Does Bitwarden save master password in TPM

I only had a brief look at the biometrics update, and never really looked closely at the Windows code besides what was required to reimplement it for Linux. Still, how I understand it:

Before the biometrics update the biometrics were just an access control. The symmetric master key was stored in the Windows keystore API.

Now, a symmetric encryption key is derived from a signature created by the Windows Hello API (which might internally use the TPM, but that would be Windows internal, if it did). The key is still stored in the Windows keystore API, but encrypted with the symmetric key derived from Windows Hello. Bitwarden does not directly access the TPM to store cryptographic keys.

The issue with Windows (and Linux) in general is that the security model is fundamentally different compared to more locked-down systems such as Android. The OS can’t make guarantees about providing per-app cryptographic keys, and does not provide APIs for this (besides something like Windows UWP and Flatpak on Linux).

I can’t speak for the reasons the option to require the password on restart was added, but my guess would be exactly the reason above. (Again, I can’t speak for Windows and haven’t tested it there, but this does work in the Linux code, which is very similar; feel free to correct me if I made a wrong assumption):

Before the rework, a valid threat would be malicious code running under the same user. It could ask the OS keystore for the cryptographic keys, and since there is no per-app cryptographic key distinction the OS keystore happily hands the malicious code the keys required to decrypt the vault.

After the rework, malicious code running under the same user would only get an encrypted copy of the key required to decrypt the vault. The malicious code would need to invoke the Windows Hello API and have a user happily confirm the Windows Hello prompt. Still, if the malicious code manages to do these steps, it could decrypt the vault.

Asking for the master password on reboot and not persisting the biometrics key to the keystore would eliminate this issue entirely. This is why I think it could be the reason for adding the option.

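The scheme and the threat model described in the post above, modelled in Python as an added example. This is not Bitwarden's code and not the Windows or Linux implementation the poster describes; it only reproduces the structure the post lays out (plaintext key in a per-user keystore before the rework, key encrypted under a key derived from a Windows Hello signature after it, nothing persisted when the password is required on restart). Assumptions: `FakeHelloOracle`, `FakeKeystore` and `CHALLENGE` are constructed stand-ins, the key derivation is HKDF-SHA256 over the signature (not necessarily what Bitwarden uses), and the encryption is a standard-library encrypt-then-MAC construction standing in for a real AEAD.

```python
import hashlib
import hmac
import secrets


class FakeHelloOracle:
    """Constructed stand-in for the Windows Hello signing API: the secret never
    leaves the oracle, the signature is deterministic for a fixed challenge (so
    the same key can be re-derived on every unlock), and each call prompts."""

    def __init__(self):
        self._device_secret = secrets.token_bytes(32)

    def sign(self, challenge: bytes, user_confirms: bool) -> bytes:
        if not user_confirms:
            raise PermissionError("user dismissed the Windows Hello prompt")
        return hmac.new(self._device_secret, challenge, hashlib.sha256).digest()


class FakeKeystore(dict):
    """Constructed per-user OS keystore: any code running as this user can read
    every entry; there is no per-app separation."""


def hkdf_sha256(ikm: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 HKDF-SHA256 with an all-zero salt (assumed KDF, not Bitwarden's)."""
    prk = hmac.new(b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm, counter = okm + block, counter + 1
    return okm[:length]


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    return b"".join(
        hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        for i in range((length + 31) // 32)
    )[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Stand-in AEAD (HMAC counter keystream, encrypt-then-MAC) so the example is
    stdlib-only; real code would use AES-GCM or XChaCha20-Poly1305.
    Layout: 16-byte nonce || ciphertext || 32-byte tag."""
    nonce = secrets.token_bytes(16)
    enc_key, mac_key = hkdf_sha256(key, b"enc"), hkdf_sha256(key, b"mac")
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    enc_key, mac_key = hkdf_sha256(key, b"enc"), hkdf_sha256(key, b"mac")
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("bad tag: wrong key or tampered blob")
    return bytes(c ^ s for c, s in zip(ct, _keystream(enc_key, nonce, len(ct))))


CHALLENGE = b"biometric-unlock-challenge"  # constructed fixed per-user challenge


def store_old_scheme(keystore: FakeKeystore, vault_key: bytes) -> None:
    """Before the rework: the vault key sits in the keystore in the clear."""
    keystore["vault_key"] = vault_key


def biometric_kek(hello: FakeHelloOracle, user_confirms: bool) -> bytes:
    """After the rework: key-encryption key derived from a Hello signature."""
    return hkdf_sha256(hello.sign(CHALLENGE, user_confirms), b"biometric-kek")


def store_new_scheme(keystore: FakeKeystore, hello: FakeHelloOracle, vault_key: bytes) -> None:
    keystore["vault_key"] = seal(biometric_kek(hello, True), vault_key)


def unlock_new_scheme(keystore: FakeKeystore, hello: FakeHelloOracle, user_confirms: bool) -> bytes:
    return unseal(biometric_kek(hello, user_confirms), keystore["vault_key"])


def demo() -> dict:
    """Walk through each threat from the post; returns what each party obtains."""
    vault_key, hello, out = secrets.token_bytes(32), FakeHelloOracle(), {}

    old = FakeKeystore()
    store_old_scheme(old, vault_key)
    out["old_malware_reads_vault_key"] = old["vault_key"] == vault_key  # same user: just read it

    new = FakeKeystore()
    store_new_scheme(new, hello, vault_key)
    out["new_keystore_holds_plaintext"] = new["vault_key"] == vault_key
    out["new_legit_unlock_ok"] = unlock_new_scheme(new, hello, True) == vault_key
    try:  # malware reads the blob but has no Hello signature: wrong key, tag check fails
        unseal(secrets.token_bytes(32), new["vault_key"])
        out["new_malware_guessed_key"] = True
    except ValueError:
        out["new_malware_guessed_key"] = False
    try:  # malware invokes Hello but the user dismisses the prompt
        unlock_new_scheme(new, hello, False)
        out["new_malware_no_confirm"] = True
    except PermissionError:
        out["new_malware_no_confirm"] = False
    # malware invokes Hello and the user confirms the prompt: the vault still opens
    out["new_malware_user_confirms"] = unlock_new_scheme(new, hello, True) == vault_key

    restart = FakeKeystore()  # "require password on restart": nothing is persisted
    out["restart_option_leaves_nothing"] = restart.get("vault_key") is None
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Run it and the dictionary shows the three outcomes the post contrasts: the old scheme hands the key to any same-user process, the new scheme hands over only a blob that is useless without a confirmed Hello prompt but still falls to malware that gets the user to confirm one, and the restart option leaves nothing in the keystore to steal.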