This post by @mgibson refers to a number of risks associated with rotating one’s encryption key, including the risk of a network failure or closing the client during the rotation.
However, the Bitwarden help pages list the only risk as being “Making changes in a session with a ‘stale’ encryption key”. The help pages do not mention the risk of a network failure or closing the client.
Can anyone confirm if a key rotation is safe provided one first logs out of all other live Bitwarden sessions?
I think there will always be some risk in a multi-stage operation; there is always the potential for stage 1 to work and stage 2 to fail.
Just make sure you export your vault before you rotate, then your risk is limited.
I have rotated my key and lived. I didn’t manually log out of other sessions, though I did get logged out automatically.
The most likely ways for an issue mid-rotation would be either network issues or closing the client in the middle of the operation. In principle a Bitwarden server crash would do it, as would a client crash, but network or forced application stoppage are more likely.
It would be a different story if someone had said “trust us, key rotation is safe provided one first logs out of all other live Bitwarden sessions”. But if a Bitwarden engineer discloses that there is a known condition that can result in vault corruption, I personally would just heed the warning.
If you want to research this yourself, the code is on GitHub. This may be a good starting place for answering your question:
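An added illustration of the multi-stage risk discussed above, written for this thread rather than taken from Bitwarden's code (it does not model Bitwarden's actual protocol): a simplified vault using a toy SHA-256/HMAC cipher, with an item-by-item rotation that is interrupted part way and a staged rotation that commits once. The `simulate` scenario, its four items and its keys are constructed; `readable_under` is the consistency check that tells a half-rotated vault apart from a healthy one.

```python
import hashlib, hmac, os
def _keystream(key, nonce, n):
    """SHA-256 counter keystream: a toy stand-in for a real cipher, not Bitwarden's scheme."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]
def encrypt(key, plaintext):
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()  # encrypt-then-MAC

def decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("MAC check failed: stale key or corrupted item")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def rotate_item_by_item(items, old_key, new_key, fail_after=None):
    """Multi-stage rotation: each stored item is re-encrypted and written back in turn."""
    for i, blob in enumerate(items):
        if i == fail_after:
            raise ConnectionError("network dropped mid-rotation")  # simulated interruption
        items[i] = encrypt(new_key, decrypt(old_key, blob))

def rotate_atomically(items, old_key, new_key, fail_after=None):
    """Re-encrypt everything locally first, then replace the stored set in one commit."""
    staged = []
    for i, blob in enumerate(items):
        if i == fail_after:
            raise ConnectionError("network dropped before commit")  # nothing written yet
        staged.append(encrypt(new_key, decrypt(old_key, blob)))
    items[:] = staged  # the only point at which the stored state changes

def readable_under(items, key):
    """Consistency check: how many items decrypt under `key` (a healthy vault is all or none)."""
    def opens(blob):
        try:
            return decrypt(key, blob) is not None
        except ValueError:
            return False
    return sum(opens(b) for b in items)

def simulate(rotate, fail_after):
    """Constructed scenario: 4 items under the old key, rotation cut off after `fail_after` items."""
    old, new = b"o" * 32, b"n" * 32  # constructed keys
    items = [encrypt(old, s) for s in (b"site-1 pw", b"site-2 pw", b"site-3 pw", b"site-4 pw")]
    try:
        rotate(items, old, new, fail_after)
    except ConnectionError:
        pass
    return readable_under(items, old), readable_under(items, new)  # (old-readable, new-readable)
```

With `simulate(rotate_item_by_item, 2)` the vault ends up split two and two between keys, which is the state an export taken beforehand would let you recover from; `simulate(rotate_atomically, 2)` leaves all four items under the old key, and an uninterrupted run of either leaves all four under the new one.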
And yet the Bitwarden help pages make no reference to the risk of a network outage or client closure during key rotation. I find that curious. Surely if this is a known risk there would be a warning on the Bitwarden help page.