Help - Changed Iterations and can not log back in?

When using one of the Desktop apps, the entire encrypted vault (except for attachments) is stored in a file named data.json in a location that depends on your installation, as long as you are logged in. Because the contents of this file are expunged if you ever log out (which can happen unexpectedly, if your session expires, if you change your master password or KDF iterations, if Bitwarden resets their servers, etc.), creating a persistent vault backup requires you to periodically create copies of the data.json file (storing the copy in any location other than the folder in which the original file resides). Then, if you are ever logged out of Bitwarden and cannot log back in to retrieve your vault data, simply restore the backed-up copy of the data.json file to its original location. However, in order to prevent Bitwarden from immediately logging you out (thereby erasing your restored vault), you have to disconnect from the internet before you attempt to access your restored local vault. Even if your login session is still valid, you should still disconnect the internet before attempting to access the restored local vault, or else the restored backup will just be overwritten by the cloud vault data as soon as the app syncs. More about this at the end of my response (below).

If you regularly use the Desktop app, then the data.json file should be automatically synced during normal usage. In this scenario, the easiest way to keep backup copies of your vault is to use backup or imaging software (e.g., Macrium Reflect for Windows, or Time Machine for macOS) to back up your computer on a regular schedule (e.g., nightly), which should capture the data.json file in its most recent state. It is good practice to back up your computer regularly, regardless.

If you don’t regularly use the Desktop app, then you should periodically launch the app, unlock the vault, and force a sync, before creating your backup copy. In this case, you could just manually copy the data.json file after the sync, and store it in a location of your choice. Personally, I use the portable Desktop app (installed on a USB thumb drive) for this purpose. Using a client app installation that is dedicated to creating these backups (i.e., an app installation that you don’t normally use) has the advantage that you can set up a special backup password (by enabling PIN unlock, and setting the PIN to be the password you want to use for your backups).

Based on the requirement to disconnect from the internet before accessing the restored data.json file, you may question the utility of this approach. However, note that while you have the restored local vault unlocked (and the internet disconnected), you are able to create any form of export (CSV, JSON, unencrypted, or encrypted) of the data, which will allow you to import into a new vault (if your original vault was deleted). The advantages of the above method over directly backing up by creating exports are:

  1. It is possible to create automatically scheduled backups that do not require any user intervention.
  2. If you’re using account switching, then a single backup operation will capture vault data for all accounts that are logged in on the Desktop app.
  3. You don’t have to commit to a specific export format in advance.
  4. You will still have access to old password histories and metadata (e.g., timestamps for creation and modification of items), which are lost when doing vault exports (however, as with regular exports, attachments will not be captured using the method proposed here).

The method described above can be adapted to other clients (e.g., the browser extensions or the CLI). Using the CLI offers certain additional advantages.

Feel free to ask if you have any questions about this approach!

2 Likes
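
The periodic copy described in the post above can be scripted so that a logged-out (expunged) data.json never displaces a good backup. This is an added example, not part of the original post or of Bitwarden's code; the function name, the `keep` and `min_ratio` defaults, and the "file shrank sharply" test for a logout are assumptions, and the path to data.json is supplied by the caller because it depends on the installation.

```python
import json
import os
import time
from pathlib import Path


def backup_vault(src, dest_dir, keep=14, min_ratio=0.5):
    """Snapshot data.json into dest_dir. Returns the new Path, or None if skipped.

    src is wherever your installation keeps data.json (not assumed here).
    keep and min_ratio are illustrative defaults, not Bitwarden settings.
    """
    src, dest_dir = Path(src), Path(dest_dir)
    if dest_dir.resolve() == src.parent.resolve():
        raise ValueError("store backups outside the folder that holds data.json")

    raw = src.read_bytes()
    try:
        json.loads(raw)  # skip a file caught mid-write or otherwise truncated
    except ValueError:
        return None

    dest_dir.mkdir(parents=True, exist_ok=True)
    snapshots = sorted(dest_dir.glob("data-*.json"))
    if snapshots:
        last = snapshots[-1].read_bytes()
        if raw == last:
            return None  # nothing changed since the previous snapshot
        if len(raw) < min_ratio * len(last):
            # Assumed sign of a logout: the app has expunged the vault, so the
            # file shrank sharply. Leave the existing snapshots untouched.
            return None

    # Nanosecond timestamp, zero-padded so names sort chronologically.
    target = dest_dir / f"data-{time.time_ns():020d}.json"
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_BINARY", 0)
    fd = os.open(target, flags, 0o600)  # owner-only on POSIX systems
    with os.fdopen(fd, "wb") as out:
        out.write(raw)

    for old in snapshots[: max(0, len(snapshots) + 1 - keep)]:
        old.unlink()  # rotate: keep only the newest `keep` snapshots
    return target
```

Run it from a scheduled task after the Desktop app has synced; a `None` return means the snapshot was skipped and the earlier copies are still in place.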