Bitwarden sends are E2EE by design because the Send Keys are generated on the client side (i.e. Bitwarden does not know the Send Keys). But anyone with the Send ID and Send Key can access a send’s contents until the send expires or is deleted.
My concern is what happens after a send is deleted?
The Send ID is #mS2LfeyK3xn3fVEQXzYnnh and the Send Key is Hayk8N7x792Ydx3wYD4cPf
Assume further that the send is deleted.
What happens if Bitwarden is subpoenaed to produce the contents of Send ID #mS2LfeyK3xn3fVEQXzYnnh with Send Key Hayk8N7x792Ydx3wYD4cPf? If the send is 100% purged from all of Bitwarden’s servers, including backup servers, then Bitwarden can not produce the contents of the send. But I’m concerned that copies of each send (even deleted sends) remain on Bitwarden servers for some defined period of time. If so, then deleted Bitwarden sends can be recovered despite their E2EE design.
So my question boils down to what, precisely, happens when a send is deleted? How is the send’s record purged?
Your send data is most likely encrypted by the Send Key (yours Hayk8N7x792Ydx3wYD4cPf), so the info is most likely not accessible by anyone except those who has the key (your vault, you, your sendee, your communication channel, BW log?, etc).
My concern is that the full link (which includes the de/encryption key) will survive on my email service’s servers for effectively forever. It will survive on my sendee’s email server effectively forever too. Therefore, the full link will remain fully discoverable. The link being discoverable is not an issue provided that the send truly does not exist any longer. If it no longer exists in any way, Bitwarden cannot be forced to turn anything over. But if the send record does exist in some form (beyond 7 days or otherwise) then Bitwarden can be forced to turn over its contents – and then those contents can be decrypted with the known encryption key.
I don’t have this concern with the password manager itself, because my master password remains private (i.e. only known by me). But in the case of a send record, the encryption key is public because it’s in the send link itself.
I suppose the solution is to add a password to any send that contains anything super sensitive.