There should be a feature to re-key the master encryption key.
If my master password leaked, and I have reason to believe that someone decrypted and stole my encryption key (by decrypting the “ProtectedKey” using my master password)… changing my password does not protect my encrypted data anymore and new entries moving forward… and I have no choice but to abandon my Bitwarden account.
A rekey option should:
- Download all entries
- Decrypt all entries locally
- Generate a new encryption key and MAC key (to be encrypted with the new master password) and use that to re-encrypt all entries.
- Replace all entries on the server with the newly encrypted ones and replace the protected key with the new protected key.
Perhaps the rekey option should always coincide with a master password change… So the default is to just re-encrypt the encryption and MAC key… but if you check a box, it will take a while and generate a new encryption key as well.
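
The difference between the default password change and the rekey steps listed above, as an added example that is not part of the original post and is not Bitwarden's code. It assumes a simplified vault: a random 64-byte key (AES-256-CBC plus HMAC-SHA256) wrapped under a PBKDF2-derived key; all function names and KDF parameters are hypothetical.

```javascript
// Simplified vault model for illustration; not Bitwarden's code or wire format.
const crypto = require('node:crypto');

// Encrypt-then-MAC with a 64-byte key: bytes 0-31 AES-256-CBC, bytes 32-63 HMAC-SHA256.
function seal(key, plaintext) {
  const iv = crypto.randomBytes(16);
  const c = crypto.createCipheriv('aes-256-cbc', key.subarray(0, 32), iv);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  const mac = crypto.createHmac('sha256', key.subarray(32)).update(iv).update(ct).digest();
  return { iv, ct, mac };
}

function unseal(key, { iv, ct, mac }) {
  const want = crypto.createHmac('sha256', key.subarray(32)).update(iv).update(ct).digest();
  if (!crypto.timingSafeEqual(want, mac)) throw new Error('MAC mismatch');
  const d = crypto.createDecipheriv('aes-256-cbc', key.subarray(0, 32), iv);
  return Buffer.concat([d.update(ct), d.final()]);
}

// Assumed KDF parameters for this model (PBKDF2-SHA256 with a per-account salt).
const wrapKey = (password, salt) => crypto.pbkdf2Sync(password, salt, 100000, 64, 'sha256');

function createVault(password, items) {
  const salt = crypto.randomBytes(16), userKey = crypto.randomBytes(64);
  return { salt, protectedKey: seal(wrapKey(password, salt), userKey),
           entries: items.map((p) => seal(userKey, Buffer.from(p))) };
}

// Default password change: the same key is kept, only its wrapper changes.
function changePassword(vault, oldPw, newPw) {
  const userKey = unseal(wrapKey(oldPw, vault.salt), vault.protectedKey);
  return { ...vault, protectedKey: seal(wrapKey(newPw, vault.salt), userKey) };
}

// Rekey: decrypt locally, generate a fresh enc+MAC key, re-encrypt every entry, replace the protected key.
function rekey(vault, oldPw, newPw) {
  const oldKey = unseal(wrapKey(oldPw, vault.salt), vault.protectedKey);
  const newKey = crypto.randomBytes(64);
  const entries = vault.entries.map((e) => seal(newKey, unseal(oldKey, e)));
  return { ...vault, protectedKey: seal(wrapKey(newPw, vault.salt), newKey), entries };
}

// Number of entries a holder of `key` can still decrypt in `vault`.
function readableWith(key, vault) {
  return vault.entries.filter((e) => { try { unseal(key, e); return true; } catch { return false; } }).length;
}
```

Entries that were copied before the rekey remain decryptable with the old key; the rekey only protects what is stored and added from that point on.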