diff --git a/.github/workflows/build-browser.yml b/.github/workflows/build-browser.yml
index b1242ee23ed..5e64dc35875 100644
--- a/.github/workflows/build-browser.yml
+++ b/.github/workflows/build-browser.yml
@@ -149,7 +149,11 @@ jobs:
           FILES=$(find . -maxdepth 1 -type f)
           for FILE in $FILES; do cp "$FILE" browser-source/; done
 
-          # Copy apps/browser to Browser source directory
+          # Copy patches to the Browser source directory
+          mkdir -p browser-source/patches
+          cp -r patches/* browser-source/patches
+
+          # Copy apps/browser to the Browser source directory
           mkdir -p browser-source/apps/browser
           cp -r apps/browser/* browser-source/apps/browser
 
diff --git a/.github/workflows/chromatic.yml b/.github/workflows/chromatic.yml
index e47a2f40f53..7f6d5cc11c4 100644
--- a/.github/workflows/chromatic.yml
+++ b/.github/workflows/chromatic.yml
@@ -37,7 +37,7 @@ jobs:
         run: npm run build-storybook:ci
 
       - name: Publish to Chromatic
-        uses: chromaui/action@44caff7e88d584b04f79f04e31e819f9a95d4d8f
+        uses: chromaui/action@a45a922b9a7522a4cbb59a7bb7b288a768968924
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
           projectToken: ${{ secrets.CHROMATIC_PROJECT_TOKEN }}
diff --git a/.github/workflows/release-desktop.yml b/.github/workflows/release-desktop.yml
index 22b76f46408..3dbc08f9859 100644
--- a/.github/workflows/release-desktop.yml
+++ b/.github/workflows/release-desktop.yml
@@ -56,7 +56,7 @@ jobs:
         uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
 
       - name: Branch check
-        if: ${{ inputs.release_type != 'Dry Run' }}
+        if: ${{ github.event.inputs.release_type != 'Dry Run' }}
         run: |
           if [[ "$GITHUB_REF" != "refs/heads/rc" ]] && [[ "$GITHUB_REF" != "refs/heads/hotfix-rc-desktop" ]]; then
             echo "==================================="
@@ -93,7 +93,7 @@ jobs:
           esac
 
       - name: Create GitHub deployment
-        if: ${{ inputs.release_type != 'Dry Run' }}
+        if: ${{ github.event.inputs.release_type != 'Dry Run' }}
         uses: chrnorm/deployment-action@d42cde7132fcec920de534fffc3be83794335c00 # v2.0.5
         id: deployment
         with:
@@ -122,7 +122,7 @@ jobs:
             cf-prod-account"
 
       - name: Download all artifacts
-        if: ${{ inputs.release_type != 'Dry Run' }}
+        if: ${{ github.event.inputs.release_type != 'Dry Run' }}
         uses: bitwarden/gh-actions/download-artifacts@67ab95d7a466bcefdedf3f93cbc10bcff436edfe
         with:
           workflow: build-desktop.yml
@@ -131,7 +131,7 @@ jobs:
           path: apps/desktop/artifacts
 
       - name: Dry Run - Download all artifacts
-        if: ${{ inputs.release_type == 'Dry Run' }}
+        if: ${{ github.event.inputs.release_type == 'Dry Run' }}
         uses: bitwarden/gh-actions/download-artifacts@67ab95d7a466bcefdedf3f93cbc10bcff436edfe
         with:
           workflow: build-desktop.yml
@@ -146,7 +146,7 @@ jobs:
         run: mv Bitwarden-${{ env.PKG_VERSION }}-universal.pkg Bitwarden-${{ env.PKG_VERSION }}-universal.pkg.archive
 
       - name: Set staged rollout percentage
-        if: ${{ inputs.electron_publish == 'true' }}
+        if: ${{ github.event.inputs.electron_publish == 'true' }}
         env:
           RELEASE_CHANNEL: ${{ steps.release-channel.outputs.channel }}
           ROLLOUT_PCT: ${{ inputs.rollout_percentage }}
@@ -156,7 +156,7 @@ jobs:
           echo "stagingPercentage: ${ROLLOUT_PCT}" >> apps/desktop/artifacts/${RELEASE_CHANNEL}-mac.yml
 
       - name: Publish artifacts to S3
-        if: ${{ inputs.release_type != 'Dry Run' && inputs.electron_publish == 'true' }}
+        if: ${{ github.event.inputs.release_type != 'Dry Run' && github.event.inputs.electron_publish == 'true' }}
         env:
           AWS_ACCESS_KEY_ID: ${{ steps.retrieve-secrets.outputs.aws-electron-access-id }}
           AWS_SECRET_ACCESS_KEY: ${{ steps.retrieve-secrets.outputs.aws-electron-access-key }}
@@ -170,7 +170,7 @@ jobs:
           --quiet
 
       - name: Publish artifacts to R2
-        if: ${{ inputs.release_type != 'Dry Run' && inputs.electron_publish == 'true' }}
+        if: ${{ github.event.inputs.release_type != 'Dry Run' && github.event.inputs.electron_publish == 'true' }}
         env:
           AWS_ACCESS_KEY_ID: ${{ steps.retrieve-secrets.outputs.r2-electron-access-id }}
           AWS_SECRET_ACCESS_KEY: ${{ steps.retrieve-secrets.outputs.r2-electron-access-key }}
@@ -192,7 +192,7 @@ jobs:
 
       - name: Create Release
         uses: ncipollo/release-action@a2e71bdd4e7dab70ca26a852f29600c98b33153e # v1.12.0
-        if: ${{ steps.release-channel.outputs.channel == 'latest' && inputs.release_type != 'Dry Run' && inputs.github_release == 'true' }}
+        if: ${{ steps.release-channel.outputs.channel == 'latest' && github.event.inputs.release_type != 'Dry Run' && github.event.inputs.github_release == 'true' }}
         env:
           PKG_VERSION: ${{ steps.version.outputs.version }}
           RELEASE_CHANNEL: ${{ steps.release-channel.outputs.channel }}
@@ -230,7 +230,7 @@ jobs:
           draft: true
 
       - name: Update deployment status to Success
-        if: ${{ inputs.release_type != 'Dry Run' && success() }}
+        if: ${{ github.event.inputs.release_type != 'Dry Run' && success() }}
         uses: chrnorm/deployment-status@2afb7d27101260f4a764219439564d954d10b5b0 # v2.0.1
         with:
           token: '${{ secrets.GITHUB_TOKEN }}'
@@ -238,7 +238,7 @@ jobs:
           deployment-id: ${{ steps.deployment.outputs.deployment_id }}
 
       - name: Update deployment status to Failure
-        if: ${{ inputs.release_type != 'Dry Run' && failure() }}
+        if: ${{ github.event.inputs.release_type != 'Dry Run' && failure() }}
         uses: chrnorm/deployment-status@2afb7d27101260f4a764219439564d954d10b5b0 # v2.0.1
         with:
           token: '${{ secrets.GITHUB_TOKEN }}'
@@ -249,7 +249,7 @@ jobs:
     name: Deploy Snap
     runs-on: ubuntu-22.04
     needs: setup
-    if: ${{ inputs.snap_publish == 'true' }}
+    if: ${{ github.event.inputs.snap_publish == 'true' }}
     env:
       _PKG_VERSION: ${{ needs.setup.outputs.release-version }}
     steps:
@@ -278,7 +278,7 @@ jobs:
         working-directory: apps/desktop
 
       - name: Download Snap artifact
-        if: ${{ inputs.release_type != 'Dry Run' }}
+        if: ${{ github.event.inputs.release_type != 'Dry Run' }}
         uses: bitwarden/gh-actions/download-artifacts@67ab95d7a466bcefdedf3f93cbc10bcff436edfe
         with:
           workflow: build-desktop.yml
@@ -288,7 +288,7 @@ jobs:
           path: apps/desktop/dist
 
       - name: Dry Run - Download Snap artifact
-        if: ${{ inputs.release_type == 'Dry Run' }}
+        if: ${{ github.event.inputs.release_type == 'Dry Run' }}
         uses: bitwarden/gh-actions/download-artifacts@67ab95d7a466bcefdedf3f93cbc10bcff436edfe
         with:
           workflow: build-desktop.yml
@@ -298,7 +298,7 @@ jobs:
           path: apps/desktop/dist
 
       - name: Deploy to Snap Store
-        if: ${{ inputs.release_type != 'Dry Run' }}
+        if: ${{ github.event.inputs.release_type != 'Dry Run' }}
         env:
           SNAPCRAFT_STORE_CREDENTIALS: ${{ steps.retrieve-secrets.outputs.snapcraft-store-token }}
         run: |
@@ -310,7 +310,7 @@ jobs:
     name: Deploy Choco
     runs-on: windows-2019
     needs: setup
-    if: ${{ inputs.choco_publish == 'true' }}
+    if: ${{ github.event.inputs.choco_publish == 'true' }}
     env:
       _PKG_VERSION: ${{ needs.setup.outputs.release-version }}
     steps:
@@ -346,7 +346,7 @@ jobs:
         working-directory: apps/desktop
 
       - name: Download choco artifact
-        if: ${{ inputs.release_type != 'Dry Run' }}
+        if: ${{ github.event.inputs.release_type != 'Dry Run' }}
         uses: bitwarden/gh-actions/download-artifacts@67ab95d7a466bcefdedf3f93cbc10bcff436edfe
         with:
           workflow: build-desktop.yml
@@ -356,7 +356,7 @@ jobs:
           path: apps/desktop/dist
 
       - name: Dry Run - Download choco artifact
-        if: ${{ inputs.release_type == 'Dry Run' }}
+        if: ${{ github.event.inputs.release_type == 'Dry Run' }}
         uses: bitwarden/gh-actions/download-artifacts@67ab95d7a466bcefdedf3f93cbc10bcff436edfe
         with:
           workflow: build-desktop.yml
@@ -366,7 +366,7 @@ jobs:
           path: apps/desktop/dist
 
       - name: Push to Chocolatey
-        if: ${{ inputs.release_type != 'Dry Run' }}
+        if: ${{ github.event.inputs.release_type != 'Dry Run' }}
         shell: pwsh
         run: choco push --source=https://push.chocolatey.org/
         working-directory: apps/desktop/dist
diff --git a/.github/workflows/version-bump.yml b/.github/workflows/version-bump.yml
index 563facdb40c..c650e42ecf4 100644
--- a/.github/workflows/version-bump.yml
+++ b/.github/workflows/version-bump.yml
@@ -1,5 +1,6 @@
 ---
 name: Version Bump
+run-name: Version Bump - ${{ github.ref_name }}
 
 on:
   workflow_dispatch:
@@ -96,6 +97,26 @@ jobs:
       ########################
 
       ### Browser
+      - name: Browser - Verify input version
+        if: ${{ inputs.bump_browser == true }}
+        env:
+          NEW_VERSION: ${{ inputs.version_number }}  
+        run: |
+          CURRENT_VERSION=$(cat package.json | jq -r '.version')
+
+          # Error if version has not changed.
+          if [[ "$NEW_VERSION" == "$CURRENT_VERSION" ]]; then
+            echo "Version has not changed."
+            exit 1
+          fi
+
+          # Check if version is newer.
+          printf '%s\n' "${CURRENT_VERSION}" "${NEW_VERSION}" | sort -C -V
+          if [ $? -eq 0 ]; then 
+            echo "Version check successful." 
+          fi
+        working-directory: apps/browser
+
       - name: Bump Browser Version
         if: ${{ inputs.bump_browser == true }}
         env:
@@ -124,6 +145,26 @@ jobs:
           prettier --write apps/browser/src/manifest.v3.json
 
       ### CLI
+      - name: CLI - Verify input version
+        if: ${{ inputs.bump_cli == true }}
+        env:
+          NEW_VERSION: ${{ inputs.version_number }}  
+        run: |
+          CURRENT_VERSION=$(cat package.json | jq -r '.version')
+
+          # Error if version has not changed.
+          if [[ "$NEW_VERSION" == "$CURRENT_VERSION" ]]; then
+            echo "Version has not changed."
+            exit 1
+          fi
+
+          # Check if version is newer.
+          printf '%s\n' "${CURRENT_VERSION}" "${NEW_VERSION}" | sort -C -V
+          if [ $? -eq 0 ]; then 
+            echo "Version check successful." 
+          fi
+        working-directory: apps/cli
+
       - name: Bump CLI Version
         if: ${{ inputs.bump_cli == true }}
         env:
@@ -131,6 +172,26 @@ jobs:
         run: npm version --workspace=@bitwarden/cli ${VERSION}
 
       ### Desktop
+      - name: Desktop - Verify input version
+        if: ${{ inputs.bump_desktop == true }}
+        env:
+          NEW_VERSION: ${{ inputs.version_number }}  
+        run: |
+          CURRENT_VERSION=$(cat package.json | jq -r '.version')
+
+          # Error if version has not changed.
+          if [[ "$NEW_VERSION" == "$CURRENT_VERSION" ]]; then
+            echo "Version has not changed."
+            exit 1
+          fi
+
+          # Check if version is newer.
+          printf '%s\n' "${CURRENT_VERSION}" "${NEW_VERSION}" | sort -C -V
+          if [ $? -eq 0 ]; then 
+            echo "Version check successful." 
+          fi
+        working-directory: apps/desktop
+
       - name: Bump Desktop Version - Root
         if: ${{ inputs.bump_desktop == true }}
         env:
@@ -145,6 +206,26 @@ jobs:
         working-directory: "apps/desktop/src"
 
       ### Web
+      - name: Web - Verify input version
+        if: ${{ inputs.bump_web == true }}
+        env:
+          NEW_VERSION: ${{ inputs.version_number }}  
+        run: |
+          CURRENT_VERSION=$(cat package.json | jq -r '.version')
+
+          # Error if version has not changed.
+          if [[ "$NEW_VERSION" == "$CURRENT_VERSION" ]]; then
+            echo "Version has not changed."
+            exit 1
+          fi
+
+          # Check if version is newer.
+          printf '%s\n' "${CURRENT_VERSION}" "${NEW_VERSION}" | sort -C -V
+          if [ $? -eq 0 ]; then 
+            echo "Version check successful." 
+          fi
+        working-directory: apps/web
+
       - name: Bump Web Version
         if: ${{ inputs.bump_web == true }}
         env:
@@ -176,13 +257,13 @@ jobs:
         run: git commit -m "Bumped ${CLIENT} version to ${VERSION}" -a
 
       - name: Push changes
-        if: ${{ steps.version-changed.outputs.changes_to_commit == 'TRUE' }}
+        if: ${{ (github.ref == 'refs/heads/master') && (steps.version-changed.outputs.changes_to_commit == 'TRUE') }}
         env:
           BRANCH: ${{ steps.branch.outputs.branch }}
         run: git push -u origin ${BRANCH}
 
       - name: Create Bump Version PR
-        if: ${{ steps.version-changed.outputs.changes_to_commit == 'TRUE' }}
+        if: ${{ (github.ref == 'refs/heads/master') && (steps.version-changed.outputs.changes_to_commit == 'TRUE') }}
         env:
           BASE_BRANCH: master
           BRANCH: ${{ steps.branch.outputs.branch }}
diff --git a/apps/browser/package.json b/apps/browser/package.json
index cec3a9caab1..fb7b8ad19bf 100644
--- a/apps/browser/package.json
+++ b/apps/browser/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@bitwarden/browser",
-  "version": "2023.8.3",
+  "version": "2023.9.1",
   "scripts": {
     "build": "webpack",
     "build:mv3": "cross-env MANIFEST_VERSION=3 webpack",
diff --git a/apps/browser/src/_locales/az/messages.json b/apps/browser/src/_locales/az/messages.json
index 774ca11ecf0..b83fb91390e 100644
--- a/apps/browser/src/_locales/az/messages.json
+++ b/apps/browser/src/_locales/az/messages.json
@@ -1992,7 +1992,7 @@
     "message": "Şəxsi anbarın ixracı"
   },
   "exportingIndividualVaultDescription": {
-    "message": "Only the individual vault items associated with $EMAIL$ will be exported. Organization vault items will not be included. Only vault item information will be exported and will not include associated attachments.",
+    "message": "Yalnız $EMAIL$ ilə əlaqələndirilmiş fərdi anbar elementləri xaricə köçürüləcək. Təşkilat anbar elementləri daxil edilməyəcək. Yalnız anbar element məlumatları xaricə köçürüləcək və əlaqələndirilmiş qoşmalar daxil edilməyəcək.",
     "placeholders": {
       "email": {
         "content": "$1",
diff --git a/apps/browser/src/_locales/ca/messages.json b/apps/browser/src/_locales/ca/messages.json
index 08bef1a50c4..6bd4d028b41 100644
--- a/apps/browser/src/_locales/ca/messages.json
+++ b/apps/browser/src/_locales/ca/messages.json
@@ -1992,7 +1992,7 @@
     "message": "S'està exportant la caixa forta personal"
   },
   "exportingIndividualVaultDescription": {
-    "message": "Only the individual vault items associated with $EMAIL$ will be exported. Organization vault items will not be included. Only vault item information will be exported and will not include associated attachments.",
+    "message": "Només s'exportaran els elements de la caixa forta individuals associats a $EMAIL$. Els elements de la caixa de l'organització no s'inclouran. Només s'exportarà la informació de l'element de la caixa forta i no inclourà els fitxers adjunts associats.",
     "placeholders": {
       "email": {
         "content": "$1",
diff --git a/apps/browser/src/_locales/el/messages.json b/apps/browser/src/_locales/el/messages.json
index fc1c858e7db..a292bf175c3 100644
--- a/apps/browser/src/_locales/el/messages.json
+++ b/apps/browser/src/_locales/el/messages.json
@@ -44,7 +44,7 @@
     "message": "Η υπόδειξη του κύριου κωδικού μπορεί να σας βοηθήσει να θυμηθείτε τον κωδικό σας, σε περίπτωση που τον ξεχάσετε."
   },
   "reTypeMasterPass": {
-    "message": "Εισάγετε Ξανά τον Κύριο Κωδικό σας"
+    "message": "Εισάγετε ξανά τον Κύριο Κωδικό"
   },
   "masterPassHint": {
     "message": "Υπόδειξη Κύριου Κωδικού (προαιρετικό)"
@@ -997,7 +997,7 @@
     "message": "Μπορείτε να απενεργοποιήσετε την αυτόματη συμπλήρωση φόρτωσης σελίδας για μεμονωμένα στοιχεία σύνδεσης από την προβολή Επεξεργασία στοιχείου."
   },
   "itemAutoFillOnPageLoad": {
-    "message": "Αυτόματη συμπλήρωση της Φόρτισης Σελίδας (αν είναι ενεργοποιημένη στις Επιλογές)"
+    "message": "Αυτόματη συμπλήρωση κατά τη φόρτωση της σελίδας (αν έχει ενεργοποιηθεί στις Ρυθμίσεις)"
   },
   "autoFillOnPageLoadUseDefault": {
     "message": "Χρήση προεπιλεγμένης ρύθμισης"
diff --git a/apps/browser/src/_locales/en/messages.json b/apps/browser/src/_locales/en/messages.json
index e074e034412..4b15ef44e8a 100644
--- a/apps/browser/src/_locales/en/messages.json
+++ b/apps/browser/src/_locales/en/messages.json
@@ -771,8 +771,8 @@
   "featureUnavailable": {
     "message": "Feature unavailable"
   },
-  "updateKey": {
-    "message": "You cannot use this feature until you update your encryption key."
+  "encryptionKeyMigrationRequired": {
+    "message": "Encryption key migration required. Please login through the web vault to update your encryption key."
   },
   "premiumMembership": {
     "message": "Premium membership"
diff --git a/apps/browser/src/_locales/hi/messages.json b/apps/browser/src/_locales/hi/messages.json
index 697f04154ce..5fafd94ccf8 100644
--- a/apps/browser/src/_locales/hi/messages.json
+++ b/apps/browser/src/_locales/hi/messages.json
@@ -1992,7 +1992,7 @@
     "message": "Exporting individual vault"
   },
   "exportingIndividualVaultDescription": {
-    "message": "Only the individual vault items associated with $EMAIL$ will be exported. Organization vault items will not be included. Only vault item information will be exported and will not include associated attachments.",
+    "message": "केवल $EMAIL$ से संबद्ध, व्यक्तिगत वॉल्ट वस्तुएँ निर्यात की जाएंगी. संगठन वॉल्ट वस्तुएँ शामिल नहीं की जाएंगी. केवल वॉल्ट वस्तुओं की जानकारी निर्यात की जाएगी और इसमें संबंधित अनुलग्नक शामिल नहीं होंगे.",
     "placeholders": {
       "email": {
         "content": "$1",
diff --git a/apps/browser/src/_locales/sr/messages.json b/apps/browser/src/_locales/sr/messages.json
index 72d99fcecce..be561aad7c3 100644
--- a/apps/browser/src/_locales/sr/messages.json
+++ b/apps/browser/src/_locales/sr/messages.json
@@ -1992,7 +1992,7 @@
     "message": "Извоз личног сефа"
   },
   "exportingIndividualVaultDescription": {
-    "message": "Only the individual vault items associated with $EMAIL$ will be exported. Organization vault items will not be included. Only vault item information will be exported and will not include associated attachments.",
+    "message": "Само појединачне ставке сефа повезане са $EMAIL$ ће бити извењене. Ставке организационог сефа неће бити укључене. Само информације о ставкама из сефа ће бити извезене и неће укључивати повезане прилоге.",
     "placeholders": {
       "email": {
         "content": "$1",
diff --git a/apps/browser/src/_locales/zh_CN/messages.json b/apps/browser/src/_locales/zh_CN/messages.json
index 5325ef6a4f1..64df3ec8778 100644
--- a/apps/browser/src/_locales/zh_CN/messages.json
+++ b/apps/browser/src/_locales/zh_CN/messages.json
@@ -751,7 +751,7 @@
     "message": "附件已删除"
   },
   "newAttachment": {
-    "message": "添加新的附件"
+    "message": "添加新附件"
   },
   "noAttachments": {
     "message": "没有附件。"
@@ -853,7 +853,7 @@
     "message": "请输入您的验证器应用中的 6 位验证码。"
   },
   "enterVerificationCodeEmail": {
-    "message": "请输入通过电子邮件发送给 $EMAIL$ 的 6 位验证码。",
+    "message": "请输入发送给电子邮件 $EMAIL$ 的 6 位数验证码。",
     "placeholders": {
       "email": {
         "content": "$1",
@@ -1036,7 +1036,7 @@
     "message": "值"
   },
   "newCustomField": {
-    "message": "新建自定义字段"
+    "message": "新增自定义字段"
   },
   "dragToSort": {
     "message": "拖动排序"
@@ -1059,7 +1059,7 @@
     "description": "This describes a value that is 'linked' (tied) to another value."
   },
   "popup2faCloseMessage": {
-    "message": "如果您点击弹窗外的任何区域，将导致弹窗关闭。您想在新窗口中打开此弹窗，以便它不会关闭吗？"
+    "message": "如果您点击弹窗外的区域以检查您的验证码电子邮件，将导致弹窗关闭。您想在新窗口中打开此弹窗，以便它不会关闭吗？"
   },
   "popupU2fCloseMessage": {
     "message": "此浏览器无法处理此弹出窗口中的 U2F 请求。您想要在新窗口中打开此弹出窗口吗？"
@@ -1182,7 +1182,7 @@
     "message": "许可证号码"
   },
   "email": {
-    "message": "Email"
+    "message": "电子邮件"
   },
   "phone": {
     "message": "电话"
@@ -1615,7 +1615,7 @@
     "message": "未提供权限"
   },
   "nativeMessaginPermissionErrorDesc": {
-    "message": "没有与 Bitwarden 桌面应用程序通信的权限，我们无法在浏览器扩展中提供生物识别。请再试一次。"
+    "message": "没有与 Bitwarden 桌面应用程序通信的权限，我们无法在浏览器扩展中提供生物识别。请重试。"
   },
   "nativeMessaginPermissionSidebarTitle": {
     "message": "权限请求错误"
@@ -1896,7 +1896,7 @@
     "message": "选择文件夹..."
   },
   "ssoCompleteRegistration": {
-    "message": "要完成 SSO 登陆配置，请设置一个主密码以访问和保护您的密码库。"
+    "message": "要完成 SSO 登录配置，请设置一个主密码以访问和保护您的密码库。"
   },
   "hours": {
     "message": "小时"
@@ -1986,13 +1986,13 @@
     "message": "字符计数开关"
   },
   "sessionTimeout": {
-    "message": "您的会话已超时。请返回并尝试重新登录。"
+    "message": "您的会话已超时。请返回然后尝试重新登录。"
   },
   "exportingPersonalVaultTitle": {
     "message": "导出个人密码库"
   },
   "exportingIndividualVaultDescription": {
-    "message": "Only the individual vault items associated with $EMAIL$ will be exported. Organization vault items will not be included. Only vault item information will be exported and will not include associated attachments.",
+    "message": "仅会导出与 $EMAIL$ 关联的个人密码库项目，不包括组织密码库项目。仅会导出密码库项目信息，不包括关联的附件。",
     "placeholders": {
       "email": {
         "content": "$1",
@@ -2117,7 +2117,7 @@
     }
   },
   "loginWithMasterPassword": {
-    "message": "使用主密码登录"
+    "message": "主密码登录"
   },
   "loggingInAs": {
     "message": "正登录为"
diff --git a/apps/browser/src/auth/popup/home.component.html b/apps/browser/src/auth/popup/home.component.html
index da208a8d50c..6b42033c4bc 100644
--- a/apps/browser/src/auth/popup/home.component.html
+++ b/apps/browser/src/auth/popup/home.component.html
@@ -9,7 +9,7 @@
             <label for="email">{{ "emailAddress" | i18n }}</label>
             <input id="email" type="email" formControlName="email" appInputVerbatim="false" />
           </div>
-          <environment-selector class="environment-selector-padding"></environment-selector>
+          <environment-selector></environment-selector>
           <div class="remember-email-check">
             <input
               id="rememberEmail"
diff --git a/apps/browser/src/autofill/browser/context-menu-clicked-handler.ts b/apps/browser/src/autofill/browser/context-menu-clicked-handler.ts
index a6bff50a195..62c6c9c25a4 100644
--- a/apps/browser/src/autofill/browser/context-menu-clicked-handler.ts
+++ b/apps/browser/src/autofill/browser/context-menu-clicked-handler.ts
@@ -189,7 +189,7 @@ export class ContextMenuClickedHandler {
       // we are actually unlocked we will do our best to find a good match of an item to autofill this is useful
       // in scenarios like unlock on autofill
       const ciphers = await this.cipherService.getAllDecryptedForUrl(tab.url);
-      cipher = ciphers.find((c) => c.reprompt === CipherRepromptType.None);
+      cipher = ciphers[0];
     } else {
       const ciphers = await this.cipherService.getAllDecrypted();
       cipher = ciphers.find((c) => c.id === id);
diff --git a/apps/browser/src/autofill/content/autofill.js b/apps/browser/src/autofill/content/autofill.js
index 1833c09e159..2f3857d3fa8 100644
--- a/apps/browser/src/autofill/content/autofill.js
+++ b/apps/browser/src/autofill/content/autofill.js
@@ -986,13 +986,18 @@
           styleTimeout = 200;
 
