Bitwarden master password and public server auth - eviltoast

I have what may be a stupid question…

How is it that your master password is both used to decrypt your vault and used to authenticate with Bitwarden's public servers to acquire a copy of your vault / view it in the web app, but Bitwarden can't use that password entry to decrypt the vault themselves?

(Please correct me if I'm misunderstanding, as I use self-hosted Vaultwarden for my server instead of the public ones.)
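An added illustration of the split the question asks about; this is example code written for this page, not Bitwarden's or Vaultwarden's own implementation. It follows the structure described in Bitwarden's published security whitepaper: the client derives a master key from the password and email with PBKDF2, derives a separate authentication hash from that key, and sends only the hash to the server, which re-hashes it before storing; the vault is encrypted locally with keys stretched from the master key via HKDF. The iteration count, credentials and vault contents are constructed, and HMAC-SHA256 in counter mode stands in for Bitwarden's AES so the example runs on the standard library alone.

```python
import hashlib
import hmac
import secrets

# Constructed iteration count for this example; Bitwarden's defaults have changed over time.
KDF_ITERATIONS = 100_000


def derive_master_key(password: str, email: str) -> bytes:
    """Client-side only: PBKDF2-SHA256 over the password, salted with the normalised email."""
    salt = email.strip().lower().encode()
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ITERATIONS, dklen=32)


def derive_auth_hash(master_key: bytes, password: str) -> bytes:
    """Client-side: one further PBKDF2 round over the master key, salted with the password.
    This value, not the password and not the master key, is what the client sends to log in."""
    return hashlib.pbkdf2_hmac("sha256", master_key, password.encode(), 1, dklen=32)


def hkdf_expand_sha256(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF-Expand with SHA-256."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), "sha256").digest()
        out += block
        counter += 1
    return out[:length]


def stretch_master_key(master_key: bytes) -> tuple[bytes, bytes]:
    """Client-side: expand the master key into a separate encryption key and MAC key."""
    return hkdf_expand_sha256(master_key, b"enc", 32), hkdf_expand_sha256(master_key, b"mac", 32)


def keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a constructed stand-in for AES (standard library only)."""
    out = b""
    for counter in range((length + 31) // 32):
        out += hmac.new(key, iv + counter.to_bytes(4, "big"), "sha256").digest()
    return out[:length]


def encrypt_vault(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; this blob is the only form of the vault the server ever holds."""
    iv = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, keystream(enc_key, iv, len(plaintext))))
    tag = hmac.new(mac_key, iv + ct, "sha256").digest()
    return iv + ct + tag


def decrypt_vault(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    """Verify the MAC before touching the ciphertext, then undo the keystream."""
    iv, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, iv + ct, "sha256").digest()):
        raise ValueError("vault MAC check failed")
    return bytes(c ^ k for c, k in zip(ct, keystream(enc_key, iv, len(ct))))


class Server:
    """Stores a re-hashed copy of the auth hash and the encrypted vault, never the master key."""

    def __init__(self) -> None:
        self.salt = secrets.token_bytes(16)
        self.stored_hash = b""
        self.vault_blob = b""

    def _rehash(self, auth_hash: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", auth_hash, self.salt, KDF_ITERATIONS, dklen=32)

    def register(self, auth_hash: bytes, vault_blob: bytes) -> None:
        self.stored_hash = self._rehash(auth_hash)
        self.vault_blob = vault_blob

    def login(self, auth_hash: bytes) -> bytes:
        if not hmac.compare_digest(self._rehash(auth_hash), self.stored_hash):
            raise PermissionError("bad credentials")
        return self.vault_blob


def demo() -> dict:
    """Register from one client, then log in from a fresh one and decrypt locally."""
    email, password = "user@example.com", "correct horse battery staple"  # constructed credentials
    vault = b'{"name":"example.org","password":"s3cret"}'  # constructed vault contents
    master_key = derive_master_key(password, email)
    enc_key, mac_key = stretch_master_key(master_key)
    server = Server()
    server.register(derive_auth_hash(master_key, password), encrypt_vault(enc_key, mac_key, vault))
    # A second device: the same password and email reproduce the same keys, so it can
    # authenticate with the auth hash and decrypt what the server hands back.
    mk2 = derive_master_key(password, email)
    blob = server.login(derive_auth_hash(mk2, password))
    ek2, mac2 = stretch_master_key(mk2)
    server_holds = (server.stored_hash, server.vault_blob)
    return {
        "vault_roundtrip": decrypt_vault(ek2, mac2, blob) == vault,
        "master_key_visible_to_server": any(master_key in v for v in server_holds),
        "enc_key_visible_to_server": any(enc_key in v for v in server_holds),
    }
```

The point the code makes is that the auth hash is a one-way derivative of the master key: the server can check it (and its own stored copy is one more PBKDF2 step removed), but it has no way back to the master key or to the encryption and MAC keys that HKDF produces from it. Running `demo()` returns `vault_roundtrip` true and both `*_visible_to_server` flags false. The caveat the reply below raises still stands: a client that was modified to send the master key or the decrypted vault would defeat this, so the design removes the server's ability, not the need to trust the client software.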

  • oktoberpaard@feddit.nl · 2 upvotes · 9 months ago

    I see. Well, that’s a valid concern, I guess. That’s similar to how WhatsApp is end-to-end encrypted, but they might as well be sending your private key somewhere, or your locally decrypted messages. In the end it’s to a certain extent based on trust, unless you can and are willing to control and/or audit the critical parts.