[PM-5363] PinService State Providers (#8244)

* move pinKeyEncryptedUserKey * move pinKeyEncryptedUserKeyEphemeral * remove comments, move docs * cleanup * use UserKeyDefinition * refactor methods * add migration * fix browser dependency * add tests for migration * rename to pinService * move state to PinService * add PinService dep to CryptoService * move protectedPin to state provider * update service deps * renaming * move decryptUserKeyWithPin to pinService * update service injection * move more methods our of crypto service * remove CryptoService dep from PinService and update service injection * remove cryptoService reference * add method to FakeMasterPasswordService * fix circular dependency * fix desktop service injection * update browser dependencies * add protectedPin to migrations * move storePinKey to pinService * update and clarify documentation * more jsdoc updates * update import paths * refactor isPinLockSet method * update state definitions * initialize service before injecting into other services * initialize service before injecting into other services (bw.ts) * update clearOn and do additional cleanup * clarify docs and naming * assign abstract & private methods, add clarity to decryptAndMigrateOldPinKeyEncryptedMasterKey() method * derived state (attempt) * fix typos * use accountService to get active user email * use constant userId * add derived state * add get and clear for oldPinKeyEncryptedMasterKey * require userId * move pinProtected * add clear methods * remove pinProtected from account.ts and replace methods * add methods to create and store pinKeyEncryptedUserKey * add pinProtected/oldPinKeyEncrypterMasterKey to migration * update migration tests * update migration rollback tests * update to systemService and decryptAndMigrate... method * remove old test * increase length of state definition name to meet test requirements * rename 'TRANSIENT' to 'EPHEMERAL' for consistency * fix tests for login strategies, vault-export, and fake MP service * more updates to login-strategy tests * write new tests for core pinKeyEncrypterUserKey methods and isPinSet * write new tests for pinProtected and oldPinKeyEncryptedMasterKey methods * minor test reformatting * update test for decryptUserKeyWithPin() * fix bug with oldPinKeyEncryptedMasterKey * fix tests for vault-timeout-settings.service * fix bitwarden-password-protected-importer test * fix login strategy tests and auth-request.service test * update pinService tests * fix crypto service tests * add jsdoc * fix test file import * update jsdocs for decryptAndMigrateOldPinKeyEncryptedMasterKey() * update error messages and jsdocs * add null checks, move userId retrievals * update migration tests * update stateService calls to require userId * update test for decryptUserKeyWithPin() * update oldPinKeyEncryptedMasterKey migration tests * more test updates * fix factory import * update tests for isPinSet() and createProtectedPin() * add test for makePinKey() * add test for createPinKeyEncryptedUserKey() * add tests for getPinLockType() * consolidate userId verification tests * add tests for storePinKeyEncryptedUserKey() * fix service dep * get email based on userId * use MasterPasswordService instead of internal * rename protectedPin to userKeyEncryptedPin * rename to pinKeyEncryptedUserKeyPersistent * update method params * fix CryptoService tests * jsdoc update * use EncString for userKeyEncryptedPin * remove comment * use cryptoFunctionService.compareFast() * update tests * cleanup, remove comments * resolve merge conflict * fix DI of MasterPasswordService * more DI fixes
2025-12-15 07:43:35 +00:00 · 2024-05-08 11:34:47 -07:00
parent c2812fc21d
commit a42de41587
84 changed files with 2182 additions and 998 deletions
--- a/libs/common/src/platform/abstractions/crypto.service.ts
+++ b/libs/common/src/platform/abstractions/crypto.service.ts
@@ -5,7 +5,7 @@ import { ProfileProviderOrganizationResponse } from "../../admin-console/models/
 import { ProfileProviderResponse } from "../../admin-console/models/response/profile-provider.response";
 import { KdfConfig } from "../../auth/models/domain/kdf-config";
 import { OrganizationId, ProviderId, UserId } from "../../types/guid";
-import { UserKey, MasterKey, OrgKey, ProviderKey, PinKey, CipherKey } from "../../types/key";
+import { UserKey, MasterKey, OrgKey, ProviderKey, CipherKey } from "../../types/key";
 import { KeySuffixOptions, HashPurpose } from "../enums";
 import { EncArrayBuffer } from "../models/domain/enc-array-buffer";
 import { EncString } from "../models/domain/enc-string";
@@ -139,18 +139,6 @@ export abstract class CryptoService {
    masterKey: MasterKey,
    userKey?: UserKey,
  ): Promise<[UserKey, EncString]>;
-  /**
-   * Decrypts the user key with the provided master key
-   * @param masterKey The user's master key
-   * @param userKey The user's encrypted symmetric key
-   * @param userId The desired user
-   * @returns The user key
-   */
-  abstract decryptUserKeyWithMasterKey(
-    masterKey: MasterKey,
-    userKey?: EncString,
-    userId?: string,
-  ): Promise<UserKey>;
  /**
   * Creates a master password hash from the user's master password. Can
   * be used for local authentication or for server authentication depending
@@ -268,13 +256,6 @@ export abstract class CryptoService {
   * @throws If the provided key is a null-ish value.
   */
  abstract makeKeyPair(key: SymmetricCryptoKey): Promise<[string, EncString]>;
-  /**
-   * @param pin The user's pin
-   * @param salt The user's salt
-   * @param kdfConfig The user's kdf config
-   * @returns A key derived from the user's pin
-   */
-  abstract makePinKey(pin: string, salt: string, kdfConfig: KdfConfig): Promise<PinKey>;
  /**
   * Clears the user's pin keys from storage
   * Note: This will remove the stored pin and as a result,
@@ -282,39 +263,6 @@ export abstract class CryptoService {
   * @param userId The desired user
   */
  abstract clearPinKeys(userId?: string): Promise<void>;
-  /**
-   * Decrypts the user key with their pin
-   * @param pin The user's PIN
-   * @param salt The user's salt
-   * @param kdfConfig The user's KDF config
-   * @param pinProtectedUserKey The user's PIN protected symmetric key, if not provided
-   * it will be retrieved from storage
-   * @returns The decrypted user key
-   */
-  abstract decryptUserKeyWithPin(
-    pin: string,
-    salt: string,
-    kdfConfig: KdfConfig,
-    protectedKeyCs?: EncString,
-  ): Promise<UserKey>;
-  /**
-   * Creates a new Pin key that encrypts the user key instead of the
-   * master key. Clears the old Pin key from state.
-   * @param masterPasswordOnRestart True if Master Password on Restart is enabled
-   * @param pin User's PIN
-   * @param email User's email
-   * @param kdfConfig User's KdfConfig
-   * @param oldPinKey The old Pin key from state (retrieved from different
-   * places depending on if Master Password on Restart was enabled)
-   * @returns The user key
-   */
-  abstract decryptAndMigrateOldPinKey(
-    masterPasswordOnRestart: boolean,
-    pin: string,
-    email: string,
-    kdfConfig: KdfConfig,
-    oldPinKey: EncString,
-  ): Promise<UserKey>;
  /**
   * @param keyMaterial The key material to derive the send key from
   * @returns A new send key
@@ -358,16 +306,6 @@ export abstract class CryptoService {
    publicKey: string;
    privateKey: EncString;
  }>;
-
-  /**
-   * @deprecated Left for migration purposes. Use decryptUserKeyWithPin instead.
-   */
-  abstract decryptMasterKeyWithPin(
-    pin: string,
-    salt: string,
-    kdfConfig: KdfConfig,
-    protectedKeyCs?: EncString,
-  ): Promise<MasterKey>;
  /**
   * Previously, the master key was used for any additional key like the biometrics or pin key.
   * We have switched to using the user key for these purposes. This method is for clearing the state
--- a/libs/common/src/platform/abstractions/key-generation.service.ts
+++ b/libs/common/src/platform/abstractions/key-generation.service.ts
@@ -53,4 +53,11 @@ export abstract class KeyGenerationService {
    salt: string | Uint8Array,
    kdfConfig: KdfConfig,
  ): Promise<SymmetricCryptoKey>;
+
+  /**
+   * Derives a 64 byte key from a 32 byte key using a key derivation function.
+   * @param key 32 byte key.
+   * @returns 64 byte derived key.
+   */
+  abstract stretchKey(key: SymmetricCryptoKey): Promise<SymmetricCryptoKey>;
 }
--- a/libs/common/src/platform/abstractions/state.service.ts
+++ b/libs/common/src/platform/abstractions/state.service.ts
@@ -4,7 +4,6 @@ import { GeneratedPasswordHistory, PasswordGeneratorOptions } from "../../tools/
 import { UsernameGeneratorOptions } from "../../tools/generator/username";
 import { UserId } from "../../types/guid";
 import { Account } from "../models/domain/account";
-import { EncString } from "../models/domain/enc-string";
 import { StorageOptions } from "../models/domain/storage-options";

