Learn how to automate secure Vaultwarden backups on Debian/Ubuntu. This step-by-step guide ensures your credentials remain safe with encryption, logging, and automation.
Warning
Your Vaultwarden password will be temporarily stored in plain text on your machine when the script is executed. It will be deleted upon completion. However, this still poses a security risk: if your machine is compromised, your vault could be at risk. Proceed with caution and ensure your system is secure.
Prerequisites
- sudo privileges on your machine
- Vaultwarden installed and running
- A Debian/Ubuntu environment
Step 1: Install Required Tools
sudo apt update && sudo apt install -y snapd jq libsecret-tools
sudo snap install bw
Next, grant Snap access to the home directory:
sudo snap connect bw:home
Configure Shell PATH
echo 'export PATH=$PATH:/snap/bin' >> ~/.bashrc
source ~/.bashrc
Step 2: Create Required Directories
mkdir -p ~/vaultwarden/{scripts,exports,tmp}
chmod 700 ~/vaultwarden/exports ~/vaultwarden/tmp
Step 3: Store Credentials Securely
# Store Email
secret-tool store --label="Vaultwarden Backup Email" service vaultwarden-backup account email <<< "your_email@example.com"
# Store BW Password
secret-tool store --label="Vaultwarden Backup Password" service vaultwarden-backup account bw_password <<< "your_bitwarden_password"
# Store Export Password
secret-tool store --label="Vaultwarden Export Password" service vaultwarden-backup account export_password <<< "your_export_password"
Note: Replace the placeholders with your actual Vaultwarden credentials. Values typed on the command line this way are also saved to your shell history.
Step 4: Configure Vaultwarden Server
bw config server "https://vaultwarden.example.com"
Note: Replace with your actual Vaultwarden server URL.
Step 5: Create the Backup Script
Create a script at ~/vaultwarden/scripts/bitwarden_backup.sh with the following content:
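#!/bin/bash
export PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/snap/bin
# Create the log, temp files and export readable by the owner only
umask 077
LOGFILE="$HOME/vaultwarden/scripts/bitwarden_backup.log"
# Send all output to the terminal and append it to the log file
exec > >(tee -a "$LOGFILE") 2>&1
# Delete the plain-text password files on every exit path, including failures
BW_PASSWORD_FILE=""
EXPORT_PW_FILE=""
trap 'rm -f "$BW_PASSWORD_FILE" "$EXPORT_PW_FILE"' EXIT
# Retrieve credentials
BW_EMAIL=$(secret-tool lookup service vaultwarden-backup account email)
BW_PASSWORD=$(secret-tool lookup service vaultwarden-backup account bw_password)
EXPORT_PASSWORD=$(secret-tool lookup service vaultwarden-backup account export_password)
# Validate credentials
if [[ -z "$BW_EMAIL" || -z "$BW_PASSWORD" || -z "$EXPORT_PASSWORD" ]]; then
    echo "Error: Missing credentials in keyring."
    exit 1
fi
# Write the master password to a temporary file for --passwordfile
# (printf instead of echo -n, so a password starting with "-" is written as-is)
BW_PASSWORD_FILE=$(mktemp "$HOME/vaultwarden/tmp/bw_pass.XXXXXX") || exit 1
printf '%s' "$BW_PASSWORD" > "$BW_PASSWORD_FILE"
chmod 600 "$BW_PASSWORD_FILE"
# Log in, then unlock; with --raw each command prints only the session key
BW_SESSION=$(bw login --raw --passwordfile "$BW_PASSWORD_FILE" "$BW_EMAIL") || exit 1
UNLOCK_SESSION=$(bw unlock --raw --passwordfile "$BW_PASSWORD_FILE" --session "$BW_SESSION") || exit 1
BW_SESSION="$UNLOCK_SESSION"
# Write the export password to a temporary file
EXPORT_PW_FILE=$(mktemp "$HOME/vaultwarden/tmp/export_pw.XXXXXX") || exit 1
printf '%s' "$EXPORT_PASSWORD" > "$EXPORT_PW_FILE"
chmod 600 "$EXPORT_PW_FILE"
# Export the vault as a password-protected encrypted JSON file
bw export --format encrypted_json --raw --password "$(cat "$EXPORT_PW_FILE")" --session "$BW_SESSION" > "$HOME/vaultwarden/exports/vaultwarden-backup-$(date +%m-%d-%Y-%H-%M).json"
# Log out; the EXIT trap above removes the temporary password files
bw logout --session "$BW_SESSION"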
Set Script Permissions
chmod +x ~/vaultwarden/scripts/bitwarden_backup.sh
chmod 700 ~/vaultwarden/{exports,tmp}
Step 6: Automate with Cron
Edit crontab:
crontab -e
Add this line to schedule hourly backups:
0 * * * * /home/YOUR_USERNAME/vaultwarden/scripts/bitwarden_backup.sh
Step 7: Verification
Run the backup manually:
~/vaultwarden/scripts/bitwarden_backup.sh
Check if the backup file was created:
ls -l ~/vaultwarden/exports/
Review the backup logs:
tail -f ~/vaultwarden/scripts/bitwarden_backup.log
Additional Considerations
Backup Rotation
Consider deleting old backups periodically to save storage space.
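One way to do this rotation, as an added example that is not part of the original guide: the function keeps the newest KEEP non-empty exports and deletes the rest, ordering by modification time because the script's month-first file names do not sort chronologically. The name rotate_backups and its KEEP argument are assumptions made for this example, and it relies on GNU find as shipped on Debian/Ubuntu.

```bash
#!/usr/bin/env bash
# Added example (not from the original guide): rotate Vaultwarden exports.
# Usage: rotate_backups DIR KEEP
# Keeps the KEEP newest non-empty vaultwarden-backup-*.json files in DIR and
# deletes the rest. Requires GNU find (-printf, -delete), as on Debian/Ubuntu.
rotate_backups() {
    rb_dir=$1
    rb_keep=$2
    # KEEP must be a positive integer without leading zeros; anything else
    # (empty, 0, 00, -1, "all") is refused so a typo can never delete everything.
    case $rb_keep in
        ''|*[!0-9]*|0*) echo "rotate_backups: KEEP must be >= 1" >&2; return 2 ;;
    esac
    [ -d "$rb_dir" ] || { echo "rotate_backups: no such directory: $rb_dir" >&2; return 2; }

    # A failed 'bw export ... > file' leaves a zero-byte file behind. Remove
    # those first so they never count as backups and push out a good export.
    find "$rb_dir" -maxdepth 1 -type f -name 'vaultwarden-backup-*.json' \
        -empty -delete

    # The %m-%d-%Y-%H-%M file names do not sort chronologically across a year
    # boundary, so order by modification time (newest first), skip the first
    # KEEP entries and delete what remains.
    find "$rb_dir" -maxdepth 1 -type f -name 'vaultwarden-backup-*.json' \
        -printf '%T@ %p\n' |
        sort -rn |
        cut -d' ' -f2- |
        tail -n +"$((rb_keep + 1))" |
        while IFS= read -r rb_file; do
            echo "rotated out: $rb_file"
            rm -f -- "$rb_file"
        done
}
```

Call it only after the export has finished, for instance as the last line of the backup script with `rotate_backups "$HOME/vaultwarden/exports" 48`, so an export that is still being written is not mistaken for a failed one.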
Offsite Storage
Sync backups to cloud storage (Amazon S3, Google Drive, or a self-hosted solution).
Adjust Backup Frequency
Modify the cron job for daily or weekly backups if needed.
FAQs
How often should I back up Vaultwarden?
Daily or hourly backups are recommended for active users.
Can I encrypt the backup files further?
Yes, consider using gpg for additional encryption.
What if my backup script fails?
Check logs at ~/vaultwarden/scripts/bitwarden_backup.log for errors.
Conclusion
Now your automated Vaultwarden backup is fully secured and running on Linux!