Bitwarden
=========

+---------------+----------------------------------------------------------------------+
| Metric        | Target                                                               |
+===============+======================================================================+
| RPO           | 1 hour                                                               |
+---------------+----------------------------------------------------------------------+
| RTO           | 4 hours                                                              |
+---------------+----------------------------------------------------------------------+

`Bitwarden`_ is running in the ``aks1.eastus2.azure`` k8s cluster. A backup
cronjob runs as a sidecar in the Bitwarden pod and executes every hour. The
backups are placed into the ``crate-bitwarden-backup`` S3 bucket.

The backup is an encrypted zip of the ``/data`` folder, including the SQLite
DB that Bitwarden uses. The backup is performed `by this script`_.

The admin token that is used to encrypt the backup is stored in Vault at
``crate/infra/sysadmin/bitwarden``.

To recover Bitwarden, first redeploy it (if required) from the cr8-tools repo.
Note that Bitwarden is deployed from the developer's machine: you will need to
be a sysadmin and have access to Vault to do it. Then:

.. code-block:: console

   $ k exec -it bitwarden-0 -c bitwardenbackup -- /bin/sh
   # cd /tmp
   # aws s3 cp s3://$AWS_BUCKET/$PREFIX/bitwarden_2022_01_11_140005.bf .
   # openssl bf -d -k $ADMIN_TOKEN -salt -in bitwarden_2022_01_11_140005.bf -out /tmp/backup-restore.zip
   # unzip backup-restore.zip
   # cp -R data/backup/data/* /data
   # # Then kill the bitwarden pod...

.. note::

   Please note that each private Bitwarden Vault (for each user) is encrypted
   using the user's credentials and **cannot be accessed by Crate.io**. This
   is by design and how Bitwarden works. The shared Crate.io Vault is
   encrypted using the admin token.

.. _Bitwarden: https://bitwarden.cr8.net
.. _by this script: https://github.com/crate/cr8-tools/blob/master/other-tools/bitwarden/backup/cronscript.sh
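
An added example (not part of the original runbook or the cr8-tools repo): a POSIX shell check that the newest backup in the bucket still meets the 1 hour RPO, using the ``bitwarden_YYYY_MM_DD_HHMMSS.bf`` naming seen in the restore command above. The function names and the sample listing are hypothetical, and it assumes the timestamp in the object name is UTC.

```shell
# Added example; function names and sample data are hypothetical.
RPO_SECONDS=3600   # RPO target from the table: 1 hour

# Newest backup name from `aws s3 ls`-style lines on stdin. The zero-padded
# timestamp in the name sorts chronologically, so a plain sort is enough.
latest_backup() {
    grep -oE 'bitwarden_[0-9]{4}_[0-9]{2}_[0-9]{2}_[0-9]{6}\.bf' | sort | tail -n 1
}

# bitwarden_YYYY_MM_DD_HHMMSS.bf -> epoch seconds (assumption: name is in UTC).
backup_epoch() {
    ts=${1#bitwarden_}; ts=${ts%.bf}
    y=${ts%%_*}; rest=${ts#*_}
    m=${rest%%_*}; rest=${rest#*_}
    d=${rest%%_*}; hms=${rest#*_}
    hh=${hms%????}; mm=${hms#??}; mm=${mm%??}; ss=${hms#????}
    # Strip one leading zero so 08 and 09 are not parsed as invalid octal.
    m=${m#0}; d=${d#0}; hh=${hh#0}; mm=${mm#0}; ss=${ss#0}
    # Days since 1970-01-01 for a proleptic Gregorian date (March-based year).
    if [ "$m" -le 2 ]; then y=$((y - 1)); fi
    era=$((y / 400)); yoe=$((y - era * 400)); mp=$(( (m + 9) % 12 ))
    doy=$(( (153 * mp + 2) / 5 + d - 1 ))
    doe=$(( yoe * 365 + yoe / 4 - yoe / 100 + doy ))
    days=$(( era * 146097 + doe - 719468 ))
    echo $(( days * 86400 + hh * 3600 + mm * 60 + ss ))
}

# rpo_check NOW_EPOCH < listing
# Returns 0 if the newest backup is within the RPO, 1 if stale, 2 if none found.
rpo_check() {
    now=$1
    name=$(latest_backup)
    if [ -z "$name" ]; then echo "NO_BACKUP"; return 2; fi
    age=$(( now - $(backup_epoch "$name") ))
    if [ "$age" -le "$RPO_SECONDS" ]; then
        echo "OK $name age=${age}s"; return 0
    fi
    echo "STALE $name age=${age}s"; return 1
}

# Constructed sample listing (not real bucket contents), in `aws s3 ls` layout.
SAMPLE_LISTING='2022-01-11 12:00:09      48211 bitwarden_2022_01_11_120005.bf
2022-01-11 14:00:09      48302 bitwarden_2022_01_11_140005.bf
2022-01-11 13:00:08      48302 bitwarden_2022_01_11_130005.bf'

# Demo: evaluate the sample as of 2022-01-11 14:30:05 UTC (30 minutes later).
printf '%s\n' "$SAMPLE_LISTING" | rpo_check 1641911405
```

Against the real bucket, pipe ``aws s3 ls "s3://$AWS_BUCKET/$PREFIX/"`` into ``rpo_check "$(date +%s)"`` and alert on a non-zero exit status.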