 /**
@@ -47,26 +46,6 @@ export abstract class StateService<T extends Account = Account> {
   * Sets the user's biometric key
   */
  setUserKeyBiometric: (value: BiometricKey, options?: StorageOptions) => Promise<void>;
-  /**
-   * Gets the user key encrypted by the Pin key.
-   * Used when Lock with MP on Restart is disabled
-   */
-  getPinKeyEncryptedUserKey: (options?: StorageOptions) => Promise<EncString>;
-  /**
-   * Sets the user key encrypted by the Pin key.
-   * Used when Lock with MP on Restart is disabled
-   */
-  setPinKeyEncryptedUserKey: (value: EncString, options?: StorageOptions) => Promise<void>;
-  /**
-   * Gets the ephemeral version of the user key encrypted by the Pin key.
-   * Used when Lock with MP on Restart is enabled
-   */
-  getPinKeyEncryptedUserKeyEphemeral: (options?: StorageOptions) => Promise<EncString>;
-  /**
-   * Sets the ephemeral version of the user key encrypted by the Pin key.
-   * Used when Lock with MP on Restart is enabled
-   */
-  setPinKeyEncryptedUserKeyEphemeral: (value: EncString, options?: StorageOptions) => Promise<void>;
  /**
   * @deprecated For backwards compatible purposes only, use DesktopAutofillSettingsService
   */
@@ -101,14 +80,6 @@ export abstract class StateService<T extends Account = Account> {
    value: GeneratedPasswordHistory[],
    options?: StorageOptions,
  ) => Promise<void>;
-  /**
-   * @deprecated For migration purposes only, use getDecryptedUserKeyPin instead
-   */
-  getDecryptedPinProtected: (options?: StorageOptions) => Promise<EncString>;
-  /**
-   * @deprecated For migration purposes only, use setDecryptedUserKeyPin instead
-   */
-  setDecryptedPinProtected: (value: EncString, options?: StorageOptions) => Promise<void>;
  getDuckDuckGoSharedKey: (options?: StorageOptions) => Promise<string>;
  setDuckDuckGoSharedKey: (value: string, options?: StorageOptions) => Promise<void>;
  getEmail: (options?: StorageOptions) => Promise<string>;
@@ -127,14 +98,6 @@ export abstract class StateService<T extends Account = Account> {
    value: GeneratedPasswordHistory[],
    options?: StorageOptions,
  ) => Promise<void>;
-  /**
-   * @deprecated For migration purposes only, use getEncryptedUserKeyPin instead
-   */
-  getEncryptedPinProtected: (options?: StorageOptions) => Promise<string>;
-  /**
-   * @deprecated For migration purposes only, use setEncryptedUserKeyPin instead
-   */
-  setEncryptedPinProtected: (value: string, options?: StorageOptions) => Promise<void>;
  getIsAuthenticated: (options?: StorageOptions) => Promise<boolean>;
  getLastSync: (options?: StorageOptions) => Promise<string>;
  setLastSync: (value: string, options?: StorageOptions) => Promise<void>;
@@ -154,14 +117,6 @@ export abstract class StateService<T extends Account = Account> {
  ) => Promise<void>;
  getGeneratorOptions: (options?: StorageOptions) => Promise<GeneratorOptions>;
  setGeneratorOptions: (value: GeneratorOptions, options?: StorageOptions) => Promise<void>;
-  /**
-   * Gets the user's Pin, encrypted by the user key
-   */
-  getProtectedPin: (options?: StorageOptions) => Promise<string>;
-  /**
-   * Sets the user's Pin, encrypted by the user key
-   */
-  setProtectedPin: (value: string, options?: StorageOptions) => Promise<void>;
  getUserId: (options?: StorageOptions) => Promise<string>;
  getVaultTimeout: (options?: StorageOptions) => Promise<number>;
  setVaultTimeout: (value: number, options?: StorageOptions) => Promise<void>;
--- a/libs/common/src/platform/models/domain/account-settings.spec.ts
+++ b/libs/common/src/platform/models/domain/account-settings.spec.ts
@@ -1,24 +1,9 @@
-import { AccountSettings, EncryptionPair } from "./account";
-import { EncString } from "./enc-string";
+import { AccountSettings } from "./account";

