Convert BitWarden JSON export file to Apple iCloud Keychain CSV import file saving TOTP and notes

README.md

BitWarden to Apple iCloud Keychain passwords converter

This Python scripts allows you to move your passwords from BitWarden to Apple iCloud.

You need to know:

• It ignores secure notes, credit cards and other types that are not passwords.
• It ignores BitWarden entries without usernames, passwords and URLs.
• It also ignores URLs that do not start with http:// or https://.
• It normalizes all TOTP tokens, e.g. wskg vtqa h5kl bhb4 v4v2 ybyo woc6 qme2 will be converted to otpauth://totp/example.com:dude@foo.bar?secret=WSKGVTQAH5KLBHB4V4V2YBYOWOC6QME2&issuer=example.com&algorithm=SHA1&digits=6&period=30.
• It preserves notes attached to accounts.
• It preserves all custom fields attached to accounts. They will be prepended to notes.
• BitWarden export does not contain any information about attachments. You should care about them manually.

All ignored (filtered) BitWarden entries will be logged to the console during convertion process.

Getting started

Export your BitWarden passwords

You should export your BitWarden vault in JSON format (not encrypted). See "Export Vault Data". Exported file will be named like bitwarden_export_20220426113920.json, you should rename it to bitwarden.json.

Run script

Download Python file attached to the Gist. Place this file in the same directory with bitwarden.json file and run it:

python3 convert.py

It will generate icloud.csv file.

Import passwords to iCloud

To import passwords, you should use generated icloud.csv file. See "Import bookmarks, history, and passwords in Safari on Mac".

Bonus

Get a shortcut to quickly open Passwords on your Apple devices: https://www.reddit.com/r/shortcuts/comments/w1sa8w/updated_for_macos_13_ventura_and_ios_16_go/

convert.py

import csv
import json
from urllib.parse import urlparse
from urllib.parse import urlunparse
from urllib.parse import urlencode
from urllib.parse import parse_qs

json_file = open('bitwarden.json')
parsed_json = json.load(json_file)

print('Found {:d} accounts in BitWarden'.format(len(parsed_json['items'])))

def is_account_credentials(credentials_entry):
    name = credentials_entry['name']
    type = credentials_entry['type']

    if type != 1:
        print('Skipping "{:s}" because it has wrong type: {:d}'.format(name, type))

        return False

    if 'uris' not in credentials_entry['login']:
        print('Skipping "{:s}" because it does not have website URLs'.format(name))

        return False

    if credentials_entry['login']['username'] is None:
        print('Skipping "{:s}" because it missing username'.format(name))

        return False

    if credentials_entry['login']['password'] is None:
        print('Skipping "{:s}" because it missing password'.format(name))

        return False

    return True

birwarden_accounts = filter(is_account_credentials, parsed_json['items'])

def format_totp_url(totp, hostname, username):
    if totp.startswith('otpauth://'):
        parsed_totp = urlparse(totp)

        totp = parse_qs(parsed_totp.query)['secret'][0]

    totp = totp.upper().replace(' ', '')

    return urlunparse((
        'otpauth',
        'totp',
        (hostname + ':' + username),
        '',
        urlencode({
            'secret': totp,
            'issuer': hostname,
            'algorithm': 'SHA1',
            'digits': '6',
            'period': '30',
        }),
        ''
    ))

def convert_bitwarden_credentials_to_icloud(credentials_entry):
    icloud_credentials = []

    for credentials_entry_uri_entry in credentials_entry['login']['uris']:
        parsed_url = urlparse(credentials_entry_uri_entry['uri'])

        if parsed_url.scheme != 'http' and parsed_url.scheme != 'https':
            continue

        notes = []

        if 'fields' in credentials_entry:
            notes = list(map(lambda field: "{:s}: {:s}".format(field['name'], field['value']), credentials_entry['fields']))

        if credentials_entry['notes'] is not None:
            notes.append(credentials_entry['notes'].strip())

        hostname = urlparse(credentials_entry_uri_entry['uri']).hostname
        username = credentials_entry['login']['username']

        icloud_credentials.append([
           hostname,
           credentials_entry_uri_entry['uri'],
           username,
           credentials_entry['login']['password'],
           "\n\n".join(notes),
           '' if credentials_entry['login']['totp'] is None else format_totp_url(
               credentials_entry['login']['totp'],
               hostname,
               username,
           )
       ])

    return icloud_credentials

icloud_accounts = []

for credentials_entry in birwarden_accounts:
    icloud_accounts.extend(convert_bitwarden_credentials_to_icloud(credentials_entry))

print('Saving {:d} accounts to iCloud CSV'.format(len(icloud_accounts)))

with open('icloud.csv', 'w', encoding='UTF8', newline='') as csv_file:
    writer = csv.writer(csv_file)

    writer.writerow(['Title', 'URL', 'Username', 'Password', 'Notes', 'OTPAuth'])
    writer.writerows(icloud_accounts)

Thanks!

