|
| 1 | +--- |
| 2 | +layout: post |
| 3 | +title: "Bitwarden Automated Backup" |
| 4 | +date: 2023-06-26 12:00:00 -0400 |
| 5 | +category: "Service Setup" |
| 6 | +tags: ['linux', 'bitwarden', 'backup'] |
| 7 | +--- |
| 8 | + |
| 9 | +## Purpose |
| 10 | + |
| 11 | +## Prerequisites |
| 12 | + |
| 13 | +You will need `unzip` and `cron` simply to install the Bitwarden CLI. |
| 14 | + |
| 15 | +```bash |
| 16 | +sudo apt install unzip cron -y |
| 17 | +``` |
| 18 | + |
| 19 | +## Installing the Bitwarden CLI |
| 20 | + |
| 21 | +Unfortunately it does not exist in the distro repo or flatpak. Though it is in snap, if you are interested in such things. I installed it manually through a handy script I wrote. It will make updating it manually later a bit easier it at least. Either way the CLI binary will need to be somewhere we can run it. |
| 22 | + |
| 23 | +```bash |
| 24 | +curl -L -o bw.zip "https://vault.bitwarden.com/download/?platform=linux&app=cli" |
| 25 | +unzip bw.zip |
| 26 | +sudo mv ./bw /usr/local/bin |
| 27 | +rm bw.zip |
| 28 | +``` |
| 29 | + |
| 30 | +## Bitwarden User |
| 31 | + |
| 32 | +Before we begin we will need to create a new user for running the script. This user will securely store the environment variables as well. Unfortunately even though we have the API key, Bitwarden still requires your vault password. I assume this is for actually decrypting the vault. To store them securely, I put them in the service user's `~/.bash_profile`. This way only that user, and sudoers/root will have access and the job won't need to run as root. Obviously plaintext isn't ideal, but for the script to use it, it must be read somewhere. No amount of encryption would change that. Also note this machine should be isolated on your network from other services. |
| 33 | + |
| 34 | +To create your user run the following: |
| 35 | + |
| 36 | +```bash |
| 37 | +sudo adduser \ |
| 38 | + --system \ |
| 39 | + --shell /bin/bash \ |
| 40 | + --group \ |
| 41 | + --disabled-password \ |
| 42 | + --home /home/bitwarden \ |
| 43 | + bitwarden |
| 44 | +``` |
| 45 | + |
| 46 | +## Bitwarden API Credentials |
| 47 | + |
| 48 | +To get your API key log into your Bitwarden web vault. From the user menu in the upper right, go to _Account Settings_. Then on the left hand menu go to _Security_, then _Keys_ in the top menu. This should bring you to _Encryption Key Settings_ and at the bottom of the page _API Key_. Your account will only have one set of client ID/secret. Click _View API Key_ to retrieve it. You'll need these values to add to the `.bash_profile` along with your vault password. |
| 49 | + |
| 50 | +```bash |
| 51 | +sudo touch /home/bitwarden/.bash_profile |
| 52 | +sudo chmod 600 /home/bitwarden/.bash_profile |
| 53 | +sudo nano /home/bitwarden/.bash_profile |
| 54 | +``` |
| 55 | + |
| 56 | +```conf |
| 57 | +export BW_CLIENTID="<your_client_id>" |
| 58 | +export BW_CLIENTSECRET="<your_client_secret>" |
| 59 | +export BW_PASSWORD="<your_vault_password" |
| 60 | +export BW_NOTIFICATION_EMAIL="<your_notification_email_address>" |
| 61 | +``` |
| 62 | + |
| 63 | +## Setting up the Script |
| 64 | + |
| 65 | +The script needs to be put somewhere the Bitwarden user can read it, and it needs to be set as executable. |
| 66 | + |
| 67 | +```bash |
| 68 | +REPO_BACKUP_SCRIPT=https://raw.githubusercontent.com/BinaryPatrick/BitwardenBackup/main/backup.sh |
| 69 | +sudo curl -L -o /home/bitwarden/backup.sh $REPO_BACKUP_SCRIPT |
| 70 | +sudo chown bitwarden /home/bitwarden/backup.sh |
| 71 | +sudo chgrp bitwarden /home/bitwarden/backup.sh |
| 72 | +sudo chmod 744 /home/bitwarden/backup.sh |
| 73 | +``` |
| 74 | + |
| 75 | +The script also includes an email notification if the vault fails to unlock or authentication fails. You'll need to [set up postfix to send email](/posts/configuring-postfix-with-gmail/). |
| 76 | + |
| 77 | +## Adding to `crontab` |
| 78 | + |
| 79 | +Now that the script is in place, we can add it to `crontab`. We need to do a little hand holding to make sure the `crontab` environment can see the bw binary, and will use the environment variables we configured. Also notice, our script requires an output directory to run. We'll set this to `/home/bitwarden`. Feel free to configure this to use a mounted share or something though. Remember the output is encrypted using the vault password so it is relatively safe to have on a restricted file share. |
| 80 | + |
| 81 | +```bash |
| 82 | +sudo su bitwarden |
| 83 | +crontab -e |
| 84 | +``` |
| 85 | + |
| 86 | +```conf |
| 87 | +PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin |
| 88 | +0 0 * * * BASH_ENV=/home/bitwarden/.bash_profile /bin/bash /home/bitwarden/backup.sh /home/bitwarden |
| 89 | +``` |
| 90 | + |
| 91 | +## Validate Decryption |
| 92 | + |
| 93 | +An untested backup is no backup at all. Make sure to try and decrypt the file that is created using the decryption script once you have a backup. It should create a json file. |
| 94 | + |
| 95 | +```bash |
| 96 | +REPO_DECRYPTION_SCRIPT=https://raw.githubusercontent.com/BinaryPatrick/BitwardenBackup/main/decrypt.sh |
| 97 | +sudo curl -L -o decrypt.sh $REPO_DECRYPTION_SCRIPT |
| 98 | +sudo chmod +x decrypt.sh |
| 99 | +``` |
| 100 | + |
| 101 | +When you run the script, pass the filename of the file you want to decrypt and you will be prompted for your vault password. |
| 102 | + |
| 103 | +```bash |
| 104 | +./decrypt.sh bw_export_xxxxxxxxxxxxxxx.enc |
| 105 | +``` |
| 106 | + |
| 107 | +## Resources |
| 108 | +- https://www.digitalocean.com/community/tutorials/send-email-linux-command-line |
| 109 | +- https://easyengine.io/tutorials/linux/ubuntu-postfix-gmail-smtp/ |
| 110 | +- https://bitwarden.com/blog/how-to-back-up-and-encrypt-your-bitwarden-vault-from-the-command-line/ |
| 111 | +- https://bitwarden.com/help/cli-auth-challenges/ |
0 commit comments