Migrate User Keys
Key Connector provides a utility for migration from one database to another, or from one RSA key pair configuration to another. Before executing this migration, it is highly recommended that you take a backup of the database being used by Key Connector to store encrypted user keys.
Warning: Schedule a maintenance window in which to execute the procedures in this article; they will require you to stop services, which will result in downtime for users of your Bitwarden server.
Key Connector must access a database that stores encrypted user keys for your organization members. Create a new secure database and complete the following steps to migrate user keys to it:
1. Stop the Key Connector container.
2. In your .bwdata/env/key-connector.override.env file, replace the existing keyConnectorSettings__database__ values with the required values for your new database (learn more).
   Tip: Copy the old values to somewhere you can easily access them, as you'll need them in a future step.
3. Start the Key Connector container to initialize the database. Once it's initialized, stop the Key Connector container again.
4. In key-connector.override.env, add the old keyConnectorSettings__database__ values back in and insert transferTo__ into each of the new values that you added in Step 2.
   For example, at this stage a configuration migrating from a local JSON file to a Microsoft SQL Server database would include the following values:

    keyConnectorSettings__database__provider=json
    keyConnectorSettings__database__jsonFilePath=/etc/bitwarden/database.json
    keyConnectorSettings__transferTo__database__provider=sqlserver
    keyConnectorSettings__transferTo__database__sqlServerConnectionString={Connection_String}

5. Restart your self-hosted Bitwarden installation in order to apply the configuration changes:

    ./bitwarden.sh restart

6. Now that your user keys are migrated, clean up your key-connector.override.env file. Stop the Key Connector container, remove the old values, and remove transferTo__ from each of the new values added in Step 2.
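The edits in Steps 4 and 6, scripted as an added example (this is not Bitwarden tooling or code from the original page). The function names are hypothetical, and the sample values are constructed from the JSON-to-SQL-Server example above.

```bash
# Added example (not Bitwarden tooling): function names are hypothetical.
# Each helper reads env-file text on stdin and writes the result to stdout,
# so the real key-connector.override.env is never edited in place.
P='keyConnectorSettings__'

# Step 4: turn the new database values from Step 2 into the transfer target.
kc_mark_transfer_target() {
    sed "s/^${P}database__/${P}transferTo__database__/"
}

# Before the restart in Step 5: source and target provider must both be set.
kc_check_staged() {
    staged=$(cat)
    printf '%s\n' "$staged" | grep -q "^${P}database__provider=" || return 1
    printf '%s\n' "$staged" | grep -q "^${P}transferTo__database__provider="
}

# Step 6: drop the old database values and strip transferTo__ from the new ones.
# Fails if no transferTo__ values exist, so running it twice cannot delete the
# only remaining database settings.
kc_cleanup_database() {
    current=$(cat)
    printf '%s\n' "$current" | grep -q "^${P}transferTo__database__" || {
        echo "no transferTo__database__ values; refusing to clean up" >&2
        return 1
    }
    printf '%s\n' "$current" \
        | grep -v "^${P}database__" \
        | sed "s/^${P}transferTo__database__/${P}database__/"
}

# Constructed sample values, taken from the JSON-to-SQL-Server example above.
OLD_VALUES="${P}database__provider=json
${P}database__jsonFilePath=/etc/bitwarden/database.json"
NEW_VALUES="${P}database__provider=sqlserver
${P}database__sqlServerConnectionString={Connection_String}"

STAGED=$(printf '%s\n%s\n' "$OLD_VALUES" \
    "$(printf '%s\n' "$NEW_VALUES" | kc_mark_transfer_target)")
printf '%s\n' "$STAGED" | kc_check_staged && echo "staged config is ready for restart"
printf '%s\n' "$STAGED" | kc_cleanup_database
```

Lines that are not database settings pass through the cleanup unchanged, so RSA key settings in the same file are left alone.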
Key Connector uses an RSA key pair to protect user keys at rest. To migrate from your existing RSA key pair configuration:
1. Stop the Key Connector container.
2. In your .bwdata/env/key-connector.override.env file, add the required values for a new RSA configuration (see here) with transferTo__ inserted in each value immediately following keyConnectorSettings__.
   For example, the key-connector.override.env for a configuration migrating from a certificate stored on the filesystem to AWS Key Management Service (KMS) would include the following values:

    keyConnectorSettings__rsaKey__provider=certificate
    keyConnectorSettings__certificate__provider=filesystem
    keyConnectorSettings__certificate__filesystemPath=/etc/bitwarden/bw-kc.pfx
    keyConnectorSettings__certificate__filesystemPassword=********
    keyConnectorSettings__transferTo__rsaKey__provider=awskms
    keyConnectorSettings__transferTo__rsaKey__awsAccessKeyId={AccessKey_Id}
    keyConnectorSettings__transferTo__rsaKey__awsAccessKeySecret={AccessKey_Secret}
    keyConnectorSettings__transferTo__rsaKey__awsRegion={Region_Name}
    keyConnectorSettings__transferTo__rsaKey__awsKeyId={Key_Id}

3. Restart your self-hosted Bitwarden installation in order to apply the configuration changes:

    ./bitwarden.sh restart