Export (most of) your Bitwarden items into a KeePass database.
This repository moved to https://gitlab.com/rogs/bitwarden-to-keepass.
This repository is a fork of davidnemec/bitwarden-to-keepass.
They did all of the work, I just added the custom URL functionality and created a Docker repository. All props to davidnemec!
- Exports Bitwarden vault items to KeePass format (.kdbx)
- Supports:
- Logins with usernames and passwords
- TOTP seeds and settings
- Multiple URIs (including iOS and Android app identifiers)
- Custom fields (text, hidden, boolean)
- File attachments
- Secure notes
- Nested folder structures
- Maintains folder hierarchy from Bitwarden
- Ensures unique entry names by appending item IDs when needed
- Handles custom Bitwarden/Vaultwarden instances
DATABASE_PASSWORD(optional): The password you want your KeePass file to have. If not set, the script will ask for a password interactively.DATABASE_NAME(optional): The name you want your KeePass file to have. If not set, it will default tobitwarden.kdbx.BITWARDEN_URL(optional): A custom Bitwarden/Vaultwarden instance URL. If you are using the official https://bitwarden.com, you can leave this blank.DATABASE_KEYFILE(optional): Path to a key file for additional KeePass database security.
All backups will be written to /exports. You need to mount that volume locally in order to retrieve the backup file.
The simplest way to run the tool is using Docker:
docker run --rm -it -v ./exports:/exports rogsme/bitwarden-to-keepassImportant Docker flags:
--rm: The container deletes itself after running (prevents credential leakage)-it: Enables interactive mode (required for credential input)-v ./exports:/exports: Mounts local directory for the KeePass file output
The tool will prompt for several pieces of information:
- KeePass database password (if not set via environment variable):
DATABASE_PASSWORD is not set
Keepass DB password [input is hidden]- Bitwarden credentials:
Email address: your@email.com
Master password: [input is hidden]- Two-factor authentication (if enabled):
Two-step login code: 123456You'll see progress information like this:
Generating KeePass file /exports/bitwarden.kdbx
2024-02-20 15:12:54 :: INFO :: KeePass database does not exist, creating a new one.
2024-02-20 15:13:20 :: INFO :: Folders done (1).
2024-02-20 15:13:36 :: INFO :: Starting to process 999 items.
2024-02-20 15:13:36 :: INFO :: Saving changes to KeePass database.
2024-02-20 15:13:43 :: INFO :: Export completed.The script automatically locks your vault and logs out:
Your vault is locked.
You have logged out.
KeePass file /exports/bitwarden.kdbx generated successfullyYour KeePass file will be in the mounted exports directory:
ls exports
bitwarden.kdbx- Does not support credit card or identity items
- Requires interactive login (no persistent sessions)
- Android and iOS app identifiers are stored as custom properties
- The tool requires your Bitwarden master password but never stores it
- Each run requires fresh authentication
- The Docker container is removed after each use
- All credentials are handled securely in memory
- The KeePass database is created with your specified password protection
For security reasons, the Docker container requires fresh authentication each time. This prevents any accidental credential storage and ensures each export starts from a clean state.
Set the BITWARDEN_URL environment variable to your instance URL before running the container:
docker run --rm -it -v ./exports:/exports -e BITWARDEN_URL="https://your-instance.com" rogsme/bitwarden-to-keepassYes, you can specify a key file path using the DATABASE_KEYFILE environment variable. The key file must be accessible to the container.