What information can be extracted from a memory dump when the client is unlocked?

Hi !

I’m concerned about the fact that the vault is copied locally.
If malware infected my PC and dumped the RAM, would it be able to retrieve:

  1. All my passwords
  2. Only opened password/items since the client is unlocked
  3. Other things
  4. Obi-Wan Kenobi

Thanks!
Regards

When the vault is unlocked, all of the vault contents exist in a decrypted state in the process memory. In rare cases, your master password or PIN can also be found in the process memory.

The bottom line is that you should not use Bitwarden on any device that could potentially be infected by malware, and you should never leave a device with an unlocked Bitwarden instance unattended.

However, none of this has anything to do with the fact that Bitwarden stores a local copy of your vault on the device. The locally cached vault copy is stored in an encrypted state.
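An added example, not code from the thread or from Bitwarden, that models the point made above: a "decrypted" vault item that is copied into process memory stays there until something overwrites it, so a dump taken while the client is unlocked will contain it. The program uses a fixed buffer as a stand-in for the process heap, a byte-pattern search as a stand-in for what a memory scanner does with a dump, and contrasts the naive lifecycle (stop referencing the item) with an explicit scrub. The offset `ITEM_SLOT`, the function names and the sample password are all constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not Bitwarden code: a fixed buffer standing in for the
 * process heap into which a vault item is "decrypted" while in use.        */
#define ARENA_SIZE 4096
#define ITEM_SLOT  256          /* hypothetical offset where the item lands */
static unsigned char arena[ARENA_SIZE];

/* Zeroing through a volatile pointer so the compiler cannot drop the
 * writes as dead stores, which it may do with a plain memset() on a
 * buffer that is never read again.                                         */
static void secure_zero(void *p, size_t n)
{
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--)
        *vp++ = 0;
}

/* What a scanner does with a memory dump: a byte-pattern search.            */
static bool arena_contains(const char *pattern)
{
    size_t len = strlen(pattern);
    if (len == 0 || len > ARENA_SIZE)
        return false;
    for (size_t i = 0; i + len <= ARENA_SIZE; i++)
        if (memcmp(arena + i, pattern, len) == 0)
            return true;
    return false;
}

/* Stand-in for "decrypt item into RAM": copies the plaintext into the arena.
 * Returns the number of bytes written (0 if the item does not fit).         */
static size_t decrypt_item_into_arena(const char *plaintext)
{
    size_t len = strlen(plaintext) + 1;     /* include the terminator */
    if (ITEM_SLOT + len > ARENA_SIZE)
        return 0;
    memcpy(arena + ITEM_SLOT, plaintext, len);
    return len;
}

/* Lifecycle 1: use the item, then simply stop referencing it.               */
bool naive_use_leaves_secret(const char *secret)
{
    size_t n = decrypt_item_into_arena(secret);
    if (n == 0)
        return false;
    /* ... item used (e.g. shown in the UI) ... */
    return arena_contains(secret);          /* still there: true */
}

/* Lifecycle 2: scrub the buffer as soon as the item is no longer needed.    */
bool scrubbed_use_leaves_secret(const char *secret)
{
    size_t n = decrypt_item_into_arena(secret);
    if (n == 0)
        return false;
    /* ... item used ... */
    secure_zero(arena + ITEM_SLOT, n);
    return arena_contains(secret);          /* scrubbed: false */
}

int main(void)
{
    const char *item = "constructed-sample-password";   /* constructed sample */
    printf("naive lifecycle leaves secret in memory:    %s\n",
           naive_use_leaves_secret(item) ? "yes" : "no");
    printf("scrubbed lifecycle leaves secret in memory: %s\n",
           scrubbed_use_leaves_secret(item) ? "yes" : "no");
    return 0;
}
```

Two caveats the example makes visible. First, the scrub only covers the one buffer the program controls; the caller's own copy of the string (here a literal, in a real client possibly a clipboard buffer or a UI widget) is untouched, and a scanner run over the whole process would still find it. Second, the scrub is only possible because C lets the program overwrite its own memory; in a garbage-collected runtime, where strings are immutable and the collector copies objects, there is no reliable way to zero every copy. Both are reasons why, as stated above, the practical assumption is that the whole decrypted vault is in memory for as long as the client is unlocked.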

Thank you for your answer!

:scream:
Do you know if it’s in memory even after the unlocking process is finished?

In other systems (that are NOT available offline!), you don’t have access to the whole vault from a memory dump.
You COULD get all the vault items by making API requests using a token found in memory, but it’s not as easy as getting them from the memory.

I’m not sure that this is possible, since Bitwarden is working “online” (at least “on-intranet-line”), so the device can be infected through the network in the end. But I get the idea.

Your quote of my response conveniently omitted the part where I said “in rare cases”. For more information about this matter, please refer to Issue #3166 on GitHub, including the 8/5/22 response from @djsmith85 and the 8/29/22 update posted by @dbosompem.


Not sure which product in particular you are referring to above, but this is not a general truth, and it has nothing to do with offline availability. For example, an ISE report from 2019 demonstrated that the entire vault was stored decrypted in memory when using 1Password or Dashlane; even in KeePass, every vault entry that the user has interacted with remains stored in memory. In addition, unless you have personally verified the claim (or can reference a report in which the claim has been tested), I would take any assertion about memory management with a grain of salt.


It is your responsibility to properly secure your devices against malware. You should worry about this maybe if you are a high-value target who may be attacked using a zero-day exploit, but otherwise, you should not be at risk if you practice good internet hygiene and use appropriate malware defenses.

Thank you again for your great answer!

I’m a Bitwarden fan and I didn’t want to be mean when I dropped the “in rare cases”: that was just not the important thing for me and I thought it could be disturbing for others. But I could/should have left it in my quote. Sorry for that. :face_with_open_eyes_and_hand_over_mouth:

Thank you for that. I was thinking of Passbolt and LockSelf, which seem not to copy the vault locally when accessing it, but I haven’t tested it, so this is NOT accurate.
I was talking about theoretical attack possibilities.

I’m OK with your last point. It’s just that (to my mind) no system connected to a network is secure enough to not “potentially be infected by malware”, so Bitwarden should not be installed on any device in this case. But that seems to be extreme. That was my point and I think we’re OK in the end. :slight_smile:

The point is that if an attacker is able to install malware running on your device, it is impossible for any password management system to protect your secrets — there will always be a multitude of ways that the secrets can be accessed in such a scenario (for example, by using a key logger to sniff your master password, or by sending API requests, etc.).

Thus, it is somewhat meaningless to theorize about securing a password manager on a system that has already been compromised by malware.