Understanding Encrypted Export

I am trying to understand exporting encrypted JSON as a backup. My goal is to avoid gotchas like: I exported the backup only to discover that I cannot restore. I am going to explore different scenarios.

  1. I changed my master password and somehow messed up the password. Now I have no idea what the new password is. The instructions appear to delete your vault and then reimport the encrypted JSON. All you would need is the master password?

  2. Somehow your vault is corrupted. This appears to be the same as #1.

  3. You messed up an entry and want to know what it is, but only have an encrypted JSON. Can you import an existing export to another vault and then look it up?

  4. You rotated your encryption key. Can I still restore from encrypted JSON?

Hi @paulsiu - if you export from the Bitwarden app in encrypted format, it will use the symmetric key derived from your account and master password. Therefore, to decrypt it, your only choice is to import it back into your same account. So, your scenario #1 above means that you would be unable to open your exported vault if you had to create a new one. Same for scenario #3 - it won’t import into another account, unless you save the JSON file as UNencrypted.

In scenario #2, if your vault was corrupted but you still had access to it, you would be able to delete the contents of the vault and then import the encrypted file. That is probably one of the main use-cases for encrypted JSON exports.

Regarding scenario #4, I’m afraid I am not sure about that one, but my strong suspicion is that it will not work.

What I do is save both an encrypted copy to the cloud, and I also use an encrypted volume (synced to the cloud as well) to store the unencrypted exports so that the different scenarios you mention above are both covered.

One other good option is that you are able to use the Bitwarden CLI to save an encrypted version of your JSON export using a password of your choice that is NOT tied to a specific account. That should be the best of both worlds, and it might be something one could set up in a bash or Python script and schedule on a regular basis. Cheers!
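The scheduled CLI export described in the reply above, as an added example that is not part of this thread: a POSIX shell script that runs a password-protected `bw export` and sanity-checks the file before it is trusted as a backup. The `bw export` flags are the documented Bitwarden CLI ones; the `BW_EXPORT_PASSWORD` variable, the backup directory layout and the two-marker file check are assumptions made for this example.

```shell
#!/bin/sh
# Scheduled, password-protected vault export with a pre-restore sanity check.
# Assumes: `bw` is installed and logged in, and BW_SESSION holds an unlocked
# session (e.g. from `bw unlock --raw`). The export password is read from the
# BW_EXPORT_PASSWORD environment variable (assumed name), never typed on the
# command line of the scheduler.
set -eu

# Check that a file looks like a password-protected encrypted_json export
# before relying on it. Returns 0 when both markers are present, 1 otherwise.
# Assumption: the two JSON keys below are enough for a quick sanity check.
check_export_file() {
    f="$1"
    [ -s "$f" ] || return 1
    grep -q '"encrypted": *true' "$f" || return 1
    grep -q '"passwordProtected": *true' "$f" || return 1
    return 0
}

# Build the output file name: one file per day in the given directory.
export_path() {
    printf '%s/bitwarden-%s.json' "$1" "$(date +%Y-%m-%d)"
}

# Run the export as password-protected encrypted JSON, then sanity-check it.
export_vault() {
    dir="${1:-$HOME/bw-backups}"
    [ -n "${BW_SESSION:-}" ] || { echo "BW_SESSION not set; run: bw unlock --raw" >&2; return 1; }
    [ -n "${BW_EXPORT_PASSWORD:-}" ] || { echo "BW_EXPORT_PASSWORD not set" >&2; return 1; }
    mkdir -p "$dir"
    out="$(export_path "$dir")"
    # --password makes the file restorable into any account that knows this
    # password (import format "bitwardenpasswordprotected"), not only this one.
    bw export --format encrypted_json --password "$BW_EXPORT_PASSWORD" --output "$out"
    chmod 600 "$out"
    check_export_file "$out" || { echo "export at $out failed sanity check" >&2; return 1; }
    echo "backup written to $out"
}

# Only run the export when invoked as: sh backup.sh --run [directory]
if [ "${1:-}" = "--run" ]; then
    export_vault "${2:-}"
fi
```

Schedule it with cron or a systemd timer; the check fails fast if the export silently produced an account-bound or empty file.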

Thanks, with the CLI, does the issue with symmetric key apply and you can only import it into the same account?

I haven’t tried it myself to be certain, but my understanding is that you can import back to any account in the CLI as long as you provide the password when prompted:

Awesome. I will test this out.

Paul