       /**
-       * Fll an element `el` using the value `op` from the fill script
+       * Fill an element `el` using the value `op` from the fill script
        * @param {HTMLElement} el
        * @param {string} op
        */
       function fillTheElement(el, op) {
           var shouldCheck;
           if (el && null !== op && void 0 !== op && !(el.disabled || el.a || el.readOnly)) {
+              const tabURLChanged = !fillScript.savedUrls?.some(url => url.startsWith(window.location.origin))
+              // Check to make sure the page location didn't change
+              if (tabURLChanged) {
+                return;
+              }
               switch (markTheFilling && el.form && !el.form.opfilled && (el.form.opfilled = true),
               el.type ? el.type.toLowerCase() : null) {
                   case 'checkbox':
diff --git a/apps/browser/src/autofill/services/autofill.service.spec.ts b/apps/browser/src/autofill/services/autofill.service.spec.ts
index 5fc4b76c4ca..e6a629cfc9d 100644
--- a/apps/browser/src/autofill/services/autofill.service.spec.ts
+++ b/apps/browser/src/autofill/services/autofill.service.spec.ts
@@ -75,7 +75,7 @@ describe("AutofillService", () => {
     const autofillV1Script = "autofill.js";
     const autofillV2Script = "autofill-init.js";
     const defaultAutofillScripts = ["autofiller.js", "notificationBar.js", "contextMenuHandler.js"];
-    const defaultExecuteScriptOptions = { allFrames: true, runAt: "document_start" };
+    const defaultExecuteScriptOptions = { runAt: "document_start" };
     let tabMock: chrome.tabs.Tab;
     let sender: chrome.runtime.MessageSender;
 
@@ -91,11 +91,13 @@ describe("AutofillService", () => {
       [autofillV1Script, ...defaultAutofillScripts].forEach((scriptName) => {
         expect(BrowserApi.executeScriptInTab).toHaveBeenCalledWith(tabMock.id, {
           file: `content/${scriptName}`,
+          frameId: sender.frameId,
           ...defaultExecuteScriptOptions,
         });
       });
       expect(BrowserApi.executeScriptInTab).not.toHaveBeenCalledWith(tabMock.id, {
         file: `content/${autofillV2Script}`,
+        frameId: sender.frameId,
         ...defaultExecuteScriptOptions,
       });
     });
diff --git a/apps/browser/src/autofill/services/autofill.service.ts b/apps/browser/src/autofill/services/autofill.service.ts
index dc2a4918c3b..fcf4dffd4aa 100644
--- a/apps/browser/src/autofill/services/autofill.service.ts
+++ b/apps/browser/src/autofill/services/autofill.service.ts
@@ -62,7 +62,7 @@ export default class AutofillService implements AutofillServiceInterface {
     for (const injectedScript of injectedScripts) {
       await BrowserApi.executeScriptInTab(sender.tab.id, {
         file: `content/${injectedScript}`,
-        allFrames: true,
+        frameId: sender.frameId,
         runAt: "document_start",
       });
     }
diff --git a/apps/browser/src/autofill/services/insert-autofill-content.service.spec.ts b/apps/browser/src/autofill/services/insert-autofill-content.service.spec.ts
index 828d768ca25..0ab74875fbf 100644
--- a/apps/browser/src/autofill/services/insert-autofill-content.service.spec.ts
+++ b/apps/browser/src/autofill/services/insert-autofill-content.service.spec.ts
@@ -108,6 +108,7 @@ describe("InsertAutofillContentService", () => {
       jest.spyOn(insertAutofillContentService as any, "fillingWithinSandboxedIframe");
       jest.spyOn(insertAutofillContentService as any, "userCancelledInsecureUrlAutofill");
       jest.spyOn(insertAutofillContentService as any, "userCancelledUntrustedIframeAutofill");
+      jest.spyOn(insertAutofillContentService as any, "tabURLChanged");
       jest.spyOn(insertAutofillContentService as any, "runFillScriptAction");
 
       insertAutofillContentService.fillForm(fillScript);
@@ -119,6 +120,7 @@ describe("InsertAutofillContentService", () => {
       expect(
         insertAutofillContentService["userCancelledUntrustedIframeAutofill"]
       ).not.toHaveBeenCalled();
+      expect(insertAutofillContentService["tabURLChanged"]).not.toHaveBeenCalled();
       expect(insertAutofillContentService["runFillScriptAction"]).not.toHaveBeenCalled();
     });
 
@@ -128,6 +130,7 @@ describe("InsertAutofillContentService", () => {
         .mockReturnValue(true);
       jest.spyOn(insertAutofillContentService as any, "userCancelledInsecureUrlAutofill");
       jest.spyOn(insertAutofillContentService as any, "userCancelledUntrustedIframeAutofill");
+      jest.spyOn(insertAutofillContentService as any, "tabURLChanged");
       jest.spyOn(insertAutofillContentService as any, "runFillScriptAction");
 
       insertAutofillContentService.fillForm(fillScript);
@@ -139,6 +142,7 @@ describe("InsertAutofillContentService", () => {
       expect(
         insertAutofillContentService["userCancelledUntrustedIframeAutofill"]
       ).not.toHaveBeenCalled();
+      expect(insertAutofillContentService["tabURLChanged"]).not.toHaveBeenCalled();
       expect(insertAutofillContentService["runFillScriptAction"]).not.toHaveBeenCalled();
     });
 
@@ -150,6 +154,7 @@ describe("InsertAutofillContentService", () => {
         .spyOn(insertAutofillContentService as any, "userCancelledInsecureUrlAutofill")
         .mockReturnValue(true);
       jest.spyOn(insertAutofillContentService as any, "userCancelledUntrustedIframeAutofill");
+      jest.spyOn(insertAutofillContentService as any, "tabURLChanged");
       jest.spyOn(insertAutofillContentService as any, "runFillScriptAction");
 
       insertAutofillContentService.fillForm(fillScript);
@@ -159,6 +164,7 @@ describe("InsertAutofillContentService", () => {
       expect(
         insertAutofillContentService["userCancelledUntrustedIframeAutofill"]
       ).not.toHaveBeenCalled();
+      expect(insertAutofillContentService["tabURLChanged"]).not.toHaveBeenCalled();
       expect(insertAutofillContentService["runFillScriptAction"]).not.toHaveBeenCalled();
     });
 
@@ -172,6 +178,7 @@ describe("InsertAutofillContentService", () => {
       jest
         .spyOn(insertAutofillContentService as any, "userCancelledUntrustedIframeAutofill")
         .mockReturnValue(true);
+      jest.spyOn(insertAutofillContentService as any, "tabURLChanged").mockReturnValue(false);
       jest.spyOn(insertAutofillContentService as any, "runFillScriptAction");
 
       insertAutofillContentService.fillForm(fillScript);
@@ -181,6 +188,31 @@ describe("InsertAutofillContentService", () => {
       expect(
         insertAutofillContentService["userCancelledUntrustedIframeAutofill"]
       ).toHaveBeenCalled();
+      expect(insertAutofillContentService["tabURLChanged"]).not.toHaveBeenCalled();
+      expect(insertAutofillContentService["runFillScriptAction"]).not.toHaveBeenCalled();
+    });
+
+    it("returns early if the page location origin does not match against any of the cipher saved URLs", () => {
+      jest
+        .spyOn(insertAutofillContentService as any, "fillingWithinSandboxedIframe")
+        .mockReturnValue(false);
+      jest
+        .spyOn(insertAutofillContentService as any, "userCancelledInsecureUrlAutofill")
+        .mockReturnValue(false);
+      jest
+        .spyOn(insertAutofillContentService as any, "userCancelledUntrustedIframeAutofill")
+        .mockReturnValue(false);
+      jest.spyOn(insertAutofillContentService as any, "tabURLChanged").mockReturnValue(true);
+      jest.spyOn(insertAutofillContentService as any, "runFillScriptAction");
+
+      insertAutofillContentService.fillForm(fillScript);
+
+      expect(insertAutofillContentService["fillingWithinSandboxedIframe"]).toHaveBeenCalled();
+      expect(insertAutofillContentService["userCancelledInsecureUrlAutofill"]).toHaveBeenCalled();
+      expect(
+        insertAutofillContentService["userCancelledUntrustedIframeAutofill"]
+      ).toHaveBeenCalled();
+      expect(insertAutofillContentService["tabURLChanged"]).toHaveBeenCalled();
       expect(insertAutofillContentService["runFillScriptAction"]).not.toHaveBeenCalled();
     });
 
@@ -194,6 +226,7 @@ describe("InsertAutofillContentService", () => {
       jest
         .spyOn(insertAutofillContentService as any, "userCancelledUntrustedIframeAutofill")
         .mockReturnValue(false);
+      jest.spyOn(insertAutofillContentService as any, "tabURLChanged").mockReturnValue(false);
       jest.spyOn(insertAutofillContentService as any, "runFillScriptAction");
 
       insertAutofillContentService.fillForm(fillScript);
@@ -203,6 +236,7 @@ describe("InsertAutofillContentService", () => {
       expect(
         insertAutofillContentService["userCancelledUntrustedIframeAutofill"]
       ).toHaveBeenCalled();
+      expect(insertAutofillContentService["tabURLChanged"]).toHaveBeenCalled();
       expect(insertAutofillContentService["runFillScriptAction"]).toHaveBeenCalledTimes(3);
       expect(insertAutofillContentService["runFillScriptAction"]).toHaveBeenNthCalledWith(
         1,
diff --git a/apps/browser/src/autofill/services/insert-autofill-content.service.ts b/apps/browser/src/autofill/services/insert-autofill-content.service.ts
index 89f644ba6be..4e47e73704b 100644
--- a/apps/browser/src/autofill/services/insert-autofill-content.service.ts
+++ b/apps/browser/src/autofill/services/insert-autofill-content.service.ts
@@ -38,7 +38,8 @@ class InsertAutofillContentService implements InsertAutofillContentServiceInterf
       !fillScript.script?.length ||
       this.fillingWithinSandboxedIframe() ||
       this.userCancelledInsecureUrlAutofill(fillScript.savedUrls) ||
-      this.userCancelledUntrustedIframeAutofill(fillScript)
+      this.userCancelledUntrustedIframeAutofill(fillScript) ||
+      this.tabURLChanged(fillScript.savedUrls)
     ) {
       return;
     }
@@ -46,6 +47,16 @@ class InsertAutofillContentService implements InsertAutofillContentServiceInterf
     fillScript.script.forEach(this.runFillScriptAction);
   }
 
+  /**
+   * Determines if the page URL no longer matches one of the cipher's savedURL domains
+   * @param {string[] | null} savedUrls
+   * @returns {boolean}
+   * @private
+   */
+  private tabURLChanged(savedUrls?: AutofillScript["savedUrls"]): boolean {
+    return savedUrls && !savedUrls.some((url) => url.startsWith(window.location.origin));
+  }
+
   /**
    * Identifies if the execution of this script is happening
    * within a sandboxed iframe.
diff --git a/apps/browser/src/manifest.json b/apps/browser/src/manifest.json
index a0a9548c7f3..0f21a10a84f 100644
--- a/apps/browser/src/manifest.json
+++ b/apps/browser/src/manifest.json
@@ -2,7 +2,7 @@
   "manifest_version": 2,
   "name": "__MSG_extName__",
   "short_name": "__MSG_appName__",
-  "version": "2023.8.3",
+  "version": "2023.9.1",
   "description": "__MSG_extDesc__",
   "default_locale": "en",
   "author": "Bitwarden Inc.",
diff --git a/apps/browser/src/manifest.v3.json b/apps/browser/src/manifest.v3.json
index af8700066f5..b02d7aec847 100644
--- a/apps/browser/src/manifest.v3.json
+++ b/apps/browser/src/manifest.v3.json
@@ -3,7 +3,7 @@
   "minimum_chrome_version": "102.0",
   "name": "__MSG_extName__",
   "short_name": "__MSG_appName__",
-  "version": "2023.8.3",
+  "version": "2023.9.1",
   "description": "__MSG_extDesc__",
   "default_locale": "en",
   "author": "Bitwarden Inc.",
diff --git a/apps/browser/src/platform/browser/browser-api.ts b/apps/browser/src/platform/browser/browser-api.ts
index d8143859e8f..5ad5ea17317 100644
--- a/apps/browser/src/platform/browser/browser-api.ts
+++ b/apps/browser/src/platform/browser/browser-api.ts
@@ -213,7 +213,10 @@ export class BrowserApi {
     chrome.windows.create({ url, focused, type });
   }
 
+  // Keep track of all the events registered in a Safari popup so we can remove
+  // them when the popup gets unloaded, otherwise we cause a memory leak
   private static registeredMessageListeners: any[] = [];
+  private static registeredStorageChangeListeners: any[] = [];
 
   static messageListener(
     name: string,
@@ -232,21 +235,38 @@ export class BrowserApi {
       }
     );
 
-    // Keep track of all the events registered in a Safari popup so we can remove
-    // them when the popup gets unloaded, otherwise we cause a memory leak
     if (BrowserApi.isSafariApi && !BrowserApi.isBackgroundPage(window)) {
       BrowserApi.registeredMessageListeners.push(callback);
-
-      // The MDN recommend using 'visibilitychange' but that event is fired any time the popup window is obscured as well
-      // 'pagehide' works just like 'unload' but is compatible with the back/forward cache, so we prefer using that one
-      window.onpagehide = () => {
-        for (const callback of BrowserApi.registeredMessageListeners) {
-          chrome.runtime.onMessage.removeListener(callback);
-        }
-      };
+      BrowserApi.setupUnloadListeners();
     }
   }
 
+  static storageChangeListener(
+    callback: Parameters<typeof chrome.storage.onChanged.addListener>[0]
+  ) {
+    chrome.storage.onChanged.addListener(callback);
+
+    if (BrowserApi.isSafariApi && !BrowserApi.isBackgroundPage(window)) {
+      BrowserApi.registeredStorageChangeListeners.push(callback);
+      BrowserApi.setupUnloadListeners();
+    }
+  }
+
+  // Setup the event to destroy all the listeners when the popup gets unloaded in Safari, otherwise we get a memory leak
+  private static setupUnloadListeners() {
+    // The MDN recommend using 'visibilitychange' but that event is fired any time the popup window is obscured as well
+    // 'pagehide' works just like 'unload' but is compatible with the back/forward cache, so we prefer using that one
+    window.onpagehide = () => {
+      for (const callback of BrowserApi.registeredMessageListeners) {
+        chrome.runtime.onMessage.removeListener(callback);
+      }
+
+      for (const callback of BrowserApi.registeredStorageChangeListeners) {
+        chrome.storage.onChanged.removeListener(callback);
+      }
+    };
+  }
+
   static messageListener$() {
     return new Observable<unknown>((subscriber) => {
       const handler = (message: unknown) => {
diff --git a/apps/browser/src/platform/services/browser-state.service.ts b/apps/browser/src/platform/services/browser-state.service.ts
index 5e356e7fbe8..ec6851beb8f 100644
--- a/apps/browser/src/platform/services/browser-state.service.ts
+++ b/apps/browser/src/platform/services/browser-state.service.ts
@@ -14,6 +14,7 @@ import { Account } from "../../models/account";
 import { BrowserComponentState } from "../../models/browserComponentState";
 import { BrowserGroupingsComponentState } from "../../models/browserGroupingsComponentState";
 import { BrowserSendComponentState } from "../../models/browserSendComponentState";
+import { BrowserApi } from "../browser/browser-api";
 import { browserSession, sessionSync } from "../decorators/session-sync-observable";
 
 import { BrowserStateService as StateServiceAbstraction } from "./abstractions/browser-state.service";
@@ -56,7 +57,7 @@ export class BrowserStateService
     // the background page that can get out of sync. We need to work out the
     // best way to handle caching with multiple instances of the state service.
     if (useAccountCache) {
-      chrome.storage.onChanged.addListener((changes, namespace) => {
+      BrowserApi.storageChangeListener((changes, namespace) => {
         if (namespace === "local") {
           for (const key of Object.keys(changes)) {
             if (key !== "accountActivity" && this.accountDiskCache.value[key]) {
diff --git a/apps/browser/src/popup/app.module.ts b/apps/browser/src/popup/app.module.ts
index d5a50687734..b666f55fc9d 100644
--- a/apps/browser/src/popup/app.module.ts
+++ b/apps/browser/src/popup/app.module.ts
@@ -62,7 +62,6 @@ import { PrivateModeWarningComponent } from "./components/private-mode-warning.c
 import { SetPinComponent } from "./components/set-pin.component";
 import { UserVerificationComponent } from "./components/user-verification.component";
 import { ServicesModule } from "./services/services.module";
-import { AboutComponent } from "./settings/about.component";
 import { AutofillComponent } from "./settings/autofill.component";
 import { ExcludedDomainsComponent } from "./settings/excluded-domains.component";
 import { FoldersComponent } from "./settings/folders.component";
@@ -152,7 +151,6 @@ import "../platform/popup/locales";
     ViewCustomFieldsComponent,
     RemovePasswordComponent,
     VaultSelectComponent,
-    AboutComponent,
     Fido2Component,
     HelpAndFeedbackComponent,
     AutofillComponent,
diff --git a/apps/browser/src/popup/scss/environment.scss b/apps/browser/src/popup/scss/environment.scss
index 1ac0f4240bd..f6adba86c2e 100644
--- a/apps/browser/src/popup/scss/environment.scss
+++ b/apps/browser/src/popup/scss/environment.scss
@@ -51,15 +51,11 @@ html.browser_safari {
   color: $text-muted;
   line-height: 25px;
   font-weight: 400;
-  padding-left: 5px;
+  padding-left: 15px;
 
-  label {
+  span {
     font-weight: 600;
-  }
-
-  a,
-  a label:hover {
-    cursor: pointer;
+    font-size: $font-size-small;
   }
 }
 
