It would really be great to be able to export the .zip format with a password and/or account key, just like the option to have json encrypted exports without attachments.
Generally these exports are meant to serve as a backup, and it’s better to have them already encrypted when we are downloading from Bitwarden.
Am I correct that this is about “zip” option for attachments being unencrypted? (came from this thread’s suggestion)
If so, I’d love to hear how others are working around this in the meantime… I’m a bit wary of using smaller custom projects like portwarden (though I appreciate their efforts!). I’d prefer obviously a Bitwarden-maintained solution, or else just a generic solution. eg: maybe something I can run over the unencrypted .zip output from bitwarden/bw-cli, and be reasonably sure the next machine–on which future me tries to unencrypt said zip–will likely be able to get a compatible decryption command.
the best I’ve come up with is to hope openssl is important enough to not have any backwards incompatibility issues:
$ openssl \
enc -aes-256-cbc -md sha512 -pbkdf2 -iter 1000000 -salt \
[-d] # ... my-bitwarden-attachements.zip.enc; see below
files in this folder
File ./my-bitwarden-attachements.zip.enc
can be opened with:$ openssl \ enc -aes-256-cbc -md sha512 -pbkdf2 -iter 1000000 -salt \ -d \ -in my-bitwarden-attachements.zip.enc > my-bitwarden-attachements.zipThen the decrypted zip can be opened as normal; eg:
$ unzip my-bitwarden-attachements.zipgenerated by
The file ./my-bitwarden-attachements.zip.enc was originally generated by:
bw export --format zip --output my-bitwarden-attachements.zip --session REDACTED_SESSION_IDper Password Manager CLI | Bitwardeninflate zip, ensure it looks good, discard inflated copy
encrypt zip:
$ openssl \ enc -aes-256-cbc -md sha512 -pbkdf2 -iter 1000000 -salt \ -in my-bitwarden-attachements.zip > my-bitwarden-attachements.zip.encreproducibility
made in this environment:
$ cat /etc/lsb-release # ... $ openssl --version # ... $ bw --version # ...
anyway, would love to hear feedback here and/or alternatives, as I’m sure others here have tried to answer the same question for themselves.
If not, then is there and/or should there be a separate FR thread for that?
By “this” you mean this feature request? – Then I would think, that this feature request was mainly about being able to also export attachments. That it ended up as unencrypted ZIP files for now is just how it… ended up for now.
There at least were some plans to also support encrypted ZIP exports, but that PR ([PM-11721] [BEEEP] Add initial password-protected zip export support by quexten · Pull Request #10926 · bitwarden/clients · GitHub) was closed (for now?!).
The encryption issue was mentioned here, here, here, and here, but this feature request thread is primarily about the option to export attachments at all (an option that was not available until 9 months ago).
What I do is to place a copy each file into an encrypted VeraCrypt container — I do this at the same time that I upload said file to my Bitwarden vault. I also include metadata indicating which vault item the file is attached to (i.e., the corresponding vault item’s UUID) in the VeraCrypt container.
This was a habit that I developed before the ZIP export feature was released. You could use a similar approach with the ZIP export, though (although if you are concerned about leaving traces of the unencrypted data on your hard drive, then you need to take special precautions if you are on a Windows system).
What about organization attachment exports, especially for families?
Closing this request as export all attachments is now available. For other derivatives of this feature, please create a new feature request.