Exporting encrypted vault

I assume the .json is already encrypted when exported? Where is this my bitwarden encryption key, and what is rotating?

The account encryption key is a completely random 256-bit value (a 78-digit number, if converted to decimal), which is generated behind the scenes when you first create your Bitwarden account. This key is used for encrypting and decrypting all contents of your vault (the vault data are encrypted while stored on the cloud servers or cached on your local device); you can think of it as a 78-digit numerical code to a combination lock that is securing your vault contents. The same encryption key is used for encrypting the vault exports that are created when you select the “.json (Encrypted)” file format in the Desktop app, mobile app, or browser extension (i.e., you can think of those exports as also being secured by a combination lock that can only be opened/decrypted if the 78-digit numerical combination is known).

If you ever change the master password for your account, you have the option to also create a completely new account encryption key by generating a new random 78-digit number (basically, changing the code to the combination lock that is securing your vault contents) — this is called “rotating” the encryption key. If you don’t rotate the account encryption key when changing your master password, then the original key (combination lock code) will still open/decrypt the encrypted vault data that exists in the cloud, in your local vault cache, and in any vault exports created using the “.json (Encrypted)” format. However, if you do rotate the key, then the new key (i.e., the new combination code) will work on the cloud data and on any locally stored data (cache files or export files) that are downloaded in the future, but the new key will not work on old export files that are still using the old combination.

Here is the kicker: The combination code (account encryption key) is not stored anywhere. But an encrypted form of the account key is stored alongside your encrypted vault data (in the cloud database, and in the local vault cache); the key that allows you to decipher the encrypted account key is derived from your master password. It’s as if the 78-digit combination code to your vault lock is stored in a small safe or lockbox, and your master password is the key that opens this safe/lockbox, allowing you to view the account encryption key.

TL;DR: Do not export your vault data in encrypted format unless you can do it from the Web app, where you have the option to specify that the Export Type should be Password-Protected (which does not rely on the account encryption key). Doing it any other way puts you at high risk of losing the ability to decrypt or import the exported data, because data encrypted using the account encryption key becomes unusable when the account encryption key changes or becomes inaccessible.

1) Yes. 2) The encrypted encryption key is part of your vault. 3) In the web vault, you can rotate this encryption key, and when you do, this type of backup that you are looking at will be useless for restoring your account. So, it’s usually better not to do it.

Another encrypted backup type that you can do from the web vault that grb mentioned may be better. During the backup, you provide another password to encrypt this backup. You can use this for account restoration despite key rotation. @grb mentioned in another post that you can keep 2 entries in your vault: one for the BW master password, and another for this backup password, and then you can do an encrypted backup by autofilling all the passwords, without having to type or cut-and-paste them, which may make your backup process more secure. You need to write down the two passwords and keep them safe outside of your Bitwarden vault, of course.
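The following is an added, constructed model of the key hierarchy both replies describe (random account key wrapped by a master-password-derived key; “.json (Encrypted)” exports tied to the account key; Password-Protected exports tied to a separate password). It is not Bitwarden’s code and does not reproduce Bitwarden’s file format or primitives: the cipher is a stand-in built from an HMAC-SHA256 keystream with an encrypt-then-MAC tag so the script runs on the Python standard library alone, and the JSON field names, the PBKDF2 iteration count, and the sample vault item are all made up for the demo. It shows why an account-key export stops importing after a key rotation while a password-protected export still does.

```python
"""Constructed model of the thread's key hierarchy (added example, not Bitwarden's code).
Cipher, file layout, KDF iterations and sample data are stand-ins chosen for the demo."""
import hashlib
import hmac
import json
import secrets

KDF_ITERATIONS = 100_000  # constructed value for speed, not Bitwarden's setting


def _kdf(password: str, salt: bytes) -> bytes:
    # Password -> 256-bit key; used for the master key and for export passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ITERATIONS, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks, counter = [], 0
    while 32 * len(blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    # Layout: 16-byte nonce || ciphertext || 32-byte HMAC tag, with separate enc/mac subkeys.
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def decrypt(key: bytes, blob: bytes) -> bytes:
    # A wrong key fails the tag check; that failure is what "cannot import the export" looks like.
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed: wrong key")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def create_account(email: str, master_password: str, items: dict) -> dict:
    # The random 256-bit account key is generated once; only its wrapped form ("lockbox") is stored.
    account_key = secrets.token_bytes(32)
    master_key = _kdf(master_password, email.lower().encode())  # the key that opens the lockbox
    return {"email": email,
            "enc_account_key": encrypt(master_key, account_key),
            "vault": {name: encrypt(account_key, v.encode()) for name, v in items.items()}}


def unlock(account: dict, master_password: str) -> bytes:
    # master password -> master key -> account key (raises ValueError on a wrong password)
    return decrypt(_kdf(master_password, account["email"].lower().encode()), account["enc_account_key"])


def read_vault(account: dict, master_password: str) -> dict:
    key = unlock(account, master_password)
    return {name: decrypt(key, blob).decode() for name, blob in account["vault"].items()}


def rotate_key(account: dict, master_password: str, new_master_password: str) -> dict:
    # Rotation: decrypt with the old account key, generate a fresh key, re-encrypt everything.
    return create_account(account["email"], new_master_password, read_vault(account, master_password))


def export_account_key(account: dict, master_password: str) -> str:
    # The ".json (Encrypted)" path: the export is wrapped with the account key itself.
    payload = json.dumps(read_vault(account, master_password)).encode()
    return json.dumps({"type": "account-key", "data": encrypt(unlock(account, master_password), payload).hex()})


def export_password_protected(account: dict, master_password: str, export_password: str) -> str:
    # The Web-app "Password-Protected" path: key derived from a separate password plus a random salt.
    salt = secrets.token_bytes(16)
    payload = json.dumps(read_vault(account, master_password)).encode()
    return json.dumps({"type": "password", "salt": salt.hex(),
                       "data": encrypt(_kdf(export_password, salt), payload).hex()})


def import_export(account: dict, master_password: str, export: str, export_password: str = "") -> dict:
    # Import into the account as it is *now*: an account-key export needs the *current* account key.
    doc = json.loads(export)
    if doc["type"] == "account-key":
        key = unlock(account, master_password)
    else:
        key = _kdf(export_password, bytes.fromhex(doc["salt"]))
    return json.loads(decrypt(key, bytes.fromhex(doc["data"])).decode())


def demo() -> dict:
    items = {"example.com": "correct horse battery staple"}  # constructed sample item
    acct = create_account("user@example.com", "old-master-pw", items)
    enc_export = export_account_key(acct, "old-master-pw")
    pw_export = export_password_protected(acct, "old-master-pw", "backup-pw")
    before = import_export(acct, "old-master-pw", enc_export) == items
    rotated = rotate_key(acct, "old-master-pw", "new-master-pw")
    try:
        import_export(rotated, "new-master-pw", enc_export)
        account_export_ok = True
    except ValueError:
        account_export_ok = False
    pw_ok = import_export(rotated, "new-master-pw", pw_export, "backup-pw") == items
    return {"before_rotation": before, "account_export_after_rotation": account_export_ok,
            "password_export_after_rotation": pw_ok}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the account-key export importing cleanly before rotation, failing the tag check after rotation, and the password-protected export importing either way. The same structure explains the first reply’s “kicker”: the plaintext account key appears only transiently inside `unlock`, never in the stored record, so losing the master password (or rotating the key) leaves an account-key export with nothing that can open it.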