@@ -91,7 +87,3 @@ html.browser_safari {
     }
   }
 }
-
-.environment-selector-padding {
-  padding-left: 10px;
-}
diff --git a/apps/browser/src/popup/scss/popup.scss b/apps/browser/src/popup/scss/popup.scss
index 7d718b86645..0d7e4281386 100644
--- a/apps/browser/src/popup/scss/popup.scss
+++ b/apps/browser/src/popup/scss/popup.scss
@@ -12,3 +12,4 @@
 @import "environment.scss";
 @import "pages.scss";
 @import "@angular/cdk/overlay-prebuilt.css";
+@import "../../../../../libs/components/src/multi-select/scss/bw.theme";
diff --git a/apps/browser/src/popup/settings/about.component.html b/apps/browser/src/popup/settings/about.component.html
index 24fea4eb9da..b68f592492f 100644
--- a/apps/browser/src/popup/settings/about.component.html
+++ b/apps/browser/src/popup/settings/about.component.html
@@ -1,52 +1,46 @@
-<div class="modal fade" role="dialog" aria-modal="true">
-  <div class="modal-dialog modal-dialog-centered modal-dialog-scrollable" role="document">
-    <div class="modal-content">
-      <div class="modal-body">
-        <p class="text-center">
-          <i class="bwi bwi-shield bwi-3x" aria-hidden="true"></i>
-        </p>
-        <p class="text-center">
-          <b>Bitwarden</b>
-        </p>
-        <p class="text-center">&copy; Bitwarden Inc. 2015-{{ year }}</p>
-        <p class="text-center">{{ "version" | i18n }}: {{ version }}</p>
-        <ng-container *ngIf="serverConfig$ | async as serverConfig">
-          <p class="text-center" *ngIf="isCloud">
-            {{ "serverVersion" | i18n }}: {{ this.serverConfig?.version }}
+<bit-simple-dialog>
+  <div bitDialogIcon>
+    <i class="bwi bwi-shield bwi-3x" aria-hidden="true"></i>
+  </div>
+  <div bitDialogTitle>Bitwarden</div>
+  <div bitDialogContent>
+    <p>&copy; Bitwarden Inc. 2015-{{ year }}</p>
+    <p>{{ "version" | i18n }}: {{ version }}</p>
+    <ng-container *ngIf="serverConfig$ | async as serverConfig">
+      <p *ngIf="isCloud">
+        {{ "serverVersion" | i18n }}: {{ this.serverConfig?.version }}
+        <span *ngIf="!serverConfig.isValid()">
+          ({{ "lastSeenOn" | i18n : (serverConfig.utcDate | date : "mediumDate") }})
+        </span>
+      </p>
+
+      <ng-container *ngIf="!isCloud">
+        <ng-container *ngIf="serverConfig.server">
+          <p>
+            {{ "serverVersion" | i18n }} <small>({{ "thirdParty" | i18n }})</small>:
+            {{ this.serverConfig?.version }}
             <span *ngIf="!serverConfig.isValid()">
               ({{ "lastSeenOn" | i18n : (serverConfig.utcDate | date : "mediumDate") }})
             </span>
           </p>
-
-          <ng-container *ngIf="!isCloud">
-            <ng-container *ngIf="serverConfig.server">
-              <p class="text-center">
-                {{ "serverVersion" | i18n }} <small>({{ "thirdParty" | i18n }})</small>:
-                {{ this.serverConfig?.version }}
-                <span *ngIf="!serverConfig.isValid()">
-                  ({{ "lastSeenOn" | i18n : (serverConfig.utcDate | date : "mediumDate") }})
-                </span>
-              </p>
-              <div class="text-center">
-                <small>{{ "thirdPartyServerMessage" | i18n : serverConfig.server?.name }}</small>
-              </div>
-            </ng-container>
-
-            <p class="text-center" *ngIf="!serverConfig.server">
-              {{ "serverVersion" | i18n }} <small>({{ "selfHostedServer" | i18n }})</small>:
-              {{ this.serverConfig?.version }}
-              <span *ngIf="!serverConfig.isValid()">
-                ({{ "lastSeenOn" | i18n : (serverConfig.utcDate | date : "mediumDate") }})
-              </span>
-            </p>
-          </ng-container>
+          <div>
+            <small>{{ "thirdPartyServerMessage" | i18n : serverConfig.server?.name }}</small>
+          </div>
         </ng-container>
-      </div>
-      <div class="modal-footer">
-        <button type="button" class="btn btn-outline-secondary" data-dismiss="modal">
-          {{ "close" | i18n }}
-        </button>
-      </div>
-    </div>
+
+        <p *ngIf="!serverConfig.server">
+          {{ "serverVersion" | i18n }} <small>({{ "selfHostedServer" | i18n }})</small>:
+          {{ this.serverConfig?.version }}
+          <span *ngIf="!serverConfig.isValid()">
+            ({{ "lastSeenOn" | i18n : (serverConfig.utcDate | date : "mediumDate") }})
+          </span>
+        </p>
+      </ng-container>
+    </ng-container>
   </div>
-</div>
+  <div bitDialogFooter>
+    <button bitButton bitDialogClose buttonType="primary" type="button">
+      {{ "close" | i18n }}
+    </button>
+  </div>
+</bit-simple-dialog>
diff --git a/apps/browser/src/popup/settings/about.component.ts b/apps/browser/src/popup/settings/about.component.ts
index 459dd7850fa..c0c9012f341 100644
--- a/apps/browser/src/popup/settings/about.component.ts
+++ b/apps/browser/src/popup/settings/about.component.ts
@@ -1,25 +1,29 @@
+import { CommonModule } from "@angular/common";
 import { Component } from "@angular/core";
 import { Observable } from "rxjs";
 
+import { JslibModule } from "@bitwarden/angular/jslib.module";
 import { ConfigServiceAbstraction } from "@bitwarden/common/platform/abstractions/config/config.service.abstraction";
 import { ServerConfig } from "@bitwarden/common/platform/abstractions/config/server-config";
 import { EnvironmentService } from "@bitwarden/common/platform/abstractions/environment.service";
+import { ButtonModule, DialogModule } from "@bitwarden/components";
 
 import { BrowserApi } from "../../platform/browser/browser-api";
 
 @Component({
-  selector: "app-about",
   templateUrl: "about.component.html",
+  standalone: true,
+  imports: [CommonModule, JslibModule, DialogModule, ButtonModule],
 })
 export class AboutComponent {
-  serverConfig$: Observable<ServerConfig>;
+  protected serverConfig$: Observable<ServerConfig> = this.configService.serverConfig$;
 
-  year = new Date().getFullYear();
-  version = BrowserApi.getApplicationVersion();
-  isCloud: boolean;
+  protected year = new Date().getFullYear();
+  protected version = BrowserApi.getApplicationVersion();
+  protected isCloud = this.environmentService.isCloud();
 
-  constructor(configService: ConfigServiceAbstraction, environmentService: EnvironmentService) {
-    this.serverConfig$ = configService.serverConfig$;
-    this.isCloud = environmentService.isCloud();
-  }
+  constructor(
+    private configService: ConfigServiceAbstraction,
+    private environmentService: EnvironmentService
+  ) {}
 }
diff --git a/apps/browser/src/popup/settings/settings.component.ts b/apps/browser/src/popup/settings/settings.component.ts
index efeb6aba6d2..c2699ce498e 100644
--- a/apps/browser/src/popup/settings/settings.component.ts
+++ b/apps/browser/src/popup/settings/settings.component.ts
@@ -482,7 +482,7 @@ export class SettingsComponent implements OnInit {
   }
 
   about() {
-    this.modalService.open(AboutComponent);
+    this.dialogService.open(AboutComponent);
   }
 
   async fingerprint() {
diff --git a/apps/browser/src/tools/popup/generator/generator.component.html b/apps/browser/src/tools/popup/generator/generator.component.html
index 5c9c7492014..13d35b6cd7a 100644
--- a/apps/browser/src/tools/popup/generator/generator.component.html
+++ b/apps/browser/src/tools/popup/generator/generator.component.html
@@ -75,7 +75,7 @@
       </button>
     </div>
   </div>
-  <div class="box">
+  <div class="box" *ngIf="!comingFromAddEdit">
     <div class="box-content">
       <div class="box-content-row" role="radiogroup" aria-labelledby="typeHeading">
         <label id="typeHeading" class="radio-header">{{
@@ -90,7 +90,6 @@
             [value]="o.value"
             (change)="typeChanged()"
             [checked]="type === o.value"
-            [disabled]="comingFromAddEdit && type !== o.value"
           />
           <label for="type_{{ o.value }}">
             {{ o.name }}
diff --git a/apps/cli/package.json b/apps/cli/package.json
index f3c4a68b6d6..153b8d9ce89 100644
--- a/apps/cli/package.json
+++ b/apps/cli/package.json
@@ -1,7 +1,7 @@
 {
   "name": "@bitwarden/cli",
   "description": "A secure and free password manager for all of your devices.",
-  "version": "2023.8.2",
+  "version": "2023.9.0",
   "keywords": [
     "bitwarden",
     "password",
diff --git a/apps/cli/src/auth/commands/login.command.ts b/apps/cli/src/auth/commands/login.command.ts
index c6e16ccecd8..5cef79a09fd 100644
--- a/apps/cli/src/auth/commands/login.command.ts
+++ b/apps/cli/src/auth/commands/login.command.ts
@@ -209,6 +209,11 @@ export class LoginCommand {
           new PasswordLogInCredentials(email, password, null, twoFactor)
         );
       }
+      if (response.requiresEncryptionKeyMigration) {
+        return Response.error(
+          "Encryption key migration required. Please login through the web vault to update your encryption key."
+        );
+      }
       if (response.captchaSiteKey) {
         const credentials = new PasswordLogInCredentials(email, password);
         const handledResponse = await this.handleCaptchaRequired(twoFactor, credentials);
diff --git a/apps/cli/src/tools/import.command.ts b/apps/cli/src/tools/import.command.ts
index c013d3c6b62..e3f24b960f8 100644
--- a/apps/cli/src/tools/import.command.ts
+++ b/apps/cli/src/tools/import.command.ts
@@ -66,7 +66,7 @@ export class ImportCommand {
 
     try {
       let contents;
-      if (format === "1password1pux") {
+      if (format === "1password1pux" && filepath.endsWith(".1pux")) {
         contents = await CliUtils.extractZipContent(filepath, "export.data");
       } else if (format === "protonpass" && filepath.endsWith(".zip")) {
         contents = await CliUtils.extractZipContent(filepath, "Proton Pass/data.json");
diff --git a/apps/desktop/package.json b/apps/desktop/package.json
index 6855485510a..719e680dd22 100644
--- a/apps/desktop/package.json
+++ b/apps/desktop/package.json
@@ -1,7 +1,7 @@
 {
   "name": "@bitwarden/desktop",
   "description": "A secure and free password manager for all of your devices.",
-  "version": "2023.8.4",
+  "version": "2023.9.1",
   "keywords": [
     "bitwarden",
     "password",
diff --git a/apps/desktop/src/app/tools/generator.component.html b/apps/desktop/src/app/tools/generator.component.html
index 55084fd5c39..93d82d4d949 100644
--- a/apps/desktop/src/app/tools/generator.component.html
+++ b/apps/desktop/src/app/tools/generator.component.html
@@ -70,7 +70,7 @@
             </button>
           </div>
         </div>
-        <div class="box">
+        <div class="box" *ngIf="!comingFromAddEdit">
           <div class="box-content condensed">
             <div
               class="box-content-row box-content-row-radio"
@@ -95,7 +95,6 @@
                   [value]="o.value"
                   (change)="typeChanged()"
                   [checked]="type === o.value"
-                  [disabled]="comingFromAddEdit && type !== o.value"
                 />
                 <label class="unstyled" for="type_{{ o.value }}">
                   {{ o.name }}
diff --git a/apps/desktop/src/locales/az/messages.json b/apps/desktop/src/locales/az/messages.json
index 3d842ff3843..d14a5e369d9 100644
--- a/apps/desktop/src/locales/az/messages.json
+++ b/apps/desktop/src/locales/az/messages.json
@@ -1985,7 +1985,7 @@
     "message": "Şəxsi anbarın ixracı"
   },
   "exportingIndividualVaultDescription": {
-    "message": "Only the individual vault items associated with $EMAIL$ will be exported. Organization vault items will not be included. Only vault item information will be exported and will not include associated attachments.",
+    "message": "Yalnız $EMAIL$ ilə əlaqələndirilmiş fərdi anbar elementləri xaricə köçürüləcək. Təşkilat anbar elementləri daxil edilməyəcək. Yalnız anbar element məlumatları xaricə köçürüləcək və əlaqələndirilmiş qoşmalar daxil edilməyəcək.",
     "placeholders": {
       "email": {
         "content": "$1",
diff --git a/apps/desktop/src/locales/ca/messages.json b/apps/desktop/src/locales/ca/messages.json
index 365ca0dda4d..3cb44b3ecbb 100644
--- a/apps/desktop/src/locales/ca/messages.json
+++ b/apps/desktop/src/locales/ca/messages.json
@@ -1985,7 +1985,7 @@
     "message": "S'està exportant la caixa forta personal"
   },
   "exportingIndividualVaultDescription": {
-    "message": "Only the individual vault items associated with $EMAIL$ will be exported. Organization vault items will not be included. Only vault item information will be exported and will not include associated attachments.",
+    "message": "Només s'exportaran els elements de la caixa forta individuals associats a $EMAIL$. Els elements de la caixa de l'organització no s'inclouran. Només s'exportarà la informació de l'element de la caixa forta i no inclourà els fitxers adjunts associats.",
     "placeholders": {
       "email": {
         "content": "$1",
diff --git a/apps/desktop/src/locales/de/messages.json b/apps/desktop/src/locales/de/messages.json
index b946a3f5f37..ddb23c5aa33 100644
--- a/apps/desktop/src/locales/de/messages.json
+++ b/apps/desktop/src/locales/de/messages.json
@@ -1985,7 +1985,7 @@
     "message": "Persönlichen Tresor exportieren"
   },
   "exportingIndividualVaultDescription": {
-    "message": "Only the individual vault items associated with $EMAIL$ will be exported. Organization vault items will not be included. Only vault item information will be exported and will not include associated attachments.",
+    "message": "Es werden nur persönliche Tresoreinträge exportiert, die mit $EMAIL$ verbunden sind. Tresoreinträge der Organisation werden nicht berücksichtigt. Es werden nur Informationen der Tresoreinträge exportiert. Diese enthalten nicht die zugehörigen Anhänge.",
     "placeholders": {
       "email": {
         "content": "$1",
diff --git a/apps/desktop/src/locales/el/messages.json b/apps/desktop/src/locales/el/messages.json
index 8bab72d6219..4bb7f624193 100644
--- a/apps/desktop/src/locales/el/messages.json
+++ b/apps/desktop/src/locales/el/messages.json
@@ -929,7 +929,7 @@
     "message": "Όταν ελαχιστοποιείται το παράθυρο, εμφανίζεται ένα εικονίδιο στη γραμμή μενού."
   },
   "enableCloseToTray": {
-    "message": "Κλείσιμο στο Εικονίδιο Δίσκου"
+    "message": "Κλείσιμο σε εικονίδιο περιοχής ειδοποιήσεων"
   },
   "enableCloseToTrayDesc": {
     "message": "Κατά το κλείσιμο του παραθύρου, να εμφανίζεται ένα εικονίδιο στην περιοχή ειδοποιήσεων."
@@ -941,13 +941,13 @@
     "message": "Κατά το κλείσιμο του παραθύρου, εμφανίζεται ένα εικονίδιο στη γραμμή μενού."
   },
   "enableTray": {
-    "message": "Ενεργοποίηση Εικονιδίου Δίσκου"
+    "message": "Ενεργοποίηση εικονιδίου περιοχής ειδοποιήσεων"
   },
   "enableTrayDesc": {
     "message": "Να εμφανίζεται πάντα ένα εικονίδιο στην περιοχή ειδοποιήσεων."
   },
   "startToTray": {
-    "message": "Έναρξη στο εικονίδιο δίσκου"
+    "message": "Έναρξη σε εικονίδιο περιοχής ειδοποιήσεων"
   },
   "startToTrayDesc": {
     "message": "Όταν ξεκινάει για πρώτη φορά η εφαρμογή, να εμφανίζεται μόνο ένα εικονίδιο στην περιοχή ειδοποιήσεων."
@@ -1408,7 +1408,7 @@
     "message": "Ξεκλειδώστε το vault σας"
   },
   "autoPromptWindowsHello": {
-    "message": "Εμφάνιση Windows Hello κατά την εκκίνηση της εφαρμογής"
+    "message": "Να ζητείται Windows Hello κατά την εκκίνηση της εφαρμογής"
   },
   "autoPromptTouchId": {
     "message": "Ερώτηση για το Touch ID κατά την εκκίνηση"
@@ -2250,7 +2250,7 @@
     "message": "Ενημέρωση Προτεινόμενων Ρυθμίσεων"
   },
   "deviceApprovalRequired": {
-    "message": "Device approval required. Select an approval option below:"
+    "message": "Απαιτείται έγκριση συσκευής. Επιλέξτε μια επιλογή έγκρισης παρακάτω:"
   },
   "rememberThisDevice": {
     "message": "Remember this device"
@@ -2320,7 +2320,7 @@
     "message": "Input is required."
   },
   "required": {
-    "message": "required"
+    "message": "απαιτείται"
   },
   "search": {
     "message": "Search"
diff --git a/apps/desktop/src/locales/en/messages.json b/apps/desktop/src/locales/en/messages.json
index 3822b66aafa..fc2f9000913 100644
--- a/apps/desktop/src/locales/en/messages.json
+++ b/apps/desktop/src/locales/en/messages.json
@@ -475,8 +475,8 @@
   "maxFileSize": {
     "message": "Maximum file size is 500 MB."
   },
-  "updateKey": {
-    "message": "You cannot use this feature until you update your encryption key."
+  "encryptionKeyMigrationRequired": {
+    "message": "Encryption key migration required. Please login through the web vault to update your encryption key."
   },
   "editedFolder": {
     "message": "Folder saved"
diff --git a/apps/desktop/src/locales/sr/messages.json b/apps/desktop/src/locales/sr/messages.json
index 0e0a7c397e1..29b9ebd2a49 100644
--- a/apps/desktop/src/locales/sr/messages.json
+++ b/apps/desktop/src/locales/sr/messages.json
@@ -1985,7 +1985,7 @@
     "message": "Извоз личног сефа"
   },
   "exportingIndividualVaultDescription": {
-    "message": "Only the individual vault items associated with $EMAIL$ will be exported. Organization vault items will not be included. Only vault item information will be exported and will not include associated attachments.",
+    "message": "Само појединачне ставке сефа повезане са $EMAIL$ ће бити извењене. Ставке организационог сефа неће бити укључене. Само информације о ставкама из сефа ће бити извезене и неће укључивати повезане прилоге.",
     "placeholders": {
       "email": {
         "content": "$1",
diff --git a/apps/desktop/src/locales/zh_CN/messages.json b/apps/desktop/src/locales/zh_CN/messages.json
index a0c1e85b730..81b08101eb9 100644
--- a/apps/desktop/src/locales/zh_CN/messages.json
+++ b/apps/desktop/src/locales/zh_CN/messages.json
@@ -317,7 +317,7 @@
     "message": "文件夹"
   },
   "newCustomField": {
-    "message": "新建自定义字段"
+    "message": "新增自定义字段"
   },
   "value": {
     "message": "值"
@@ -555,7 +555,7 @@
     "message": "两次填写的主密码不一致。"
   },
   "newAccountCreated": {
-    "message": "已经为您建立了账户，您可以登录了。"
+    "message": "您的新账户已创建！您现在可以登录了。"
   },
   "masterPassSent": {
     "message": "我们已经为您发送了包含主密码提示的邮件。"
@@ -597,7 +597,7 @@
     "message": "请输入您的身份验证器应用中的 6 位验证码。"
   },
   "enterVerificationCodeEmail": {
-    "message": "请输入通过电子邮件发送给 $EMAIL$ 的 6 位验证码。",
+    "message": "请输入发送给电子邮件 $EMAIL$ 的 6 位数验证码。",
     "placeholders": {
       "email": {
         "content": "$1",
@@ -618,7 +618,7 @@
     "message": "记住我"
   },
   "sendVerificationCodeEmailAgain": {
-    "message": "重发验证码电子邮件"
+    "message": "再次发送验证码电子邮件"
   },
   "useAnotherTwoStepMethod": {
     "message": "使用其他两步登录方式"
@@ -663,7 +663,7 @@
     "message": "使用任何 WebAuthn 兼容的安全钥匙访问您的帐户。"
   },
   "emailTitle": {
-    "message": "电子邮件地址"
+    "message": "电子邮件"
   },
   "emailDesc": {
     "message": "验证码将会发送到您的电子邮箱。"
@@ -744,13 +744,13 @@
     "message": "注销"
   },
   "addNewLogin": {
-    "message": "添加新登录"
+    "message": "新增登录"
   },
   "addNewItem": {
     "message": "新增项目"
   },
   "addNewFolder": {
-    "message": "添加文件夹"
+    "message": "新增文件夹"
   },
   "view": {
     "message": "查看"
@@ -1414,7 +1414,7 @@
     "message": "应用程序启动时要求使用触控 ID"
   },
   "requirePasswordOnStart": {
-    "message": "应用程序启动时要求输入密码或 PIN"
+    "message": "应用程序启动时要求输入密码或 PIN 码"
   },
   "recommendedForSecurity": {
     "message": "安全起见，推荐设置。"
@@ -1534,7 +1534,7 @@
     "message": "设置主密码"
   },
   "ssoCompleteRegistration": {
-    "message": "要完成 SSO 登陆配置，请设置一个主密码以访问和保护您的密码库。"
+    "message": "要完成 SSO 登录配置，请设置一个主密码以访问和保护您的密码库。"
   },
   "currentMasterPass": {
     "message": "当前主密码"
@@ -1979,13 +1979,13 @@
     "message": "选项"
   },
   "sessionTimeout": {
-    "message": "您的会话已超时。请返回并尝试重新登录。"
+    "message": "您的会话已超时。请返回然后尝试重新登录。"
   },
   "exportingPersonalVaultTitle": {
     "message": "正在导出个人密码库"
   },
   "exportingIndividualVaultDescription": {
-    "message": "Only the individual vault items associated with $EMAIL$ will be exported. Organization vault items will not be included. Only vault item information will be exported and will not include associated attachments.",
+    "message": "仅会导出与 $EMAIL$ 关联的个人密码库项目，不包括组织密码库项目。仅会导出密码库项目信息，不包括关联的附件。",
     "placeholders": {
       "email": {
         "content": "$1",
@@ -2083,7 +2083,7 @@
     "message": "密码库"
   },
   "loginWithMasterPassword": {
-    "message": "使用主密码登录"
+    "message": "主密码登录"
   },
   "loggingInAs": {
     "message": "正登录为"
@@ -2244,7 +2244,7 @@
     }
   },
   "windowsBiometricUpdateWarning": {
-    "message": "Bitwarden 建议更新您的生物识别设置，以在首次解锁时要求输入您的主密码（或 PIN）。现在要更新您的设置吗？"
+    "message": "Bitwarden 建议更新您的生物识别设置，以在首次解锁时要求输入您的主密码（或 PIN 码）。现在要更新您的设置吗？"
   },
   "windowsBiometricUpdateWarningTitle": {
     "message": "推荐的设置更新"
diff --git a/apps/desktop/src/locales/zh_TW/messages.json b/apps/desktop/src/locales/zh_TW/messages.json
index 32a511beab1..50ab2e3a3d3 100644
--- a/apps/desktop/src/locales/zh_TW/messages.json
+++ b/apps/desktop/src/locales/zh_TW/messages.json
@@ -2196,10 +2196,10 @@
     "message": "登入要求已逾期。"
   },
   "thisRequestIsNoLongerValid": {
-    "message": "This request is no longer valid."
+    "message": "此請求已失效"
   },
   "approveLoginRequestDesc": {
-    "message": "Use this device to approve login requests made from other devices."
+    "message": "使用此裝置準予來自其他裝置的登入要求。"
   },
   "confirmLoginAtemptForMail": {
     "message": "確認 $EMAIL$ 的登入嘗試",
@@ -2259,19 +2259,19 @@
     "message": "Uncheck if using a public device"
   },
   "approveFromYourOtherDevice": {
-    "message": "Approve from your other device"
+    "message": "從其他裝置批准"
   },
   "requestAdminApproval": {
-    "message": "Request admin approval"
+    "message": "要求管理員核准"
   },
   "approveWithMasterPassword": {
-    "message": "Approve with master password"
+    "message": "使用主密碼批准"
   },
   "region": {
     "message": "區域"
   },
   "ssoIdentifierRequired": {
-    "message": "Organization SSO identifier is required."
+    "message": "需要單一登入 (SSO) 組織識別碼。"
   },
   "eu": {
     "message": "EU",
@@ -2287,7 +2287,7 @@
     "message": "bitwarden.eu"
   },
   "selfHostedServer": {
-    "message": "self-hosted"
+    "message": "自建"
   },
   "accessDenied": {
     "message": "拒絕存取。您沒有檢視此頁面的權限。"
@@ -2314,10 +2314,10 @@
     "message": "User email missing"
   },
   "deviceTrusted": {
-    "message": "Device trusted"
+    "message": "裝置已信任"
   },
   "inputRequired": {
-    "message": "Input is required."
+    "message": "必須輸入內容。"
   },
   "required": {
     "message": "必填"
diff --git a/apps/desktop/src/package-lock.json b/apps/desktop/src/package-lock.json
index c838b242b50..fc1f62db020 100644
--- a/apps/desktop/src/package-lock.json
+++ b/apps/desktop/src/package-lock.json
@@ -1,12 +1,12 @@
 {
   "name": "@bitwarden/desktop",
-  "version": "2023.8.4",
+  "version": "2023.9.1",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
       "name": "@bitwarden/desktop",
-      "version": "2023.8.4",
+      "version": "2023.9.1",
       "license": "GPL-3.0",
       "dependencies": {
         "@bitwarden/desktop-native": "file:../desktop_native"
diff --git a/apps/desktop/src/package.json b/apps/desktop/src/package.json
index bbef6bf36f5..eca9f715417 100644
--- a/apps/desktop/src/package.json
+++ b/apps/desktop/src/package.json
@@ -2,7 +2,7 @@
   "name": "@bitwarden/desktop",
   "productName": "Bitwarden",
   "description": "A secure and free password manager for all of your devices.",
-  "version": "2023.8.4",
+  "version": "2023.9.1",
   "author": "Bitwarden Inc. <hello@bitwarden.com> (https://bitwarden.com)",
   "homepage": "https://bitwarden.com",
   "license": "GPL-3.0",
diff --git a/apps/desktop/src/scss/environment.scss b/apps/desktop/src/scss/environment.scss
index eae8b4a2d5b..0f28ba1954a 100644
--- a/apps/desktop/src/scss/environment.scss
+++ b/apps/desktop/src/scss/environment.scss
@@ -18,15 +18,11 @@
   color: $text-muted;
   line-height: 25px;
   font-weight: 400;
-  padding-left: 5px;
+  padding-left: 15px;
 
