I’m in a process of migrating my Keepass data into Bitwarden.
I modified some entries’ notes on my Keepass repository, exported the Keepass repository to Keepass XML 2.0 format which is one of the option accepted in Bitwarden.
The import went in very smoothly as all my entries are there but I noticed that some of the notes’ entries are wrong. So I updated those notes field entries on my Keepass and exported them again.
I purged the bitwarden vault (irreversible) and re-import my new Keepass exported 2.0 XML and the wrong notes’ entries persist in Bitwarden.
Next steps, I deleted all the history records of the wrong entries in Keepass, exported them again, reviewed the exported Keepass raw XML and confirmed that the intended corrected notes are there and none of the wrong ones exist.
I repeat the vault purged process and reimport the clean Keepass XML 2.0 and guess what? The entries with the wrong notes are still there.
This makes me wonder if Bitwarden vault purge process purge everything.
It seems odd that you still see the old values if you did this:
reviewed the exported Keepass raw XML and confirmed that the intended corrected notes are there and none of the wrong ones exist.
For troubleshooting purposes, I would suggest the following:
Create a new free Bitwarden account (using a throwaway email), and try importing your XML there. Are the outdated notes still present? If so, this suggests you may have missed something when reviewing the XML contents.
After purging the vault (before reimporting the clean XML), log out of the Web Vault and Log back in, to confirm that the purge was successful. Then retry the import.
Depending on what happens in the above tests, if you are still unable to get rid of the outdated notes in the tests, it would help if you can try to pare down the XML to the minimum content that is able to reproduce the issue.
I did those suggestions and they don’t work as the notes still show up but I found out what happened.
Can’t explain why as this is not happening to all entries, just some.
Basically, what I did in Keepass was moving my notes into custom fields and assign those custom fields to protect values in process memory. What keeps showing up in BW notes were my custom fields containing the notes. Even though I can’t see them in Keepass but they shows in BW as notes. Weird as this only happens to some items after importing to BW but not all. They’re using the same custom fields.
What’s weird, BW imported some items correctly but leaving some other ones into Notes. I also checked the notes whether they contain special characters and they are none.
I’ll research further and share if I find anything else.
Thanks
I don’t know enough about Keepass to understand what you mean by the above. But the XML export is a text file and should not be affected by what is happening in the Keepass process memory. Perhaps this “memory protection” function in Keepass is just some simple encoding that results in scrambled text being exported in the XML, and perhaps the Bitwarden importer is smart enough to unscramble such encoded text on import.
Your best bet is probably to undo any such memory protection in Keepass before exporting the data, and delete any notes that you don’t want to be imported.
If you want further assistance, I would (again) suggest that you create a test XML export for troubleshooting purposes in which you have deleted all records except for one example of a record that is giving you trouble. Sanitize that record (i.e., obfuscate any sensitive information), then share the contents of the resulting XML with us. For best results, enter three grave accents (```) on a line by itself in the forum comment editor, then paste the XML contents, and finally enter a new line with another sequence of three grave accents (```) by itself.
First of all, thank you so much for all the help and detail answers to this topic.
Finally, after bunch of trials and errors, I found the root cause of this.
Keepass XML 2.0 protected field format has ProtectInMemory=“True” element’s attribute as follow
<Value ProtectInMemory="True">xxxx</Value>
Apparently, Bitwarden import process will import any content within the Keepass’ protected elements/fields to Notes section if it encounters any CR LF (Carriage Return Linefeed) special characters which is a normal text files lines termination characters, in my case is within the exported Keepass 2.0 XML format protected fields (ProtectInMemory=“True” element’s attribute).
For example, I have a following secure note entry with 2 lines with CR LF (non-displayed):
Bitwarden import process will import and render the example values above in the Notes section but if I get rid of the CR LF special character by concatenating the lines with ; (semi-colon) separator (I pick this character as a preferred line separator)
the import process will honor this entry as a single line in a custom protected field and imported it properly.
This explains why only certain contents show in the Notes section while others are not.
I’m hoping that Bitwarden team can consider this as a bug in the application’s import process and fix it as this could be affecting other import values from other password management software out there.
I also hope this solve will help others with the same experience or at least for importing Keepass 2.0 XML format to Bitwarden.
If I’ve understood correctly, when the <value> contains CRLF, the Bitwarden importer imports the data into the “Notes” field and preserves the line breaks (but ignoring the ProtectInMemory attribute?), but when the <value> contains no line breaks, the Bitwarden importer imports the data into a custom field (of the “Hidden” type, presumably — I think this is what you mean by “custom protected field”).
Could you check whether the imported items with ProtectInMemory=True have Bitwarden’s “Master password re-prompt” option enabled (for both cases — line breaks or none)?
As far as a “fix”, that would be complicated by the fact that the value of custom fields cannot contain multiple lines. There is work being done on preventing the display of any contents (including Notes) of items that have the “Master password re-prompt” option enabled, so waiting for the implementation of that behavior may take care of the issue (assuming that Bitwarden’s importer translates the ProtectInMemory=True attribute inot enabling the item’s “Master password re-prompt” option).
I didn’t have the Bitwarden’s “Master password re-prompt” option enabled I will try it with enabled or disabled option when I have time.
Regardless, I wrote a quick python script to cleanup the Keepass XML 2.0 file by replacing all those CRLF characters with ‘;’ semi-colon character on all my custom fields that have ProtectInMemory=True, purged and reimported the vault.
All good so far, I will try to research around with “Master password re-prompt” option though.
Thanks
No, what I meant is to import one Keepass item that has the ProtectInMemory=True attribute. Then open that imported item in Bitwarden, and try to Edit the item. When you try to Edit the item, does it ask you to first enter your master password in a modal window title “Master Password Confirmation”? If so, then this means that the Bitwarden importer has properly interpreted the ProtectInMemory=True attribute to imply that the item should be protected using Bitwarden’s master password reprompt feature.
I was wondering whether this happens at all, and whether it happens both with and without CRLF linebreaks in the protected field of the XML being imported.