Is backing up the vault really necessary?

When I was on LastPass I never made backups. The only time I exported the vault was when transferring to Bitwarden.

Now I’m reading about making backups of the vault and how and where to store it. Of course, I would be lost (mentally and online) by losing everything in my vault but what is the scenario for this? If the vault should become corrupted, doesn’t BW have a backup of the encrypted BLOBs?

I’ve tried ‘backing up’ by downloading the portable client, logging in, typing the 2FA and then afterwards logging out. I guess then I have a backup, but to access the vault again if my encrypted BLOB on BW’s servers becomes corrupted, I still have to connect to the servers to log in.

I’m asking all this to try and figure out what routines I should use moving forward. I mean, if we talk about the LastPass hack, then the data was ‘simply’ stolen - not altered to become corrupt.

Looking forward to hearing from you.

Thanks!

IMO it’s just wise and prudent to have a local backup copy JiC. I do a backup once a month with the rest of my offline backups as part of my overall backup strategy for all my critical data.


I personally keep my own offline backups regardless of what service I’m using.


I keep personal offline backups of “everything” (not just my vault). I do this because I have lost data due to my own actions and also those of others. I did not like it.

A few examples of how this could happen within Bitwarden:

  1. I delete a vault entry and realize months later that I really do need it.
  2. Bitwarden as a company becomes insolvent and does not pay their hosting bill.
  3. A bad actor gains access to my email and uses it to delete my vault.
  4. I forget my master password (it happens).
  5. My TOTP stops working (e.g. got a new phone and the secret key did not copy over).

From their data storage document:

Bitwarden has configured a strict 7-day retention policy for PITR and a policy of no long-term retention. This functionality is for disaster recovery purposes only, users and organizations are responsible for creating and securely storing backups of their own vault data. Blob-stored data, specifically attachments and Send files, are not subject to PITR functionality and are irrecoverable once deleted from Bitwarden.

Here is a good document addressing how to create backups. You should also create an emergency sheet to recover from many of these scenarios with less data loss.


@Interweave Well, the alternative to a backup is “hope”. :sweat_smile:

The main method of creating backups is making exports of your vault: Export Vault Data | Bitwarden

Probably the two recommended methods are

  1. JSON password protected → encrypted but doesn’t contain any attachments
  2. ZIP export → at the moment unencrypted, but also contains attachments (and the vault as a JSON file)

(and be aware that all JSON exports don’t contain Sends and items in the trash)

To do an export a few times per year might be enough, depending on how often you create new and important accounts.

Here is a more comprehensive backup guide: bitwarden_reddit/backups.md at main · djasonpenney/bitwarden_reddit · GitHub


Thanks ALL - will definitely do the Vault Export (and put it as a recurring task in Todoist) and then save the file on an offline device and/or an encrypted part of a disk. I don’t have a lot of attachments so password protected sounds good :slight_smile:


Don’t forget to put that password also on your emergency sheets then.

(and for such an “exports-password”, usually a 6-random-words-passphrase is recommended)

Oh so it’s another/new password from the current master password?

Was actually just thinking that if I choose the unencrypted with attachments, simply because it’s unencrypted, should I forget the master password, and save the files on encrypted storages… eh, going in circles here because those passwords should be on an emergency sheet as well :wink:

Yes, I would do something like a diceware sentence.

Can be a different password; does not have to be. The primary argument for doing so is that backups exist for a long time and if you have reason to change your master password, the old one would still work on the old backups.

Since I keep my backups off-line, my level of concern is much less. The only reason I use a password at all is because the export process momentarily places a file on my primary hard drive.

As others have said, a copy of the export password does belong on your emergency sheet. I also keep a copy in my vault so I can easily copy/paste it to avoid unknowingly creating an unrecoverable backup due to a typo-ed password.


Good tip with the password for copy/paste.

And it sounds like you (all) choose the exported version that is NOT locked to one’s account(?)

Account Restricted is horrendously bad. IMHO, bitwarden should remove it as an option. If a bad actor gets access to your email and deletes your bitwarden account, none of your backups can be recovered.


Yep, the “account-restricted” export shouldn’t probably be used at all. Short “advertising block” for another feature request: Make "password protected" the default / predefined choice for "encrypted JSON exports"

PS: @DenBesten seems we have a habit of posting simultaneously today. :wink:

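An added example (not code from this thread or from Bitwarden) that turns the export advice above, the two recommended export types and the warning against account-restricted exports, into a pre-archive check: it classifies a JSON export as plaintext, password-protected or account-restricted, and treats a ZIP export as cleartext that must live on encrypted media. The JSON field names (`encrypted`, `passwordProtected`, `salt`, `items`) and the ZIP layout are assumptions about the export format, so confirm them against a real export before relying on the check.

```python
import io
import json
import zipfile

# Assumed shape of Bitwarden JSON exports (an assumption made for this example):
#   unencrypted:        {"encrypted": false, "items": [...]}
#   password-protected: {"encrypted": true, "passwordProtected": true, "salt": ..., "data": ...}
#   account-restricted: {"encrypted": true, "data": ...}   (no passwordProtected / salt)

def classify_json_export(text):
    """Return 'plaintext', 'password-protected', 'account-restricted' or 'unknown'."""
    try:
        doc = json.loads(text)
    except (json.JSONDecodeError, TypeError):
        return "unknown"
    if not isinstance(doc, dict):
        return "unknown"
    if not doc.get("encrypted"):
        return "plaintext" if "items" in doc else "unknown"
    if doc.get("passwordProtected") and doc.get("salt"):
        return "password-protected"
    return "account-restricted"

def check_backup(filename, data, on_encrypted_media):
    """(ok, reason): apply the thread's rules before a file is archived as a backup."""
    if filename.lower().endswith(".zip"):
        # ZIP exports are cleartext: only acceptable on encrypted storage
        if not on_encrypted_media:
            return False, "ZIP export is unencrypted; store it only on encrypted media"
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            members = zf.namelist()
        vault = [m for m in members if m.lower().endswith(".json")]
        return True, f"unencrypted ZIP with {len(members) - len(vault)} attachment file(s)"
    kind = classify_json_export(data.decode("utf-8", errors="replace"))
    if kind == "account-restricted":
        return False, "account-restricted export: unrecoverable if the account is deleted"
    if kind == "plaintext" and not on_encrypted_media:
        return False, "plaintext export must be stored on encrypted media"
    if kind == "plaintext":
        return True, "plaintext export on encrypted media (no Sends, no trash)"
    if kind == "password-protected":
        return True, "password-protected export (no attachments, Sends or trash)"
    return False, "unrecognised file"

def sample_zip():
    """Constructed stand-in for a ZIP export: one vault JSON plus one attachment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("data.json", json.dumps({"encrypted": False, "items": []}))
        zf.writestr("attachments/item1/scan.pdf", b"%PDF-constructed")
    return buf.getvalue()
```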

Any kind of mission-critical data should always be backed up, ideally using a “3-2-1” strategy.

Adding on to the scenarios described by @DenBesten:

  1. I can no longer log into my vault for an unknown reason, and I am unable to convince Bitwarden customer support to restore a backup (which is typically only done if there is a vault corruption caused by Bitwarden).
  2. My vault is corrupted on the cloud servers, and the problem is not discovered and remedied within 7 days.
  3. An attacker has taken over my vault and changed the master password.
  4. A server-side issue causes all of my Bitwarden apps to be logged out at once, and the servers remain temporarily unavailable for logging back in for a period of time during which I need access to some of the vault contents.
  5. I make a mistake when editing a vault item, overwriting some important information that I need later.
  6. All Azure servers are destroyed in a natural catastrophe or act of war, and I do not have any devices that are still logged in.
  7. I disable my 2FA (which subjects me to NDLP requirements) and lose access to my devices at some future time when Bitwarden may have made their policies for waiving NDLP more restrictive (to the point where they will not agree to waive NDLP for your case).
  8. etc.


Not sure I understand your thinking there. If you log out, all of the cached vault data are deleted, so you no longer have a backup. FYI, I used to recommend a backup strategy that consisted of keeping a logged-in copy of the Portable Desktop App on a USB flash drive, and/or making redundant copies of the “bitwarden-appdata” folder from the logged-in portable app (which I would ZIP, and store separately). Unfortunately, this method is no longer viable, until the following bug is fixed:

As a result of this bug, the “backups” created using the above method depend on the continued accessibility of the device on which they were created, and the preservation of the TPM on that device.

My off-line backup now includes a copy of portable KeePassXC. Since it works completely off-line, and can import a Bitwarden Password Protected JSON, there is no worry about a login expiring or Azure cratering.

I do keep an (outdated) export pre-imported into Keepass, both for immediate emergency access and as a way to validate my export. I do realize that some functionality may be lacking (e.g. I have not tested Passkeys and I know attachments are missing), but during an emergency, something is better than nothing.


What do you mean by “outdated” and “pre-imported”? Is this just the password-protected JSON export that you subsequently import to KeePassXC?

Also, does KeePassXC export into Bitwarden’s JSON format, or do you have to rely on Bitwarden’s KeePassXC (csv) importer during recovery?

Made the mistake of choosing account-restricted but that is now fixed. Got 2 copies on encrypted devices and a 6+ word export password that makes sense to only me.

Will check out KeePassXC for offline access. Sounds promising. If all the AIs start working together and start ruining everything :smiley:

Yes. I import into KeePassXC every third or fourth Bitwarden export, which is why my KeePassXC is generally outdated. My immediate reason for importing is to demonstrate my Bitwarden export worked. For me, this is a “once a year” activity, whereas backups are “at least quarterly”.

KeePassXC has an XML export which is more complete than its CSV export. Bitwarden can read both formats, although I have never personally tried it because I do my best to keep Bitwarden my source-of-truth, avoiding change in the rare cases it is not available.

But the servers themselves are robust, aren’t they?

Yes, but that’s no reason to not make backups — did you read the following list of scenarios, posted by @DenBesten and me?

So far, but that is not the only risk.

My lifetime data loss has primarily been due to me being stupid. As I don’t see that being fixed, I continue to make backups.
