How To: A User's Guide to Backing Up Your Bitwarden Vault

Thanks, @grb.

I appreciate the feedback.

Thanks for this idea. I have some questions:

Is there any problem resulting from the fact that there is a warning displayed by Bitwarden when going to the download page and trying to download the portable app, saying: “NO AUTOMATIC UPDATES!!”:


I have to admit that this message scares me a little… it looks like there’s the possibility that, if you use an outdated portable app and you ever need your backup, it could be a problem to get the backup working due to changes in the Bitwarden code which have been made in the online (updated) version in between.

So to speak, you would have to add in your guide that whenever doing a backup with this method, one should first download the latest portable app version to the encrypted hard drive, then sync it there with the online vault to make sure that each backup comes with the latest bw version.

But I like the idea of not having to perform a real backup process at all (including encrypted json and file attachments, which seems to be kind of a hassle), unless your vault ever gets broken/corrupted. So you just have the portable app in sync (which is something like a Bitwarden version which can be backed up like @dh024 suggests, in case of a problem with your account, but which does not necessarily need to be backed up as long as everything works fine).

Did I get this idea right? I like it :slight_smile:

Actually, the opposite is probably more likely. The version of the portable desktop that you were using when you last synced your “backup” vault is guaranteed to be able to read that backup at any point in the future, no matter what changes Bitwarden makes to their code. However, in the unlikely event that Bitwarden releases a client app update that is not backwards compatible with old data.json files, then you would need the older version of the portable desktop app to access your old backups. Personally, I do keep the portable app up-to-date by manually updating it, but I also have an archive of older versions (older releases can also be downloaded from Bitwarden’s repository on GitHub, if need be).

 

To update the portable app, you can just go to Help > Check for updates in the app itself, no need to do a manual download. Also, the method I’ve proposed does not require an encrypted harddrive, since the data.json file that contains your vault data is always encrypted.

 

Please note that the method I have proposed does not preserve file attachments (or Sends). It will preserve the metadata (i.e., when restoring a backup, you’d be able to determine which of your vault items had attachments, and what the attachment file names were), but because attachments are never cached on the local device, the technique I have suggested will not back up any file attachments stored in the cloud.

 

I recommend that you also maintain multiple copies of the app’s data folder (e.g., by backing up the drive on which you have installed the portable desktop app, or by rotating more than one USB drive containing the portable app). At the very least, use a different client app to verify that you can unlock and sync the vault, before launching the portable app to sync your backup. This is because there have been glitches where Bitwarden logs out all clients that are connected to the internet as soon as the app is launched, unlocked, or synced — if this happens with your portable desktop app, then the locally cached vault data associated with the portable app (i.e., your backup) will be immediately deleted without warning.

I have to ask: is it true that the only way to back up attachments will result in a hassle and effort via CLI (in combination with batch), as @dh024 was explaining in his initial post? Will Bitwarden ever create a proper and simple backup feature, which just makes it possible to back up the whole vault including attachments and which will make it possible to restore a full backup including attachments? I feel like being scammed that there is no useful full backup feature and people need to find manual workarounds and other people need to write tutorials on how to back up… that this topic even exists does not feel right: a nice, simple, full backup feature seems to be a basic requirement for a password manager app, but it does not seem to exist. Maybe I will have to make this a feature suggestion. Does it have technical reasons why there is no proper full backup option in Bitwarden, which will just create something like an encrypted *.7z file, which is encrypted via the master password and which can later be used to recreate the vault if broken (including attachments of course…)?

Now I am afraid again :unamused: :
I just tried the following steps: I downloaded bw portable. I copied it to a USB stick in a folder called <2023-03-23_backup>. Then I opened the *.exe file, logged in, synced and then locked the vault. In this state my json file is about 600 KB in size and contains something like 10.000+ lines of text, so the vault is obviously open and it is properly encrypted.

In my world, I would only want to use this backup if my bitwarden online vault was ever corrupted or similar. Therefore, I would just leave this backup like it is and disconnect my usb stick. The backup should be safe on the stick.

The next time when I want to create a backup, I will either download the latest bw portable *.exe file or I will copy the existing *.exe file to a new folder on my stick called, for example, <2023-04-30_backup>. I will open this *.exe file in the new folder and, as there is no open session within this folder, I will have to log in, sync everything from my online vault, and then lock the session again. Now I have a second backup in a separate folder. I will detach my USB stick and keep the stick in my closet.

With these steps I should create an archive of backups over time and always have a more or less up-to-date backup within a more or less up-to-date Bitwarden portable version, which is always in the locked vault state with an encrypted *.json file.

However, now the scary part: What exactly should I do or NOT DO ( :face_with_peeking_eye: ) if my online vault ever gets corrupted and I plan to use the latest backup file to rescue my online vault? I somewhat understood that as soon as I reopen Bitwarden portable while being connected to the internet, it could happen that my encrypted json backup file will immediately be closed and, as the online vault is corrupted, I would lose the backup. Knowing this, I would make a copy of the stick or the latest couple of backup folders of course, before trying to recover my online vault. But anyway, what would be the correct steps in this situation (besides the fact that I did not back up any of the file attachments, which is a different topic)?

You can also just use any of the “regular” Bitwarden client apps to manually download the attachments, or better yet — just copy the attachment file to your backup media at the same time that you first upload it as a Bitwarden attachment. If you want an automated backup process for attachments, you will need some kind of script (but you don’t have to write your own script — you can just use one of the available third-party utilities, like PortWarden (GitHub - vwxyzjn/portwarden: Create Encrypted Backups of Your Bitwarden Vault with Attachments)).

 

Odd choice of words. Has Bitwarden made any representations that their premium product includes an integrated full backup solution? This is not a standard function for password managers, and competing products such as Dashlane or LastPass do not have anything equivalent, either.

 

If you do everything you described, the correct recovery process would be to disconnect your device from the internet, launch the portable app from the most recent backup folder, and unlock the vault. From this point, what you do depends on what your goals are:

  • If it’s a temporary outage and you just want quick access to a few of your credentials, you can copy them from the backed up vault (using the portable desktop app).

  • If you’ve lost access to your Bitwarden account and need to set up a new account, create a .json export from the portable desktop app, and import that into your new Bitwarden account.

  • If you’re migrating to a new password manager product, create a .csv export from the portable desktop app, and import that into your new password manager.

Thanks a lot. You’re right. The choice of words was probably a little harsh. It was just what I expect from a product like this.

Unfortunately, the Bitwarden CLI does not support FIDO2 security key 2FA… instead it only allows less safe ways as a second factor (e.g. TOTP, YubiKey OTP, …), which I explicitly did not want to set up with Bitwarden, because I wanted to make 100% sure that all of my second factors are something which a possible attacker must physically obtain to be able to use them. So I have to accept that all semi-automatic backup possibilities via CLI (e.g. PortWarden) won’t work for me. Right now I am disappointed again that Bitwarden just does not offer a proper and safe full encrypted backup option including attachments. I will file a feature request.

Yes, it would be nice if FIDO2 was supported 100% on all clients. Here’s a possible work-around that some users have found acceptable:

Set up TOTP as a second 2FA for your Bitwarden login, but store the TOTP seed in Bitwarden itself (and nowhere else). That way, the only way an attacker could get the TOTP code for authenticating a login into your Bitwarden account would be:

  • Get the TOTP code or seed from your vault, which would require them to have access to your Yubikey or to one of your devices that has an unlocked vault (in which case they would have no need for the TOTP code anyway).

  • Phishing, which would be highly unlikely in the case of logging in to the CLI (and you would presumably never try to use the TOTP authentication method on any client other than the CLI, making phishing impossible for those clients).

  • Social engineering: Don’t give anybody your Bitwarden TOTP code or seed — I’m sure you know better.

  • Brute force: Bitwarden has rate-limiting mechanisms to slow down brute-force attacks, and will notify you after 9 failed login attempts.

And, in case it’s not obvious, the proposed method would allow you to authenticate to the CLI client using TOTP, by using your Yubikey to log in to any other Bitwarden client, and thus getting access to the TOTP code.

1 Like

Sorry I’m very late to reply to this. Cryptomator doesn’t care where the encrypted vault is stored (local or cloud). It will work fine for locally stored files or cloud stored files, either one. When I said Cryptomator was better suited for cloud storage, I meant Cryptomator is better suited to cloud storage than VeraCrypt is (because Cryptomator uses file-level encryption), NOT that Cryptomator is better suited to cloud storage than to local storage.

One question. Do I still need to enter my master password at unlock if I log in using my apikey? Is there a way to create an automated script without using my master password at all?

I think you should upvote this: Direct Export of Encrypted Vault

Hi @dh024
Thanks very much for this article. I found it very informative. As a scummy Windows 10 user, I wanted to achieve the same with a batch file. I had fun with it as I think it’s been about a decade since I built one lol. Anyway, it’s below and it works fine. It provides an encrypted json vault output using the master password, but could easily be modified to take any password.

Anyone is welcome to take it and improve or modify it for their own use. It only exports the passwords, not attachments.

Here it is:

:: Batch file to export passwords from Bitwarden
:: Free to distribute and modify. Help yourself!
:: Author Steve Mayall
:: 24th July 2023
@echo off
:: check if password supplied (%~1 strips any surrounding quotes)
if "%~1"=="" goto :usage
:: log in; the password is passed on the command line here, so it ends up in
:: the console history and the process list - only run this on a trusted machine
bw login me@mysite.com "%~1"
echo.
:: Unlock and keep the session key in an environment variable instead of a
:: file on disk (a session key in a file unlocks the vault for anyone who can read it)
for /f "usebackq delims=" %%s in (`bw unlock "%~1" --raw`) do set "BW_SESSION=%%s"
if not defined BW_SESSION (
    echo Unlock failed, nothing exported.
    goto :eof
)
:: here we go… the export file is encrypted with the same password
bw export --format encrypted_json --password "%~1"
:: lock again and drop the session key so the unlocked state does not outlive the script
bw lock
set "BW_SESSION="
goto :eof
:usage
echo ------------------------
echo Usage: export (password)
echo ------------------------

Cheers

Steve

I improved upon an existing script @dh024 created and converted it to a Powershell script to allow users who use Windows to export their Bitwarden Vaults.

I’ve open sourced the script under the MIT License and it can be found here.
trparky/Bitwarden-Vault-Export-Script (github.com)

It’s interesting how all scripts that pop up to export your vault with attachments do not provide a restore script.
So now imagine a user that has about 100 attachments across 200 entries.

It probably takes a full day to restore the attachments manually. Has it never occurred to the bw devs that this process needs improvement?

1 Like

Well, it is on the active development roadmap as of this month, so I can confidently state that yes, it has occurred to the developers.

That must be because it’s way easier:

  • To export attachments, you just search for items that have them and download them in some directory structure.

  • To restore them you need to come up with a way to pair each attachment to the item it belonged to when it was exported; which is not so straightforward.

The scripts that I use (and wrote myself) try to do that. They are written in bash, so they might be a bit more difficult to use on Windows.

But, in any case, it should be definitely easier for everyone once Bitwarden provides a direct way to export attachments from their client(s). As @DenBesten pointed out.
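The pairing problem described in the post above (files are easy to download, but on restore each one has to be re-attached to the right item) can be handled by writing a manifest at export time. The following is an added example for this thread, not the bash scripts mentioned above, not PortWarden and not anything shipped by Bitwarden. It assumes the `bw` CLI is installed and unlocked (BW_SESSION in the environment) and uses only documented commands: `bw list items`, `bw get attachment <id> --itemid <item> --output <path>` and `bw create attachment --file <path> --itemid <item>`. SAMPLE_ITEMS and NEW_ITEMS are constructed stand-ins for what `bw list items` returns before the export and after a `.json` import into a fresh account; the manifest layout and the `bw-attachments` directory name are this example's own choices.

```python
"""Pair Bitwarden attachments with their items for export and later restore.

Added example for this thread, not the scripts posted above and not part of
Bitwarden. Assumes the `bw` CLI is installed and unlocked (BW_SESSION set).
SAMPLE_ITEMS and NEW_ITEMS are constructed; their shape follows what
`bw list items` prints for items that carry attachments.
"""
import json
import os
import shlex
import subprocess

# Constructed stand-in for `bw list items` before the export.
SAMPLE_ITEMS = json.loads("""[
  {"id": "item-1", "name": "Bank",
   "attachments": [{"id": "att-1", "fileName": "statement.pdf"},
                   {"id": "att-2", "fileName": "card.png"}]},
  {"id": "item-2", "name": "Passport",
   "attachments": [{"id": "att-3", "fileName": "scan.pdf"}]},
  {"id": "item-3", "name": "Forum login", "attachments": []}
]""")

# Constructed stand-in for `bw list items` after a .json import into a new
# account: every item has a fresh id, and "Passport" now exists twice.
NEW_ITEMS = json.loads("""[
  {"id": "new-1", "name": "Bank"},
  {"id": "new-2", "name": "Passport"},
  {"id": "new-3", "name": "Passport"},
  {"id": "new-4", "name": "Forum login"}
]""")


def attachments_of(items):
    """Yield (item_id, item_name, attachment_id, file_name) per attachment."""
    for item in items:
        for att in item.get("attachments") or []:
            yield item["id"], item["name"], att["id"], att["fileName"]


def export_plan(items, outdir):
    """Return (manifest, commands) for downloading every attachment.

    Files land in <outdir>/<item id>/<attachment id>_<file name>, so two
    attachments that share a file name never overwrite each other, and the
    manifest records which item each file belonged to."""
    manifest = {"items": {}}
    commands = []
    for item_id, name, att_id, fname in attachments_of(items):
        # never let a file name from the vault escape the backup directory
        safe = os.path.basename(fname.replace("\\", "/")) or att_id
        dest = os.path.join(outdir, item_id, f"{att_id}_{safe}")
        entry = manifest["items"].setdefault(item_id, {"name": name, "attachments": []})
        entry["attachments"].append({"id": att_id, "fileName": fname, "path": dest})
        commands.append(["bw", "get", "attachment", att_id, "--itemid", item_id, "--output", dest])
    return manifest, commands


def restore_plan(manifest, new_items):
    """Return (commands, unresolved) for re-attaching files after an import.

    Imported items get new ids, so the only stable key is the item name.
    A name that matches zero or several new items is reported in
    `unresolved` instead of being guessed at."""
    ids_by_name = {}
    for item in new_items:
        ids_by_name.setdefault(item["name"], []).append(item["id"])
    commands, unresolved = [], []
    for entry in manifest["items"].values():
        matches = ids_by_name.get(entry["name"], [])
        if len(matches) != 1:
            unresolved.append((entry["name"], len(matches)))
            continue
        for att in entry["attachments"]:
            commands.append(["bw", "create", "attachment", "--file", att["path"], "--itemid", matches[0]])
    return commands, unresolved


def run(cmd, dry_run=True):
    """Print the command (dry run) or execute it and return its stdout."""
    if dry_run:
        print(shlex.join(cmd))
        return None
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


def main(dry_run=True):
    # With dry_run=False the item list comes from the live, unlocked vault.
    items = SAMPLE_ITEMS if dry_run else json.loads(run(["bw", "list", "items"], dry_run=False))
    manifest, commands = export_plan(items, "bw-attachments")
    for cmd in commands:
        if not dry_run:
            os.makedirs(os.path.dirname(cmd[-1]), exist_ok=True)
        run(cmd, dry_run)
    print(json.dumps(manifest, indent=2))  # keep this file next to the downloads
    # The restore side is only shown here; run restore_plan() against the
    # `bw list items` output of the account you imported the .json into.
    restore_cmds, unresolved = restore_plan(manifest, NEW_ITEMS)
    for cmd in restore_cmds:
        run(cmd, dry_run=True)
    for name, n in unresolved:
        print(f"# unresolved: {name!r} matched {n} items, attach by hand")


if __name__ == "__main__":
    main()
```

Run without arguments it only prints the `bw` commands it would issue and the manifest, which is the safest way to check the pairing before touching a real vault. The manifest is plain JSON, so it should be stored on the same encrypted media as the downloaded files; an attachment whose item name is no longer unique after the import is listed as unresolved rather than attached to the wrong item.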

Slightly late, but at least it is on the roadmap. :tada:

Apart from the security aspect of the product, what is more important than being able to backup and restore your data? :thinking:
(Restoring half your data doesn’t count.)

Yep, this was apparently not conveyed by my sarcastic undertone. :wink:

Awesome, I will have a look. I haven’t touched Windows, since Win 3.11…