Master Password & Key Rotation

I’ve changed my master password before, but I’m curious about key rotation, given the warning to have all users within the Collections be logged out – otherwise the entire database could become corrupted.

Do the other users need to simply quit the apps, or actively log out of the apps?
I’m curious if there’s any difference between the two states as it relates to rotating the encryption key.

They need to LOGOUT completely. Why? Because the logged-in sessions are using the current/old encryption key. If you change the encryption key in the vault, the still-open sessions will be using a no-longer-valid encryption key and the vault can become hopelessly contaminated. Making the change is easy, but you MUST log out of any open sessions before the change. Be warned!


Yup, that seems legit - my question is more about whether quitting an app is the same as logging out? The iOS versions have specific options to log out, but I’m assuming that quitting the apps has the same result. Meaning, the main thing to avoid here is to have one app actively logged in while this encryption key is rotated.

Does that sound right?

Since “Murphy” has a tendency to follow me around, LOL, I would never chance an app-only quit/sign-off. It only takes a few seconds to be absolutely confident that a particular app won’t burn you. I know this doesn’t specifically answer your technical question, but my goal is to make sure you are SAFE and won’t lose your vault. As a side note: it would always be prudent to back up your vault by exporting it to a secure location before the key swap! I and others have a thread running in here about how one might export a data file AND have it secure and not plain text.


What if my account is compromised and I need to change the master password/rotate the key? So, a “hacker” could corrupt my entire vault? I understand the logic, but why is it implemented in this fashion? I can’t wrap my head around it since I don’t fully understand.

I lost my computer once and somehow they were able to hack my password manager. Since that password manager was “local” and only synced to my Apple iCloud, all my accounts were compromised, and it took me 2 months to regain control of everything, which was extremely time-consuming and a headache. However, I was able to clean up and fix everything. If I didn’t have the “complete” list of all the sites, emails and passwords, I wouldn’t have been able to get everything back.
So, corrupting the vault is a big no-no to me.

You can deauthorize all sessions with the click of a button from the web vault. Doing so will log you out from all devices. So you won’t face that much of a big problem.


That’s in the “red danger zone” at the bottom, right? Which is why I didn’t want to touch that either. 🙂

Also, how reliably does that “deauthorization” logout work? Even Bitwarden’s site states “we will try to log out all sessions, but some might still be active / logged in,” or something to that effect.

There must be something that makes this process less reliable, for whatever reason. It would be a real shame to have a corrupted database just because one rotated the key for better security.