How To: A User's Guide to Backing Up Your Bitwarden Vault

Although Bitwarden provides an official guide on how to backup your vault, it is a topic that frequently arises here on the community forums, and I thought a user’s perspective might be helpful to some.

Why Backup Your Vault

If you are reading this guide, then I suspect you will agree that password managers are fantastic for simplifying how we remember passwords – just save them all in one place (e.g., Bitwarden), and then memorize only one strong, unique password to protect them all. Of course, the drawback with this “all the eggs in one basket” approach is that if something goes wrong, like you forget your master password or your vault accidentally gets purged, you lose all your passwords and secrets. So, backing up your vault to protect against disaster is an essential practice that is recommended for all Bitwarden users.

Checklist of Items to Backup

Here is my checklist of essential items in a backup strategy to ensure that you maintain access to your Bitwarden vault into the future:

  • Create a copy of your master password and store in a safe location
  • Setup a backup method/device for two-step login/2FA
  • Perform routine exports of your vault contents
  • Perform routine backups of your file attachments

Each one of these items above is discussed below, including best practice for backups.

1. Store a Copy of Your Master Password

There is always a chance you might forget your master password (it comes up in the community forums all the time!). So, securely storing a copy of your master password as a backup could be one of the most important things you do to ensure access to your vault in the future. This is especially true of Bitwarden, which is a zero-knowledge solution, meaning that Bitwarden staff and servers have absolutely no access to your password. Thus, Bitwarden cannot possibly recover or reset your master password for you under any circumstances.

Store a secret copy of your password

How you save and store a copy of your master password depends on how averse you are to risk. Here are some options, in no particular order – just be sure you adopt at least one:

  • Write or print a copy of your master password and store it in a secure location (e.g., a safe) or hide it somewhere that only you will locate (tip: use your password hint in Bitwarden to provide a good clue as to where you hid it).
  • You could also hide a digital copy of your master password in a file on a secure file system, like on an encrypted hard drive on your PC, or a zero-knowledge encryption cloud storage service like Sync.com.
    • Encrypted drive volumes, like a VeraCrypt volume or an Apple encrypted disk image (.dmg) file on a Mac are safe as well, but then you must remember the password to access those secure files, which is another potential point of failure, especially if you have already forgotten your Bitwarden password.
  • Store a digital copy of your password in a secure location: this could be on a flash drive that you store in your physical safe and/or on a self-encrypting flash drive, such as a Lexar JumpDrive Fingerprint USB Flash Drive. Generally speaking, this is probably the most secure backup method.

With any of the above options, it is strongly recommended that you practice recovering your password from your secret location or secure device to make sure it works before you need it.

Alternative: Emergency access takeover (premium feature)

If storing a copy of your master password doesn’t appeal to you and you are a premium subscriber, an alternative approach is to designate someone you trust (that could even be yourself!) as an emergency access contact. That way, if you ever become locked out of your vault, you can have your emergency access contact initiate a Bitwarden account takeover and reset your password for you. See more details on the Bitwarden help pages here.

2. Backup Method for Two-Step Login/2FA

Aside from creating a strong, unique master password for your account, the best thing you can do to secure your vault is employ a two-step login method (aka, 2 Factor Authentication [2FA]), which Bitwarden provides to both free and premium members. But remember, if your primary 2FA method fails (e.g., your phone with the authenticator app dies or gets stolen), and you have no backup 2FA method, you will be locked out of your Bitwarden account.

Recovery codes

All Bitwarden users can generate two-step login recovery codes when they setup their two-step login method. These codes can be entered instead of other 2FA methods at login, if necessary, but they should be treated like a one-time-use item. Use the guidance for backing up your master password (above) when saving or storing your 2FA recovery codes (e.g., print out and store in a physical safe or on an encrypted flash drive). This is the minimum backup method for your two-step login.

Tip: For anyone with concerns about end-of-life and providing access to your vault for loved ones, consider adding your Bitwarden master password and two-step login recovery codes into your will. This legal document is strictly protected, and it could become a condition of your will that your password and recovery codes be passed to a particular family member or friend when the will is executed by your lawyer.

Alternate two-step login method

You could also setup multiple two-step login methods (e.g., authenticator app and email-based 2FA codes), which satisfies the requirement to have a backup 2FA method. However, this isn’t a great approach if the strength of your backup authentication process is weaker than your primary two-step login method.