-  label {
+  span {
     font-weight: 600;
-  }
-
-  a,
-  a label:hover {
-    cursor: pointer;
+    font-size: $font-size-small;
   }
 }
 
diff --git a/apps/desktop/src/scss/styles.scss b/apps/desktop/src/scss/styles.scss
index 049cf10b974..033a0f8b674 100644
--- a/apps/desktop/src/scss/styles.scss
+++ b/apps/desktop/src/scss/styles.scss
@@ -17,3 +17,4 @@
 @import "left-nav.scss";
 @import "loading.scss";
 @import "../../../../libs/angular/src/scss/icons.scss";
+@import "../../../../libs/components/src/multi-select/scss/bw.theme";
diff --git a/apps/web/package.json b/apps/web/package.json
index 08698b75a39..781d5d75265 100644
--- a/apps/web/package.json
+++ b/apps/web/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@bitwarden/web-vault",
-  "version": "2023.8.4",
+  "version": "2023.9.0",
   "scripts": {
     "build:oss": "webpack",
     "build:bit": "webpack -c ../../bitwarden_license/bit-web/webpack.config.js",
diff --git a/apps/web/src/app/admin-console/organizations/manage/entity-users.component.html b/apps/web/src/app/admin-console/organizations/manage/entity-users.component.html
deleted file mode 100644
index e9296973a79..00000000000
--- a/apps/web/src/app/admin-console/organizations/manage/entity-users.component.html
+++ /dev/null
@@ -1,173 +0,0 @@
-<div class="modal fade" role="dialog" aria-modal="true" aria-labelledby="userAccessTitle">
-  <div class="modal-dialog modal-dialog-scrollable modal-lg" role="document">
-    <form
-      class="modal-content"
-      #form
-      (ngSubmit)="submit()"
-      [appApiAction]="formPromise"
-      ngNativeValidate
-    >
-      <div class="modal-header">
-        <h1 class="modal-title" id="userAccessTitle">
-          {{ "userAccess" | i18n }}
-          <small>{{ entityName }}</small>
-        </h1>
-        <button
-          type="button"
-          class="close"
-          data-dismiss="modal"
-          appA11yTitle="{{ 'close' | i18n }}"
-        >
-          <span aria-hidden="true">&times;</span>
-        </button>
-      </div>
-      <div class="modal-body" *ngIf="loading || !users">
-        <i
-          class="bwi bwi-spinner bwi-spin text-muted"
-          title="{{ 'loading' | i18n }}"
-          aria-hidden="true"
-        ></i>
-        <span class="sr-only">{{ "loading" | i18n }}</span>
-      </div>
-      <cdk-virtual-scroll-viewport
-        itemSize="46"
-        minBufferPx="600"
-        maxBufferPx="1200"
-        [style]="scrollViewportStyle"
-      >
-        <div class="modal-body" *ngIf="!loading && users && searchedUsers">
-          <div class="d-flex">
-            <div class="mr-3">
-              <label class="sr-only" for="search">{{ "search" | i18n }}</label>
-              <input
-                type="search"
-                class="form-control form-control-sm"
-                id="search"
-                placeholder="{{ 'search' | i18n }}"
-                name="SearchText"
-                [(ngModel)]="searchText"
-              />
-            </div>
-            <div class="btn-group btn-group-sm" role="group">
-              <button
-                type="button"
-                class="btn btn-outline-secondary"
-                [ngClass]="{ active: !showSelected }"
-                (click)="filterSelected(false)"
-              >
-                {{ "all" | i18n }}
-              </button>
-              <button
-                type="button"
-                class="btn btn-outline-secondary"
-                [ngClass]="{ active: showSelected }"
-                (click)="filterSelected(true)"
-              >
-                {{ "selected" | i18n }}
-                <span bitBadge badgeType="info" *ngIf="selectedCount">{{ selectedCount }}</span>
-              </button>
-            </div>
-          </div>
-          <ng-container *ngIf="!searchedUsers.length">
-            <hr />
-            {{ "noUsersInList" | i18n }}
-          </ng-container>
-          <table class="table table-hover table-list mb-0" [hidden]="!searchedUsers.length">
-            <thead>
-              <tr>
-                <th>&nbsp;</th>
-                <th>&nbsp;</th>
-                <th>{{ "name" | i18n }}</th>
-                <th *ngIf="entity === 'collection'">&nbsp;</th>
-                <th>{{ "userType" | i18n }}</th>
-                <th width="100" class="text-center" *ngIf="entity === 'collection'">
-                  {{ "hidePasswords" | i18n }}
-                </th>
-                <th width="100" class="text-center" *ngIf="entity === 'collection'">
-                  {{ "readOnly" | i18n }}
-                </th>
-              </tr>
-            </thead>
-            <tbody>
-              <tr *cdkVirtualFor="let u of searchedUsers" class="">
-                <td class="table-list-checkbox" (click)="check(u)">
-                  <input
-                    type="checkbox"
-                    [(ngModel)]="u.checked"
-                    name="{{ u.id.substr(0, 8) }}_Checked"
-                    [disabled]="entity === 'collection' && u.accessAll"
-                    (change)="selectedChanged(u)"
-                    appStopProp
-                  />
-                </td>
-                <td width="30" (click)="check(u)">
-                  <bit-avatar [text]="u | userName" [id]="u.id" size="small"></bit-avatar>
-                </td>
-                <td>
-                  {{ u.email }}
-                  <span
-                    bitBadge
-                    badgeType="secondary"
-                    *ngIf="u.status === organizationUserStatusType.Invited"
-                    >{{ "invited" | i18n }}</span
-                  >
-                  <span
-                    bitBadge
-                    badgeType="warning"
-                    *ngIf="u.status === organizationUserStatusType.Accepted"
-                    >{{ "accepted" | i18n }}</span
-                  >
-                  <small class="text-muted d-block" *ngIf="u.name">{{ u.name }}</small>
-                </td>
-                <td *ngIf="entity === 'collection'">
-                  <ng-container *ngIf="u.accessAll">
-                    <i
-                      class="bwi bwi-filter"
-                      title="{{ 'userAccessAllItems' | i18n }}"
-                      aria-hidden="true"
-                    ></i>
-                    <span class="sr-only">{{ "userAccessAllItems" | i18n }}</span>
-                  </ng-container>
-                </td>
-                <td>
-                  <span *ngIf="u.type === organizationUserType.Owner">{{ "owner" | i18n }}</span>
-                  <span *ngIf="u.type === organizationUserType.Admin">{{ "admin" | i18n }}</span>
-                  <span *ngIf="u.type === organizationUserType.Manager">{{
-                    "manager" | i18n
-                  }}</span>
-                  <span *ngIf="u.type === organizationUserType.User">{{ "user" | i18n }}</span>
-                  <span *ngIf="u.type === organizationUserType.Custom">{{ "custom" | i18n }}</span>
-                </td>
-                <td class="text-center" *ngIf="entity === 'collection'">
-                  <input
-                    type="checkbox"
-                    [(ngModel)]="u.hidePasswords"
-                    name="{{ u.id.substr(0, 8) }}_HidePasswords"
-                    [disabled]="u.accessAll || !u.checked"
-                  />
-                </td>
-                <td class="text-center" *ngIf="entity === 'collection'">
-                  <input
-                    type="checkbox"
-                    [(ngModel)]="u.readOnly"
-                    name="{{ u.id.substr(0, 8) }}_ReadOnly"
-                    [disabled]="u.accessAll || !u.checked"
-                  />
-                </td>
-              </tr>
-            </tbody>
-          </table>
-        </div>
-      </cdk-virtual-scroll-viewport>
-      <div class="modal-footer">
-        <button type="submit" class="btn btn-primary btn-submit" [disabled]="form.loading">
-          <i class="bwi bwi-spinner bwi-spin" title="{{ 'loading' | i18n }}" aria-hidden="true"></i>
-          <span>{{ "save" | i18n }}</span>
-        </button>
-        <button type="button" class="btn btn-outline-secondary" data-dismiss="modal">
-          {{ "close" | i18n }}
-        </button>
-      </div>
-    </form>
-  </div>
-</div>
diff --git a/apps/web/src/app/admin-console/organizations/manage/entity-users.component.ts b/apps/web/src/app/admin-console/organizations/manage/entity-users.component.ts
deleted file mode 100644
index af0c344a29e..00000000000
--- a/apps/web/src/app/admin-console/organizations/manage/entity-users.component.ts
+++ /dev/null
@@ -1,160 +0,0 @@
-import { Component, EventEmitter, Input, OnInit, Output } from "@angular/core";
-
-import { SearchPipe } from "@bitwarden/angular/pipes/search.pipe";
-import { ApiService } from "@bitwarden/common/abstractions/api.service";
-import { OrganizationUserService } from "@bitwarden/common/abstractions/organization-user/organization-user.service";
-import { OrganizationUserUserDetailsResponse } from "@bitwarden/common/abstractions/organization-user/responses";
-import {
-  OrganizationUserStatusType,
-  OrganizationUserType,
-} from "@bitwarden/common/admin-console/enums";
-import { SelectionReadOnlyRequest } from "@bitwarden/common/admin-console/models/request/selection-read-only.request";
-import { I18nService } from "@bitwarden/common/platform/abstractions/i18n.service";
-import { LogService } from "@bitwarden/common/platform/abstractions/log.service";
-import { PlatformUtilsService } from "@bitwarden/common/platform/abstractions/platform-utils.service";
-import { Utils } from "@bitwarden/common/platform/misc/utils";
-
-@Component({
-  selector: "app-entity-users",
-  templateUrl: "entity-users.component.html",
-  providers: [SearchPipe],
-})
-export class EntityUsersComponent implements OnInit {
-  @Input() entity: "group" | "collection";
-  @Input() entityId: string;
-  @Input() entityName: string;
-  @Input() organizationId: string;
-  @Output() onEditedUsers = new EventEmitter();
-
-  organizationUserType = OrganizationUserType;
-  organizationUserStatusType = OrganizationUserStatusType;
-
-  showSelected = false;
-  loading = true;
-  formPromise: Promise<any>;
-  selectedCount = 0;
-  searchText: string;
-
-  private allUsers: OrganizationUserUserDetailsResponse[] = [];
-
-  constructor(
-    private search: SearchPipe,
-    private apiService: ApiService,
-    private i18nService: I18nService,
-    private platformUtilsService: PlatformUtilsService,
-    private organizationUserService: OrganizationUserService,
-    private logService: LogService
-  ) {}
-
-  async ngOnInit() {
-    await this.loadUsers();
-    this.loading = false;
-  }
-
-  get users() {
-    if (this.showSelected) {
-      return this.allUsers.filter((u) => (u as any).checked);
-    } else {
-      return this.allUsers;
-    }
-  }
-
-  get searchedUsers() {
-    return this.search.transform(this.users, this.searchText, "name", "email", "id");
-  }
-
-  get scrollViewportStyle() {
-    return `min-height: 120px; height: ${120 + this.searchedUsers.length * 46}px`;
-  }
-
-  async loadUsers() {
-    const users = await this.organizationUserService.getAllUsers(this.organizationId);
-    this.allUsers = users.data.map((r) => r).sort(Utils.getSortFunction(this.i18nService, "email"));
-    if (this.entity === "group") {
-      const response = await this.apiService.getGroupUsers(this.organizationId, this.entityId);
-      if (response != null && users.data.length > 0) {
-        response.forEach((s) => {
-          const user = users.data.filter((u) => u.id === s);
-          if (user != null && user.length > 0) {
-            (user[0] as any).checked = true;
-          }
-        });
-      }
-    } else if (this.entity === "collection") {
-      const response = await this.apiService.getCollectionUsers(this.organizationId, this.entityId);
-      if (response != null && users.data.length > 0) {
-        response.forEach((s) => {
-          const user = users.data.filter((u) => !u.accessAll && u.id === s.id);
-          if (user != null && user.length > 0) {
-            (user[0] as any).checked = true;
-            (user[0] as any).readOnly = s.readOnly;
-            (user[0] as any).hidePasswords = s.hidePasswords;
-          }
-        });
-      }
-    }
-
-    this.allUsers.forEach((u) => {
-      if (this.entity === "collection" && u.accessAll) {
-        (u as any).checked = true;
-      }
-      if ((u as any).checked) {
-        this.selectedCount++;
-      }
-    });
-  }
-
-  check(u: OrganizationUserUserDetailsResponse) {
-    if (this.entity === "collection" && u.accessAll) {
-      return;
-    }
-    (u as any).checked = !(u as any).checked;
-    this.selectedChanged(u);
-  }
-
-  selectedChanged(u: OrganizationUserUserDetailsResponse) {
-    if ((u as any).checked) {
-      this.selectedCount++;
-    } else {
-      if (this.entity === "collection") {
-        (u as any).readOnly = false;
-        (u as any).hidePasswords = false;
-      }
-      this.selectedCount--;
-    }
-  }
-
-  filterSelected(showSelected: boolean) {
-    this.showSelected = showSelected;
-  }
-
-  async submit() {
-    try {
-      if (this.entity === "group") {
-        const selections = this.users.filter((u) => (u as any).checked).map((u) => u.id);
-        this.formPromise = this.apiService.putGroupUsers(
-          this.organizationId,
-          this.entityId,
-          selections
-        );
-      } else {
-        const selections = this.users
-          .filter((u) => (u as any).checked && !u.accessAll)
-          .map(
-            (u) =>
-              new SelectionReadOnlyRequest(u.id, !!(u as any).readOnly, !!(u as any).hidePasswords)
-          );
-        this.formPromise = this.apiService.putCollectionUsers(
-          this.organizationId,
-          this.entityId,
-          selections
-        );
-      }
-      await this.formPromise;
-      this.platformUtilsService.showToast("success", null, this.i18nService.t("updatedUsers"));
-      this.onEditedUsers.emit();
-    } catch (e) {
-      this.logService.error(e);
-    }
-  }
-}
diff --git a/apps/web/src/app/admin-console/organizations/manage/organization-manage.module.ts b/apps/web/src/app/admin-console/organizations/manage/organization-manage.module.ts
deleted file mode 100644
index 9a7b166962d..00000000000
--- a/apps/web/src/app/admin-console/organizations/manage/organization-manage.module.ts
+++ /dev/null
@@ -1,12 +0,0 @@
-import { ScrollingModule } from "@angular/cdk/scrolling";
-import { NgModule } from "@angular/core";
-
-import { EntityUsersComponent } from "../../../admin-console/organizations/manage/entity-users.component";
-import { SharedModule } from "../../../shared";
-
-@NgModule({
-  imports: [SharedModule, ScrollingModule],
-  declarations: [EntityUsersComponent],
-  exports: [EntityUsersComponent],
-})
-export class OrganizationManageModule {}
diff --git a/apps/web/src/app/auth/login/login.component.ts b/apps/web/src/app/auth/login/login.component.ts
index 431f0bac265..f6b83d6bf57 100644
--- a/apps/web/src/app/auth/login/login.component.ts
+++ b/apps/web/src/app/auth/login/login.component.ts
@@ -15,6 +15,7 @@ import { PolicyResponse } from "@bitwarden/common/admin-console/models/response/
 import { AuthService } from "@bitwarden/common/auth/abstractions/auth.service";
 import { DevicesApiServiceAbstraction } from "@bitwarden/common/auth/abstractions/devices-api.service.abstraction";
 import { LoginService } from "@bitwarden/common/auth/abstractions/login.service";
+import { AuthResult } from "@bitwarden/common/auth/models/domain/auth-result";
 import { ListResponse } from "@bitwarden/common/models/response/list.response";
 import { AppIdService } from "@bitwarden/common/platform/abstractions/app-id.service";
 import { CryptoFunctionService } from "@bitwarden/common/platform/abstractions/crypto-function.service";
@@ -204,4 +205,12 @@ export class LoginComponent extends BaseLoginComponent implements OnInit {
     }
     await super.submit(false);
   }
+
+  protected override handleMigrateEncryptionKey(result: AuthResult): boolean {
+    if (!result.requiresEncryptionKeyMigration) {
+      return false;
+    }
+    this.router.navigate(["migrate-legacy-encryption"]);
+    return true;
+  }
 }
diff --git a/apps/web/src/app/auth/migrate-encryption/migrate-legacy-encryption.component.html b/apps/web/src/app/auth/migrate-encryption/migrate-legacy-encryption.component.html
new file mode 100644
index 00000000000..2fdb4711cdd
--- /dev/null
+++ b/apps/web/src/app/auth/migrate-encryption/migrate-legacy-encryption.component.html
@@ -0,0 +1,36 @@
+<form [formGroup]="formGroup" [bitSubmit]="submit">
+  <div class="tw-mt-12 tw-flex tw-justify-center">
+    <div class="tw-max-w-xl">
+      <h1 bitTypography="h1" class="tw-mb-4 tw-text-center">{{ "updateEncryptionKey" | i18n }}</h1>
+      <div
+        class="tw-block tw-rounded tw-border tw-border-solid tw-border-secondary-300 tw-bg-background tw-p-8"
+      >
+        <p>
+          {{ "updateEncryptionSchemeDesc" | i18n }}
+          <a
+            href="https://bitwarden.com/help/account-encryption-key/#rotate-your-encryption-key"
+            target="_blank"
+            rel="noopener"
+            >{{ "learnMore" | i18n }}</a
+          >
+        </p>
+        <bit-callout type="warning">{{ "updateEncryptionKeyWarning" | i18n }}</bit-callout>
+
+        <bit-form-field>
+          <bit-label>{{ "masterPass" | i18n }}</bit-label>
+          <input
+            id="masterPassword"
+            bitInput
+            type="password"
+            formControlName="masterPassword"
+            appAutofocus
+          />
+          <button type="button" bitIconButton bitSuffix bitPasswordInputToggle></button>
+        </bit-form-field>
+        <button type="submit" bitButton bitFormButton buttonType="primary" block>
+          {{ "updateEncryptionKey" | i18n }}
+        </button>
+      </div>
+    </div>
+  </div>
+</form>
diff --git a/apps/web/src/app/auth/migrate-encryption/migrate-legacy-encryption.component.ts b/apps/web/src/app/auth/migrate-encryption/migrate-legacy-encryption.component.ts
new file mode 100644
index 00000000000..d1bb74c066c
--- /dev/null
+++ b/apps/web/src/app/auth/migrate-encryption/migrate-legacy-encryption.component.ts
@@ -0,0 +1,82 @@
+import { Component } from "@angular/core";
+import { FormControl, FormGroup, Validators } from "@angular/forms";
+
+import { CryptoService } from "@bitwarden/common/platform/abstractions/crypto.service";
+import { I18nService } from "@bitwarden/common/platform/abstractions/i18n.service";
+import { LogService } from "@bitwarden/common/platform/abstractions/log.service";
+import { MessagingService } from "@bitwarden/common/platform/abstractions/messaging.service";
+import { PlatformUtilsService } from "@bitwarden/common/platform/abstractions/platform-utils.service";
+
+import { SharedModule } from "../../shared";
+
+import { MigrateFromLegacyEncryptionService } from "./migrate-legacy-encryption.service";
+
+// The master key was originally used to encrypt user data, before the user key was introduced.
+// This component is used to migrate from the old encryption scheme to the new one.
+@Component({
+  standalone: true,
+  imports: [SharedModule],
+  providers: [MigrateFromLegacyEncryptionService],
+  templateUrl: "migrate-legacy-encryption.component.html",
+})
+export class MigrateFromLegacyEncryptionComponent {
+  protected formGroup = new FormGroup({
+    masterPassword: new FormControl("", [Validators.required]),
+  });
+
+  constructor(
+    private i18nService: I18nService,
+    private platformUtilsService: PlatformUtilsService,
+    private migrationService: MigrateFromLegacyEncryptionService,
+    private cryptoService: CryptoService,
+    private messagingService: MessagingService,
+    private logService: LogService
+  ) {}
+
+  submit = async () => {
+    this.formGroup.markAsTouched();
+
+    if (this.formGroup.invalid) {
+      return;
+    }
+
+    const hasUserKey = await this.cryptoService.hasUserKey();
+    if (hasUserKey) {
+      this.messagingService.send("logout");
+      throw new Error("User key already exists, cannot migrate legacy encryption.");
+    }
+
+    const masterPassword = this.formGroup.value.masterPassword;
+
+    try {
+      // Create new user key
+      const [newUserKey, masterKeyEncUserKey] = await this.migrationService.createNewUserKey(
+        masterPassword
+      );
+
+      // Update admin recover keys
+      await this.migrationService.updateAllAdminRecoveryKeys(masterPassword, newUserKey);
+
+      // Update emergency access
+      await this.migrationService.updateEmergencyAccesses(newUserKey);
+
+      // Update keys, folders, ciphers, and sends
+      await this.migrationService.updateKeysAndEncryptedData(
+        masterPassword,
+        newUserKey,
+        masterKeyEncUserKey
+      );
+
+      this.platformUtilsService.showToast(
+        "success",
+        this.i18nService.t("keyUpdated"),
+        this.i18nService.t("logBackInOthersToo"),
+        { timeout: 15000 }
+      );
+      this.messagingService.send("logout");
+    } catch (e) {
+      this.logService.error(e);
+      throw e;
+    }
+  };
+}
diff --git a/apps/web/src/app/auth/migrate-encryption/migrate-legacy-encryption.service.spec.ts b/apps/web/src/app/auth/migrate-encryption/migrate-legacy-encryption.service.spec.ts
new file mode 100644
index 00000000000..88bbdc4e5b2
--- /dev/null
+++ b/apps/web/src/app/auth/migrate-encryption/migrate-legacy-encryption.service.spec.ts
@@ -0,0 +1,345 @@
+import { mock } from "jest-mock-extended";
+import { BehaviorSubject } from "rxjs";
+
+import { ApiService } from "@bitwarden/common/abstractions/api.service";
+import { OrganizationUserService } from "@bitwarden/common/abstractions/organization-user/organization-user.service";
+import { OrganizationUserResetPasswordEnrollmentRequest } from "@bitwarden/common/abstractions/organization-user/requests";
+import { OrganizationService } from "@bitwarden/common/admin-console/abstractions/organization/organization.service.abstraction";
+import { Organization } from "@bitwarden/common/admin-console/models/domain/organization";
+import { OrganizationKeysResponse } from "@bitwarden/common/admin-console/models/response/organization-keys.response";
+import { OrganizationApiService } from "@bitwarden/common/admin-console/services/organization/organization-api.service";
+import { EmergencyAccessStatusType } from "@bitwarden/common/auth/enums/emergency-access-status-type";
+import { EmergencyAccessUpdateRequest } from "@bitwarden/common/auth/models/request/emergency-access-update.request";
+import { EmergencyAccessGranteeDetailsResponse } from "@bitwarden/common/auth/models/response/emergency-access.response";
+import { EncryptionType, KdfType } from "@bitwarden/common/enums";
+import { ListResponse } from "@bitwarden/common/models/response/list.response";
+import { UserKeyResponse } from "@bitwarden/common/models/response/user-key.response";
+import { CryptoService } from "@bitwarden/common/platform/abstractions/crypto.service";
+import { EncryptService } from "@bitwarden/common/platform/abstractions/encrypt.service";
+import { StateService } from "@bitwarden/common/platform/abstractions/state.service";
+import { EncString } from "@bitwarden/common/platform/models/domain/enc-string";
+import {
+  MasterKey,
+  SymmetricCryptoKey,
+  UserKey,
+} from "@bitwarden/common/platform/models/domain/symmetric-crypto-key";
