Does Bitwarden save the master password in the TPM?

On some other password managers, you can save the master password key in the TPM so that when you reboot the computer, you do not need to log into the password manager with the master password. Does Bitwarden have a feature like this?

For more information, please refer to this page:
https://bitwarden.com/help/article/data-storage/#on-your-local-machine

Thanks Vachan, but that is not what I am looking for. I am wondering about the behavior of the desktop client. Let’s say I reboot the computer and reopen the Bitwarden desktop client: does it allow me to unlock using Windows Hello with biometrics, or does it require you to enter the master password the first time you start the app? On some password managers, you have to enter the master password every time the desktop client is restarted unless there is a TPM to store the master password.

Paul

You don’t have to enter your master password, just validate your Biometrics :slight_smile:

In the Bitwarden documentation, it talks about the difference between logging in and unlocking. I was under the impression that you can only unlock using Windows Hello, so rebooting would mean re-logging in using the master password?

I may try this out later on a Windows PC, but currently Bitwarden lives on a Chromebox, which doesn’t even have this feature.

You can also unlock with a PIN code that you set up. Just be sure to disable the option “Lock with master password on restart”.

See the help docs here:

https://bitwarden.com/help/article/unlock-with-pin/#enable-unlock-with-pin

Ok,
I managed to install Bitwarden on a Windows box and the behavior is not what I expected. Bitwarden has two states: logged out, when Bitwarden is disconnected from the network and has no access to the vault, and locked, where the vault exists in memory but is locked. The documentation says that when the vault is logged out, you must enter the master password to re-enter.

Scenario 1 - quit the Bitwarden Windows client and then relaunch it. I was able to get in using Windows Hello. I thought this would mean re-logging in, but I got in with just the Windows Hello PIN.

Scenario 2 - restart the Windows machine. I was able to access Bitwarden with the Windows Hello PIN. Doesn’t this mean I have to re-login using the master password? But this is not the case. I can get in using the Windows PIN.

This is not a complaint, but I am trying to get clarification on the behavior. If quitting and restarting the machine doesn’t require the master password, where is the master password stored?

What is also weird is that when I bring up the desktop client, it flashes a warning that I need to enter the master password and then disappears. The client then works without issue and does not prompt for the master password, just the Windows Hello one.

Your master password is not stored locally - it is only used to generate a key for encryption.

https://bitwarden.com/help/article/security-faqs/#q-is-my-bitwarden-master-password-stored-locally

There is a wealth of useful information in the online documentation that you might find helpful.
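To make the answer above concrete, here is an added illustration (not Bitwarden’s code, and not taken from this thread or its linked docs) of the general pattern a password manager can use so that the master password never has to be written to disk: the master password is stretched into a key-encryption key that only ever wraps a random vault key, and enabling PIN unlock (as described in the earlier post about “Lock with master password on restart”) persists a second copy of the vault key wrapped under a PIN-derived key. The iteration count, the e-mail-as-salt choice and the toy XOR/HMAC wrapper are assumptions made for this example; a real client would use a standard AEAD and its own parameters.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Illustrative parameter for the example; not Bitwarden's actual choice.
PBKDF2_ITERATIONS = 100_000


def derive_kek(secret: str, email: str, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Stretch a user secret (master password or PIN) into a 32-byte key-encryption key.
    The e-mail acts as a per-account salt (assumption for this example), so the same
    secret on two accounts yields two different keys."""
    salt = email.strip().lower().encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, iterations, dklen=32)


def wrap_key(kek: bytes, key: bytes) -> bytes:
    """Toy authenticated wrap: XOR the 32-byte key with a KEK-derived one-time keystream,
    then append an HMAC tag. A production client would use a standard AEAD instead."""
    nonce = secrets.token_bytes(16)
    stream = hashlib.sha256(b"wrap" + kek + nonce).digest()
    ct = bytes(k ^ s for k, s in zip(key, stream))
    tag = hmac.new(kek, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap_key(kek: bytes, blob: bytes) -> Optional[bytes]:
    """Reverse wrap_key. Returns None when the KEK is wrong or the blob was altered."""
    nonce, ct, tag = blob[:16], blob[16:48], blob[48:]
    expected = hmac.new(kek, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    stream = hashlib.sha256(b"wrap" + kek + nonce).digest()
    return bytes(c ^ s for c, s in zip(ct, stream))


def login(master_password: str, email: str) -> Tuple[dict, bytes]:
    """Full login: derive the master KEK, create a random vault key, and persist only the
    wrapped vault key. The master password itself never goes into the store."""
    master_kek = derive_kek(master_password, email)
    vault_key = secrets.token_bytes(32)
    store = {"email": email, "vault_key_wrapped_by_master": wrap_key(master_kek, vault_key)}
    return store, vault_key


def enable_pin_unlock(store: dict, vault_key: bytes, pin: str) -> None:
    """Persist a second copy of the vault key wrapped under a PIN-derived KEK.
    With 'lock with master password on restart' enabled, this entry would be kept in
    memory only and not survive a restart."""
    store["vault_key_wrapped_by_pin"] = wrap_key(derive_kek(pin, store["email"]), vault_key)


def unlock_with_pin(store: dict, pin: str) -> Optional[bytes]:
    blob = store.get("vault_key_wrapped_by_pin")
    if blob is None:
        return None  # nothing persisted: a full unlock with the master password is needed
    return unwrap_key(derive_kek(pin, store["email"]), blob)


def unlock_with_master_password(store: dict, master_password: str) -> Optional[bytes]:
    return unwrap_key(derive_kek(master_password, store["email"]), store["vault_key_wrapped_by_master"])


def demo() -> bool:
    """Walk through the thread's scenario: log in, enable PIN unlock, 'reboot' (drop all
    in-memory keys), then unlock with the PIN alone. Returns True if every check holds."""
    store, vault_key = login("correct horse battery staple", "user@example.com")  # constructed values
    enable_pin_unlock(store, vault_key, "4821")
    expected = vault_key
    del vault_key  # simulate app quit / reboot: only the on-disk store survives
    recovered = unlock_with_pin(store, "4821")
    wrong_pin = unlock_with_pin(store, "0000")
    password_on_disk = "correct horse battery staple".encode() in b"".join(
        v for v in store.values() if isinstance(v, bytes))
    return recovered == expected and wrong_pin is None and not password_on_disk


if __name__ == "__main__":
    print("scenario holds:", demo())
```

The point of the pattern is that after a restart the client needs only the PIN (or, for Windows Hello, whatever secret the OS releases on successful authentication) to unwrap the vault key; the master password is not kept anywhere, which is consistent with the FAQ linked above.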

Thanks David, but I don’t think the FAQ answers my question.

When you enable Windows Hello on Bitwarden, it’s probably not storing the master password but a key. It seems to be storing the key because I don’t need to use the master password to get into the vault after a reboot. I can unlock using Windows Hello. How is that key stored?

The technical bits of how Windows Hello secures keys can be found here:


Thanks Trey,
So basically it just uses Hello’s method of storing keys, which tries to use the TPM when available. When it’s not available, a less secure method is used?

Paul

So I switched off the TPM and rebooted my computer; I am still able to decrypt the vault without the TPM. This means the key is not being stored in the TPM. Perhaps it would do that if a TPM were available, but apparently it is not needed, so how does Bitwarden store that key :-).

I am curious because another password manager I am using, Enpass, will force you to re-enter the master password if a TPM is not available on startup, citing that without a TPM there is no safe place to stash the key.

Vendors claim a lot of outrageous things - I wouldn’t get too alarmed.

If you want more details about the BW security process, you should be able to find your answers here:

Also, if a dedicated TPM isn’t available, most modern processors have secure areas that can store secure data.