Security question about importing a CSV file

Froulik · April 7, 2019, 6:52am

Hi

I just created an account on Bitwarden.com and I plan to use it (also) with my Firefox browser.
For now, my Bitwarden vault is empty and I mean to import data from an Enpass vault I use for years.
I red in the help section that I have to export the database from Enpass in CSV format and import it.
I red in security pages that all the data is encrypted and that I am the only one who can access it.

My question is :
The file will travel directly from my harddisk to the bitwarden server. I will use neither a firefox extension nor any desktop application.
The enpass CSV file is not protected, all the data is readable by anybody. So, when will this data been encrypted ?
Is it before, during or after the transfer from my computer to the server ?
As my data is very sensitive (as everyboby, sure) I am a bit worried with that.

I only want to get a trustworthy answer…

Thank you or reading … and answering

Crocmagnon · April 7, 2019, 8:10am

Hello !
While I’m not able to confirm this, my hypothesis is the following :

Your file is processed by some javascript code that runs in your browser.
Resulting data is encrypted
Encrypted data is sent to the server to be stored and synced to your other devices.

Maybe @kspearrin can confirm this ?

The important thing to note here is that when you use vault.bitwarden.com, you’re not directly communicating with BW server. Your browser downloads some javascript code that it’s able to run by itself. So your data is only decrypted in your browser and the server never knows it.

Plus, when BW sends encrypted data to its server, the communication itself is also encrypted with TLS (HTTPS).

Froulik · April 7, 2019, 8:25am

Thank you Crocmagnon for your fast and precise reply
It reassures me a lot.
However, I’ll wait for - kspearrin maybe - more answers
Have a nice day

kspearrin · April 8, 2019, 1:28am

Imported data is encrypted locally the same as any other data in your vault. The file is not uploaded to Bitwarden servers. @Crocmagnon is correct.

Froulik · April 8, 2019, 6:15am

OK, kspearrin, I am reassured, so I’m gonna use the bitwarden vault fearless

opgobee · September 13, 2020, 9:07pm

I had the same question and also wanted to see myself that the sent information was indeed encrypted. I tried with a (json) file with 1 password. Indeed it was encrypted. Also when I after that submitted all my sites/passwords, I saw their URL, login name and password were all encrypted.
You can test/see it yourself:
I used Firefox, the following information is for Firefox, but Chrome has a similar functionality and I assume Safari and Edge too (but I have no experience with those).

Being in your browser press F12. This will open an ‘under the hood’ window (it is used by developers).
Select the tab ‘Network’. This will show all traffic going out from and coming into your browser
Go to the https://vault.bitwarden.com/ where you import your passwords (tools> import) and import your passwords (or just a test file with one password). When you press the ‘Import data’ button, you will see a lot of traffic showing up in the ‘under the hood’ window.
Look in the ‘under the hood’ window for a row somewhere at the top of all the rows that reads ‘POST’. This is the actual sending of your submission from your browser to the Bitwarden server. Click/ select this row.
(in Firefox): to the right in the ‘under the hood’ window is a sub window with a number of tabs. Click the tab ‘Request’. This shows what actually was sent off from your browser to the Bitwarden server.
I saw a numbered list, for each password an entry. Click on one to see what is in it.
I saw the URL, my login name, my password where all encrypted to long, unrecognizable scrambled strings.
See the shot below.

Screenshot Bitwarden import passwords see encrypted1659×1043 255 KB

Froulik · September 14, 2020, 6:46am

Hi opgobee
I tried what you wrote. and yes, i am completly quiet now.
So, thank you for your (precise) work