The Organization Vault - How is its encryption managed?

I can't seem to find the answer to this question. I think I’m clear on how my personal vault is encrypted and I know I can manage the KDF algorithm for it.
But if I have an organizational vault, (Family, Teams or Enterprise), how is that vault protected?

If I have my KDF algorithm set to Argon2 and another member uses PBKDF2, I’d think that we must each have a personal copy and it would inherit our respective settings. Maybe I’m wrong about how that works but in any event, I still wonder about the actual source of the Organizational vault.

Can anyone answer this or point me to some doc my Google-Fu failed to find?

Thanks… :slight_smile:


The section Sharing Data between Users in the Security Whitepaper should get you started:

I don’t think that Security Whitepaper addresses my question(s). What am I missing?

From the linked whitepaper:

When you create an Organization, an Organization Symmetric key is generated using a Cryptographically Secure Pseudorandom Number Generator (CSPRNG). The Organization Symmetric Key is encrypted using the public key from your Generated RSA Key Pair. The private key from your Generated RSA Key Pair is encrypted with your Generated Symmetric Key using AES-256.


So basically, the organization has its own encryption key (used to encode and decode all shared secrets, using AES-256; this is the same encryption algorithm that is used for your individual vault — albeit with a different key — so the organization’s shared secrets are just as secure as the secrets in your individual vault). For you to access the organization’s encryption key, you need a private key (because the organization key has been encrypted by RSA, using the corresponding public key). To get access to your private key, you need your own account encryption key (because the private key is AES-encrypted using your account encryption key, which is the same key that is used for encoding/decoding all of your individual vault items). To get access to your account encryption key, you need the stretched master key, which is derived from your master password according to your KDF settings.
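To make that chain concrete, here is an added Go example that models it end to end. It is not Bitwarden's code and not taken from the whitepaper; it only needs the Go standard library. Assumptions it makes: AES-256-GCM stands in for whatever AES-256 mode the whitepaper specifies, PBKDF2-HMAC-SHA256 is written out by hand (Argon2 is not in the standard library, so two members with different iteration counts stand in for "one member on Argon2, another on PBKDF2"), the stretched master key is used directly as the wrapping key, and RSA-OAEP with 2048-bit keys is used for the public-key layer. The names (`Member`, `NewMember`, `WrapOrgKeyFor`, `UnlockOrgKey`) are invented for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
)

// pbkdf2 is one-block PBKDF2-HMAC-SHA256 (RFC 8018), written inline so the example
// needs only the standard library; iters stands in for each member's own KDF settings.
func pbkdf2(password, salt []byte, iters int) []byte {
	prf := func(data []byte) []byte {
		mac := hmac.New(sha256.New, password)
		mac.Write(data)
		return mac.Sum(nil)
	}
	u := prf(append(append([]byte{}, salt...), 0, 0, 0, 1)) // U1 = PRF(salt || INT(1))
	t := append([]byte{}, u...)
	for i := 1; i < iters; i++ {
		u = prf(u)
		for j := range t {
			t[j] ^= u[j]
		}
	}
	return t
}

// RandomBytes draws n bytes from the CSPRNG.
func RandomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// gcmFor returns AES-256-GCM for a 32-byte key; a wrong key length is a programming error.
// Assumption: GCM stands in for whatever AES-256 mode the whitepaper specifies.
func gcmFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, _ := cipher.NewGCM(block) // only fails for non-16-byte block sizes
	return gcm
}

// aesSeal returns nonce || ciphertext || tag; aesOpen reverses it and fails on a wrong key.
func aesSeal(key, plaintext []byte) []byte {
	nonce := RandomBytes(12)
	return gcmFor(key).Seal(nonce, nonce, plaintext, nil)
}
func aesOpen(key, ciphertext []byte) ([]byte, error) {
	if len(ciphertext) < 12 {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcmFor(key).Open(nil, ciphertext[:12], ciphertext[12:], nil)
}

// Member is what the server holds for one user: KDF parameters, a public key and
// encrypted keys only. Nothing here decrypts without the member's master password.
type Member struct {
	Salt          []byte
	Iters         int // this member's KDF setting; members may differ
	PublicKey     *rsa.PublicKey
	EncAccountKey []byte // account symmetric key, AES-encrypted under the stretched master key
	EncPrivateKey []byte // RSA private key (PKCS#1 DER), AES-encrypted under the account key
}

// NewMember builds one user's key chain from their master password and KDF settings.
func NewMember(password string, salt []byte, iters int) *Member {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	accountKey := RandomBytes(32)
	return &Member{Salt: salt, Iters: iters, PublicKey: &priv.PublicKey,
		EncAccountKey: aesSeal(pbkdf2([]byte(password), salt, iters), accountKey),
		EncPrivateKey: aesSeal(accountKey, x509.MarshalPKCS1PrivateKey(priv))}
}

// WrapOrgKeyFor encrypts the organization symmetric key to one member's RSA public key.
func WrapOrgKeyFor(m *Member, orgKey []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, m.PublicKey, orgKey, nil)
}

// UnlockOrgKey walks the chain master password -> stretched master key -> account key
// -> RSA private key -> organization key; a wrong password fails GCM authentication.
func (m *Member) UnlockOrgKey(password string, encOrgKey []byte) ([]byte, error) {
	accountKey, err := aesOpen(pbkdf2([]byte(password), m.Salt, m.Iters), m.EncAccountKey)
	if err != nil {
		return nil, fmt.Errorf("wrong master password or KDF settings: %w", err)
	}
	privDER, err := aesOpen(accountKey, m.EncPrivateKey)
	priv, perr := x509.ParsePKCS1PrivateKey(privDER)
	if err != nil || perr != nil {
		return nil, fmt.Errorf("stored private key unreadable: %v %v", err, perr)
	}
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, encOrgKey, nil)
}
```

To exercise it, generate one `RandomBytes(32)` organization key, create two members with different iteration counts, call `WrapOrgKeyFor` once per member, and have each call `UnlockOrgKey` with their own password: both recover the same 32 bytes, and anything sealed under that key (a shared vault item) opens for both. A wrong master password, or the wrapped key of another member, fails at the GCM or OAEP check rather than yielding garbage. Two things worth noticing in the `Member` struct: the server-side record contains only public and encrypted material, and each member's KDF settings affect only the wrapping of their own account key, which is why members on different KDFs can share one organization key.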

I just found this topic because I was wondering if the encryption was done on a per-organization or on a per-collection level. I find it somewhat surprising, from a purely cryptographic standpoint, that every organization member seemingly has access to every collection, and that access management is entirely delegated to the server. At least, that’s my interpretation based on the white paper.

Wouldn’t it make more sense to create a separate symmetric key for each collection? That way, you can limit access to chosen users in a cryptographic way. But I guess it depends on how you see a “collection.” I’d rather think of it as a shared vault among many in an organization, instead of just a “folder” with restricted access in a single vault.