Are notes WITHIN login and credit card items encrypted the same as everything else?

I’m 98% sure the answer is “yes”, but I would like to be sure.

Within login and credit card items, is text in the notes field encrypted the same as everything else (e.g. usernames and passwords)?

Please note (no pun intended) that I am not referring to Secure Notes, which are their own item type.

1 Like

Yes, all encrypted. Even the URL!!

Official statements here

2 Likes

Thank you DoctorB! The reference to the official statement is much appreciated.

It’s odd that the official page doesn’t explicitly mention encrypting Secure Notes items. It looks like that could be an accidental omission, because I can’t imagine they aren’t encrypted. Or perhaps they are just lumping them in the generic “for all items” category.

Wouldn’t the text about “all items” cover a Secure Note? I think it would :+1:

There are various ways you can prove it to yourself, such as checking the REST calls in the developer tools in the browser and desktop app; there are other ways too. I confirmed to myself that BW are encrypting every sensitive item and encrypting end to end with my master password.

They are. The list is written to avoid redundancy. Thus, items of the Login, Card, and Identity type have their own lists that enumerate fields unique to those item types; in addition to their specific unique fields, the Login, Card, and Identity items also encrypt all of the fields listed under “For all items”.

The Secure Notes item type does not have any unique fields beyond those already shown under “For all items”, so there is no need to make an extra list for Secure Notes. Doing so would only repeat the field names shown under “For all items”, which would be redundant.

1 Like

Yes, that’s why I did postulate that they are just lumping them in the generic “for all items” section. :slight_smile:

By looking at the REST calls, how are you confirming that data is encrypted? Encrypted and encoded data can look nearly identical, but one is actually encrypted and the other is not.

For example, for the following plaintext:

this is a super secret phrase

one of the following is the output from a common encryption algorithm and one is simply encoded. By just looking at them, can you tell which is which?

dd36dad8212a754f7d8703467d56becd3ef99a19b056b457931f403894b608a1

A4L<[email protected][@sLCS8OuT2@n0RF8OuTm=YiZdA4&-@7X"(@kq$

That makes sense. Different people’s brains organize things different ways, but how you described it does make good sense to me too. :slight_smile:

1 Like

A Bitwarden encrypted secure note looks like this

The encrypted field always starts with “2.” and there is a “|” separator to divide it into 2 parts (sometimes 3). You always see that same pattern. I don’t expect encoding to do that.
My belief is that the 1st part is the IV, the 2nd part is the ciphertext, 3rd part is the MAC.

To convince yourself then check here Bitwarden · GitHub

The first one is HEX whereas the second isn’t so the first is most likely to be the encoded string and the 2nd the ciphertext.
What do I win? :confetti_ball:

For now. The number 2 identifies the encryption algorithm (AES-256 CBC with a SHA-256 HMAC and Base-64 encoding). There are 6 other possible values for this constant, though… :eyes:
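As an added example (not code from the thread or from Bitwarden), this is one way to check the type 2 layout discussed above: it splits the string on "." and "|", Base64-decodes each part, and applies the length checks that AES-256 CBC with an HMAC SHA-256 implies. The sample string and keys are constructed, and the MAC being computed over IV followed by ciphertext is an assumption, not something stated in the thread.

```python
import base64
import hashlib
import hmac

AES_BLOCK = 16   # AES block size and CBC IV size, in bytes
MAC_LEN = 32     # HMAC-SHA256 output size, in bytes


def parse_type2(enc_string):
    """Split '2.<iv>|<ciphertext>|<mac>' into raw bytes; reject other shapes."""
    enc_type, sep, body = enc_string.partition(".")
    if sep != "." or enc_type != "2":
        raise ValueError("not a type 2 encrypted string")
    parts = body.split("|")
    if len(parts) != 3:
        raise ValueError("expected IV, ciphertext and MAC")
    try:
        iv, ct, mac = (base64.b64decode(p, validate=True) for p in parts)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("a part is not valid Base64") from exc
    if len(iv) != AES_BLOCK:
        raise ValueError("IV must be 16 bytes")
    if not ct or len(ct) % AES_BLOCK:
        raise ValueError("CBC ciphertext must be a whole number of blocks")
    if len(mac) != MAC_LEN:
        raise ValueError("MAC must be 32 bytes")
    return iv, ct, mac


def mac_is_valid(enc_string, mac_key):
    """Assumption: the MAC is HMAC-SHA256 over IV || ciphertext."""
    iv, ct, mac = parse_type2(enc_string)
    expected = hmac.new(mac_key, iv + ct, hashlib.sha256).digest()
    return hmac.compare_digest(expected, mac)


def build_sample(mac_key):
    """Constructed sample: fixed bytes stand in for a real IV and ciphertext."""
    iv = bytes(range(16))
    ct = bytes(range(32, 64))  # two 16-byte blocks, not real AES output
    mac = hmac.new(mac_key, iv + ct, hashlib.sha256).digest()
    return "2." + "|".join(base64.b64encode(b).decode() for b in (iv, ct, mac))


if __name__ == "__main__":
    key = b"k" * 32  # constructed MAC key, not derived from any vault
    sample = build_sample(key)
    print(sample)
    print("MAC valid:", mac_is_valid(sample, key))
    print("MAC valid with wrong key:", mac_is_valid(sample, b"x" * 32))
```

A string passing `parse_type2` only shows that it has the expected shape; the MAC check with the right key is what ties the IV and ciphertext to a secret.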