Preventing backups from containing sensitive data

The Bitwarden web browser extension has an option to set the vault timeout to “never”. Obviously, this option is to only be considered if a device is in a physically secure location (and Bitwarden smartly has a message to this effect).

If this option were to be enabled:

  1. Where (exactly) would Bitwarden store the master password locally? Does it vary by web browser? If so, I would be interested in learning the answers for Chrome, Firefox, and Safari.
  2. Would the master password be stored in plain text, or would it be hashed? Or would it be encrypted using another key generated by Bitwarden?
  3. If enabled, what web browser files should not be backed up to prevent the backups from being used to access all Bitwarden data without needing the master password? This is likely the same answer as the first question, but I want to be comprehensive with this question.

  1. It does not store the master password; it only uses the master password as the key. The following is true for all browsers. Start up the browser and log into Bitwarden. The act of logging in will bring in the vault from the central server, which is why you will need an internet connection to log in. The master password you enter then decrypts the vault into memory. If you log out, the vault is destroyed and you will have to log in again.

If you specify that Bitwarden never logs out, Bitwarden will store the master password key to disk. This is not the master password but the key to your vault. I believe the key is also tied to your computer, so you can copy it and use it on a different machine. However, one reason not to do this is that if malware gains access to your machine, it will be able to get into your vault. Normally, you would add another access block such as a PIN or biometrics to gain access to the vault.

  1. As mentioned before, the password itself is never stored. There is no way for even Bitwarden to extract your master password. If you lose your master password, Bitwarden cannot recover it.

  2. The vault exists in memory, so there is really nothing to exclude. Technically, memory items can end up in the Windows page file if your memory gets paged to disk. You could exclude those files during your backup. You should probably exclude those files anyway because they are not useful to back up and will just take up space.

Thanks for your reply and sorry for my late response. Comments below:

If you specify that Bitwarden never logs out, Bitwarden will store the master password key to disk.

Right. Where exactly?

I believe the key is also tied to your computer, so you can copy it and use it on a different machine.

Did you mean to write “…also not tied to your computer…” or “…so you can’t copy it…”? If it’s tied to a specific device, then it won’t work on a different device.

“…the password itself is never stored…”

Thanks. Is the password key stored in plain text, hashed, or something else?

“The vault exist in memory so there is really nothing to exclude.”

Except it would be a good idea to exclude where the password key is stored if logout is disabled. The answer to the first question in this post will provide the answer.

Thanks again for your help.

I don’t know where the Bitwarden keys are stored; probably somewhere in AppData? I made a typo where I indicated that the key is tied to your computer, so you can’t just copy it to another machine and expect it to work.

I am no expert, but see the following link and read the section on PBKDF2. There is also an interactive link where you can see what gets generated when you enter some values.

https://help.bitwarden.com/article/what-encryption-is-used/

The takeaway is that the master password is not stored on disk, but the encryption key LOCALLY derived from your master password is.

The subject of memory safety has been hotly debated. The debated part is that if you dump your laptop’s memory and then search for your password, you will see it in memory. This issue affects all password managers because ultimately you need to decrypt the value somewhere in memory to use it, so this is not something that can be eliminated. However, you can’t just search for a field value like “password=”. Note that the vault is stored in memory, but is not stored with the master password. The master password is used to decrypt the vault into memory.

I don’t know where the Bitwarden keys are stored; probably somewhere in AppData?

For Firefox, it would have to be stored in a subfolder in the current browser profile, which can be defined by the user.

@tgreer Trey, do you know exactly how & where the master password key is stored within the profile, or can you find out?

I made a typo where I indicated that the key is tied to your computer, so you can’t just copy it to another machine and expect it to work.

Are you saying it is or is not tied to a single device?

TIA.

The key is related to your account. The key that is generated from your email + master password is used to encrypt your account’s master key, which is used to encrypt your data.

The derived key (if saved to disk) is stored with Bitwarden data here:
https://bitwarden.com/help/article/data-storage/

Always a good idea to avoid storing keys on disk if possible, but if you do, leveraging disk encryption and a strong system password will help tremendously :+1:


Thanks Trey.

  1. Could a derived key taken from 1 machine be used on another machine?
  2. Besides the derived key and the account’s email address, what is stored by the Bitwarden web browser extensions?

TIA.

@bit no problem :slight_smile:

  1. Not directly, the Bitwarden client apps handle the key derivation and decryption internally. But, there are apps out there that can take a pre-derived Bitwarden key and use it to decrypt an on-hand encrypted JSON data file.

  2. The client apps really just hold the encrypted data (data.JSON) as well as your user info (i.e. premium status) - unless you set your timeout to ‘never’, the derived key is stored in memory, attached to that client’s process, which means when you close the client, your vault locks.