Bitwarden Encrypts and Decrypts Secrets
The article explores how Bitwarden, and Vaultwarden, its open-source reimplementation of the Bitwarden server, encrypt and store user secrets: every secret is encrypted on the client before it is sent, and the key that encrypts it is stored on the server only in encrypted form, so the server never holds plaintext or a usable key. It also notes a recent supply chain attack on the official Bitwarden CLI, which is what prompted the author's interest in self-hosting and in tooling that does not depend on the official clients. The author provides the technical details and Python code that show how encryption and decryption work in practice.
- Bitwarden stores every user secret on the server in encrypted form; decryption happens exclusively in the client, so the server never sees plaintext.
- The master key that encrypts and decrypts the secrets is itself encrypted with a key derived from the user's passphrase before it is stored on the server, so the passphrase never leaves the client.
- A recent supply chain attack compromised the official Bitwarden CLI client, a reminder that the official tools are themselves a dependency that has to be trusted.
- The master key is a 64-byte random value, split into a 32-byte encryption key and a 32-byte key for message authentication codes (MACs), so a client can check that a ciphertext has not been altered before decrypting it.
- Vaultwarden is an open-source, self-hostable alternative to Bitwarden's cloud server that keeps the (still encrypted) vault in a standard SQLite database, so a backup copy of that database can be kept locally and queried directly.
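The key hierarchy the points above describe, as an added worked example that is not code from the article, from Bitwarden or from Vaultwarden. It is written in Go with only the standard library (rather than the article's Python) so that it runs without third-party packages. A random 64-byte vault key is split into encryption and MAC halves; a key derived from the passphrase protects that vault key; and every stored value is a Bitwarden-style type-2 EncString, `2.<iv>|<ciphertext>|<mac>` with base64 fields, AES-256-CBC plus HMAC-SHA256 over iv||ciphertext. The derivation details (PBKDF2-SHA256 salted with the lowercased e-mail, HKDF-expanded with the labels "enc" and "mac", 600,000 iterations) are modelled on Bitwarden's published scheme but are this example's assumption, as are the sample e-mail, passphrase and vault item; the variable names and helper functions are the example's own and need not match the article's Python.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strings"
)

type symKey struct{ enc, mac []byte } // the 64-byte split the article describes: 32-byte AES-256 key, 32-byte HMAC-SHA256 key
// pbkdf2SHA256 is PBKDF2-HMAC-SHA256 (RFC 8018) for one 32-byte output block.
func pbkdf2SHA256(password, salt []byte, iterations int) []byte {
	prf := hmac.New(sha256.New, password)
	prf.Write(append(bytes.Clone(salt), 0, 0, 0, 1)) // U1 = PRF(P, S || INT(1))
	t, u := prf.Sum(nil), prf.Sum(nil)               // t accumulates U1 xor U2 xor ... xor Uc
	for i := 1; i < iterations; i++ {
		prf.Reset()
		prf.Write(u)
		u = prf.Sum(nil)
		for j := range t { t[j] ^= u[j] }
	}
	return t
}

// deriveMasterKey: PBKDF2 salted with the lowercased e-mail, then one HKDF-Expand (RFC 5869) block per half. Modelled on Bitwarden's documented KDF (an assumption of this example).
func deriveMasterKey(passphrase, email string, iterations int) symKey {
	mk := pbkdf2SHA256([]byte(passphrase), []byte(strings.ToLower(email)), iterations)
	expand := func(info string) []byte {
		h := hmac.New(sha256.New, mk)
		h.Write(append([]byte(info), 1)) // info || counter byte 0x01
		return h.Sum(nil)
	}
	return symKey{enc: expand("enc"), mac: expand("mac")}
}

func macOf(k symKey, iv, ct []byte) []byte { // HMAC-SHA256 over iv||ciphertext, the tag a type-2 EncString carries
	h := hmac.New(sha256.New, k.mac)
	h.Write(append(bytes.Clone(iv), ct...))
	return h.Sum(nil)
}

// encrypt returns a type-2 EncString "2.<iv>|<ciphertext>|<mac>" (base64 fields): AES-256-CBC over PKCS#7-padded data.
func encrypt(k symKey, plaintext []byte) string {
	iv := make([]byte, aes.BlockSize)
	rand.Read(iv) // crypto/rand: a fresh IV for every ciphertext
	pad := aes.BlockSize - len(plaintext)%aes.BlockSize
	ct := append(bytes.Clone(plaintext), bytes.Repeat([]byte{byte(pad)}, pad)...)
	block, _ := aes.NewCipher(k.enc)
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, ct) // encrypt in place
	b64 := base64.StdEncoding.EncodeToString
	return fmt.Sprintf("2.%s|%s|%s", b64(iv), b64(ct), b64(macOf(k, iv, ct)))
}

// decrypt checks the MAC before touching the ciphertext: a wrong key or a tampered string fails here, so the CBC padding of attacker-controlled data is never inspected.
func decrypt(k symKey, encString string) ([]byte, error) {
	typ, rest, _ := strings.Cut(encString, ".")
	parts := strings.Split(rest, "|")
	if typ != "2" || len(parts) != 3 {
		return nil, fmt.Errorf("not a type-2 EncString")
	}
	iv, e1 := base64.StdEncoding.DecodeString(parts[0])
	ct, e2 := base64.StdEncoding.DecodeString(parts[1])
	tag, e3 := base64.StdEncoding.DecodeString(parts[2])
	if e1 != nil || e2 != nil || e3 != nil || len(iv) != aes.BlockSize || len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("malformed EncString fields")
	}
	if !hmac.Equal(macOf(k, iv, ct), tag) {
		return nil, fmt.Errorf("MAC mismatch: wrong key or tampered data")
	}
	block, _ := aes.NewCipher(k.enc)
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(ct, ct) // decrypt in place
	pad := int(ct[len(ct)-1])
	if pad == 0 || pad > aes.BlockSize || !bytes.Equal(ct[len(ct)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
		return nil, fmt.Errorf("bad PKCS#7 padding")
	}
	return ct[:len(ct)-pad], nil
}

// unlock replays the client: passphrase -> master key -> decrypt the server-stored 64-byte vault key -> decrypt one item with it.
func unlock(passphrase, email string, iterations int, protectedKey, item string) ([]byte, error) {
	raw, err := decrypt(deriveMasterKey(passphrase, email, iterations), protectedKey)
	if err != nil || len(raw) != 64 {
		return nil, fmt.Errorf("unlock vault key: %v (%d key bytes)", err, len(raw))
	}
	return decrypt(symKey{enc: raw[:32], mac: raw[32:]}, item)
}

func main() {
	raw := make([]byte, 64) // the random key that actually encrypts vault items
	rand.Read(raw)
	protected := encrypt(deriveMasterKey("correct horse battery staple", "user@example.com", 600000), raw) // server-stored; 600000 is Bitwarden's PBKDF2 default
	item := encrypt(symKey{enc: raw[:32], mac: raw[32:]}, []byte("hunter2")) // one encrypted vault field; all sample values are constructed
	fmt.Println(unlock("correct horse battery staple", "user@example.com", 600000, protected, item))
	fmt.Println(unlock("wrong passphrase", "user@example.com", 600000, protected, item))
}
```

The order of checks in `decrypt` is the point worth copying when writing a reader of the Vaultwarden SQLite database: the MAC is verified with a constant-time compare before any AES or padding work, so a wrong passphrase or an edited row is reported as a MAC mismatch rather than a padding error, and a tampered ciphertext never reaches the padding check at all. The only thing the server ever stores is `protected` and `item`; nothing in either can be used without the passphrase.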
Opening excerpt (first ~120 words)
As part of my efforts in reducing my dependency on Big Tech, I have been researching how to self-host my password manager. One solution that looks very promising is Vaultwarden, an open source clone of the Bitwarden cloud server. An interesting aspect of this server is that it stores all the secrets in a standard SQLite database, so in addition to having the self-hosted password server I could keep a backup copy of the database on my machine and query it directly. But of course, the secrets are encrypted in this database, so they are useless unless I learn how to decrypt them, similar to how the Bitwarden clients do it. Speaking of the Bitwarden clients, while I was writing this article it came out that the official Bitwarden CLI client was compromised in a supply chain attack.
…
Excerpt limited to ~120 words for fair-use compliance. The full article is at Miguelgrinberg.