Hey there! I wanted to ask what would be the best way to back up your Bitwarden vault anywhere that's not hosted online and is local, such as a USB. Thanks!
Just be sure to read both the main post and the discussion that follows. The comment posts in that thread include a description of an alternative backup approach, as well as information on some potential security issues that can occur with encrypted exports, a bug that can affect some CLI exports, and a recently released password-encrypted export feature that can be used for backups.
Regarding any backups, especially for anything that would be considered “mission critical” such as a password vault, I would highly suggest looking to develop some type of good 3-2-1 backup strategy.
Meaning you have:
3 copies of your data, one being the live data in Bitwarden, and then two backups to provide for 3 sources of your data.
2 of those backups should be on different media types if possible, such as, if wanting to retain offline-only backups, either tape, optical, paper, or a flash drive as you say should work. (One thing to note with flash drives: typically, if they are not plugged in every so often the data can become corrupted and lost. This should not be an issue if you have a decent backup strategy with multiple copies of your data, and if you back up often enough, even let’s say once per year, that should lessen the chance of data corruption on a flash drive. Just something to be aware of.) Though silent data corruption can happen on just about anything, including the LTO tape, optical, flash media, etc. as mentioned, hence why having multiple backups and a good recovery plan is essential.
1 of the copies of your data should be completely off-site; this can be at a friend's or relative's house, a safety deposit box at a local financial institution, etc.
This will help to ensure in any case your data will be recoverable in just about any situation.
The main challenge, especially with completely offline backups and maintaining good upkeep of your off-site backups as well, is to be diligent and stick to a routine in your backup process.
Make sure your local backup is done every so often after major changes to your vault, and keep the off-site backup up to date every so often as well, to be sure that when you need them the most they are the most recent copies.
I personally use my own method of backups; of course this is different for everyone, but what I do is create a task every month to back up my password vault for local access, including the org backup and the one in that specific PW manager.
Now, when backing up locally, ensure you know how you want to store that password database, because just storing it on a USB drive allows anyone to pick it up, hit restore, and get access to all your passwords.
What I typically do may be overkill for many, but what I do when exporting is:
- export vault > .json (encrypted)
- find the local file and use encryption software such as Encrypto or even Keka archive software to encrypt it once more, and ALWAYS delete the original unsecured file.
- rename the file to something less obvious, not "bitwardenpasswords" etc.
- I typically copy it over to multiple devices.
- test and run lock out scenarios.
I agree with @cksapp; I typically always have a minimum of 3 copies, and I even use cloud drives with the file encrypted.
This is a complete extra level, but I typically use Boxcryptor on every drive I use, which also encrypts each file that gets copied to it, giving it 3 levels of encryption (1 being the encrypted .json, 2 being Encrypto, 3 being Boxcryptor).
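The routine described in the two posts above (second-layer encryption of the export, a restore test, deleting the plaintext, and periodically checking offline copies for silent corruption), as an added example that is not from this thread or from Bitwarden. It uses openssl as a stand-in for Encrypto/Keka, a constructed sample file in place of a real export, and assumes the passphrase is supplied in the `BACKUP_PASS` environment variable.

```shell
#!/bin/sh
# Added example, not from the thread: second-layer encryption of an exported
# vault file, a restore test before the plaintext is deleted, and a checksum
# for later integrity checks of offline copies. openssl stands in for the
# Encrypto/Keka step above (assumption: openssl with -pbkdf2 is installed).
set -eu

WORK=$(mktemp -d)

# Constructed stand-in for an exported vault file; NOT a real Bitwarden export.
make_sample_export() {
  printf '{"items":[{"name":"example","login":{"username":"user"}}]}\n' \
    > "$WORK/bitwarden_export.json"
  printf '%s\n' "$WORK/bitwarden_export.json"
}

# The passphrase is read from the BACKUP_PASS environment variable so it never
# appears on the command line (visible in `ps`) or in shell history.
encrypt_export() { # $1 = plaintext path, $2 = output path
  openssl enc -aes-256-cbc -pbkdf2 -iter 600000 -salt \
    -in "$1" -out "$2" -pass env:BACKUP_PASS
}

decrypt_export() { # $1 = ciphertext path, $2 = output path
  openssl enc -d -aes-256-cbc -pbkdf2 -iter 600000 \
    -in "$1" -out "$2" -pass env:BACKUP_PASS
}

sha256_of() { openssl dgst -sha256 "$1" | awk '{print $NF}'; }

# Encrypt, give the file a nondescript name, prove it restores, store a
# checksum, and only then remove the plaintext export and the restore copy.
backup_routine() {
  src=$(make_sample_export)
  out="$WORK/2024-archive.bin"
  encrypt_export "$src" "$out"
  decrypt_export "$out" "$WORK/restore_test"
  cmp -s "$src" "$WORK/restore_test"   # set -e aborts here if the round trip differs
  sha256_of "$out" > "$out.sha256"
  rm -f "$src" "$WORK/restore_test"    # plain rm: flash media has no reliable secure erase
  printf '%s\n' "$out"
}

# Run this when refreshing a USB or off-site copy to catch silent corruption.
verify_backup() { # $1 = encrypted path; returns non-zero on checksum mismatch
  [ "$(sha256_of "$1")" = "$(cat "$1.sha256")" ]
}
```

Export `BACKUP_PASS`, call `backup_routine` once per backup cycle, and run `verify_backup` on each copy before trusting it as a restore source.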