Why is passkey-based vault encryption done differently than when using a password?

Not sure where this post belongs, so feel free to redirect me if needed as my question seemingly can only be answered by Bitwarden employees. Anyway, I am curious why, when using passkey-based encryption, the vault key is encrypted with a public (presumably RSA) key; and the corresponding private key is encrypted with the output of the HMAC when it would appear to be as secure if like password-based encryption, the output of the HMAC was used as an AES key to encrypt the vault key.

According to FIDO2 CTAP 2.2, the HMAC secret is a random 32-byte key and the output is also 32 bytes which seemingly makes it fit perfectly with AES-256 similar to the 32-byte stretched master key that is used when password-based encryption is employed.

This seems to have no security disadvantages, but it has simplicity advantages in that it’s consistent with how password-based encryption is done and should make code simpler since there is no need to generate more keys.

1 Like

I get a 422 error code when attempting to edit the post, so I’m adding the references to the whitepaper here in a separate post.


I’m not yet fully grasping the account encryption whitepaper,

but I’m guessing it could be related to the fact that an account can have only one master password, but it can have multiple passkeys with encryption.

Key rotation. If the vault key is rotated, and no asymmetric crypto is used, then a user would have to insert each registered passkey to rotate the corresponding encrypted userkey.

1 Like

I don’t know why I didn’t think of that. That makes a lot of sense. Thanks.