 describe("AccountSettings", () => {
  describe("fromJSON", () => {
    it("should deserialize to an instance of itself", () => {
      expect(AccountSettings.fromJSON(JSON.parse("{}"))).toBeInstanceOf(AccountSettings);
    });
-
-    it("should deserialize pinProtected", () => {
-      const accountSettings = new AccountSettings();
-      accountSettings.pinProtected = EncryptionPair.fromJSON<string, EncString>({
-        encrypted: "encrypted",
-        decrypted: "3.data",
-      });
-      const jsonObj = JSON.parse(JSON.stringify(accountSettings));
-      const actual = AccountSettings.fromJSON(jsonObj);
-
-      expect(actual.pinProtected).toBeInstanceOf(EncryptionPair);
-      expect(actual.pinProtected.encrypted).toEqual("encrypted");
-      expect(actual.pinProtected.decrypted.encryptedString).toEqual("3.data");
-    });
  });
 });
--- a/libs/common/src/platform/models/domain/account.ts
+++ b/libs/common/src/platform/models/domain/account.ts
@@ -11,7 +11,6 @@ import { DeepJsonify } from "../../../types/deep-jsonify";
 import { KdfType } from "../../enums";
 import { Utils } from "../../misc/utils";

-import { EncryptedString, EncString } from "./enc-string";
 import { SymmetricCryptoKey } from "./symmetric-crypto-key";

 export class EncryptionPair<TEncrypted, TDecrypted> {
@@ -148,26 +147,15 @@ export class AccountSettings {
  passwordGenerationOptions?: PasswordGeneratorOptions;
  usernameGenerationOptions?: UsernameGeneratorOptions;
  generatorOptions?: GeneratorOptions;
-  pinKeyEncryptedUserKey?: EncryptedString;
-  pinKeyEncryptedUserKeyEphemeral?: EncryptedString;
-  protectedPin?: string;
  vaultTimeout?: number;
  vaultTimeoutAction?: string = "lock";

-  /** @deprecated July 2023, left for migration purposes*/
-  pinProtected?: EncryptionPair<string, EncString> = new EncryptionPair<string, EncString>();
-
  static fromJSON(obj: Jsonify<AccountSettings>): AccountSettings {
    if (obj == null) {
      return null;
    }

-    return Object.assign(new AccountSettings(), obj, {
-      pinProtected: EncryptionPair.fromJSON<string, EncString>(
-        obj?.pinProtected,
-        EncString.fromJSON,
-      ),
-    });
+    return Object.assign(new AccountSettings(), obj);
  }
 }

--- a/libs/common/src/platform/services/crypto.service.spec.ts
+++ b/libs/common/src/platform/services/crypto.service.spec.ts
@@ -1,6 +1,7 @@
 import { mock } from "jest-mock-extended";
 import { firstValueFrom, of, tap } from "rxjs";

+import { PinServiceAbstraction } from "../../../../auth/src/common/abstractions";
 import { FakeAccountService, mockAccountServiceWith } from "../../../spec/fake-account-service";
 import { FakeActiveUserState, FakeSingleUserState } from "../../../spec/fake-state";
 import { FakeStateProvider } from "../../../spec/fake-state-provider";
@@ -8,7 +9,7 @@ import { KdfConfigService } from "../../auth/abstractions/kdf-config.service";
 import { FakeMasterPasswordService } from "../../auth/services/master-password/fake-master-password.service";
 import { CsprngArray } from "../../types/csprng";
 import { UserId } from "../../types/guid";
-import { UserKey, MasterKey, PinKey } from "../../types/key";
+import { UserKey, MasterKey } from "../../types/key";
 import { CryptoFunctionService } from "../abstractions/crypto-function.service";
 import { EncryptService } from "../abstractions/encrypt.service";
 import { KeyGenerationService } from "../abstractions/key-generation.service";
@@ -32,6 +33,7 @@ import {
 describe("cryptoService", () => {
  let cryptoService: CryptoService;

+  const pinService = mock<PinServiceAbstraction>();
  const keyGenerationService = mock<KeyGenerationService>();
  const cryptoFunctionService = mock<CryptoFunctionService>();
  const encryptService = mock<EncryptService>();
@@ -51,6 +53,7 @@ describe("cryptoService", () => {
    stateProvider = new FakeStateProvider(accountService);

    cryptoService = new CryptoService(
+      pinService,
      masterPasswordService,
      keyGenerationService,
      cryptoFunctionService,
@@ -251,60 +254,50 @@ describe("cryptoService", () => {
    });

    describe("Pin Key refresh", () => {
-      let cryptoSvcMakePinKey: jest.SpyInstance;
-      const protectedPin =
-        "2.jcow2vTUePO+CCyokcIfVw==|DTBNlJ5yVsV2Bsk3UU3H6Q==|YvFBff5gxWqM+UsFB6BKimKxhC32AtjF3IStpU1Ijwg=";
-      let encPin: EncString;
+      const mockPinKeyEncryptedUserKey = new EncString(
+        "2.AAAw2vTUePO+CCyokcIfVw==|DTBNlJ5yVsV2Bsk3UU3H6Q==|YvFBff5gxWqM+UsFB6BKimKxhC32AtjF3IStpU1Ijwg=",
+      );
+      const mockUserKeyEncryptedPin = new EncString(
+        "2.BBBw2vTUePO+CCyokcIfVw==|DTBNlJ5yVsV2Bsk3UU3H6Q==|YvFBff5gxWqM+UsFB6BKimKxhC32AtjF3IStpU1Ijwg=",
+      );

