migration bitwarden csv-import password-manager local-only securekeep

Switching from Bitwarden: A Local-Only Alternative for Families

Bitwarden trusted you with the data. SecureKeep doesn't even ask for it. Here is the step-by-step way to export your Bitwarden vault and import every entry into SecureKeep on iPhone or Android — and the architectural reason a lot of Bitwarden users are making the switch.

A notebook and an iPhone on a wooden table, representing data moving from one quiet place to another.

Bitwarden is the most architecturally honest password manager in the mainstream market. The codebase is open source. The free tier is genuinely useful. The paid tier is $10 a year, which is closer to "honest" than to "subscription tax." If you've been using Bitwarden, you've been making a defensible choice.

You can also leave it for an even simpler architecture — one where the encrypted vault doesn't sync, doesn't live on a server, and doesn't require a paid plan to do its core job. SecureKeep imports a Bitwarden CSV directly. Every login, every URL, every TOTP secret, in one bulk transaction, on your phone, with no cloud account in the middle.

If you've decided to switch — for the local-only architecture, or the family-vault model, or both — this is the guide.

What You'll Need

  • A Bitwarden account you can sign into through the web vault.
  • A computer. Bitwarden's mobile apps don't export to CSV — only the web vault and the desktop apps do. The web vault is the easiest path.
  • SecureKeep installed on your phone. iOS or Android. The CSV import lives in Settings → Tools → Import from CSV, or as the Import CSV button at the top of the credentials list.

That's the whole list.

Step 1 — Export Your Bitwarden Vault

The cleanest path is the web vault.

  1. Open https://vault.bitwarden.com/ and sign in.
  2. From the sidebar, choose Tools → Export Vault.
  3. Set the file format to .csv.
  4. Re-enter your master password.
  5. Bitwarden downloads a file named something like bitwarden_export_<timestamp>.csv.

The file contains: folder, favorite, type, name, notes, fields, reprompt, login_uri, login_username, login_password, login_totp. Login items, secure notes, identities, and cards all share the same CSV — distinguished by the type column.

It is also entirely plaintext. We will deal with that in Step 4.

A note on Bitwarden's encrypted JSON export. Bitwarden also offers a .json export and an encrypted .json export. Use the CSV path for SecureKeep's importer. The encrypted JSON is designed for re-importing into Bitwarden specifically; SecureKeep doesn't read that format.

Step 2 — Open SecureKeep and Tap "Import from CSV"

On your phone:

  1. Open SecureKeep and unlock your vault. (If you don't have one yet, the first-run wizard walks you through creating one in about six minutes — finish that first, then come back here.)
  2. From the dashboard, tap Passwords, then tap the Import CSV button at the top of the credentials list.
  3. The picker that opens is the standard iOS or Android files picker. Find the bitwarden_export_<timestamp>.csv you saved in Step 1.

A small v3.0.0 note: the document picker is exempted from SecureKeep's lock-on-background protection. The exemption was added precisely so file-picking — which the OS treats as backgrounding the app — doesn't lock your vault and force you to start over. Narrow exemption, scoped to known system pickers, ends the moment the picker closes.

Step 3 — Review the Detected Format

SecureKeep auto-detects the format from the column headers. For Bitwarden, it looks for login_uri, login_username, and login_password. When all three are present, the parser is set to Bitwarden.

You'll see a banner: "Detected format: Bitwarden" along with the row counts.

Three things happen automatically:

  • Type filtering. Rows where type is anything other than login (or empty) are skipped. Bitwarden's CSV mixes secure notes, identities, and cards into the same file — the importer only ingests login items, because that's what the credentials section in SecureKeep is for. Secure notes and identities go into SecureKeep's secure notes section manually.
  • Host-and-username deduplication. If you already have a credential for gmail.com with the same username, importing again won't create a duplicate. The importer matches by hostname plus username. Same hostname with a different username (your work and personal Gmail, for example) imports separately.
  • TOTP secrets land in the right place. Any login_totp value becomes a structured TOTP secret on the imported credential, separate from the password and separate from any backup codes. Bitwarden stored these as a single field — SecureKeep's v3.0.0 structured 2FA gives them a dedicated home.

Tap Import and confirm. The import is transactional and all-or-nothing: if any single row fails to encrypt and write to disk, the entire import is rolled back.

Step 4 — Delete the CSV

The Bitwarden export is plaintext. After the import succeeds:

  • Delete the CSV from your Downloads folder.
  • Empty Trash (macOS) or Recycle Bin (Windows).
  • If you saved a copy anywhere else, delete it there too.
  • Bitwarden's web vault names the export with a timestamp, which means you might have multiple exports if you've done this before. Check for those.
  • If you use Time Machine, exclude the Downloads folder before the next backup, or remove the export before backup time.

This is the step most guides skip. Don't.

