Mitigating against failures

I am currently a premium Bitwarden user, largely happy and impressed with the system.

The information I store in Bitwarden is very important. Not only does it allow me to access my various accounts, but it also acts as a documented list of what accounts I hold, both of which are critical to anybody sorting out my estate should I suddenly pop off.

This eventuality is covered beautifully by the emergency access feature, which also mitigates against me losing access to the system by forgetting the password: all I need to do is ask the person with emergency access to initiate it; they can go in, change the password, and I can get back into the system again.

Recently I’ve also been thinking about what happens if there is a problem at the Bitwarden end. What if they lose my vault? What if they stop working completely? Negligible risk? Possibly, but in gambling terminology you never bet your whole bank on a “safe” bet, no matter how short the odds.

The Bitwarden-recommended solution to this is to download an unencrypted text file containing all my usernames and passwords, encrypt the file myself, store it somewhere safe and then permanently erase the unencrypted file.

I feel very nervous and dissatisfied with this proposition; I don’t think my vault should ever be allowed out in an unencrypted form.

Very interested to be corrected here if I’ve got anything wrong and/or to find out how other Bitwarden users have dealt with this issue.

You got nothing wrong; saving your vault unencrypted on disk has some risk.

To mitigate it you can export it password encrypted. This last option would probably limit your import options a bit in case of having to migrate to something different from Bitwarden. KeePassXC can import that, btw.

Another option is to export unencrypted from a client that does not save that unencrypted temporary file to disk. That’s what I do with Bitwarden CLI:

  • Export it to stdout (on Linux; I do not trust Windows for that) and pipe it to my encryption program of choice.

Of course, in this last case there is always the possibility of RAM being written to swap on disk (although with enough RAM on your system, swap is mostly not needed nowadays).

2 Likes

Hello and welcome to the community :waving_hand:

Besides using the CLI as mentioned:

  1. Some download in an encrypted form, which can be imported into KeePassXC.
  2. Some download unencrypted into an encrypted volume.
  3. Some download unencrypted and then put it into an encrypted archive.
  4. Some use the portable version to unlock once a month (to sync), and then this can be used offline to access what’s in the vault.
  5. Some copy the desktop data directory (with the encrypted vault) while the app is locked and restore the data to use it offline as backups.

These have different risks that different people can tolerate differently. I personally emphasize accessibility, so I download unencrypted on an encrypted volume and then put this into an encrypted archive that is stored in multiple places.

2 Likes

With this method, it is recommended to use a file password that is stronger than the vault master password, to compensate for the fact that exports do not benefit from updates to the KDF settings for the Bitwarden account. I would recommend, at a minimum, a 6-word random passphrase; you can save this password in your Bitwarden vault (for convenience), but to prevent data loss due to circular dependencies, at least one copy of this file password should be kept outside the vault (e.g., written on a securely stored Emergency Sheet).

Furthermore, because the encryption/decryption algorithms used by Bitwarden are published, there are options other than KeePassXC for decrypting Bitwarden’s password-protected vault exports.

As alluded to by @kpiris, in some operating systems (notably, Windows), downloading directly into an encrypted container requires special precautions to be taken, to prevent an unencrypted temporary file from being written into your default Downloads folder.

If using this method, the option “Unlock with PIN” should be disabled before syncing, and a copy of the bitwarden-appdata folder should be made after each sync (to prevent the cached data from being deleted if the session key expires or is deauthorized) — my method is to put this folder in an (unencrypted) zip file. In addition, for reasons explained in the above discussion of file passwords (i.e., the inability to strengthen KDF over time), these types of backups should not be retained for extended periods of time (e.g., multiple years) — delete your old backup after creating an update (at most, retain one year’s worth of old backups).

2 Likes
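As an added example (not code from this thread or from Bitwarden), here is the routine from the post above, copying the desktop data folder after each sync into a zip and dropping copies older than the retention window, as a small Python script; the data-directory path, destination folder and file-naming scheme are assumptions, and no plaintext is involved because the folder is already encrypted at rest by the client.

```python
"""Snapshot a Bitwarden desktop data directory into a timestamped zip and
prune old snapshots.  Paths and the file-name scheme are assumptions made
for this example; they are not Bitwarden's own conventions."""
from __future__ import annotations
import re
import zipfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

STAMP_FMT = "%Y%m%dT%H%M%SZ"
NAME_RE = re.compile(r"^bitwarden-appdata-(\d{8}T\d{6}Z)\.zip$")


def snapshot(data_dir: Path, dest_dir: Path, now: datetime | None = None) -> Path:
    """Zip every file under data_dir into dest_dir/bitwarden-appdata-<UTC stamp>.zip.
    Run this right after a sync, while the app is locked and PIN unlock is off."""
    now = now or datetime.now(timezone.utc)
    dest_dir.mkdir(parents=True, exist_ok=True)
    out = dest_dir / f"bitwarden-appdata-{now.strftime(STAMP_FMT)}.zip"
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as zf:
        for path in sorted(data_dir.rglob("*")):
            if path.is_file():
                zf.write(path, path.relative_to(data_dir).as_posix())
    return out


def prune(dest_dir: Path, keep_days: int = 365, now: datetime | None = None) -> list[Path]:
    """Delete snapshots whose embedded timestamp is older than keep_days (the
    post suggests at most a year, because the KDF settings frozen inside them
    only get weaker with time).  The newest snapshot is always kept, so a
    prune run can never leave you with no backup at all."""
    now = now or datetime.now(timezone.utc)
    cutoff = now - timedelta(days=keep_days)
    snaps = []
    for p in dest_dir.glob("bitwarden-appdata-*.zip"):
        m = NAME_RE.match(p.name)
        if m:  # ignore files that do not follow the naming scheme
            stamp = datetime.strptime(m.group(1), STAMP_FMT).replace(tzinfo=timezone.utc)
            snaps.append((stamp, p))
    snaps.sort()
    removed = []
    for stamp, p in snaps[:-1]:  # never touch the newest snapshot
        if stamp < cutoff:
            p.unlink()
            removed.append(p)
    return removed
```

A sync followed by `snapshot(...)` then `prune(...)` gives the "delete your old backup after creating an update" cycle from the post; keep the resulting zips in more than one place.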

Thanks for the very informative replies.
I’d rather keep everything Android only if possible, but there is plenty for me to look into here, and I’m especially reassured that the encrypted backups can be read by programs other than the Bitwarden apps.

I think I’ll create a test export and get someone to try and read it into KeePassXC.

I actually really like KeePassDX (the Android version) and would likely switch to it if I could think of a way of replicating the emergency access functionality.

You might have to trust other people to pass down secrets; possibilities include:

  1. Give it to your attorney (when feasible)
  2. Use Shamir’s Secret Sharing Algorithm to split secrets among multiple people