Backup Vaultwarden Data to Google Drive with Restic and rclone

Posted by Loscoy on 2025-06-07

Vaultwarden is a lightweight password manager that I recently started using to manage my passwords and sensitive data. To ensure data safety, I decided to regularly back up Vaultwarden data to Google Drive using Restic for incremental backups, combined with rclone for cloud storage connectivity. This post shares my complete backup workflow — from configuration to automation to data recovery — all based on my hands-on experience. Hope it helps!

Prerequisites

Before getting started, make sure you have the following ready:

  • Vaultwarden: Running properly, with data directory at ~/Vaultwarden/vw-data.
  • System: I’m using Ubuntu (Linux), but the process applies to other Linux distributions as well.
  • Tools: Restic and rclone need to be installed (installation steps below).
  • Google Drive: An account with sufficient storage space.
  • Basic tools: bash for scripting, cron for scheduled tasks.

Step 1: Install and Configure rclone

rclone is a powerful tool that lets us easily connect Google Drive as a backup storage backend.

1.1 Install rclone

On Ubuntu, installing rclone is straightforward:

sudo apt update
sudo apt install rclone

If you’re not on Ubuntu, you can download the appropriate version from the rclone website.

1.2 Configure Google Drive

Run the following command to start configuring rclone:

rclone config

Follow the prompts:

  • Select n to create a new remote storage.
  • Enter a name, such as gdrive.
  • Choose the storage type as drive (Google Drive).
  • Client ID and Client Secret: I left these blank to use the defaults.
  • Scope: Select drive (full access).
  • Root Folder ID: Leave blank to use the entire Google Drive.
  • During authorization, rclone will provide a URL. Copy it to your browser, log in to your Google account, authorize, get the code, and paste it back into the terminal.

After configuration, test it:

rclone lsd gdrive:

If you can see the directories in your Google Drive, the configuration is successful!

1.3 Create a Dedicated Backup Folder

To keep things organized, I created a dedicated backup folder on Google Drive:

rclone mkdir gdrive:VaultwardenBackups

Step 2: Install and Configure Restic

Restic is an efficient incremental backup tool with encryption support — perfect for our needs.

2.1 Install Restic

On Ubuntu:

sudo apt update
sudo apt install restic

Or download the latest version from the Restic website.

2.2 Initialize the Restic Repository

We’ll store the Restic backup repository on Google Drive using rclone as the backend. First, set the environment variables:

export RESTIC_REPOSITORY="rclone:gdrive:VaultwardenBackups/restic"
export RESTIC_PASSWORD="your-secure-password"

Note: Replace your-secure-password with a strong password — write it down and keep it safe! Then initialize the repository:

restic init

This creates a Restic repository under gdrive:VaultwardenBackups/restic. Verify with:

restic snapshots

There won’t be any snapshots right after initialization, but the command should run without errors.

Step 3: Back Up Vaultwarden Data

The Vaultwarden data directory ~/Vaultwarden/vw-data contains the following:

attachments  db.sqlite3  db.sqlite3-shm  db.sqlite3-wal  icon_cache  rsa_key.pem  sends  tmp

Among these, db.sqlite3-shm and db.sqlite3-wal are SQLite temporary files that can be excluded during backup. The tmp directory doesn’t need backup either. Key items to back up include:

  • db.sqlite3 (main database)
  • attachments (user attachments)
  • icon_cache (icon cache, optional)
  • rsa_key.pem (encryption key — extremely important!)
  • sends (Send feature data)

3.1 First Backup

Run the following command for the initial backup:

restic backup ~/Vaultwarden/vw-data --exclude "*.sqlite3-shm" --exclude "*.sqlite3-wal" --exclude "tmp"

This backs up the specified directory while excluding temporary files. The first backup uploads all data; subsequent backups only upload changes, saving time and space.

3.2 Verify the Backup

Check if the backup was successful:

restic snapshots

You should see a new snapshot showing the backup time and path.

3.3 Set a Retention Policy

To prevent backups from filling up Google Drive, I set a retention policy: keep the last 7 daily backups, 4 weekly backups, and 6 monthly backups:

restic forget --keep-daily 7 --keep-weekly 4 --keep-monthly 6 --prune

--prune cleans up old data that is no longer needed, freeing up space.

Step 4: Automate the Backup

Manual backups are tedious — let’s automate with a script and cron.

4.1 Create a Backup Script

I created a script at ~/backup-vaultwarden.sh:

#!/bin/bash
# Stop at the first failing step so a failed backup is never followed by a prune
set -euo pipefail

export RESTIC_REPOSITORY="rclone:gdrive:VaultwardenBackups/restic"
export RESTIC_PASSWORD="your-secure-password"

# Backup
restic backup ~/Vaultwarden/vw-data --exclude "*.sqlite3-shm" --exclude "*.sqlite3-wal" --exclude "tmp"

# Clean up old backups
restic forget --keep-daily 7 --keep-weekly 4 --keep-monthly 6 --prune

# Check backup integrity
restic check

After saving, make it executable:

chmod +x ~/backup-vaultwarden.sh

4.2 Set Up a Scheduled Task

Use cron to run the backup automatically every day at 2 AM:

crontab -e

Add the following line:

0 2 * * * /bin/bash ~/backup-vaultwarden.sh >> ~/backup-vaultwarden.log 2>&1

This outputs backup logs to ~/backup-vaultwarden.log.

4.3 Test the Script

Run the script manually to confirm everything works:

/bin/bash ~/backup-vaultwarden.sh

Step 5: Restore Data

If you need to restore data, the process is straightforward.

5.1 List Snapshots

View all available snapshots:

restic snapshots

Note down the snapshot ID you want to restore.

5.2 Restore Data

Restore the backup to a specified directory, such as ~/Vaultwarden/restore:

restic restore <snapshot-id> --target ~/Vaultwarden/restore

Replace <snapshot-id> with the actual snapshot ID.

5.3 Verify and Apply

Check the restored files:

# restic recreates the original absolute path under the --target directory
ls ~/Vaultwarden/restore"$HOME"/Vaultwarden/vw-data

Then stop the Vaultwarden service and copy the restored data:

cd ~/Vaultwarden
docker-compose down
# The restored files sit under the original absolute path inside the target
cp -r ~/Vaultwarden/restore"$HOME"/Vaultwarden/vw-data/* ~/Vaultwarden/vw-data/
docker-compose up -d
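
A guarded version of the copy step above, as an added example rather than the author's procedure: it checks the restored tree first and moves the live directory aside instead of copying over it, so leftover db.sqlite3-wal and db.sqlite3-shm files from the old database are never paired with the restored db.sqlite3. The function names and the .pre-restore suffix are assumptions, the sqlite3 CLI is assumed to be installed, and Vaultwarden must already be stopped.

```shell
#!/bin/bash
# Added example: guarded restore. Function names and the ".pre-restore"
# suffix are hypothetical; requires the sqlite3 CLI.
set -e

# Fail unless the restored tree holds the two files the post singles out as
# essential and the database passes SQLite's own consistency check.
verify_restore() {
    src=$1
    for f in db.sqlite3 rsa_key.pem; do
        [ -s "$src/$f" ] || { echo "missing or empty: $src/$f" >&2; return 1; }
    done
    # PRAGMA integrity_check prints the single line "ok" for a sound database.
    [ "$(sqlite3 "$src/db.sqlite3" 'PRAGMA integrity_check;')" = "ok" ] || {
        echo "integrity_check failed for $src/db.sqlite3" >&2; return 1; }
}

# Move the current data directory aside (keeps a rollback copy and takes any
# stale -wal/-shm files with it), then copy the verified restore into place.
# Prints the path of the set-aside directory.
apply_restore() {
    src=$1; dst=$2
    verify_restore "$src" || return 1
    old="$dst.pre-restore.$(date +%Y%m%d%H%M%S)"
    mv "$dst" "$old" || return 1
    mkdir -p "$dst" && cp -a "$src/." "$dst/" || return 1
    echo "$old"
}
```

Call apply_restore with the vw-data directory inside the restore target as the first argument and ~/Vaultwarden/vw-data as the second, between docker-compose down and docker-compose up -d.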

Step 6: Security and Best Practices

6.1 Protect Your Password

I store the Restic password in a separate file:

# Create the file owner-only from the start and quote the password
(umask 077; echo "export RESTIC_PASSWORD='your-secure-password'" > ~/.restic-env)
chmod 600 ~/.restic-env

Then load it in the script:

source ~/.restic-env
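
A hardened variant of the backup script that ties together the script from Step 4.1 and the password file above (added example, not the author's script). It hands restic the password through RESTIC_PASSWORD_FILE, refuses to run if that file is readable by group or others, and copies the database with SQLite's online backup, because db.sqlite3-wal can hold committed changes while Vaultwarden is running. The ~/.restic-pass file, the backup-stage directory and the run argument are assumptions, as is an installed sqlite3 CLI.

```shell
#!/bin/bash
# Added example, not the author's script. Hypothetical names: ~/.restic-pass,
# ~/Vaultwarden/backup-stage, the "run" argument. Assumes the sqlite3 CLI.
set -e
umask 077   # the staging directory is created owner-only

DATA_DIR="${DATA_DIR:-$HOME/Vaultwarden/vw-data}"
STAGE_DIR="${STAGE_DIR:-$HOME/Vaultwarden/backup-stage}"
PASS_FILE="${PASS_FILE:-$HOME/.restic-pass}"
export RESTIC_REPOSITORY="${RESTIC_REPOSITORY:-rclone:gdrive:VaultwardenBackups/restic}"

# True only for a regular file with no group/other permission bits (e.g. 600).
secret_is_private() {
    [ -f "$1" ] && [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Snapshot the live database with SQLite's online backup, which includes
# committed changes still held in db.sqlite3-wal, then copy the other items.
stage_data() {
    rm -rf "$STAGE_DIR" && mkdir -p "$STAGE_DIR" || return 1
    sqlite3 "$DATA_DIR/db.sqlite3" ".backup '$STAGE_DIR/db.sqlite3'" || return 1
    for item in attachments sends rsa_key.pem; do
        if [ -e "$DATA_DIR/$item" ]; then
            cp -a "$DATA_DIR/$item" "$STAGE_DIR/" || return 1
        fi
    done
}

# Each step must succeed before the next runs; prune never follows a failed backup.
run_backup() {
    secret_is_private "$PASS_FILE" || {
        echo "refusing to run: $PASS_FILE is readable by group or others" >&2; return 2; }
    export RESTIC_PASSWORD_FILE="$PASS_FILE"   # restic reads the password itself
    stage_data || return 3
    restic backup "$STAGE_DIR" || return 4
    restic forget --keep-daily 7 --keep-weekly 4 --keep-monthly 6 --prune || return 5
    restic check || return 6
}

# Cron would call the script with the argument "run".
if [ "${1:-}" = "run" ]; then run_backup; fi
```

The password file holds only the password itself, with no export prefix. Snapshots made this way contain the staging directory, so restored paths end in backup-stage instead of vw-data.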

6.2 Monitor Backups

Regularly check ~/backup-vaultwarden.log to ensure backups are running normally. You can also use ntfy to send backup result notifications.

6.3 Check Backup Integrity

Run an integrity check once a month:

restic check

6.4 Mind Google Drive Limits

Google Drive has a file count limit (approximately 400,000 files). Running restic forget --prune regularly helps keep the file count down.

6.5 Ensure Data Security

Restic encrypts all backup data by default — even if Google Drive is compromised, your data remains safe. Pay special attention to keeping rsa_key.pem safe, otherwise your data may become undecryptable!

FAQ

  1. rclone authorization expired:
    Re-run rclone config to update the token.
  2. Slow backup speed:
    Check your network connection or Google Drive storage limits.
  3. Database file inconsistency:
    Pause Vaultwarden before backup (docker-compose down).
  4. Restic repository locked:
    Run restic unlock to unlock it.

Conclusion

With Restic and rclone, I’ve successfully set up automatic incremental backups of Vaultwarden data to Google Drive. The entire process is simple, secure, and efficient. I hope this post helps you back up your Vaultwarden data smoothly! Feel free to leave a comment if you have any questions.