+import { Send } from "@bitwarden/common/tools/send/models/domain/send";
+import { SendService } from "@bitwarden/common/tools/send/services/send.service.abstraction";
+import { CsprngArray } from "@bitwarden/common/types/csprng";
+import { CipherService } from "@bitwarden/common/vault/abstractions/cipher.service";
+import { FolderService } from "@bitwarden/common/vault/abstractions/folder/folder.service.abstraction";
+import { SyncService } from "@bitwarden/common/vault/abstractions/sync/sync.service.abstraction";
+import { Cipher } from "@bitwarden/common/vault/models/domain/cipher";
+import { Folder } from "@bitwarden/common/vault/models/domain/folder";
+import { CipherView } from "@bitwarden/common/vault/models/view/cipher.view";
+import { FolderView } from "@bitwarden/common/vault/models/view/folder.view";
+
+import { MigrateFromLegacyEncryptionService } from "./migrate-legacy-encryption.service";
+
+describe("migrateFromLegacyEncryptionService", () => {
+  let migrateFromLegacyEncryptionService: MigrateFromLegacyEncryptionService;
+
+  const organizationService = mock<OrganizationService>();
+  const organizationApiService = mock<OrganizationApiService>();
+  const organizationUserService = mock<OrganizationUserService>();
+  const apiService = mock<ApiService>();
+  const encryptService = mock<EncryptService>();
+  const cryptoService = mock<CryptoService>();
+  const syncService = mock<SyncService>();
+  const cipherService = mock<CipherService>();
+  const folderService = mock<FolderService>();
+  const sendService = mock<SendService>();
+  const stateService = mock<StateService>();
+  let folderViews: BehaviorSubject<FolderView[]>;
+  let sends: BehaviorSubject<Send[]>;
+
+  beforeEach(() => {
+    jest.clearAllMocks();
+
+    migrateFromLegacyEncryptionService = new MigrateFromLegacyEncryptionService(
+      organizationService,
+      organizationApiService,
+      organizationUserService,
+      apiService,
+      cryptoService,
+      encryptService,
+      syncService,
+      cipherService,
+      folderService,
+      sendService,
+      stateService
+    );
+  });
+
+  it("instantiates", () => {
+    expect(migrateFromLegacyEncryptionService).not.toBeFalsy();
+  });
+
+  describe("createNewUserKey", () => {
+    it("validates master password and legacy user", async () => {
+      const mockMasterPassword = "mockMasterPassword";
+      const mockRandomBytes = new Uint8Array(64) as CsprngArray;
+      const mockMasterKey = new SymmetricCryptoKey(mockRandomBytes) as MasterKey;
+      stateService.getEmail.mockResolvedValue("mockEmail");
+      stateService.getKdfType.mockResolvedValue(KdfType.PBKDF2_SHA256);
+      stateService.getKdfConfig.mockResolvedValue({ iterations: 100000 });
+      cryptoService.makeMasterKey.mockResolvedValue(mockMasterKey);
+      cryptoService.isLegacyUser.mockResolvedValue(false);
+
+      await expect(
+        migrateFromLegacyEncryptionService.createNewUserKey(mockMasterPassword)
+      ).rejects.toThrowError("Invalid master password or user may not be legacy");
+    });
+  });
+
+  describe("updateKeysAndEncryptedData", () => {
+    let mockMasterPassword: string;
+    let mockUserKey: UserKey;
+    let mockEncUserKey: EncString;
+
+    beforeEach(() => {
+      mockMasterPassword = "mockMasterPassword";
+
+      const mockRandomBytes = new Uint8Array(64) as CsprngArray;
+      mockUserKey = new SymmetricCryptoKey(mockRandomBytes) as UserKey;
+      mockEncUserKey = new EncString("mockEncUserKey");
+
+      const mockFolders = [createMockFolder("1", "Folder 1"), createMockFolder("2", "Folder 2")];
+      const mockCiphers = [createMockCipher("1", "Cipher 1"), createMockCipher("2", "Cipher 2")];
+      const mockSends = [createMockSend("1", "Send 1"), createMockSend("2", "Send 2")];
+
+      cryptoService.getPrivateKey.mockResolvedValue(new Uint8Array(64) as CsprngArray);
+
+      folderViews = new BehaviorSubject<FolderView[]>(mockFolders);
+      folderService.folderViews$ = folderViews;
+
+      cipherService.getAllDecrypted.mockResolvedValue(mockCiphers);
+
+      sends = new BehaviorSubject<Send[]>(mockSends);
+      sendService.sends$ = sends;
+
+      encryptService.encrypt.mockImplementation((plainValue, userKey) => {
+        return Promise.resolve(
+          new EncString(EncryptionType.AesCbc256_HmacSha256_B64, "Encrypted: " + plainValue)
+        );
+      });
+
+      folderService.encrypt.mockImplementation((folder, userKey) => {
+        const encryptedFolder = new Folder();
+        encryptedFolder.id = folder.id;
+        encryptedFolder.name = new EncString(
+          EncryptionType.AesCbc256_HmacSha256_B64,
+          "Encrypted: " + folder.name
+        );
+        return Promise.resolve(encryptedFolder);
+      });
+
+      cipherService.encrypt.mockImplementation((cipher, userKey) => {
+        const encryptedCipher = new Cipher();
+        encryptedCipher.id = cipher.id;
+        encryptedCipher.name = new EncString(
+          EncryptionType.AesCbc256_HmacSha256_B64,
+          "Encrypted: " + cipher.name
+        );
+        return Promise.resolve(encryptedCipher);
+      });
+    });
+
+    it("derives the master key in case it hasn't been set", async () => {
+      await migrateFromLegacyEncryptionService.updateKeysAndEncryptedData(
+        mockMasterPassword,
+        mockUserKey,
+        mockEncUserKey
+      );
+
+      expect(cryptoService.getOrDeriveMasterKey).toHaveBeenCalled();
+    });
+
+    it("syncs latest data", async () => {
+      await migrateFromLegacyEncryptionService.updateKeysAndEncryptedData(
+        mockMasterPassword,
+        mockUserKey,
+        mockEncUserKey
+      );
+      expect(syncService.fullSync).toHaveBeenCalledWith(true);
+    });
+
+    it("does not post new account data if sync fails", async () => {
+      syncService.fullSync.mockRejectedValueOnce(new Error("sync failed"));
+
+      await expect(
+        migrateFromLegacyEncryptionService.updateKeysAndEncryptedData(
+          mockMasterPassword,
+          mockUserKey,
+          mockEncUserKey
+        )
+      ).rejects.toThrowError("sync failed");
+
+      expect(apiService.postAccountKey).not.toHaveBeenCalled();
+    });
+
+    it("does not post new account data if data retrieval fails", async () => {
+      (migrateFromLegacyEncryptionService as any).encryptCiphers = async () => {
+        throw new Error("Ciphers failed to be retrieved");
+      };
+
+      await expect(
+        migrateFromLegacyEncryptionService.updateKeysAndEncryptedData(
+          mockMasterPassword,
+          mockUserKey,
+          mockEncUserKey
+        )
+      ).rejects.toThrowError("Ciphers failed to be retrieved");
+
+      expect(apiService.postAccountKey).not.toHaveBeenCalled();
+    });
+  });
+
+  describe("updateEmergencyAccesses", () => {
+    let mockUserKey: UserKey;
+
+    beforeEach(() => {
+      const mockRandomBytes = new Uint8Array(64) as CsprngArray;
+      mockUserKey = new SymmetricCryptoKey(mockRandomBytes) as UserKey;
+
+      const mockEmergencyAccess = {
+        data: [
+          createMockEmergencyAccess("0", "EA 0", EmergencyAccessStatusType.Invited),
+          createMockEmergencyAccess("1", "EA 1", EmergencyAccessStatusType.Accepted),
+          createMockEmergencyAccess("2", "EA 2", EmergencyAccessStatusType.Confirmed),
+          createMockEmergencyAccess("3", "EA 3", EmergencyAccessStatusType.RecoveryInitiated),
+          createMockEmergencyAccess("4", "EA 4", EmergencyAccessStatusType.RecoveryApproved),
+        ],
+      } as ListResponse<EmergencyAccessGranteeDetailsResponse>;
+      apiService.getEmergencyAccessTrusted.mockResolvedValue(mockEmergencyAccess);
+      apiService.getUserPublicKey.mockResolvedValue({
+        userId: "mockUserId",
+        publicKey: "mockPublicKey",
+      } as UserKeyResponse);
+
+      cryptoService.rsaEncrypt.mockImplementation((plainValue, publicKey) => {
+        return Promise.resolve(
+          new EncString(EncryptionType.Rsa2048_OaepSha1_B64, "Encrypted: " + plainValue)
+        );
+      });
+    });
+
+    it("Only updates emergency accesses with allowed statuses", async () => {
+      await migrateFromLegacyEncryptionService.updateEmergencyAccesses(mockUserKey);
+
+      expect(apiService.putEmergencyAccess).not.toHaveBeenCalledWith(
+        "0",
+        expect.any(EmergencyAccessUpdateRequest)
+      );
+      expect(apiService.putEmergencyAccess).not.toHaveBeenCalledWith(
+        "1",
+        expect.any(EmergencyAccessUpdateRequest)
+      );
+    });
+  });
+
+  describe("updateAllAdminRecoveryKeys", () => {
+    let mockMasterPassword: string;
+    let mockUserKey: UserKey;
+
+    beforeEach(() => {
+      mockMasterPassword = "mockMasterPassword";
+
+      const mockRandomBytes = new Uint8Array(64) as CsprngArray;
+      mockUserKey = new SymmetricCryptoKey(mockRandomBytes) as UserKey;
+
+      organizationService.getAll.mockResolvedValue([
+        createOrganization("1", "Org 1", true),
+        createOrganization("2", "Org 2", true),
+        createOrganization("3", "Org 3", false),
+        createOrganization("4", "Org 4", false),
+      ]);
+
+      organizationApiService.getKeys.mockImplementation((orgId) => {
+        return Promise.resolve({
+          publicKey: orgId + "mockPublicKey",
+          privateKey: orgId + "mockPrivateKey",
+        } as OrganizationKeysResponse);
+      });
+    });
+
+    it("Only updates organizations that are enrolled in admin recovery", async () => {
+      await migrateFromLegacyEncryptionService.updateAllAdminRecoveryKeys(
+        mockMasterPassword,
+        mockUserKey
+      );
+
+      expect(
+        organizationUserService.putOrganizationUserResetPasswordEnrollment
+      ).toHaveBeenCalledWith(
+        "1",
+        expect.any(String),
+        expect.any(OrganizationUserResetPasswordEnrollmentRequest)
+      );
+      expect(
+        organizationUserService.putOrganizationUserResetPasswordEnrollment
+      ).toHaveBeenCalledWith(
+        "2",
+        expect.any(String),
+        expect.any(OrganizationUserResetPasswordEnrollmentRequest)
+      );
+      expect(
+        organizationUserService.putOrganizationUserResetPasswordEnrollment
+      ).not.toHaveBeenCalledWith(
+        "3",
+        expect.any(String),
+        expect.any(OrganizationUserResetPasswordEnrollmentRequest)
+      );
+      expect(
+        organizationUserService.putOrganizationUserResetPasswordEnrollment
+      ).not.toHaveBeenCalledWith(
+        "4",
+        expect.any(String),
+        expect.any(OrganizationUserResetPasswordEnrollmentRequest)
+      );
+    });
+  });
+});
+
+function createMockFolder(id: string, name: string): FolderView {
+  const folder = new FolderView();
+  folder.id = id;
+  folder.name = name;
+  return folder;
+}
+
+function createMockCipher(id: string, name: string): CipherView {
+  const cipher = new CipherView();
+  cipher.id = id;
+  cipher.name = name;
+  return cipher;
+}
+
+function createMockSend(id: string, name: string): Send {
+  const send = new Send();
+  send.id = id;
+  send.name = new EncString(EncryptionType.AesCbc256_HmacSha256_B64, name);
+  return send;
+}
+
+function createMockEmergencyAccess(
+  id: string,
+  name: string,
+  status: EmergencyAccessStatusType
+): EmergencyAccessGranteeDetailsResponse {
+  const emergencyAccess = new EmergencyAccessGranteeDetailsResponse({});
+  emergencyAccess.id = id;
+  emergencyAccess.name = name;
+  emergencyAccess.type = 0;
+  emergencyAccess.status = status;
+  return emergencyAccess;
+}
+
+function createOrganization(id: string, name: string, resetPasswordEnrolled: boolean) {
+  const org = new Organization();
+  org.id = id;
+  org.name = name;
+  org.resetPasswordEnrolled = resetPasswordEnrolled;
+  org.userId = "mockUserID";
+  return org;
+}
diff --git a/apps/web/src/app/auth/migrate-encryption/migrate-legacy-encryption.service.ts b/apps/web/src/app/auth/migrate-encryption/migrate-legacy-encryption.service.ts
new file mode 100644
index 00000000000..35005fdce40
--- /dev/null
+++ b/apps/web/src/app/auth/migrate-encryption/migrate-legacy-encryption.service.ts
@@ -0,0 +1,215 @@
+import { Injectable } from "@angular/core";
+import { firstValueFrom } from "rxjs";
+
+import { ApiService } from "@bitwarden/common/abstractions/api.service";
+import { OrganizationUserService } from "@bitwarden/common/abstractions/organization-user/organization-user.service";
+import { OrganizationUserResetPasswordEnrollmentRequest } from "@bitwarden/common/abstractions/organization-user/requests";
+import { OrganizationApiServiceAbstraction } from "@bitwarden/common/admin-console/abstractions/organization/organization-api.service.abstraction";
+import { OrganizationService } from "@bitwarden/common/admin-console/abstractions/organization/organization.service.abstraction";
+import { EmergencyAccessStatusType } from "@bitwarden/common/auth/enums/emergency-access-status-type";
+import { EmergencyAccessUpdateRequest } from "@bitwarden/common/auth/models/request/emergency-access-update.request";
+import { UpdateKeyRequest } from "@bitwarden/common/models/request/update-key.request";
+import { CryptoService } from "@bitwarden/common/platform/abstractions/crypto.service";
+import { EncryptService } from "@bitwarden/common/platform/abstractions/encrypt.service";
+import { StateService } from "@bitwarden/common/platform/abstractions/state.service";
+import { Utils } from "@bitwarden/common/platform/misc/utils";
+import { EncryptedString, EncString } from "@bitwarden/common/platform/models/domain/enc-string";
+import { UserKey } from "@bitwarden/common/platform/models/domain/symmetric-crypto-key";
+import { SendWithIdRequest } from "@bitwarden/common/tools/send/models/request/send-with-id.request";
+import { SendService } from "@bitwarden/common/tools/send/services/send.service.abstraction";
+import { CipherService } from "@bitwarden/common/vault/abstractions/cipher.service";
+import { FolderService } from "@bitwarden/common/vault/abstractions/folder/folder.service.abstraction";
+import { SyncService } from "@bitwarden/common/vault/abstractions/sync/sync.service.abstraction";
+import { CipherWithIdRequest } from "@bitwarden/common/vault/models/request/cipher-with-id.request";
+import { FolderWithIdRequest } from "@bitwarden/common/vault/models/request/folder-with-id.request";
+
+// TODO: PM-3797 - This service should be expanded and used for user key rotations in change-password.component.ts
+@Injectable()
+export class MigrateFromLegacyEncryptionService {
+  constructor(
+    private organizationService: OrganizationService,
+    private organizationApiService: OrganizationApiServiceAbstraction,
+    private organizationUserService: OrganizationUserService,
+    private apiService: ApiService,
+    private cryptoService: CryptoService,
+    private encryptService: EncryptService,
+    private syncService: SyncService,
+    private cipherService: CipherService,
+    private folderService: FolderService,
+    private sendService: SendService,
+    private stateService: StateService
+  ) {}
+
+  /**
+   * Validates the master password and creates a new user key.
+   * @returns A new user key along with the encrypted version
+   */
+  async createNewUserKey(masterPassword: string): Promise<[UserKey, EncString]> {
+    // Create master key to validate the master password
+    const masterKey = await this.cryptoService.makeMasterKey(
+      masterPassword,
+      await this.stateService.getEmail(),
+      await this.stateService.getKdfType(),
+      await this.stateService.getKdfConfig()
+    );
+
+    if (!masterKey) {
+      throw new Error("Invalid master password");
+    }
+
+    if (!(await this.cryptoService.isLegacyUser(masterKey))) {
+      throw new Error("Invalid master password or user may not be legacy");
+    }
+
+    // Set master key again in case it was lost (could be lost on refresh)
+    await this.cryptoService.setMasterKey(masterKey);
+    return await this.cryptoService.makeUserKey(masterKey);
+  }
+
+  /**
+   * Updates the user key, master key hash, private key, folders, ciphers, and sends
+   * on the server.
+   * @param masterPassword The master password
+   * @param newUserKey The new user key
+   * @param newEncUserKey The new encrypted user key
+   */
+  async updateKeysAndEncryptedData(
+    masterPassword: string,
+    newUserKey: UserKey,
+    newEncUserKey: EncString
+  ): Promise<void> {
+    // Create new request and add master key and hash
+    const request = new UpdateKeyRequest();
+    request.key = newEncUserKey.encryptedString;
+    request.masterPasswordHash = await this.cryptoService.hashMasterKey(
+      masterPassword,
+      await this.cryptoService.getOrDeriveMasterKey(masterPassword)
+    );
+
+    // Sync before encrypting to make sure we have latest data
+    await this.syncService.fullSync(true);
+
+    request.privateKey = await this.encryptPrivateKey(newUserKey);
+    request.folders = await this.encryptFolders(newUserKey);
+    request.ciphers = await this.encryptCiphers(newUserKey);
+    request.sends = await this.encryptSends(newUserKey);
+
+    return this.apiService.postAccountKey(request);
+  }
+
+  /**
+   * Gets user's emergency access details from server and encrypts with new user key
+   * on the server.
+   * @param newUserKey The new user key
+   */
+  async updateEmergencyAccesses(newUserKey: UserKey) {
+    const emergencyAccess = await this.apiService.getEmergencyAccessTrusted();
+    // Any Invited or Accepted requests won't have the key yet, so we don't need to update them
+    const allowedStatuses = new Set([
+      EmergencyAccessStatusType.Confirmed,
+      EmergencyAccessStatusType.RecoveryInitiated,
+      EmergencyAccessStatusType.RecoveryApproved,
+    ]);
+    const filteredAccesses = emergencyAccess.data.filter((d) => allowedStatuses.has(d.status));
+
+    for (const details of filteredAccesses) {
+      // Get public key of grantee
+      const publicKeyResponse = await this.apiService.getUserPublicKey(details.granteeId);
+      const publicKey = Utils.fromB64ToArray(publicKeyResponse.publicKey);
+
+      // Encrypt new user key with public key
+      const encryptedKey = await this.cryptoService.rsaEncrypt(newUserKey.key, publicKey);
+
+      const updateRequest = new EmergencyAccessUpdateRequest();
+      updateRequest.type = details.type;
+      updateRequest.waitTimeDays = details.waitTimeDays;
+      updateRequest.keyEncrypted = encryptedKey.encryptedString;
+
+      await this.apiService.putEmergencyAccess(details.id, updateRequest);
+    }
+  }
+
+  /** Updates all admin recovery keys on the server with the new user key
+   * @param masterPassword The user's master password
+   * @param newUserKey The new user key
+   */
+  async updateAllAdminRecoveryKeys(masterPassword: string, newUserKey: UserKey) {
+    const allOrgs = await this.organizationService.getAll();
+
+    for (const org of allOrgs) {
+      // If not already enrolled, skip
+      if (!org.resetPasswordEnrolled) {
+        continue;
+      }
+
+      // Retrieve public key
+      const response = await this.organizationApiService.getKeys(org.id);
+      const publicKey = Utils.fromB64ToArray(response?.publicKey);
+
+      // Re-enroll - encrypt user key with organization public key
+      const encryptedKey = await this.cryptoService.rsaEncrypt(newUserKey.key, publicKey);
+
+      // Create/Execute request
+      const request = new OrganizationUserResetPasswordEnrollmentRequest();
+      request.resetPasswordKey = encryptedKey.encryptedString;
+      request.masterPasswordHash = await this.cryptoService.hashMasterKey(
+        masterPassword,
+        await this.cryptoService.getOrDeriveMasterKey(masterPassword)
+      );
+
+      await this.organizationUserService.putOrganizationUserResetPasswordEnrollment(
+        org.id,
+        org.userId,
+        request
+      );
+    }
+  }
+
+  private async encryptPrivateKey(newUserKey: UserKey): Promise<EncryptedString | null> {
+    const privateKey = await this.cryptoService.getPrivateKey();
+    if (!privateKey) {
+      return;
+    }
+    return (await this.encryptService.encrypt(privateKey, newUserKey)).encryptedString;
+  }
+
+  private async encryptFolders(newUserKey: UserKey): Promise<FolderWithIdRequest[] | null> {
+    const folders = await firstValueFrom(this.folderService.folderViews$);
+    if (!folders) {
+      return;
+    }
+    return await Promise.all(
+      folders.map(async (folder) => {
+        const encryptedFolder = await this.folderService.encrypt(folder, newUserKey);
+        return new FolderWithIdRequest(encryptedFolder);
+      })
+    );
+  }
+
+  private async encryptCiphers(newUserKey: UserKey): Promise<CipherWithIdRequest[] | null> {
+    const ciphers = await this.cipherService.getAllDecrypted();
+    if (!ciphers) {
+      return;
+    }
+    return await Promise.all(
+      ciphers.map(async (cipher) => {
+        const encryptedCipher = await this.cipherService.encrypt(cipher, newUserKey);
+        return new CipherWithIdRequest(encryptedCipher);
+      })
+    );
+  }
+
+  private async encryptSends(newUserKey: UserKey): Promise<SendWithIdRequest[] | null> {
+    const sends = await firstValueFrom(this.sendService.sends$);
+    if (!sends) {
+      return;
+    }
+    return await Promise.all(
+      sends.map(async (send) => {
+        const sendKey = await this.encryptService.decryptToBytes(send.key, null);
+        send.key = (await this.encryptService.encrypt(sendKey, newUserKey)) ?? send.key;
+        return new SendWithIdRequest(send);
+      })
+    );
+  }
+}
diff --git a/apps/web/src/app/auth/settings/change-password.component.ts b/apps/web/src/app/auth/settings/change-password.component.ts
index 00baee44d0a..9ed8227316c 100644
--- a/apps/web/src/app/auth/settings/change-password.component.ts
+++ b/apps/web/src/app/auth/settings/change-password.component.ts
@@ -145,12 +145,6 @@ export class ChangePasswordComponent extends BaseChangePasswordComponent {
   }
 
   async submit() {
-    const hasUserKey = await this.cryptoService.hasUserKey();
-    if (!hasUserKey) {
-      this.platformUtilsService.showToast("error", null, this.i18nService.t("updateKey"));
-      return;
-    }
-
     if (this.masterPasswordHint != null && this.masterPasswordHint == this.masterPassword) {
       this.platformUtilsService.showToast(
         "error",
diff --git a/apps/web/src/app/auth/two-factor.component.ts b/apps/web/src/app/auth/two-factor.component.ts
index 29903317619..2dbb650874a 100644
--- a/apps/web/src/app/auth/two-factor.component.ts
+++ b/apps/web/src/app/auth/two-factor.component.ts
@@ -9,6 +9,7 @@ import { AuthService } from "@bitwarden/common/auth/abstractions/auth.service";
 import { LoginService } from "@bitwarden/common/auth/abstractions/login.service";
 import { TwoFactorService } from "@bitwarden/common/auth/abstractions/two-factor.service";
 import { TwoFactorProviderType } from "@bitwarden/common/auth/enums/two-factor-provider-type";
+import { AuthResult } from "@bitwarden/common/auth/models/domain/auth-result";
 import { AppIdService } from "@bitwarden/common/platform/abstractions/app-id.service";
 import { ConfigServiceAbstraction } from "@bitwarden/common/platform/abstractions/config/config.service.abstraction";
 import { EnvironmentService } from "@bitwarden/common/platform/abstractions/environment.service";
@@ -86,6 +87,14 @@ export class TwoFactorComponent extends BaseTwoFactorComponent {
     );
   }
 
