Display File Hash on Bitwarden Send Download Page

Summary

As a user of Bitwarden Send, I would like the Bitwarden Send page to display a hash of the resulting file (such as a SHA256) on the download page so that the receiving user can validate the hash before downloading the intended file.

At the moment, what’s useful or reassuring on the receiver’s end is that he can see the sender’s email (if they permit it).

Additionally, as the sender, I can compare the hash on the download page and the one calculated on my own device and validate that they match.

Description

The ability to verify the integrity and authenticity of a file is crucial for many users, particularly when handling sensitive information. By displaying a file hash (e.g., SHA256) on the Send download page, Bitwarden can provide an additional layer of security and trust for users exchanging files through the Send feature.

It could just be like this:

Use Case

  • Scenario: A user sends a file through Bitwarden Send.
  • Action: The receiving user opens the Send link.
  • Result: The Send page displays a hash (such as SHA256) of the file.
  • Benefit: The receiving user can validate the hash against the file they receive, ensuring the file has not been tampered with and is indeed the intended file.

Proposed Solution

  1. Generate Hash: Calculate a SHA256 (or other specified hash algorithm) of the file on the sender’s device.
  2. Display Hash: Show the calculated hash prominently on the Send download page, along with the email and with instructions on how to verify the hash.
  3. Optional: Provide a link or instructions to popular hash verification tools for user convenience (such as 7zip).

Benefits

  • Security: Enhances the security and trustworthiness of file transfers by allowing users to verify file integrity.
  • Transparency: Provides transparency and reassurance for users receiving files, knowing they can confirm the file’s authenticity.
  • User Trust: Builds user trust in Bitwarden’s commitment to security and user privacy.

@Kukivu, your proposal seems straightforward to me except for one query I have about the process: if someone has the opportunity to tamper with the file, how do they not have the opportunity to replace the hash given they are in the same place? The hash copy being compared is not your source copy, no longer within your control, just like the file.

Some reassurance on how (or why) that will provide additional validation would be good.

I tend not to invest high trust in hashes which are in the same digital location as the relevant file. I prefer to see the hash published not on the exact same path as the download. Commonly it is used for checking mirrors against original source.

Why not just send the hash directly in your advisory e-mail, a separate path from the Send?
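Added example (not part of either post, and not Bitwarden code): the receiver-side check discussed in this thread, in Python. It compares a download against a digest shown beside the file and against one the sender delivered over a separate path; the file names and contents are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import tempfile


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file so large attachments are not loaded into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def normalize(hex_digest):
    """Accept pasted digests in upper case or with spaces/colons."""
    cleaned = "".join(c for c in hex_digest if c not in " :\t\r\n").lower()
    if len(cleaned) != 64 or any(c not in "0123456789abcdef" for c in cleaned):
        raise ValueError("not a SHA-256 hex digest")
    return cleaned


def verify_download(path, trusted_digest):
    """True only if the file matches the digest the receiver already trusts."""
    return hmac.compare_digest(sha256_file(path), normalize(trusted_digest))


def demo():
    """Constructed scenario: the stored file and the hash beside it both differ."""
    with tempfile.TemporaryDirectory() as tmp:
        original = os.path.join(tmp, "report.pdf")
        received = os.path.join(tmp, "download.pdf")
        with open(original, "wb") as fh:
            fh.write(b"constructed original contents")
        with open(received, "wb") as fh:
            fh.write(b"constructed altered contents")

        sender_digest = sha256_file(original)  # computed on the sender's device
        page_digest = sha256_file(received)    # value shown next to the altered file

        return {
            "same_channel": verify_download(received, page_digest),
            "out_of_band": verify_download(received, sender_digest.upper()),
            "untampered": verify_download(original, sender_digest),
        }


if __name__ == "__main__":
    print(demo())
```

A digest that travels with the file still matches when both are swapped (`same_channel` is true), while the sender's own digest delivered separately exposes the change (`out_of_band` is false).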