How is it possible to change your master password while keeping the same encryption key?

I’ve read pretty much everything I could find, but this is something I can’t seem to wrap my head around. I understand that the encryption key for anything stored in the vault is created using PBKDF2 SHA-256. Although I don’t know exactly how this function works, I would assume that, as the word “derived” suggests, the key is obtained directly from the master password.
In that case, how is it physically possible to change my password while not changing the encryption key? How do you obtain the encryption key then? I hope I’m wrong, but my intuition would tell me that the master password becomes just an access token to the data, with the old encryption key being stored somewhere.

Thanks, this is simpler than the Wikipedia page of PBKDF2. So basically, normal hashing repeated.
I don’t think this answers my question, though.

Bitwarden doesn’t store your real passwords. Your data will be encrypted/hashed on your local device before being sent to their server. Watch this video for proof. You can also test this yourself at home.

Quote from the Encryption page:

As interesting as what the demo video shows may be, that’s not what I’m asking. I’m not asking whether my stored passwords are transmitted encrypted either.
My question is about the fact that you can change the master password without changing the encryption key. This makes me wonder how I can still access my encrypted data, assuming that the encryption key is obtained from my master password.
What I want to know is, what are my stored passwords encrypted with (an encryption key, alright), and where does this encryption key come from, and is it stored anywhere, given that it seems I can change the master password without changing the encryption key.

As stated in the first post, my understanding is that data is encrypted with the master password, or something derived from it, as the encryption key, so I’d just like to understand how you can possibly change the master password without changing the encryption.

When you create your Bitwarden account many keys are created that are needed to run your account. One of those keys is your encryption key that is used to encrypt your data.

The encryption key is long, 256 bits, and most people can’t remember all of that so a master password is used.

All keys that are used for your account go into a “meta password manager” that lives in your account and is encrypted with your master password. It’s not possible for all users to remember every key that is used for their account since most of them are really long and complex. They all go into a “lockbox” and a padlock, which is your master password, locks that box.

The word “derive” can be misleading but is correct to use. When you derive something you obtain it just like you would obtain a car key from a lockbox by unlocking the box.
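The “lockbox” design described in this answer, shown as an added example that is not code from the original thread or from Bitwarden: a random 256-bit vault key is generated once, the master password is only stretched with PBKDF2-SHA256 into a key-encryption key, and that key locks the vault key. Changing the master password just re-locks the same vault key. The wrapping here uses HMAC-SHA256 as a keystream plus an HMAC tag (stdlib only) as a stand-in for the AES-based wrapping a real password manager uses; the iteration count is an example value, not a recommendation.

```python
import hashlib
import hmac
import os
import secrets

PBKDF2_ITERATIONS = 100_000  # example work factor, not a recommendation


def derive_kek(master_password: str, salt: bytes) -> bytes:
    """Stretch the master password into a 256-bit key-encryption key (KEK)."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, PBKDF2_ITERATIONS, dklen=32)


def wrap_key(vault_key: bytes, kek: bytes) -> bytes:
    """Lock the vault key with the KEK. HMAC-SHA256 over a fresh nonce acts as a
    one-time keystream; a second HMAC authenticates the result (stand-in for AES)."""
    nonce = os.urandom(16)
    pad = hmac.new(kek, b"wrap" + nonce, "sha256").digest()
    ct = bytes(a ^ b for a, b in zip(vault_key, pad))
    tag = hmac.new(kek, b"mac" + nonce + ct, "sha256").digest()
    return nonce + ct + tag


def unwrap_key(locked: bytes, kek: bytes) -> bytes:
    """Open the lockbox; a wrong KEK (wrong master password) fails the tag check."""
    nonce, ct, tag = locked[:16], locked[16:48], locked[48:]
    expected = hmac.new(kek, b"mac" + nonce + ct, "sha256").digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong master password or tampered lockbox")
    pad = hmac.new(kek, b"wrap" + nonce, "sha256").digest()
    return bytes(a ^ b for a, b in zip(ct, pad))


def create_account(master_password: str) -> dict:
    """The vault key is random and never derived from the password; the account
    record stores only the salt and the locked form of the key."""
    salt = os.urandom(16)
    vault_key = secrets.token_bytes(32)
    return {"salt": salt,
            "locked_key": wrap_key(vault_key, derive_kek(master_password, salt))}


def unlock(account: dict, master_password: str) -> bytes:
    """Recover the vault key from the stored record using the master password."""
    return unwrap_key(account["locked_key"], derive_kek(master_password, account["salt"]))


def change_master_password(account: dict, old_pw: str, new_pw: str) -> dict:
    """Re-lock the same vault key under the new password; vault data is untouched."""
    vault_key = unlock(account, old_pw)
    salt = os.urandom(16)
    return {"salt": salt, "locked_key": wrap_key(vault_key, derive_kek(new_pw, salt))}
```

Nothing derived from the master password ever leaves the device, and the server-side record (`salt`, `locked_key`) is useless without the password, which is why a password change costs one re-wrap rather than re-encrypting the vault.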

There’s already a long discussion about this on Reddit:

Also, our whitepaper explains how it all works :slight_smile:


Nice, these 3 answers were what I was looking for!

Also, I hadn’t found this white paper but it was very interesting to read :grinning_face_with_smiling_eyes: