Although Bitwarden provides an official guide on how to backup your vault, it is a topic that frequently arises here on the community forums, and I thought a user’s perspective might be helpful to some.
If you are reading this guide, then I suspect you will agree that password managers are fantastic for simplifying how we remember passwords – just save them all in one place (e.g., Bitwarden), and then memorize only one strong, unique password to protect them all. Of course, the drawback with this “all the eggs in one basket” approach is that if something goes wrong, like you forget your master password or your vault accidentally gets purged, you lose all your passwords and secrets. So, backing up your vault to protect against disaster is an essential practice that is recommended for all Bitwarden users.
Here is my checklist of essential items in a backup strategy to ensure that you maintain access to your Bitwarden vault into the future:
- Create a copy of your master password and store in a safe location
- Setup a backup method/device for two-step login/2FA
- Perform routine exports of your vault contents
- Perform routine backups of your file attachments
Each one of these items above is discussed below, including best practice for backups.
There is always a chance you might forget your master password (it comes up in the community forums all the time!). So, securely storing a copy of your master password as a backup could be one of the most important things you do to ensure access to your vault in the future. This is especially true of Bitwarden, which is a zero-knowledge solution, meaning that Bitwarden staff and servers have absolutely no access to your password. Thus, Bitwarden cannot possibly recover or reset your master password for you under any circumstances.
How you save and store a copy of your master password depends on how averse you are to risk. Here are some options, in no particular order – just be sure you adopt at least one:
- Write or print a copy of your master password and store it in a secure location (e.g., a safe) or hide it somewhere that only you will locate (tip: use your password hint in Bitwarden to provide a good clue as to where you hid it).
- You could also hide a digital copy of your master password in a file on a secure file system, like on an encrypted hard drive on your PC, or a zero-knowledge encryption cloud storage service like Sync.com.
- Encrypted drive volumes, like a VeraCrypt volume or an Apple encrypted disk image (.dmg) file on a Mac are safe as well, but then you must remember the password to access those secure files, which is another potential point of failure, especially if you have already forgotten your Bitwarden password.
- Store a digital copy of your password in a secure location: this could be on a flash drive that you store in your physical safe and/or on a self-encrypting flash drive, such as a Lexar JumpDrive Fingerprint USB Flash Drive. Generally speaking, this is probably the most secure backup method.
With any of the above options, it is strongly recommended that you practice recovering your password from your secret location or secure device to make sure it works before you need it.
If storing a copy of your master password doesn’t appeal to you and you are a premium subscriber, an alternative approach is to designate someone you trust (that could even be yourself!) as an emergency access contact. That way, if you ever become locked out of your vault, you can have your emergency access contact initiate a Bitwarden account takeover and reset your password for you. See more details on the Bitwarden help pages here.
Aside from creating a strong, unique master password for your account, the best thing you can do to secure your vault is employ a two-step login method (aka, 2 Factor Authentication [2FA]), which Bitwarden provides to both free and premium members. But remember, if your primary 2FA method fails (e.g., your phone with the authenticator app dies or gets stolen), and you have no backup 2FA method, you will be locked out of your Bitwarden account.
All Bitwarden users can generate two-step login recovery codes when they setup their two-step login method. These codes can be entered instead of other 2FA methods at login, if necessary, but they should be treated like a one-time-use item. Use the guidance for backing up your master password (above) when saving or storing your 2FA recovery codes (e.g., print out and store in a physical safe or on an encrypted flash drive). This is the minimum backup method for your two-step login.
Tip: For anyone with concerns about end-of-life and providing access to your vault for loved ones, consider adding your Bitwarden master password and two-step login recovery codes into your will. This legal document is strictly protected, and it could become a condition of your will that your password and recovery codes be passed to a particular family member or friend when the will is executed by your lawyer.
You could also setup multiple two-step login methods (e.g., authenticator app and email-based 2FA codes), which satisfies the requirement to have a backup 2FA method. However, this isn’t a great approach if the strength of your backup authentication process is weaker than your primary two-step login method.
A very secure way to create an additional two-step login method is to setup a separate (i.e., backup) physical security device that you use for your Bitwarden 2FA logins. For example, if you use a Yubikey security device for 2FA, setup a second device as well and store it in a secure location (e.g., a physical safe or a good hiding spot) or ask a trustworthy friend or family member to store it for you. This might be the most secure strategy because you always have a highly secure fall-back method to get into your vault if your primary method no longer works. Something like a Yubikey Bio, which can only be activated after scanning your fingerprint, would be a great option here.
The third and most obvious component of your vault backup strategy is to routinely export a copy of the contents of your vault (i.e., your logins and passwords, credit card information, secure notes, etc.) to a safe location. This component is essential in case you ever encounter a situation where it is not possible to access your Bitwarden vault, such as accidental or deliberate deletion of your vault (e.g., in an emergency where you believe your vault may have been compromised by an attacker). Just remember to perform exports routinely so that your backups capture the most recent changes to your vault.
Bitwarden makes it easy to export your vault using either the Bitwarden web vault, desktop app, or browser extension. But there are some limitations to what you can export.
The Bitwarden export tool will backup all your current login items, cards, identity items, and secure notes from your personal vault and organizational vault(s), if applicable, including the folder structures and collections associated with them. So essentially, all the text-based information and vault structure you have stored in Bitwarden gets saved.
Here are the things that Bitwarden currently cannot backup when you create an export file:
- items in the Vault Trash
- file attachments
- password generator history
- password history of individual items in your vault
I mention these items specifically so that you are able to consider in advance how the loss of these items might impact you, if you ever had to restore your entire vault from a backup file.
Bitwarden provides three* options for exporting a text file containing your vault information, each with distinct advantages and disadvantages:
Unencrypted export – plain text representation of your vault contents stored as a CSV or JSON-formatted text file.
