When I add a user to an organization, how exactly does the new user get access to the vault?
Does the organization have a list of keys that can decrypt the vault?
Or does the user have a list of keys for different organizations?
I searched around Organizations | Bitwarden Help Center but couldn’t find the specifics about how it works.
In short, as I understand it, the Bitwarden server will store an encrypted copy of the Organization’s symmetric encryption key, which is encrypted with the public key of an RSA key pair associated with your account. (Hence this can only be appropriately unencrypted with the User’s private key, so maintaining a zero-knowledge architecture where only you hold your keys.)
While onboarding new users in an organization, the “confirmation” process performs an exchange of the organization’s encryption key from the organization admin to the new organization user. The organization admin user asks the server for the new user’s public key, which is then used to encrypt the organization key before being transmitted back to the server for storage.
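The flow described in the answer above, as an added illustration that is not Bitwarden's own code: the organization key is a random symmetric key; the admin's client wraps it to the new member's RSA public key; the server only ever stores the wrapped blob; the member's client unwraps it with the private key and can then decrypt vault items. The concrete algorithms (RSA-OAEP with SHA-256 for wrapping, AES-GCM for items) and the function names are assumptions made for the example, not a statement of what the real client uses.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// oaepLabel binds the wrapped blob to its purpose (assumed for this example).
var oaepLabel = []byte("org-key")

// GenerateUserKeyPair models the RSA key pair tied to a user account.
// In the real system the private key is itself stored encrypted under the
// user's own key; here it simply lives in memory.
func GenerateUserKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// NewOrgKey creates the organization's symmetric key (32 random bytes).
func NewOrgKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// WrapOrgKey is what the admin's client does at confirmation time: it
// encrypts the org key to the new member's public key. The result can be
// handed to the server for storage, because the server holds no private key.
func WrapOrgKey(orgKey []byte, memberPub *rsa.PublicKey) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, memberPub, orgKey, oaepLabel)
}

// UnwrapOrgKey is what the member's client does after login: it recovers
// the org key with the member's private key. Any other key fails here.
func UnwrapOrgKey(wrapped []byte, memberPriv *rsa.PrivateKey) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, memberPriv, wrapped, oaepLabel)
	if err != nil {
		return nil, fmt.Errorf("unwrap failed: %w", err)
	}
	return key, nil
}

// EncryptItem protects one vault item under the org key (AES-256-GCM,
// nonce prepended to the ciphertext).
func EncryptItem(orgKey, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(orgKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// DecryptItem reverses EncryptItem; a wrong key or tampered blob is rejected
// by the GCM tag check.
func DecryptItem(orgKey, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(orgKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

func main() {
	member, _ := GenerateUserKeyPair()        // created on the member's device
	orgKey, _ := NewOrgKey()                   // held by the admin's client
	wrapped, _ := WrapOrgKey(orgKey, &member.PublicKey) // stored by the server
	item, _ := EncryptItem(orgKey, []byte("constructed vault item"))

	// Later, on the member's device: unwrap, then read the shared item.
	recovered, _ := UnwrapOrgKey(wrapped, member)
	plain, _ := DecryptItem(recovered, item)
	fmt.Printf("member reads: %q\n", plain)
}
```

The point of the layering is visible in the two error paths: the server sees only `wrapped` and `item`, neither of which it can open, and a second account's private key fails at `UnwrapOrgKey` before it ever reaches a vault item.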