwords if they performed an Administrative Take-Over, but that’s a more drastic measure that would be noticed, unlike the “casual” access I have now that I’m using collections. At least when an administrator accesses a user’s password, that event is logged, which will help prevent abuse.

But a potential upside is that, using collections instead of individual vaults, administrators can run reports (e.g., the Weak Passwords report) covering all users’ passwords. If using individual vaults, the reports would only cover the administrator’s own passwords – not other users’ passwords – right? However, the report is not in a very useful format, because it just lists individual items that are weak and doesn’t tell me which user or collection they belong to. I have to click each password (i.e., access it!) to find out which user it belongs to so I can tell them to change it.

Hey @Trailing4801 you might be interested in reading about Access Intelligence, which is currently in limited preview, but allows you to send an actionable prompt to affected users by managing critical apps/access: Introducing Bitwarden Access Intelligence: Empower your teams with proactive enterprise security protection | Bitwarden

Regarding the access issue for administrators, have you checked out the collection settings on the Organization Info screen? Ensuring ‘Owners and admins can manage all collections and items’ is disabled, could be helpful in this case.

Thanks, @dwbit !

Yes, ‘Owners and admins can manage all collections and items’ is already disabled.

However, if I remove Manage Collection privileges for admins, then I need to give Manage Collection privileges to the user, which I didn’t want to do to keep them out of trouble (e.g., accidentally deleting their collection, giving access to another user, …). I suppose there’s no way to avoid that, right?

If I remove Manage Collection privileges for admins, will admins still be able to run Access Intelligence on collections they have no access to?

Also, does Access Intelligence search for all of these problems?

  • Exposed passwords
  • Reused passwords
  • Weak passwords
  • Unsecure websites

(The blog post you linked to only mentions that it identifies “at risk” and “weak” passwords but doesn’t give specifics.)