What Gets Imported, What Doesn't

Bitwarden field Imported into SecureKeep
name Credential label
login_uri URL (normalized — first URI only if multiple are present)
login_username Username
login_password Password
notes Notes
login_totp TOTP secret (structured 2FA)
folder Not imported in v3.0.0 — SecureKeep is flat with category filtering
favorite Not imported in v3.0.0
type (other than login) Skipped — secure notes / identities / cards are not credential entries
fields (custom fields) Not imported in v3.0.0
reprompt Not imported (SecureKeep applies vault-wide unlock policy instead)

What lives outside the CSV in Bitwarden, and how to handle it:

  • Secure notes. Bitwarden Note items aren't part of SecureKeep's credentials section. Copy them manually into SecureKeep's secure notes — there's a dedicated section per vault.
  • Identities and cards. Manual copy. SecureKeep's secure notes section is the right place for identity records; cards can also go there.
  • Custom fields. If you used Bitwarden's custom fields heavily, plan to migrate them into the notes field of the corresponding SecureKeep credential.
  • Sends, attachments, organizations. Not part of SecureKeep's model. Sends are a Bitwarden-specific feature. Attachments map to SecureKeep's encrypted documents — upload them directly. Organizations are a Bitwarden Teams concept and don't translate to a local-only vault.

Why People Are Switching from Bitwarden

This guide doesn't need you to be unhappy with Bitwarden. But three reasons come up repeatedly:

The architecture trade. Bitwarden's encrypted vault syncs to Bitwarden's servers (or your self-hosted server, if you went that route). The encryption is real. The vault still exists somewhere outside your phone — sitting on infrastructure that, however well-secured, exists. SecureKeep doesn't sync. Your vault lives on your phone, encrypted with a key derived from your master password, and the only way it leaves the device is an explicit user-initiated backup. There is no SecureKeep server holding a copy of your vault to be stolen, because there is no SecureKeep server.

The family model. Bitwarden's family plan (Bitwarden Families, $40/year) is a multi-user product where each family member has their own account and shared organizations are used to share credentials. SecureKeep's family model is different: one device holds multiple vaults, one per trusted person — a spouse vault, a parent vault, a child vault. A single trusted person handles everything from one phone. Different fit, depending on what your family actually needs.

The pricing fit. Bitwarden's free tier is excellent. Bitwarden Premium is $10/year — easily the cheapest mainstream option. SecureKeep is $7.99 once. For users who don't need cross-device sync (because they keep their vault on the device they actually use it from), the one-time-purchase model maps better to how the app gets used.

None of these are reasons to leave Bitwarden if you're happy. They are reasons to think about whether your password manager's architecture actually matches how you use it.

After the Import — A Five-Minute Cleanup

  1. Open Password Health (Settings → Password Health) and run the analysis. Bitwarden's reports vary by tier; SecureKeep's runs the same audit on every vault. Knock out the top three offenders.
  2. Walk through any TOTP codes you imported. Confirm one or two against your authenticator app. If they match, you can retire the authenticator app for those sites (or keep both — entirely your call).
  3. Set up your Emergency Card and your trusted person. The whole point of having credentials in one place is so the people who depend on you can reach them when they need to.
  4. Decide whether to keep your Bitwarden account. If you're committed to the switch, archive or delete it. If you want to keep it as a fallback for 30–90 days, set yourself a calendar reminder to revisit.

Frequently Asked Questions

Is the CSV import secure? The CSV is read on your device, parsed in memory, and each credential is encrypted with your vault's per-vault data encryption key (AES-256-GCM) before being written to disk. The plaintext CSV exists only in memory during the import.

What about my Bitwarden organizations / shared collections? SecureKeep doesn't model multi-user organizations the way Bitwarden does. If you need shared credentials across people, the SecureKeep approach is one device + one trusted person + a separate vault per relationship. If you need true multi-user collaboration in real time, SecureKeep isn't the right tool — Bitwarden Teams is.

Can I import the encrypted JSON instead? No — SecureKeep reads CSV. The encrypted JSON is Bitwarden's own internal format, designed for re-importing into Bitwarden.

What if I self-host Bitwarden (Vaultwarden)? Same export path. The web UI is identical and the CSV format is identical.

Will the import overwrite my existing credentials? No. Host-and-username dedupe preserves existing credentials. Only new ones are added. To replace an existing entry, edit it manually after the import.

Does it import my Bitwarden Sends? No. Sends are a Bitwarden-specific shared-link feature. SecureKeep's family model uses backup files and the Emergency Card export instead.

Does the import work on iPad? Yes. Same Files-based picker, same flow.

Related reading:

SecureKeep is a $7.99 one-time-purchase encrypted vault for iOS and Android. Multi-vault, emergency cards, voice messages, password health, CSV import from seven password managers — all encrypted locally, no cloud account required. See all features →