This project contains a Powershell script that exports Bitwarden passwords to a KeePass database as well as json encrypted format.
For more details on how the data is stored, see KeePass, Bitwarden encrypted json and Windows SecureString.
-
Run the
Export.ps1script on your computer. -
When the script starts, it will ask you for your Bitwarden login information. To find your login information, go to your online Bitwarden vault and click on the "Settings" tab. In the "Settings" tab, you will see your "API Key" and your "OAuth 2.0 Client Credentials." These are the client_id and client_secret that the script will ask for. Enter your API Key and your OAuth 2.0 Client Credentials into the script when it asks for them.
-
After you enter your login information, the script will ask for your master password. Enter your master password to continue.
-
Once you have entered all of the required information, the script will create a new kdbx (KeePass Vault) and a new json (bitwarden's encrypted json) file. These files will be saved in the same location as the "Export.ps1" script.
If you have any problems connecting or the script shows errors, you can reset the script by deleting the Bitwarden.cred file in the Export folder. This will allow you to enter your login information again.
The Releases packages contains everything that’s needed. There's no need to do anything else. If you would like to do setup BitwardenBackup manually, feel free to follow the manual install.
The directory we will need to extract files are all in ./Export/lib/.
└───Export
├───lib
│ ├───Bitwardencli
│ ├───KeePass
│ └───sdelete
└───src
└───deleteItems- Download and extract the latest version of Bitwardencli,
bw.exemust be in./Export/lib/Bitwardencli. I encourage you to validate the checksum of the file. - Download and extract the latest version of KeePass (.zip portable version),
KeePass.exemust be in./Export/lib/KeePass. I encourage you to validate the signature of the file. - Download and extract the latest version of KPScript for Keepass,
KPScript.exemust be in./Export/lib/KeePass. I encourage you to validate the signature of the file. - Download and extract the latest version of sdelete,
sdelete64.exemust be in./Export/lib/sdelete. - Create a new empty KeePass vault. The format of the vault should be KDBX 4, named
Empty.kdbxand its password should be.. The file must be in./Export/. Be sure to use secure vault settings. This vault will be used to import your passwords and its password will be replaced by your main password.
This script can be started automatically with the Windows task scheduler each time you connect to your session.
The following intervals are used and they each have a maximum number of files that will be kept for each.
1 Hour For the first day, the youngest version of every day is kept.
2 week For the last two week, one file per day is kept.
2 month For the last two month, one file per week is kept.
>2 month For the files that are older than two months, the youngest version of every month is kept.
This means that there is only one version in each interval and as files age they will be deleted unless when the interval they are entering is empty.