How To: A User's Guide to Backing Up Your Bitwarden Vault

So far the new version has reached web vault and Android Play update, but not Firefox extension.
I have been able to create a backup using the web vault and successfully import it to another account vault with folders!
The file structure is similar to the earlier one created by CLI (ie totally random without entry structure) but slightly larger (the folders?).

I just installed the latest release of the BW CLI (2022.10.0) and it appears that the missing-folders bug has been fixed. :+1:


@dh024 As with the web vault… So far, the Firefox extension has not had an upgrade.

The password protected exports definitely are useful, but one reason I export my vault once in a while is to have an offline backup just in case Bitwarden closes down. I understand that the encryption format is something custom so I still can’t really decrypt my backup without Bitwarden (well, I could reverse engineer the Bitwarden source code to implement the algorithm, but that’s painful).
Other than that what’s missing in my opinion in the CLI is for the password to be prompted for rather than having to enter it as a parameter on the command line (and as a result ending up in the shell history file and potentially elsewhere).

@jknockaert - if you omit the --password parameter on the command, the CLI will prompt you to interactively enter your password instead.


Until you update the contents of your guide, I think it would be a good idea to let stand the link to the announcement about the new password-protected backup option:

Users interested in the implementation details and security of this new option can head over to the split off thread, but knowing about the ability to do password-encrypted exports without the CLI is valuable information for all readers of the current topic.

Patience, @grb. I will update my post when I am able to.

I split your discussion because it does not follow the community guidelines. Please review them here:

Yes, I wasn’t complaining about the split — it makes sense. Also not complaining about the OP not being up-to-date yet.

Just making the point that the availability of the new password-protected backup option is information that does belong in this thread, so I posted the link again after it got removed.

Came across this script quite recently, looks useful, haven’t had a chance to test as yet…

“Powershell script that exports Bitwarden passwords to KeePass”

I have not yet verified this myself, but there is a recent Reddit post reporting that when exporting from the Desktop client directly to a BitLockered drive (consistent with the recommendations given above), the export process creates a temporary copy of the unencrypted export in the default Downloads directory. If confirmed, this would directly affect the above advice given about unencrypted exports. The guide may need to specify that unencrypted exports should only be created using the Web Vault (assuming the reported issue is restricted to the Desktop app*).

*Update: I’ve come across a report that similar issues may affect the downloading of unencrypted exports from the Web Vault, depending on the browser and browser settings used. Caveat emptor.

I have been looking for an automated way to do backups, but am also concerned with exposing the master password in some script. One way I’ve found, which is almost certainly not optimal but works, is to simply take an automated copy of the “bwdata” directory. One could do that using a cloud backup service to make it super easy, or write a script invoked by some kind of cron utility. Either way, passwords are not required and you don’t need to worry about any additional encryption procedures.

To restore, either create a new BW install or use an existing one, replace the bwdata directory with the one from your cloud/other backup and then follow the “migrate BW from host to host” procedure. I used this very procedure the other day and it saved my bacon. The way I did this to make it a bit more slick was to tar and gzip the bwdata directory and have my cloud service pick up the tar.gz file.

The only real downside I’ve found to doing this is that the bwdata folder itself isn’t small. However, it contains EVERYTHING, so as long as you had a working instance before and you can remember your master password, it’s a real winner. The recovery procedure itself isn’t particularly slick, but is scriptable if you want, but it’s easy and doesn’t take too long.

Thanks for sharing, although we may be discussing two different things here - this thread is about backing up a user’s vault, whereas I believe you are discussing server backups for self-hosted instances of Bitwarden.

Thank you, you are right. I had not realised that this thread wasn’t particular to self-hosting. My solution only works for self-hosting, but is effectively an easy - albeit inefficient - way to back up the vault using an automated method.

Agreed - thanks for mentioning this! Cheers.

:flushed: that’s not good. I can confirm a tmp file is shown in the download folder when exporting from the BW desktop app.

I’m pretty sure this won’t happen if you export from the Web Vault (although I haven’t tested this myself), so that would be your work-around.

Unfortunately can confirm the same behavior for the Microsoft Store version of Bitwarden.

Yes, I believe it may be a limitation of Electron.

So it turns out that vault exports being saved in a temporary file also occurs when exporting from the Web Vault using FireFox, although @OpSec has provided a work-around.

I will update my previous post.

1 Like

Interesting thread.

I’m self-hosting for a family.

My approach is to copy the entire ./bwdata directory off the self-hosted VM every hour to a safe location in a secured S3 bucket. In particular, this includes the Bitwarden-created nightly SQL Server .bak files of the entire vault as well as the actual SQL Server mdf and ldf files that comprise the database.

I tested the doc’s restore process for the database. That worked.

Clearly this is a blunt instrument. But, it can be easily automated and it’s much simpler, IMHO. For a small group (four of us), the chances that we’d lose too much activity with a restore like this is small. The only question is how many versions of the structure to keep. With no attachments, it’s pretty small…under 300MB so I am keeping a day’s worth of versions.

I’d appreciate feedback on this approach.