How are private keys secured?


#1

Hi, I’m interested in security. I read that before data is sent to the server, it is encrypted on the local PC. This is fine. But the private key, with which the data can be decrypted, is stored on a server. How secure is this? Does no one have access to these private keys?

I suppose there is another certificate on the server (about 4KB RSA) with which these private user keys are encrypted. But again, someone could get this private server certificate (even if it was a stupid employee) and decrypt private keys and then data with them.

How does this work?

Thank you for your answer.


#2

Bitwarden uses AES 265 bit only for encryption. They don’t use RSA, which means they will not have a copy of your private key. As for your decryption key, it is generated by running your master password through 100001 iterations (by default) of PBKDF2 SHA-256 upon account creation on your computer, then another 100001 iterations on their servers. They then store the hash on their servers and compare it to the hash generated when a login attempt is made. If the hash is the same, then you’ll be logged in or trigger the 2FA prompt.
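The two-stage stretching described in the reply above, as an added illustration (not code from the post or from Bitwarden): the client stretches the master password with PBKDF2-SHA256, the server stretches the received value again with its own random salt and stores only that result, so the stored record reveals neither the master password nor the client-side key. The iteration counts follow the post; the choice of the lower-cased email as the client-side salt and a 16-byte random server-side salt are assumptions made here.

```python
import hashlib
import hmac
import os

CLIENT_ITERATIONS = 100_001  # client-side iteration count, as stated in the post
SERVER_ITERATIONS = 100_001  # server-side iteration count, as stated in the post
KEY_LEN = 32                 # 256-bit output


def derive_client_key(master_password: str, email: str,
                      iterations: int = CLIENT_ITERATIONS) -> bytes:
    """Client side: stretch the master password with PBKDF2-SHA256.

    Assumption: the normalised email address serves as the salt, so the
    same password and email always yield the same key on any device.
    """
    salt = email.strip().lower().encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=KEY_LEN)


def server_hash(client_key: bytes, salt: bytes,
                iterations: int = SERVER_ITERATIONS) -> bytes:
    """Server side: stretch the value received from the client once more.

    Only this output is stored; the server never sees the master password,
    and recovering client_key from the stored hash would require the same
    brute-force effort an attacker faces against any PBKDF2 hash.
    """
    return hashlib.pbkdf2_hmac("sha256", client_key, salt, iterations,
                               dklen=KEY_LEN)


def register(master_password: str, email: str) -> dict:
    """Account creation: returns the record the server would persist."""
    client_key = derive_client_key(master_password, email)  # happens on the client
    salt = os.urandom(16)                                   # per-account server salt (assumption)
    return {"email": email, "salt": salt,
            "hash": server_hash(client_key, salt)}


def login(record: dict, master_password: str, email: str) -> bool:
    """Login attempt: recompute both stages and compare in constant time."""
    client_key = derive_client_key(master_password, email)
    candidate = server_hash(client_key, record["salt"])
    return hmac.compare_digest(candidate, record["hash"])
```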