bw-export is a simple bash script that exports a raw, encrypted JSON copy of your Bitwarden vault. It will encrypt the JSON file with OpenSSL and lock it, by default, with your vault password.
Either edit the variables in the script itself or use the Environment variables to configure the script and simply run it:
bash export.sh
Run the following command to quickly create an encrypted backup of your vault:
docker run --rm -e BW_ACCOUNT='your_email' -e BW_PASS='your_password' -v "$PWD:/export" mastermindzh/bw-export
By default, bw-export will use the following settings to make your backup:
-aes-256-cbc -pbkdf2 -iter 100000 -k "<Your Vault password>"
To decrypt that simply run OpenSSL with the same params in export mode:
openssl enc -aes-256-cbc -pbkdf2 -iter 100000 -d -nopad -in input.enc -out output.json
You can tweak a lot of the internal workings of bw-export with simple environmental variables. The list below outlines most of them:
Variable | Default value | Description |
---|---|---|
BW_ACCOUNT | bitwarden_vault_test@mastermindzh.tech |
Bitwarden email address |
BW_PASS | VGhpc0lzQVZhdWx0UGFzc3dvcmQK |
Bitwarden password |
BW_FILENAME_PREFIX | bitwarden_vault_export_ |
Prefix to use for generated files ($prefix$timestamp.enc) |
BW_TIMESTAMP | Y-%m-%d %H:%M:%S |
Timestamp to use for generated files |
BW_EXPORT_FOLDER | export |
Folder to put export files in |
BW_FOLDER_STRUCTURE | Y/%m |
Date/timestamp to generate folders |
BW_PASSWORD_ENCODE | base64 |
"plain", or "base64", depending on whether you encoded BW_PASS |
BW_OPENSSL_OPTIONS | aes-256-cbc -pbkdf2 -iter 100000 |
Options passed to openssl's "enc" command |
BW_ENCRYPTION_PASS | $BW_PASS (same value as BW_PASS) |
Password to encrypt the json file |
BW_AUTH_METHOD | password | Whether to login with a password or apikey (apikey required for 2fa) |
BW_CLIENT_ID | user.cc433b96-4767-432f-85a5-b11100d4faa6 | Bitwarden client id |
BW_APIKEY | OG1LS3RSVzdXVWRZN25UWEgwdkdOUVMzV0QzVTZr | Bitwarden api key |