What does "mac failed" mean exactly?

What does the “mac failed” error mean exactly? I am trying to use a Bitwarden account in an automated process so I log in on the host machine, create the BW_SESSION environment variable and give it to a container which runs my process. But this does not work as any bw command triggers a “mac failed” error.

Does this maybe mean that the session key cannot be used by the container because it has a different MAC address from the host machine?

Hello Pierre!

I am actually working on this issue currently for my company. So far, I have not resolved this, but I am able to recreate the issue by attempting in PowerShell:

bw get organization $organization --session $sessionKey

This will only occur if I attempt this in two shells at the same time. For our CI, we sometimes authenticate with Bitwarden and if they get to this portion at the same time, it will fail with a MAC Failed error.

I will respond should I find a resolution. Hopefully, someone from Bitwarden will beat me to the punch!

Hello Robert,

Thanks for your response, much appreciated!

I have spent a fair amount of time on this, and in the end I did manage to dig quite deep and address almost all my issues. Someone from Bitwarden support explained that the “mac failed” error had nothing to do with a MAC address and that “mac” here meant Message Authentication Code. The error message would make more sense if the acronym were replaced by its definition actually.

After reading various parts of the Bitwarden documentation, I found this section which helped me figure things out, and more specifically this:
Data that is stored on your computer/device is also encrypted and only decrypted when you unlock your Vault. Vault data can be found in the following locations based on the client application in use…

So the session key goes hand in hand with this vault data, which is a JSON file containing all the Bitwarden account information but on an encrypted basis. The session key seems to act like a private key that can decrypt everything.

From this point on, everything made a lot more sense to me.

I am now trying to understand how to use Duo as the 2-step method. Certain processes can be automated if all one needs to do is push a button on a phone.

I hope this helps.

Pierre
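
Added example (not part of the posts above and not Bitwarden's code): a generic encrypt-then-MAC sketch in Python showing why a session key only opens the local vault data it was created with, and why a mismatch surfaces as a failed Message Authentication Code check rather than as garbage output. The key derivation, the SHA-256 keystream standing in for a real cipher, and all names and sample data are assumptions made for illustration.

```python
import hashlib, hmac, json, os

def _subkeys(session_key: bytes):
    # Derive separate encryption and MAC keys from the one session key (assumed scheme).
    enc = hmac.new(session_key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(session_key, b"mac", hashlib.sha256).digest()
    return enc, mac

def _keystream_xor(key: bytes, iv: bytes, data: bytes) -> bytes:
    # Stand-in cipher (SHA-256 counter keystream) so the example needs no AES library.
    out = bytearray()
    for block in range(0, len(data), 32):
        pad = hashlib.sha256(key + iv + block.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[block:block + 32], pad))
    return bytes(out)

def seal(session_key: bytes, plaintext: bytes) -> dict:
    enc, mac = _subkeys(session_key)
    iv = os.urandom(16)
    ct = _keystream_xor(enc, iv, plaintext)
    # The tag covers IV and ciphertext, so it binds the stored data to this key.
    tag = hmac.new(mac, iv + ct, hashlib.sha256).hexdigest()
    return {"iv": iv.hex(), "ct": ct.hex(), "mac": tag}

def open_sealed(session_key: bytes, blob: dict) -> bytes:
    enc, mac = _subkeys(session_key)
    iv, ct = bytes.fromhex(blob["iv"]), bytes.fromhex(blob["ct"])
    expected = hmac.new(mac, iv + ct, hashlib.sha256).hexdigest()
    # Verify before decrypting; compare in constant time.
    if not hmac.compare_digest(expected, blob["mac"]):
        raise ValueError("mac failed")
    return _keystream_xor(enc, iv, ct)

def try_open(session_key: bytes, blob: dict) -> str:
    try:
        return open_sealed(session_key, blob).decode()
    except ValueError as err:
        return str(err)

# Constructed sample: the host's local vault data and the key that sealed it.
host_key = os.urandom(64)
host_data = seal(host_key, json.dumps({"item": "constructed secret"}).encode())
# Constructed sample: a container holding its own data file, sealed under another key.
container_data = seal(os.urandom(64), b'{"item": "other"}')

if __name__ == "__main__":
    print(try_open(host_key, host_data))       # key and data file match
    print(try_open(host_key, container_data))  # host key, different data file
```

In this model, handing only the key to another environment is not enough: the encrypted data file that was written alongside it has to travel with it.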