Hi everyone,
I moved some logins from my vault to the organization that I own. My question now is if I can move them back from the organization to my vault. I’ve been trying for days but I don’t find the way, maybe is not possible??
Thanks a lot
Hello @Simo and welcome to the community,
Due to the nature in how items are encrypted from your individual vault and then encrypted with an Organizational Vault for sharing purposes, items that are Moved into an Organization vault from your personal vault are essentially “owned” by that Organization at that point.
What you can do though as an Owner of your Organization, is clone the items in your Organization vault and then clone these to your personal vault.
Since these are Organization owned items you will need to clone them from the Organization vault view in the Bitwarden web-vault.
After these items are cloned into your personal vault, you can then delete them from the Organization vault.
One other thing you may due depending on how many logins you are attempting to move back into your personal vault, you can try to export these from the Org and then back into your personal vault.
You may need to first condition some of the formatting from the Organizational Vault export to be compatible with an Individual Vault import depending on if you export to .csv or .json
How is it that Org items are encrypted? they are still safe to store in an org as normally?
the phrase makes me a bit worried
Short answer,
Yes!
Vault items are absolutely still fully encrypted and safe to store in an Organization.
Long answer,
Encryption is complicated.
Individual vault items that are “moved” to an Organization have to be encrypted with the Org’s Symmetric Key (as I understand), which is then shared between users of the Org with a combination of public/private RSA keypairs.
As detailed
More specifics can be found in the Sharing Data between Users section of the Bitwarden Whitepaper, which also notes a new form of RSA public/private key pairs
Note
The mid 2021 release of Admin Password Reset introduced a new RSA public/private key pair for all Organizations. The private key is further encrypted with the Organizationʼs pre-existing symmetric key before being stored. The key pair is generated and encrypted client-side upon creation of a new Organization, or for an existing Organization upon:
- Navigation to the Manage→ People screen.
- Updates to anything on the Settings→MyOrganization screen.
- Upgrades from one Organization type to another.
More details of which can be found in the encryption section of the Admin Password Reset feature.