Exporting and Backing Up Your Vault#

RabbitKey provides two distinct export paths, plus encrypted sync as a third form of backup. They serve different purposes and carry very different security properties — one is ciphertext you can store anywhere, the other is plaintext you must handle with care.

The Two Export Formats#

Encrypted Vault Backup#

The encrypted vault backup exports the vault as a binary file containing a magic header followed by an encrypted payload. The file is not human-readable; without your master password, its contents are computationally infeasible to access.

When to use it:

• Archiving a point-in-time backup before a major change (password rotation pass, bulk import, app update)
• Storing an offline backup on a USB drive or separate device
• Moving your vault to a new device manually (without cloud sync)

Key properties:

• The payload is encrypted — the same XChaCha20-Poly1305 encryption that protects your on-device vault
• Restoring requires your master password (or Recovery Kit)
• Safe to store in cloud storage, on a USB drive, or on a NAS without additional encryption — the file is already ciphertext

To restore: RabbitKey will prompt for your master password. If you have lost your master password but have your Recovery Kit, see Your Recovery Kit, Explained for the restore path.

CSV Export (Plaintext)#

The CSV export writes your vault contents to a UTF-8 text file. It is not encrypted. Anyone who opens the file reads your passwords.

When to use it:

• Migrating to a different password manager that accepts CSV import
• Creating a one-time human-readable reference (print and store securely, then delete the file)
• Importing a selection of entries into another tool

When NOT to use it as a backup:

CSV is not a backup format. It lacks folder structure, attachment data, and any custom fields beyond the standard set. More importantly, it is unencrypted — a CSV backup stored anywhere accessible is a plaintext copy of your entire credential set.

Mandatory precaution: Delete the CSV file as soon as you have finished using it. On iOS, delete from the Files app and then clear the Recently Deleted folder; note that flash storage offers no guaranteed secure overwrite, so the real defense is keeping the file's lifetime short. On Mac, remove it from the Trash and empty it, or use a dedicated secure-delete utility.

The Difference at a Glance#

Property	Encrypted vault backup	CSV export
Encrypted	Yes	No
Safe to store in cloud	Yes (as-is)	No
Needs master password to restore	Yes	N/A — opens in any spreadsheet
Retains full vault structure	Yes	Partial
Use case	Backup, device migration	Cross-app migration, plaintext reference

Encrypted Sync as a Continuous Backup#

If you have sync enabled (iCloud Drive, Google Drive, or WebDAV), the encrypted vault file is continuously uploaded as you make changes. This provides an offsite encrypted backup automatically, without any manual export step.

This is the recommended ongoing backup strategy for most users:

• No manual action required
• Always current
• Encrypted — the sync provider sees ciphertext only

Conflicts from concurrent edits are surfaced for you to resolve rather than silently overwritten. For sync setup and conflict handling, see How Zero-Knowledge Sync Works.

Recommended Backup Strategy#

A layered approach combines multiple methods, so no single failure loses your data:

1. Encrypted sync enabled — continuous, automatic, encrypted offsite copy
2. Periodic encrypted vault backup — export and store on a USB drive or separate secure location; useful if you ever need a point-in-time restore
3. Recovery Kit stored securely — not a backup of entries, but the recovery mechanism that makes any backup restorable if you lose your master password

The CSV export does not belong in a regular backup rotation. Use it only when you need plaintext access to your data for a specific, time-limited purpose, and delete it immediately after.

A Note on Recovery Kit vs Encrypted Backup#

These are related but distinct:

• The Recovery Kit is your master key, encoded as a 69-character RKRK-... code. It lets you unlock the vault without your master password. It does not contain your vault entries.
• The encrypted vault backup contains your vault entries, encrypted. Restoring it requires either your master password or (combined with the Recovery Kit) your master key.

You need both to recover from a worst-case scenario where you have lost your master password and your device. See Your Recovery Kit, Explained for Recovery Kit details.