Backups created successfully, but restore/import fails in both bitwarden and raw modes

[sk8er000]

I can create backups successfully with BackVault, but I am unable to validate restore/import.

I tested both encryption modes:

1. "bitwarden" mode
   The backup file is created successfully as ".enc", but importing it with Bitwarden CLI fails with:

   • "The decryption operation failed"
   • "no elements in sequence"

2. "raw" mode
   I can decrypt the ".enc" file using the Python script from the README, but importing the resulting ".json" into another Bitwarden account still fails with:

   • "no elements in sequence"

The README states that "bitwarden" mode uses Bitwarden's native encrypted JSON format and can be restored into the same or a different Bitwarden account via:

bw import bitwardenjson /path/to/backup.enc

In my case, that restore path does not work.

To Reproduce

"bitwarden" mode

1. Deploy BackVault against a self-hosted Vaultwarden instance.
2. Complete the one-time setup UI successfully.
3. Let BackVault create the initial backup in "bitwarden" mode.
4. Try to import the backup with Bitwarden CLI:

bw import bitwardenjson /path/to/backup.enc

5. Enter the master password and import file password when prompted.

"raw" mode

1. Create a backup in "raw" mode.
2. Decrypt it using the Python script from the README.
3. Import the resulting JSON into another Bitwarden account.

Actual behavior

"bitwarden" mode

Import fails with:

ERROR bitwarden_crypto::store::context: error=The decryption operation failed
ERROR bitwarden_vault::cipher::cipher: error=The decryption operation failed
Failed to encrypt ciphers in batch: CipherError: The decryption operation failed
no elements in sequence

"raw" mode

The file decrypts successfully, but the resulting JSON still fails to import with:

no elements in sequence

Expected behavior

At least one of the documented restore paths should work:

• "bitwarden" mode should be importable with:
  bw import bitwardenjson /path/to/backup.enc
• "raw" mode should decrypt to a JSON export that Bitwarden can import successfully.

Environment

• BackVault image/tag: "latest"
• Vault backend: self-hosted Vaultwarden
• Vaultwarden deployment: Docker on Linux
• Bitwarden CLI version used for restore test: "2026.3.0"
• Restore target: another Bitwarden account used only for disaster recovery testing
• Access path to Vaultwarden: HTTPS via Cloudflare Tunnel for normal GUI access

Additional context

I compared the top-level JSON keys of two files:

BackVault "raw" backup after decryption

['encrypted', 'folders', 'items']

Bitwarden GUI encrypted export

['encrypted', 'passwordProtected', 'salt', 'kdfType', 'kdfIterations', 'encKeyValidation_DO_NOT_EDIT', 'data']

This suggests the BackVault-decrypted "raw" JSON is not the same format as Bitwarden's password-protected encrypted export, which is expected, but the resulting JSON still does not import successfully.

Also, for "bitwarden" mode, the restore/import failure seems to contradict the documented restore instructions.

Questions

1. Is "bitwarden" mode currently expected to work when restoring into a different Bitwarden account?
2. Is "raw" mode expected to produce a JSON file directly importable by Bitwarden Web/Desktop?
3. Are there any known compatibility issues between:
   • BackVault
   • Vaultwarden
   • current Bitwarden CLI versions
4. Would you like me to provide:
   • the exact BackVault image tag
   • sanitized docker-compose
   • sanitized sample JSON structure
   • full logs from backup creation and restore attempts

Logs

"bitwarden" mode restore attempt

ERROR bitwarden_crypto::store::context: error=The decryption operation failed
ERROR bitwarden_vault::cipher::cipher: error=The decryption operation failed
Failed to encrypt ciphers in batch: CipherError: The decryption operation failed
no elements in sequence

"raw" mode JSON structure comparison

BackVault decrypted JSON keys:
['encrypted', 'folders', 'items']

Bitwarden GUI encrypted export JSON keys:
['encrypted', 'passwordProtected', 'salt', 'kdfType', 'kdfIterations', 'encKeyValidation_DO_NOT_EDIT', 'data']

[mvfc]

Hi @sk8er000 thanks for the issue and for the thorough descriptions.

