Backup Bitwarden using it's CLI

Bitwarden is a Free*, open-source, independently audited, state-of-the art password manager. It offers a lot of the functionality of paid password managers like Lastpass, 1Password, etc. for free to its users. As a bonus you can even self-host your own instance of bitwarden on your server.

*= basic features are free. Premium and family/team subscriptions are available.

You need Backup!

It is important for you, the user, to keep a secured copy of your passwords offline in the event the server is unavailable, or you’re experiencing connectivity issues, etc. Here I show you how to export your bitwarden vault (this method backs up everything except file attachments & items in trash) using the bitwarden app, and the official bitwarden command-line-client. Also I show you one of many ways to encrypt your backup (locally on your device).

Method A: Via Bitwarden App(s)

Bitwarden now provides the user an option to backup straight from their apps (desktop and mobile). Head to FileExport vault.

You can export your bitwarden vault straight from the app.
You can choose the backup file format, .json or .csv.

Remember: Select the .json format to ensure that your exported backup contains cards, notes, identities, etc. The .csv format of the backup doesn’t support them.

The above method should work with all versions of the Desktop apps and also in mobile apps.

Method B: Manually using the command line

One of my favorite features with Bitwarden has been their well-documented command line client. It really was a big motivator for me to switch from Keepass when bitwarden was new and gaining traction!

Install Bitwarden-CLI, if not installed already, from homebrew

  • There are several methods at your disposal.
  • My favorite: Using homebrew and get it by running brew install bitwarden-cli

Once you install it, here’s a quick guide on how to use it:

  1. Login to your BW-vault

    bw login
    # type in your credentials

    Here you might be prompted for 2FA (if you have set it up). If you haven’t yet, you really should! Here’s how.

    After successfully authentication a session key is returned from the server. This key key is necessary to use the subsequent commands (and any command for that matter, which requires your vault to be unlocked.)

  2. Pass the session key to your CLI commands

    export BW_SESSION="###UniqueSessionKEY###"
  3. Export backup

    # Current method
    bw export --output ~/Desktop/bw.export.json --format json
    # on older versions you could run:
    bw list items > ~/Desktop/bw.json
  4. Lock vault and logout

    bw lock && bw logout

Encrypting your backup

You should always archive and encrypt the database. Reason for doing so, you might ask.

Why archive? - If you only have one copy that you over write, data corruption

Why encrypt? - I’m sure you know this if you’ve read this article so far, but one word, Privacy! Longer version, Your passwords are Your private property, you need to keep them locked up.

There are hundereds of ways of achieving this; I am showing one of many ways using Keka to archive it as a .7z.

Create an encrypted archive of your exported vault.