Safe to use BW on Android cell phone that will soon be sold?

Cell phone will soon be sold, but wondering if it’s safe to leave traces of Bitwarden behind, even after a factory reset? I know deleted files aren’t really wiped, so wondering if anything could potentially be recovered by someone after it’s reset. Running Android 13, if that’s of any value.

After a factory reset, the old encryption key is wiped. Although traces of the encrypted data may remain on the phone, no one, including you, can access the encrypted data without the now forever-lost encryption key.

Thanks. So the encryption key itself is not just “deleted”, it’s actually actively wiped so it becomes completely unrecoverable, even with data recovery tools, etc…?

If you open Settings > Security & Location > Encryption & Credentials > Trusted Execution Environment or Settings > Security & Location > Encryption & Credentials > Storage type being “Hardware backed”, then most likely your device encryption key is derived from something that is stored on the chip which is not written to the SSD storage. When you reset your device, the info in the TEE is erased and definitely can’t be retrieved. As far as the info written to the SSD? Who knows? But just remember that your BW vault is stored encrypted with something derived from your master password. If you require entering the master password on every reboot, then your vault’s encryption key is not in the keystore (and hence, not on the SSD, nor the TEE).

Thanks for the explanation. I checked, and my phone is indeed set to ‘hardware-backed’. I got paranoid from reading this, which says credentials could be restored after a reset: Selling your smartphone? A factory reset alone won't protect your data | nextpit. Is this maybe an outdated fear? I was reading that Full Disk Encryption can help keep things more secure, but I also thought all Android phones were fully encrypted by default. In my settings, though, I have an option for a master password before it starts up (which is not activated). I thought the screen lock was the encryption key, but maybe not after all?

I personally believe that this is outdated. Device encryption is turned on by default now, and I can’t even turn it off on my phone.

We know for sure that your encryption key is written to the Android Keystore, which is what your option would do (not requiring the master password on reboot). Ideally, to unlock the encryption key from the keystore, it requires a credential (which it does), and this is a per-app thing (which is most likely the case). However, this behavior (or any platform-based protection) is not explicitly documented by Bitwarden. Assuming that Bitwarden uses the safest implementation may be a folly. See this kind of assumption on the Windows Hello implementation thread: Does bitwarden save master password in TPM - #15 by Neuron5569. Some people on Reddit regularly advocate for not persisting the encryption key across reboots regardless of platforms.

On an unrooted Android phone, access to the /data/data directory is restricted to the app itself. As a user, you cannot access it except through an adb command from a desktop computer. Malware cannot access the encrypted vault except through Bitwarden or operating system vulnerabilities. See Storage | Bitwarden Help Center
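The key hierarchy described in the two posts above (a TEE-backed device secret, a vault key derived from the master password, and the option of keeping that vault key in the keystore so no master password is needed on reboot), as an added model in Python that is not Bitwarden's or Android's code; the PBKDF2 parameters and the HMAC-based stream cipher are constructed stand-ins for the real primitives, and the `Device` class simply models what is on flash versus in the TEE.

```python
import hashlib
import hmac
import secrets

def derive_vault_key(master_pw: bytes, salt: bytes) -> bytes:
    # Vault key derived from the master password (PBKDF2-HMAC-SHA256; iteration count is assumed).
    return hashlib.pbkdf2_hmac("sha256", master_pw, salt, 100_000, dklen=32)

def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Constructed HMAC-SHA256 counter-mode stream cipher standing in for AES; illustration only.
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), "sha256").digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def encrypt(key: bytes, data: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    return nonce + _keystream_xor(key, nonce, data)

def decrypt(key: bytes, blob: bytes) -> bytes:
    return _keystream_xor(key, blob[:16], blob[16:])

class Device:
    def __init__(self):
        self.tee_secret = secrets.token_bytes(32)  # hardware-backed key, never written to flash
        self.flash = {}                            # everything here may survive a reset

    def store_vault(self, vault: bytes, master_pw: bytes, persist_key: bool):
        salt = secrets.token_bytes(16)
        vault_key = derive_vault_key(master_pw, salt)
        self.flash["salt"] = salt
        self.flash["vault"] = encrypt(vault_key, vault)
        if persist_key:
            # "No master password on reboot": vault key wrapped by the keystore's TEE-backed secret.
            self.flash["wrapped_key"] = encrypt(self.tee_secret, vault_key)

    def factory_reset(self):
        # Reset erases the TEE secret; flash is deliberately left as-is to model non-wiped remnants.
        self.tee_secret = None

def recover_from_remnants(device: Device):
    # What a later holder of the device gets from flash remnants without the master password.
    wrapped = device.flash.get("wrapped_key")
    if wrapped is None or device.tee_secret is None:
        return None
    return decrypt(decrypt(device.tee_secret, wrapped), device.flash["vault"])

def unlock_with_master_password(device: Device, master_pw: bytes) -> bytes:
    # The legitimate owner still decrypts the vault blob from the master password alone.
    return decrypt(derive_vault_key(master_pw, device.flash["salt"]), device.flash["vault"])
```

Before the reset a persisted key makes the vault readable from the device alone; after `factory_reset()` the same flash contents yield nothing, while the master password still unlocks the blob.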

Wow, thanks for all of the detailed info, including the link you provided. Great information. I have to admit, some of it is a little over my head, so I don’t fully understand everything described, but I will take the time to research as I read to get a full understanding. In the meantime, if I understand the concept correctly (including our assumptions), it seems safe the way it’s currently set up - no phone boot password; but there is a screen lock; access BW via fingerprint authentication even w/out having to enter BW password after reboot, since the encryption is stored in TEE. Thanks for taking your time with this!