Thank you DoctorB! The reference to the official statement is much appreciated.
It’s odd that the official page doesn’t explicitly mention encrypting Secure Notes items. It looks like that could be an accidental omission, because I can’t imagine they aren’t encrypted. Or perhaps they are just lumping them in the generic “for all items” category.
Wouldn’t the text about “all items” cover a Secure Note? I think it would.
There are various ways you can prove it to yourself: checking the REST calls in the developer tools in the browser and the desktop app, and there are other ways. I confirmed to myself that BW are encrypting every sensitive item and encrypting end to end with my master password.
They are. The list is written to avoid redundancy. Thus, items of the Login, Card, and Identity type have their own lists that enumerate fields unique to those item types; in addition to their specific unique fields, the Login, Card, and Identity items also encrypt all of the fields listed under “For all items”.
The Secure Notes item type does not have any unique fields beyond those already shown under “For all items”, so there is no need to make an extra list for Secure Notes. Doing so would only repeat the field names shown under “For all items”, which would be redundant.
The encrypted field always starts with “2.” and there is a “|” separator to divide it into 2 parts (sometimes 3). You always see that same pattern. I don’t expect encoding to do that.
My belief is that the 1st part is the IV, the 2nd part is the ciphertext, and the 3rd part is the MAC.
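
The check described in the posts above can be scripted. This is an added example, not part of the original thread and not Bitwarden's code: it parses the "2." plus "|"-separated pattern and lists any sensitive field in a saved response that does not match it. The part labels follow the last poster's stated belief; the field names `name` and `notes`, the JSON layout and the sample values are constructed assumptions.

```python
import base64, binascii, json

PART_NAMES = ("iv", "ciphertext", "mac")  # labels per the poster's belief, not verified here

def parse_enc_field(value):
    """Return decoded parts if value looks like '<type>.<b64>|<b64>[|<b64>]', else None."""
    if not isinstance(value, str) or "." not in value:
        return None
    enc_type, _, body = value.partition(".")
    parts = body.split("|")
    if not enc_type.isdigit() or len(parts) not in (2, 3):
        return None
    try:
        raw = [base64.b64decode(p, validate=True) for p in parts]
    except (binascii.Error, ValueError):
        return None
    if not all(raw):  # an empty part means this is not the expected pattern
        return None
    return {"type": int(enc_type), **dict(zip(PART_NAMES, raw))}

def find_plaintext(obj, sensitive, path=""):
    """Walk parsed JSON; return paths of sensitive string fields that do not match the pattern."""
    hits = []
    if isinstance(obj, dict):
        for key, val in obj.items():
            here = f"{path}.{key}" if path else key
            if key in sensitive and isinstance(val, str) and parse_enc_field(val) is None:
                hits.append(here)
            else:
                hits.extend(find_plaintext(val, sensitive, here))
    elif isinstance(obj, list):
        for i, val in enumerate(obj):
            hits.extend(find_plaintext(val, sensitive, f"{path}[{i}]"))
    return hits

def make_sample(*sizes):
    """Build a constructed field value with parts of the given byte lengths."""
    return "2." + "|".join(base64.b64encode(bytes(range(n))).decode() for n in sizes)

# Constructed response body; the second item's notes field is deliberately plaintext.
SAMPLE = json.dumps({"items": [
    {"id": "a1", "name": make_sample(16, 16, 32), "notes": make_sample(16, 48, 32)},
    {"id": "b2", "name": make_sample(16, 16), "notes": "wifi password: hunter2"},
]})

if __name__ == "__main__":
    print(find_plaintext(json.loads(SAMPLE), {"name", "notes"}))
```

A match only shows that a field has the encrypted shape; it does not prove how the value was produced or which key was used.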