I was actually quite surprised to find that there seems to be no request for this yet. There are some pretty similar ones, but nothing that quite fits:
- Manage organizations and collections from clients
- Allow organization management in the CLI
- Create collections from the desktop client
I see the need for organization/collection management via the clients. For me this at least includes:
- Member on-/offboarding
- Management of groups (creation, deletion, modification, membership)
- Management of collections (creation, deletion, modification)
The reason for this lies in the trust model. While Bitwarden's cryptographic architecture makes it perfectly safe when used via the apps, users of the web vault have to trust that they always receive correct JavaScript from the server. This contradicts Bitwarden's "zero-knowledge" approach (actually meaning zero-trust, not cryptographic zero-knowledge), because in this scenario you do have to fully rely on Bitwarden being trustworthy and on there being no man-in-the-middle. For private use cases this may not be that problematic, as the web vault does not offer many additional features that individual users need on a regular basis. For enterprise use cases it is quite different, as management of the organization and its collections and groups can currently only be done through the web vault.
This is actually not a new issue. In the 2018 pentest by cure53, one of the three findings deemed Critical was BWN-01-008 "Crypto: Server obtaining encryption keys for organizations". Though the proposed mitigation (use of fingerprint phrases) was implemented, it was only implemented in the web vault, despite the report clearly stating that "the web version of Bitwarden may not substantially benefit from this improvement".