Hello. I’m not a security person in any way, I’m just curious how insecure a setup with gpg and copy-pasting is compared to using a passkey.
Let’s say one has a gpg-encrypted master password, encrypted using a YubiKey. Then the master password gets decrypted using the token and copied to the clipboard by a script, and the master password is never shown on the screen. That’s the point of the setup: to avoid typing and avoid showing the password.
If the machine is compromised, all is lost, the master password is easily stolen.
Now, if the machine is compromised, unlocking the vault using passkey involves getting the account encryption key locally. So, either way, the account encryption key gets stolen.
Do I get it right? Are the schemes comparable in security? Well, assuming the complexities of the techniques for stealing are equal.
Other than that: you are speaking of “unlocking (the BW vault) with passkey”. That is currently not possible with Bitwarden… and I wonder whether you mean “login-with-passkey” instead?
The PRF private key is used to decrypt your PRF-encrypted account encryption key, resulting in your account encryption key. Your account encryption key is used to decrypt your vault data.
Unlocking your vault causes the PIN or biometric key to decrypt the account encryption key in memory. The decrypted account encryption key is then used to decrypt all vault data in memory.
Nevertheless, there’s still no “unlock-with-passkey” function for Bitwarden - and the whole “login-with-passkey” process contains more steps… so the question is still what exactly you want to compare.
I have a vague thought that logging in with a passkey is not strictly better than sneakily copy-pasting a gpg-encrypted master password, and that these schemes have the same risks.
I changed the title now from “Unlocking the vault using passkey vs. gpg-encrypted master password” to “Security: “login-with-passkey” vs. gpg-encrypted master password”.
Logging in with a passkey is much more secure than logging in with a master password pasted from the clipboard.
When you log in on any Bitwarden client you are performing two actions:
The client authenticates to the server (and then the server lets the client download the encrypted vault).
The client decrypts that encrypted vault
Two (big) differences come to mind:
First one (and in my opinion the most important one): When you login with a passkey, the first action is protected by the phishing resistance of the webauthn protocol.
Second one: when you copy the master password to the clipboard it is at risk of leaking (by accidentally pasting where you shouldn’t, or by malware on your system).
Once you are logged in and with the vault unlocked, malware could steal the account encryption key (as you correctly point out). But that is independent of the login method you used.
The account encryption key has to be available on an unlocked client so that it can decrypt the vault (that’s the definition of an unlocked client).
Logging in with a master password exposes it to malware in the client
Logging in with a passkey does not.
Any client with an unlocked vault exposes the account encryption key to malware.
That’s why it’s so important to never use bitwarden on an untrusted device:
unlocked client + malware in the device = game over
I would say a compromise of the master password is a bit worse than a compromise of only the account encryption key (much worse if you don’t have 2-step-verification on your account).
If an attacker has a copy of your encrypted vault he can decrypt it knowing the account encryption key. But he can also decrypt it knowing the master password (because the encrypted vault copy should include your account encryption key protected by a key derived from your master password).
If that same attacker did not have access to a copy of your encrypted vault (unlikely if he was able to obtain your account encryption key) then that key would be useless to him.
But if that attacker had your master password, he could attempt to use it to authenticate to the server; and then 2SV would be the only thing preventing him from getting an unencrypted copy of your vault. At any point in the future (if the compromised master password is not changed, obviously).
Frankly, I read this as these schemes are relatively comparable in the worst case scenario and in everyday usage.
I understand all the arguments against gpg, but apparently, currently there’s no other way to use hardware tokens to unlock the vault directly, without accessing the service on the web. And the login with passkey is still in beta.
Yeah, and the pass utility makes this really easy. I have to switch apps to paste decrypted secrets, but it clears clipboard after timeout, the UX is great honestly for those who are used to command line.
It can’t do autofill though, that’s why I use bitwarden.
Login with passkey is great, looking forward to using it as well, when it’s out of beta.
Yes it does. I also use it as a meta password manager for bitwarden (and a couple of other accounts where having them available on the command line is convenient).
Why wait? It’s been many months in beta, but it’s very reliable. I have had to remove and re-add my yubikey a couple of times only. And in the rare cases where it wouldn’t work, you always have your master password as a fall back.