Thanks!

says this error.. followed every step as detailed:

I have the exact same error as skripter888. Do you know what is wrong? Thank you!

Thanks!!!

@flaksp I get the same error as @skripter888. Any idea how to fix it?

@nicx For anyone having the error "unsupported format string passed to NoneType,format" you can comment those 2 lines in the script, the issue is with the parsing of the "fields" from Bitwarden that are anyways added as Note.

        # if 'fields' in credentials_entry:
        #     notes = list(map(lambda field: "{:s}: {:s}".format(field['name'], field['value']), credentials_entry['fields']))

        # if credentials_entry['notes'] is not None:
        #     notes.append(credentials_entry['notes'].strip())

Thank you! this is invaluable

Thanks, but beware that this program silently discard uri that does not start with 'http' or 'https'
(line 70/71)

I have updated the script:

• An exported file will contain names of your BitWarden records.
• Added more validations to prevent errors during script execution.
• And also it is more verbose on logging now. It will be easier to understand why a record was skipped. And no more "silent" skips (@Tracnac, thanks for noticing this).

Also I made it a bit more readable. It should be easier for you to understand what's happening and modify it for your needs.

If you face some issues try the previous version of the script: https://gist.github.com/flaksp/6fe1042e12b6b6908c5193c0d6c124a7/054ba12d96a063a1ee901de2c503eec94567018e

• And also it is more verbose on logging now. It will be easier to understand why a record was skipped. And no more "silent" skips (@Tracnac, thanks for noticing this).

Thanks for your update.

Thankssss

Thank you :)

Thank you! Works fine and did what I expected!

Is it able to handle multiple URLs? I have had this issue where if I use same username and password for primevideo.com and amazon.com and amazon.ca. Will it create 3 accounts or merge them into 1?

@anuraagm0, it will create 3 accounts in that case. That's the limitation of iCloud Keychain.

Unfortunately that causes too much noise. It’s like 300 passwords suddenly become 500 and keep complaining that I am reusing them while they are part of the same login experience.

@flaksp, thank you for this great script. I noticed that some of my entries with Japanese characters in fields were not converted correctly, probably due to a Unicode issue. Do you have any idea how to fix it?

@lotfielhafi, I've tested the script with Japanese characters (in the fields especially) and didn't found any oblivious issues. What kind of problem do you experience? Some more information that fill help with reproduction of the issue would be nice :)

@flaksp My bad, after reading your comment, I confirmed that the issue was on my side. I inspected the output file with Excel, which did not render it in Unicode. I am very sorry for the trouble. Thank you again for your script. I could import 600+ entries into Keychain.

Looks like 2 websites per credential is now possible, curious what the format for this is?

When exporting this one specifically, there is no url in the column. strange...

Looks like 2 websites per credential is now possible, curious what the format for this is?

When exporting this one specifically, there is no url in the column. strange...

I noticed the same issue. It seems the URL is being pulled from the title field. I understand it’s unusual how the data is stored, but in your screenshot, website1.com will be exported if it’s entered in the title during creation. However, you still won’t be able to export website2.net. Since Apple doesn’t support exporting multiple URLs, it’s unclear whether we can programmatically add them.

I filed a bug report via the feedback app 🤷 🤞

How is this script different from the inbuilt import option that is available in password app File>Import Passwords and using it with Bitwarden app exported .csv? Any advantage it offers?

Thanks for your work, I made some changes for "It ignores BitWarden entries without usernames, passwords and URLs." which i wanted to be replace with placeholders.

https://gist.github.com/10bn/a18248bb8e96eeda98f1071ad3c38059

is this safe to execute?

When exporting this one specifically, there is no url in the column. strange...

It seems there is a bug occurring during the export process, specifically concerning URLs. When exporting, the system only includes URLs that begin with https:// (e.g., https://example.com) and ignores others, (e.g. example.com). Here’s a summary of my findings:

1. When importing multiple URLs that start with https:// (e.g., https://a.example.com and https://b.example.com) via CSV, they display correctly within the app, and the export functionality operates as expected.
2. However, if domains are added directly through the app, the export feature fails to include them, regardless of whether they are entered as example.com or https://example.com. The app internally interprets them as example.com, resulting in their exclusion from the export.

Example of a CSV that works fine

Title,Username,Password,OTPAuth,URL
Hello1,username,password,totp,https://a.example.com
Hello1,username,password,totp,https://b.example.com

Note: the URLs must have the same domain, in the above example, the URL can have any prefix, but the domain must be example.com

Love this script, but I needed a solution that could transfer everything seamlessly. That’s why I developed PasswordManagerTools. This tool transfers all your data, including notes, custom fields, multiple URLs, and password history. It also handles items with multiple URLs and offers additional features.