P01 - Servers are zero knowledge

There is no possibility for an attacker or Bitwarden employee to access your unencrypted data by compromising Bitwarden's infrastructure. Bitwarden has no ability to decrypt or add to your data. Your key, which Bitwarden cannot access, is the only thing that can be used to decrypt your data or create new encrypted data.

More precisely, the special status of providing a network sync for client data does not grant the server, or any intermediary between the server and client, the ability to reduce the effective security of the protections that guard a user's data. If a user chooses a weaker form of protection (e.g., a password instead of a passkey), that is an intentional user decision, but the server must not be able to manipulate or coerce a client into reducing security beyond what the user knowingly configures. Additionally, the server or its infrastructure cannot pass off its own plaintext data as part of the user's encrypted data. The total sum of a user's encrypted data is fully isolated from the server and infrastructure; it cannot be read or expanded outside of the user's client context.

This is what we mean when we sometimes refer to "end-to-end encrypted" or "zero knowledge".

Threat model

  • An attacker able to view and/or edit database data belonging to a user they do not own
  • An attacker able to create, edit, and fully control network responses to a client

Some examples of attackers included in this list could be Bitwarden employees, network administrators, CDNs, and any MITM that can circumvent TLS protection.

Security goals

  • Attackers cannot retrieve decrypted vault data
  • Attackers cannot retrieve user encryption keys
  • Attackers cannot inject arbitrary items as vault data
  • Attackers cannot edit vault data*

* Availability of vault data is not a security goal as attackers have full control over the database.

Account key sharing as a feature

This principle does not mean that plaintext data is never shared, but rather that any such exposure requires informed and explicit consent from the user and is exclusively between accounts, never to the server or infrastructure.

Exceptions

On occasion, product features require breaking this principle in a controlled manner. These exceptions are always a last resort and tightly limited in scope, and we are always looking for improvements to remove them. All exceptions are outlined here.

Key Connector

Key Connector is a self-hosted-only feature that allows an organization user to log in and unlock with SSO and no password input. This feature is limited to self-hosted instances specifically because of this principle: it is possible for a Bitwarden server to create an authentication token, contact the Key Connector server, and retrieve key material that will allow decryption of a user's encrypted data. For these reasons we encourage strict isolation of Key Connector servers to private networks and recommend the feature only for advanced self-hosted users.

Icons service

The Bitwarden icons service provides site favicons to decorate vault items in the Bitwarden clients. To enable this functionality, clients need to send plaintext domain name information to the service. Communicated information is limited to vault item URIs. These URIs are part of a user's encrypted content, but we do this to speed up loading of vaults, ensure favicons accurately represent the associated URI, and avoid leaking vault contents to local network administrators. This feature is easily disabled in client settings.

Automatic confirmation policy

By default, users invited to join a Bitwarden organization must be confirmed by an administrator once they accept an invitation to join. The confirmation step completes the key exchange which allows for end-to-end-encrypted sharing of items between organizations and their members.

Enterprise organizations can optionally set up automatic confirmation of users if they do not want to manually confirm each user. Once activated, a background process will run in the unlocked browser extension of some administrator roles, which will perform this key exchange automatically upon request from the server.

This is incompatible with end-to-end encryption because it allows the Bitwarden server to request a key exchange on demand. Any actor with control over Bitwarden infrastructure may fabricate an invite, which would trigger the automatic confirmation process and give the attacker a copy of the organization key. This can then be used to decrypt organization data.

For these reasons:

  1. The feature is opt-in only and administrators are warned about the security implications. The feature cannot be activated by the server acting alone - each browser extension that wishes to perform the key exchange must also enable a setting that can only be set locally on that device.

  2. The organization and its members are cryptographically isolated from other organizations, providers and users to prevent cryptographic traversal and the compromise of other parties. These measures are outlined in our help documentation.