I've just tested on my local install of vaultwarden and on bitwarden web, using RAW mode and the unencrypted JSON right after decrypting with the copypaste script of the README.md

They both imported successfully.

Be sure you're selecting "Bitwarden (json)" on the import type and the .enc file was decrypted successfully.

Using bitwarden encryption also works, but you don't need to decrypt the file for that one, just use it on the UI on import and type in the password file you chose for the encryption when doing the setup

I sadly cannot reproduce the issues you're having, as both modes are functioning both on my local vaultwarden setup and my bitwarden EU account.

CLI also working to import raw and bitwarden modes.

[sk8er000]

Thank you for your reply.

I actually tried running a second container using your exact compose file and tested again, but unfortunately I still got the same error:

no elements in sequence

This is the initial log of the container:

Changing appuser group to PGID 1000
addgroup: group 'appgroup' in use
Changing appuser UID to 1000
Initializing Backvault container...
Secure DB not found; starting one-time setup UI at http://0.0.0.0:8080
INFO:     Started server process [24]
INFO:     Waiting for application startup.
INFO:     Application startup complete.
INFO:     Uvicorn running on http://0.0.0.0:8080 (Press CTRL+C to quit)
INFO:     192.168.1.39:52480 - "GET / HTTP/1.1" 200 OK
INFO:     192.168.1.39:52480 - "GET /favicon.ico HTTP/1.1" 404 Not Found
2026-04-21 07:05:13,701 INFO: Connecting to database at /app/db/backvault.db
2026-04-21 07:05:13,702 ERROR: Database file does not exist.
2026-04-21 07:05:13,703 INFO: Initializing database, attempting to find or create pragma key at /app/db/backvault.db.pragma
2026-04-21 07:05:13,704 INFO: Database file created.
2026-04-21 07:05:13,705 INFO: Pragma set. Database encrypted.
2026-04-21 07:05:14,134 INFO: Creating table.
2026-04-21 07:05:14,140 INFO: Table created.
INFO:     192.168.1.39:50792 - "POST /init HTTP/1.1" 302 Found
2026-04-21 07:05:14,689 INFO: Setup complete, shutting down UI...
INFO:     192.168.1.39:50792 - "GET /done HTTP/1.1" 200 OK
Setup complete detected, stopping UI...
INFO:     Shutting down
INFO:     Waiting for application shutdown.
INFO:     Application shutdown complete.
INFO:     Finished server process [24]
Running initial backup...
2026-04-21 07:05:17,789 INFO: Connecting to database at /app/db/backvault.db
2026-04-21 07:05:18,212 INFO: Connecting to vault...
2026-04-21 07:05:25,470 INFO: Logging in via API key
2026-04-21 07:05:35,299 INFO: Logged in successfully
2026-04-21 07:05:44,916 INFO: Vault unlocked successfully
2026-04-21 07:05:44,916 INFO: Starting export with mode: 'raw'
2026-04-21 07:05:44,918 INFO: Exporting raw data from Bitwarden...
2026-04-21 07:05:52,695 INFO: Encrypting data in-memory...
2026-04-21 07:05:53,379 INFO: Encryption successful.
2026-04-21 07:05:53,382 INFO: Export completed successfully to /app/backups/backup_20260421_070544.enc.
2026-04-21 07:06:00,048 INFO: Logged out successfully
2026-04-21 07:06:00,048 INFO: Successfully logged out.
Starting supercronic scheduler...
time="2026-04-21T07:06:00+02:00" level=info msg="reaping dead processes"
time="2026-04-21T07:06:00+02:00" level=info msg="read crontab: /app/crontab"

I then decrypted the .enc file using your script, which completed without any issue:

python3 decrypt.py backup_20260421_070544.enc
Enter backup password: 
Decryption successful. Output saved to: backup_20260421_070544.json

When importing into my Bitwarden account I always select the Bitwarden (json) format.

