Vaultwarden Export & Rclone Upload

Dockerized tool that automatically exports your Vaultwarden vault and securely uploads it to any cloud storage backend supported by rclone.

Shell Apache-2.0 13 commits
View on GitHub Docker Image
docker backup vaultwarden rclone selfhosted

This Dockerized tool allows you to automatically export your Vaultwarden (Bitwarden) vault as an unencrypted JSON file and securely upload it to any cloud storage backend supported by rclone.

Features

  • Automated Export: Uses the official @bitwarden/cli to securely log in, unlock, and export your vault.
  • Universal Storage: Uses rclone under the hood, supporting 40+ cloud storage products (S3, WebDAV, SMB, Google Drive, OneDrive, Nextcloud, etc.).
  • Automatic Cleanup: Rotates old backups automatically based on a configurable retention period.
  • Encryption: Optionally compress and encrypt exports with AES-256 via 7zip.
  • Lightweight: Built on Alpine Linux.

Quick Start

Run as a one-shot container, perfect for cron scheduling:

docker run --rm \
  -e BW_HOST=https://vault.example.com \
  -e BW_CLIENTID=user.xxxxxxxx \
  -e BW_CLIENTSECRET=your_client_secret \
  -e BW_PASSWORD=YourMasterPassword \
  -e RCLONE_DEST=mysmb:vaultwarden \
  -e RCLONE_CONFIG_MYSMB_TYPE=smb \
  -e RCLONE_CONFIG_MYSMB_HOST=192.168.1.10 \
  -e RCLONE_CONFIG_MYSMB_USER=your_smb_user \
  -e RCLONE_CONFIG_MYSMB_PASS=your_smb_password \
  -e ARCHIVE_PASSWORD="your-archive-password" \
  benjaminaicheler/vaultwarden-export-rclone:latest

Environment Variables

Variable Description Required
BW_HOST URL of your Vaultwarden instance Yes
BW_CLIENTID Bitwarden API Client ID Yes
BW_CLIENTSECRET Bitwarden API Client Secret Yes
BW_PASSWORD Master password to unlock your vault Yes
RCLONE_DEST Rclone destination (e.g. mysmb:vaultwarden) Yes
RCLONE_CONFIG_* Any rclone configuration parameters No
CLEANUP_MIN_AGE Minimum age of backups to keep (default: 30d) No
ARCHIVE_PASSWORD Encrypt export as .7z with AES-256 No

Docker Compose Example

services:
  vaultwarden-backup:
    image: benjaminaicheler/vaultwarden-export-rclone:latest
    environment:
      - BW_HOST=https://vault.example.com
      - BW_CLIENTID=user.xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
      - BW_CLIENTSECRET=your_client_secret
      - BW_PASSWORD=YourMasterPassword123
      - CLEANUP_MIN_AGE=30d
      - RCLONE_DEST=mysmb:vaultwarden
      - RCLONE_CONFIG_MYSMB_TYPE=smb
      - RCLONE_CONFIG_MYSMB_HOST=192.168.1.10
      - RCLONE_CONFIG_MYSMB_USER=your_smb_user
      - RCLONE_CONFIG_MYSMB_PASS=your_obfuscated_smb_password

Security Considerations

  • The container requires your Master Password and API credentials as environment variables.
  • By default, the exported JSON file is unencrypted. Always set ARCHIVE_PASSWORD to encrypt your backup before upload.
  • Ensure your .env files or docker-compose.yml configs are strictly secured (chmod 600).