What is the difference between the output of these two methods of generating encrypted organization vault exports?

When using the Bitwarden web vault to create an encrypted export of an organization’s vault, slightly modifying the procedure to generate the export yields different results. What is the difference between the outputs?

Because the output is encrypted, and the salt is randomized for each export, the difference is not obvious. But the file size is significantly different depending on the export method used (and consistent within each method), meaning that there is likely a significant difference in the underlying data.

  1. From the web vault, one method to generate the organization’s encrypted vault export file is to login to the manager’s Bitwarden vault, and to select the option to perform an encrypted JSON export. At the top of the page, you then select the organization from the dropdown menu (instead of the manager’s main vault). This generates an export file named encrypted_export_[timestamp].json.

  2. From the web vault, the second method to generate the organization’s encrypted vault export file is to follow the same steps as above, but to select the organization’s vault as the primary vault before performing the export. The UI isn’t very clear about this, but the link is there if you look for it. (This is different from just looking at the organization’s vault as if it was sub-vault under the user’s vault, which is what happens when you click a similarly named link.) When you perform an export this way, Bitwarden generates an export file named encrypted_org_export_[timestamp].json. This export file is notably smaller than the file generated above, even though the data should be identical.

Questions:

  • Why is the 2nd file smaller?
  • What’s the difference between the 2 files?
  • Is there any difference in how these 2 export files function during an import?

@bit Well, that is not my field of expertise… But I think, the export of an organization vault would have to be done via the admin console (assuming you are the admin). See here: Export an organization vault | Bitwarden Help Center

I think here is an explanation, why there is an organization export also in the password manager section (in short: if you are not the admin): https://community.bitwarden.com/t/export-my-vault-json-file-empty-if-all-items-shared-to-organization/11446/13

Sorry for not answering your question - but this was the relating info I could provide…

Screenshots depicting your two methods would be helpful.

But as @Nail1684 alluded, you will only get a partial org vault export unless you export from within the Admin Console.

I agree that screenshots will be most helpful. I wanted to post some, but I realized I would have to redact most areas of the screenshots, so I was hoping I could convey this with just words. But I really think screenshots will help. Let me see what I can do to get some, and I’ll write back.

Thanks. I appreciate it. What you wrote is completely correct, but alas, doesn’t explain this particular issue. I’ll post more details with screenshots (hopefully) soon.

@grb @Nail1684

I think we may also need someone from Bitwarden to chime in, if they can offer assistance.

Here are screenshots to illustrate the 2 methods of which I wrote in my original post.

  1. The 1st method generates the encrypted_export_[timestamp].json file, which is always larger than the encrypted_org_export_[timestamp].json file generated by the second method. Here is a screenshot for the 1st method:


This 1st method requires first defining the current account as the organization’s owner. See this screenshot for how that looks:

  1. The 2nd method involves the Admin Console. It actually generates a smaller file than Method 1, even though it should contain the same data. The export file is named encrypted_org_export_[timestamp].json:

Hopefully someone can explain why these 2 export files ( encrypted_export_[timestamp].json and encrypted_org_export_[timestamp].json), which should contain the same data, are significantly different in size, what those differences entail, and how future imports may be affected.

As an addendum, there is something else I cannot explain. As you can see, I can be meticulous regarding details and precision (when it is helpful!). When I ran these tests a day ago, everything was exactly as presented above. But when I run the same tests now, everything is the same except now the export files are named encrypted_org_export_[timestamp].json for both methods. The core issue, however, remains unchanged: the encrypted JSON export file for the organization generated by Method 1 is always significantly larger than the encrypted JSON export file generated by Method 2.

Interesting. I would expect the opposite. The first method should only export collections for which you have “Can Manage” access, and the second method should export all collections.

Do you have any items in an “unassigned” collection? Perhaps the two methods treat such items differently.