I noticed when migrating passwords from a different password manager that password imports typically come from files in which the passwords are in clear text. I migrated myself from LastPass, and there is an option for encrypted export. I control the key for this encrypted export and I think it would be a good idea to enable the import of encrypted passwords from various providers if the user controls the key.
But how should the team at Bitwarden know the routines that are necessary to decrypt your encrypted file?
Sigh… I considered that, and we can likely assume the commercial solutions one is migrating from would not provide these routines specifically to the Bitwarden community, but maybe they would deliver such information to a paid user of their service attempting to take control of their own encrypted file.
I guess the only other solution would be inference or cracking… not very practical.
I will request more information from my paid vendor and report back. I think another good solution could be to alert users who choose the plaintext import option to consider the transit their confidential information made in plaintext and prompt them with a “time to change your passwords” activity, which would probably have some good side effects anyway… but time consuming.
In the meantime, a very workable alternative is to export your LastPass data directly onto a secure encrypted portable drive or into an encrypted container such as a TrueCrypt/VeraCrypt container or an encrypted disk image (DMG) on a Mac. Not quite as secure as what you have suggested, but probably more than enough to get the job done without having to worry.
@dh024 not a bad call. At this point the transit info is at least encrypted in TLS?
update: LastPass customer service denied giving up the routine… expected but sigh.
Is it possible for us to close our own topic? Or do we just delete it at this point?
There is no concern with unencrypted information being transferred from the server with Bitwarden. Vault information is always transferred as encrypted data and decrypted client-side.
And there is no need to delete this topic - you posted to the user-to-user support category, not the feature requests. I say leave it here in case others find the discussion helpful. Cheers!
Apologies. Specifically, I am referring to the transit and storage prior to entering the Bitwarden environment (so in my example, leaving LastPass and arriving at the secure storage, as well as the initial transit from secure storage to the Bitwarden server).
Ah - I should have realized this is what you meant. Sorry!
I don’t know how LastPass handles exports, but I would be shocked if the decryption of your user data is not handled client side. I don’t think any reputable password manager would send your passwords as clear text, unencrypted, over the internet.
As far as the import process into Bitwarden goes, it will all be handled by the local client, so as long as you have the encrypted drive/container mounted on your local machine, it should not be exposed in any way on import. Once Bitwarden stores the data in your vault, the data is always encrypted with a key derived from your master password before it is synced to the server.
Just like Bitwarden, LastPass decrypts the vault locally, so your vault and master password are not sent across the network.
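An added illustration, not code from Bitwarden, LastPass, or any poster in this thread, of what "a key derived from your master password, decrypted client-side" means in practice. It models a zero-knowledge login in the style of the scheme Bitwarden documents publicly (PBKDF2-SHA256 with the lower-cased email as salt, then one extra PBKDF2 round to produce an authentication hash that is what actually goes over the wire). The function names, the iteration counts, and the server-side record format are assumptions chosen for the example; only Python's standard library is used so it runs offline.

```python
import hashlib
import hmac
import os

# ASSUMED parameters for illustration (not Bitwarden's real defaults):
CLIENT_ITERATIONS = 100_000   # client-side PBKDF2 rounds over the master password
SERVER_ITERATIONS = 100_000   # server-side PBKDF2 rounds over the received auth hash


def derive_master_key(master_password: str, email: str,
                      iterations: int = CLIENT_ITERATIONS) -> bytes:
    """Client side only. The master key never leaves the device; it is what
    protects the vault (in the real product it wraps the vault's symmetric key).
    The email is normalised so the same account always yields the same salt."""
    salt = email.strip().lower().encode()
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt,
                               iterations, dklen=32)


def derive_auth_hash(master_key: bytes, master_password: str) -> bytes:
    """Client side. One more PBKDF2 round keyed on the master key and salted with
    the password. This value, not the password and not the master key, is what
    the client sends to log in. PBKDF2 is one-way, so the server cannot recover
    the master key from it."""
    return hashlib.pbkdf2_hmac("sha256", master_key, master_password.encode(),
                               1, dklen=32)


def client_login_material(master_password: str, email: str) -> bytes:
    """Everything the network ever sees for authentication."""
    return derive_auth_hash(derive_master_key(master_password, email),
                            master_password)


def server_register(auth_hash: bytes) -> dict:
    """Server side. Hashes the received auth hash again with its own random
    salt before storing it (hypothetical record layout)."""
    salt = os.urandom(16)
    stored = hashlib.pbkdf2_hmac("sha256", auth_hash, salt,
                                 SERVER_ITERATIONS, dklen=32)
    return {"salt": salt, "hash": stored}


def server_verify(record: dict, auth_hash: bytes) -> bool:
    """Server side. Constant-time comparison against the stored record."""
    candidate = hashlib.pbkdf2_hmac("sha256", auth_hash, record["salt"],
                                    SERVER_ITERATIONS, dklen=32)
    return hmac.compare_digest(candidate, record["hash"])


if __name__ == "__main__":
    # Constructed sample credentials for the demonstration.
    email, password = "User@Example.com", "correct horse battery staple"
    key = derive_master_key(password, email)           # stays on the client
    auth = client_login_material(password, email)      # crosses the network
    record = server_register(auth)                     # what the server keeps
    print("master key seen by server?", key in record.values())   # False
    print("login ok:", server_verify(record, auth))
    print("wrong password ok:",
          server_verify(record, client_login_material("wrong", email)))
```

Two points worth checking against the thread: the server record contains neither the master password nor the master key, so a transport or server compromise yields only a salted hash that must be brute-forced; and the master key is deterministic for a given password and email, which is why a plaintext export (or a weak master password) is the real exposure, not the sync channel.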