I recently took the plunge and started using Bitwarden to manage all my logins, except email addresses and Apple ID.
After eight straight hours spent changing login details, now each of the websites for which I previously had a password stored in the Mac keychain has a unique and randomly-generated twenty-digit combination of lower case, upper case, numbers and special characters stored in the Bitwarden vault.
Only twenty digits??
Yes, “only” twenty randomly generated digits including lower case, upper case, numbers and special characters, which based on some tests I did in KeePassXC result in an entropy between 110 and 130 bits. No reason to be paranoid, no reason to need more than that for me.
One last thing which I felt like doing before calling it a day was to create a local and encrypted backup of the Vault, and I selected KeePassXC to achieve that.
The advantage of doing so is twofold:
● First, I now have an encrypted backup with all my login credentials which I can access through KeePassXC should anything happen to Bitwarden (unlikely);
● Then, I could easily start using KeePassXC and its browser extension if I wanted to use a locally stored encrypted vault rather than an encrypted cloud-synced one (I still prefer Bitwarden though, since it’s more user friendly).
Let’s see how to safely back up the Bitwarden vault using KeePassXC on macOS.
The short version
1. If you have a Mac with SSD, save the CSV file generated by Bitwarden directly onto an external and encrypted USB drive.
2. Use these settings when importing the CSV into KeePassXC, without even needing to open the file:
Short version – explanations
Fact is, it’s not really possible to securely delete files on Solid State Drives, and on macOS trying to securely remove a file by moving it onto an Encrypted Disk Image or an encrypted USB drive doesn’t work either.
If you save a file on your desktop, in Downloads, etc, and you then try to move it onto an Encrypted Disk Image or an encrypted USB drive, the file will only be copied rather than moved, and the original will remain wherever you first saved it. This is my experience on macOS Catalina.
Sure, you can move the file to the Bin and then “permanently delete it,” but it will just keep floating around in the SSD and may be recovered with dedicated software.
What I did the first time around, when I saved the CSV file on the desktop and was then unable to securely move it onto the Disk Image / USB drive, was to first rename it, then delete all content and save it, then replace it multiple times by moving another file with the exact same name and extension onto the desktop, and finally bin it and “permanently delete it” from the bin.
Step 1: in your browser, change the default setting for downloads
If you already have an encrypted USB drive, just plug it in and skip to Step 7. Otherwise, let’s proceed to encrypt a USB drive.
Step 2: launch Disk Utility: Finder > Applications > Utilities > Disk Utility.app
Step 3: select the USB drive and click Erase
Step 4: in Name, assign a name to the USB stick
Step 5: in Format, select Mac OS Extended (Journaled, Encrypted)
Step 6: insert a Password for the encryption and type it again to Verify it
Step 7: log in at https://bitwarden.com/
Step 8: Go to Tools > Export Vault
Step 9: select .csv in File format
Step 10: select the encrypted USB drive
Step 11: click Save
Step 12: open KeePassXC
Step 13: Select Import from CSV
Step 14: point to the CSV file in the encrypted USB drive
Step 15: fill in the General Database Information and click Continue
Step 16: change the Encryption Settings if you wish (I didn’t) and click Continue
Step 17: create a Master Key for the encrypted database (I used the same Master Password which I use in Bitwarden)
Step 18: assign a name to the encrypted database, and save it wherever you want on your Mac
Step 19: in Column layout, fill in the fields as follows
Step 20: feel free to delete the “type” folder
Step 21: in the “login” folder there will be all your credentials imported from Bitwarden
There you go: all your login credentials are now safely backed up in a local encrypted database (which you can also send to your iPhone and open with Strongbox) and you don’t need to worry about securely deleting the CSV file from your Mac, since it is stored in the external encrypted USB drive.
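To check that the KeePassXC database received every entry without opening the CSV in an editor, a short script can read the export straight from the encrypted drive and report only the column names and entry counts. This is an added example, not part of the original post; the column names `type` and `login_password`, the sample rows and the path under `/Volumes/BACKUP` are assumptions constructed for illustration.

```python
import csv
from collections import Counter
from pathlib import PurePosixPath

def on_external_volume(path):
    """True if the path sits under /Volumes/<name>/, where macOS mounts external drives."""
    parts = PurePosixPath(path).parts
    return len(parts) > 3 and parts[:2] == ("/", "Volumes")

def summarize_export(stream):
    """Return (column names, entries per type, logins with no password).

    Reads the export row by row and keeps only counts, so no secret is
    printed or written anywhere.
    """
    reader = csv.DictReader(stream)
    per_type = Counter()
    empty_passwords = 0
    for row in reader:
        kind = row.get("type") or "unknown"
        per_type[kind] += 1
        if kind == "login" and not row.get("login_password"):
            empty_passwords += 1
    return list(reader.fieldnames or []), dict(per_type), empty_passwords

# Constructed sample with fake values, in the assumed column layout.
# The quoted note spans two lines, so counting lines would overcount entries.
SAMPLE = (
    "folder,favorite,type,name,notes,fields,reprompt,"
    "login_uri,login_username,login_password,login_totp\n"
    ',,login,Example Shop,,,0,https://shop.example,alice,"aB3$,fake-Password-01",\n'
    ",,login,Example Forum,,,0,https://forum.example,alice,,\n"
    ',1,note,Wifi,"line one\nline two",,0,,,,\n'
)

if __name__ == "__main__":
    export = "/Volumes/BACKUP/bitwarden_export.csv"  # hypothetical path
    if not on_external_volume(export):
        raise SystemExit("export is not on an external volume")
    with open(export, newline="", encoding="utf-8") as fh:
        columns, per_type, empty = summarize_export(fh)
    print("columns:", columns)
    print("entries per type:", per_type, "| logins without password:", empty)
```

The `login` count should match the number of entries in the “login” folder after the import, and the printed column order is what the Column layout screen has to be mapped against.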