Rotate the account encryption key if the account has no master password?


Our company uses enterprise SSO with trusted devices.

So our users who are not admins of the org do not have a master password.

If I’m not mistaken, in case of a device compromise (malware infection, device loss, etc.) the recommended thing to do is to rotate the account encryption key.

Even more if that device is a trusted one, I guess…

Am I right?

In that case: how should we proceed if the compromised device is from a user that has no master password? Because only users who have a master password can rotate their account encryption key.


I ended up asking this to support.

I was told that, as of now, there is no way to rotate the account encryption key if the account uses enterprise SSO and has no master password.

The only way to ensure that a compromised trusted device will not be able to access the account is to delete that account and create a new one.

This means having to repeat all the tasks related to onboarding that account to the enterprise organization.

Plus all the exporting and importing of the account’s vault data.

This last bit means losing the metadata associated with all items. And if the account has several attachments, this can translate to a significant amount of work, downloading and re-uploading all of them.

Not ideal… at all.