-      beforeEach(() => {
-        cryptoSvcMakePinKey = jest.spyOn(cryptoService, "makePinKey");
-        cryptoSvcMakePinKey.mockResolvedValue(new SymmetricCryptoKey(new Uint8Array(64)) as PinKey);
-        encPin = new EncString(
-          "2.jcow2vTUePO+CCyokcIfVw==|DTBNlJ5yVsV2Bsk3UU3H6Q==|YvFBff5gxWqM+UsFB6BKimKxhC32AtjF3IStpU1Ijwg=",
-        );
-        encryptService.encrypt.mockResolvedValue(encPin);
-      });
-
-      it("sets a UserKeyPin if a ProtectedPin and UserKeyPin is set", async () => {
-        stateService.getProtectedPin.mockResolvedValue(protectedPin);
-        stateService.getPinKeyEncryptedUserKey.mockResolvedValue(
-          new EncString(
-            "2.OdGNE3L23GaDZGvu9h2Brw==|/OAcNnrYwu0rjiv8+RUr3Tc+Ef8fV035Tm1rbTxfEuC+2LZtiCAoIvHIZCrM/V1PWnb/pHO2gh9+Koks04YhX8K29ED4FzjeYP8+YQD/dWo=|+12xTcIK/UVRsOyawYudPMHb6+lCHeR2Peq1pQhPm0A=",
-          ),
+      it("sets a pinKeyEncryptedUserKeyPersistent if a userKeyEncryptedPin and pinKeyEncryptedUserKey is set", async () => {
+        pinService.createPinKeyEncryptedUserKey.mockResolvedValue(mockPinKeyEncryptedUserKey);
+        pinService.getUserKeyEncryptedPin.mockResolvedValue(mockUserKeyEncryptedPin);
+        pinService.getPinKeyEncryptedUserKeyPersistent.mockResolvedValue(
+          mockPinKeyEncryptedUserKey,
        );

        await cryptoService.setUserKey(mockUserKey, mockUserId);

-        expect(stateService.setPinKeyEncryptedUserKey).toHaveBeenCalledWith(expect.any(EncString), {
-          userId: mockUserId,
-        });
-      });
-
-      it("sets a PinKeyEphemeral if a ProtectedPin is set, but a UserKeyPin is not set", async () => {
-        stateService.getProtectedPin.mockResolvedValue(protectedPin);
-        stateService.getPinKeyEncryptedUserKey.mockResolvedValue(null);
-
-        await cryptoService.setUserKey(mockUserKey, mockUserId);
-
-        expect(stateService.setPinKeyEncryptedUserKeyEphemeral).toHaveBeenCalledWith(
-          expect.any(EncString),
-          {
-            userId: mockUserId,
-          },
+        expect(pinService.storePinKeyEncryptedUserKey).toHaveBeenCalledWith(
+          mockPinKeyEncryptedUserKey,
+          false,
+          mockUserId,
        );
      });

-      it("clears the UserKeyPin and UserKeyPinEphemeral if the ProtectedPin is not set", async () => {
-        stateService.getProtectedPin.mockResolvedValue(null);
+      it("sets a pinKeyEncryptedUserKeyEphemeral if a userKeyEncryptedPin is set, but a pinKeyEncryptedUserKey is not set", async () => {
+        pinService.createPinKeyEncryptedUserKey.mockResolvedValue(mockPinKeyEncryptedUserKey);
+        pinService.getUserKeyEncryptedPin.mockResolvedValue(mockUserKeyEncryptedPin);
+        pinService.getPinKeyEncryptedUserKeyPersistent.mockResolvedValue(null);

        await cryptoService.setUserKey(mockUserKey, mockUserId);

-        expect(stateService.setPinKeyEncryptedUserKey).toHaveBeenCalledWith(null, {
-          userId: mockUserId,
-        });
-        expect(stateService.setPinKeyEncryptedUserKeyEphemeral).toHaveBeenCalledWith(null, {
-          userId: mockUserId,
-        });
+        expect(pinService.storePinKeyEncryptedUserKey).toHaveBeenCalledWith(
+          mockPinKeyEncryptedUserKey,
+          true,
+          mockUserId,
+        );
+      });
+
+      it("clears the pinKeyEncryptedUserKeyPersistent and pinKeyEncryptedUserKeyEphemeral if the UserKeyEncryptedPin is not set", async () => {
+        pinService.getUserKeyEncryptedPin.mockResolvedValue(null);
+
+        await cryptoService.setUserKey(mockUserKey, mockUserId);
+
+        expect(pinService.clearPinKeyEncryptedUserKeyPersistent).toHaveBeenCalledWith(mockUserId);
+        expect(pinService.clearPinKeyEncryptedUserKeyEphemeral).toHaveBeenCalledWith(mockUserId);
      });
    });
  });
--- a/libs/common/src/platform/services/crypto.service.ts
+++ b/libs/common/src/platform/services/crypto.service.ts
@@ -1,6 +1,7 @@
 import * as bigInt from "big-integer";
 import { Observable, filter, firstValueFrom, map } from "rxjs";

+import { PinServiceAbstraction } from "../../../../auth/src/common/abstractions";
 import { EncryptedOrganizationKeyData } from "../../admin-console/models/data/encrypted-organization-key.data";
 import { ProfileOrganizationResponse } from "../../admin-console/models/response/profile-organization.response";
 import { ProfileProviderOrganizationResponse } from "../../admin-console/models/response/profile-provider-organization.response";
@@ -17,7 +18,6 @@ import {
  UserKey,
  MasterKey,
  ProviderKey,
-  PinKey,
  CipherKey,
  UserPrivateKey,
  UserPublicKey,
@@ -74,6 +74,7 @@ export class CryptoService implements CryptoServiceAbstraction {
  readonly everHadUserKey$: Observable<boolean>;

