Help - Changed Iterations and can not log back in?

Great to hear! Did you export the csv file or encrypted json? If json, did you do it via master password (linked to only your BW account and your current encryption key) or via setting a new personal password (not key or account dependent)? Would suggest to do this via csv (if you have a secure computer) or via the encrypted personal password so you can pick a new password for the export and it’s not dependent on your current account in any way. Slightly safer.

Unless you are in a great hurry, I might still suggest waiting until you get a response from Tech Support (perhaps @bw-admin can escalate your case?).

Export/import is not entirely lossless, so it would be better to fix the issue if one can be found on the back end. In addition, there is at least one other user who might benefit if the root cause of this issue can be found. If you do decide to pursue this with Tech Support, it would be a good idea to refer them to this thread.

What type of export did you create? You should choose a password-protected encrypted JSON for best results (not account-restricted JSON, and not CSV).

2 Likes

I haven’t heard back from Support yet and can wait for a response and would love to know what the heck happened especially seeing that my KeyHash is the same in the logs and I am / was using the Passphrase that I knew was the right one.

I did a CSV and a JSON but not protected one for the exports. This is better than nothing for sure. I feel a little better but NOT happy that this happened and would love to know what the heck did happen. I don’t like backing up my vault but I guess I will have to from now on.

Routinely backing up your vault is considered a best practice. There are various approaches to this, and some can be implemented with relatively little friction.

Good to hear you will give support a chance; I would be interested to hear if there is a resolution. Did you get an automated response when you submitted the contact form?

I did get an automated response from support but as mentioned no response since. I will update and refer to this post as well. If I don’t hear back by tomorrow I will probably move on. I would be interested in the way you mention backing up the vault. If you can point me to that I would appreciate it.

This should help you with backups:

1 Like

Thanks for your patience, one of the team is reviewing and will follow up.

1 Like

@BostonPete this is a very well-written clear guide that @RogerDodger posted. Once you have set it up, it’s trivial to update your backup routinely and you will feel much better.

The guide that was linked in other responses offers a few different options, but there are others that may be even simpler depending on how you use Bitwarden; in addition, the “Cleaning Up” section in the guide is simplistic, as it ignores the fact that traces of deleted files remain on your drive (and that these traces can be virtually impossible to remove if your drive is an SSD). If you decide that you will make backups using decrypted vault exports, there are additional precautions that must be taken (if you are concerned about the possibility of your passwords being viewable by examination of the unused space on your drive).

If you use the Desktop app with any regularity, or if you are willing to periodically launch the Desktop app, then there is an alternative backup technique that will give you an encrypted vault backup that retains more data than do any of the export methods. Let me know if you want more information about this.

@grb Can you please point me in this direction? I have seen this described in a disaster recovery scenario but am curious about your approach. I think it was a simple copy or an encrypted vault folder buried under an /apps folder.

When using one of the Desktop apps, the entire encrypted vault (except for attachments) is stored in a file named data.json in a location that depends on your installation, as long as you are logged in. Because the contents of this file are expunged if you ever log out (which can happen unexpectedly, if your session expires, if you change your master password or KDF iterations, if Bitwarden resets their servers, etc.), creating a persistent vault backup requires you to periodically create copies of the data.json file (storing the copy in any location other than the folder in which the original file resides). Then, if you are ever logged out of Bitwarden and cannot log back in to retrieve your vault data, simply restore the backed up copy of the data.json file to its original location. However, in order to prevent Bitwarden from immediately logging you out (thereby erasing your restored vault), you have to disconnect from the internet before you attempt to access your restored local vault. Even if your login session is still valid, you should still disconnect the internet before attempting to access the restored local vault, or else the restored backup will just be overwritten by the cloud vault data as soon as the app syncs. More about this at the end of my response (below).

If you regularly use the Desktop app, then the data.json file should be automatically synced during normal usage. In this scenario, the easiest way to keep backup copies of your vault is to use backup or imaging software (e.g., Macrium Reflect for Windows, or Time Machine for macOS) to back up your computer on a regular schedule (e.g., nightly), which should capture the data.json file in its most recent state. It is good practice to back up your computer regularly, regardless.

If you don’t regularly use the Desktop app, then you should periodically launch the app, unlock the vault, and force a sync, before creating your backup copy. In this case, you could just manually copy the data.json file after the sync, and store it in a location of your choice. Personally, I use the portable Desktop app (installed on a USB thumb drive) for this purpose. Using a client app installation that is dedicated to creating these backups (i.e., an app installation that you don’t normally use) has the advantage that you can set up a special backup password (by enabling PIN unlock, and setting the PIN to be the password you want to use for your backups).

Based on the requirement to disconnect from the internet before accessing the restored data.json file, you may question the utility of this approach. However, note that while you have the restored local vault unlocked (and the internet disconnected), you are able to create any form of export (CSV, JSON, unencrypted, or encrypted) of the data, which will allow you to import into a new vault (if your original vault was deleted). The advantages of the above method over directly backing up by creating exports are:

  1. It is possible to create automatically scheduled backups that do not require any user intervention.
  2. If you are using account switching, then a single backup operation will capture vault data for all accounts that are logged in on the Desktop app.
  3. You don’t have to commit to a specific export format in advance.
  4. You will still have access to old password histories and metadata (e.g., timestamps for creation and modification of items), which are lost when doing vault exports (however, as with regular exports, attachments will not be captured using the method proposed here).

The method described above can be adapted to other clients (e.g., the browser extensions or the CLI). Using the CLI offers certain additional advantages.

Feel free to ask if you have any questions about this approach!

2 Likes
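An added example (not from the original post and not Bitwarden's own code): one way to automate the periodic copy of data.json described above, refusing to record a cache that looks expunged so a logout never replaces good backups. The source path, the `MIN_BYTES` threshold and the `data-<timestamp>.json` naming are assumptions.

```python
import hashlib, json, os, tempfile, time
from pathlib import Path

MIN_BYTES = 64  # assumption: a logged-out (expunged) cache is empty or tiny

def backup_cache(src, dest_dir, keep=14, now=None):
    """Copy src into dest_dir as data-<UTC timestamp>.json.
    Returns the new backup path, or None when nothing was written."""
    src, dest_dir = Path(src), Path(dest_dir)
    if dest_dir.resolve() == src.parent.resolve():
        # The post's requirement: keep copies outside the original folder.
        raise ValueError("store backups outside the folder holding data.json")
    raw = src.read_bytes()
    try:
        json.loads(raw)            # reject a half-written or corrupt file
    except ValueError:
        return None
    if len(raw) < MIN_BYTES:       # looks like a logged-out cache: skip it
        return None
    dest_dir.mkdir(parents=True, exist_ok=True)
    existing = sorted(dest_dir.glob("data-*.json"))   # names sort by time
    digest = hashlib.sha256(raw).hexdigest()
    if existing:
        latest = hashlib.sha256(existing[-1].read_bytes()).hexdigest()
        if latest == digest:       # vault unchanged since the last copy
            return None
    stamp = time.strftime("%Y%m%dT%H%M%SZ", time.gmtime(now))
    target = dest_dir / f"data-{stamp}.json"
    # Owner-only permissions on POSIX; O_EXCL never overwrites a backup.
    fd = os.open(target, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(raw)
    for old in (existing + [target])[:-keep]:   # prune beyond the newest `keep`
        old.unlink()
    return target

if __name__ == "__main__":
    # Constructed stand-in file, not a real vault cache.
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp, "app", "data.json")
        src.parent.mkdir()
        src.write_text(json.dumps({"constructed": "x" * 100}))
        print(backup_cache(src, Path(tmp, "backups")))
```

Run it on a schedule while the client is logged in; the copy is only as strong as the master password or PIN that protects the key stored in the file.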

Awesome post! Thank you!

Quick question: does this method lock the vault you copy to your specific Bitwarden account and encryption key, like the master password based encrypted json vault export on the website? I like the flexibility of the personal password encrypted export as it decouples the vault from your account and your current encryption key.

Yes and no. The problem with the legacy (“account-restricted”) encrypted JSON is that the account encryption key is not part of the exported data; therefore, the only way to decrypt the JSON is to import it back into the original account, which has the encryption key (provided that you did not rotate the key in the meantime). In contrast, your encrypted vault cache (the data.json file) does contain a copy of the account encryption key (in the form of a protected key — i.e., the account encryption key is itself encrypted, using the stretched master key, which is a hashed and stretched version of your master password or a PIN, if you have set up a PIN for unlocking your vault).

Therefore, although unlocking the data.json technically relies on your account encryption key, it does not require the existence or accessibility of the original account, because it contains a copy of the key. This is exactly the way that the password-protected JSON export works, as well (it stores a copy of the account encryption key, protected by the specified password). And just like the password-protected JSON export, you could set any password that you want for unlocking the data.json file, by enabling PIN unlock (and since every client has an independent PIN, you could have a dedicated PIN password for your data.json backups different from the PIN you may use for routine use of Bitwarden, if you use a separate installation — such as the Portable Desktop app — that is dedicated to creating backups).

1 Like

I’ve been tagged a few times now. I don’t have anything helpful to add – I just desperately hope this is just a bug. I feel like I’m being gaslighted… I know my master password… I just can’t imagine a world in which I’ve somehow forgotten it. The fact that this is the third report of something similar I’ve seen makes me think I’m not crazy. Eagerly awaiting Bitwarden’s response to this. I got nowhere with support, personally.

I was out all day yesterday but I did hear back from support and all they asked for was to try and capture some info when trying to log in to the vault via a browser and that was about it.

That said reading through the threads I am curious about backups and disaster recovery. I am using an app that makes a backup of my home PC every single day that I can pull single files from or do a full restore if needed.

Is the JSON file used / on your system if you have and use a browser extension or only if you use the desktop app? I only have the Desktop app on my home PC and rarely use it so I would assume the vault / JSON file doesn’t get updated unless you use the desktop app?

Let’s say I do have the data.json file how can you use it to recover my vault? So maybe I do have backups without even knowing I do?

It was mentioned using something to backup your system regularly as a backup but the recovery is the part I am a little confused about.

Were you asking me how I was able to export my vault after getting locked out of the cloud? Of course I wasn’t thinking and it seems like I should have backed up using the secure JSON file as well since it seems to have more info than just the regular JSON and of course the CSV file. I was just thrilled that I was able to get anything at all.

Sounds like the first steps of a trouble-shooting process, so I’m not surprised — hope you humored them and provided the requested information, so that they can progress further. Send them a link to this thread as well, if you haven’t already. I would also suggest sending a DM to @bw-admin with your support ticket number, so that he has the ability to monitor progress on this issue.

The data.json file is only updated when you actually log in to the Desktop app (or when the vault syncs while you are using the app). If your computer was ever backed up while the Desktop app was logged in, you may be able to recover data from the data.json file. If you logged out of the Desktop app (either manually or by a vault timeout setting) before backups were made, then the data.json file will not contain usable data. If the app was locked and/or shut down during the backup, that’s fine, as long as it was logged in.

To retrieve your data from the data.json file, restore it to its original location, then disconnect your computer from the internet before launching the app. You should be asked to unlock your vault, and then you will have access to the backed up data. At this point you can use the export feature if you wish, or manually copy/paste important information.

Ok so this is only for the Desktop App? The Browser Plugins don’t work the same? I was able to get my data from the Browser Plugin by doing the same disconnecting. Since I use the browser plug-in I almost never use the desktop version so I assume it didn’t have a recent version of my vault. My Backups are made once a day using Synology’s ABB which I highly recommend to everyone…

Yes I did respond to their request and haven’t heard back, I did mention this thread in the ticket as you can update by replying to e-mail before I even got the first response.

From what it looks like to me somehow my Master Password got messed up. I didn’t change it and I 100% know what it is… The interesting thing is that the Key Hash on my work PC and my Home are the same, I was able to use my Master Password on my Home PC with it disconnected from the Network but when I use the method you provided to try and create the hash it doesn’t match up using the known good password so I have no clue what is going on or what they can do. It does seem like I am not the only one but the tests they had me try were to see if my system is overloaded from the iterations but I don’t even think I am getting that far as it seems like the Master Password is just not being accepted.

This is after saving the HTML file and editing it to change the “1” to a “2” on Line 481? And checking that the KDF Iterations matches the kdfIterations value from the .log file?

 

The documentation is unclear, but I have never been able to find a data.json file for the browser extension. I know that some (or all?) of the vault data is stored in the .log files, but I don’t know if this is literally a log, or whether this is also the data that the browser extension reads back in when unlocking the vault.

Probably what I would try if I were you would be to restore all the contents of the extension data folder (e.g., on Chrome: %LocalAppData%\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb), then disconnect the internet and see if you are able to unlock your browser extension.

However, I thought you were already able to export from the browser extension on your “main PC”. What additional information are you hoping to recover from the Synology backups? Even if you are able to retrieve a backup of your local vault cache, there is no mechanism for pushing that vault back into the cloud — you can only use it for purposes of exporting or otherwise retrieving vault data (to then reconstitute into a new vault).

Curiosity is killing my cat, do you have bitwarden installed via synology docker? If so that is a third party project called Vaultwarden and could possibly explain the reason why you’re having issues. Possibly an out of date server version which isn’t compatible with the recent bitwarden clients.

If the above theory is on point you need to seek support from the third party developer and not here.