Backup 2FA device (premium feature)

A very secure way to create an additional two-step login method is to setup a separate (i.e., backup) physical security device that you use for your Bitwarden 2FA logins. For example, if you use a Yubikey security device for 2FA, setup a second device as well and store it in a secure location (e.g., a physical safe or a good hiding spot) or ask a trustworthy friend or family member to store it for you. This might be the most secure strategy because you always have a highly secure fall-back method to get into your vault if your primary method no longer works. Something like a Yubikey Bio, which can only be activated after scanning your fingerprint, would be a great option here.

3. Export Your Vault Contents

The third and most obvious component of your vault backup strategy is to routinely export a copy of the contents of your vault (i.e., your logins and passwords, credit card information, secure notes, etc.) to a safe location. This component is essential in case you ever encounter a situation where it is not possible to access your Bitwarden vault, such as accidental or deliberate deletion of your vault (e.g., in an emergency where you believe your vault may have been compromised by an attacker). Just remember to perform exports routinely so that your backups capture the most recent changes to your vault.

Bitwarden makes it easy to export your vault using either the Bitwarden web vault, desktop app, or browser extension. But there are some limitations to what you can export.

Vault contents you can export

The Bitwarden export tool will backup all your current login items, cards, identity items, and secure notes from your personal vault and organizational vault(s), if applicable, including the folder structures and collections associated with them. So essentially, all the text-based information and vault structure you have stored in Bitwarden gets saved.

Vault contents you cannot export

Here are the things that Bitwarden currently cannot backup when you create an export file:

I mention these items specifically so that you are able to consider in advance how the loss of these items might impact you, if you ever had to restore your entire vault from a backup file.

Three different export methods

Bitwarden provides three* options for exporting a text file containing your vault information, each with distinct advantages and disadvantages:

  • Unencrypted export – plain text representation of your vault contents stored as a CSV or JSON-formatted text file.
    • The simplest and most straight-forward file format, which can be viewed in any text editor or word process.
    • Obviously, an unencrypted export file of all your vault contents is something you need to fiercely protect. Thus, if you create unencrypted export files for your backup strategy, be sure to save them directly to an encrypted volume or drive that is secure. VeraCrypt volumes, Mac encrypted disk image volumes, or encrypted removable drives/flash drives are all good options. Avoid saving these files to an unencrypted drive and then copying them to a secure location, because a very determined attacker might be able to retrieve deleted files from your computer, depending on the file system it uses.
    • Note that JSON files contain more vault information than CSV files, so for backup purposes you should always chose a JSON file.
  • Bitwarden-encrypted export – a JSON file in which the contents have been encrypted using the same key that is used to encrypt your Bitwarden vault.
    • These files are generally safe to store on your personal devices without worrying about additional encryption, assuming you are using a strong, unique master password.
    • The critical limitation of these Bitwarden-encrypted files is that they share the same encryption key as your Bitwarden account – this becomes problematic if you are every locked-out of your account and your only option is to start over from scratch. But if you can’t access your account, you can’t decrypt these export files, making them a poor backup solution. Note that unencrypted files obviously do not suffer from this limitation!
    • If you ever rotate your encryption key, your Bitwarden-encrypted export files will be inaccessible.
    • An advantage of Bitwarden-encrypted files is that they are convenient to generate and store, so if you ever had to purge your vault and restore the contents back again (e.g., if you accidentally duplicated all 600 items in your vault!) then you could deliberately wipe the vault and quickly restore your contents from your Bitwarden-encrypted JSON backup file.
  • Password-encrypted export (Bitwarden CLI only) – although this might be the least convenient export format, it is also the most powerful. Using the web vault interface or the Bitwarden Command Line Interface (CLI) in a terminal window, you can manually export your files using a strong encryption system in which you choose the password.
    • Because this encryption system does not depend on your Bitwarden account and current encryption key, but just a password of your choice, this export method may be the best format for backing up your vault contents.
    • Password-encrypted export files have all the advantages of the Bitwarden-encrypted exports, plus they can be restored (imported) to any Bitwarden account, as long as you remember the password. (Tip: I use my Bitwarden master password to encrypt my CLI export files because that password already unlocks the same info in my vault, so I don’t consider it to pose a significant risk).
    • A significant advantage of using the Bitwarden CLI to generate your export files is that one can automate or semi-automate the backup process by creating scripts that run all the CLI export commands for you. For more information and an example, see the final section below entitled Automating Your Exports.