  constructor(
+    protected pinService: PinServiceAbstraction,
    protected masterPasswordService: InternalMasterPasswordServiceAbstraction,
    protected keyGenerationService: KeyGenerationService,
    protected cryptoFunctionService: CryptoFunctionService,
@@ -254,7 +255,7 @@ export class CryptoService implements CryptoServiceAbstraction {
    if (keySuffix === KeySuffixOptions.Pin) {
      // FIXME: Verify that this floating promise is intentional. If it is, add an explanatory comment and ensure there is proper error handling.
      // eslint-disable-next-line @typescript-eslint/no-floating-promises
-      this.stateService.setPinKeyEncryptedUserKeyEphemeral(null, { userId: userId });
+      this.pinService.clearPinKeyEncryptedUserKeyEphemeral(userId);
      // FIXME: Verify that this floating promise is intentional. If it is, add an explanatory comment and ensure there is proper error handling.
      // eslint-disable-next-line @typescript-eslint/no-floating-promises
      this.clearDeprecatedKeys(KeySuffixOptions.Pin, userId);
@@ -303,46 +304,6 @@ export class CryptoService implements CryptoServiceAbstraction {
    return await this.buildProtectedSymmetricKey(masterKey, userKey.key);
  }

-  // TODO: move to master password service
-  async decryptUserKeyWithMasterKey(
-    masterKey: MasterKey,
-    userKey?: EncString,
-    userId?: UserId,
-  ): Promise<UserKey> {
-    userId ??= await firstValueFrom(this.stateProvider.activeUserId$);
-    userKey ??= await this.masterPasswordService.getMasterKeyEncryptedUserKey(userId);
-    masterKey ??= await firstValueFrom(this.masterPasswordService.masterKey$(userId));
-    if (masterKey == null) {
-      throw new Error("No master key found.");
-    }
-
-    // Try one more way to get the user key if it still wasn't found.
-    if (userKey == null) {
-      const deprecatedKey = await this.stateService.getEncryptedCryptoSymmetricKey({
-        userId: userId,
-      });
-      if (deprecatedKey == null) {
-        throw new Error("No encrypted user key found.");
-      }
-      userKey = new EncString(deprecatedKey);
-    }
-
-    let decUserKey: Uint8Array;
-    if (userKey.encryptionType === EncryptionType.AesCbc256_B64) {
-      decUserKey = await this.encryptService.decryptToBytes(userKey, masterKey);
-    } else if (userKey.encryptionType === EncryptionType.AesCbc256_HmacSha256_B64) {
-      const newKey = await this.stretchKey(masterKey);
-      decUserKey = await this.encryptService.decryptToBytes(userKey, newKey);
-    } else {
-      throw new Error("Unsupported encryption type.");
-    }
-    if (decUserKey == null) {
-      return null;
-    }
-
-    return new SymmetricCryptoKey(decUserKey) as UserKey;
-  }
-
  // TODO: move to MasterPasswordService
  async hashMasterKey(
    password: string,
@@ -548,53 +509,19 @@ export class CryptoService implements CryptoServiceAbstraction {
    await this.stateProvider.setUserState(USER_ENCRYPTED_PRIVATE_KEY, null, userId);
  }

-  async makePinKey(pin: string, salt: string, kdfConfig: KdfConfig): Promise<PinKey> {
-    const pinKey = await this.keyGenerationService.deriveKeyFromPassword(pin, salt, kdfConfig);
-    return (await this.stretchKey(pinKey)) as PinKey;
-  }
-
  async clearPinKeys(userId?: UserId): Promise<void> {
-    await this.stateService.setPinKeyEncryptedUserKey(null, { userId: userId });
-    await this.stateService.setPinKeyEncryptedUserKeyEphemeral(null, { userId: userId });
-    await this.stateService.setProtectedPin(null, { userId: userId });
+    userId ??= await firstValueFrom(this.stateProvider.activeUserId$);
+
+    if (userId == null) {
+      throw new Error("Cannot clear PIN keys, no user Id resolved.");
+    }
+
+    await this.pinService.clearPinKeyEncryptedUserKeyPersistent(userId);
+    await this.pinService.clearPinKeyEncryptedUserKeyEphemeral(userId);
+    await this.pinService.clearUserKeyEncryptedPin(userId);
    await this.clearDeprecatedKeys(KeySuffixOptions.Pin, userId);
  }

-  async decryptUserKeyWithPin(
-    pin: string,
-    salt: string,
-    kdfConfig: KdfConfig,
-    pinProtectedUserKey?: EncString,
-  ): Promise<UserKey> {
-    pinProtectedUserKey ||= await this.stateService.getPinKeyEncryptedUserKey();
-    pinProtectedUserKey ||= await this.stateService.getPinKeyEncryptedUserKeyEphemeral();
-    if (!pinProtectedUserKey) {
-      throw new Error("No PIN protected key found.");
-    }
-    const pinKey = await this.makePinKey(pin, salt, kdfConfig);
-    const userKey = await this.encryptService.decryptToBytes(pinProtectedUserKey, pinKey);
-    return new SymmetricCryptoKey(userKey) as UserKey;
-  }
-
-  // only for migration purposes
-  async decryptMasterKeyWithPin(
-    pin: string,
-    salt: string,
-    kdfConfig: KdfConfig,
-    pinProtectedMasterKey?: EncString,
-  ): Promise<MasterKey> {
-    if (!pinProtectedMasterKey) {
-      const pinProtectedMasterKeyString = await this.stateService.getEncryptedPinProtected();
-      if (pinProtectedMasterKeyString == null) {
-        throw new Error("No PIN protected key found.");
-      }
-      pinProtectedMasterKey = new EncString(pinProtectedMasterKeyString);
-    }
-    const pinKey = await this.makePinKey(pin, salt, kdfConfig);
-    const masterKey = await this.encryptService.decryptToBytes(pinProtectedMasterKey, pinKey);
-    return new SymmetricCryptoKey(masterKey) as MasterKey;
-  }
-
  async makeSendKey(keyMaterial: CsprngArray): Promise<SymmetricCryptoKey> {
    return await this.keyGenerationService.deriveKeyFromMaterial(
      keyMaterial,
@@ -798,6 +725,12 @@ export class CryptoService implements CryptoServiceAbstraction {
   * @param userId The desired user
   */
  protected async storeAdditionalKeys(key: UserKey, userId?: UserId) {
+    userId ??= await firstValueFrom(this.stateProvider.activeUserId$);
+
+    if (userId == null) {
+      throw new Error("Cannot store additional keys, no user Id resolved.");
+    }
+
    const storeAuto = await this.shouldStoreKey(KeySuffixOptions.Auto, userId);
    if (storeAuto) {
      await this.stateService.setUserKeyAutoUnlock(key.keyB64, { userId: userId });
@@ -808,37 +741,31 @@ export class CryptoService implements CryptoServiceAbstraction {

