✅ Password protected export - Independent from account encryption

I reply here instead of here since it seems to be the official topic.

I agree with what has been said. For now, I don’t see the point of the encrypted export. It’s not a backup and the need to import in the exact same vault makes it totally useless :confused: .

I voted for this topic. I hope you will change this behavior in the future :slightly_smiling_face:.


This is a must-have feature. I was hyped when “encrypted export” was announced, but it was a complete letdown when I found out it cannot be decrypted or read outside the Bitwarden web vault. I want a backup option to serve as a way to regain access to my data just in case one day, out of the blue, Bitwarden shuts down its operations (who knows?) and along with it all my accounts' credentials…

I see two options that can easily be implemented within the existing architecture:

  1. Export an encrypted JSON that contains the Protected Symmetric Key, much like the data.json file from the Desktop App already does. This can be decrypted with the user's master password. The downside is it contains an encrypted copy of the user's encryption key.

  2. Export an encrypted JSON using a new random encryption key, and store the new Protected Symmetric Key in the export. Essentially like the data.json file but with a rotated encryption key. This can be decrypted using the Master Password used to create it, with the advantage of not including the original encryption key.

However you decide to implement Encrypted Export, you should provide a tool to be able to access/decrypt the file independent of Bitwarden services. I.e. if Bitwarden was gone, users could still access the contents of the backup.


I would also appreciate the possibility to have a way to store an encrypted version of the vault which could also be decrypted outside of bitwarden for the same reasons given. There is always the risk that bitwarden can be down and with it access to all accounts which are managed here.

I’m not an expert, but would it be safe to download the plaintext json, go offline and do the encryption manually on my local device? Basically, is the download via the sha256 encrypted web connection to bitwarden secure enough or is there a risk that the file can leak? Any opinions?

I feel like the transfer is safe IF the file ends up in a safe place on your end. I select an encrypted virtual disk, which I immediately close leaving it “eyes only” to me if I need it in the future. Of course you should have multiple backups, which I do. It does me no good to export my vault into a virtual drive on my computer if the hard drive then crashes a few days later.

I am new to BitWarden, and I am impressed with it. But I’m also a careful “data liberation” freak who wants to occasionally do an independent backup of my BitWarden Vaults.

I can see 2-3 ways to do this:

  1. Use BW’s encrypted JSON export for backup / restore, which won’t help me if I need to have a look at just one or two “lost” or changed password records – restoring (re-importing) the encrypted json to BW means wiping out (replacing) your entire current vaults with the older data.

  2. Doing a local un-encrypted export from BW and using your own methods of encrypting it for backup. You can put your own key(s) on it that way.

  3. Do an un-encrypted .csv export from BW and re-import the .csv into KeePass for safe keeping and easy reference to the data. You’ll likely lose some data, but should have what you need to keep from being locked out of accounts. I haven’t tried this yet, but I will as I want to see how much work it is to do.

So my vote for the ability to give an encrypted export its own encryption key is focused on being able to use these exports as useful backups and data-transfer files, including the ability for re-importing to a new Vault on BitWarden rather than have the limitation that it must be imported only to your “production” BW vault in order to be able to use it.

I would like to point out a resolution to this feature request, from my perspective, will also be a resolution to this: Passwordless Account Deletion Should Be Delayed/Reversable

In the unlikely event of an account deletion by a malicious party with access to my email, the only thing I’d truly care about is the recovery of my data. Which is currently not possible with the encrypted backup option because it’s account dependent and the old account would be gone.

I second (third?) this :slight_smile:
To fully comply with local security regulations our organization would need to have encrypted backups (we’d hold locally & offsite) that have never been decrypted during automated backup-runs and can be accessed/decrypted completely independent of any accounts or such.
This is for “absolute disaster” recovery, setting up a local bitwarden host from scratch and importing the data.


Public service announcement:

If you want an encrypted backup, that only needs your master password to open, and does not need any connection to bitwarden servers to unlock the vault (ie. account encrypted unlocked), it's easy to do… bitwarden already does it!

Simply do this:

While logged in, but with vault locked, simply make a copy of the “data.json” file at “C:\Users\yourname\AppData\Roaming\Bitwarden” (or equivalent on other OS’s).

That file is the vault only encrypted with your master password. Even if bitwarden servers are down (permanently) you can just place that data.json file in any bitwarden installation, and you will instantly be logged in, and just need masterpassword to unlock vault, which will all work without even having an internet connection.

So all you have to do is keep a copy of the bitwarden installer, and make regular backups of the data.json file. Now you have an encrypted backup that does not need any account authentication to any bitwarden server.

When they first talked about implementing encrypted backup - this is what I thought they would implement. A simple file protected with 1 password.

And I don’t want to be rude but… the reason that bitwarden didn’t do this is fairly obvious: It removes any need for you to use their servers. Indeed if you just sync your data.json file to a cloud service (on all your bitwarden devices) - you don’t ever need bitwarden servers again for anything.


Not taken as rude, but just to clarify, the current function was the fastest method to allow a universal export that was encrypted - and that could be imported for use in cross-platform scenarios. Using data.json is totally fine for an emergency scenario, but a lot of folks want to have cross-platform access :slight_smile:

We are absolutely planning on furthering the encrypted export, but the catch-22 is making an export that uses a password as a backup for an account for which you’ve forgotten the password :crazy_face:


Does this mean that in an organization anyone with the desktop app has the ability to take a copy of the whole vault, which they can access even if they’ve left the organization, independent of whether there’s a policy preventing them exporting from within Bitwarden?

Within any client, you’re only exporting your individual vault data, not the org data. That must be done from the Web Vault, and by an Admin/Owner or a Custom user with export permissions.

Happy to clarify further if needed :+1:

No that’s really clear and helpful, thanks… and a huge relief! :+1:

First of all, this fact is not clearly explained in the documentation as it should be. Many can do an encrypted export thinking they are bulletproof just to discover, too late, that’s not the case.

Second, I modified my export script to export an unencrypted json and then I encrypt it with 7zip and delete the original file.

Not the safest procedure but at least I am sure I have an encrypted export I can decrypt anytime regardless.

7z a -sdel -p"%_secret%" C:\Users\user\Documents\Bitwarden\BWvault "C:\Users\user\Documents\Bitwarden\vault.json"

This is what I do, but with SSDs it’s likely that the original data is still there since wear-levelling means that data shredding doesn’t work.

edit: oops, sorry for the necro - but it’s still a live gotcha!
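The gotcha in the two posts above (a plaintext vault.json is written to disk before it is encrypted and deleted) goes away if the export is fed to the encryption tool on stdin. This is an added example, not part of the thread and not Bitwarden's code: it uses `openssl enc` instead of 7-Zip, and the function names, file names and the `BACKUP_PASS` variable are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Function names, file names and the
# BACKUP_PASS variable are assumptions made for illustration.
ITER=600000   # PBKDF2 iteration count chosen for this example

# verify_export FILE: restore test. Decrypts to a pipe (never to disk) and
# succeeds only if the plaintext contains the "items" key of a JSON export.
verify_export() {
    openssl enc -d -aes-256-cbc -md sha256 -pbkdf2 -iter "$ITER" \
        -pass env:BACKUP_PASS -in "$1" 2>/dev/null | LC_ALL=C grep -q '"items"'
}

# encrypt_export FILE: reads the plaintext export from stdin, so only
# ciphertext is ever written to storage. The passphrase is taken from the
# exported variable BACKUP_PASS and never appears on a command line.
encrypt_export() (
    out=$1
    [ -n "${BACKUP_PASS:-}" ] || { echo "BACKUP_PASS not set" >&2; exit 2; }
    umask 077                      # backup readable by the owner only
    openssl enc -aes-256-cbc -md sha256 -pbkdf2 -iter "$ITER" -salt \
        -pass env:BACKUP_PASS -out "$out.part" || { rm -f "$out.part"; exit 1; }
    # Keep the file only if it decrypts again with the same passphrase.
    if verify_export "$out.part"; then
        mv "$out.part" "$out"
    else
        rm -f "$out.part"; exit 1
    fi
)

# selftest: round trip on a constructed sample export (not real vault data).
selftest() (
    dir=$(mktemp -d) || exit 1
    trap 'rm -rf "$dir"' EXIT
    BACKUP_PASS='constructed-passphrase'; export BACKUP_PASS
    printf '{"encrypted":false,"items":[{"name":"example","login":{"password":"sample-only"}}]}\n' |
        encrypt_export "$dir/vault.json.enc" || exit 1
    verify_export "$dir/vault.json.enc" || exit 1                    # right passphrase
    if grep -q 'sample-only' "$dir/vault.json.enc"; then exit 1; fi  # no plaintext left
    BACKUP_PASS='wrong-passphrase'
    if verify_export "$dir/vault.json.enc"; then exit 1; fi          # must be rejected
    exit 0
)

if [ "${1:-}" = selftest ]; then selftest; fi
```

Any tool that writes the unencrypted JSON export to stdout can be piped into `encrypt_export`. `openssl enc` in CBC mode provides confidentiality but no authentication tag, so keep a checksum of the ciphertext with each backup copy.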

@Deebster I’m not sure why this Feature Request is still open, as the requested feature (Password-Protected Encrypted Export) was implemented in the 2022.10.0 release:


@bw-admin Please close this thread, unless there is a reason not to.

@grb You are right, this was released with 2022.10.0

Closing this thread.

Isn’t closing the thread supposed to release the votes? How come the thread still shows 33 votes now that it’s closed?

The original votes stay visible on the thread. All voters should receive their votes back though, to vote on other topics.