What does "mac failed" mean exactly?

What does the “mac failed” error mean exactly? I am trying to use a Bitwarden account in an automated process so I log in on the host machine, create the BW_SESSION environment variable and give it to a container which runs my process. But this does not work as any bw command triggers a “mac failed” error.

Does this maybe mean that the session key cannot be used by the container because it has a different MAC address from the host machine?

Hello Pierre!

I am actually working on this issue currently for my company. So far, I have not resolved this, but I am able to recreate the issue by attempting in PowerShell:

bw get organization $organization --session $sessionKey

This will only occur if I attempt this in two shells at the same time. For our CI, we sometimes authenticate with Bitwarden and if they get to this portion at the same time, it will fail with a MAC Failed error.

I will respond should I find a resolution. Hopefully, someone from Bitwarden will beat me to the punch!

Hello Robert,

Thanks for your response, much appreciated!

I have spent a fair amount of time on this, and in the end I did manage to dig quite deep and address almost all my issues. Someone from Bitwarden support explained that the “mac failed” error had nothing to do with a MAC address and that “mac” here meant Message Authentication Code. The error message would make more sense if the acronym were replaced by its definition actually.

After reading various parts of the Bitwarden documentation, I found this section which helped me figure things out, and more specifically this:

> Data that is stored on your computer/device is also encrypted and only decrypted when you unlock your Vault. Vault data can be found in the following locations based on the client application in use…

So the session key goes hand in hand with this vault data, which is a JSON file containing all the Bitwarden account information but on an encrypted basis. The session key seems to act like a private key that can decrypt everything.

From this point on, everything made a lot more sense to me.

I am now trying to understand how to use Duo as the 2-step method. Certain processes can be automated if all one needs to do is push a button on a phone.

I hope this helps.

Pierre
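
The point made in the post above, that "mac" stands for Message Authentication Code and that a session key belongs to one particular copy of the local vault data, shown as an added example that is not part of the original thread and is not Bitwarden's code. It is a simplified model: encryption is left out, and `login`, the store layout and the idea that each login re-seals the store under a fresh key are assumptions made for illustration.

```python
import hashlib
import hmac
import json
import os


def seal(session_key: bytes, payload: dict) -> dict:
    """Serialize the payload and attach an HMAC-SHA256 tag made with session_key."""
    body = json.dumps(payload, sort_keys=True)
    tag = hmac.new(session_key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "mac": tag}


def open_sealed(session_key: bytes, record: dict) -> dict:
    """Recompute the tag and compare in constant time before trusting the body."""
    expected = hmac.new(session_key, record["body"].encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, bytes.fromhex(record["mac"])):
        raise ValueError("mac failed")
    return json.loads(record["body"])


def login(store: dict) -> bytes:
    """Hypothetical login: a fresh random session key, store re-sealed under it."""
    key = os.urandom(32)
    store.clear()
    store.update(seal(key, {"vault": "constructed sample data"}))
    return key


def try_open(key: bytes, store: dict) -> str:
    try:
        open_sealed(key, store)
        return "ok"
    except ValueError as exc:
        return str(exc)


def scenarios() -> dict:
    host_store, container_store = {}, {}      # stand-ins for two data.json files
    host_key = login(host_store)              # session key created on the host
    login(container_store)                    # container has its own local store
    results = {
        "host key, host store": try_open(host_key, host_store),
        "host key, container store": try_open(host_key, container_store),
    }
    login(host_store)                         # a second process logs in again
    results["stale key after re-login"] = try_open(host_key, host_store)
    return results


if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(f"{name}: {outcome}")
```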

@mical @Robert_Lowstetter Have you been able to resolve this issue? I’m getting this too now.

Hello @boundless,

I still get a “mac failed” error from time to time, but in my experience it will go away by using one of these workarounds:

  • Simply do bw logout and then bw login
  • If the above does not work, deleting data.json[^1] always works

What is harder to figure out is what triggered the “mac failed” error. Here are a few culprits which caused me a few problems:

  • Using a version of the Bitwarden CLI which is not compatible with the version which generated the data.json file
  • Using the Bitwarden CLI and REST API simultaneously (I have found a way to reproduce this “mac failed” error and will report it to the Bitwarden support team soon)

[^1]: as per my prior comment, this section explains where data.json is stored

@boundless and @mical, the way I solved this for now (a workaround) is that I utilized Ubuntu 21.04. If you use the latest Ubuntu you get the error.

Many thanks @Robert_Lowstetter. I have not upgraded to 21.04 yet but I have experienced this problem under Windows, WSL and Ubuntu 20.04. I’ll add to this post if I observe anything else of interest.

Thanks @Robert_Lowstetter but I’m seeing this on Mac and Ubuntu 20.04. I can’t upgrade Ubuntu just yet, but it won’t help the Mac anyway.

FWIW, I had the message coming up on the BW CLI today as I was writing a backup script. It was odd because it was just refusing my SESSION_ID variable and forcing me to enter my password instead, but once I did it would work again. This was on macOS Monterey.