Thank you DoctorB! The reference to the official statement is much appreciated.
It’s odd that the official page doesn’t explicitly mention encrypting Secure Notes items. It looks like that could be an accidental omission, because I can’t imagine they aren’t encrypted. Or perhaps they are just lumping them in the generic “for all items” category.
Wouldn’t the text about “all items” cover a Secure Note? I think it would.
There are various ways you can prove it to yourself: checking the REST calls in the developer tools in the browser and desktop app, and there are other ways. I confirmed to myself that BW are encrypting every sensitive item, and encrypting end to end with my master password.
They are. The list is written to avoid redundancy. Thus, items of the Login, Card, and Identity type have their own lists that enumerate fields unique to those items types; in addition to their specific unique fields, the Login, Card, and Identity items also encrypt all of the fields listed under “For all items”.
The Secure Notes item type does not have any unique fields beyond those already shown under “For all items”, so there is no need to make an extra list for Secure Notes. Doing so would only repeat the field names shown under “For all items”, which would be redundant.
Yes, that’s why I did postulate that they are just lumping them in the generic “for all items” section.
By looking at the REST calls, how are you confirming that data is encrypted? Encrypted and encoded data can look nearly identical, but one is actually encrypted and the other is not.
For example, for the following plaintext:
this is a super secret phrase
one of the following is the output from a common encryption algorithm and one is simply encoded. By just looking at them, can you tell which is which?
The encrypted field always starts with “2.” and there is a “|” separator to divide it into 2 parts (sometimes 3). You always see that same pattern. I don’t expect encoding to do that.
My belief is that the 1st part is the IV, the 2nd part is the ciphertext, 3rd part is the MAC.
For now. The number 2 identifies the encryption algorithm (AES-256 CBC with a SHA-256 HMAC and Base-64 encoding). There are 6 other possible values for this constant, though…
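The framing described in this thread (a leading “2.”, then “|”-separated IV, ciphertext and MAC, each Base64 encoded), as an added example that is not Bitwarden’s own code: it parses such a string, rejects a bare Base64 encoding of the thread’s plaintext, and checks the HMAC-SHA256 tag. The MAC key, IV and filler ciphertext are constructed, and computing the tag over IV||ciphertext is an assumption about the format rather than something the thread states.

```python
import base64
import hashlib
import hmac
from typing import Optional, Tuple

# Encryption-type constant as described in the thread: a leading "2." means
# AES-256-CBC with an HMAC-SHA256 tag, each part Base64 encoded.
AES_CBC256_HMAC_SHA256_B64 = 2
IV_LEN, MAC_LEN, BLOCK_LEN = 16, 32, 16

# Constructed: Base64 of the thread's plaintext, i.e. encoded but NOT encrypted.
BARE_BASE64_SAMPLE = "dGhpcyBpcyBhIHN1cGVyIHNlY3JldCBwaHJhc2U="


def parse_enc_string(s: str) -> Optional[Tuple[int, bytes, bytes, Optional[bytes]]]:
    """Split '<type>.<iv>|<ciphertext>[|<mac>]' into decoded parts, or None when
    the string lacks the framing the thread describes or the part sizes are off."""
    head, dot, body = s.partition(".")
    if not dot or not head.isdigit():
        return None
    parts = body.split("|")
    if len(parts) not in (2, 3):
        return None
    try:
        decoded = [base64.b64decode(p, validate=True) for p in parts]
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    iv, ct = decoded[0], decoded[1]
    mac = decoded[2] if len(decoded) == 3 else None
    if len(iv) != IV_LEN or not ct or len(ct) % BLOCK_LEN:
        return None
    if mac is not None and len(mac) != MAC_LEN:
        return None
    return int(head), iv, ct, mac


def verify_mac(mac_key: bytes, iv: bytes, ct: bytes, mac: bytes) -> bool:
    """Assumption: the tag is HMAC-SHA256 over IV||ciphertext (encrypt-then-MAC)."""
    expected = hmac.new(mac_key, iv + ct, hashlib.sha256).digest()
    return hmac.compare_digest(expected, mac)


def b64(b: bytes) -> str:
    return base64.b64encode(b).decode()


def build_sample(mac_key: bytes) -> str:
    """Constructed sample in the thread's format; the 'ciphertext' is filler bytes,
    not real AES output, so only the framing and the MAC are meaningful here."""
    iv = bytes(range(IV_LEN))              # constructed, fixed IV for repeatability
    ct = bytes([0xAB]) * (2 * BLOCK_LEN)   # constructed filler, two AES blocks
    mac = hmac.new(mac_key, iv + ct, hashlib.sha256).digest()
    return f"{AES_CBC256_HMAC_SHA256_B64}.{b64(iv)}|{b64(ct)}|{b64(mac)}"
```

A plain Base64 string decodes to the original plaintext and fails the structural checks, while the framed string only yields anything with the correct MAC key and the matching decryption key.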