What security is used for data transfer from vault to local application

Hi folks,

I installed a local Bitwarden server in my network. Since it is not reachable from the outside world, I am considering not using an SSL certificate.

So I wonder what security measures are in place when transferring data between my self-hosted server and, for instance, my desktop computer.

Can someone elaborate or show me some documents?

It would be important to know whether a Man-in-the-Middle attack could fetch data when not using HTTPS.

We have a white paper available here that should help: Security White Paper | Bitwarden


I found something.

> Next, Bitwarden uses Password-Based Key Derivation Function 2 (PBKDF2) with a default of 100,000 iteration rounds to stretch your Master Password with a salt of your Email Address. The resulting salted value is the 256 bit Master Key. A hash of the master key is sent to the server upon account creation and login, and used to authenticate the user account.
>
> The Master Key is additionally stretched to 512 bits in length using HMAC-based Extract-and-Expand Key Derivation Function (HKDF). The Protected Symmetric Key is decrypted using the Stretched Master Key. The Symmetric Key is used to decrypt Vault Items.
>
> The decryption is done entirely on the Bitwarden Client because your Master Password or Stretched Master Key is never stored on or transmitted to Bitwarden servers.

Seems like SSL is not required (in my case and for my needs), as the Master Key is transmitted to the server hashed and vault data is transmitted to the client encrypted.

Decryption is done on the client side.

Thanks a lot for sharing the paper.

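To make the quoted key hierarchy concrete, here is an added stdlib-only example (not Bitwarden's own code) that walks through the steps the excerpt describes: PBKDF2 with the email as salt to a 256-bit Master Key, HKDF expansion to a 512-bit Stretched Master Key, the separate hash that goes to the server, and the integrity check a client would run on a protected blob before decrypting it. The HKDF info labels "enc"/"mac", the email normalisation, the one-round PBKDF2 construction of the auth hash, and the sample blob are assumptions made for this example; only the value returned by `auth_hash` and the encrypted blob would ever cross the network, which is the reason the derived keys are never sent.

```python
"""Client-side key derivation as described in the white-paper excerpt (stdlib only)."""
import hashlib
import hmac

ITERATIONS = 100_000  # default PBKDF2 round count quoted in the excerpt


def master_key(password: str, email: str, iterations: int = ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA256 over the Master Password, salted with the email -> 256-bit Master Key.
    Trimming and lower-casing the email is an assumption for this example."""
    salt = email.strip().lower().encode()
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=32)


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF-Expand with HMAC-SHA256 (the PBKDF2 output already serves as the PRK)."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), "sha256").digest()
        okm += block
        counter += 1
    return okm[:length]


def stretched_master_key(mk: bytes):
    """Stretch the 256-bit Master Key to 512 bits: (encryption key, MAC key), 256 bits each.
    The info labels below are assumed for this example."""
    return hkdf_expand(mk, b"enc", 32), hkdf_expand(mk, b"mac", 32)


def auth_hash(mk: bytes, password: str) -> bytes:
    """The only password-derived value sent to the server: a further one-round PBKDF2 over the
    Master Key (assumed construction). It is one-way, so it does not reveal the Master Key."""
    return hashlib.pbkdf2_hmac("sha256", mk, password.encode(), 1, dklen=32)


def mac_tag(mac_key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    """HMAC-SHA256 over IV || ciphertext, the integrity tag carried with a protected blob."""
    return hmac.new(mac_key, iv + ciphertext, "sha256").digest()


def verify_protected_blob(mac_key: bytes, iv: bytes, ciphertext: bytes, tag: bytes) -> bool:
    """Check a protected blob's tag in constant time before any decryption is attempted.
    Fails closed: a tampered blob is rejected rather than decrypted."""
    return hmac.compare_digest(mac_tag(mac_key, iv, ciphertext), tag)


if __name__ == "__main__":
    mk = master_key("correct horse battery staple", "User@Example.com")  # constructed credentials
    enc_key, mac_key = stretched_master_key(mk)
    print("sent to server:", auth_hash(mk, "correct horse battery staple").hex())
    print("stays on client:", mk.hex(), enc_key.hex(), mac_key.hex())
```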