+  protected override handleMigrateEncryptionKey(result: AuthResult): boolean {
+    if (!result.requiresEncryptionKeyMigration) {
+      return false;
+    }
+    this.router.navigate(["migrate-legacy-encryption"]);
+    return true;
+  }
+
   goAfterLogIn = async () => {
     this.loginService.clearValues();
     const previousUrl = this.routerService.getPreviousUrl();
diff --git a/apps/web/src/app/billing/organizations/organization-subscription-cloud.component.ts b/apps/web/src/app/billing/organizations/organization-subscription-cloud.component.ts
index b419f743262..5d5e644925c 100644
--- a/apps/web/src/app/billing/organizations/organization-subscription-cloud.component.ts
+++ b/apps/web/src/app/billing/organizations/organization-subscription-cloud.component.ts
@@ -12,8 +12,6 @@ import { Organization } from "@bitwarden/common/admin-console/models/domain/orga
 import { BitwardenProductType, PlanType } from "@bitwarden/common/billing/enums";
 import { OrganizationSubscriptionResponse } from "@bitwarden/common/billing/models/response/organization-subscription.response";
 import { BillingSubscriptionItemResponse } from "@bitwarden/common/billing/models/response/subscription.response";
-import { FeatureFlag } from "@bitwarden/common/enums/feature-flag.enum";
-import { ConfigServiceAbstraction } from "@bitwarden/common/platform/abstractions/config/config.service.abstraction";
 import { I18nService } from "@bitwarden/common/platform/abstractions/i18n.service";
 import { LogService } from "@bitwarden/common/platform/abstractions/log.service";
 import { PlatformUtilsService } from "@bitwarden/common/platform/abstractions/platform-utils.service";
@@ -62,7 +60,6 @@ export class OrganizationSubscriptionCloudComponent implements OnInit, OnDestroy
     private organizationApiService: OrganizationApiServiceAbstraction,
     private route: ActivatedRoute,
     private dialogService: DialogService,
-    private configService: ConfigServiceAbstraction,
     private datePipe: DatePipe
   ) {}
 
@@ -133,13 +130,6 @@ export class OrganizationSubscriptionCloudComponent implements OnInit, OnDestroy
       !this.subscriptionMarkedForCancel;
 
     this.loading = false;
-
-    // Remove the remaining lines when the sm-ga-billing flag is deleted
-    const smBillingEnabled = await this.configService.getFeatureFlag<boolean>(
-      FeatureFlag.SecretsManagerBilling
-    );
-    this.showSecretsManagerSubscribe = this.showSecretsManagerSubscribe && smBillingEnabled;
-    this.showAdjustSecretsManager = this.showAdjustSecretsManager && smBillingEnabled;
   }
 
   get subscription() {
diff --git a/apps/web/src/app/billing/settings/organization-plans.component.html b/apps/web/src/app/billing/settings/organization-plans.component.html
index b9331579033..06d04dc4e41 100644
--- a/apps/web/src/app/billing/settings/organization-plans.component.html
+++ b/apps/web/src/app/billing/settings/organization-plans.component.html
@@ -276,7 +276,7 @@
   <!-- Secrets Manager -->
   <div class="tw-my-10">
     <sm-subscribe
-      *ngIf="showSecretsManagerSubscribe && planOffersSecretsManager"
+      *ngIf="planOffersSecretsManager"
       [formGroup]="formGroup.controls.secretsManager"
       [selectedPlan]="selectedSecretsManagerPlan"
       [upgradeOrganization]="!createOrganization"
diff --git a/apps/web/src/app/billing/settings/organization-plans.component.ts b/apps/web/src/app/billing/settings/organization-plans.component.ts
index 6b0bd65d196..3d898de2140 100644
--- a/apps/web/src/app/billing/settings/organization-plans.component.ts
+++ b/apps/web/src/app/billing/settings/organization-plans.component.ts
@@ -23,8 +23,6 @@ import { ProviderOrganizationCreateRequest } from "@bitwarden/common/admin-conso
 import { BitwardenProductType, PaymentMethodType, PlanType } from "@bitwarden/common/billing/enums";
 import { PlanResponse } from "@bitwarden/common/billing/models/response/plan.response";
 import { ProductType } from "@bitwarden/common/enums";
-import { FeatureFlag } from "@bitwarden/common/enums/feature-flag.enum";
-import { ConfigServiceAbstraction } from "@bitwarden/common/platform/abstractions/config/config.service.abstraction";
 import { CryptoService } from "@bitwarden/common/platform/abstractions/crypto.service";
 import { I18nService } from "@bitwarden/common/platform/abstractions/i18n.service";
 import { LogService } from "@bitwarden/common/platform/abstractions/log.service";
@@ -94,7 +92,6 @@ export class OrganizationPlansComponent implements OnInit, OnDestroy {
   singleOrgPolicyAppliesToActiveUser = false;
   isInTrialFlow = false;
   discount = 0;
-  showSecretsManagerSubscribe: boolean;
 
   secretsManagerSubscription = secretsManagerSubscribeFormFactory(this.formBuilder);
 
@@ -129,8 +126,7 @@ export class OrganizationPlansComponent implements OnInit, OnDestroy {
     private logService: LogService,
     private messagingService: MessagingService,
     private formBuilder: FormBuilder,
-    private organizationApiService: OrganizationApiServiceAbstraction,
-    private configService: ConfigServiceAbstraction
+    private organizationApiService: OrganizationApiServiceAbstraction
   ) {
     this.selfHosted = platformUtilsService.isSelfHost();
   }
@@ -169,11 +165,6 @@ export class OrganizationPlansComponent implements OnInit, OnDestroy {
         this.singleOrgPolicyAppliesToActiveUser = policyAppliesToActiveUser;
       });
 
-    this.showSecretsManagerSubscribe = await this.configService.getFeatureFlag<boolean>(
-      FeatureFlag.SecretsManagerBilling,
-      false
-    );
-
     this.loading = false;
   }
 
diff --git a/apps/web/src/app/oss-routing.module.ts b/apps/web/src/app/oss-routing.module.ts
index e6f4caa112b..3a08a5863a5 100644
--- a/apps/web/src/app/oss-routing.module.ts
+++ b/apps/web/src/app/oss-routing.module.ts
@@ -175,6 +175,13 @@ const routes: Routes = [
         canActivate: [AuthGuard],
         data: { titleId: "removeMasterPassword" },
       },
+      {
+        path: "migrate-legacy-encryption",
+        loadComponent: () =>
+          import("./auth/migrate-encryption/migrate-legacy-encryption.component").then(
+            (mod) => mod.MigrateFromLegacyEncryptionComponent
+          ),
+      },
     ],
   },
   {
diff --git a/apps/web/src/app/oss.module.ts b/apps/web/src/app/oss.module.ts
index 1428aaea193..d15addba3ef 100644
--- a/apps/web/src/app/oss.module.ts
+++ b/apps/web/src/app/oss.module.ts
@@ -1,7 +1,6 @@
 import { NgModule } from "@angular/core";
 
 import { OrganizationCreateModule } from "./admin-console/organizations/create/organization-create.module";
-import { OrganizationManageModule } from "./admin-console/organizations/manage/organization-manage.module";
 import { OrganizationUserModule } from "./admin-console/organizations/users/organization-user.module";
 import { LoginModule } from "./auth/login/login.module";
 import { TrialInitiationModule } from "./auth/trial-initiation/trial-initiation.module";
@@ -16,7 +15,6 @@ import { VaultFilterModule } from "./vault/individual-vault/vault-filter/vault-f
     TrialInitiationModule,
     VaultFilterModule,
     OrganizationBadgeModule,
-    OrganizationManageModule,
     OrganizationUserModule,
     OrganizationCreateModule,
     LoginModule,
diff --git a/apps/web/src/app/settings/change-email.component.ts b/apps/web/src/app/settings/change-email.component.ts
index 76e78fcba9d..3321187af83 100644
--- a/apps/web/src/app/settings/change-email.component.ts
+++ b/apps/web/src/app/settings/change-email.component.ts
@@ -42,12 +42,6 @@ export class ChangeEmailComponent implements OnInit {
   }
 
   async submit() {
-    const hasUserKey = await this.cryptoService.hasUserKey();
-    if (!hasUserKey) {
-      this.platformUtilsService.showToast("error", null, this.i18nService.t("updateKey"));
-      return;
-    }
-
     this.newEmail = this.newEmail.trim().toLowerCase();
     if (!this.tokenSent) {
       const request = new EmailTokenRequest();
diff --git a/apps/web/src/app/settings/change-kdf/change-kdf-confirmation.component.ts b/apps/web/src/app/settings/change-kdf/change-kdf-confirmation.component.ts
index dd2a8c45d95..169b1bbdfa6 100644
--- a/apps/web/src/app/settings/change-kdf/change-kdf-confirmation.component.ts
+++ b/apps/web/src/app/settings/change-kdf/change-kdf-confirmation.component.ts
@@ -46,11 +46,6 @@ export class ChangeKdfConfirmationComponent {
 
   async submit() {
     this.loading = true;
-    const hasUserKey = await this.cryptoService.hasUserKey();
-    if (!hasUserKey) {
-      this.platformUtilsService.showToast("error", null, this.i18nService.t("updateKey"));
-      return;
-    }
 
     try {
       this.formPromise = this.makeKeyAndSaveAsync();
diff --git a/apps/web/src/app/settings/update-key.component.html b/apps/web/src/app/settings/update-key.component.html
deleted file mode 100644
index 7b94a6dca04..00000000000
--- a/apps/web/src/app/settings/update-key.component.html
+++ /dev/null
@@ -1,55 +0,0 @@
-<div class="modal fade" role="dialog" aria-modal="true" aria-labelledby="updateUserKeyTitle">
-  <div class="modal-dialog modal-dialog-scrollable" role="document">
-    <form
-      class="modal-content"
-      #form
-      (ngSubmit)="submit()"
-      [appApiAction]="formPromise"
-      ngNativeValidate
-    >
-      <div class="modal-header">
-        <h1 class="modal-title" id="updateUserKeyTitle">{{ "updateEncryptionKey" | i18n }}</h1>
-        <button
-          type="button"
-          class="close"
-          data-dismiss="modal"
-          appA11yTitle="{{ 'close' | i18n }}"
-        >
-          <span aria-hidden="true">&times;</span>
-        </button>
-      </div>
-      <div class="modal-body">
-        <p>
-          {{ "updateEncryptionKeyShortDesc" | i18n }} {{ "updateEncryptionKeyDesc" | i18n }}
-          <a
-            href="https://bitwarden.com/help/account-encryption-key/#rotate-your-encryption-key"
-            target="_blank"
-            rel="noopener"
-            >{{ "learnMore" | i18n }}</a
-          >
-        </p>
-        <app-callout type="warning">{{ "updateEncryptionKeyWarning" | i18n }}</app-callout>
-        <label for="masterPassword">{{ "masterPass" | i18n }}</label>
-        <input
-          id="masterPassword"
-          type="password"
-          name="MasterPasswordHash"
-          class="form-control"
-          [(ngModel)]="masterPassword"
-          required
-          appAutofocus
-          appInputVerbatim
-        />
-      </div>
-      <div class="modal-footer">
-        <button type="submit" class="btn btn-primary btn-submit" [disabled]="form.loading">
-          <i class="bwi bwi-spinner bwi-spin" title="{{ 'loading' | i18n }}" aria-hidden="true"></i>
-          <span>{{ "updateEncryptionKey" | i18n }}</span>
-        </button>
-        <button type="button" class="btn btn-outline-secondary" data-dismiss="modal">
-          {{ "close" | i18n }}
-        </button>
-      </div>
-    </form>
-  </div>
-</div>
diff --git a/apps/web/src/app/settings/update-key.component.ts b/apps/web/src/app/settings/update-key.component.ts
deleted file mode 100644
index 8c7d7cf882f..00000000000
--- a/apps/web/src/app/settings/update-key.component.ts
+++ /dev/null
@@ -1,108 +0,0 @@
-import { Component } from "@angular/core";
-import { firstValueFrom } from "rxjs";
-
-import { ApiService } from "@bitwarden/common/abstractions/api.service";
-import { UpdateKeyRequest } from "@bitwarden/common/models/request/update-key.request";
-import { CryptoService } from "@bitwarden/common/platform/abstractions/crypto.service";
-import { I18nService } from "@bitwarden/common/platform/abstractions/i18n.service";
-import { LogService } from "@bitwarden/common/platform/abstractions/log.service";
-import { MessagingService } from "@bitwarden/common/platform/abstractions/messaging.service";
-import { PlatformUtilsService } from "@bitwarden/common/platform/abstractions/platform-utils.service";
-import { EncString } from "@bitwarden/common/platform/models/domain/enc-string";
-import { CipherWithIdRequest } from "@bitwarden/common/vault//models/request/cipher-with-id.request";
-import { CipherService } from "@bitwarden/common/vault/abstractions/cipher.service";
-import { FolderService } from "@bitwarden/common/vault/abstractions/folder/folder.service.abstraction";
-import { SyncService } from "@bitwarden/common/vault/abstractions/sync/sync.service.abstraction";
-import { FolderWithIdRequest } from "@bitwarden/common/vault/models/request/folder-with-id.request";
-
-@Component({
-  selector: "app-update-key",
-  templateUrl: "update-key.component.html",
-})
-export class UpdateKeyComponent {
-  masterPassword: string;
-  formPromise: Promise<any>;
-
-  constructor(
-    private apiService: ApiService,
-    private i18nService: I18nService,
-    private platformUtilsService: PlatformUtilsService,
-    private cryptoService: CryptoService,
-    private messagingService: MessagingService,
-    private syncService: SyncService,
-    private folderService: FolderService,
-    private cipherService: CipherService,
-    private logService: LogService
-  ) {}
-
-  async submit() {
-    const hasUserKey = await this.cryptoService.hasUserKey();
-    if (hasUserKey) {
-      return;
-    }
-
-    if (this.masterPassword == null || this.masterPassword === "") {
-      this.platformUtilsService.showToast(
-        "error",
-        this.i18nService.t("errorOccurred"),
-        this.i18nService.t("masterPasswordRequired")
-      );
-      return;
-    }
-
-    try {
-      this.formPromise = this.makeRequest().then((request) => {
-        return this.apiService.postAccountKey(request);
-      });
-      await this.formPromise;
-      this.platformUtilsService.showToast(
-        "success",
-        this.i18nService.t("keyUpdated"),
-        this.i18nService.t("logBackInOthersToo"),
-        { timeout: 15000 }
-      );
-      this.messagingService.send("logout");
-    } catch (e) {
-      this.logService.error(e);
-    }
-  }
-
-  private async makeRequest(): Promise<UpdateKeyRequest> {
-    const masterKey = await this.cryptoService.getMasterKey();
-    const newUserKey = await this.cryptoService.makeUserKey(masterKey);
-    const privateKey = await this.cryptoService.getPrivateKey();
-    let encPrivateKey: EncString = null;
-    if (privateKey != null) {
-      encPrivateKey = await this.cryptoService.encrypt(privateKey, newUserKey[0]);
-    }
-    const request = new UpdateKeyRequest();
-    request.privateKey = encPrivateKey != null ? encPrivateKey.encryptedString : null;
-    request.key = newUserKey[1].encryptedString;
-    request.masterPasswordHash = await this.cryptoService.hashMasterKey(
-      this.masterPassword,
-      await this.cryptoService.getOrDeriveMasterKey(this.masterPassword)
-    );
-
-    await this.syncService.fullSync(true);
-
-    const folders = await firstValueFrom(this.folderService.folderViews$);
-    for (let i = 0; i < folders.length; i++) {
-      if (folders[i].id == null) {
-        continue;
-      }
-      const folder = await this.folderService.encrypt(folders[i], newUserKey[0]);
-      request.folders.push(new FolderWithIdRequest(folder));
-    }
-
-    const ciphers = await this.cipherService.getAllDecrypted();
-    for (let i = 0; i < ciphers.length; i++) {
-      if (ciphers[i].organizationId != null) {
-        continue;
-      }
-      const cipher = await this.cipherService.encrypt(ciphers[i], newUserKey[0]);
-      request.ciphers.push(new CipherWithIdRequest(cipher));
-    }
-
-    return request;
-  }
-}
diff --git a/apps/web/src/app/shared/loose-components.module.ts b/apps/web/src/app/shared/loose-components.module.ts
index 4552162cc8d..b9c220ab5ef 100644
--- a/apps/web/src/app/shared/loose-components.module.ts
+++ b/apps/web/src/app/shared/loose-components.module.ts
@@ -86,7 +86,6 @@ import { PurgeVaultComponent } from "../settings/purge-vault.component";
 import { SecurityKeysComponent } from "../settings/security-keys.component";
 import { SecurityComponent } from "../settings/security.component";
 import { SettingsComponent } from "../settings/settings.component";
-import { UpdateKeyComponent } from "../settings/update-key.component";
 import { UpdateLicenseComponent } from "../settings/update-license.component";
 import { VaultTimeoutInputComponent } from "../settings/vault-timeout-input.component";
 import { GeneratorComponent } from "../tools/generator.component";
@@ -216,7 +215,6 @@ import { SharedModule } from "./shared.module";
     TwoFactorVerifyComponent,
     TwoFactorWebAuthnComponent,
     TwoFactorYubiKeyComponent,
-    UpdateKeyComponent,
     UpdateLicenseComponent,
     UpdatePasswordComponent,
     UpdateTempPasswordComponent,
@@ -319,7 +317,6 @@ import { SharedModule } from "./shared.module";
     TwoFactorVerifyComponent,
     TwoFactorWebAuthnComponent,
     TwoFactorYubiKeyComponent,
-    UpdateKeyComponent,
     UpdateLicenseComponent,
     UpdatePasswordComponent,
     UpdateTempPasswordComponent,
diff --git a/apps/web/src/app/tools/import-export/import.component.ts b/apps/web/src/app/tools/import-export/import.component.ts
index fb7d1d5501d..de2de35777e 100644
--- a/apps/web/src/app/tools/import-export/import.component.ts
+++ b/apps/web/src/app/tools/import-export/import.component.ts
@@ -309,7 +309,7 @@ export class ImportComponent implements OnInit, OnDestroy {
   }
 
   private getFileContents(file: File): Promise<string> {
-    if (this.format === "1password1pux") {
+    if (this.format === "1password1pux" && file.name.endsWith(".1pux")) {
       return this.extractZipContent(file, "export.data");
     }
     if (
diff --git a/apps/web/src/app/vault/individual-vault/vault.component.html b/apps/web/src/app/vault/individual-vault/vault.component.html
index dece0ea10fb..265bdec2cee 100644
--- a/apps/web/src/app/vault/individual-vault/vault.component.html
+++ b/apps/web/src/app/vault/individual-vault/vault.component.html
@@ -77,19 +77,6 @@
       </div>
     </div>
     <div class="col-3">
-      <div class="card border-warning mb-4" *ngIf="showUpdateKey">
-        <div class="card-header bg-warning text-white">
-          <i class="bwi bwi-exclamation-triangle bwi-fw" aria-hidden="true"></i>
-          {{ "updateKeyTitle" | i18n }}
-        </div>
-        <div class="card-body">
-          <p>{{ "updateEncryptionKeyShortDesc" | i18n }}</p>
-          <button class="btn btn-block btn-outline-secondary" type="button" (click)="updateKey()">
-            {{ "updateEncryptionKey" | i18n }}
-          </button>
-        </div>
-      </div>
-
       <app-low-kdf class="d-block mb-4" *ngIf="showLowKdf"> </app-low-kdf>
 
       <app-verify-email
diff --git a/apps/web/src/app/vault/individual-vault/vault.component.ts b/apps/web/src/app/vault/individual-vault/vault.component.ts
index 139fce27669..29dad9624b8 100644
--- a/apps/web/src/app/vault/individual-vault/vault.component.ts
+++ b/apps/web/src/app/vault/individual-vault/vault.component.ts
@@ -60,7 +60,6 @@ import { CipherView } from "@bitwarden/common/vault/models/view/cipher.view";
 import { CollectionView } from "@bitwarden/common/vault/models/view/collection.view";
 import { DialogService, Icons } from "@bitwarden/components";
 