    const storePin = await this.shouldStoreKey(KeySuffixOptions.Pin, userId);
    if (storePin) {
-      await this.storePinKey(key, userId);
+      // Decrypt userKeyEncryptedPin with user key
+      const pin = await this.encryptService.decryptToUtf8(
+        await this.pinService.getUserKeyEncryptedPin(userId),
+        key,
+      );
+
+      const pinKeyEncryptedUserKey = await this.pinService.createPinKeyEncryptedUserKey(
+        pin,
+        key,
+        userId,
+      );
+      const noPreExistingPersistentKey =
+        (await this.pinService.getPinKeyEncryptedUserKeyPersistent(userId)) == null;
+
+      await this.pinService.storePinKeyEncryptedUserKey(
+        pinKeyEncryptedUserKey,
+        noPreExistingPersistentKey,
+        userId,
+      );
      // We can't always clear deprecated keys because the pin is only
      // migrated once used to unlock
      await this.clearDeprecatedKeys(KeySuffixOptions.Pin, userId);
    } else {
-      await this.stateService.setPinKeyEncryptedUserKey(null, { userId: userId });
-      await this.stateService.setPinKeyEncryptedUserKeyEphemeral(null, { userId: userId });
-    }
-  }
-
-  /**
-   * Stores the pin key if needed. If MP on Reset is enabled, stores the
-   * ephemeral version.
-   * @param key The user key
-   */
-  protected async storePinKey(key: UserKey, userId?: UserId) {
-    const pin = await this.encryptService.decryptToUtf8(
-      new EncString(await this.stateService.getProtectedPin({ userId: userId })),
-      key,
-    );
-    const pinKey = await this.makePinKey(
-      pin,
-      await this.stateService.getEmail({ userId: userId }),
-      await this.kdfConfigService.getKdfConfig(),
-    );
-    const encPin = await this.encryptService.encrypt(key.key, pinKey);
-
-    if ((await this.stateService.getPinKeyEncryptedUserKey({ userId: userId })) != null) {
-      await this.stateService.setPinKeyEncryptedUserKey(encPin, { userId: userId });
-    } else {
-      await this.stateService.setPinKeyEncryptedUserKeyEphemeral(encPin, { userId: userId });
+      await this.pinService.clearPinKeyEncryptedUserKeyPersistent(userId);
+      await this.pinService.clearPinKeyEncryptedUserKeyEphemeral(userId);
    }
  }

@@ -851,8 +778,8 @@ export class CryptoService implements CryptoServiceAbstraction {
        break;
      }
      case KeySuffixOptions.Pin: {
-        const protectedPin = await this.stateService.getProtectedPin({ userId: userId });
-        shouldStoreKey = !!protectedPin;
+        const userKeyEncryptedPin = await this.pinService.getUserKeyEncryptedPin(userId);
+        shouldStoreKey = !!userKeyEncryptedPin;
        break;
      }
    }
@@ -874,16 +801,7 @@ export class CryptoService implements CryptoServiceAbstraction {

  protected async clearAllStoredUserKeys(userId?: UserId): Promise<void> {
    await this.stateService.setUserKeyAutoUnlock(null, { userId: userId });
-    await this.stateService.setPinKeyEncryptedUserKeyEphemeral(null, { userId: userId });
-  }
-
-  private async stretchKey(key: SymmetricCryptoKey): Promise<SymmetricCryptoKey> {
-    const newKey = new Uint8Array(64);
-    const encKey = await this.cryptoFunctionService.hkdfExpand(key.key, "enc", 32, "sha256");
-    const macKey = await this.cryptoFunctionService.hkdfExpand(key.key, "mac", 32, "sha256");
-    newKey.set(new Uint8Array(encKey));
-    newKey.set(new Uint8Array(macKey), 32);
-    return new SymmetricCryptoKey(newKey);
+    await this.pinService.clearPinKeyEncryptedUserKeyEphemeral(userId);
  }

  private async hashPhrase(hash: Uint8Array, minimumEntropy = 64) {
@@ -912,7 +830,7 @@ export class CryptoService implements CryptoServiceAbstraction {
  ): Promise<[T, EncString]> {
    let protectedSymKey: EncString = null;
    if (encryptionKey.key.byteLength === 32) {
-      const stretchedEncryptionKey = await this.stretchKey(encryptionKey);
+      const stretchedEncryptionKey = await this.keyGenerationService.stretchKey(encryptionKey);
      protectedSymKey = await this.encryptService.encrypt(newSymKey, stretchedEncryptionKey);
    } else if (encryptionKey.key.byteLength === 64) {
      protectedSymKey = await this.encryptService.encrypt(newSymKey, encryptionKey);
@@ -931,42 +849,10 @@ export class CryptoService implements CryptoServiceAbstraction {
    if (keySuffix === KeySuffixOptions.Auto) {
      await this.stateService.setCryptoMasterKeyAuto(null, { userId: userId });
    } else if (keySuffix === KeySuffixOptions.Pin) {
-      await this.stateService.setEncryptedPinProtected(null, { userId: userId });
-      await this.stateService.setDecryptedPinProtected(null, { userId: userId });
+      await this.pinService.clearOldPinKeyEncryptedMasterKey(userId);
    }
  }

