Bitwarden backups security concerns
Bitwarden backups
For me, the purpose of a password manager backup is to be able to restore my vault by myself at any given time.
Bitwarden allows you to export your Vault as an Encrypted export. However, this export is encrypted with your account encryption key. This can be useful in some cases, but for me it’s a red flag, as you are encrypting with an encryption key you do not hold. You can only restore this data if you restore it to your Bitwarden account AND your account encryption key has not changed. So if, for example, bitwarden.com is blocked or has an issue, you won’t be able to decrypt your backup.
You can also export your vault protected by a password, but I haven’t found any process to decrypt this file offline either (there may be one, but it doesn’t seem to be documented).
So the only way I see to really own your backup copy, meaning that you can actually read it without anybody’s help, is to export it unencrypted and then encrypt it yourself with a key you control. I use my GPG key:
# To encrypt
gpg --recipient my@email.com --encrypt bitwarden_export_20230907111009.json
# To decrypt
gpg bitwarden_export_20230907111009.json.gpg
Warning: Keep in mind that Vault exports do not include file attachments, items in the trash, password history, or Sends.
So in my case, I keep 3 backups of my account that protect me from different things:
- One encrypted with my account encryption key (which will work as long as bitwarden.com is working ok and there has been no change in my account encryption key).
- One backup encrypted with my gpg key (which will work as long as I have my gpg key).
- I have Emergency access enabled to a trusted contact, in case something happens to me or the two previous backups fail.
Backup your two-step login
If you protect your password manager (Bitwarden or other) with a two-step login (which you should) you run into another dilemma…
If you store your TOTP codes (the 6 digit code that changes every 30 seconds) in your password manager, where do you store the codes used to access your password manager in the first place?
For this I use two independent solutions:
- Store my Authenticator key somewhere safe
- Yubikey
Authenticator key
TOTPs are simply passwords that change every 30 seconds, derived from another secret, sometimes called the Authenticator key. So you can simply keep the Authenticator key of your password manager in a safe place (this includes paper in a safe box) or in an encrypted file somewhere, and then use oathtool.
For some time I used andOTP to store the TOTP of my password manager. It’s a nice Android app that can store your TOTPs and encrypt them using GPG. However, this project is no longer maintained.
A better alternative for me now has been oathtool, which can be easily installed on most Linux distros with:
sudo apt install oathtool
Then with one command you can generate the TOTP whenever you need it:
oathtool --base32 --totp GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ
831123
Warning: The following command will also work and output a number, but a different one! So make sure you add the --totp flag:
oathtool --base32 GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ
429123
Also note that running this command will enter the Authenticator key into your command history. This is not super critical, as there is no reference to what website or service this key belongs to, and not a worry if you are using a safe environment, but keep it in mind. If this bothers you, you can easily delete the command from your history by editing ~/.zsh_history (if you use zsh) or ~/.bash_history (if you use bash).
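To make the --totp warning concrete, here is an added example (not code from the post or from oathtool) that reimplements what oathtool does: HOTP (RFC 4226) is HMAC-SHA1 over a counter, and TOTP (RFC 6238) is the same computation with the counter taken from the current 30-second time window. Without --totp the counter is simply 0, which is why the two commands print different numbers. The key below is the constructed RFC test secret (the same base32 string used in the commands above), not a real account key.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed sample: base32 of the RFC 4226/6238 test secret "12345678901234567890".
# Not a real Authenticator key.
EXAMPLE_KEY_BASE32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(key_base32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over an 8-byte big-endian counter, then
    dynamic truncation. This is what `oathtool --base32 KEY` computes when
    --totp is omitted: the counter defaults to 0 and never changes."""
    key = base64.b32decode(key_base32.upper())
    msg = struct.pack(">Q", counter)
    digest = hmac.new(key, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                       # low nibble of last byte
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)  # keep leading zeros


def totp(key_base32: str, now: Optional[int] = None,
         step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time, so the
    code changes every `step` seconds. This is `oathtool --base32 --totp KEY`."""
    if now is None:
        now = int(time.time())
    return hotp(key_base32, now // step, digits)


if __name__ == "__main__":
    print("without --totp (HOTP, counter 0):", hotp(EXAMPLE_KEY_BASE32, 0))
    print("with --totp (TOTP, current window):", totp(EXAMPLE_KEY_BASE32))
```

Run it a minute apart and only the second line changes; the first is a fixed value for a given key, which is the mismatch the warning above describes.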
Yubikey
You can have more than one two-step login process enabled. So I also have a YubiKey enabled in my Bitwarden account. I don’t use this YubiKey daily, as I find it less convenient, but it is stored in a safe place as a backup.
YubiKeys are pieces of hardware and as such they can get corrupted or break without warning. So I would never trust them to hold my only access to any service, but I feel comfortable enough using one as a backup. Keep in mind that you can also link up to 5 YubiKeys to your Bitwarden account.