-import { UpdateKeyComponent } from "../../settings/update-key.component";
 import { CollectionDialogAction, openCollectionDialog } from "../components/collection-dialog";
 import { VaultItemEvent } from "../components/vault-items/vault-item-event";
 import { getNestedCollectionTree } from "../utils/collection-utils";
@@ -114,12 +113,9 @@ export class VaultComponent implements OnInit, OnDestroy {
   @ViewChild("share", { read: ViewContainerRef, static: true }) shareModalRef: ViewContainerRef;
   @ViewChild("collectionsModal", { read: ViewContainerRef, static: true })
   collectionsModalRef: ViewContainerRef;
-  @ViewChild("updateKeyTemplate", { read: ViewContainerRef, static: true })
-  updateKeyModalRef: ViewContainerRef;
 
   showVerifyEmail = false;
   showBrowserOutdated = false;
-  showUpdateKey = false;
   showPremiumCallout = false;
   showLowKdf = false;
   trashCleanupWarning: string = null;
@@ -197,7 +193,6 @@ export class VaultComponent implements OnInit, OnDestroy {
         const canAccessPremium = await this.stateService.getCanAccessPremium();
         this.showPremiumCallout =
           !this.showVerifyEmail && !canAccessPremium && !this.platformUtilsService.isSelfHost();
-        this.showUpdateKey = !(await this.cryptoService.hasUserKey());
 
         const cipherId = getCipherIdFromParams(params);
         if (!cipherId) {
@@ -405,11 +400,7 @@ export class VaultComponent implements OnInit, OnDestroy {
 
   get isShowingCards() {
     return (
-      this.showBrowserOutdated ||
-      this.showPremiumCallout ||
-      this.showUpdateKey ||
-      this.showVerifyEmail ||
-      this.showLowKdf
+      this.showBrowserOutdated || this.showPremiumCallout || this.showVerifyEmail || this.showLowKdf
     );
   }
 
@@ -877,10 +868,6 @@ export class VaultComponent implements OnInit, OnDestroy {
       : this.cipherService.softDeleteWithServer(id);
   }
 
-  async updateKey() {
-    await this.modalService.openViewRef(UpdateKeyComponent, this.updateKeyModalRef);
-  }
-
   async isLowKdfIteration() {
     const kdfType = await this.stateService.getKdfType();
     const kdfOptions = await this.stateService.getKdfConfig();
diff --git a/apps/web/src/locales/en/messages.json b/apps/web/src/locales/en/messages.json
index eb551d83b2f..b45accdf994 100644
--- a/apps/web/src/locales/en/messages.json
+++ b/apps/web/src/locales/en/messages.json
@@ -508,9 +508,6 @@
   "maxFileSize": {
     "message": "Maximum file size is 500 MB."
   },
-  "updateKey": {
-    "message": "You cannot use this feature until you update your encryption key."
-  },
   "addedItem": {
     "message": "Item added"
   },
@@ -3476,17 +3473,11 @@
   "keyUpdated": {
     "message": "Key updated"
   },
-  "updateKeyTitle": {
-    "message": "Update key"
-  },
   "updateEncryptionKey": {
     "message": "Update encryption key"
   },
-  "updateEncryptionKeyShortDesc": {
-    "message": "You are currently using an outdated encryption scheme."
-  },
-  "updateEncryptionKeyDesc": {
-    "message": "We've moved to larger encryption keys that provide better security and access to newer features. Updating your encryption key is quick and easy. Just type your master password below. This update will eventually become mandatory."
+  "updateEncryptionSchemeDesc": {
+    "message": "We've changed the encryption scheme to provide better security. Update your encryption key now by entering your master password below."
   },
   "updateEncryptionKeyWarning": {
     "message": "After updating your encryption key, you are required to log out and back in to all Bitwarden applications that you are currently using (such as the mobile app or browser extensions). Failure to log out and back in (which downloads your new encryption key) may result in data corruption. We will attempt to log you out automatically, however, it may be delayed."
diff --git a/apps/web/src/locales/zh_CN/messages.json b/apps/web/src/locales/zh_CN/messages.json
index 2136611a2be..008ad22a980 100644
--- a/apps/web/src/locales/zh_CN/messages.json
+++ b/apps/web/src/locales/zh_CN/messages.json
@@ -142,7 +142,7 @@
     "message": "文件夹"
   },
   "newCustomField": {
-    "message": "新建自定义字段"
+    "message": "新增自定义字段"
   },
   "value": {
     "message": "值"
@@ -606,13 +606,13 @@
     "message": "登录或者创建一个账户来访问您的安全密码库。"
   },
   "loginWithDevice": {
-    "message": "使用设备登录"
+    "message": "设备登录"
   },
   "loginWithDeviceEnabledNote": {
     "message": "设备登录必须在 Bitwarden 应用程序的设置中启用。需要其他登录选项吗？"
   },
   "loginWithMasterPassword": {
-    "message": "使用主密码登录"
+    "message": "主密码登录"
   },
   "createAccount": {
     "message": "创建账户"
@@ -791,7 +791,7 @@
     "message": "请输入验证器应用程序中的 6 位验证码。"
   },
   "enterVerificationCodeEmail": {
-    "message": "请输入发送给电子邮件 $EMAIL$ 的 6 位验证码。",
+    "message": "请输入发送给电子邮件 $EMAIL$ 的 6 位数验证码。",
     "placeholders": {
       "email": {
         "content": "$1",
@@ -812,7 +812,7 @@
     "message": "记住我"
   },
   "sendVerificationCodeEmailAgain": {
-    "message": "重发验证码电子邮件"
+    "message": "再次发送验证码电子邮件"
   },
   "useAnotherTwoStepMethod": {
     "message": "使用其他两步登录方式"
@@ -1104,7 +1104,7 @@
     "message": "继续操作将更改您的账户电子邮件地址。这不会更改用于双重身份验证的电子邮件地址。您可以在两步登录设置中更改它。"
   },
   "newEmail": {
-    "message": "新电子邮件"
+    "message": "新电子邮件地址"
   },
   "code": {
     "message": "代码"
@@ -1663,7 +1663,7 @@
     "message": "单击下面的「保存」按钮，以启用此安全钥匙用于两步登录。"
   },
   "twoFactorU2fProblemReadingTryAgain": {
-    "message": "读取安全钥匙时出现问题，请再试一次。"
+    "message": "读取安全钥匙时出现问题，请重试。"
   },
   "twoFactorWebAuthnWarning": {
     "message": "由于平台限制，无法在所有 Bitwarden 应用程序中使用 WebAuthn。您应该启用另一个两步登录提供程序，以便在 WebAuthn 无法使用时可以访问您的账户。支持的平台有："
@@ -1968,7 +1968,7 @@
     }
   },
   "bitwardenFamiliesPlan": {
-    "message": "Bitwarden 家庭计划。"
+    "message": "Bitwarden 家庭版计划。"
   },
   "addons": {
     "message": "附加项目"
@@ -2304,7 +2304,7 @@
     }
   },
   "planNameFamilies": {
-    "message": "家庭"
+    "message": "家庭版"
   },
   "planDescFamilies": {
     "message": "适用于个人使用，与家人和朋友共享。"
@@ -2499,7 +2499,7 @@
     "message": "群组"
   },
   "newGroup": {
-    "message": "新建群组"
+    "message": "新增群组"
   },
   "addGroup": {
     "message": "添加群组"
@@ -2553,7 +2553,7 @@
     "message": "只读"
   },
   "newCollection": {
-    "message": "新建集合"
+    "message": "新增集合"
   },
   "addCollection": {
     "message": "添加集合"
@@ -4152,7 +4152,7 @@
     "message": "紧急访问已批准"
   },
   "viewDesc": {
-    "message": "可以查看您拥有的密码库中的所有项目。"
+    "message": "可以查看您的密码库中的所有项目。"
   },
   "takeover": {
     "message": "接管"
@@ -4646,7 +4646,7 @@
     "message": "回收站中超过 30 天的条目将会被自动删除。"
   },
   "trashCleanupWarningSelfHosted": {
-    "message": "回收站中超过一定时间的项目将会被自动删除。"
+    "message": "回收站中超过一定时间的条目将会被自动删除。"
   },
   "passwordPrompt": {
     "message": "主密码重新提示"
@@ -4730,7 +4730,7 @@
     "message": "错误"
   },
   "accountRecoveryManageUsers": {
-    "message": "管理用户也必须被授予管理账户恢复的权限"
+    "message": "授予「管理账户恢复」的权限，同时必须授予「管理用户」的权限"
   },
   "setupProvider": {
     "message": "提供商设置"
@@ -5080,7 +5080,7 @@
     "message": "免费 Bitwarden 家庭"
   },
   "sponsoredFamiliesEligible": {
-    "message": "您和您的家人可使用免费的 Bitwarden 家庭版计划。即使您不在公司上班，您也可以使用个人电子邮件兑换此计划，以保护您的数据安全。"
+    "message": "您和您的家人有资格享受免费的 Bitwarden 家庭版计划。即使您不在公司上班，您也可以使用个人电子邮件兑换此计划，以保护您的数据安全。"
   },
   "sponsoredFamiliesEligibleCard": {
     "message": "立即兑换免费的 Bitwarden 家庭版计划，即使您不在公司上班也能确保您的数据安全。"
@@ -5374,19 +5374,19 @@
     "message": "计费同步令牌"
   },
   "active": {
-    "message": "生效中"
+    "message": "已生效"
   },
   "inactive": {
     "message": "已失效"
   },
   "sentAwaitingSync": {
-    "message": "已发送（正在等待同步）"
+    "message": "已发送（等待同步）"
   },
   "sent": {
-    "message": "发送"
+    "message": "已发送"
   },
   "requestRemoved": {
-    "message": "已移除（正在等待同步）"
+    "message": "已移除（等待同步）"
   },
   "requested": {
     "message": "已请求"
@@ -5614,7 +5614,7 @@
     "message": "启用设备验证"
   },
   "deviceVerificationDesc": {
-    "message": "登录未识别的设备时，验证码会发送到您的电子邮件地址"
+    "message": "登录未识别的设备时，验证码会发送到您的电子邮箱"
   },
   "updatedDeviceVerification": {
     "message": "已更新设备验证"
@@ -6230,7 +6230,7 @@
     "description": "Toast message after deleting one or multiple access tokens."
   },
   "noAccessTokenSelected": {
-    "message": "未选中任何要撤销的访问令牌",
+    "message": "未选中任何要吊销的访问令牌",
     "description": "Toast error message after trying to delete access tokens but not selecting any access tokens."
   },
   "submenu": {
diff --git a/apps/web/src/scss/styles.scss b/apps/web/src/scss/styles.scss
index 2c0f9c21fd6..05cd9fef4eb 100644
--- a/apps/web/src/scss/styles.scss
+++ b/apps/web/src/scss/styles.scss
@@ -20,7 +20,7 @@
 @import "~bootstrap/scss/_buttons";
 @import "~bootstrap/scss/_transitions";
 @import "~bootstrap/scss/_dropdown";
-@import "~bootstrap/scss/_button-group";
+// @import "~bootstrap/scss/_button-group";
 @import "~bootstrap/scss/_input-group";
 // @import "~bootstrap/scss/_custom-forms";
 @import "~bootstrap/scss/_nav";
diff --git a/bitwarden_license/bit-web/src/app/admin-console/providers/manage/people.component.html b/bitwarden_license/bit-web/src/app/admin-console/providers/manage/people.component.html
index 152253fe4d1..90160daeadb 100644
--- a/bitwarden_license/bit-web/src/app/admin-console/providers/manage/people.component.html
+++ b/bitwarden_license/bit-web/src/app/admin-console/providers/manage/people.component.html
@@ -1,48 +1,37 @@
 <div class="page-header d-flex">
   <h1>{{ "people" | i18n }}</h1>
   <div class="ml-auto d-flex">
-    <div class="btn-group btn-group-sm" role="group">
-      <button
-        type="button"
-        class="btn btn-outline-secondary"
-        [ngClass]="{ active: status == null }"
-        (click)="filter(null)"
-      >
+    <bit-toggle-group
+      [selected]="status"
+      (selectedChange)="filter($event)"
+      [attr.aria-label]="'memberStatusFilter' | i18n"
+    >
+      <bit-toggle [value]="null">
         {{ "all" | i18n }}
         <span bitBadge badgeType="info" *ngIf="allCount">{{ allCount }}</span>
-      </button>
-      <button
-        type="button"
-        class="btn btn-outline-secondary"
-        [ngClass]="{ active: status == userStatusType.Invited }"
-        (click)="filter(userStatusType.Invited)"
-      >
+      </bit-toggle>
+
+      <bit-toggle [value]="userStatusType.Invited">
         {{ "invited" | i18n }}
         <span bitBadge badgeType="info" *ngIf="invitedCount">{{ invitedCount }}</span>
-      </button>
-      <button
-        type="button"
-        class="btn btn-outline-secondary"
-        [ngClass]="{ active: status == userStatusType.Accepted }"
-        (click)="filter(userStatusType.Accepted)"
-      >
+      </bit-toggle>
+
+      <bit-toggle [value]="userStatusType.Accepted">
         {{ "accepted" | i18n }}
         <span bitBadge badgeType="warning" *ngIf="acceptedCount">{{ acceptedCount }}</span>
-      </button>
-    </div>
+      </bit-toggle>
+    </bit-toggle-group>
+
     <div class="ml-3">
-      <label class="sr-only" for="search">{{ "search" | i18n }}</label>
-      <input
-        type="search"
-        class="form-control form-control-sm"
-        id="search"
-        placeholder="{{ 'search' | i18n }}"
+      <bit-search
+        class="tw-grow"
         [(ngModel)]="searchText"
-      />
+        [placeholder]="'search' | i18n"
+      ></bit-search>
     </div>
     <div class="dropdown ml-3" appListDropdown>
       <button
-        class="btn btn-sm btn-outline-secondary dropdown-toggle"
+        class="btn btn-outline-secondary dropdown-toggle"
         type="button"
         id="bulkActionsButton"
         data-toggle="dropdown"
@@ -82,7 +71,7 @@
         </button>
       </div>
     </div>
-    <button type="button" class="btn btn-sm btn-outline-primary ml-3" (click)="invite()">
+    <button type="button" class="btn btn-outline-primary ml-3" (click)="invite()">
       <i class="bwi bwi-plus bwi-fw" aria-hidden="true"></i>
       {{ "inviteUser" | i18n }}
     </button>
diff --git a/bitwarden_license/bit-web/src/app/admin-console/providers/manage/people.component.ts b/bitwarden_license/bit-web/src/app/admin-console/providers/manage/people.component.ts
index 3f365271168..6afa4ac9ff4 100644
--- a/bitwarden_license/bit-web/src/app/admin-console/providers/manage/people.component.ts
+++ b/bitwarden_license/bit-web/src/app/admin-console/providers/manage/people.component.ts
@@ -50,6 +50,7 @@ export class PeopleComponent
 
   userType = ProviderUserType;
   userStatusType = ProviderUserStatusType;
+  status: ProviderUserStatusType = null;
   providerId: string;
   accessEvents = false;
 
diff --git a/bitwarden_license/bit-web/src/app/admin-console/providers/providers.module.ts b/bitwarden_license/bit-web/src/app/admin-console/providers/providers.module.ts
index cda2a108f7f..70bc6241b6f 100644
--- a/bitwarden_license/bit-web/src/app/admin-console/providers/providers.module.ts
+++ b/bitwarden_license/bit-web/src/app/admin-console/providers/providers.module.ts
@@ -4,6 +4,7 @@ import { FormsModule } from "@angular/forms";
 
 import { JslibModule } from "@bitwarden/angular/jslib.module";
 import { ModalService } from "@bitwarden/angular/services/modal.service";
+import { SearchModule } from "@bitwarden/components";
 import { OssModule } from "@bitwarden/web-vault/app/oss.module";
 
 import { AddOrganizationComponent } from "./clients/add-organization.component";
@@ -26,7 +27,14 @@ import { SetupProviderComponent } from "./setup/setup-provider.component";
 import { SetupComponent } from "./setup/setup.component";
 
 @NgModule({
-  imports: [CommonModule, FormsModule, OssModule, JslibModule, ProvidersRoutingModule],
+  imports: [
+    CommonModule,
+    FormsModule,
+    OssModule,
+    JslibModule,
+    SearchModule,
+    ProvidersRoutingModule,
+  ],
   declarations: [
     AcceptProviderComponent,
     AccountComponent,
diff --git a/libs/angular/src/auth/components/environment-selector.component.html b/libs/angular/src/auth/components/environment-selector.component.html
index 4e8d33bde68..2765787c317 100644
--- a/libs/angular/src/auth/components/environment-selector.component.html
+++ b/libs/angular/src/auth/components/environment-selector.component.html
@@ -1,40 +1,51 @@
-<label class="environment-selector-btn">
+<div class="environment-selector-btn">
   {{ "loggingInOn" | i18n }}:
-  <a
+  <button
+    type="button"
     (click)="toggle(null)"
     cdkOverlayOrigin
     #trigger="cdkOverlayOrigin"
-    aria-haspopup="menu"
+    aria-haspopup="dialog"
     aria-controls="cdk-overlay-container"
     [ngSwitch]="selectedEnvironment"
   >
-    <label *ngSwitchCase="ServerEnvironmentType.US" class="text-primary">{{
+    <span *ngSwitchCase="ServerEnvironmentType.US" class="text-primary">{{
       "usDomain" | i18n
-    }}</label>
-    <label *ngSwitchCase="ServerEnvironmentType.EU" class="text-primary">{{
+    }}</span>
+    <span *ngSwitchCase="ServerEnvironmentType.EU" class="text-primary">{{
       "euDomain" | i18n
-    }}</label>
-    <label *ngSwitchCase="ServerEnvironmentType.SelfHosted" class="text-primary">{{
+    }}</span>
+    <span *ngSwitchCase="ServerEnvironmentType.SelfHosted" class="text-primary">{{
       "selfHostedServer" | i18n
-    }}</label>
+    }}</span>
     <i class="bwi bwi-fw bwi-sm bwi-angle-down" aria-hidden="true"></i>
-  </a>
-</label>
+  </button>
+</div>
 
 <ng-template
   cdkConnectedOverlay
   [cdkConnectedOverlayOrigin]="trigger"
-  (backdropClick)="close()"
-  (detach)="close()"
   [cdkConnectedOverlayOpen]="isOpen"
   [cdkConnectedOverlayPositions]="overlayPosition"
+  [cdkConnectedOverlayHasBackdrop]="true"
+  [cdkConnectedOverlayBackdropClass]="'cdk-overlay-transparent-backdrop'"
+  (backdropClick)="isOpen = false"
+  (detach)="close()"
 >
   <div class="box-content">
-    <div class="environment-selector-dialog" [@transformPanel]="'open'" role="dialog">
+    <div
+      class="environment-selector-dialog"
+      [@transformPanel]="'open'"
+      cdkTrapFocus
+      cdkTrapFocusAutoCapture
+      role="dialog"
+      aria-modal="true"
+    >
       <button
         type="button"
         class="environment-selector-dialog-item"
         (click)="toggle(ServerEnvironmentType.US)"
+        [attr.aria-pressed]="selectedEnvironment === ServerEnvironmentType.US ? 'true' : 'false'"
       >
         <i
           class="bwi bwi-fw bwi-sm bwi-check"
@@ -51,6 +62,7 @@
         type="button"
         class="environment-selector-dialog-item"
         (click)="toggle(ServerEnvironmentType.EU)"
+        [attr.aria-pressed]="selectedEnvironment === ServerEnvironmentType.EU ? 'true' : 'false'"
         *ngIf="euServerFlagEnabled"
       >
         <i
@@ -68,6 +80,9 @@
         type="button"
         class="environment-selector-dialog-item"
         (click)="toggle(ServerEnvironmentType.SelfHosted)"
+        [attr.aria-pressed]="
+          selectedEnvironment === ServerEnvironmentType.SelfHosted ? 'true' : 'false'
+        "
       >
         <i
           class="bwi bwi-fw bwi-sm bwi-check"
diff --git a/libs/angular/src/auth/components/login.component.ts b/libs/angular/src/auth/components/login.component.ts
index 38fa4faf543..74a8388a3ac 100644
--- a/libs/angular/src/auth/components/login.component.ts
+++ b/libs/angular/src/auth/components/login.component.ts
@@ -152,6 +152,8 @@ export class LoginComponent extends CaptchaProtectedComponent implements OnInit,
       await this.loginService.saveEmailSettings();
       if (this.handleCaptchaRequired(response)) {
         return;
+      } else if (this.handleMigrateEncryptionKey(response)) {
+        return;
       } else if (response.requiresTwoFactor) {
         if (this.onSuccessfulLoginTwoFactorNavigate != null) {
           this.onSuccessfulLoginTwoFactorNavigate();
@@ -283,6 +285,21 @@ export class LoginComponent extends CaptchaProtectedComponent implements OnInit,
     await this.loginService.saveEmailSettings();
   }
 
+  // Legacy accounts used the master key to encrypt data. Migration is required
+  // but only performed on web
+  protected handleMigrateEncryptionKey(result: AuthResult): boolean {
+    if (!result.requiresEncryptionKeyMigration) {
+      return false;
+    }
+
+    this.platformUtilsService.showToast(
+      "error",
+      this.i18nService.t("errorOccured"),
+      this.i18nService.t("encryptionKeyMigrationRequired")
+    );
+    return true;
+  }
+
   private getErrorToastMessage() {
     const error: AllValidationErrors = this.formValidationErrorService
       .getFormValidationErrors(this.formGroup.controls)
diff --git a/libs/angular/src/auth/components/sso.component.spec.ts b/libs/angular/src/auth/components/sso.component.spec.ts
index 894232af443..6d81b3d61ec 100644
--- a/libs/angular/src/auth/components/sso.component.spec.ts
+++ b/libs/angular/src/auth/components/sso.component.spec.ts
@@ -352,7 +352,7 @@ describe("SsoComponent", () => {
       describe("Given Trusted Device Encryption is enabled, user doesn't need to set a MP, and forcePasswordReset is required", () => {
         [
           ForceResetPasswordReason.AdminForcePasswordReset,
-          ForceResetPasswordReason.WeakMasterPassword,
+          // ForceResetPasswordReason.WeakMasterPassword, -- not possible in SSO flow as set client side
         ].forEach((forceResetPasswordReason) => {
           const reasonString = ForceResetPasswordReason[forceResetPasswordReason];
           let authResult;
@@ -449,7 +449,7 @@ describe("SsoComponent", () => {
     describe("Force Master Password Reset scenarios", () => {
       [
         ForceResetPasswordReason.AdminForcePasswordReset,
-        ForceResetPasswordReason.WeakMasterPassword,
+        // ForceResetPasswordReason.WeakMasterPassword, -- not possible in SSO flow as set client side
       ].forEach((forceResetPasswordReason) => {
         const reasonString = ForceResetPasswordReason[forceResetPasswordReason];
 
diff --git a/libs/angular/src/auth/components/sso.component.ts b/libs/angular/src/auth/components/sso.component.ts
index 7e6aca7ec07..c52902d49a0 100644
--- a/libs/angular/src/auth/components/sso.component.ts
+++ b/libs/angular/src/auth/components/sso.component.ts
@@ -226,9 +226,9 @@ export class SsoComponent {
         return await this.handleChangePasswordRequired(orgIdentifier);
       }
 