*Note: See also an alternative backup method proposed by @grb below.

4. Backup Your File Attachments

File attachments are a premium feature of Bitwarden that allows you to upload photos, images, sensitive documents, certificate files, etc. into your vault for safe storage. However, none of the Bitwarden export methods mentioned above are able to backup your file attachments. So, another method must be used.

Manual method

The most straightforward but time-consuming process to backup all your file attachments is (1) to locate all the vault items with attachments using the search window in Bitwarden, and then (2) download each file to a secure location, such as an encrypted drive or volume.

To easily locate all the items in your vault that have file attachments associated with them, you can use the full-text search expression below (make sure you don’t omit the leading > symbol):

 > attachments:*

Note that full-text searches can be only used in the Bitwarden web vault, desktop app, and browser extension clients.

Automating File Attachment Backups

The Bitwarden CLI can also be used to download your file attachments, and this method becomes quite powerful if you create a script to perform all the work for you. The CLI can be used to list all the file attachments in your vault, which helps to locate and save a backup of all your files. For those familiar with the CLI and the javascript jq tool, a typical set of commands might start like this:

  bw login
  bw list items | jq -r '.[] | select(.attachments != null) '

which generates a list of items with file attachments. You can the follow up with a command like this to download each file attachment you want:

  bw get attachment <filename> --itemid <itemID> --output <path>

But this can get quite time consuming accessing each file one at a time in the CLI, so automating this process becomes almost a necessity, which is the topic of the last section in this guide below.

Automating Your Backups

If you look back to the vault backup strategy that I recommended at the beginning of this guide, the first two components were to you save copies of your master password and your two-step login method. Since these are essentially one-time activities, there is no need for automation for these steps.

However, routine exports of your vault contents and file attachments are something you will do repeatedly, so automating this process using the Bitwarden CLI is a huge time saver. My strategy is to run weekly exports of my personal and organizational vaults as well as a full backup of all my file attachments. To streamline the process, I use a Bash-shell script that I wrote for use in the MacOS terminal. The script simply prompts me to provide my Bitwarden password, then it automatically logs me in to the CLI, saves a session key in main memory, then automatically performs a password-encrypted export of the vaults, and finally it saves all my file attachments to a secure location. It takes me about 10 seconds of interaction to execute it and enter my master password, and then everything else is automatic, so it is easy and convenient enough to do daily, if one wanted to.

If anyone is curious to see the script I created, I have posted it to Github here (feel free to add comments or suggestions about the script on Github):

https://github.com/dh024/Bitwarden_Export/blob/main/bw_export.sh

Similar approaches could be used to run regularly scheduled tasks, such as cron jobs on Linux or MacOS, or using the Task Scheduler on Windows to execute your backup script. The script I linked above could be modified with a bit of effort to run automatically each night or weekly, provided that you were willing to store your Bitwarden credentials somewhere on the computer, which is possible but has some potential security risks associated with it. (For me, not having to worry about exposing my master password in a scheduled script outweighs the benefit of the additional convenience of a fully automated backup solution, but that’s just my personal preference.)

Summary

A sound backup strategy for securing access to your vault into the future requires that you create backups of your master password and two-step login/2FA methods, as well as routine exports of your Bitwarden vault contents and file attachments (if applicable). I hope this guide helped users to think about the available options to implement such a strategy, and that you are already using solid approaches to your backups. If you don’t use a backup strategy yet, then I hope this guide helps you to implement a strategy today!

And if you have comments to share, suggestions to improve this guide, or any questions, please add a post below. I would be happy to amend this guide to correct any errors I made or incorporate good ideas that I was not aware of. Cheers!

POLL:

Do you regularly backup your Bitwarden vault?
  • Yes, religiously!
  • Yes, occasionally
  • No, but I keep meaning to start/will start now
  • Nope - can’t be bothered to

0 voters

8 Likes

@dh024 Thank you for creating this excellent guide, and for sharing your automation script. :clap:

Hope you don’t mind if I expand on one of your points:

I would add a fourth method (which I currently prefer), available for Windows users:

Install the portable Desktop app either on a USB drive or on your PC, and leave it logged in but locked (using the Master Password) when not in use; then periodically unlock and sync the portable app to get an updated copy of your encrypted vault saved in the .\bitwarden-appdata folder. If you do this on a USB drive, then the USB drive itself is your backup; if you do it on your PC, then your encrypted vault will be backed up anytime you back up your computer hard drive.

