Help understanding password encrypted json CLI export


I’m having some difficulties with the CLI password encrypted json format. From my understanding, by using a password instead of the account encryption key I could import this encrypted json in a new Bitwarden account?
Either I’m doing it wrong, or I’ve understood it wrong because when trying to import in a new account I receive an error “Data is not formatted correctly. Please check your import file and try again.”

The Help guide is also a little bit confusing:

a) the example from Import & Export - Encrypted Exports - CLI section does it the following way:

bw export --output /users/me/documents/ --format json --password [email protected]

b) but the Getting Started - Bitwarden CLI - export shows a slightly different way:

bw export [--output <filePath>] [--format <format>] [--password <password>] [--organizationid <orgid>]

  --format encrypted_json to export an encrypted .json file
  • --password <password> to specify a password to use to encrypt encrypted_json exports instead of your account encryption key

Using method a) the json export is in plaintext, while using method b) I’m receiving the “data not formatted correctly” error. The command I used for b) is:

bw export --output /users/me/documents/ --format encrypted_json --password [email protected]

What am I doing wrong? Did I make a wrong assumption based on the sentences below and I can’t actually import the password encrypted json to a new account?

Vault data can be exported in an encrypted JSON file. In most Bitwarden apps, these exports are encrypted using your account's encryption key, which are generated on account creation and unique to each Bitwarden user account. The CLI has a unique option to encrypt the file with a specified password.

There is no import option specifically for encrypted exports. A handler will determine that the .json file is encrypted and attempt to decrypt the file using your account's encryption key.

Hi @firn - can you try it like this and let us know if it works for you:

bw export --output /users/me/documents/myexport.json --format encrypted_json --password [email protected]

I think you specified the filepath but not the filename.

Same error is received when importing to new account “Data is not formatted correctly. Please check your import file and try again.”

By not explicitly specifying the filename, the exported json filename defaults to: “bitwarden_encrypted_export_YYYYMMDDHHMMSS”

Strange. I received an error if I omitted the filename, and using the method I showed above, I had no problem importing the file.

I assume that when importing with the CLI you used the bitwardenjson option?

I’m trying to import the encrypted json directly from the webvault of the new account, I haven’t used the CLI as I was still connected to my own account.
Maybe it’s worth mentioning that I used the apikey login method, but that shouldn’t make a difference, should it?

Ah, I see. I don’t think you can import a password-encrypted export from the CLI using the web vault or BW apps. My understanding is that you can only import it again using the CLI.

If you export a standard json-encrypted file, you can import that with any BW app/client. But, the catch is that you MUST import it back to the same account that it was exported from because it is encrypted with that accounts encryption key. If you try to import it to another account, it won’t open, just in case anyone else finds this thread and wasn’t sure.

I was aware of that limitation, that’s why I wanted to test out the password encrypted json. I’ll give it another shot and try to import it directly from the CLI and see how it goes.
Appreciate your quick replies!

L.E. Okay, that did the trick! Importing from the CLI worked! I was asked for the password I’ve set and all went well! Indeed I used the bitwardenjson arugument
“bw import bitwardenjson /users/me/documents/myexport.json”

Many thanks for your help, really appreciate it!

1 Like