What do "keyHash", "encKey", and "encPrivateKey mean in data.json

Hi,
I found the following keys: “keyHash”, “encKey”, and “encPrivateKey” in a file called data.json located in %AppData%\Bitwarden. My browser extension timeout option is “On Browser Restart”, and the Bitwarden App (Version 1.20.1) Log-out (NOT lock) option is “On Restart”. But all the encrypted data together with the “key” is still in the data.json even after computer reboot.

What does each of those keys mean? Are they the decryption key (that is, the 100,001 or as configured iteration of the Master Password)? If so, isn’t it unsafe to keep the key on the hard disk?

Also, how many bits is the encryption key? Is it 128-bits, or is it more, since SHA-256 keys seems longer than 128-bits?

Thank you very much! Any help is appreciated! :grinning:
Nat

The AES encryption key is 256-bits.

keyHash:
A hash derived from your Master Password and derived Master Key. This cannot be used to obtain your Master Password or Master Key.

encKey:
An encrypted version of the Generated Symmetric Key (which contains the encryption key and MAC key). This is protected by the encryption key derived from your Master Key.

encPrivateKey:
An encrypted version of your RSA Private Key. This is protected by the encryption key derived from your Master Key.

See: What encryption is being used?



Since both encKey and encPrivateKey are encrypted by a key derived from your Master Password (the derived key is not saved in data.json) there is little risk in storing these locally. The upside of having the data.json is you have a locally cached version of your vault available in case Bitwarden is down/offline (or the company disappears).

I’ll refrain from commenting on keyHash until I’ve studied it’s use more and reviewed the upcoming whitepaper.

2 Likes

Thank you so much for your kind help! @RobertT

Since these keys are not the actual encryption key, why are they needed? I mean, shouldn’t the Encryption Key be strong enough to protect the whole vault, without need of other keys? Also, as I’m not using the organization version of Bitwarden, why does it use RSA?

The encrypted Vault data should be stored on the hard disk (in data.json) when in “Lock” mode, but NOT in “Logout” mode. There should be a way to permanently delete all Bitwarden Vault data, which I previously thought is the “Logout” option. Is there a way to delete all data from data.json without uninstalling the Desktop App? @tgreer

Thank you very much! Looking forward to your reply!
Nat

These are the actual encryption keys that protect items in your vault. Every account generates an RSA key pair on creation for use with Organizations/Collections even if you are not using that feature.


This is exactly how things are working on my computer.

But it doesn’t seem to work well on my computer though. I first configured the Desktop App Vault Timeout to “On Restart” and the Vault Timeout action to “Logout”. Then, I closed the App without logging out manually and rebooted my computer. After that, however, all the data is still in the data.json file. But I can’t log in without my wifi turned on.
Is this a bug? Acting like it’s logged out, but still keeps all the data…

Thank you very much! Looking forward to your reply!
Nat

What happens when you manually click the Log Out button?

@RobertT When I manually click the logout button, it would delete nearly all the data in data.json. But shouldn’t auto-logout be the same as manual logout? I hope Bitwarden doesn’t expect everyone to manually logout every time…Seems like a bug to me…

1 Like

A very good point. Isn’t there an option to pick whether it Locks or Logsout in Preferences too ? Does that help (somehwhat) ? I do agree that if you Quit, ideally the app should logout - or let there be a preference that does that for your as it shuts down.

1 Like

@BitMDP123
Thanks for your suggestion!
I tried the “Quit” function, but it didn’t work.
I use the “Logout” and “On Restart” option in Settings.
Logging out should delete all the data, or else hackers could just take the encrypted data and try to decrypt it. Seems like there isn’t any difference between logout and lock mode for hackers…