Password manager backup plan

How to export your vault and store it without regrets.


Sooner or later, you’ll want out or you'll want to change. Not because your password manager failed you, but because life changes, companies change, and “forever” is a story people tell themselves to sleep. Or maybe you want to move to an open source app like KeePass.

A password manager export is you taking your keys back. It’s also you dumping the whole keyring onto the floor for a moment. That moment matters.

If you do it right, you walk away with a secure backup and a clean migration. If you do it sloppy, you leave fingerprints everywhere: in downloads folders, in search indexes, in backups you forgot you had.

Know what you’re really extracting

And what won’t come with you

A vault isn’t just passwords. It’s your habits, your weak spots, your late-night “I’ll fix it later” notes. Before you export anything, decide what “your vault” even means.

Start with a scope. Personal vault only, or shared vaults too? If you’ve ever mixed work and home, this is where the rot shows. Shared items are the ones that keep paying rent in your head because you know too many people had access at some point. 1Password has a practical guide for splitting shared access when life gets messy, see how to divide a shared 1Password account.

Now, the hard truth: some secrets don’t export cleanly.

  • TOTP (authenticator) seeds: Some managers include them in export formats, some don’t, and some only export them in certain formats. Don’t guess. Do a test export and inspect it in a safe way (more on that later). Your goal is to avoid being locked out when you switch.
  • Passkeys: In February 2026, passkey portability is still a patchwork. You can’t count on moving passkeys between vendors. Even the people building this stuff admit it’s a work in progress, see 1Password on passkey import and export specs.

Threat model callout: the biggest risk here is false confidence. You export, you delete the old manager, then you learn your TOTP seeds or passkeys didn’t come along. The fix is simple and annoying: keep the old manager active until you’ve tested logins on your critical accounts (email, banking, Apple/Google/Microsoft, primary social accounts).
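One way to do that test-export inspection without putting a single secret on screen, as an added example that is not part of the original article: it reports only which logins carry a TOTP seed. The column names and the sample rows are assumptions modelled on a Bitwarden-style CSV, so adjust the hints to the headers your own export uses.

```python
import csv
import io

# Constructed sample in the shape of a CSV vault export (all values fake).
SAMPLE_EXPORT = """\
name,login_uri,login_username,login_password,login_totp
Email,https://mail.example,alice,not-a-real-pw,otpauth://totp/Email:alice?secret=JBSWY3DPEHPK3PXP
Bank,https://bank.example,alice,not-a-real-pw,JBSWY3DPEHPK3PXP
Forum,https://forum.example,alice,not-a-real-pw,
Wifi note,,,,
"""

# Assumed header hints; check them against your manager's real export headers.
TOTP_HINTS = ("totp", "otp")
NAME_HINTS = ("name", "title")
PASSWORD_HINTS = ("password",)


def find_column(fieldnames, hints, exact=False):
    """Return the first header that equals (exact) or contains one of the hints."""
    for field in fieldnames or []:
        low = field.strip().lower()
        if low in hints if exact else any(h in low for h in hints):
            return field
    return None


def audit_totp_coverage(stream):
    """Report which logins carry a TOTP seed, without returning any secret."""
    reader = csv.DictReader(stream)
    name_col = find_column(reader.fieldnames, NAME_HINTS, exact=True)
    pw_col = find_column(reader.fieldnames, PASSWORD_HINTS)
    totp_col = find_column(reader.fieldnames, TOTP_HINTS)
    report = {"totp_column": totp_col, "with_seed": [], "without_seed": []}
    for row_no, row in enumerate(reader, start=1):
        if pw_col and not (row.get(pw_col) or "").strip():
            continue  # no password: a secure note or card, not a login
        label = (row.get(name_col) or "").strip() if name_col else ""
        label = label or f"row {row_no}"
        has_seed = bool(totp_col and (row.get(totp_col) or "").strip())
        report["with_seed" if has_seed else "without_seed"].append(label)
    return report


if __name__ == "__main__":
    result = audit_totp_coverage(io.StringIO(SAMPLE_EXPORT))
    print("TOTP column:", result["totp_column"] or "none found")
    print("logins with seed:", len(result["with_seed"]))
    print("logins without seed:", result["without_seed"])
```

Run it against a real export only from inside the encrypted folder you exported into, and compare the "without seed" list against the accounts where you know MFA is enabled.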

If you want a default that won’t betray you, use this: export, import, verify, then rotate the most sensitive passwords after migration. Not before. Not during. After.

Export your vault safely

Windows, macOS, Linux, and mobile reality

When it’s time to export, pick the safest format your manager offers. Encrypted export beats everything. Plaintext CSV is a confession letter.

If you use Bitwarden, follow their official steps for exporting vault data and, if available in your plan and client, choose one of their encrypted export options. If you use Proton Pass, their support doc on exporting from Proton Pass is clear about where export is supported (mobile is often limited, and that’s not an accident).

Here’s the exit plan that works on any platform:

  1. Export on a desktop when possible (mobile exports can shove files into cloud apps and “help” you in all the wrong ways).
  2. Export into a folder you control (not Downloads, not Desktop).
  3. If the export isn’t encrypted, encrypt it immediately, before you do anything else.
  4. Only then, import into the new manager.

Threat model callout: the danger isn’t just theft. It’s residue. Your OS is a gossip. It keeps receipts.

| Where your vault can “stick” | What can go wrong | Your default move |
| --- | --- | --- |
| Clipboard history | Passwords linger and get pasted later, or scraped by malware | Turn off clipboard history, clear clipboard after export |
| Temporary files | Exported data shows up in temp folders during processing | Export inside encrypted storage, reboot after cleanup |
| Search indexing | Your vault becomes searchable by filename or content | Store exports where indexing is disabled or excluded |
| Backups and sync | A plaintext CSV gets copied to cloud backups forever | Pause backups, avoid syncing plaintext exports |

Platform notes, keep them simple:

  • Windows: Turn off Clipboard history (Settings, System, Clipboard). Avoid saving into Libraries that are indexed by default. If you use OneDrive folder backup, pause it while you work. After you’re done, clear the Recycle Bin, then restart. This is about reducing leftovers, not chasing perfection.
  • macOS: Spotlight indexing is fast and nosy. Don’t export to Desktop or Documents if they’re synced to iCloud Drive. Put the export inside an encrypted container or an encrypted disk image, then Spotlight can’t index what it can’t read.
  • Linux: Export somewhere boring, like a folder you’ve set not to index (Tracker, Baloo, and friends vary by desktop). If you want a practical, local workflow for encryption, you can use secure file encryption with GPG in Nautilus so the plaintext doesn’t hang around like a smell.
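A residue check for the places listed above, as an added example that is not part of the original article: it looks for leftover exports by filename and, for CSV files, by a header line that names secret columns, so a renamed export is still caught. The filename patterns, header words and scanned folders are assumptions to extend for your own manager and platform.

```python
import fnmatch
import os
import tempfile
from pathlib import Path

# Assumed filename patterns for vault exports; extend for your manager.
EXPORT_PATTERNS = ("*export*.csv", "*export*.json", "*vault*.csv", "*passwords*.csv")
# Header words that suggest a plaintext credential dump.
SECRET_HEADERS = ("password", "totp")


def default_risky_roots():
    """Places the article warns about: Downloads, Desktop, Documents, temp."""
    home = Path.home()
    roots = [home / "Downloads", home / "Desktop", home / "Documents",
             Path(tempfile.gettempdir())]
    return [r for r in roots if r.is_dir()]


def looks_like_plaintext_vault(path):
    """True if the first line reads like a CSV header naming secret columns."""
    try:
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            header = fh.readline(4096).lower()
    except OSError:
        return False
    return any(word in header for word in SECRET_HEADERS)


def find_export_residue(roots, max_depth=3):
    """Return sorted (path, reason) pairs for files that look like leftover exports."""
    findings = []
    for root in map(Path, roots):
        for dirpath, dirnames, filenames in os.walk(root):
            if len(Path(dirpath).relative_to(root).parts) >= max_depth:
                dirnames[:] = []  # do not descend further
            for name in filenames:
                path = Path(dirpath) / name
                by_name = any(fnmatch.fnmatch(name.lower(), p) for p in EXPORT_PATTERNS)
                by_content = name.lower().endswith(".csv") and looks_like_plaintext_vault(path)
                reason = "plaintext credential header" if by_content else "export-like filename"
                if by_content or by_name:
                    findings.append((path, reason))
    return sorted(findings)


if __name__ == "__main__":
    for path, reason in find_export_residue(default_risky_roots()):
        print(f"{reason}: {path}")
```

It reads only the first line of each CSV and prints paths, never contents; a hit on an encrypted export's filename is just a prompt to confirm the file is where you meant it to be.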

Mobile caveat you should accept: phones love convenience. Convenience is a leak. If your manager only exports on desktop, that’s a safety feature wearing an ugly mask.

Store the export without regrets

Encryption, backups, deletion, and verification

A vault export is not a keepsake. It’s an emergency spare tire. You don’t mount it and drive forever, you keep it sealed until you need it.

Your safest storage defaults look like this:

  • Preferred: an encrypted export file stored on an encrypted external drive (or inside an encrypted container), kept offline.
  • Acceptable: an encrypted export stored in a cloud drive only if it is strongly encrypted before upload, and the encryption password is not stored in that same cloud account.
  • Avoid: any plaintext CSV in any cloud-synced folder, even “just for a minute.”

Threat model callout: backups are where plaintext goes to become immortal. Time Machine, File History, cloud backup agents, NAS snapshots, corporate endpoint tools. They don’t care that you “deleted it.”

That’s why encryption first matters more than secure deletion fantasies, especially on SSDs where old blocks can linger. If you exported plaintext, you can try to clean up, but treat it like you spilled ink into carpet. You won’t get it all.

Verification is the part people skip because they’re tired. Don’t skip it.

After import, pick a small set of accounts and test them end-to-end: autofill, TOTP prompt, recovery codes, and account settings pages. If you’re migrating into Bitwarden, keep their import and export FAQs handy because format quirks are where migrations go to die. If you’re coming from 1Password into Bitwarden, their import from 1Password guide is a straight line through the usual traps.

Now handle the stuff that won’t migrate cleanly:

  • TOTP seeds: If they didn’t import, you’ll need to re-enroll MFA per account. Use your old manager or authenticator to log in, then switch the MFA app, or add a second factor temporarily. Save new backup codes somewhere safe.
  • Passkeys: Plan on re-registering passkeys on important sites, one by one. Keep your old device and old manager until you’ve confirmed the new passkeys work. This is slow work. Honest work.

And while you’re thinking in layers, remember your vault isn’t the only target. Your machine matters too. A firewall won’t fix an export mistake, but it does cut down background noise, see secure your Linux system using UFW IP filter.

Conclusion

You don’t export a vault because you’re paranoid. You export because you’re realistic. A password manager export is a controlled burn, quick, hot, contained.

Choose encrypted export when you can, encrypt immediately when you can’t, and keep plaintext out of synced folders and backups. Verify logins before you shut the old door, and expect TOTP seeds and passkeys to demand handwork. When you’re done, you won’t just have a backup. You’ll have peace that doesn’t squeak when you step on it.