Importing from Bitwarden

Overview

Vault’s import tool supports Bitwarden exports, making it straightforward to migrate your team’s development credentials from Bitwarden to Vault. The importer reads Bitwarden’s JSON or CSV export format, detects credential types, and creates credentials in your Vault tenant with preserved metadata.

Export from Bitwarden

Bitwarden supports JSON and CSV export formats. The JSON format preserves more metadata (custom fields, folder structure, notes), so it is the recommended format.

In Bitwarden:

  1. Log in to the web vault or open the desktop application.
  2. Go to Tools > Export Vault.
  3. Choose JSON as the file format.
  4. Select the folder or collection you want to export, or export everything.
  5. Enter your master password to confirm.
  6. Save the export file.

Run the import

npx @ghoststack/vault-cli import bitwarden \
  --file ./bitwarden-export.json \
  --tenant my-org \
  --token "$VAULT_TOKEN" \
  --dry-run

The --dry-run flag shows what would be imported without writing anything to Vault:

# Preview output:
# [dry-run] Would create: aws-access-key (api-key)
# [dry-run] Would create: staging-postgres (database-url)
# [dry-run] Would create: deploy-ssh-key (ssh-key)
# [dry-run] Would create: jwt-signing-secret (generic-secret)
# 4 credentials would be imported.

When you are satisfied with the preview, remove --dry-run:

npx @ghoststack/vault-cli import bitwarden \
  --file ./bitwarden-export.json \
  --tenant my-org \
  --token "$VAULT_TOKEN"

Type detection

The importer analyzes each Bitwarden item and maps it to a Vault credential type:

| Bitwarden item type | Content analysis | Vault type |
| --- | --- | --- |
| Login | Password field contains a URL scheme | database-url |
| Login | Password starts with PEM header | ssh-key |
| Login | Default case | api-key |
| Secure Note | Content starts with PEM header | ssh-key or tls-certificate |
| Secure Note | Default case | generic-secret |
| Identity / Card | Skipped | Not imported |

Override the automatic detection with --type-map:

npx @ghoststack/vault-cli import bitwarden \
  --file ./bitwarden-export.json \
  --tenant my-org \
  --token "$VAULT_TOKEN" \
  --type-map "AWS Access Key=api-key" \
  --type-map "Staging DB=database-url"

Field mapping

Bitwarden items have different fields depending on their type. The importer maps them as follows:

Login items:

  • The password field becomes the credential value.
  • The username is stored in metadata.username.
  • The first URI is stored in metadata.url.
  • The item name becomes the credential name (lowercased, spaces replaced with hyphens).

Secure Note items:

  • The notes field becomes the credential value.
  • The item name becomes the credential name.

Custom fields:

  • Custom fields from Bitwarden are stored as metadata key-value pairs.
  • Hidden custom fields are treated as sensitive and included in the encrypted credential metadata.

Folder-based naming

If the Bitwarden export includes folder structure, you can use it as a name prefix:

npx @ghoststack/vault-cli import bitwarden \
  --file ./bitwarden-export.json \
  --tenant my-org \
  --token "$VAULT_TOKEN" \
  --use-folders

With --use-folders, an item named “API Key” in the folder “Production/Stripe” becomes production-stripe-api-key in Vault.

Handling duplicates

The duplicate handling behavior matches the 1Password importer:

  • --on-conflict=skip (default) — Skip credentials that already exist.
  • --on-conflict=overwrite — Update existing credentials with imported values.
  • --on-conflict=rename — Append a numeric suffix to avoid conflicts.
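
The type detection table, the naming rule and the --use-folders prefix can be checked offline against an export before running the importer. The sketch below is an added example, not the Vault importer's own code: it predicts each item's name and type and reports items whose names normalize to the same credential name, so you know which ones will collide before choosing an --on-conflict mode. Assumptions: the regex used for "URL scheme", a CERTIFICATE PEM header selecting tls-certificate, folder slashes becoming hyphens, and the hypothetical function names.

```python
import json, re
from collections import defaultdict

# Constructed sample in Bitwarden's unencrypted JSON export layout (all values fake).
SAMPLE = json.dumps({"folders": [{"id": "f1", "name": "Production/Stripe"}], "items": [
    {"type": 1, "name": "API Key", "folderId": "f1", "login": {"password": "fake-token-123"}},
    {"type": 1, "name": "Staging Postgres", "login": {"password": "postgres://app:fake@db.example.test/app"}},
    {"type": 1, "name": "staging postgres", "login": {"password": "postgres://app:fake2@db.example.test/app"}},
    {"type": 2, "name": "Deploy SSH Key",
     "notes": "-----BEGIN OPENSSH PRIVATE KEY-----\nfake\n-----END OPENSSH PRIVATE KEY-----"},
    {"type": 3, "name": "Corp Card"},
]})

URL_SCHEME = re.compile(r"[a-zA-Z][a-zA-Z0-9+.-]*://")  # assumed meaning of "URL scheme"
PEM = "-----BEGIN "

def vault_type(item):
    """Apply the detection table above; returns None for skipped item types."""
    if item["type"] == 1:  # Login
        value = (item.get("login") or {}).get("password") or ""
        if URL_SCHEME.search(value):
            return "database-url"
        return "ssh-key" if value.startswith(PEM) else "api-key"
    if item["type"] == 2:  # Secure Note
        value = item.get("notes") or ""
        if value.startswith(PEM):
            # Assumption: a CERTIFICATE header selects tls-certificate.
            return "tls-certificate" if "CERTIFICATE" in value.split("\n", 1)[0] else "ssh-key"
        return "generic-secret"
    return None  # Identity / Card are not imported

def vault_name(item, folders, use_folders=False):
    """Lowercase the name and replace spaces (and folder slashes) with hyphens."""
    folder = folders.get(item.get("folderId")) if use_folders else None
    raw = f"{folder}/{item['name']}" if folder else item["name"]
    return re.sub(r"[\s/]+", "-", raw.strip().lower())

def preview(export_json, use_folders=False):
    """Return ([(name, type)], {name: [original item names]}) for colliding names."""
    data = json.loads(export_json)
    folders = {f["id"]: f["name"] for f in data.get("folders", [])}
    planned, seen = [], defaultdict(list)
    for item in data.get("items", []):
        kind = vault_type(item)
        if kind is not None:
            name = vault_name(item, folders, use_folders)
            planned.append((name, kind))
            seen[name].append(item["name"])
    return planned, {n: o for n, o in seen.items() if len(o) > 1}
```

preview() returns only names and predicted types, never credential values, so its output is safe to paste into a migration ticket.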

CSV imports

If you export as CSV instead of JSON, the import command works the same way:

npx @ghoststack/vault-cli import bitwarden \
  --file ./bitwarden-export.csv \
  --tenant my-org \
  --token "$VAULT_TOKEN"

CSV exports contain fewer fields (no custom fields, no folder structure), so JSON is preferred when available.

Post-import steps

  1. Review imported credentials in the Vault dashboard.
  2. Configure lease policies appropriate for each credential.
  3. Set up ACLs for team access.
  4. Delete the Bitwarden export file immediately. It contains plaintext secrets.
  5. Test each imported credential by creating a lease and verifying the value works with the target service.