How To: A User's Guide to Backing Up Your Bitwarden Vault

Hi @rustycanb - glad you were able to make it work with a bit of help from @sugianto. :+1:

And yes, the current CLI version has a bug where the folder information is missing on export - there is an active bug report here that will be addressed soon, I hope:

@dh024 Thanks for the reference to the bug report. I’ll keep an eye it. Not a deal breaker, but it would be good to have fix soon.

@rustycanb is the above accurate, seeing as the bug report states the folders are not preserved using any export format from CLI?

Yes, I think I made a mistake. Tested again and no folders are present. Sorry for misinformation.

1 Like

Clarification: When a vault is exported using CLI -- format json the folders are (mostly) included in the resulting backup file. If the folders are present like this first line of the JSON file: "encrypted": false, "folders": [ { "id" etc...: then that file can be imported into another account vault and folders are present. I have not been able to discover what causes the inconsistent behaviour, but the file with folders is, as expected, slightly larger.
From my tests, this does not happen with a CLI exported file specifying a password on the command line. No folders are present in the imported vault after it is imported into a different account’s vault, other data is intact.

8 posts were split to a new topic: New Backup Options for Bitwarden - Academic Questions!

So far the new version has reached web vault and Android Play update, but not Firefox extension.
I have been able to create a backup using the web vault and successfully import it to another account vault with folders!
The file structure is similar to the earlier one created by CLI (ie totally random without entry structure) but slightly larger (the folders?).

I just installed the latest release of the BW CLI (2022.10.0) and it appears that the missing-folders bug has been fixed. :+1:


@dh024 As with the web vault… So far, the Firefox extension has not had an upgrade.

The password protected exports definitely are useful, but one reason I export my vault once in a while is to have an offline backup just in case Bitwarden closes down. I understand that the encryption format is something custom so I still can’t really decrypt my backup without Bitwarden (well, I could reverse engineer the Bitwarden source code to implement the algorithm, but that’s painful).
Other than that what’s missing in my opinion in the CLI is for the password to be prompted for rather than having to enter it as a parameter on the command line (and as a result ending up in the shell history file and potentially elsewhere).

@jknockaert - if you omit the --password parameter on the command, the CLI will prompt you to interactively enter your password instead.


Until you update the contents of your guide, I think it would be a good idea to let stand the link to the announcement about the new password-protected backup option:

Users interested in the implementation details and security of this new option can head over to the split off thread, but knowing about the ability to do password-encrypted exports without the CLI is valuable information for all readers of the current topic.

Patience, @grb. I will update my post when I am able to.

I split your discussion because it does not follow the community guidelines. Please review them here:

Yes, I wasn’t complaining about the split — it makes sense. Also not complaining about the OP not being up-to-date yet.

Just making the point that the availability of the new password-protected backup option is information that does belong in this thread, so I posted the link again after it got removed.

Came across this script quite recently, looks useful, haven’t had a chance to test as yet…

“Powershell script that exports Bitwarden passwords to KeePass”

I have not yet verified this myself, but there is a recent Reddit post reporting that when exporting from the Desktop client directly to a BitLockered drive (consistent with the recommendations given above), the export process creates a temporary copy of the unencrypted export in the default Downloads directory. If confirmed, this would directly affect the above advice given about unencrypted exports. The guide may need to specify that unencrypted exports should only be created using the Web Vault (assuming the reported issue is restricted to the Desktop app*).

*Update: I’ve come across a report that similar issues may affect the downloading of unencrypted exports from the Web Vault, depending on the browser and browser settings used. Caveat emptor.

I have been looking for an automated way to do backups, but am also concerned with exposing the master password in some script. One way I’ve found, which is almost certainly not optimal but works, is to simply take an automated copy of the “bwdata” directory. One could do that using a cloud backup service to make it super easy, or write a script invoked by some kind of cron utility. Either way, passwords are not required and you don’t need to worry about any additional encryption procedures.

To restore, either create a new BW install or use an existing one, replace the bwdata directory with the one from your cloud/other backup and then follow the “migrate BW from host to host” procedure. I used this very procedure the other day and it saved my bacon. The way I did this to make it a bit more slick was to tar and gzip the bwdata directory and have my cloud service pick up the tar.gz file.

The only real downside I’ve found to doing this is that the bwdata folder itself isn’t small. However, it contains EVERYTHING, so as long as you had a working instance before and you can remember your master password, it’s a real winner. The recovery procedure itself isn’t particularly slick, but is scriptable if you want, but it’s easy and doesn’t take too long.

Thanks for sharing, although we may be discussing two different things here - this thread is about backing up a user’s vault, whereas I believe you are discussing server backups for self-hosted instances of Bitwarden.

Thank you, you are right. I had not realised that this thread wasn’t particular to self-hosting. My solution only works for self-hosting, but is effectively an easy - albeit inefficient - way to back up the vault using an automated method.

Agreed - thanks for mentioning this! Cheers.