How I Keep My Password Manager Travel-Ready Without Lockouts

My entire business lives in 1Password and Bitwarden. If a border agent confiscates my MacBook, or if I fat-finger the master password after a red-eye, I could strand myself outside 73 client portals and two factor apps. That used to keep me awake on overnight buses. Now I run a travel-ready password routine that keeps vaults lean, backed up, and recoverable—even if I’m locked out for 24 hours in a time zone twelve hours from home.

Photo: Unsplash / Dan Nelson

Vault Architecture: Never One Basket

• 1Password (Personal + Business) handles daily logins. Travel Mode is my emergency brake.
• Bitwarden (self-hosted on Fly.io) stores shared client creds behind an approval workflow.
• Standard Notes stores a plain-text “vault map” with hints and non-secret metadata (last rotation, contact owner).

Each vault is tagged by risk:

| Tag | Meaning | Travel Action | | --- | --- | --- | | BorderSafe | Accounts safe to show under inspection | Keep enabled during Travel Mode | | Critical | Banking, payroll, admin | Move to Travel Mode hidden vault | | Disposable | Promo accounts, test logins | Wipe entirely before departure |

One Week Out: Vault Hygiene

1. Rotate Master Passwords

I use 5 dice to generate a passphrase with the EFF wordlist. Example from last month: muffin-cloak-gymnast-telescope-vacuum-hamlet. I memorize it using the memory palace method while walking to the coworking space.

2. Reassign Recovery Contacts

1Password now lets me designate recovery contacts. I assign two trusted friends on different continents. They receive prearranged instructions via Signal: “If I call saying ‘the library is closed,’ start recovery.”

3. Export Encrypted Backups

• 1Password: File > Export > Encrypted Archive (.1pux) stored in Tresorit folder Backups/1P-2025-07-04.1pux.
• Bitwarden: CLI command bw export --format encrypted_json --password $BW_BACKUP piped into a VeraCrypt volume.

I park the VeraCrypt container in my Synology NAS and replicate it to Backblaze B2.

4. Clean Up Rotting Credentials

1Password > Watchtower lists unused passwords. I delete anything inactive for 18+ months. Less surface area if a vault gets exposed.

Travel Mode Ritual (1Password)

1. Tag sensitive vaults as Travel Mode Excluded via command palette.
2. Toggle Travel Mode on the web dashboard minutes before boarding.
3. Run op vault list from the CLI to confirm only BorderSafe vaults remain synced.
4. Re-authenticate on each device to purge hidden vaults locally.

If border agents demand access, they see social media accounts, airline loyalty programs, and nothing more.

Bitwarden On The Road

Bitwarden lacks Travel Mode, so I improvise:

• Create a travel organization with only low-risk collections and share to my travel Bitwarden account.
• Temporarily disable my personal account on the server using bw lock and remove the API key from devices.
• Keep the admin account accessible only via WireGuard connection to my Fly.io deployment (firewalled to my Mullvad IP).

2FA & Recovery Codes

• Primary: YubiKey 5C NFC (on keychain).
• Secondary: YubiKey 5 Nano (permanently in MacBook USB-C port but disabled via YubiKey Manager until needed).
• Fallback: Raivo OTP with encrypted iCloud backup + 10 one-time recovery codes printed, cut into strips, and stored with my passport.

Before I leave, I verify every critical service has at least two hardware keys registered. If not, I add them. Nothing like fighting with Google support from a hostel lobby.

When Things Go Sideways (And They Have)

Case: Buenos Aires 2024 I triggered Travel Mode but forgot to re-enable the hidden vault once I got home. 12 hours later I needed payroll credentials and they weren’t there. Fix: create an OmniFocus task “Disable Travel Mode” scheduled for the day I land. Now it pings me while I’m still at the gate.

Case: Lisbon 2025 Bitwarden container got corrupted after a power outage. The encrypted backup saved me. Restoration steps: bw import --encrypted into a fresh Docker container, verify integrity with bw verify.

Automation & Scripts

I keep a shell script prepare_travel_vaults.sh:

#!/usr/bin/env bash
set -euo pipefail
log() { printf "[%s] %s\n" "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$1"; }
log "Locking Bitwarden"
BW_SESSION=$(bw lock --raw)
log "Exporting encrypted Bitwarden backup"
bw export --session "$BW_SESSION" --format encrypted_json --password "$BW_BACKUP" \
  > "$HOME/backups/bitwarden-$(date +%Y%m%d).json.enc"
log "Triggering 1Password CLI Travel Mode"
op signin --account my.1password.com "$OP_EMAIL" "$OP_SECRET" --raw >/dev/null
op account set-preference travel-mode true
log "Travel Mode enabled"

It isn’t glamorous, but it prevents last-minute mistakes.

Quick Reference Sheet (Printed & Laminated)

Master passphrase: stored in brain + Standard Notes secret (encrypted)
Recovery contacts: Jules (Lisbon) / Priya (Seattle)
Travel Mode toggle: https://my.1password.com/profile/travel
Bitwarden admin: https://vault.pixeltechnology.cloud (WireGuard only)
Support numbers: 1Password +1-888-710-9964, Yubico +1-844-205-6787

Post-Trip Decompression

• Disable Travel Mode immediately.
• Rotate master passwords again (paranoid? yes).
• Review Watchtower/Bitwarden breach monitor for new exposure notices.
• Update the vault map with any account changes made while abroad.

TL;DR

[ ] Rotate master passphrases
[ ] Export & store encrypted backups
[ ] Enable 1Password Travel Mode / Bitwarden travel org
[ ] Carry two hardware keys + OTP backups
[ ] Automate reminders to disable Travel Mode on return

A password manager isn’t optional for remote work, but it’s a liability if you treat it like a black box. With the right prep, you can cross borders, survive airport lockouts, and still log into payroll from a hostel bunk without breaking a sweat.