Encrypted Folder within your Vault + 2FA support

TL;DR: Let users create a password protected / encrypted folder inside vaults.

I suggest that Bitwarden adds a feature so users can create encrypted folders (protected by a “folder password”). The folder stays encrypted until the folder password is entered, which decrypts it (much like how the general vault functions today). Being able to have an encrypted folder inside your encrypted vault creates an extra layer of protection. This can be used in different ways, obviously.

I can see different use cases for why this is valuable:

  1. It can be used to protect extra sensitive / important passwords or documents. It could for example be bank information, passport documents or something else you consider important to keep safe (e.g. Facebook, Google, mail) but you rarely use or log into, so it is unnecessary to expose it when you decrypt your general vault. A protected folder would “solve” this.

  2. You can have your “non-important stuff” / “stuff used often” in the general vault, which only requires you to log into the vault to decrypt, while the important stuff is secure.

  3. It can be designed by the individual user in a variety of ways (level of importance, by topic, by frequency of use, etc.).

  4. Protected folders make the vault much more “flexible” and remove any need to create several accounts/vaults for different things (and it removes the “friction” of having to log in and out of different accounts).

In this way you can avoid having “two sets of password managers” as suggested in this article.
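As an added illustration of the proposal above (my own sketch, not Bitwarden's code or its real key-derivation scheme), the protected folder is encrypted under a key derived from its own folder password and that ciphertext is then nested inside the vault ciphertext, so unlocking with the master password alone reveals the general items but leaves the folder as opaque bytes. Key derivation uses PBKDF2 with the 1,000,000 iteration count a reply below mentions; the HMAC-based encrypt-then-MAC cipher is a stand-in for a real AEAD, and all item data is constructed sample data.

```python
import hashlib, hmac, json, os

ITERATIONS = 1_000_000  # the PBKDF2 count a reply below reports using; the scheme here is illustrative

def derive_key(password: str, salt: bytes) -> bytes:
    """Slow password-to-key derivation, so a stolen blob still has to be brute-forced."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS, dklen=32)

def _subkey(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, "sha256").digest()  # separate encryption and MAC keys

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (length + 31) // 32
    return b"".join(hmac.new(enc_key, nonce + i.to_bytes(4, "big"), "sha256").digest()
                    for i in range(blocks))[:length]

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC with HMAC-SHA256, a stand-in for a real AEAD such as AES-GCM."""
    nonce = os.urandom(16)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, "sha256").digest()
    return nonce + ct + tag

def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, "sha256").digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong password or tampered data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(_subkey(key, b"enc"), nonce, len(ct))))

def create_vault(master_pw: str, folder_pw: str, general: dict, protected: dict) -> dict:
    """The protected folder is sealed under its own key, then stored inside the vault plaintext."""
    vault_salt, folder_salt = os.urandom(16), os.urandom(16)
    folder_blob = seal(derive_key(folder_pw, folder_salt), json.dumps(protected).encode())
    inner = {"general": general, "folder_salt": folder_salt.hex(), "folder": folder_blob.hex()}
    vault_blob = seal(derive_key(master_pw, vault_salt), json.dumps(inner).encode())
    return {"vault_salt": vault_salt.hex(), "vault": vault_blob.hex()}

def unlock_vault(vault: dict, master_pw: str) -> dict:
    """The master password reveals the general items but only the ciphertext of the folder."""
    key = derive_key(master_pw, bytes.fromhex(vault["vault_salt"]))
    return json.loads(unseal(key, bytes.fromhex(vault["vault"])))

def unlock_folder(inner: dict, folder_pw: str) -> dict:
    """The folder password is needed a second time, even with the vault already open."""
    key = derive_key(folder_pw, bytes.fromhex(inner["folder_salt"]))
    return json.loads(unseal(key, bytes.fromhex(inner["folder"])))
```

A wrong password at either layer fails the MAC check rather than yielding garbage, so a malware-compromised session that has the vault open still cannot read the folder without the second secret.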

@pakellywood
I don’t understand why this would be needed. Honestly, the entire vault is heavily encrypted and the encryption key is your master pass; the ability for a hacker or somebody to decrypt your vault would be nearly impossible, especially if you have Bitwarden set up with all the proper security settings like 2FA and high enough KDF iterations to prevent brute force.

I have my KDF set to 1,000,000 and I could technically go higher, as my computer has no issues with it being at 1,000,000. I also have 2FA enabled.


I see the possibility to protect parts of your vault even though it is “open”, so not the entire vault is decrypted.


I’d like to store my 2FA backup codes in my vault, but storing them with my passwords ruins the whole point of having 2FA. With an encrypted folder, I could store them in that instead of creating a new account. Maybe a better option would be having multiple vaults on one account? That way this wouldn’t break the existing security checks and whatever.


I am new here, so Hi.

I am really looking for functionality like this. I own an iPhone 11 Pro and have a pretty lengthy, complicated main vault code that I never store digitally. However, going through these max-level functionality restraints for some websites where I have nothing to lose if breached makes me not want to use the app at all.

I would appreciate some more easy-going access to most of my stored passwords. So I have arranged folders by severity of possible negative effects if breached (number of f’s given).

The no-f’s-given folder I want autofilled upon Face ID, without having to go through the master vault login. A level higher, just the pincode. Next, PIN + 2FA. And a 3rd level, full-on alphanumerical pass and one 2FA. You could basically set like 5 levels of inconvenience, the more sensitive the info gets.

Hi, I am new to Bitwarden. Can you please explain how to set a high KDF? Where is it?

  1. Go to vault.bitwarden.com
  2. Log in with your account.
  3. Click on Settings.
  4. Scroll down to Encryption Key Settings under My Account. Here you can change your PBKDF2 value.


Thank you. I was searching for this option all over the desktop app/browser extension.


Feature name

  • 2FA Locked Folder

Feature function

  • Requires 2FA to access a folder in your vault
  • Provides an extra layer of security for important accounts/credentials

Related topics + references

A PIN should be used for general low-impact accounts.

A PIN + 2FA should be used for high-impact accounts such as sensitive identity information, federated login accounts (i.e. Google/Facebook and email accounts), crypto credentials, possibly bank accounts, etc.

If your device gets compromised with virus/malware, you can be assured that only your frequently-used low-impact accounts have been affected.

@Mark_C I moved your post to this thread and adjusted the title to reflect that the encrypted state should offer both an additional encryption key as well as additional 2FA.