This guide walks you through exporting from Bitwarden, importing into Proton Pass, verifying integrity (logins, TOTP seeds, notes, cards, identities), handling items that do not migrate automatically (attachments, passkeys, shares), and securely disposing of leftover export files.
TL;DR
- Clean your Bitwarden vault first (trash, duplicates, legacy accounts, stale 2FA codes).
- Export unencrypted JSON (needed for Proton Pass import) – store it briefly with strict permissions.
- Import JSON in Proton Pass → Settings → Import → Bitwarden.
- Manually recreate: attachments, Send links, passkeys (FIDO2/WebAuthn), collections/shares, password history.
- Spot‑check critical items (bank, email, cloud, registrar) + a few TOTP codes.
- Securely shred the export file and any temporary derivatives.
1. Why Migrate?
Bitwarden vs Proton Pass: Key Differences
This is not a “better crypto” argument; both are strong. It’s about ecosystem consolidation, aliasing, and UI preferences with Proton Pass.
Hide My Email: why it shines
- Unique per‑site aliases: avoid cross‑site tracking and credential stuffing that target reused addresses.
- Autofill + instant generation: create and fill an alias at signup without leaving the flow.
- Private reply routing: receive replies without exposing your real mailbox; turn off forwarding anytime.
- One‑click kill switch: disable a spammed alias without touching your primary email or changing logins. It acts like a smarter, managed “burner email” layer you can rotate or retire per site, without the hassle of juggling separate inboxes.
- Clean separation: keep vendors from learning your canonical address while preserving deliverability. Learn more about Email Aliases
Proton Pass creating and autofilling a per‑site alias (your real address is never exposed)
Added Security & Hygiene Perks
- Dark Web Monitoring – Paid Proton plans can surface breach exposures tied to your primary email (and increasingly aliases), giving you early warning to rotate credentials before active abuse.
- Password Health (Weak / Reused) – A consolidated view (or periodic manual audit) to spot weak, short, or re‑used secrets so you can prioritize rotations while everything is fresh in your mind post‑migration.
- Inactive / Missing 2FA Signal – Identify high‑value accounts lacking TOTP/passkey fields; treat migration as a trigger to enable MFA everywhere feasible (email, registrar, banking, cloud consoles). Proton Pass makes it obvious which entries have no TOTP seed yet.
- Secure Password Sharing – Share a single password, note, card, or a collection of items with anyone—even if they don’t use Proton Pass—via granular vault sharing; revoke or adjust access without exposing unrelated data. Learn more about Password Sharing.
2. Pre‑Migration Checklist
Pre‑Migration Tasks and Rationale
Tip: Create a plaintext (temporary) checklist file to tick off, then shred it at the end.
3. Clean & Classify Bitwarden Data
Group edge cases now:
- Attachments – In Proton Pass, currently re‑attach manually (download → add to item in Pass).
- Send items – Export does not include them; copy any content you still need.
- Passkeys (FIDO2/WebAuthn authenticators) – Not exportable; you must re‑register with each site in a passkey-supporting Proton Pass client.
- Collections / Shared (Org) – Personal import ignores organizational scoping. Plan manual recreation / team migration.
- Password History – Not imported. If needed, export a separate encrypted archive (optional) & store offline.
Optional labeling strategy: In Bitwarden, prefix critical items with a temporary tag like CRIT- to speed post‑import sampling.
4. Export from Bitwarden (Safely)
Bitwarden Web Vault → Settings → Export Vault.
Export Format Options
Steps:
- Choose JSON (unencrypted).
- Enter master password → download bitwarden_export_YYYYMMDD.json.
Bitwarden Export: choose JSON (unencrypted) then download before hashing & secure disposal
- (Optional security hardening) Immediately set strict perms & hash it:
chmod 600 bitwarden_export_20250904.json
sha256sum bitwarden_export_20250904.json > bitwarden_export_20250904.json.sha256
- (Optional audit) Quick schema glance:
head -n 40 bitwarden_export_20250904.json | sed -E 's/"(password|totp)": ".*"/"\1": "REDACTED"/'
Security Notes:
- Keep file on an encrypted volume if possible.
- Do not email / cloud-sync the raw export.
- Close unrelated apps while it exists.
5. Proton Pass Import
Browser Extension / Web App → Settings → Import → Pick “Bitwarden” inside Proton Pass. Upload the JSON; Proton parses and maps types:
Accessing Import: open the gear menu in the Proton Pass header and choose Import to start bringing in your Bitwarden JSON
Navigate to Settings → Import to begin a Bitwarden vault migration
Bitwarden → Proton Pass Mapping
Items NOT imported: attachments, sends, org collections, password histories, FIDO2 devices.
Bitwarden import dialog: confirm file selection then click Import to start processing
Proton Pass import: select Bitwarden JSON, map types, and review summary before finalizing
If the import UI reports errors:
- “Unknown field” → likely future Bitwarden attribute; safe to ignore.
- “Invalid JSON” → redownload; ensure no editor auto-saved changes (VS Code formatting etc.).
If the file is large (more than a few MB) and the browser stalls, try a different browser or Proton Pass desktop (if available) to avoid memory aborts.
6. Post‑Import Validation
- Count Check – Bitwarden item count vs Proton Pass count (± items you knew wouldn’t migrate).
- Critical Sampling – Open each CRIT- tagged item; test a login (in private browser session) for a few high-value services.
- TOTP Integrity – For 3–5 random entries, generate a code in Proton Pass & Bitwarden (don’t delete BW yet) → they should match within the same 30s window.
- Search Smoke Test – Search by a rare domain; confirm it appears.
- Attachments – Manually add files where needed; consider whether they truly must live in the manager.
When satisfied, either archive Bitwarden locally (log out) or keep it in read‑only mode for a few days as a rollback.
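The count check, CRIT- sampling and TOTP sampling above can be prepared from the export itself before it is shredded. The script below is an added example, not part of the original guide or of either product's code; the field names it reads (`type`, `name`, `login.totp`, `passwordHistory`, `collectionIds`) and the type numbers 2 to 4 are assumptions about the Bitwarden export schema, and the sample vault is constructed.

```javascript
// Added example: inventory a Bitwarden JSON export without printing secrets.
// Assumed schema fields: items[].type, name, login.totp, passwordHistory,
// collectionIds. Type 1 = login is from the guide; 2-4 are assumed here.
const TYPE_NAMES = { 1: "login", 2: "note", 3: "card", 4: "identity" };

function inventory(vault, critPrefix = "CRIT-") {
  const items = Array.isArray(vault.items) ? vault.items : [];
  const report = {
    total: items.length,       // compare with the Proton Pass item count
    byType: {},
    critical: [],              // names to open one by one after import
    withTotp: 0,               // pool for the 3-5 TOTP comparisons
    loginsWithoutTotp: [],     // candidates for enabling 2FA
    withPasswordHistory: [],   // history is not imported
    inCollections: [],         // org scoping is not carried over
  };
  for (const item of items) {
    const kind = TYPE_NAMES[item.type] || `unknown(${item.type})`;
    report.byType[kind] = (report.byType[kind] || 0) + 1;
    const name = item.name || "(unnamed)";
    if (name.startsWith(critPrefix)) report.critical.push(name);
    if (item.type === 1) {
      if (item.login && item.login.totp) report.withTotp += 1;
      else report.loginsWithoutTotp.push(name);
    }
    if ((item.passwordHistory || []).length) report.withPasswordHistory.push(name);
    if ((item.collectionIds || []).length) report.inCollections.push(name);
  }
  return report;
}

// Constructed sample export (not real data).
const SAMPLE = { items: [
  { type: 1, name: "CRIT-Bank", login: { username: "a", password: "x", totp: "JBSWY3DPEHPK3PXP" },
    passwordHistory: [{ lastUsedDate: "2025-01-01T00:00:00.000Z", password: "old" }] },
  { type: 1, name: "Forum", login: { username: "b", password: "y", totp: null } },
  { type: 3, name: "Visa", card: {} },
  { type: 2, name: "Team wifi", collectionIds: ["c1"] },
] };

// Usage: node inventory.js bitwarden_export_20250904.json
const exportPath = typeof require === "function" ? process.argv[2] : undefined;
const vault = exportPath && exportPath.endsWith(".json")
  ? JSON.parse(require("fs").readFileSync(exportPath, "utf8"))
  : SAMPLE;
console.log(JSON.stringify(inventory(vault), null, 2));
```

The report contains item names but no passwords or TOTP seeds; if you save it, dispose of it together with the export.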
7. Recreate Non‑Migrated Elements
Manual Re‑creation Checklist
For high-value accounts, take the opportunity to rotate weak / reused passwords during recreation.
8. Secure Disposal of Export
After you have 100% confidence:
sha256sum -c bitwarden_export_20250904.json.sha256 # (optional integrity re-check)
shred -u -n 3 bitwarden_export_20250904.json # overwrite & delete
rm -f bitwarden_export_20250904.json.sha256
history -d $(history | tail -n 1 | awk '{print $1}') 2>/dev/null || true # scrub command (optional)
If using an SSD, shredding may not guarantee physical overwrite—rely on full‑disk encryption + deletion.
9. Optional: Minimal Sanitized Subset Script
If you want to migrate only logins (omit cards, identities, notes) you can pre-filter. Example Node.js one-liner (run locally, never on shared host):
node -e 'const fs=require("fs");const src=JSON.parse(fs.readFileSync("bitwarden_export_20250904.json","utf8"));src.items=src.items.filter(i=>i.type===1);fs.writeFileSync("bitwarden_logins_only.json",JSON.stringify(src),{mode:0o600});'
chmod 600 bitwarden_logins_only.json
Import bitwarden_logins_only.json instead. (Type 1 = login in BW schema.)
10. Troubleshooting
Common Issues and Fixes
11. Rollback Plan
Hold the Bitwarden account (do not delete it) for a grace period (e.g., 7–14 days). If a missing item surfaces, export just that item (copy manually) into Proton, then finalize by deleting the BW vault after verifying no dependencies (browser extension removal, mobile app sign‑out, emergency access revocation).
12. Security Mindset Checklist (Final Pass)
- Enforced 2FA on Proton account
- Shredded Bitwarden export(s)
- Revoked Bitwarden browser extension & mobile app
- Rotated any reused / weak passwords encountered
- Verified random TOTP codes
- Re-established critical passkeys (if used)
- Documented any manual recreation steps for audit
13. FAQ
Q: Can I keep Bitwarden as encrypted backup?
Yes, but use a unique master password and enable 2FA, and expect potential confusion later.
Q: Are passkeys exported?
No—re-register them.
Q: Do I need to sign out everywhere before deleting Bitwarden?
Recommended: sign out, revoke sessions; reduces risk of stale device leak.
Q: Should I use CSV instead of JSON?
JSON preserves more structure (preferred here).
Q: Is shredding on SSD meaningful?
Limited; rely on disk encryption + logical deletion.
Q: Should I disable Bitwarden autofill before or during migration?
Yes. Disable (or uninstall) the Bitwarden extension/app’s autofill before validating Proton Pass so you don’t get overlapping prompts or accidentally test a login filled by the old manager. Keep Bitwarden accessible in a separate browser profile or window only for reference until the rollback window closes.
Q: What about passwords already saved in the browser (Chrome/Firefox/Edge/Safari)?
Export or review them first, then clear them out (after verifying Proton Pass has the entries) to avoid a “shadow” credential store leaking outdated passwords or creating confusing duplicate suggestions. Also disable the built‑in browser password manager’s offer‑to‑save and auto‑sign‑in features once Proton Pass is active.
14. Wrap‑Up
Migration is mostly data hygiene and verification. Take the chance to prune, rotate, and standardize naming. Once stable, remove legacy access paths to reduce attack surface.
Improvements or edge cases you hit? Add them to a running changelog file (not stored with secrets) so future migrations are even smoother.
Happy (secure) migrating! If you haven’t started yet, you can begin by creating your account at Proton Pass.