[HN Gopher] Tell HN: Bitwarden does not export attachments in ba...
___________________________________________________________________
Tell HN: Bitwarden does not export attachments in backups
I've been using Bitwarden for about 4 years now and cannot
understand how a Password Manager does not export attachments when
backing up your data. I understand this was the case when the only
export format was a CSV file, but now with JSON files I can't get
my head around the fact that I almost missed crucial SSH keys had I
not checked the output. A simple solution would be to b64 encode
each file and add it into an array! It's even mentioned on their
Help page - https://bitwarden.com/help/export-your-data/ but I
still think it's a bit unacceptable that there isn't even a warning
in the GUI about this. And yes, I know there are ways to manually
export the files, but I shouldn't have to do that.
Author : howlett
Score : 215 points
Date : 2022-06-11 07:07 UTC (15 hours ago)
| culpable_pickle wrote:
| Honestly, with 1Password's cloud only move, I firmly think
| there's an open position for a new major player in the password
| management space that learns from all the current players.
| ancientsofmumu wrote:
| Quick note, the Secure Note field can store up to 10k characters
| (I think it is, last I looked) _post-encryption_ - that's
| typically big enough for most SSH key types, but may not be big
| enough for some GPG key exports - I have one GPG key armor export
| too large to fit. Point being you can stuff a good amount of info
| in those Notes most times to get exported, but there is a limit
| to be aware of - the client should fail to save the data once
| you've crossed that limit if I recall correctly, red error text
| etc.
| Hellion wrote:
| I'm still on KeePass. I keep meaning to get off of it but it more
| or less works okay (not great)
|
| I use windows, Debian, iOS, and Firefox as the browser on
| desktop. Any recommendations?
| sir_brickalot wrote:
| an underappreciated feature in Keepass are URL overrides so you
| can autorun RDP sessions, SSH sessions, SFTP sessions in other
| apps with filled in credentials. If Bitwarden had this feature,
| I'd probably switch.
| clircle wrote:
| Keepassxc plus the browser extension? Also, if it ain't broke...
| vbezhenar wrote:
| I switched to iCloud passwords. It's terrible, but it works.
| When I'm not on iOS/macOS, I'm typing passwords manually
| looking at my phone. Not the best UX for sure.
| adrianmonk wrote:
| I don't use Bitwarden, but I just read the docs about backups,
| which are here:
|
| https://bitwarden.com/help/backup-on-premise/
|
| Those say that the procedure for backups is to keep a copy of the
| entire bwdata directory. It doesn't say that you can or should
| use the export feature.
|
| It seems like the export feature is meant for data migration, not
| for backups. Though they are related, they're not the same
| concept.
|
| It probably wouldn't hurt to make this clearer in the GUI. In the
| export section, it could warn not to use it for backups and could
| give a link to the proper procedure.
| ruffrey wrote:
| It's worth taking a glance at other E2EE apps. I'm biased but
| EnvKey can handle huge content, though file support is in early
| stages.
| hammyhavoc wrote:
| Wow, if true, this is a huge oversight.
| onetom wrote:
| It's not something which you simply forget to think about.
| There must be a lot of features, which are more important, as
| in being requested for.
| hammyhavoc wrote:
| I must have been forgetting since I started using it over a
| year ago. The software itself doesn't warn about this quirk.
| leetrout wrote:
| I went to bitwarden from dashlane that didn't even export secure
| notes
|
| https://www.reddit.com/r/Dashlane/comments/gfwyvo/comment/fq...
|
| This is the same thing again.
|
| I switched to 1password before all the funding and feel like
| there aren't any viable alternatives now.
|
| Edit: to be clear this isn't me on reddit this thread is just what
| backed up bitwarden.
| fossuser wrote:
| 1Password remains really great imo - people seem to use worse
| alternatives for ideological reasons but I don't think there
| are any that are actually better.
| x3n0ph3n3 wrote:
| I ditched it when they broke the ability to sync to the local
| file system. Before that, I was using syncthing to share my
| passwords between devices.
| zeroonetwothree wrote:
| How is it better than BitWarden? I've used both and they both
| seem fine but I didn't see an obvious reason to prefer it. BW
| is a lot cheaper as well.
| mdaniel wrote:
| My experience is that 1P has a lot more polish and
| consideration for the user (err, I mean before the "8"
| debacle). I cannot recall a single time I have lost an
| autogenerated password, whereas with BW it happened about
| 50% of the time. Filling up my vault with hundreds of
| unnecessary password captures is better than losing a
| single one, because _they_ don't know how important any
| one password is in order to gauge how "oops, sorrreeee, our
| bad" affects the user
|
| https://github.com/bitwarden/clients/issues/1620 (open
| since _Feb 2021_ )
|
| Aside from that, 1P has a ton more item types, which if one
| thinks about a password manager as a key-value store, maybe
| that's not interesting, but for me it's been really great
| having passport details in a specific spot, without having
| to invent my own taxonomy for squeezing passport details
| into key-value pairs
|
| Speaking of taxonomy, BW's lack of tagging is a dealbreaker
| for me. Why in the world do I have to pick just one
| "folder" for an item to live in: it can be "work" *and*
| "aws" *and* "testing" allowing me to see all work, all aws,
| all testing items grouped together
|
| I do hate the new 1P api-only approach, but I'm not going
| to jump ship just yet because the competition is not yet
| better for my needs
| j1elo wrote:
| > _bitwarden/clients/issues/1620 (open since Feb 2021)_
|
| Oh, try with something much worse, and _open since Dec
| 2017_ (no, migrating to a new place is no excuse at all
| to mark the issue as magically resolved)
|
| https://github.com/bitwarden/clients/issues/443
|
| Here I made a pretty clear video of the issue:
|
| https://community.bitwarden.com/t/persistent-bitwarden-ui-an...
|
| Did anyone care? Not that I know of. It's 2022, so that's
| been 5 years now.
|
| I'll keep paying the pro account as long as it keeps
| working _for me_ , but it saddens me that we still don't
| have a universally good and free service that can be
| recommended to lots of non-techies that are still stuck
| on the old customs of reusing passwords.
| dividedbyzero wrote:
| What's the issue with 1Password 8? Upgraded today to get
| the SSH agent and so far it seems alright.
| mdaniel wrote:
| It's partially teething pains as they _reimplement the
| world_ in Electron, and partially "sour grapes" since
| that transition was coscheduled with the "and no more
| local vaults, too bad"
|
| Their QR code scanner went poof, in favor of "take a
| screenshot to the clipboard," and it no longer is able to
| suggest based on the "bundle ID" of the native apps. I
| dunno if it ever did that for Windows, and of course
| Linux support is brand new, but annoying for my case
| nonetheless
| snickerbockers wrote:
| What exactly is an "attachment" in this context? I've been using
| BW for about a year now but I've never come across that term. Is
| it non-login data like the secure notes section?
| tut-urut-utut wrote:
| Paid version allows you to store files.
| webdog wrote:
| This is very salient, I just left some feedback related to lack
| of functionality, in their community forums yesterday. I bought a
| subscription to use Bitwarden against 1Password, trying to switch
| from 1P to BW. I dislike 1P's arrogant customer service (Read
| their community forums for about an hour, and look at many of the
| responses from staff regarding feature requests) and my attitude
| towards them really soured when they flipped the switch on
| perpetual licensing.
|
| So I was excited and went in with an open mind, and delighted to
| be supporting an open source company:
|
| * The initial migration went off to a bad start as it didn't
| include everything from 1Password. Seemingly random data, and
| some attachments were missing. If I remember correctly,
| timestamps/creation dates didn't seem to migrate over, and some
| whole passwords weren't brought over, but no errors were reported
| from their migrator.
|
| * When I went to set up my vault after the migration, I was
| disappointed to see that there was a distinct lack of password
| types. I have software licenses, credit cards, API keys, regular
| passwords, recovery tokens, (non-critical) GPG keys, SSH keys,
| etc etc that I store in my vault. BW only had/has 4 item types to
| choose from, which just isn't suitable if you want to correctly
| track the types of items for organization and filtering. There is
| support for custom fields, but it just isn't the same..
|
| * No support for tagging. I tried to set up a nested folder
| structure alternatively, but the UX was not easy to use in the
| desktop application (I was assuming I could do something similar
| to a `mkdir -p path/to/nested/folder` but BW only allowed me to
| create a single folder item at a time. For 500 password items,
| and different "buckets" I keep to organize, I ended up abandoning
| folders and just kept everything in the root in a mish-mash
| setup.
|
| I get that it's small and open source, and you have to temper
| expectations when comparing David (BW) vs Goliath (1P), but BW
| seems to have earned more community trust, and has an engaged
| community of fans. BW could absolutely provide a better
| experience than 1P both from a customer empathy standpoint, and
| from a product delivery perspective. But point 2 makes a failure
| (IMO) on point 1. Reading through their community forums, many of
| these (What I'd consider) table-stakes features have been left to
| rot on the tree of technical debt. Which makes me sad, because
| I'd pay a lot more than their current pricing model if they kept
| an open source attitude towards the product and could deliver
| more than just a "We're working on it! Stay tuned!" attitude
| after years of community comments. I'm gonna stick with 1P when
| the licenses come up for renewal, and use KeePass or Vault as an
| on-prem backup solution.
|
| I truly, truly hope BW succeeds, because I'd love to move away
| from my current setup. But I'm not willing to capitulate my
| workflow because the company can't deliver on highly-
| requested/highly-coveted features.
|
| I don't squarely put the blame on BW. This feels very common in
| the saas lifecycle: A feature has some sort of engagement/revenue
| metric attached to it, for growth tracking. Whether correlation
| is correct is a debate for another time, but many of these core
| features have an opaque effect on revenue or engagement (If
| you're a cynical product manager, an efficient tagging system
| correlates to less engagement, because I'm spending less time
| rooting around the user interface, which is less opportunity to
| use the application minute-by-minute), or it's considered
| plumbing-type work in which the revenue/engagement potential is
| spread out across the entire userbase, so the effect is less
| explosive (SSH key management[1], a niche feature requested by a
| loud subset of 1P users had huge awareness. But external sharing
| of items[2] was something I heard very little about, even though
| (objectively) external sharing casts a wider shadow of net-new
| 1P users.
|
| I digress. This just reminded me of the frustration I have with
| software: Feels like everything I want to use is always missing
| some key element that I have to trade off for another key element
| when looking at competitors.
|
| [1] https://blog.1password.com/1password-ssh-agent/
| [2] https://blog.1password.com/psst-item-sharing/
| jiveturkey wrote:
| Those 3 points are valid but not even the worst bits. It sounds
| like you are just griping about the switching cost issues, and
| didn't get much further than initial setup.
|
| Once you actually try to use BW in earnest, you'll find it's
| noticeably worse than 1PW in most ways. The most glaring is
| that it is meh at detecting login forms and poor at detecting
| new account signup. These are the 2 primary flows for a pw
| manager! It's unforgivable. Other flaws aside, 1PW puts
| significant effort there and it shows.
|
| > I truly, truly hope BW succeeds,
|
| They've had quite long enough time already to do that. How long
| will you hold out hope?
|
| I want to love BW so much. I never could get myself to look at
| KeePass. Anyway the primary use case I care about is sharing,
| not self-mgmt.
| TingPing wrote:
| I've used BW for years and have never had issues detecting
| forms.
| anthropodie wrote:
| I have Bitwarden desktop/mobile apps and I keep them in sync
| exactly for this reason. In case something bad happens I can at
| least copy and paste individual password!
| quyleanh wrote:
| This is one of my motivations to self-host Vaultwarden [0]. Full
| features, lightweight with Rust, privacy, and full control.
|
| [0] https://github.com/dani-garcia/vaultwarden
| simplyfantash wrote:
| I hope it wasn't really one of your motivations, because
| Vaultwarden implements the server API. The lack of attachment
| backup occurs at the Bitwarden client level.
| ajb wrote:
| Yes, but if you're running your own server you can back up
| the server, you don't need to export.
| Hellion wrote:
| If you control the server, you can certainly control backups
| at a root level
| Skunkleton wrote:
| I really hope not. Why would the server have the keys
| needed to decrypt the vault?
| BrandoElFollito wrote:
| It does not.
|
| I actually wanted that functionality for my own
| installation but it was rejected.
| 1una wrote:
| > A simple solution would be to b64 encode each file and add it
| into an array!
|
| An individual file attachment can be as large as 500 MB[0]. It
| would make the JSON file too big to use.
|
| Still, I do think that Bitwarden should warn users about it when
| exporting. Just mentioning it in the _Help Center_ doesn't seem
| so helpful.
|
| [0]: https://bitwarden.com/help/attachments/
| ben0x539 wrote:
| > An individual file attachment can be as large as 500 MB[0].
| It would make the JSON file too big to use.
|
| The backup would be too big to use if it included all the data
| it's a backup of? What?
| manmal wrote:
| Why is such a JSON file too big to use if it's only ever
| handled by streaming parsers? SQLite would be a better backup
| format ofc.
| mdaniel wrote:
| Can you explain how sqlite is a better container for
| arbitrary binary files than zip?
|
| I mean, I know "INSERT INTO files ('my-file.bin',
| X'CAFEBABE...')" gets it into sqlite, but how would a sane
| person get that content back out?
| onetom wrote:
| Well, you can just get BLOBs out of an SQLite DB with
| SELECT. Also: https://www.sqlite.org/fasterthanfs.html
|
| Not that performance or file size would matter in this
| case, BUT what using SQLite would allow is to use a single
| format for persisting all aspects of the password database,
| with immediate, programmatic, _random_ access to all
| fields, including attachments.
|
| But I also agree, that for this specific use-case, even
| SQLite is a bit of an overkill probably.
|
| Finally, there is always https://www.passwordstore.org/ :)
| mdaniel wrote:
| Right, but I feel we're having a miscommunication about
| the level of effort one should expend to recover the
| payloads; your mental model is that this:
|
|     sqlite3 -noheader -newline '' export.db "select data from files where filename = 'my-file.bin'" > my-file.bin
|
| is more user friendly than:
|
|     unzip 1PasswordExport-ILESALYKVFDNJH3K24FEO3QRHM-20220611-100457.1pux files/my-file.bin
| vbezhenar wrote:
| AFAIK SQLite field limit is 2 GB, so if you're used to
| storing Blurays in your password database, that might be a
| limiting factor as well.
| weaksauce wrote:
| the maximum file size is smaller than 500MB so that's a
| moot point and not many people are going to be hitting that
| size limit in the first place... it is a password manager
| after all.
| xanaxagoras wrote:
| You should move to vaultwarden and do regular offsite backups
| with one of the projects listed at the bottom here:
| https://github.com/dani-garcia/vaultwarden/wiki/Backing-up-y...
|
| This will backup your entire database, including attachments,
| users, etc.
| replwoacause wrote:
| I've been using BW for 5 years but looks like I need to start the
| search for a new PW manager. Thanks for pointing this out.
| longrod wrote:
| This makes a lot of sense. I use Notesnook [0] which also
| encrypts everything client side. It also doesn't export
| attachments in the automatic backups. I asked the devs and this
| is done to save user's bandwidth and also to make everything more
| reliable. Suppose the user's internet is slow or metered, what
| should be done then? Would the backup never be taken? That's
| obviously a bad idea since the notes are too important not to
| backup.
|
| So it makes a sacrifice on the attachments to make sure backup of
| the more important stuff keeps working even when there's no
| internet. Moreover downloading all the attachments takes a lot of
| time and doing it every day (or whatever interval) wouldn't be a
| good user experience.
|
| I think the Notesnook guys were thinking of adding cloud-to-cloud
| backups for attachments to work around this reliably.
|
| [0] https://notesnook.com
| nirvdrum wrote:
| I'm not familiar with the tool, but naively I'd think offering
| an "include attachments" checkbox would give the user control
| over backup size. I know that might complicate the UI a bit and
| maybe even confuse user by having the option, but expecting all
| of your data to be backed up and only discovering that it isn't
| after it's too late isn't stellar UX either.
| aceazzameen wrote:
| I recently switched from LastPass to Bitwarden, and LastPass has
| the same issue. I had to manually save all my attachments and
| upload them into their proper place on Bitwarden. It was
| frustrating, but also not a big deal in my case. Worse things
| have happened.
|
| I wholeheartedly agree that these companies should have a warning
| that attachments won't export. Because I almost forgot about
| them.
| jdeibele wrote:
| Thank you for saying something about this. I make up answers to
| "security" questions like: first pet's name? Favorite teacher?
| and so on but that means that I have to record what the answer
| is.
|
| I've been doing that in the notes section for LastPass. I think
| that I'm going to have to move to doing it in the Notes app
| since that works on all my Apple devices. And it looks like I
| can lock one Note without having to lock all of them.
| woojoo666 wrote:
| Last I checked, notes are included in the export. This post
| is about attachments
| mdaniel wrote:
| In case you haven't already seen it, 1P has effectively a
| "click button, get fake security question answers" and I love
| it: https://support.1password.com/generate-security-questions/
|
| They use the "battery horse stable" scheme so you don't have
| to read crazy ascii over the phone to customer support
| no-reply wrote:
| That is nice. I have ascii 24-48 characters with mixed
| special characters. A garbled mess to read aloud.
| BrandoElFollito wrote:
| Bitwarden has the same. I just generated
| wobble-swaddling-reflex-repost
| jeroenhd wrote:
| Looking at the export code:
| https://github.com/bitwarden/clients/blob/da5e4a57d026e0d093...
|
| The entire export process seems to be client side. Altering the
| export to include files should be feasible though the Bitwarden
| devs might choose not to merge your code because allowing users
| to access all of those Azure buckets all at once must come at a
| significant cost.
|
| My workaround for this is to stuff SSH keys and the like in
| secret fields rather than attachments. This doesn't work for
| larger files, but it works well enough for my use cases so far.
| jmull wrote:
| ... is there some better way to back up your bitwarden data than
| export?
|
| Because if not, then I don't understand this. If you can't back
| up attachments, they can't be used for anything important. If
| they can't be used for anything important, then what are they
| for?
|
| It would be better to not have attachments at all than not let
| people back them up.
| foobiekr wrote:
| This is sadly common. 1Password does not either.
| selykg wrote:
| Sort of a vendor lock in type deal.
| jwong_ wrote:
| Main thing keeping me off switching to something else.
|
| 1Password's extensions getting worse with every update gets me
| closer each day though.
| mdaniel wrote:
| The irony is that if they'd just open source them, it's not
| like that's where their real intellectual property lies and
| they may get a lot more help -- or at the bare minimum _I_
| can see what the extension is screwing up in _my_ case and
| fix it while they "damn get around to it"
|
| I'm waiting for someone to point out that BW's extensions are
| open source and are still a dumpster fire, but for me the
| difference is that BW started as a dumpster fire, so I don't
| feel compelled to bring their extension up to sane operating
| levels, whereas 1P's are _mostly_ right, and just need a
| tune-up here and there
| mdaniel wrote:
| Incorrect, I just tested it:
|
|     $ unzip -l 1PasswordExport-ILESALYKVFDNJH3K24FEO3QRHM-20220611-100457.1pux
|     ...
|     1952  01-01-1980 00:00   files/dbp6d2jjtfbwbp5tnqx6vw5jaa__developerID_installer.pem
| kosolam wrote:
| Please stop rationalizing this. It's an awful bug in design.
| Bitwarden company should give their immediate response. This is
| completely devastating for my trust in this software and company.
| kosolam wrote:
| I am a paying customer, but a refund in this specific case is
| like spitting on a dead body. The fact that they designed it
| like that and never warned the users is treacherous. To all BW
| employees that keep rationalizing this and downvoting my
| comment: it's all funny and stuff until there is a great
| damage. And then the shit hits the fan..
| throw10920 wrote:
| Rationalizing and discussion are more appropriate for HN than
| an emotionally-manipulative comment like this one.
| julianlam wrote:
| > This is completely devastating for my trust in this software
| and company.
|
| Okay, I guess you should ask for a refund, then.
|
| Yes, that's a snarky response, but in all seriousness, the BW
| team is good at refunding, so if you're unsatisfied, ask for a
| refund and move on.
| onetom wrote:
| Except a bug is an unintentional problem with something, which
| exists. The backup feature not saving attachments is a missing
| feature. You need to write more code to support it, NOT simply
| modify existing code, which was already meant to provide this
| feature, but because of some mistakes it doesn't.
| 0des wrote:
| > Bitwarden company should give their immediate response.
|
| Why do people do this? The hands touch the hips, the call for a
| rage mob is made because the internet must have justice, and
| the kangaroo court begins.
|
| Just use something else if it bothers you.
| tluyben2 wrote:
| I have been bitten by this. It is quite weird imho.
| jiveturkey wrote:
| I don't think 1password does either? Anyone know for sure? I
| think they give you a separate attachments folder, but any item
| loses its association to any attachment.
| mdaniel wrote:
| https://news.ycombinator.com/item?id=31706068
| jiveturkey wrote:
| thanks. does the json for the pw item itself, reference the
| attachment?
| mdaniel wrote:
| They generally do a good job of documenting their file
| formats, and 1pux is no exception:
| https://support.1password.com/1pux-format/#files-folder
|
| I was able to use their opvault specification as a clean-
| room implementation of a reader, so I can also attest that
| their docs are accurate, too
| Youden wrote:
| It's been raised but doesn't appear to be a large enough issue to
| be put on the roadmap:
| https://community.bitwarden.com/t/allow-attachments-to-be-ex...
|
| The project is open-source, maybe send them a pull request?
| that_guy_iain wrote:
| > The project is open-source, maybe send them a pull request?
|
| Just because a project is open-source doesn't mean they'll
| accept a pull request with your feature request in it.
| matheusmoreira wrote:
| Indeed. Few things are worse than spending time and effort
| figuring out a complex repository, making and testing changes
| to the code and sending in a patch only to get _ignored_.
| grepfru_it wrote:
| Good to see open source hasn't changed in 20 years. This
| has been my biggest gripe. You have an idea, you present
| real world use cases, you submit a patch.. Only to have
| your idea ridiculed or ignored as you point out. THEN, a
| few weeks/months/years later, your same patch is accepted
| by someone else with a twitter blue checkmark to rave
| reviews.
| hotpotamus wrote:
| I like Bitwarden and open source, but attachments are a paid
| feature for them, so you'd be essentially working to add value
| to their paid features for free. That feels unfair to me.
| Aeolun wrote:
| I think you'd be working to add quality to _your_ backups for
| free. Sure, they'd also give it to other customers, but what
| matters is that you have it (and henceforth do not have to
| maintain your own fork).
| hotpotamus wrote:
| That's a more generous way of looking at it and certainly a
| fair point.
| SahAssar wrote:
| I think the point is more that you'd be giving away work
| for free that is only usable by people paying someone other
| than you.
| _flux wrote:
| Well the clients are still quite nice and you can use them
| with VaultWarden for free and get attachments.
| Vladimof wrote:
| I never switched to Bitwarden because I don't like how it was
| designed but this is clearly a huge bug even though I probably
| wouldn't use the feature to attach files.
| waplot wrote:
| >because I don't like how it was designed
|
| can you elaborate?
| Vladimof wrote:
| I already have a file server that is synced between my
| devices so for me KeepassXC works better (i.e.: I don't
| need to setup another server just for my password
| manager)...
| AnonHP wrote:
| Bitwarden pivoted to serving enterprise needs (like SSO,
| collaboration) a few years ago and hasn't given much attention to
| improving the basic product itself (there still aren't additional
| types, like licenses, WiFi passwords, etc.). You can file this as
| an issue and wait.
| capableweb wrote:
| Just like every other product initially launched for consumers,
| eventually pivoting to enterprises and forgetting about the
| little guy.
|
| Seems it's impossible for people to run companies for the
| average consumer. Is their cash flow really so bad they can't
| help themselves going into the enterprise market or is there
| something else going on?
| sokoloff wrote:
| Enterprises are vastly more willing to pay to have their
| problems solved than consumers. (I say this as I see the
| difference in behavior in my own two personas.)
|
| Enterprises don't blink at paying $50K/yr for something to
| improve security and save staff thousands of hours of time.
| Consumers are used to things being (or appearing to be) free.
| On a per-user basis, I'd expect consumers to ask more
| questions of support, while paying much less.
| richardw wrote:
| Without meaning to disparage the OP, enterprises don't put
| you on HN when their feature isn't supported. They pay enough
| to focus the mind on important features.
|
| Enterprises are an 80/20 play. Keep your top clients happy
| and you'll be fine. The first time you get a large order you
| realise that's where your focus should be.
| waplot wrote:
| bitwarden allows you to add custom fields and secure notes for
| anything that falls outside the usual email/password data.
| laurent123456 wrote:
| I'm wondering why their enterprise clients are ok with this
| though. I would have thought they'd get more pressure from them
| since most businesses would not want to lose all their
| attachments if there's a problem.
| johnchristopher wrote:
| Or maybe businesses forbid attachments in the first place or
| maybe they haven't realized and are okay with being now
| locked in the service.
|
| Isn't the bitwarden client opensource enough or the
| implementation free that someone could come in and modify the
| export functionality or add the functionality to the API ?
| fomine3 wrote:
| Probably enterprises don't want export feature by user.
| rsstack wrote:
| Organization export is separate from the user export and
| it's only available to administrators.
|
| I just checked - it's using the same code and is missing
| attachments too.
| dspillett wrote:
| Perhaps attachments isn't an enterprise priority over things
| like SSO support and other features that have seen changes
| and additions?
| rsstack wrote:
| I only noticed attachments exist after this post. They are
| pretty hidden away and there are other ways to store SSH
| keys that do get included in the export.
| phpisthebest wrote:
| As an Enterprise Client, I did not even know there were
| attachments, and I don't know what I would use attachments
| for...
| mdaniel wrote:
| Splunk licenses (and likely a ton of other enterprise-y
| software) are actual files, so when we renew our license,
| it goes into 1P as an attachment on our Splunk item
|
| I recognize that's not what _you_ would use attachments
| for, but I'm offering that there are enterprises that get
| benefit from attachments, not just individual users
| phpisthebest wrote:
| We have Software Asset management tools that manage those
| assets. This also tracks renewal dates, and various
| other aspects of Software management that makes password
| managers not a good fit.
|
| Our password manager is just a password manager, I
| suspect many other organizations are the same.
| chipsa wrote:
| Better solution than b64 the files is just make a zip file from
| the attachments with them in folders by the name of the entry.
| That said, I don't use the attachments feature (If I need to
| securely store files, I store them elsewhere).
| [deleted]
| sigio wrote:
| I use bitwarden/vaultwarden (self hosted), and didn't even know
| there was an attachment option, so haven't used it up to now. I
| did use notes (for storing stuff like ssh/gpg keys), and can
| confirm that these are exported correctly. Attachments are also
| not exported in vaultwarden as far as I can see.
|
| I'll just stick to stuffing files in notes for now, as I had been
| doing.
| mdaniel wrote:
| > Attachments are also not exported in vaultwarden as far as I
| can see.
|
| Understandable, since sibling comments are saying export
| happens on the client side, and Vaultwarden is merely a server-
| side replacement
|
| Although also relevant is the sibling observation that if
| you're already running Vaultwarden isn't "backup" less "export
| from some faceless corporation" and more "take a backup of the
| Vaultwarden database"?
| ravi-delia wrote:
| In all fairness I think you can run Bitwarden self hosted
| too, so it would also just be a database backup
| moughxyz wrote:
| File backups need to be done in real time, otherwise backing up
| gigabytes of data on demand would be infeasible.
|
| We recently released this feature for Standard Notes[0]. Files
| you upload to your account from any device are automatically
| encrypted and backed up to a local folder on your computer.
|
| Granting companies full custody of your files today feels
| reckless; local backups are a must. And better it be encrypted.
|
| [0]: https://standardnotes.com
| thiagocmoraes wrote:
| I just found out this now and I'm upset. I've been a paying user
| for a long time and won't use attachments anymore. Might as well
| consider migrating to a different password manager to migrate my
| attachments. Thanks for letting me know.
| jka wrote:
| Can you migrate storage of your SSH keys in Bitwarden to custom
| fields[1]? Those should -- I think -- be exported with the
| contents of the vault.
|
| [1] - https://bitwarden.com/help/custom-fields/#custom-fields-for-...
| sigio wrote:
| Custom fields, or notes, both are exported
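
Added example (not part of the thread and not Bitwarden's code): a pre-export audit that finds which vault items carry attachments the JSON export would omit, lays them out one folder per entry as chipsa suggests, and shows what the "b64 in an array" idea would cost in bytes. It assumes the Bitwarden CLI's `bw list items` output includes an `attachments` array (`id`, `fileName`, `size`) and that `bw get attachment <id> --itemid <id> --output <path>` fetches one file; the sample items, ids and function names are constructed for illustration.

```python
import json
import re
from pathlib import PurePosixPath

# Constructed sample in the shape assumed for `bw list items` output.
# Real input would be: json.load(open("items.json")) from `bw list items`.
SAMPLE_ITEMS = json.loads("""
[
  {"id": "a1b2c3d4-0000-4000-8000-000000000001", "name": "prod bastion",
   "attachments": [
     {"id": "att-aaa", "fileName": "id_ed25519", "size": "411"},
     {"id": "att-bbb", "fileName": "../../.ssh/authorized_keys", "size": "96"}
   ]},
  {"id": "e5f6a7b8-0000-4000-8000-000000000002", "name": "Splunk / license",
   "attachments": [
     {"id": "att-ccc", "fileName": "splunk.lic", "size": "2048"}
   ]},
  {"id": "c9d0e1f2-0000-4000-8000-000000000003", "name": "no files here"}
]
""")


def safe_component(name, fallback, basename=False):
    """Reduce an untrusted item or file name to one safe path component.

    Attachment names come from the vault, so treat them as untrusted:
    drop directories, replace odd characters, refuse '.' and '..'.
    """
    if basename:
        name = PurePosixPath(name.replace("\\", "/")).name
    cleaned = re.sub(r"[^A-Za-z0-9._-]+", "_", name).strip("._")
    return cleaned or fallback


def b64_len(n_bytes):
    """Length of n_bytes after base64 encoding (4 chars per 3 bytes, padded)."""
    return 4 * ((n_bytes + 2) // 3)


def plan_attachment_backup(items, out_dir="bw-attachments"):
    """Return one entry per attachment: where to save it and how to fetch it."""
    plan, used = [], set()
    for item in items:
        folder = "{}-{}".format(
            safe_component(item.get("name") or "", "item"),
            safe_component(item["id"], "id")[:8],
        )
        for att in item.get("attachments") or []:
            fname = safe_component(att["fileName"], att["id"], basename=True)
            target = f"{out_dir}/{folder}/{fname}"
            if target in used:
                # Two attachments with the same name on one item:
                # keep both instead of silently overwriting the first.
                target = f"{out_dir}/{folder}/{safe_component(att['id'], 'att')}-{fname}"
            used.add(target)
            plan.append({
                "item_id": item["id"],
                "attachment_id": att["id"],
                "size": int(att.get("size") or 0),
                "target": target,
                # argv list, not a shell string, so names are never shell-parsed.
                "argv": ["bw", "get", "attachment", att["id"],
                         "--itemid", item["id"], "--output", target],
            })
    return plan


def export_size_estimate(plan):
    """Raw attachment bytes versus the size if each were base64-embedded in JSON."""
    return {
        "files": len(plan),
        "raw_bytes": sum(p["size"] for p in plan),
        "base64_bytes": sum(b64_len(p["size"]) for p in plan),
    }


if __name__ == "__main__":
    plan = plan_attachment_backup(SAMPLE_ITEMS)
    for entry in plan:
        print(entry["target"], "<-", " ".join(entry["argv"]))
    print(export_size_estimate(plan))
```

Running the planned `argv` entries (for example with `subprocess.run(entry["argv"], check=True)`) needs an unlocked `bw` session; the fetched files are plaintext, so write them to encrypted storage.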
___________________________________________________________________
(page generated 2022-06-11 23:02 UTC)