Bitwarden and android keystore

When biomentric authentication is on Bitwarden on android use Android Keystore. But what exactly bitwarden store in Keystore? MasterKey, EncKey or some additional keys?
Thanks in advance.

1 Like

Hello and welcome to the community!

I’m interested to know as well.

These are some previous discussions with answers from the developer(s). Master key, definitely.

But if you need to authenticate yourself to Bitwarden with a master password hash, then you need:

  • Authentication/Access token (most likely, because of 2FA)
  • the master password hash itself
  • the master key + the master password (you have to store the master password!)

Because of the “remember me” feature for 2FA, you probably would have to keep a 2FA token around too, separated from the master password hash.

Hello, thanks for your reply.
Yes, I checked the discussions you mentioned, and I’ve done some self-education by reading traffic dumps from my self-hosted environment.
So, I think the only thing you need to store in the keystore is the master key.
Biometric authentication can be enabled only after fully authenticating your device, and then we talk about unlock operations (before you choose to exit your account on your device). For unlocking (decrypting the vault), we need the master key. For the sync procedure, the app will use tokens (refresh and access) that can be stored on your device because they are not connected to your master password or master key and are rotated from time to time (you can check RFC 6749 about tokens).

1 Like

Thanks for the update!

BTW, looks like on Windows, they store Access+Refresh tokens in the Credential Manager, so they might have taken the same approach with Android.


Could you check Credential Manager on your PC and verify that you have two values in there with the Bitwarden/ prefix? One should be your accessTokenKey and the other your refreshToken.