LastPass Enterprise Migration Guide
Secure migration of your organization with Bitwarden is straightforward and secure. Follow the steps in this guide to migrate data and users from LastPass:
If you need assistance during your migration, our Customer Success team is here to help!
This document describes the best practices for migrating data securely from Lastpass to a Bitwarden Teams or Enterprise organization, building an infrastructure for security based on simple and scalable methods.
Password management is crucial for organizational security and operational efficiency. Providing insight into the best methods to perform migration and configuration is intended to minimize the trial-and-error approach that is often needed when exchanging enterprise tools.
Steps in this document are listed in the recommended order for ease-of-use and smooth onboarding for users
LastPass data may be exported from the web-based vault or from a LastPass browser extension. We recommend doing your export from the LastPass web vault and ensuring the file is saved as a
.csv. Check out this article for step-by-step instructions.
Note that gathering a full export of your data across your LastPass organization may require assigning all shared folders to a single user and exporting as that user, or performing multiple exports (i.e. one for each segment of shared folders).
Any export created in LastPass will contain data from both your personal vault and any shared folders that the exporting user was assigned to. Remove any personal vault data before importing data into your Bitwarden organization.
Bitwarden currently limits the length of most item fields to 1,000 characters and Secure Notes to 10,000 characters. Items that exceed those limits should be saved as separate files (text, key, pem, ssh, etc.) and added as attachments to an item.
Bitwarden organizations relate users and vault items together for secure sharing of logins, notes, cards, and identities.
It's important that you create your organization first and import data to it directly, rather than importing the data to an individual account and then moving items to the organization secondarily.
Create your organization. Start by creating your organization. To learn how, check out this article.
To self-host Bitwarden, create an organization on the Bitwarden cloud, generate a license key, and use the key to unlock organizations on your server.
Onboard administrative users. With your organization created, further setup procedures can be made easier by onboarding some administrative users. It's important that you do not begin end-user onboarding at this point, as there are a few steps left to prepare your organization. Learn how to invite admins here.
Configure identity services. Enterprise organizations support logging in with single sign-on (SSO) using either SAML 2.0 or OpenID Connect (OIDC). To configure SSO, open the organization's Settings → Single Sign-On screen, accessible by organization owners and admins.
Enable enterprise policies. Enterprise policies enable organizations to implement rules for users, for example requiring use of two-step login. It is highly recommended that you configure policies before onboarding users.
To import data to your organization:
Open your organization and navigate to the Settings tab.
Select Import data from the Settings menu:
From the file format dropdown, select LastPass (csv).
Select the Choose File button and add the file to import.
Import to Bitwarden can't check whether items in the file to import are duplicative of items in your vault. This means that importing multiple files will create duplicative vault items if an item is already in the vault and in the file to import.
Select the Import Data button to complete your import.
Currently, file attachments are not included in Bitwarden import operations and will need to be uploaded to your vault manually. For more information, see File Attachments.
You should also recommend to employees that they export their individually-owned data from your existing password manager and prepare it for import into Bitwarden. Learn more here.
Bitwarden supports manual onboarding via the web vault and automated onboarding through SCIM integrations or syncing from your existing directory service:
To ensure the security of your organization, Bitwarden applies a 3-step process for onboarding a new member, invite → accept → confirm. Learn how to invite new users here.
Automated user onboarding is available through SCIM integrations with Azure AD, Okta, OneLogin, and JumpCloud, or using Directory Connector, a standalone application available in a desktop app and CLI tool that will synchronize users and groups from your existing directory service.
Whichever you use, users are automatically invited to join the organization and can be confirmed manually or automatically using the Bitwarden CLI tool.
Share vault items with your end-users by configuring access through collections, groups, and group-level or user-level permissions:
Bitwarden empowers organizations to share sensitive data easily, securely, and in a scalable manner. This is accomplished by segmenting shared secrets, items, logins, etc. into collections.
Collections can organization secure items in many ways, including by business function, group assignment, application access levels, or even security protocols. Collections function like shared folders, allowing for consistent access control and sharing amongst groups of users.
Shared folders from LastPass can be imported as collections into Bitwarden by using the organization import template found here and placing the name of the shared folder in the
Collections can be shared with both groups and individual users. Limiting the number of individual users that can access a collection will make management more efficient for admins. Learn more here.
Using groups for sharing is the most effective way to provide credential and secret access. Groups, like users, can be synced to your organization using SCIM or Directory Connector.
Permissions for Bitwarden collections can be assigned on the group or user-level. This means that each group or user can be configured with different permissions for the same collection. Collection permissions options include options:
Can view, except passwords
Can edit, except passwords
Grant access to all current and future collections
Learn more about permissions here. Bitwarden uses a union of permissions to determine final access permissions for a user and a collection. For example:
User A is part of the Tier 1 Support group, which has access to the Support collection, with can view permission.
User A is also a member of the Support Management group, which has access to the Support collection, with can edit access.
In this scenario, User A will be able to edit to the Collection.
The Bitwarden Customer Success team is available 24/7 with priority support for your organizations. If you need assistance or have questions, please do not hesitate to contact us.