Bitwarden

Metric    Target
RPO       1 hour
RTO       4 hours

Bitwarden runs in the aks1.eastus2.azure k8s cluster. A backup cronjob runs as a sidecar in the Bitwarden pod and executes every hour. The backups are placed into the crate-bitwarden-backup S3 bucket.

The backup is an encrypted zip of the /data folder, including the SQLite DB that Bitwarden uses.

The backup is performed by this script.

The admin token that is used to encrypt the backup is stored in Vault at crate/infra/sysadmin/bitwarden.

To recover Bitwarden, first redeploy it (if required) from the cr8-tools repo.

Note that Bitwarden is deployed from the developer's machine - you will need to be a sysadmin and have access to Vault to do it.

Then:

$ k exec -it bitwarden-0 -c bitwardenbackup -- /bin/sh
# cd /tmp
# aws s3 cp "s3://$AWS_BUCKET/$PREFIX/bitwarden_2022_01_11_140005.bf" .
# openssl bf -d -k "$ADMIN_TOKEN" -salt -in bitwarden_2022_01_11_140005.bf -out /tmp/backup-restore.zip
# unzip backup-restore.zip
# cp -R data/backup/data/* /data
# # Then kill the bitwarden pod...
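
A check that the newest object in the bucket still meets the 1 hour RPO, useful before picking a file to restore. This is an added example, not the backup script referenced above; it assumes the bitwarden_YYYY_MM_DD_HHMMSS.bf naming seen in the restore commands, UTC timestamps in the name, and `aws s3 ls`-style listing lines. The function names are hypothetical.

```shell
# Added example, not part of the runbook. Assumptions: names follow
# bitwarden_YYYY_MM_DD_HHMMSS.bf and the timestamp in the name is UTC.
RPO_SECONDS=3600   # RPO target from this page: 1 hour

# Print the Unix epoch encoded in a backup name; return 1 if malformed.
# Integer arithmetic only, so it works in a minimal /bin/sh without GNU date.
backup_epoch() {
    n=${1##*/}
    case $n in
        bitwarden_[0-9][0-9][0-9][0-9]_[0-9][0-9]_[0-9][0-9]_[0-9][0-9][0-9][0-9][0-9][0-9].bf) ;;
        *) return 1 ;;
    esac
    ts=${n#bitwarden_}; ts=${ts%.bf}
    y=${ts%%_*}; rest=${ts#*_}
    m=${rest%%_*}; rest=${rest#*_}
    d=${rest%%_*}; hms=${rest#*_}
    h=${hms%????}; s=${hms#????}; mi=${hms#??}; mi=${mi%??}
    # Strip one leading zero so 08 and 09 are not read as invalid octal.
    m=${m#0}; d=${d#0}; h=${h#0}; mi=${mi#0}; s=${s#0}
    # Days since 1970-01-01 (civil-date algorithm, year counted from March).
    if [ "$m" -le 2 ]; then y=$((y - 1)); mp=$((m + 9)); else mp=$((m - 3)); fi
    era=$((y / 400)); yoe=$((y - era * 400))
    doy=$(( (153 * mp + 2) / 5 + d - 1 ))
    days=$(( era * 146097 + yoe * 365 + yoe / 4 - yoe / 100 + doy - 719468 ))
    echo $(( days * 86400 + h * 3600 + mi * 60 + s ))
}

# Read a listing on stdin and print the newest backup name. Zero-padded
# timestamps sort lexicographically in chronological order.
newest_backup() {
    awk '{n=$NF; sub(/.*\//, "", n); print n}' \
        | grep -E '^bitwarden_[0-9]{4}(_[0-9]{2}){2}_[0-9]{6}\.bf$' \
        | sort | tail -n 1
}

# Usage: check_rpo NOW_EPOCH < listing
# Prints "OK|STALE <name> <age-seconds>" or "NONE - -"; status 0 only within RPO.
check_rpo() {
    latest=$(newest_backup)
    [ -n "$latest" ] || { echo "NONE - -"; return 2; }
    age=$(( $1 - $(backup_epoch "$latest") ))
    if [ "$age" -le "$RPO_SECONDS" ]; then echo "OK $latest $age"
    else echo "STALE $latest $age"; return 1; fi
}

# Constructed sample listing (sizes and all but the 14:00 name are made up).
SAMPLE_LISTING='2022-01-11 12:00:09     481920 bitwarden_2022_01_11_120005.bf
2022-01-11 14:00:09     482304 bitwarden_2022_01_11_140005.bf
2022-01-11 13:00:08     482112 bitwarden_2022_01_11_130005.bf
2022-01-11 14:00:10         57 restore-notes.txt'
printf '%s\n' "$SAMPLE_LISTING" | check_rpo 1641911405 || true
```

Inside the sidecar, the same check runs against the real bucket by piping `aws s3 ls "s3://$AWS_BUCKET/$PREFIX/"` into `check_rpo "$(date +%s)"`.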

Note

Please note that each private Bitwarden Vault (for each user) is encrypted using the user's credentials and cannot be accessed by Crate.io. This is by design and is how Bitwarden works. The shared Crate.io Vault is encrypted using the admin token.