I feel like putting it on physical media is too insecure and too unreliable. It might get lost, break, or get stolen. Putting it on a cloud backup solution seems not private, and could get stolen eventually and then used.
One unencrypted *.json in usb hw encrypted driver DataShur Pro 2 datAshur PRO2 - iStorage (UK) 4gb where I store also my 2FA recovery codes and other important files .
Correct Proton is E2EE ,
But for security practice I don’t want to store my passwords in plain text in the cloud .
For this that backup is encrypted by my master password for BW using the option export Encrypted .json file . Is use this backup in case want to restore my vault and the other unencrypted backup I use if I want to view passwords w/o BW in case I’m locked out or move to other Password Manager in future.
Your BW cloud vault can be considered as one copy of your vault. It’s secured on your end by your randomly-generated complex password and phishing-resistant 2FA. You want to make sure that it’s accessible by writing down the password and the 2FA recovery code.
You want to store the BW .json export offline, encrypted. The password is most secure if kept completely offline. For convenience in making backups, keep the password in the BW vault too. If you are using the BW encryption, using the non-account-specific option is better, and you’ll need to find another tool to decrypt it without BW. Otherwise, you can export the plaintext .json file and encrypt it however you like.
Store your encrypted offline backups in at least 2 devices. If you want to store another copy in the cloud too, then you will need to write the password/2FA credential (like recovery code) of the cloud account down as well.
Keepass will import Bitwarden .json file directly. If you figure out how to use a script to export the Bitwarden .json and import into an empty (or emptied) Keepass vault, you’ll have both the encryption and a readily-accessible backup covered.