Restore A Backup

How do I restore a backup? I am new to Bitwarden (LastPass refugee). I have seen some very good, detailed posts about how to create a backup. However, I can’t seem to find a similar post on how to restore a backup and maybe even a safe way to test your backup. I did see a recent post from grb that dealt with a somewhat related issue. Is there any advice or link someone would be able to point me to?
Thanks

Restoration procedures would depend on what type of backup you have. If you’re backing your vault up by creating a vault export, then restoration is done using the Import function in the Web vault.

If you’re backing up the data.json file (a method that I’ve suggested), then you just have to restore the data.json to its original location, and disconnect from the internet before launching the Bitwarden app.

So the details depend on what type of backup method you’ve chosen. There may be some additional advice or pointers to give for each of the approaches summarized above, so let us know your preferred backup method.

The typical way is to go to the Web Vault, select the Tools/Import command, and then select the Bitwarden file type.

1 Like

Thank you. I saw your post in another thread. I just wanted to be sure that it was also applicable to just a normal backup.

Thank you. I am new to Bitwarden and now I know. I hope that I never have to use it . . . but . . . better to have a plan than nothing at all.

The .json has some flexibility benefits, but I am concerned about the fact that it is not in an encrypted state to begin with. I did see your post about disconnecting from the internet before launching Bitwarden. However, I am not exactly sure precisely what steps I would follow. Would I:

  1. Disconnect from the internet, then
  2. Copy the .json file to the original location
  3. Launch the desktop app and verify that the data is now restored.
  4. Quit the app.
  5. Connect to the internet
  6. Start the app again and all is well?

The .json password encrypted method has some benefits in that I believe that it is automatically in an encrypted state to begin with. However, I am not sure what the limitations are. For example, can I import the .json password encrypted into another Bitwarden vault if, for some reason, I was totally locked out?

Sorry to have so many questions. I am sure that what I am asking appears quite obvious to you and RogerDodger, but I don’t want to make a mistake that could have been avoided by having a reasonable understanding of what to do before an emergency situation arises.

By the way, both you and RogerDodger have stressed the necessity to have a strong password and I have taken that to heart. I saw your detailed post about entropy and it was very interesting. I will probably need to read it several times with a period of reflection between each read to even begin to understand the finer points.

So, just to prevent confusion, I have to point out that “.json” is just a file format (like “.csv”, “.xml”, “.doc”, “.txt”), so you have to be more specific about what you are intending to refer to. For example, Bitwarden can produce 3 different “flavors” of vault exports that all are stored in a “.json” file format. In addition, the Bitwarden client apps use a “.json” formatted file to cache a local copy of the vault contents.

Of the four possible types of “.json” files that may be produced by Bitwarden, the only one that is not in an encrypted state is the one that is created when you use the export function to export your vault contents in the form of an unencrypted .json. In contrast, the data.json file that is used as a local vault cache is always encrypted (as are the password-protected .json export and the legacy account-restricted .json export).

 

Yes, of the two available encrypted export formats, the password-protected .json format can always be imported into any Bitwarden account, or even decrypted outside of Bitwarden (using a third-party tool, like BitwardenDecrypt).

The main limitations of using vault exports as a backup method are that they do not retain password histories, item modification timestamps, and similar metadata. They also do not keep any file attachments or “sends”, but that is true of almost all backup methods.

Since you are still learning the ropes, I would recommend that you use password-protected vault exports for regularly backing up your vault. This method is both simple and effective. Choose a password that is different from your master password, and make sure that you store a copy of the backup password somewhere outside Bitwarden.

If you’re referring to restoring a backup of a data.json file (local copy of the encrypted vault), then the process would be as follows:

  1. Exit the Desktop app if it is open.
  2. Restore the backed up data.json file to its original location.
  3. Disconnect the device from the internet.
  4. Launch the Desktop app and unlock your vault.
  5. Use the app to look up (and copy, if desired) any information that you need, including password histories.

If you need to restore your cloud vault from this type of backup, then you will have to complete an export/import procedure:

  1. From the Desktop app (and with the internet still disconnected), use the export function under File > Export vault. If you still have access to your Bitwarden account, and if the account encryption key has not been rotated since the data.json backup was made, then choose “.json (Encrypted)” as the file format. Otherwise, choose the plain “.json” format (note that using this format may leave traces of your unencrypted vault contents on your SSD, even after deleting the file).
  2. Close the Desktop app.
  3. Re-connect your device to the internet.
  4. Log in to the Web Vault of your existing Bitwarden account (if you still have access to it), or to a new Bitwarden account (if you are starting over).
  5. If your Bitwarden account contains vault items that match those contained in the export, then you should delete these (or purge the entire vault, if applicable) before importing.
  6. Import the .json file that you created in Step 6 above; set the import file format to “Bitwarden (json)”.
  7. After the import has completed, log out and then log back in to the Web Vault, and confirm that all imported items are present.
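One way to check which “flavor” of export a backup file is before relying on it, as an added example that is not part of the original posts and is not Bitwarden's own code. The JSON key names are assumptions about the export layout (they are not given in the thread), and the sample documents are constructed.

```python
import json

# Key names are assumptions about Bitwarden's export layout, not from the thread.
ENCRYPTED_FLAVORS = {"password-protected-export", "account-restricted-export"}

def classify_bitwarden_json(text):
    """Label the flavor of a Bitwarden-produced JSON document."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError:
        return "not-json"
    if not isinstance(doc, dict):
        return "unknown"
    if doc.get("encrypted") is True:
        # Password-protected export: the whole vault is one encrypted blob.
        if doc.get("passwordProtected") is True and "data" in doc and "salt" in doc:
            return "password-protected-export"
        # Account-restricted export: item list is present, field values encrypted.
        if "encKeyValidation_DO_NOT_EDIT" in doc and isinstance(doc.get("items"), list):
            return "account-restricted-export"
        return "unknown"
    if doc.get("encrypted") is False and isinstance(doc.get("items"), list):
        return "unencrypted-export"
    return "unknown"  # anything else, e.g. a file that is not a vault export

def backup_report(text):
    """Summarize what a backup file is and what it reveals without a password."""
    flavor = classify_bitwarden_json(text)
    doc = json.loads(text) if flavor.endswith("-export") else {}
    items = doc.get("items")
    return {
        "flavor": flavor,
        "confirmed_encrypted_export": flavor in ENCRYPTED_FLAVORS,
        "visible_item_count": len(items) if isinstance(items, list) else None,
    }

# Constructed sample documents (no real vault data).
PLAIN = json.dumps({"encrypted": False, "folders": [], "items": [
    {"type": 1, "name": "example.test",
     "login": {"username": "alice", "password": "constructed-not-real"}}]})
PROTECTED = json.dumps({"encrypted": True, "passwordProtected": True,
    "salt": "constructed", "kdfType": 0, "kdfIterations": 600000,
    "encKeyValidation_DO_NOT_EDIT": "2.placeholder", "data": "2.placeholder"})
RESTRICTED = json.dumps({"encrypted": True,
    "encKeyValidation_DO_NOT_EDIT": "2.placeholder", "folders": [],
    "items": [{"type": 1, "name": "2.placeholder"}]})

if __name__ == "__main__":
    for sample in (PLAIN, PROTECTED, RESTRICTED):
        print(backup_report(sample))
```

A file reported as `unencrypted-export` should not be left in a backup location. A result of `unknown` only means the file is not one of the three export flavors; it says nothing about whether the file is encrypted.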

@grb are you meaning that this method is suggested over the regular vault export options? What additional items or pros are as a result of using your above method vs the vault export options?

It is a method that I personally use and that I have suggested to others on the forum, but it is not an “official” recommendation from Bitwarden, and I don’t think it is a commonly used approach.

 

I have described my backup approach and its advantages in the post linked below. This post describes using the method with the Desktop app, but it can be adapted for use with browser extensions or the CLI, as well.

grb - I really can’t thank you enough for your willingness to help a greenhorn newbie!! I wasn’t aware that .json was just another type of file extension (an extra benefit of your detailed explanation). I have to say that you guessed correctly that I am a “follow the steps 1 - 2 - 3 kind of person” and the way that you laid it out makes it super clear and easy to follow - including your recommendation for someone still learning the ropes (that’s me). So at this point I will continue in your suggested manner (password protected vault exports).

I do have one follow-up question. If, someday in the future when I feel more confident, I did want to create a backup that retained such things as password histories, etc., would using the unencrypted .json accomplish that? I understand that this is an unofficial approach and that there are significant security related factors that have to be addressed, so that is not something that I will be trying now. However, having all of this in one thread will make it easier to refer to when the time is right.

Once again, I sincerely appreciate the time that everyone took for their comments (RogerDodger and Gerardv514).

1 Like

If, by “unencrypted .json”, you are referring to the unencrypted vault export (saved in a JSON-formatted file), then no, this does not retain password histories. It does retain more information than the vault export that is saved in CSV format, however (for example, the CSV export does not include credit card or identity items, or metadata such as the type of a custom field). This is one reason why I recommended that you start by using the password-protected JSON export for your backups; the password-protected JSON export contains all the same data that the unencrypted JSON export does.

In contrast, the data.json backup method that I’ve been discussing above (described in detail here) — which is encrypted, I would like to stress once more — does retain password histories, modification dates, etc.

Pretty wild that you potentially lose much needed info through a json export. Seeing that a restore/import from the json backup file can include and does support such items during the import (password history, identity items, custom fields), why can’t BW incorporate these items to the existing json vault export?

Password history is not supported during import.

Identity items, custom fields, etc. are supported on import, but are also included on export in JSON format. The only export format that is significantly “lossy” is the CSV format, and I believe that format is intended mainly for purposes of importing into other apps. Even the CSV export does include custom fields, but they are all converted to “text” type (instead of maintaining distinctions between text, linked, hidden, and boolean types).

So you may have misunderstood what I wrote.

Ah ok so really the one thing we’d miss out on using the vault export vs copy of json file is password histories.

Thanks for your patience

That’s the main thing, but with the data.json method you also capture some additional metadata, like modification dates, or the names of attachments, etc.

So with names of attachments, on a restore you’ll just see what the attachment was called but no actual attachment, right?

You are right. The attachments are not stored in the vault itself, they are stored as encrypted blobs on the server, and are only downloaded to your device on demand. Thus, they are not preserved in backups of the data.json file.

You can find third-party tools, like Portwarden and Bitwarden-Attachment-Exporter that use CLI commands to back up attachment files. I have no personal experience with those tools and do not endorse them or vouch for them in any way (nor do I have any reason to believe that they wouldn’t work as advertised).

1 Like

Grb - Thank you for being so accommodating to a greenhorn such as myself!!
Gerardv514 - Your follow up questions helped a lot with my understanding.

Between the two of you, I feel like I can be somewhat prepared to restore a backup.

1 Like

For sure, I’m definitely walking away from this discussion with one of those “you learn something new every day” thoughts. Very helpful.

1 Like