What is the difference between the output of these two methods of generating encrypted organization vault exports?

When using the Bitwarden web vault to create an encrypted export of an organization’s vault, slightly modifying the procedure to generate the export yields different results. What is the difference between the outputs?

Because the output is encrypted, and the salt is randomized for each export, the difference is not obvious. But the file size is significantly different depending on the export method used (and consistent within each method), meaning that there is likely a significant difference in the underlying data.

  1. From the web vault, one method to generate the organization’s encrypted vault export file is to log in to the manager’s Bitwarden vault, and to select the option to perform an encrypted JSON export. At the top of the page, you then select the organization from the dropdown menu (instead of the manager’s main vault). This generates an export file named encrypted_export_[timestamp].json.

  2. From the web vault, the second method to generate the organization’s encrypted vault export file is to follow the same steps as above, but to select the organization’s vault as the primary vault before performing the export. The UI isn’t very clear about this, but the link is there if you look for it. (This is different from just looking at the organization’s vault as if it were a sub-vault under the user’s vault, which is what happens when you click a similarly named link.) When you perform an export this way, Bitwarden generates an export file named encrypted_org_export_[timestamp].json. This export file is notably smaller than the file generated above, even though the data should be identical.

Questions:

  • Why is the 2nd file smaller?
  • What’s the difference between the 2 files?
  • Is there any difference in how these 2 export files function during an import?

@bit Well, that is not my field of expertise… But I think the export of an organization vault would have to be done via the admin console (assuming you are the admin). See here: Export an organization vault | Bitwarden Help Center

I think here is an explanation of why there is an organization export also in the password manager section (in short: if you are not the admin): https://community.bitwarden.com/t/export-my-vault-json-file-empty-if-all-items-shared-to-organization/11446/13

Sorry for not answering your question - but this was the related info I could provide…

Screenshots depicting your two methods would be helpful.

But as @Nail1684 alluded, you will only get a partial org vault export unless you export from within the Admin Console.

I agree that screenshots will be most helpful. I wanted to post some, but I realized I would have to redact most areas of the screenshots, so I was hoping I could convey this with just words. But I really think screenshots will help. Let me see what I can do to get some, and I’ll write back.

Thanks. I appreciate it. What you wrote is completely correct, but alas, doesn’t explain this particular issue. I’ll post more details with screenshots (hopefully) soon.

@grb @Nail1684

I think we may also need someone from Bitwarden to chime in, if they can offer assistance.

Here are screenshots to illustrate the 2 methods of which I wrote in my original post.

  1. The 1st method generates the encrypted_export_[timestamp].json file, which is always larger than the encrypted_org_export_[timestamp].json file generated by the second method. Here is a screenshot for the 1st method:

This 1st method requires first defining the current account as the organization’s owner. See this screenshot for how that looks:

  2. The 2nd method involves the Admin Console. It actually generates a smaller file than Method 1, even though it should contain the same data. The export file is named encrypted_org_export_[timestamp].json:

Hopefully someone can explain why these 2 export files ( encrypted_export_[timestamp].json and encrypted_org_export_[timestamp].json), which should contain the same data, are significantly different in size, what those differences entail, and how future imports may be affected.

As an addendum, there is something else I cannot explain. As you can see, I can be meticulous regarding details and precision (when it is helpful!). When I ran these tests a day ago, everything was exactly as presented above. But when I run the same tests now, everything is the same except now the export files are named encrypted_org_export_[timestamp].json for both methods. The core issue, however, remains unchanged: the encrypted JSON export file for the organization generated by Method 1 is always significantly larger than the encrypted JSON export file generated by Method 2.

Interesting. I would expect the opposite. The first method should only export collections for which you have “Can Manage” access, and the second method should export all collections.

Do you have any items in an “unassigned” collection? Perhaps the two methods treat such items differently.

I’m sorry that my response to your question was delayed for so long.

To finally answer it, no items are in an “unassigned” collection.


One of us :wink: would have to do some testing to verify, but my best guess at this point is that the structure of the encrypted .JSON files might be different for the two export methods (even if they contain the same data). I know there’s been changes in this area, and if I recall correctly, the encrypted exports sometimes produce one big encrypted blob. In the past, I believe that all exports contained a plaintext JSON structure, in which individual field values were encrypted. Perhaps Bitwarden now uses both formats, and the two export methods you’ve been using result in either one format or the other.

Yes, that sounds like a possibility. Perhaps someone at Bitwarden will be willing to investigate the issue?

Are you sure that in both cases, your encrypted export had the same “Export Type” (i.e., either both Account-Restricted, or both Password-Protected)?

I compared the JSON structures for an organization vault export done either from the Web Vault Password Manager or from the Admin Console, and they were basically identical. However, the structure of a Password-Protected JSON is very different from the structure of an Account-Restricted encrypted JSON.

I noticed this some time ago. The password-protected JSON is now a JSON file with the whole vault in a single blob object.

I tried a quick search to see since which version exactly this changed, but I couldn’t find it.

I’m also curious to know why this was changed…

It is more secure, as it hides metadata about the number of vault items, folders and collections, the vault items types, creation/modification timestamps, status of “favorite” and “master password reprompt” settings, etc.
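As an added illustration, not part of any reply in this thread, the following Python script inspects a constructed sample of each of the two layouts discussed above (a plaintext JSON skeleton whose individual values are ciphertexts, versus a single encrypted blob) and reports what can be read from the file without any key. The field names in the two samples are my assumption about Bitwarden’s export format and every ciphertext is a dummy; the script only depends on Bitwarden’s ciphertext string shape ("<type>.<iv>|<ct>|<mac>"). It shows two things: why the per-field layout leaks the metadata listed in the previous reply, and one reason a per-field export of the same data tends to be larger than a blob export (every encrypted value carries its own IV and MAC, while the blob carries one pair).

```python
import json
import re
from collections import Counter

# Bitwarden ciphertext strings look like "<type>.<iv_b64>|<ct_b64>|<mac_b64>"
# (type 2 = AES-256-CBC + HMAC-SHA256). Each one carries its own IV and MAC.
ENC_STRING = re.compile(r"^\d+\.[^|\s]+\|[^|\s]+(\|[^|\s]+)?$")

# Constructed sample of the older per-field layout: the JSON skeleton is in
# the clear and only individual values are ciphertexts. Ciphertexts are dummies.
PER_FIELD_EXPORT = json.dumps({
    "encrypted": True,
    "folders": [{"id": "f1", "name": "2.AAAA|BBBB|CCCC"}],
    "items": [
        {"id": "i1", "type": 1, "favorite": True, "reprompt": 0,
         "name": "2.DDDD|EEEE|FFFF",
         "login": {"username": "2.GGGG|HHHH|IIII", "password": "2.JJJJ|KKKK|LLLL"}},
        {"id": "i2", "type": 2, "favorite": False, "reprompt": 1,
         "name": "2.MMMM|NNNN|OOOO", "notes": "2.PPPP|QQQQ|RRRR"},
        {"id": "i3", "type": 1, "favorite": False, "reprompt": 0,
         "name": "2.SSSS|TTTT|UUUU", "login": {"username": "2.VVVV|WWWW|XXXX"}},
    ],
})

# Constructed sample of the single-blob layout: KDF parameters, a salt and a
# key-validation string are in the clear; the whole vault is one ciphertext.
# Field names are an assumption about Bitwarden's format; values are dummies.
BLOB_EXPORT = json.dumps({
    "encrypted": True,
    "passwordProtected": True,
    "salt": "c29tZXNhbHQ=",
    "kdfType": 0,
    "kdfIterations": 600000,
    "encKeyValidation_DO_NOT_EDIT": "2.YYYY|ZZZZ|0000",
    "data": "2.1111|2222|3333",
})


def classify(export_text):
    """Tell the two encrypted layouts apart from their plaintext skeleton."""
    doc = json.loads(export_text)
    if not doc.get("encrypted"):
        return "plaintext"
    if isinstance(doc.get("data"), str) and ENC_STRING.match(doc["data"]):
        return "blob"
    if isinstance(doc.get("items"), list):
        return "per-field"
    return "unknown"


def count_enc_strings(node):
    """Count ciphertext strings anywhere in a parsed export. Each one adds its
    own IV and MAC, which is the per-field layout's size overhead."""
    if isinstance(node, str):
        return 1 if ENC_STRING.match(node) else 0
    if isinstance(node, dict):
        return sum(count_enc_strings(v) for v in node.values())
    if isinstance(node, list):
        return sum(count_enc_strings(v) for v in node)
    return 0


def leaked_metadata(export_text):
    """What someone holding the file, but no key, can read off it."""
    doc = json.loads(export_text)
    layout = classify(export_text)
    summary = {"layout": layout, "ciphertexts": count_enc_strings(doc),
               "item_count": None, "folder_count": None,
               "type_histogram": {}, "favorites": None, "reprompt": None}
    if layout != "per-field":
        return summary  # blob layout: nothing about the vault contents is visible
    items = doc.get("items", [])
    summary.update({
        "item_count": len(items),
        "folder_count": len(doc.get("folders", [])),
        "type_histogram": dict(Counter(i.get("type") for i in items)),
        "favorites": sum(1 for i in items if i.get("favorite")),
        "reprompt": sum(1 for i in items if i.get("reprompt")),
    })
    return summary


if __name__ == "__main__":
    for label, text in (("per-field", PER_FIELD_EXPORT), ("blob", BLOB_EXPORT)):
        print(label, json.dumps(leaked_metadata(text)))
```

Run against the two constructed samples, the per-field layout gives away three items, one folder, the item-type histogram, the favorite and reprompt flags, and eight separate ciphertexts; the blob layout gives away only that there are two ciphertexts (the key-validation string and the vault itself).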

Yeah, I know. But what I don’t see is why they are encrypting this way only the password-protected exports and not the account-restricted ones or even the data.json files from the different clients.

My guess is that the account-restricted format is basically deprecated, so they are not going to update it to use the new “blob” format.

What do you mean by this? I just checked a password-protected JSON from the browser extension, and it does use the new blob format.


I meant the data.json of the Bitwarden CLI or the desktop client, for example.

If you are logged in (locked or not) on the desktop client and go to the client’s data directory, there you will find this data.json file I’m talking about. It contains the encrypted vault.

I see. Perhaps this will be changed in the future, or perhaps there are performance-based reasons for keeping the structure of the local data.json cache as is.


Are you sure that in both cases, your encrypted export had the same “Export Type” (i.e., either both Account-Restricted, or both Password-Protected)?

The answer is that if I did things correctly, “yes”, but I’m willing to double-check my work.

It’s been a while since I’ve looked at this. Please remind me, is that option only available via the web interface and not via the extension?

The Admin Console is definitely not available via the browser extension. The Password-Protected export option became available in browser extensions starting with version 2024.6.0.
