Where do you back up Bitwarden to?

I feel like putting it on physical media is too insecure and too unreliable. It might get lost, break, or get stolen. Putting it on a cloud backup solution seems not private, and could get stolen eventually and then used.

What’s the best practice for this?

1 Like
3 Likes

I store only two copies.

One unencrypted *.json on a USB hardware-encrypted drive, DataShur Pro 2 (datAshur PRO2 - iStorage (UK), 4 GB), where I also store my 2FA recovery codes and other important files.

One encrypted *.json in Proton Drive.

1 Like

Why an encrypted json when Proton Drive already is e2e?

If their Proton account is compromised and the attacker gains access to their drive, they would still not be able to get into the vault.

1 Like

Encrypted .json in Proton Drive, like parish.

Since I use Proton Unlimited there’s also the Proton Sentinel Program protection for my accounts.

Correct, Proton is E2EE,
but as a security practice I don’t want to store my passwords in plain text in the cloud.
For this reason that backup is encrypted with my BW master password using the "Export Encrypted .json file" option. I use this backup in case I want to restore my vault, and the other, unencrypted backup I use if I want to view passwords without BW in case I’m locked out or move to another password manager in the future.

Here are some thoughts:

  1. Your BW cloud vault can be considered as one copy of your vault. It’s secured on your end by your randomly-generated complex password and phishing-resistant 2FA. You want to make sure that it’s accessible by writing down the password and the 2FA recovery code.
  2. You want to store the BW .json export offline, encrypted. The password is most secure if kept completely offline. For convenience in making backups, keep the password in the BW vault too. If you are using the BW encryption, using the non-account-specific option is better, and you’ll need to find another tool to decrypt it without BW. Otherwise, you can export the plaintext .json file and encrypt it however you like.
  3. Store your encrypted offline backups in at least 2 devices. If you want to store another copy in the cloud too, then you will need to write the password/2FA credential (like recovery code) of the cloud account down as well.

Keepass will import Bitwarden .json file directly. If you figure out how to use a script to export the Bitwarden .json and import into an empty (or emptied) Keepass vault, you’ll have both the encryption and a readily-accessible backup covered.
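Point 2 above hinges on knowing which kind of export you actually have before you copy it anywhere: a plaintext .json, an account-restricted encrypted export (only your own BW account can decrypt it), or a password-protected one (portable, decryptable with the export password). Here is a small checker, added as an example and not code from this thread or from Bitwarden, that classifies an export and scans it for secret fields left in the clear. The top-level field names (`encrypted`, `passwordProtected`, `data`, `encKey`) follow Bitwarden's documented export format as I understand it; the sample exports are constructed.

```python
import json

# Classify a Bitwarden JSON export before backing it up, so that a plaintext
# or account-restricted file is never mistaken for a portable encrypted one.
# Field names follow Bitwarden's documented export format as I understand it
# (assumption, not taken from the thread). Sample documents are constructed.

PLAINTEXT = "plaintext"
ACCOUNT_RESTRICTED = "account-restricted"
PASSWORD_PROTECTED = "password-protected"

# Keys whose string values are secrets if they appear unencrypted anywhere in the file.
SECRET_KEYS = {"password", "totp"}


def classify_export(doc: dict) -> str:
    """Return which of the three export types this parsed JSON document is."""
    if doc.get("encrypted") is True:
        if doc.get("passwordProtected") is True:
            return PASSWORD_PROTECTED
        return ACCOUNT_RESTRICTED
    return PLAINTEXT


def find_plaintext_secrets(obj, path="$"):
    """Walk the document and return JSON paths of secret-looking fields in the clear."""
    hits = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            child = f"{path}.{key}"
            if key in SECRET_KEYS and isinstance(value, str) and value:
                hits.append(child)
            hits.extend(find_plaintext_secrets(value, child))
    elif isinstance(obj, list):
        for index, value in enumerate(obj):
            hits.extend(find_plaintext_secrets(value, f"{path}[{index}]"))
    return hits


def check_backup_file(text: str, require_portable: bool = True) -> dict:
    """Parse an export and report whether it is fit to leave your own machine.

    require_portable=True insists on the password-protected export, which is
    the non-account-specific option mentioned above and the one you can still
    open if the BW account itself is gone.
    """
    doc = json.loads(text)
    kind = classify_export(doc)
    leaks = find_plaintext_secrets(doc)
    if require_portable:
        encrypted_ok = kind == PASSWORD_PROTECTED
    else:
        encrypted_ok = kind != PLAINTEXT
    return {
        "kind": kind,
        "plaintext_secrets": leaks,
        "safe_for_cloud": encrypted_ok and not leaks,
    }


# Constructed samples shaped like the three export types (not real vault data).
SAMPLE_PLAINTEXT = json.dumps({
    "encrypted": False,
    "folders": [],
    "items": [{"type": 1, "name": "Example site",
               "login": {"username": "me", "password": "hunter2", "totp": None}}],
})
SAMPLE_ACCOUNT_RESTRICTED = json.dumps({
    "encrypted": True, "passwordProtected": False,
    "data": "2.CONSTRUCTED_IV|CONSTRUCTED_CT|CONSTRUCTED_MAC",
})
SAMPLE_PASSWORD_PROTECTED = json.dumps({
    "encrypted": True, "passwordProtected": True,
    "salt": "CONSTRUCTED_SALT", "kdfType": 0, "kdfIterations": 600000,
    "encKey": "2.CONSTRUCTED_IV|CONSTRUCTED_CT|CONSTRUCTED_MAC",
    "data": "2.CONSTRUCTED_IV|CONSTRUCTED_CT|CONSTRUCTED_MAC",
})


if __name__ == "__main__":
    for label, sample in [("plaintext", SAMPLE_PLAINTEXT),
                          ("account-restricted", SAMPLE_ACCOUNT_RESTRICTED),
                          ("password-protected", SAMPLE_PASSWORD_PROTECTED)]:
        print(label, check_backup_file(sample))
```

Run it against a real export with `check_backup_file(open("export.json").read())` before the file goes to a USB stick or a cloud drive; anything other than `safe_for_cloud: True` means the file should stay local until it is re-exported with the encrypted option or wrapped in your own encryption.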

I keep KeepassDX installed as a backup password manager.
The Keepass database is encrypted and stored in many places.

1 Like

I am doing exactly the same thing, although I keep multiple of these encrypted drives in different places. This is the right way to do it imo.

1 Like