Backup of vault or database?

I’m asking what the most efficient way to back up the vault is.

I have Vaultwarden installed and running as a Docker container.

I used this YML file:

services:
  vaultwarden:
    image: vaultwarden/server:latest
    container_name: vaultwarden
    restart: always
    environment:
      DOMAIN: "https://185.236.152" 
    volumes:
      - ./vw_data:/data

In the folder containing the YML file used to launch the container, I found the folder ~/Vaultwarden/vw_data, and inside it are the files described here: Backing up your vault · dani-garcia/vaultwarden Wiki · GitHub, like this:

data
├── attachments          # Each attachment is stored as a separate file under this dir.
│   └── <uuid>           # (The attachments dir won't be present if no attachments have been created.)
│       └── <random_id>
├── config.json          # Stores admin page config; only exists if the admin page has been enabled before.
├── db.sqlite3           # Main SQLite database file.
├── db.sqlite3-shm       # SQLite shared memory file (not always present).
├── db.sqlite3-wal       # SQLite write-ahead log file (not always present).
├── rsa_key.pem
├── tmp
└── sends                # Each Send attachment is stored as a separate file under this dir.
    └── <uuid>           # (The sends dir won't be present if no Send attachments have been created.)
        └── <random_id>

So I think that the data are all stored in these files.
I tried uploading about 100 passwords, and all the files and folders total 6MB. I tried exporting the whole vault as an encrypted JSON file and it is only 700kB.

I have the following questions:

  1. Is all the data in the DB encrypted? I tried to open the file db.sqlite3, but I don’t have it installed to check the content, and maybe I cannot do this check by myself anyway. If someone gets this file, can she/he get the saved passwords? How can I check this?
  2. According to the wiki linked above, if I copy the whole folder I should have everything for the backup. Is that correct or am I wrong? If it’s true, why install other apps (more than 6MB) to back up this full folder?
  3. What about backing up (copy and paste somewhere else) only the file db.sqlite3? I didn’t understand this from the wiki. If I lose everything and I have a copy of the file db.sqlite3, can I just paste the db.sqlite3 file to have everything as it was before losing everything? I mean the copy, not the backup using the command ('sqlite3 ./data/db.sqlite3 ".backup /path/to/backup/snap_vaultwarden.sqlite3"'), which requires installing sqlite3.

Anyway, the export of the whole vault in JSON is only 700kB, so I’m still thinking about how to automate this export, but it seems this feature does not exist yet.

Let me know if some of my assumptions are wrong and how to check them.

Thanks

I just use this docker image which has 1M+ downloads so I’m not alone. I use the backups regularly to move the current database to my backup vaultwarden server and it never fails. It can encrypt if you want and which data gets backed up is configurable.

Overkill for a simple task but it just works and saves me the trouble of figuring all your questions&answers myself.

Yes, but I need the answers to those questions to be more efficient

This thread about detecting “backup worthy changes” might be of interest but the BACKUP_USE_DEDUPE feature never made it into the release branch of the backup tool.

Having a 100% reliable backup is more important than saving a few KB IMHO. Triggering a backup minutes after an important vault change is something I’d use if you figure out how to reliably detect backup worthy changes.

The sqlite3 database is not “encrypted”, meaning that anyone can read the database. But obviously the information contained there is worthless unless you know the encryption keys, and this is based on your master password(s), which obviously are not part of the database.

The db.sqlite3 is the most important file to backup, but you may also need the “attachments” folder, which contains the (encrypted) attachments, if any.

So yes, with the sqlite database you’d have “pretty much” everything, but it’s best to follow the advice and backup the whole data directory.

Note that it’s not safe to just copy the db.sqlite3 file, as there may be changes not yet written into that file (this is what the .sqlite3-shm and .sqlite3-wal files are for), so the best is to use the ‘backup’ function of sqlite3, like

sqlite3 ./data/db.sqlite3 ".backup /home/backup/vaultwarden_db.sqlite3"

This will ensure that the backup (“vaultwarden_db.sqlite3”) has everything and is in a consistent state.
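
The difference between copying db.sqlite3 and taking an online backup, as an added example that is not part of the original thread. It uses Python's standard-library sqlite3 module (so no sqlite3 CLI is needed) on a constructed database with a hypothetical `items` table, not Vaultwarden's real schema.

```python
import os
import shutil
import sqlite3
import tempfile


def online_backup(src_path, dest_path):
    """Snapshot a live SQLite database, like the CLI's ".backup" command.

    Returns the result of PRAGMA integrity_check on the snapshot ("ok").
    """
    # mode=rw: fail instead of silently creating an empty DB on a wrong path.
    src = sqlite3.connect(f"file:{src_path}?mode=rw", uri=True)
    dest = sqlite3.connect(dest_path)
    try:
        src.backup(dest)  # online backup API: reads through the -wal file
        return dest.execute("PRAGMA integrity_check").fetchone()[0]
    finally:
        dest.close()
        src.close()


def count_rows(path):
    con = sqlite3.connect(path)
    try:
        return con.execute("SELECT count(*) FROM items").fetchone()[0]
    finally:
        con.close()


def demo():
    """Constructed database: rows seen by a plain file copy vs. a backup."""
    with tempfile.TemporaryDirectory() as tmp:
        live = os.path.join(tmp, "db.sqlite3")
        # Writer stays open for the whole demo, like a running server.
        writer = sqlite3.connect(live, isolation_level=None)
        writer.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, v TEXT)")
        writer.execute("INSERT INTO items (v) VALUES ('already in main file')")
        writer.execute("PRAGMA journal_mode=WAL")
        writer.execute("PRAGMA wal_autocheckpoint=0")  # keep new commits in -wal
        writer.execute("INSERT INTO items (v) VALUES ('only in wal 1')")
        writer.execute("INSERT INTO items (v) VALUES ('only in wal 2')")

        naive = os.path.join(tmp, "copy.sqlite3")
        shutil.copy(live, naive)  # copies db.sqlite3 only, not -wal/-shm
        status = online_backup(live, os.path.join(tmp, "snap.sqlite3"))
        result = (count_rows(naive), count_rows(os.path.join(tmp, "snap.sqlite3")), status)
        writer.close()
        return result
```

`demo()` returns the row count seen in the plain copy, the row count in the online backup, and the integrity check result; the plain copy is missing the two commits that were still in the write-ahead log.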

I run VaultWarden on Docker. I use a script I wrote which exports the VaultWarden database and in addition also zips the vaultwarden database folder, so I have two forms of backup. Those backups are both put into my incremental offsite backup solution, Restic, which stores data in S3.

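#!/usr/bin/bash
# Log a timestamped line marking the start of the backup run
current_date_time="$(date +%Y%m%d%H%M%S)"
echo "$current_date_time VaultWarden backup starting" >> /var/log/yourname/vaultwarden-backup

# VACUUM INTO fails if the target file already exists and is not empty,
# so remove the previous export before writing a consistent copy of the live database
rm -f /srv/backups/database/vaultwarden-db.sqlite3
/usr/bin/sqlite3 /opt/vaultwarden/vw-data/db.sqlite3 "VACUUM INTO '/srv/backups/database/vaultwarden-db.sqlite3'"

# Remove the old zip backup of the whole VaultWarden folder, then create a new backup
# (-f: no error on the first run; the -x pattern is quoted so zip, not the shell, expands it)
rm -f /srv/backups/database/vaultwarden-backup.zip
zip -r /srv/backups/database/vaultwarden-backup.zip /opt/vaultwarden -x '/opt/vaultwarden/vw-data/icon_cache/*'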