How to back up and encrypt your Bitwarden vault from the command line
As of the October 2022 release, the option for exporting encrypted backups of a Bitwarden vault protected by a password of your choice is available in the web vault. Learn more about this feature in this blog article.
As long as there's a law by the name of "Murphy," you can rest assured that unwanted things might happen. Your internet connection will go down, software will crash, batteries will die, software won't compile, and password manager vaults can (out of nowhere) become unreadable. No matter how much we want to think it is, technology is not perfect.
But if things go wrong with your password manager, without the right plans in place, you could wind up with a big problem on your hands (as in not being able to retrieve your passwords).
What do you do?
One thing you should regularly do is back up your vault. With a working backup, you can import it back into Bitwarden and be functioning again in minutes (or seconds).
But how do you do that? Well, if you're using the GUI, it's as easy as opening Bitwarden, clicking File > Export Vault, and walking through the simple prompts.
If you want to do this from the command line, it's not nearly as easy. By crafting a handy bash script, however, you can greatly simplify the process.
Let’s walk through how it's done.
The only thing you'll need to make this work is a running instance of Bitwarden and the Bitwarden CLI tool. I'll be demonstrating on the Linux operating system (Pop!_OS to be exact), so if you're using either macOS or Windows, you'll need to adjust this to meet the needs of your OS.
I'm going to show you how to set this up so it's an interactive command as well as one you can set up to run automatically. The only caveat to running it automatically is that you cannot have two-factor authentication enabled (because getting that to automatically work in a script would be a challenge). So, if you use two-factor authentication (which you should), you'll have to use the interactive script.
NOTE: These scripts are optimized for Linux and macOS. Windows-optimized scripts are planned for the future.
Create the new script with the command:
nano bw_backup.sh
In that script, paste the following:
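#!/usr/bin/env bash
export LC_CTYPE=C
export LC_ALL=C
# Prompt for the credentials (-r keeps backslashes literal, -s hides the password)
read -r -p "Bitwarden account email: " BW_ACCOUNT
read -r -s -p "Master Password (hidden): " BW_PASS
echo
# Export the password so bw and openssl read it from the environment, not from the command line
export BW_PASS
EXPORT_OUTPUT_BASE="bw_export_"
TIMESTAMP=$(date "+%Y%m%d%H%M%S")
ENC_OUTPUT_FILE="$EXPORT_OUTPUT_BASE$TIMESTAMP.enc"
# Log in and keep the session key; stop here if the login failed
BW_SESSION=$(bw login "$BW_ACCOUNT" --passwordenv BW_PASS --raw) || exit 1
export BW_SESSION
# Export the vault as JSON and encrypt it with AES-256-CBC (key derived with PBKDF2)
bw export --raw --session "$BW_SESSION" --format json | openssl enc -aes-256-cbc -pbkdf2 -iter 600000 -pass env:BW_PASS -out "$ENC_OUTPUT_FILE"
# Log out and clear the secrets from the environment
bw logout > /dev/null
unset BW_SESSION
unset BW_PASS
unset BW_ACCOUNT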
Save and close the file.
Give the file execution permissions with the command:
chmod u+x bw_backup.sh
You can then run the script with the command:
./bw_backup.sh
You'll be asked for the email address associated with your Bitwarden Vault, followed by the master password. If you have two-factor authentication enabled, you'll then be asked for the 6-digit passcode. Upon successful authentication, you'll find a new file, named something like bw_export_20220822140328.enc.
That file is also encrypted. Before you can actually use it, you must decrypt it with a command like this:
openssl enc -aes-256-cbc -pbkdf2 -iter 600000 -d -in bw_export_20220822140328.enc -out bw_export.json
You should then have a JSON file you can import back into Bitwarden, should the need arise.
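A check worth running before relying on a backup, as an added example that is not part of the original article: it encrypts with the same openssl parameters, then confirms the file decrypts with a valid padding check and starts like a JSON export, so a wrong passphrase or an empty export from a failed login is caught. The function names, the BACKUP_PASS variable and the sample data are assumptions, and the passphrase is handed to openssl through the environment (-pass env:) instead of -k.

```bash
#!/usr/bin/env bash
# Added example, not from the original article. The function names,
# BACKUP_PASS and the sample JSON are assumptions made for this sketch.

# Encrypt stdin to file $1 with the article's openssl parameters. The
# passphrase is read from the BACKUP_PASS environment variable, not argv.
encrypt_export() {
    ( umask 077   # create the backup readable by its owner only
      openssl enc -aes-256-cbc -pbkdf2 -iter 600000 \
          -pass env:BACKUP_PASS -out "$1" )
}

# Decrypt file $1 to stdout; extra arguments (e.g. -nopad) go to openssl.
decrypt_export() {
    _in=$1; shift
    openssl enc -d -aes-256-cbc -pbkdf2 -iter 600000 \
        -pass env:BACKUP_PASS -in "$_in" "$@" 2>/dev/null
}

# Succeed only if $1 passes openssl's padding check and starts with "{".
# A wrong passphrase or an empty export (failed login) is rejected.
verify_export() {
    _plain=$(decrypt_export "$1") || return 1
    case $_plain in
        "{"*) return 0 ;;
        *)    return 1 ;;
    esac
}

# Number of plaintext bytes recovered from $1 (extra openssl args allowed).
plain_size() { decrypt_export "$@" | wc -c | tr -d ' '; }

# Demo on constructed data: one good export and one empty export.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
export BACKUP_PASS='constructed-demo-passphrase'
SAMPLE='{"encrypted":false,"items":[]}'   # 30 bytes, constructed
printf '%s' "$SAMPLE" | encrypt_export "$demo_dir/good.enc"
printf ''             | encrypt_export "$demo_dir/empty.enc"

verify_export "$demo_dir/good.enc"  && echo "good.enc: verified"
verify_export "$demo_dir/empty.enc" || echo "empty.enc: rejected"
# -nopad leaves the two padding bytes in the output: 32 bytes instead of 30.
echo "plaintext bytes:             $(plain_size "$demo_dir/good.enc")"
echo "plaintext bytes with -nopad: $(plain_size "$demo_dir/good.enc" -nopad)"
```

Running a check like this right after the export, and deleting the file when it fails, keeps an empty or unreadable backup from being mistaken for a good one.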
Say you don't have two-factor authentication set up for your Bitwarden account (again… you should) and you want to automate this. For that, the script will need to be slightly altered to look like this:
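#!/usr/bin/env bash
export LC_CTYPE=C
export LC_ALL=C
# Write the backup next to this script, even when cron starts it from another directory
cd "$(dirname "$0")" || exit 1
# Credentials are stored in this file; single quotes keep special characters literal
export BW_ACCOUNT='EMAIL'
export BW_PASS='PASSWORD'
# Log in and keep the session key; stop here if the login failed
BW_SESSION=$(bw login "$BW_ACCOUNT" --passwordenv BW_PASS --raw) || exit 1
export BW_SESSION
EXPORT_OUTPUT_BASE="bw_export_"
TIMESTAMP=$(date "+%Y%m%d%H%M%S")
ENC_OUTPUT_FILE="$EXPORT_OUTPUT_BASE$TIMESTAMP.enc"
# Export the vault as JSON and encrypt it; openssl reads the password from the environment
bw --raw --session "$BW_SESSION" export --format json | openssl enc -aes-256-cbc -pbkdf2 -iter 600000 -pass env:BW_PASS -out "$ENC_OUTPUT_FILE"
bw logout > /dev/null
unset BW_SESSION
unset BW_PASS
unset BW_ACCOUNT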
Where EMAIL is the email address associated with your Bitwarden vault and PASSWORD is your master password.
Save and close the file.
Give the file executable permission with the command:
chmod u+x bw_backup.sh
The script is run the same way as the interactive command, only you won't be prompted for input. One thing to keep in mind is that you're saving your Bitwarden credentials in that file, so make sure you save the file in a hidden directory (one that starts with a period) or another out-of-the-way location. A hidden directory only keeps the file out of casual view, so also set its permissions so that no other user on the system can read it. Again, I don't recommend this method, but in certain instances, it might be the best option.
Now, we'll automate this with the help of cron. Create a cron job with the command:
crontab -e
To run this script every night at midnight, that entry would look something like this:
0 0 * * * /path/to/bw_backup.sh
Save and close the crontab editor and your job is ready. The backup should run every night at midnight and save the backup file in the same location housing the backup script.
And there you have it, a handy method of backing up and encrypting your Bitwarden vault from the command line.
If you aren't familiar with using a command line, but still want to create an encrypted backup of your Bitwarden vault, check out this handy guide that shows you step-by-step how to create an encrypted export of your Bitwarden data — from the web vault.
Jack Wallen is an award-winning author and avid supporter of open source technologies. He has covered open source, Linux, security, and more for publications including TechRepublic, CNET, ZDNet, The New Stack, Tech Target and many others since the 1990s in addition to writing over 50 novels.