I also verified the backup contents to confirm the data was actually exported:

python3 -c "import json; d=json.load(open('backup_20260421_070544.json')); print('items:', len(d.get('items',[])), 'folders:', len(d.get('folders',[])), 'encrypted:', d.get('encrypted'), 'keys:', list(d.keys()))"

items: 387 folders: 5 encrypted: False keys: ['encrypted', 'folders', 'items']

So the JSON structure looks correct and the data is clearly present, but the import into Bitwarden still fails with no elements in sequence.

I also tried a different test:

1. Exported my Vaultwarden vault into a Bitwarden-compatible encrypted JSON using the script I wrote for my own scheduled backups (see below)
2. Linked my BackVault container to my Bitwarden account
3. Created a new backup with BackVault (raw mode)
4. Erased the entire vault on the Bitwarden account
5. Decrypted the BackVault backup using your script
6. Imported the resulting JSON into Bitwarden

This time the import completed successfully, but I'm not sure whether that's because I imported into the same account that had generated the export, rather than a different one.

For reference, here is the script I use with cron for my own scheduled backups. With this approach I'm able to transfer data from one account to another without issues. The difference compared to BackVault is that I don't need to decrypt the JSON beforehand — the Bitwarden GUI asks me for the file password directly during import:

#!/bin/bash
set -euo pipefail

# Explicit PATH for cron
export PATH="/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin"

# Load credentials
source /path/to/vault_backup.env

# Export variables for bw
export BW_CLIENTID
export BW_CLIENTSECRET
export BW_PASSWORD

# Config
BW_SERVER="https://your-local-vaultwarden.example.com"
BACKUP_DIR="/path/to/vault_backup"
BACKUP_USER="youruser"
RETENTION_DAYS=30
DATE=$(date +%Y-%m-%d)
BACKUP_FILE="${BACKUP_DIR}/${DATE}_vaultwarden-backup.json"
PCLOUD_DIR="pcloud:YourBackupFolder"
GDRIVE_DIR="gdrive:YourBackupFolder"

# Telegram notification function
send_telegram() {
    curl -s -X POST "https://api.telegram.org/bot${TELEGRAM_BOT_TOKEN}/sendMessage" \
        -d chat_id="${TELEGRAM_CHAT_ID}" \
        -d text="$1" > /dev/null
}

# Trap for failure notification
trap 'bw logout > /dev/null 2>&1 || true; send_telegram "❌ Vaultwarden backup FAILED"' ERR

# Prepare directory
mkdir -p "$BACKUP_DIR"

# Preventive logout
bw logout > /dev/null 2>&1 || true

# Config server
bw config server "$BW_SERVER" > /dev/null

# Login
bw login --apikey > /dev/null

# Unlock
BW_SESSION=$(bw unlock --passwordenv BW_PASSWORD --raw)
export BW_SESSION

# Sync
bw sync > /dev/null

# Export
bw export --format encrypted_json --password "$FILE_PASSWORD" --output "$BACKUP_FILE" > /dev/null

# Fix ownership and permissions
chown "${BACKUP_USER}:${BACKUP_USER}" "$BACKUP_FILE"
chmod 640 "$BACKUP_FILE"

# Logout
bw logout > /dev/null 2>&1 || true

# Local retention
find "$BACKUP_DIR" -name "*_vaultwarden-backup.json" -mtime +${RETENTION_DAYS} -delete

# Sync pCloud
rclone copy "$BACKUP_DIR" "$PCLOUD_DIR"

# Sync Google Drive
rclone copy "$BACKUP_DIR" "$GDRIVE_DIR"

send_telegram "✅ Vaultwarden backup completed: ${DATE}_vaultwarden-backup.json"
echo "Backup completed: $BACKUP_FILE"

Hope it helps to debug my probem.

Thank you in advance