A comprehensive set of tools for testing, analyzing and decrypting Bitwarden vault data and exporting it to 1Password-compatible CSV format. These tools enable the complete Bitwarden decryption process including ASP.NET Data Protection, Bitwarden EncString parsing, key derivation, and field decryption. NOTE: You will need to manually edit some code files, change hard coded paths/key xml strings to the ones you find on your instance. See docs for how the process works end to end.
This tool is designed for legitimate data recovery purposes only. Ensure you have proper authorization before using this tool on any Bitwarden vault data.
- Complete Bitwarden Decryption: Implements the full Bitwarden decryption process
- ASP.NET Data Protection: Handles P| prefixed encrypted data
- Bitwarden EncString Support: Parses and decrypts 2.iv|data|mac format
- Key Derivation: PBKDF2-SHA256 and HKDF key stretching
- Field Decryption: Decrypts individual vault item fields
- 1Password Export: Generates CSV files compatible with 1Password import
- Multiple Database Support: Works with SQL Server databases
- Comprehensive Logging: Detailed output for debugging and verification
- Python 3.8+
- .NET 8.0 SDK (for C# components)
- SQL Server (for database access)
- Linux/Windows/macOS
pip install pymssql cryptographydotnet add package Microsoft.AspNetCore.DataProtection
dotnet add package Microsoft.Extensions.Hosting- Clone this repository:
git clone <repository-url>
cd bitwarden_code- Install Python dependencies:
pip install -r requirements.txt- Install .NET 8.0 SDK:
# Ubuntu/Debian
wget https://packages.microsoft.com/config/ubuntu/22.04/packages-microsoft-prod.deb
sudo dpkg -i packages-microsoft-prod.deb
sudo apt-get update
sudo apt-get install -y dotnet-sdk-8.0
# Windows
# Download from https://dotnet.microsoft.com/download/dotnet/8.0Set the following environment variables or create a .env file:
# Database Configuration
export DB_SERVER=localhost
export DB_PORT=1433
export DB_USER=sa
export DB_PASSWORD=your_database_password
export DB_NAME=vault
# Bitwarden Configuration
export BITWARDEN_MASTER_PASSWORD=your_master_password
export BITWARDEN_USER_EMAIL=user@example.comCreate a master_password.txt file with your Bitwarden master password:
your_master_password_here
- Basic Decryption:
python bitwarden_decryptor_main_sanitized.py- Custom Database:
export DB_SERVER=your_server
export DB_NAME=your_database
python bitwarden_decryptor_main_sanitized.py- Compile the C# project:
dotnet build complete_bitwarden_decryptor_sanitized.cs- Run the decryptor:
dotnet run complete_bitwarden_decryptor_sanitized.csfrom database_utils import connect_to_database, get_user_data
from crypto_utils import derive_master_key, decrypt_user_key
# Connect to specific database
conn = connect_to_database()
user_data = get_user_data(conn)
# Decrypt with custom parameters
master_key = derive_master_key(
master_password="your_password",
email=user_data['email'],
kdf_iterations=user_data['kdf_iterations']
)from csv_exporter import convert_to_1password_format, save_to_csv
# Convert to 1Password format
csv_data = convert_to_1password_format(decrypted_items, symmetric_key, cipher_columns, master_key)
# Save to CSV
save_to_csv(csv_data, filename="custom_export.csv")-
crypto_utils.py: Cryptographic functions- PBKDF2-SHA256 key derivation
- HKDF key stretching
- AES-256-CBC decryption
- HMAC-SHA256 verification
-
database_utils.py: Database operations- SQL Server connection
- User data retrieval
- Cipher data extraction
-
field_decryptor.py: Field decryption- Bitwarden EncString parsing
- Individual field decryption
- JSON data extraction
-
csv_exporter.py: Export functionality- 1Password CSV format conversion
- Data sanitization
- File output
- Database Connection: Connect to SQL Server database
- User Data Retrieval: Get user email, KDF settings, and encrypted keys
- Master Key Derivation: Use PBKDF2-SHA256 with email as salt
- Key Stretching: Apply HKDF to derive encryption and MAC keys
- User Key Decryption: Decrypt the user's symmetric key
- Field Decryption: Decrypt individual vault item fields
- CSV Export: Convert to 1Password-compatible format
- ASP.NET Data Protection:
P|prefixed data - Bitwarden EncString:
2.iv|data|macformat - AES-256-CBC: Standard Bitwarden encryption
- HMAC-SHA256: Message authentication
-
Database Connection Failed
- Verify SQL Server is running
- Check connection parameters
- Ensure firewall allows connections
-
MAC Verification Failed
- Verify master password is correct
- Check KDF iteration count
- Ensure data hasn't been corrupted
-
Decryption Errors
- Verify ASP.NET Data Protection keys
- Check Bitwarden EncString format
- Ensure proper key derivation
Enable verbose logging:
import logging
logging.basicConfig(level=logging.DEBUG)Run the test suite:
python -m pytest tests/- Credential Storage: Never commit passwords to version control
- Data Protection: Ensure encrypted data is handled securely
- Access Control: Limit access to decryption tools
- Audit Logging: Log all decryption activities
- Data Cleanup: Remove sensitive data after processing
bitwarden_code/
├── README.md # This file
├── requirements.txt # Python dependencies
├── bitwarden_decryptor_main_sanitized.py # Main Python script
├── complete_bitwarden_decryptor_sanitized.cs # Main C# script
├── crypto_utils.py # Cryptographic functions
├── database_utils_sanitized.py # Database utilities
├── field_decryptor.py # Field decryption
├── csv_exporter.py # CSV export functionality
├── tests/ # Test files
└── docs/ # Documentation
- Fork the repository
- Create a feature branch
- Make your changes
- Add tests for new functionality
- Submit a pull request
This project is licensed under the MIT License - see the LICENSE file for details.
This tool is provided for educational and legitimate data recovery purposes only. Users are responsible for ensuring they have proper authorization before using this tool on any Bitwarden vault data. The authors are not responsible for any misuse of this tool.
For issues and questions:
- Check the troubleshooting section
- Review the documentation
- Open an issue on GitHub
- Contact the maintainers
- Initial release
- Complete Bitwarden decryption support
- 1Password CSV export
- ASP.NET Data Protection support
- Comprehensive documentation