If you ever need to restore your backup, then make sure your device is off-line, plug in your USB drive (or restore your backup of the local .\bitwarden-appdata folder), and unlock the portable app. Now you can use any of the 3 export methods described in David’s guide.

I haven’t fully optimized the above technique — it is possible it can be made to work using the regular desktop client (instead of the portable one, which is only available for Windows), and it may be possible to make this work without leaving the portable vault logged in (which would provide additional security).

Would welcome any feedback on this alternative backup approach.

2 Likes

Interesting approach, @grb - thanks for the addition and the idea. What’s the advantage of doing it this way, if you still have to use one of the export methods I outlined above?

There are a few advantages:

  • You get the security of an encrypted backup with the ability to import to a new account (without using the CLI, which can be intimidating for some).

  • I haven’t fully tested, but I am reasonably sure that when re-opening your backed-up vault off line, you still have access to the password history and other metadata (modification dates) that are not preserved in vault exports. You won’t be able to re-import these into your existing account or into a new account, but it may be useful to be able to look up some old information if the main vault has been lost (or if an important password has scrolled past the history’s 10-entry limit)

  • You can even access links to your attachments (by opening the .json), which may come in handy in some limited use-cases (you wouldn’t be able to access the attachment files while in off-line mode, obviously, and I don’t think you can connect your logged in off-line session to the server because of the 30-day expiration of the session). I’d have to experiment to come up with a use-case in which these links may be useful.

2 Likes

I need to do more testing to verify this, but I believe that my suggested alternative method may also provide some benefits if you have an organization vault or multiple accounts (using account switching) – as long as all accounts are logged in at the time the backup is made, I believe that a single backup will capture all vaults.

2 Likes

Excellent post.

1 Like

Great job. Anything I offer is a minor quibble. There are doubtless an infinite variation of ways to skin the cat depending on preferences and circumstances. And there is something to be said for limiting the number of options presented in a “how to” document (in spite of my suggestions below)

I would suggest verarypt or cryptomator for exports. Cryptomator file-level encryption is well suited to syncing changes immediately to multiple copies of the encrypted database (typically one local and one on the cloud) because it only has to sync the changed files, not the entire vault. Having an up to date encrypted copy available on the cloud could be handy in certain circumstances.

In terms of backup for 2FA, I use Aegis TOTP for android which can be set to automatically export encrypted database every time you change anything in Aegis. I sync the local export directory to the cloud with Foldersync for Android. Again having access to encrypted backups on the cloud can be a lifesaver if something happens when you are far away from your home base and home devices. Those who store their 2FA inside of bitwarden already have their 2FA backed up with their bitwarden (except for the 2FA that they use to get into bitwarden).

Hi @bw-tinkerer - thanks for adding your comments. I agree that VeraCrypt is a great solution (I think I mentioned it), but a caveat needs to be stated for Cryptomator - it will encrypt files stored on a cloud vault, but typically the source would be a local folder of files, and I believe Cryptomator will not encrypt local files. So you would need BOTH Veracrypt and Cryptomator if you wanted the local and cloud files to be protected. Of course, a Veracrypt vault on its own is also very secure, whether it is local or on the cloud.

Personally, I use Sync.com as my cloud file storage service because it provides zero-knowledge, end-to-end encryption automatically. So that’s another good solution, especially if your local drives are already encrypted.

And I like Aegis as well - I just wish it had support for iOS, since I have a mix of mobile devices. Other than the commercial offerings, like Microsoft Authenticator or Google Authenticator, I have not found a cross-platform, open-source authenticator app that allows backup/sync of your OTP database. So, I personally use Microsoft Authenticator (for anything that doesn’t go into Bitwarden Authenticator) because I already require it at work anyways. Cheers.

