Migration Procedures
This article will walk you through procedures for transitioning from cloud to self-hosted, from self-hosted to cloud, and from one self-hosted server to another:
To migrate from the cloud to a self-hosted server:
Install and deploy Bitwarden to your server. At a high-level, this procedure involves:
Configuring a domain for Bitwarden.
Installing Docker and Docker Compose.
Running the installation shell script.
Configuring your environment to setup the admin portal, an SMTP server connection, and more.
Start your server by running
./bitwarden.sh start
.Open the cloud web vault and download your license.
tip
There are separate files for an organization license and an individual license. You don't need both license files. If you are migrating an organization, you only need to retrieve the organization license and must be an organization owner to do so.
Still in the cloud web vault, export your individual vault data, export your organization vault data, or secrets data. If you are migrating an organization, encourage your end-users to export their individual vaults as well.
Open your self-hosted web vault and create an account. This account must use the same email address as the cloud account you downloaded the license with.
Still in your self-hosted web vault, upload your license.
tip
There are separate locations in which to upload an organization license or an individual license. As before, only upload the one that's relevant for you.
Still in the self-hosted web vault, import your individual vault data, organization vault data , or secrets data.
note
Importing data to an organization will automatically re-create your collections and add the relevant vault items to them.
Organizations-only next steps
If you are migrating an organization to a self-hosted server, continue with the following steps:
(Enterprise organizations only) Re-implement your enterprise policy specifications and/or configure login with SSO.
Manually re-create user groups in your self-hosted web vault and assign them to the proper collections.
Start inviting users to your organization manually or using directory connector.
To migrate from a self-hosted server to the cloud:
Create a full backup of the
./bwdata
directory of your self-hosted Bitwarden server. In particular, you will need access to./bwdata/core/attachments
to manually upload file attachments to the cloud (Step 5).tip
If users are exporting their individual vaults over a period of time, you may need to re-sync the items from your
./bwdata/core/attachments
directory to your backup location and upload any new items in the event that they change during the cut-over period.In your self-hosted web vault, export your individual vault data or export your organization vault data. If you are migrating an organization, encourage your end-users to export their individual vaults as well.
Open the cloud web vault. Most users will have previously created cloud accounts for billing purposes, so log in to that account. If you were previously a free user without a cloud account for billing, create an account now.
tip
If you are migrating an organization, you will already have a cloud organization established for billing and licensing purposes. For smoothest transition, we recommend using this already-established organization rather than creating a new one.
Still in the cloud web vault, import data to your individual vault or organization vault.
note
Importing data to an organization will automatically re-create your collections and add the relevant vault items to them.
Manually upload file attachments to your individual or organization vault.
Organizations-only next steps
If you are migrating an organization to the cloud, continue with the following steps:
(Enterprise organizations only) Re-implement your enterprise policy specifications and/or configure login with SSO.
Manually re-create user groups in the cloud and assign them to the proper collections.
Start inviting users to your organization manually or using directory connector.
tip
These instructions are currently only for migration from one Linux self-hosted server to another Linux self-hosted server.
To migrate from one self-hosted Bitwarden server to another:
Stop your existing Bitwarden server by running
./bitwarden.sh stop
. When you run this command, Bitwarden will go down for anyone currently using it.Make a full copy of the
./bwdata
directory of the old server. This copy will be used to recreate your configuration, database, attachments, and more, for the new server.Install and deploy Bitwarden to your new server.
Once the new Bitwarden server is set up, replace the newly-created
./bwdata
directory with the copy from the old server.Print the new Bitwarden server's UID by running
id -u bitwarden
.Open the file
./bwdata/env/uid.env
and check that the listed values match what was printed in the previous step. If they do not match, replace both values with the result ofid -u bitwarden
.If you specified a different server domain during Step 2, edit the following:
In
./bwdata/config.yml
, change theurl:
value to the new domain.In
./bwdata/env/global.override.env
, changeglobalSettings__baseServiceUri__vault=
to the new domain.
Run
./bitwarden.sh rebuild
to apply changes toconfig.yml
andglobal.override.env
.Start your Bitwarden server with
./bitwarden.sh start
.
To migrate from one Bitwarden cloud server to another, for example, from a US server to EU server:
Export your organization vault and instruct all organization members to export their individual vaults.
tip
Individually download any file attachments for vault items and note which items they belong to.
Create a new Bitwarden account in the desired region and start a trial organization. Bitwarden support will be able to migrate your subscription to the new region (see Step 4).
Set up your new organization, configuring things like enterprise policies, login with SSO, constructing group-collection relationships, and inviting users with Directory Connector or SCIM. For help, refer to the Proof-of-Concept Checklist.
Contact Bitwarden support to move your new organization off of trial and resume your subscription in your new region.
Import your organization vault data obtained in Step 1, and instruct organization members to import their individual vaults as well.
note
Manually upload the file attachments obtained in Step 1 back to the vault items they were associated with.
Migration FAQs
Q: Do I need to migrate?
A: Migrating regions is not required. The region selector allows organizations to specify the geographic location of vault data. Features and functions are identical across regions.
Q: Is there a process for migrating?
A: Bitwarden regions are distinct cloud environments. Bitwarden cannot migrate accounts from one region to another for customers. A script is available for organizations to help facilitate migrations. Subscriptions can be transferred from one region to another region by contacting us.
Q: What does the migration script do?
A: The script works with the Bitwarden CLI to move data from one installation to another. Instructions are available in this article. This script migrates all organization vault data, including attachments, as well as member roles (excluding the custom role), and collections permissions assigned both to members and groups. The script also automatically recreates your groups in the new organization if you’re not using directory integration for automatic provisioning. Note that this does not include the migration of individual user vaults.
Q: What does a manual migration look like?
A: A complete manual migration involves creating a new account in the preferred region and beginning the new organization creation process. Once the new organization is configured, re-invite users, and then export vault data from your old organization and import into the new one. Users will need to manually export/import their individual vaults.
Suggest changes to this page
How can we improve this page for you?
For technical, billing, and product questions, please contact support