-  async decryptAndMigrateOldPinKey(
-    masterPasswordOnRestart: boolean,
-    pin: string,
-    email: string,
-    kdfConfig: KdfConfig,
-    oldPinKey: EncString,
-  ): Promise<UserKey> {
-    // Decrypt
-    const masterKey = await this.decryptMasterKeyWithPin(pin, email, kdfConfig, oldPinKey);
-    const encUserKey = await this.stateService.getEncryptedCryptoSymmetricKey();
-    const userKey = await this.decryptUserKeyWithMasterKey(masterKey, new EncString(encUserKey));
-    // Migrate
-    const pinKey = await this.makePinKey(pin, email, kdfConfig);
-    const pinProtectedKey = await this.encryptService.encrypt(userKey.key, pinKey);
-    if (masterPasswordOnRestart) {
-      await this.stateService.setDecryptedPinProtected(null);
-      await this.stateService.setPinKeyEncryptedUserKeyEphemeral(pinProtectedKey);
-    } else {
-      await this.stateService.setEncryptedPinProtected(null);
-      await this.stateService.setPinKeyEncryptedUserKey(pinProtectedKey);
-      // We previously only set the protected pin if MP on Restart was enabled
-      // now we set it regardless
-      const encPin = await this.encryptService.encrypt(pin, userKey);
-      await this.stateService.setProtectedPin(encPin.encryptedString);
-    }
-    // This also clears the old Biometrics key since the new Biometrics key will
-    // be created when the user key is set.
-    await this.stateService.setCryptoMasterKeyBiometric(null);
-    return userKey;
-  }
-
  // --DEPRECATED METHODS--

  /**
--- a/libs/common/src/platform/services/key-generation.service.ts
+++ b/libs/common/src/platform/services/key-generation.service.ts
@@ -81,4 +81,15 @@ export class KeyGenerationService implements KeyGenerationServiceAbstraction {
    }
    return new SymmetricCryptoKey(key);
  }
+
+  async stretchKey(key: SymmetricCryptoKey): Promise<SymmetricCryptoKey> {
+    const newKey = new Uint8Array(64);
+    const encKey = await this.cryptoFunctionService.hkdfExpand(key.key, "enc", 32, "sha256");
+    const macKey = await this.cryptoFunctionService.hkdfExpand(key.key, "mac", 32, "sha256");
+
+    newKey.set(new Uint8Array(encKey));
+    newKey.set(new Uint8Array(macKey), 32);
+
+    return new SymmetricCryptoKey(newKey);
+  }
 }
--- a/libs/common/src/platform/services/state.service.ts
+++ b/libs/common/src/platform/services/state.service.ts
@@ -19,7 +19,6 @@ import { HtmlStorageLocation, StorageLocation } from "../enums";
 import { StateFactory } from "../factories/state-factory";
 import { Utils } from "../misc/utils";
 import { Account, AccountData, AccountSettings } from "../models/domain/account";
-import { EncString } from "../models/domain/enc-string";
 import { GlobalState } from "../models/domain/global-state";
 import { State } from "../models/domain/state";
 import { StorageOptions } from "../models/domain/storage-options";
@@ -220,45 +219,6 @@ export class StateService<
    await this.saveSecureStorageKey(partialKeys.userBiometricKey, value, options);
  }

-  async getPinKeyEncryptedUserKey(options?: StorageOptions): Promise<EncString> {
-    return EncString.fromJSON(
-      (await this.getAccount(this.reconcileOptions(options, await this.defaultOnDiskOptions())))
-        ?.settings?.pinKeyEncryptedUserKey,
-    );
-  }
-
-  async setPinKeyEncryptedUserKey(value: EncString, options?: StorageOptions): Promise<void> {
-    const account = await this.getAccount(
-      this.reconcileOptions(options, await this.defaultOnDiskOptions()),
-    );
-    account.settings.pinKeyEncryptedUserKey = value?.encryptedString;
-    await this.saveAccount(
-      account,
-      this.reconcileOptions(options, await this.defaultOnDiskOptions()),
-    );
-  }
-
-  async getPinKeyEncryptedUserKeyEphemeral(options?: StorageOptions): Promise<EncString> {
-    return EncString.fromJSON(
-      (await this.getAccount(this.reconcileOptions(options, await this.defaultInMemoryOptions())))
-        ?.settings?.pinKeyEncryptedUserKeyEphemeral,
-    );
-  }
-
-  async setPinKeyEncryptedUserKeyEphemeral(
-    value: EncString,
-    options?: StorageOptions,
-  ): Promise<void> {
-    const account = await this.getAccount(
-      this.reconcileOptions(options, await this.defaultInMemoryOptions()),
-    );
-    account.settings.pinKeyEncryptedUserKeyEphemeral = value?.encryptedString;
-    await this.saveAccount(
-      account,
-      this.reconcileOptions(options, await this.defaultInMemoryOptions()),
-    );
-  }
-
  /**
   * @deprecated Use UserKeyAuto instead
   */
@@ -369,29 +329,6 @@ export class StateService<
    );
  }

-  /**
-   * @deprecated Use getPinKeyEncryptedUserKeyEphemeral instead
-   */
-  async getDecryptedPinProtected(options?: StorageOptions): Promise<EncString> {
-    return (
-      await this.getAccount(this.reconcileOptions(options, await this.defaultInMemoryOptions()))
-    )?.settings?.pinProtected?.decrypted;
-  }
-
-  /**
-   * @deprecated Use setPinKeyEncryptedUserKeyEphemeral instead
-   */
-  async setDecryptedPinProtected(value: EncString, options?: StorageOptions): Promise<void> {
-    const account = await this.getAccount(
-      this.reconcileOptions(options, await this.defaultInMemoryOptions()),
-    );
-    account.settings.pinProtected.decrypted = value;
-    await this.saveAccount(
-      account,
-      this.reconcileOptions(options, await this.defaultInMemoryOptions()),
-    );
-  }
-
  async getDuckDuckGoSharedKey(options?: StorageOptions): Promise<string> {
    options = this.reconcileOptions(options, await this.defaultSecureStorageOptions());
    if (options?.userId == null) {
@@ -512,23 +449,6 @@ export class StateService<
    );
  }

