bitwarden/server
Imports & exports
Active contributors: tools team.
Purpose
Importing from another password manager (1Password, LastPass, Dashlane, KeePass, browser exports, CSV…) is one of the most common onboarding paths. Exporting your vault is also part of the privacy promise. Both flows live under src/Core/Tools/ImportFeatures/ and src/Api/Tools/Controllers/ImportCiphersController.cs.
The vast majority of import logic happens client-side — the client parses the third-party format, builds Bitwarden-shaped ciphers and folders, encrypts them with the user key, and submits them. The server's job is to validate, persist, and trigger the appropriate downstream events.
Where the code lives
| Concern | Path |
|---|---|
| Domain | src/Core/Tools/ImportFeatures/ |
| API | src/Api/Tools/Controllers/ImportCiphersController.cs, ImportPersonalCiphersController.cs, etc. |
| Service registration | services.AddImportServices(...) from src/Core/Tools/ImportFeatures/ImportFeaturesServiceCollectionExtensions.cs |
| Schema | None new — imports write to existing Cipher, Folder, Collection, CollectionCipher tables. |
Key abstractions
| Type | Description |
|---|---|
IImportCiphersCommand |
Single command interface; one implementation per import target (personal vs. org). |
ImportCiphersRequestModel |
The bulk-create payload: array of folders + array of ciphers + array of folder-cipher links. |
ImportOrganizationUsersCommand |
Bulk import of organization members from a CSV. |
How it works
sequenceDiagram
participant Client
participant Api
participant Cmd as IImportCiphersCommand
participant Db
participant Push
Client->>Client: parse 3rd-party export
Client->>Client: encrypt all ciphers / folders client-side
Client->>Api: POST /ciphers/import (bulk payload)
Api->>Cmd: validate counts vs. plan limits
Cmd->>Db: bulk-insert via Cipher_CreateMany sprocs
Cmd->>Push: PushSyncCiphers
Api-->>Client: 200 okThe bulk-create stored procedures (Cipher_CreateMany, Folder_CreateMany, CollectionCipher_CreateMany) keep the server-side step bounded; the client typically batches large imports into ~100-cipher chunks.
Plan limits
- Free / Premium personal vaults have generous-but-not-unlimited cipher counts.
- Org imports are gated by the org's seat / cipher allotment.
- Attachments are not part of imports — they must be re-uploaded once the cipher exists.
Exports
Exports are fully client-side. The server endpoints that exist (e.g. POST /accounts/api-key) exist only to generate API keys for tools that wrap export.
Audit events
Every successful import logs Cipher_Imported events and Cipher_Created events for each row. Mass-import is one of the highest-volume audit-event sources.
Entry points for modification
- Tighten import validation →
IImportCiphersCommandimplementations. - Bulk import optimisation → ensure the relevant
Create_Manysproc exists and the EF equivalent usesBulkExtensionsrather than per-rowAdd. - New client-side parser → no server change required; the parser ships with the client.
- Org-member import format change →
ImportOrganizationUsersCommandand theOrganizationUsersController.PostImportendpoint.
Built by Factory AutoWiki from public repository content. It is a generated preview for codebase exploration, not source-maintained documentation.