tl;dr I’d just like to know if there’s some action I should take, if this seems concerning, or it just looks like an already-known/common bug.
I’m seeing the following line output from bitwarden desktop app:
Feb 28 22:16:21 myhost bitwarden.desktop[8956]: 22:16:21.311 › [Encrypt service] decryptToUtf8 MAC comparison failed. Key or payload has changed. Key type AesCbc256_HmacSha256_B64Payload type AesCbc256_HmacSha256_B64 Decrypt context: no context
Feb 28 22:16:21 myhost bitwarden.desktop[8956]: 22:16:21.335 › [Encrypt service] decryptToUtf8 MAC comparison failed. Key or payload has changed. Key type AesCbc256_HmacSha256_B64Payload type AesCbc256_HmacSha256_B64 Decrypt context: no context
Seems to be this exact line checking cryptoFunctionService.compareFast(...)
response:
async decryptToUtf8(
encString: EncString,
key: SymmetricCryptoKey,
decryptContext: string = "no context",
): Promise<string> {
if (key == null) {
throw new Error("No key provided for decryption.");
}
// ...snipped for brevity...
if (fastParams.macKey != null && fastParams.mac != null) {
const computedMac = await this.cryptoFunctionService.hmacFast(
fastParams.macData,
fastParams.macKey,
"sha256",
);
const macsEqual = await this.cryptoFunctionService.compareFast(fastParams.mac, computedMac);
if (!macsEqual) {
this.logMacFailed(
"[Encrypt service] decryptToUtf8 MAC comparison failed. Key or payload has changed. Key type " +
encryptionTypeName(key.encType) +
"Payload type " +
encryptionTypeName(encString.encryptionType) +
" Decrypt context: " +
decryptContext,
);
return null;
}
}
return await this.cryptoFunctionService.aesDecryptFast({ mode: "cbc", parameters: fastParams });
}
At the time these logs output (I was watching logs for some other reason) bitwarden desktop app was up, but it was locked and not the currently focused window, so I wasn’t interacting with it.
some system/environment info:
- bitwarden desktop → help → about
- Version 2025.2.0
- SDK
main (28c7e29)
- Shell 34.2.0
- Renderer 132.0.6834.196
- Node 20.18.2
- Architecture x64
- desktop app is currently logged in and working well (but was locked, as I said)
- account: older and now the web UI for vault gives me warnings about “low KDF iterations” but I’m guessing that’s unrelated.
- OS/environment: nixos + gnome 47;
/etc/lsb-release
says:
DISTRIB_CODENAME=warbler
DISTRIB_DESCRIPTION="NixOS 25.05 (Warbler)"
DISTRIB_ID=nixos
DISTRIB_RELEASE="25.05"
LSB_VERSION="25.05 (Warbler)"