-  async getEncryptedPinProtected(options?: StorageOptions): Promise<string> {
-    return (
-      await this.getAccount(this.reconcileOptions(options, await this.defaultOnDiskOptions()))
-    )?.settings?.pinProtected?.encrypted;
-  }
-
-  async setEncryptedPinProtected(value: string, options?: StorageOptions): Promise<void> {
-    const account = await this.getAccount(
-      this.reconcileOptions(options, await this.defaultOnDiskOptions()),
-    );
-    account.settings.pinProtected.encrypted = value;
-    await this.saveAccount(
-      account,
-      this.reconcileOptions(options, await this.defaultOnDiskOptions()),
-    );
-  }
-
  async getIsAuthenticated(options?: StorageOptions): Promise<boolean> {
    return (
      (await this.tokenService.getAccessToken(options?.userId as UserId)) != null &&
@@ -645,23 +565,6 @@ export class StateService<
    );
  }

-  async getProtectedPin(options?: StorageOptions): Promise<string> {
-    return (
-      await this.getAccount(this.reconcileOptions(options, await this.defaultOnDiskOptions()))
-    )?.settings?.protectedPin;
-  }
-
-  async setProtectedPin(value: string, options?: StorageOptions): Promise<void> {
-    const account = await this.getAccount(
-      this.reconcileOptions(options, await this.defaultOnDiskOptions()),
-    );
-    account.settings.protectedPin = value;
-    await this.saveAccount(
-      account,
-      this.reconcileOptions(options, await this.defaultOnDiskOptions()),
-    );
-  }
-
  async getUserId(options?: StorageOptions): Promise<string> {
    return (
      await this.getAccount(this.reconcileOptions(options, await this.defaultOnDiskOptions()))
--- a/libs/common/src/platform/services/system.service.ts
+++ b/libs/common/src/platform/services/system.service.ts
@@ -1,5 +1,6 @@
 import { firstValueFrom, map, timeout } from "rxjs";

+import { PinServiceAbstraction } from "../../../../auth/src/common/abstractions";
 import { VaultTimeoutSettingsService } from "../../abstractions/vault-timeout/vault-timeout-settings.service";
 import { AccountService } from "../../auth/abstractions/account.service";
 import { AuthService } from "../../auth/abstractions/auth.service";
@@ -20,6 +21,7 @@ export class SystemService implements SystemServiceAbstraction {
  private clearClipboardTimeoutFunction: () => Promise<any> = null;

  constructor(
+    private pinService: PinServiceAbstraction,
    private messagingService: MessagingService,
    private platformUtilsService: PlatformUtilsService,
    private reloadCallback: () => Promise<void> = null,
@@ -50,10 +52,13 @@ export class SystemService implements SystemServiceAbstraction {
      return;
    }

-    // User has set a PIN, with ask for master password on restart, to protect their vault
-    const ephemeralPin = await this.stateService.getPinKeyEncryptedUserKeyEphemeral();
-    if (ephemeralPin != null) {
-      return;
+    // If there is an active user, check if they have a pinKeyEncryptedUserKeyEphemeral. If so, prevent process reload upon lock.
+    const userId = (await firstValueFrom(this.accountService.activeAccount$))?.id;
+    if (userId != null) {
+      const ephemeralPin = await this.pinService.getPinKeyEncryptedUserKeyEphemeral(userId);
+      if (ephemeralPin != null) {
+        return;
+      }
    }

    this.cancelProcessReload();
--- a/libs/common/src/platform/state/state-definitions.ts
+++ b/libs/common/src/platform/state/state-definitions.ts
@@ -35,31 +35,33 @@ export const BILLING_DISK = new StateDefinition("billing", "disk");

 // Auth

+export const ACCOUNT_DISK = new StateDefinition("account", "disk");
+export const ACCOUNT_MEMORY = new StateDefinition("account", "memory");
+export const AUTH_REQUEST_DISK_LOCAL = new StateDefinition("authRequestLocal", "disk", {
+  web: "disk-local",
+});
+export const AVATAR_DISK = new StateDefinition("avatar", "disk", { web: "disk-local" });
+export const DEVICE_TRUST_DISK_LOCAL = new StateDefinition("deviceTrust", "disk", {
+  web: "disk-local",
+});
 export const KDF_CONFIG_DISK = new StateDefinition("kdfConfig", "disk");
 export const KEY_CONNECTOR_DISK = new StateDefinition("keyConnector", "disk");
-export const ACCOUNT_MEMORY = new StateDefinition("account", "memory");
-export const ACCOUNT_DISK = new StateDefinition("account", "disk");
-export const MASTER_PASSWORD_MEMORY = new StateDefinition("masterPassword", "memory");
-export const MASTER_PASSWORD_DISK = new StateDefinition("masterPassword", "disk");
-export const TWO_FACTOR_MEMORY = new StateDefinition("twoFactor", "memory");
-export const AVATAR_DISK = new StateDefinition("avatar", "disk", { web: "disk-local" });
-export const ROUTER_DISK = new StateDefinition("router", "disk");
 export const LOGIN_EMAIL_DISK = new StateDefinition("loginEmail", "disk", {
  web: "disk-local",
 });
 export const LOGIN_STRATEGY_MEMORY = new StateDefinition("loginStrategy", "memory");
-export const AUTH_REQUEST_DISK_LOCAL = new StateDefinition("authRequestLocal", "disk", {
-  web: "disk-local",
-});
+export const MASTER_PASSWORD_DISK = new StateDefinition("masterPassword", "disk");
+export const MASTER_PASSWORD_MEMORY = new StateDefinition("masterPassword", "memory");
+export const PIN_DISK = new StateDefinition("pinUnlock", "disk");
+export const PIN_MEMORY = new StateDefinition("pinUnlock", "memory");
+export const ROUTER_DISK = new StateDefinition("router", "disk");
 export const SSO_DISK = new StateDefinition("ssoLogin", "disk");
 export const TOKEN_DISK = new StateDefinition("token", "disk");
 export const TOKEN_DISK_LOCAL = new StateDefinition("tokenDiskLocal", "disk", {
  web: "disk-local",
 });
 export const TOKEN_MEMORY = new StateDefinition("token", "memory");
-export const DEVICE_TRUST_DISK_LOCAL = new StateDefinition("deviceTrust", "disk", {
-  web: "disk-local",
-});
+export const TWO_FACTOR_MEMORY = new StateDefinition("twoFactor", "memory");
 export const USER_DECRYPTION_OPTIONS_DISK = new StateDefinition("userDecryptionOptions", "disk");

 // Autofill