- The simplest and most straight-forward file format, which can be viewed in any text editor or word process.
- Obviously, an unencrypted export file of all your vault contents is something you need to fiercely protect. Thus, if you create unencrypted export files for your backup strategy, be sure to save them directly to an encrypted volume or drive that is secure. VeraCrypt volumes, Mac encrypted disk image volumes, or encrypted removable drives/flash drives are all good options. Avoid saving these files to an unencrypted drive and then copying them to a secure location, because a very determined attacker might be able to retrieve deleted files from your computer, depending on the file system it uses.
- Note that JSON files contain more vault information than CSV files, so for backup purposes you should always chose a JSON file.
Bitwarden-encrypted export – a JSON file in which the contents have been encrypted using the same key that is used to encrypt your Bitwarden vault.
- These files are generally safe to store on your personal devices without worrying about additional encryption, assuming you are using a strong, unique master password.
- The critical limitation of these Bitwarden-encrypted files is that they share the same encryption key as your Bitwarden account – this becomes problematic if you are every locked-out of your account and your only option is to start over from scratch. But if you can’t access your account, you can’t decrypt these export files, making them a poor backup solution. Note that unencrypted files obviously do not suffer from this limitation!
- If you ever rotate your encryption key, your Bitwarden-encrypted export files will be inaccessible.
- An advantage of Bitwarden-encrypted files is that they are convenient to generate and store, so if you ever had to purge your vault and restore the contents back again (e.g., if you accidentally duplicated all 600 items in your vault!) then you could deliberately wipe the vault and quickly restore your contents from your Bitwarden-encrypted JSON backup file.
Password-encrypted export (Bitwarden CLI only) – although this might be the least convenient export format, it is also the most powerful. Using the web vault interface or the Bitwarden Command Line Interface (CLI) in a terminal window, you can manually export your files using a strong encryption system in which you choose the password.
- Because this encryption system does not depend on your Bitwarden account and current encryption key, but just a password of your choice, this export method may be the best format for backing up your vault contents.
- Password-encrypted export files have all the advantages of the Bitwarden-encrypted exports, plus they can be restored (imported) to any Bitwarden account, as long as you remember the password. (Tip: I use my Bitwarden master password to encrypt my CLI export files because that password already unlocks the same info in my vault, so I don’t consider it to pose a significant risk).
- A significant advantage of using the Bitwarden CLI to generate your export files is that one can automate or semi-automate the backup process by creating scripts that run all the CLI export commands for you. For more information and an example, see the final section below entitled Automating Your Exports.
File attachments are a premium feature of Bitwarden that allows you to upload photos, images, sensitive documents, certificate files, etc. into your vault for safe storage. However, none of the Bitwarden export methods mentioned above are able to backup your file attachments. So, another method must be used.
The most straightforward but time-consuming process to backup all your file attachments is (1) to locate all the vault items with attachments using the search window in Bitwarden, and then (2) download each file to a secure location, such as an encrypted drive or volume.
To easily locate all the items in your vault that have file attachments associated with them, you can use the full-text search expression below (make sure you don’t omit the leading > symbol):
Note that full-text searches can be only used in the Bitwarden web vault, desktop app, and browser extension clients.
bw login bw list items | jq -r '. | select(.attachments != null) '
which generates a list of items with file attachments. You can the follow up with a command like this to download each file attachment you want:
bw get attachment <filename> --itemid <itemID> --output <path>
But this can get quite time consuming accessing each file one at a time in the CLI, so automating this process becomes almost a necessity, which is the topic of the last section in this guide below.
If you look back to the vault backup strategy that I recommended at the beginning of this guide, the first two components were to you save copies of your master password and your two-step login method. Since these are essentially one-time activities, there is no need for automation for these steps.
However, routine exports of your vault contents and file attachments are something you will do repeatedly, so automating this process using the Bitwarden CLI is a huge time saver. My strategy is to run weekly exports of my personal and organizational vaults as well as a full backup of all my file attachments. To streamline the process, I use a Bash-shell script that I wrote for use in the MacOS terminal. The script simply prompts me to provide my Bitwarden password, then it automatically logs me in to the CLI, saves a session key in main memory, then automatically performs a password-encrypted export of the vaults, and finally it saves all my file attachments to a secure location. It takes me about 10 seconds of interaction to execute it and enter my master password, and then everything else is automatic, so it is easy and convenient enough to do daily, if one wanted to.
If anyone is curious to see the script I created, I have posted it to Github here (feel free to add comments or suggestions about the script on Github):
Similar approaches could be used to run regularly scheduled tasks, such as cron jobs on Linux or MacOS, or using the Task Scheduler on Windows to execute your backup script. The script I linked above could be modified with a bit of effort to run automatically each night or weekly, provided that you were willing to store your Bitwarden credentials somewhere on the computer, which is possible but has some potential security risks associated with it. (For me, not having to worry about exposing my master password in a scheduled script outweighs the benefit of the additional convenience of a fully automated backup solution, but that’s just my personal preference.)
A sound backup strategy for securing access to your vault into the future requires that you create backups of your master password and two-step login/2FA methods, as well as routine exports of your Bitwarden vault contents and file attachments (if applicable). I hope this guide helped users to think about the available options to implement such a strategy, and that you are already using solid approaches to your backups. If you don’t use a backup strategy yet, then I hope this guide helps you to implement a strategy today!
And if you have comments to share, suggestions to improve this guide, or any questions, please add a post below. I would be happy to amend this guide to correct any errors I made or incorporate good ideas that I was not aware of. Cheers!
- Yes, religiously!
- Yes, occasionally
- No, but I keep meaning to start/will start now
- Nope - can’t be bothered to