Limit access by machine or other

Problem statement: Using a remote desktop, I’m looking for a way to limit access to the remote desktop to select Vault items.

As an example, I have a Kasm Workspace set up for software development. I don’t want to use my master password while still being able to access certain vault items. Items such as GitHub credentials, SSH keys, developer forums, etc. should be accessible. Items like medical accounts, Amazon login, shopping accounts should not be accessible.

I don’t want to use the same credentials as I use to access my “normal” vault. This would defeat the purpose. An example would be like how GitHub allows you to upload different SSH credentials for different repositories. If somehow one credential is compromised, the risk is limited.

Another use case is mobile. Most people shouldn’t need access to every vault item from their phone. Put another way, if my phone has access to my vault, and my phone can be accessed with a pin, then my vault is only as secure as the pin needed to unlock the phone.

The secrets manager might provide what I am looking for… But it seems to be limited to items of type “Key=Value”. Not sure how I would use that in place of the Chrome Plugin to enable logging into websites. However, I could see using the secrets manager to provide a key which automatically unlocks the Bitwarden app in a way that restricts what becomes accessible.

Possible solutions are something like a whitelist. Or a “device key” which provides access only to specific vault items, which can be further restricted to “read or write” for the item. Another solution is to create another Bitwarden account, but this is less than ideal for a number of reasons.

Is there another way to handle this?

There are many similar discussions. Here is one Reddit thread. I don’t want to maintain multiple accounts, which seems to be the overall gist of the recommendations. The problem statement is the same. Having the ability to limit the risk to the entire vault where possible. “I wanted to keep the practicality of not having to carry the key everywhere to access another vault with less sensitive passwords”. Maintaining separate accounts is one solution, but not great. It would be better to have the ability to create an “access token” which allows restricted access to only certain items. I would still be able to manage everything under one account while providing a method to limit risk where possible.

Maybe a plugin could be made - but I don’t see how that would solve the problem of exposing the master credentials. Unless a server plugin could be made which would add the ability to access vault records with a token.

From the gist of your post (and my understanding), I don’t think Bitwarden offers all the capabilities you’re looking for. You can submit feature requests (probably multiples), but each should be scoped very specifically.

Maybe a fit for what you want would be passkey login (already available for PRF-capable authenticators) and passkey-per-entry access control. In the past, though, the per-entry password requirement hasn’t provided extra cryptographic protection for the cached local vault; it only serves as access control.

With current capabilities, accessing a shared collection from multiple accounts remains the quickest option, especially with passkey logins. The emails used for each account can be aliases. 🤷

A family plan ($48/yr) allows you to have 6 accounts that each have their own vault and also access to a shared (“family”) vault to which you can assign access permissions to “collections” of vault entries. So for example, you and the spouse can see the bank entry, but the kids can not.

You might leverage this for your specific need, having one account for your Kasm workspace, another for your phone and an “owner” account that you only use on your home desktop, which you would use to configure which vault entries each device/account could see.

Personally, I do not worry about this sort of granularity of access, instead focusing on maintaining short timeouts on my vaults and the use of biometrics to reduce the friction when I need to unlock. For example, the copy of my vault on my phone locks after 1 minute; my home desktop’s after 15. Do note that a locked vault is encrypted and considered secure.