Is this guy right about unencrypted vault back-ups?

I read this on a Reddit post about backing up a vault on USB drives. I know that there’s a lot of false info on the internet (about everything), so I would like your thoughts. Here is what he wrote:

“Anybody who is creating unencrypted vault exports should be aware that this creates a temporary copy of your unencrypted vault on your device (this is true even if you use the “Save As” option to specify that the file should be saved “directly” to your external USB drive, or to some encrypted container). Even though the temporary file is deleted at the end of the export process, it may be possible to use file recovery tools, forensic tools, or malware to recover some or all of your vault contents from the device at a later date. If your device uses an SSD for persistent storage, it may not be possible to fully expunge all traces of a deleted file from the drive.
I’m not aware that anybody has demonstrated this type of vulnerability specifically for Bitwarden vault exports, but personally, the fact that the plaintext file is created to begin with is enough to give me pause.
My understanding is that this is a limitation of how JavaScript/TypeScript implements file save operations. I don’t have sufficient technical expertise to know whether it is possible for js/ts code to circumvent this file-saving mechanism.”

What do you think? Is he correct that saving the file as an unencrypted .json file directly to a USB drive (or any drive) can still leave a trace of the file on your device?

Thanks

This is definitely true on Windows, and you don’t have to take anybody’s word for it. Create an export (encrypted if you prefer to play it safe) and wait for the prompt to specify the desired file name and location, but do not yet specify the destination for the export. With the “Save As” dialog still open (waiting for your input), use File Explorer to open your Downloads folder, and you will see a temporary file that has just been created. Open this file using Notepad, and you will see that it contains your Bitwarden export.

I cannot say macOS does not make any such copy, only that I have not found one yet after looking in caches and temporary folders as well as in Downloads. This assumes also that you are not opening the document with a typical word processor or spreadsheet, merely saving it.

However, if, having saved a file, you examine it with Quick Look in Finder, then it will generate a thumbnail, which can be cleared with qlmanage -r cache.

If you BitLocker your drive, then BitLocker might protect you anyway, because the file trace would be encrypted.

Some people suggest changing the browser’s download folder to get around this problem. For example, setting Firefox’s download directory will result in the temp file being in the chosen folder. But this doesn’t work with the export from the desktop app; you might be able to change it by mucking with Windows to change your download folder.

As far as I understand it, you would have this protection if the user is logged out of their Windows account, but probably not if the computer is left unattended while logged in, or if malware is running on the device.

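The Windows check described in the reply above (watch the Downloads folder while the “Save As” dialog is open) and the BitLocker point can be scripted so you don’t have to race the dialog by hand. The following PowerShell is an added example, not code from the thread or from Bitwarden: it snapshots your Downloads folder and %TEMP%, reports any file that appears (and later disappears) while you run the export, flags files whose contents look like a Bitwarden JSON export, then prints whether the system drive is BitLocker-protected and whether the physical disk is an SSD. The directories watched, the 120-second window, and the JSON keys used as a fingerprint (`"encrypted"` plus `"items"` or `"data"`) are assumptions; the BitLocker cmdlet needs an elevated prompt.

```powershell
# Added example (not from the thread or from Bitwarden).
# Run this, then start the export in the desktop app and leave the Save As dialog open.
# Watched directories are an assumption; %TEMP% is included as a second place to look.
$watchDirs = @(
    (Join-Path $env:USERPROFILE 'Downloads'),
    $env:TEMP
) | Where-Object { Test-Path $_ }

function Get-Snapshot {
    param([string[]]$Dirs)
    # Map full path -> last-write time so we can spot new or rewritten files.
    $map = @{}
    foreach ($d in $Dirs) {
        Get-ChildItem -LiteralPath $d -File -Force -ErrorAction SilentlyContinue |
            ForEach-Object { $map[$_.FullName] = $_.LastWriteTimeUtc.Ticks }
    }
    return $map
}

function Test-LooksLikeBitwardenExport {
    param([string]$Path)
    # Assumption: a Bitwarden JSON export carries an "encrypted" key plus either
    # "items" (plaintext export) or "data" (password-protected export).
    try {
        $text = Get-Content -LiteralPath $Path -Raw -ErrorAction Stop
        return ($text -match '"encrypted"\s*:' -and ($text -match '"items"' -or $text -match '"data"'))
    } catch {
        return $false   # file vanished or is locked by the exporting process
    }
}

$before   = Get-Snapshot -Dirs $watchDirs
$seen     = @{}                       # path -> 'present' or 'deleted'
$deadline = (Get-Date).AddSeconds(120) # assumed window; long enough to click through the export
Write-Host "Baseline taken for: $($watchDirs -join ', ')"
Write-Host "Start the export now. Watching for 120 seconds..."

while ((Get-Date) -lt $deadline) {
    $now = Get-Snapshot -Dirs $watchDirs
    foreach ($path in $now.Keys) {
        if (-not $before.ContainsKey($path) -and -not $seen.ContainsKey($path)) {
            $seen[$path] = 'present'
            $flag = if (Test-LooksLikeBitwardenExport -Path $path) { 'VAULT EXPORT FOUND' } else { 'new file' }
            Write-Host ("[{0}] {1}: {2}" -f (Get-Date -Format 'HH:mm:ss'), $flag, $path)
        }
    }
    # The temp copy is removed when the export completes; note that moment too,
    # because deletion is exactly when the bytes become free-space residue.
    foreach ($path in @($seen.Keys)) {
        if ($seen[$path] -eq 'present' -and -not $now.ContainsKey($path)) {
            $seen[$path] = 'deleted'
            Write-Host ("[{0}] deleted: {1}" -f (Get-Date -Format 'HH:mm:ss'), $path)
        }
    }
    Start-Sleep -Milliseconds 500
}

# Would a leftover trace on the system drive at least be encrypted at rest?
# Get-BitLockerVolume requires the BitLocker module and an elevated prompt.
$sysDrive = $env:SystemDrive
try {
    $bl = Get-BitLockerVolume -MountPoint $sysDrive -ErrorAction Stop
    Write-Host ("{0} BitLocker: VolumeStatus={1} ProtectionStatus={2}" -f $sysDrive, $bl.VolumeStatus, $bl.ProtectionStatus)
} catch {
    Write-Host "$sysDrive BitLocker status unavailable (run elevated on a Windows edition with BitLocker)."
}

# SSD vs HDD matters for whether free-space wiping can be trusted to expunge the trace.
try {
    Get-PhysicalDisk -ErrorAction Stop | Select-Object FriendlyName, MediaType | Format-Table -AutoSize
} catch {
    Write-Host "Physical disk media type unavailable (Storage module not present)."
}
```

If the script reports “VAULT EXPORT FOUND” for a file in Downloads before you have chosen a destination, you have reproduced the behaviour the reply describes. A ProtectionStatus of Off, or a MediaType of SSD, are the two results that should change your decision about doing an unencrypted export on that machine at all.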

First, I agree with you immediately that using an encrypted volume to download and lock the volume up afterward is a better way to make sure that the material is less likely to be accessible to others.

For the sake of discussions (not arguments), I’ll put in some more info.

From the malware standpoint, I also agree with you on the technical possibility, but haven’t seen a malware description that ever mentions scraping deleted data from disk. I am no expert, but here might be someone who knows malware:

First, it’s almost certainly not worth the time and effort for a malware creator to write code to recover deleted data from the hard drive. If they’ve already got the kind of access to your computer that would make that possible, there are far easier and juicier targets. Further, the intensive ongoing disk activity needed to capture data from the entire hard drive - and the corresponding large amount of data exfiltration - would pose a higher risk of discovery.

This is kind of like a bank robber, who has managed to successfully tunnel into the vault undiscovered, considering picking the pockets of the bank tellers and stealing the furniture from the lobby. Low value theft, unless the robber happens to get lucky enough that one of the desks in the lobby happens to contain an expensive gold pocket watch, and much higher chance of getting caught.

So, this kind of trace file/swap file/hibernate file danger is probably from somebody that would do a forensic analysis on your computer. With BitLocker on a TPM-integrated CPU, and the user logged out, or the account in a locked state, the attacker would have to have other exploits to gain access to them.

But for another category that you have pointed out, with me adding one more:

  1. People who have access to your unlocked account
  2. Somebody who can log into your computer using another account, if they too can “undelete” the trace file.

This risk may be less if you follow the credo of not using BW on a system over which you don’t have exclusive control, and are mindful about locking your computer as an “OPSEC” to-do.

TL;DR: OK, so a VeraCrypt volume is better, but BitLocker might be sufficient already.