Love the idea regarding your script. I’ve attempted to run in on linux, but getting the following errors:

[email protected]:~/bin$ bash bitwarden.sh
bitwarden.sh: line 2: $'\r': command not found
bitwarden.sh: line 12: $'\r': command not found
bitwarden.sh: line 13: $'\r': command not found
bitwarden.sh: line 18: $'\r': command not found
bitwarden.sh: line 23: $'\r': command not found
bitwarden.sh: line 27: $'\r': command not found
bitwarden.sh: line 34: $'\r': command not found
bitwarden.sh: line 35: $'\r': command not found
Starting export script...
bitwarden.sh: line 37: $'\r': command not found
': not a valid identifierad: `bw_password

bitwarden.sh: line 42: $'\r': command not found
bitwarden.sh: line 44: syntax error in conditional expression
'itwarden.sh: line 44: syntax error near `]]
'itwarden.sh: line 44: `if [[ $(bw status | jq -r .status) == "unauthenticated" ]]
[email protected]:~/bin$ sudo bash bitwarden.sh
bitwarden.sh: line 2: $'\r': command not found
bitwarden.sh: line 12: $'\r': command not found
bitwarden.sh: line 13: $'\r': command not found
bitwarden.sh: line 18: $'\r': command not found
bitwarden.sh: line 23: $'\r': command not found
bitwarden.sh: line 27: $'\r': command not found
bitwarden.sh: line 34: $'\r': command not found
bitwarden.sh: line 35: $'\r': command not found
Starting export script...
bitwarden.sh: line 37: $'\r': command not found
': not a valid identifierad: `bw_password

bitwarden.sh: line 42: $'\r': command not found
bitwarden.sh: line 44: syntax error in conditional expression
'itwarden.sh: line 44: syntax error near `]]
'itwarden.sh: line 44: `if [[ $(bw status | jq -r .status) == "unauthenticated" ]]

Hello @Zoltrix - welcome to the Bitwarden community.

It looks like you are running the script on a Windows machine, is that correct? If so, it looks like your file editor has saved the text file in a format that isn’t compatible inside your docker container. See here for a good discussion of the issue and a fix:

And if you need to discuss the script itself, please use GitHub for that, if you don’t mind. Cheers.

1 Like

@dh024 I have tried each method you so kindly suggested to backup my Bitwarden 2FA secured vault, after login, the results are:

Encrypted JSON backup using CLI and my own password results in an encrypted file but I can’t import that file into another Bitwarden account, says ‘Data is not formatted correctly’. I thought the point of adding my password to the command line was to separate the resulting file from my original Bitwarden account and allow safe storage.
bw export --output /path/to/file/ --format encrypted_json --password $ASECRET

Backup JSON formatted using CLI results in a text-editor readable file. Restoring that file to another account is possible with folders intact.
bw export --output /path/to/file/ --format json

Backup a CSV formatted file and resultant file can be imported to another account with formatting intact.
#bw export --output /path/to/file/

Thanks for your great post, but am I missing something in the first example of CLI encrypted with my password?

Importing an encrypted JSON with a separate password is only supported using CLI for now. In the near future, cough this month’s release, users should be able to export-import encrypted JSON with a separate password on the web vault.

4 Likes

@sugianto Thank you. That worked using bw import bitwardenjson /path/to/file
The resulting imported vault had no folders, not a big deal, all the other data seems intact.
Thanks for your quick response!

Hi @rustycanb - glad you were able to make it work with a bit of help from @sugianto. :+1:

And yes, the current CLI version has a bug where the folder information is missing on export - there is an active bug report here that will be addressed soon, I hope:

@dh024 Thanks for the reference to the bug report. I’ll keep an eye it. Not a deal breaker, but it would be good to have fix soon.

@rustycanb is the above accurate, seeing as the bug report states the folders are not preserved using any export format from CLI?

Yes, I think I made a mistake. Tested again and no folders are present. Sorry for misinformation.

1 Like

Clarification: When a vault is exported using CLI -- format json the folders are (mostly) included in the resulting backup file. If the folders are present like this first line of the JSON file: "encrypted": false, "folders": [ { "id" etc...: then that file can be imported into another account vault and folders are present. I have not been able to discover what causes the inconsistent behaviour, but the file with folders is, as expected, slightly larger.
From my tests, this does not happen with a CLI exported file specifying a password on the command line. No folders are present in the imported vault after it is imported into a different account’s vault, other data is intact.

8 posts were split to a new topic: New Backup Options for Bitwarden - Academic Questions!

So far the new version has reached web vault and Android Play update, but not Firefox extension.
I have been able to create a backup using the web vault and successfully import it to another account vault with folders!
The file structure is similar to the earlier one created by CLI (ie totally random without entry structure) but slightly larger (the folders?).