-      // Users can be forced to reset their password via an admin or org policy
-      // disallowing weak passwords
-      if (authResult.forcePasswordReset !== ForceResetPasswordReason.None) {
+      // Users enrolled in admin acct recovery can be forced to set a new password after
+      // having the admin set a temp password for them
+      if (authResult.forcePasswordReset == ForceResetPasswordReason.AdminForcePasswordReset) {
         return await this.handleForcePasswordReset(orgIdentifier);
       }
 
diff --git a/libs/angular/src/auth/components/two-factor.component.ts b/libs/angular/src/auth/components/two-factor.component.ts
index 9a6352283a0..817a562b557 100644
--- a/libs/angular/src/auth/components/two-factor.component.ts
+++ b/libs/angular/src/auth/components/two-factor.component.ts
@@ -215,9 +215,24 @@ export class TwoFactorComponent extends CaptchaProtectedComponent implements OnI
     await this.handleLoginResponse(authResult);
   }
 
+  protected handleMigrateEncryptionKey(result: AuthResult): boolean {
+    if (!result.requiresEncryptionKeyMigration) {
+      return false;
+    }
+
+    this.platformUtilsService.showToast(
+      "error",
+      this.i18nService.t("errorOccured"),
+      this.i18nService.t("encryptionKeyMigrationRequired")
+    );
+    return true;
+  }
+
   private async handleLoginResponse(authResult: AuthResult) {
     if (this.handleCaptchaRequired(authResult)) {
       return;
+    } else if (this.handleMigrateEncryptionKey(authResult)) {
+      return;
     }
 
     this.loginService.clearValues();
@@ -282,8 +297,10 @@ export class TwoFactorComponent extends CaptchaProtectedComponent implements OnI
       return await this.handleChangePasswordRequired(orgIdentifier);
     }
 
-    // Users can be forced to reset their password via an admin or org policy
-    // disallowing weak passwords
+    // Users can be forced to reset their password via an admin or org policy disallowing weak passwords
+    // Note: this is different from SSO component login flow as a user can
+    // login with MP and then have to pass 2FA to finish login and we can actually
+    // evaluate if they have a weak password at this time.
     if (authResult.forcePasswordReset !== ForceResetPasswordReason.None) {
       return await this.handleForcePasswordReset(orgIdentifier);
     }
diff --git a/libs/angular/src/auth/guards/lock.guard.ts b/libs/angular/src/auth/guards/lock.guard.ts
index ea0f38d7742..551391b8c25 100644
--- a/libs/angular/src/auth/guards/lock.guard.ts
+++ b/libs/angular/src/auth/guards/lock.guard.ts
@@ -10,7 +10,10 @@ import { AuthService } from "@bitwarden/common/auth/abstractions/auth.service";
 import { DeviceTrustCryptoServiceAbstraction } from "@bitwarden/common/auth/abstractions/device-trust-crypto.service.abstraction";
 import { UserVerificationService } from "@bitwarden/common/auth/abstractions/user-verification/user-verification.service.abstraction";
 import { AuthenticationStatus } from "@bitwarden/common/auth/enums/authentication-status";
+import { ClientType } from "@bitwarden/common/enums";
 import { CryptoService } from "@bitwarden/common/platform/abstractions/crypto.service";
+import { MessagingService } from "@bitwarden/common/platform/abstractions/messaging.service";
+import { PlatformUtilsService } from "@bitwarden/common/platform/abstractions/platform-utils.service";
 
 /**
  * Only allow access to this route if the vault is locked.
@@ -25,9 +28,21 @@ export function lockGuard(): CanActivateFn {
     const authService = inject(AuthService);
     const cryptoService = inject(CryptoService);
     const deviceTrustCryptoService = inject(DeviceTrustCryptoServiceAbstraction);
+    const platformUtilService = inject(PlatformUtilsService);
+    const messagingService = inject(MessagingService);
     const router = inject(Router);
     const userVerificationService = inject(UserVerificationService);
 
+    // If legacy user on web, redirect to migration page
+    if (await cryptoService.isLegacyUser()) {
+      if (platformUtilService.getClientType() === ClientType.Web) {
+        return router.createUrlTree(["migrate-legacy-encryption"]);
+      }
+      // Log out legacy users on other clients
+      messagingService.send("logout");
+      return false;
+    }
+
     const authStatus = await authService.getAuthStatus();
     if (authStatus !== AuthenticationStatus.Locked) {
       return router.createUrlTree(["/"]);
diff --git a/libs/angular/src/tools/send/add-edit.component.ts b/libs/angular/src/tools/send/add-edit.component.ts
index ffe0b6a4f9d..32d14db471c 100644
--- a/libs/angular/src/tools/send/add-edit.component.ts
+++ b/libs/angular/src/tools/send/add-edit.component.ts
@@ -154,8 +154,13 @@ export class AddEditComponent implements OnInit, OnDestroy {
       .policyAppliesToActiveUser$(PolicyType.SendOptions, (p) => p.data.disableHideEmail)
       .pipe(takeUntil(this.destroy$))
       .subscribe((policyAppliesToActiveUser) => {
-        if ((this.disableHideEmail = policyAppliesToActiveUser)) {
+        if (
+          (this.disableHideEmail = policyAppliesToActiveUser) &&
+          !this.formGroup.controls.hideEmail.value
+        ) {
           this.formGroup.controls.hideEmail.disable();
+        } else {
+          this.formGroup.controls.hideEmail.enable();
         }
       });
 
diff --git a/libs/angular/src/vault/components/attachments.component.ts b/libs/angular/src/vault/components/attachments.component.ts
index 164735e6f3f..c7a8dd2ee27 100644
--- a/libs/angular/src/vault/components/attachments.component.ts
+++ b/libs/angular/src/vault/components/attachments.component.ts
@@ -24,7 +24,6 @@ export class AttachmentsComponent implements OnInit {
 
   cipher: CipherView;
   cipherDomain: Cipher;
-  hasUpdatedKey: boolean;
   canAccessAttachments: boolean;
   formPromise: Promise<any>;
   deletePromises: { [id: string]: Promise<any> } = {};
@@ -50,15 +49,6 @@ export class AttachmentsComponent implements OnInit {
   }
 
   async submit() {
-    if (!this.hasUpdatedKey) {
-      this.platformUtilsService.showToast(
-        "error",
-        this.i18nService.t("errorOccurred"),
-        this.i18nService.t("updateKey")
-      );
-      return;
-    }
-
     const fileEl = document.getElementById("file") as HTMLInputElement;
     const files = fileEl.files;
     if (files == null || files.length === 0) {
@@ -191,7 +181,6 @@ export class AttachmentsComponent implements OnInit {
     this.cipherDomain = await this.loadCipher();
     this.cipher = await this.cipherDomain.decrypt();
 
-    this.hasUpdatedKey = await this.cryptoService.hasUserKey();
     const canAccessPremium = await this.stateService.getCanAccessPremium();
     this.canAccessAttachments = canAccessPremium || this.cipher.organizationId != null;
 
@@ -206,19 +195,6 @@ export class AttachmentsComponent implements OnInit {
       if (confirmed) {
         this.platformUtilsService.launchUri("https://vault.bitwarden.com/#/?premium=purchase");
       }
-    } else if (!this.hasUpdatedKey) {
-      const confirmed = await this.dialogService.openSimpleDialog({
-        title: { key: "featureUnavailable" },
-        content: { key: "updateKey" },
-        acceptButtonText: { key: "learnMore" },
-        type: "warning",
-      });
-
-      if (confirmed) {
-        this.platformUtilsService.launchUri(
-          "https://bitwarden.com/help/account-encryption-key/#rotate-your-encryption-key"
-        );
-      }
     }
   }
 
diff --git a/libs/common/src/auth/login-strategies/login.strategy.ts b/libs/common/src/auth/login-strategies/login.strategy.ts
index 6e51f215012..d8b0f5ca89d 100644
--- a/libs/common/src/auth/login-strategies/login.strategy.ts
+++ b/libs/common/src/auth/login-strategies/login.strategy.ts
@@ -1,4 +1,5 @@
 import { ApiService } from "../../abstractions/api.service";
+import { ClientType } from "../../enums";
 import { KeysRequest } from "../../models/request/keys.request";
 import { AppIdService } from "../../platform/abstractions/app-id.service";
 import { CryptoService } from "../../platform/abstractions/crypto.service";
@@ -151,8 +152,19 @@ export abstract class LogInStrategy {
 
   protected async processTokenResponse(response: IdentityTokenResponse): Promise<AuthResult> {
     const result = new AuthResult();
+
+    // Old encryption keys must be migrated, but is currently only available on web.
+    // Other clients shouldn't continue the login process.
+    if (this.encryptionKeyMigrationRequired(response)) {
+      result.requiresEncryptionKeyMigration = true;
+      if (this.platformUtilsService.getClientType() !== ClientType.Web) {
+        return result;
+      }
+    }
+
     result.resetMasterPassword = response.resetMasterPassword;
 
+    // Convert boolean to enum
     if (response.forcePasswordReset) {
       result.forcePasswordReset = ForceResetPasswordReason.AdminForcePasswordReset;
     }
@@ -165,9 +177,7 @@ export abstract class LogInStrategy {
     }
 
     await this.setMasterKey(response);
-
     await this.setUserKey(response);
-
     await this.setPrivateKey(response);
 
     this.messagingService.send("loggedIn");
@@ -182,6 +192,12 @@ export abstract class LogInStrategy {
 
   protected abstract setPrivateKey(response: IdentityTokenResponse): Promise<void>;
 
+  // Old accounts used master key for encryption. We are forcing migrations but only need to
+  // check on password logins
+  protected encryptionKeyMigrationRequired(response: IdentityTokenResponse): boolean {
+    return false;
+  }
+
   protected async createKeyPairForOldAccount() {
     try {
       const [publicKey, privateKey] = await this.cryptoService.makeKeyPair();
diff --git a/libs/common/src/auth/login-strategies/password-login.strategy.ts b/libs/common/src/auth/login-strategies/password-login.strategy.ts
index 7f7ec585699..0bcc679ae9a 100644
--- a/libs/common/src/auth/login-strategies/password-login.strategy.ts
+++ b/libs/common/src/auth/login-strategies/password-login.strategy.ts
@@ -147,6 +147,10 @@ export class PasswordLogInStrategy extends LogInStrategy {
   }
 
   protected override async setUserKey(response: IdentityTokenResponse): Promise<void> {
+    // If migration is required, we won't have a user key to set yet.
+    if (this.encryptionKeyMigrationRequired(response)) {
+      return;
+    }
     await this.cryptoService.setMasterKeyEncryptedUserKey(response.key);
 
     const masterKey = await this.cryptoService.getMasterKey();
@@ -162,6 +166,10 @@ export class PasswordLogInStrategy extends LogInStrategy {
     );
   }
 
+  protected override encryptionKeyMigrationRequired(response: IdentityTokenResponse): boolean {
+    return !response.key;
+  }
+
   private getMasterPasswordPolicyOptionsFromResponse(
     response: IdentityTokenResponse | IdentityTwoFactorResponse | IdentityCaptchaResponse
   ): MasterPasswordPolicyOptions {
diff --git a/libs/common/src/auth/login-strategies/sso-login.strategy.ts b/libs/common/src/auth/login-strategies/sso-login.strategy.ts
index 09dbca72fea..328dda527ae 100644
--- a/libs/common/src/auth/login-strategies/sso-login.strategy.ts
+++ b/libs/common/src/auth/login-strategies/sso-login.strategy.ts
@@ -14,6 +14,7 @@ import { DeviceTrustCryptoServiceAbstraction } from "../abstractions/device-trus
 import { KeyConnectorService } from "../abstractions/key-connector.service";
 import { TokenService } from "../abstractions/token.service";
 import { TwoFactorService } from "../abstractions/two-factor.service";
+import { ForceResetPasswordReason } from "../models/domain/force-reset-password-reason";
 import { SsoLogInCredentials } from "../models/domain/log-in-credentials";
 import { SsoTokenRequest } from "../models/request/identity-token/sso-token.request";
 import { IdentityTokenResponse } from "../models/response/identity-token.response";
@@ -73,6 +74,11 @@ export class SsoLogInStrategy extends LogInStrategy {
     this.email = ssoAuthResult.email;
     this.ssoEmail2FaSessionToken = ssoAuthResult.ssoEmail2FaSessionToken;
 
+    // Auth guard currently handles redirects for this.
+    if (ssoAuthResult.forcePasswordReset == ForceResetPasswordReason.AdminForcePasswordReset) {
+      await this.stateService.setForcePasswordResetReason(ssoAuthResult.forcePasswordReset);
+    }
+
     return ssoAuthResult;
   }
 
diff --git a/libs/common/src/auth/models/domain/auth-result.ts b/libs/common/src/auth/models/domain/auth-result.ts
index c0a6f034aef..6900cba1c48 100644
--- a/libs/common/src/auth/models/domain/auth-result.ts
+++ b/libs/common/src/auth/models/domain/auth-result.ts
@@ -17,6 +17,7 @@ export class AuthResult {
   twoFactorProviders: Map<TwoFactorProviderType, { [key: string]: string }> = null;
   ssoEmail2FaSessionToken?: string;
   email: string;
+  requiresEncryptionKeyMigration: boolean;
 
   get requiresCaptcha() {
     return !Utils.isNullOrWhitespace(this.captchaSiteKey);
diff --git a/libs/common/src/auth/models/domain/force-reset-password-reason.ts b/libs/common/src/auth/models/domain/force-reset-password-reason.ts
index c70a4cb33cb..99e461c2ea1 100644
--- a/libs/common/src/auth/models/domain/force-reset-password-reason.ts
+++ b/libs/common/src/auth/models/domain/force-reset-password-reason.ts
@@ -1,3 +1,7 @@
+/*
+ * This enum is used to determine if a user should be forced to reset their password
+ * on login (server flag) or unlock via MP (client evaluation).
+ */
 export enum ForceResetPasswordReason {
   /**
    * A password reset should not be forced.
@@ -6,12 +10,14 @@ export enum ForceResetPasswordReason {
 
   /**
    * Occurs when an organization admin forces a user to reset their password.
+   * Communicated via server flag.
    */
   AdminForcePasswordReset,
 
   /**
    * Occurs when a user logs in / unlocks their vault with a master password that does not meet an organization's
    * master password policy that is enforced on login/unlock.
+   * Only set client side b/c server can't evaluate MP.
    */
   WeakMasterPassword,
 }
diff --git a/libs/common/src/enums/feature-flag.enum.ts b/libs/common/src/enums/feature-flag.enum.ts
index 2de36006f6d..d0775160f1c 100644
--- a/libs/common/src/enums/feature-flag.enum.ts
+++ b/libs/common/src/enums/feature-flag.enum.ts
@@ -4,7 +4,6 @@ export enum FeatureFlag {
   Fido2VaultCredentials = "fido2-vault-credentials",
   TrustedDeviceEncryption = "trusted-device-encryption",
   AutofillV2 = "autofill-v2",
-  SecretsManagerBilling = "sm-ga-billing",
 }
 
 // Replace this with a type safe lookup of the feature flag values in PM-2282
diff --git a/libs/common/src/platform/abstractions/crypto.service.ts b/libs/common/src/platform/abstractions/crypto.service.ts
index 42f60bde845..a868484bd04 100644
--- a/libs/common/src/platform/abstractions/crypto.service.ts
+++ b/libs/common/src/platform/abstractions/crypto.service.ts
@@ -42,6 +42,12 @@ export abstract class CryptoService {
    * @returns The user key
    */
   getUserKey: (userId?: string) => Promise<UserKey>;
+
+  /**
+   * Checks if the user is using an old encryption scheme that used the master key
+   * for encryption of data instead of the user key.
+   */
+  isLegacyUser: (masterKey?: MasterKey, userId?: string) => Promise<boolean>;
   /**
    * Use for encryption/decryption of data in order to support legacy
    * encryption models. It will return the user key if available,
diff --git a/libs/common/src/platform/services/crypto.service.ts b/libs/common/src/platform/services/crypto.service.ts
index 1f5cd10edc4..3b4090ef344 100644
--- a/libs/common/src/platform/services/crypto.service.ts
+++ b/libs/common/src/platform/services/crypto.service.ts
@@ -77,6 +77,12 @@ export class CryptoService implements CryptoServiceAbstraction {
     }
   }
 
+  async isLegacyUser(masterKey?: MasterKey, userId?: string): Promise<boolean> {
+    return await this.validateUserKey(
+      (masterKey ?? (await this.getMasterKey(userId))) as unknown as UserKey
+    );
+  }
+
   async getUserKeyWithLegacySupport(userId?: string): Promise<UserKey> {
     const userKey = await this.getUserKey(userId);
     if (userKey) {
@@ -510,7 +516,8 @@ export class CryptoService implements CryptoServiceAbstraction {
   }
 
   async makeKeyPair(key?: SymmetricCryptoKey): Promise<[string, EncString]> {
-    key ||= await this.getUserKey();
+    // Default to user key
+    key ||= await this.getUserKeyWithLegacySupport();
 
     const keyPair = await this.cryptoFunctionService.rsaGenerateKeyPair(2048);
     const publicB64 = Utils.fromBufferToB64(keyPair[0]);
@@ -943,23 +950,30 @@ export class CryptoService implements CryptoServiceAbstraction {
 
   async migrateAutoKeyIfNeeded(userId?: string) {
     const oldAutoKey = await this.stateService.getCryptoMasterKeyAuto({ userId: userId });
-    if (oldAutoKey) {
-      // decrypt
-      const masterKey = new SymmetricCryptoKey(Utils.fromB64ToArray(oldAutoKey)) as MasterKey;
-      const encryptedUserKey = await this.stateService.getEncryptedCryptoSymmetricKey({
-        userId: userId,
-      });
-      const userKey = await this.decryptUserKeyWithMasterKey(
-        masterKey,
-        new EncString(encryptedUserKey),
-        userId
-      );
-      // migrate
-      await this.stateService.setUserKeyAutoUnlock(userKey.keyB64, { userId: userId });
-      await this.stateService.setCryptoMasterKeyAuto(null, { userId: userId });
-      // set encrypted user key in case user immediately locks without syncing
-      await this.setMasterKeyEncryptedUserKey(encryptedUserKey);
+    if (!oldAutoKey) {
+      return;
     }
+    // Decrypt
+    const masterKey = new SymmetricCryptoKey(Utils.fromB64ToArray(oldAutoKey)) as MasterKey;
+    if (await this.isLegacyUser(masterKey, userId)) {
+      // Legacy users don't have a user key, so no need to migrate.
+      // Instead, set the master key for additional isLegacyUser checks that will log the user out.
+      await this.setMasterKey(masterKey, userId);
+      return;
+    }
+    const encryptedUserKey = await this.stateService.getEncryptedCryptoSymmetricKey({
+      userId: userId,
+    });
+    const userKey = await this.decryptUserKeyWithMasterKey(
+      masterKey,
+      new EncString(encryptedUserKey),
+      userId
+    );
+    // Migrate
+    await this.stateService.setUserKeyAutoUnlock(userKey.keyB64, { userId: userId });
+    await this.stateService.setCryptoMasterKeyAuto(null, { userId: userId });
+    // Set encrypted user key in case user immediately locks without syncing
+    await this.setMasterKeyEncryptedUserKey(encryptedUserKey);
   }
 
   async decryptAndMigrateOldPinKey(
diff --git a/libs/common/src/services/vault-timeout/vault-timeout.service.ts b/libs/common/src/services/vault-timeout/vault-timeout.service.ts
index 0fbbf51bd60..9e5a78834f7 100644
--- a/libs/common/src/services/vault-timeout/vault-timeout.service.ts
+++ b/libs/common/src/services/vault-timeout/vault-timeout.service.ts
@@ -5,6 +5,7 @@ import { VaultTimeoutSettingsService } from "../../abstractions/vault-timeout/va
 import { VaultTimeoutService as VaultTimeoutServiceAbstraction } from "../../abstractions/vault-timeout/vault-timeout.service";
 import { AuthService } from "../../auth/abstractions/auth.service";
 import { AuthenticationStatus } from "../../auth/enums/authentication-status";
+import { ClientType } from "../../enums";
 import { VaultTimeoutAction } from "../../enums/vault-timeout-action.enum";
 import { CryptoService } from "../../platform/abstractions/crypto.service";
 import { MessagingService } from "../../platform/abstractions/messaging.service";
@@ -141,10 +142,18 @@ export class VaultTimeoutService implements VaultTimeoutServiceAbstraction {
   }
 
   private async migrateKeyForNeverLockIfNeeded(): Promise<void> {
+    // Web can't set vault timeout to never
+    if (this.platformUtilsService.getClientType() == ClientType.Web) {
+      return;
+    }
     const accounts = await firstValueFrom(this.stateService.accounts$);
     for (const userId in accounts) {
       if (userId != null) {
         await this.cryptoService.migrateAutoKeyIfNeeded(userId);
+        // Legacy users should be logged out since we're not on the web vault and can't migrate.
+        if (await this.cryptoService.isLegacyUser(null, userId)) {
+          await this.logOut(userId);
+        }
       }
     }
   }
diff --git a/libs/common/src/vault/services/cipher.service.ts b/libs/common/src/vault/services/cipher.service.ts
index 70436484e5a..916690cb132 100644
--- a/libs/common/src/vault/services/cipher.service.ts
+++ b/libs/common/src/vault/services/cipher.service.ts
@@ -330,11 +330,6 @@ export class CipherService implements CipherServiceAbstraction {
       return await this.getDecryptedCipherCache();
     }
 
-    const hasKey = await this.cryptoService.hasUserKey();
-    if (!hasKey) {
-      throw new Error("No user key found.");
-    }
-
     const ciphers = await this.getAll();
     const orgKeys = await this.cryptoService.getOrgKeys();
     const userKey = await this.cryptoService.getUserKeyWithLegacySupport();
@@ -404,14 +399,21 @@ export class CipherService implements CipherServiceAbstraction {
     defaultMatch ??= await this.stateService.getDefaultUriMatch();
 
     return ciphers.filter((cipher) => {
-      if (cipher.deletedDate != null) {
+      const cipherIsLogin = cipher.type === CipherType.Login && cipher.login !== null;
+
+      if (cipher.deletedDate !== null) {
         return false;
       }
-      if (includeOtherTypes != null && includeOtherTypes.indexOf(cipher.type) > -1) {
+
+      if (
+        Array.isArray(includeOtherTypes) &&
+        includeOtherTypes.includes(cipher.type) &&
+        !cipherIsLogin
+      ) {
         return true;
       }
 
-      if (cipher.type === CipherType.Login && cipher.login !== null) {
+      if (cipherIsLogin) {
         return cipher.login.matchesUri(url, equivalentDomains, defaultMatch);
       }
 
diff --git a/libs/components/src/form-field/form-field.stories.ts b/libs/components/src/form-field/form-field.stories.ts
index 4c85a18607f..305b514266e 100644
--- a/libs/components/src/form-field/form-field.stories.ts
+++ b/libs/components/src/form-field/form-field.stories.ts
@@ -157,6 +157,24 @@ export const Disabled: Story = {
   args: {},
 };
 
+export const Readonly: Story = {
+  render: (args) => ({
+    props: args,
+    template: `
+      <bit-form-field>
+        <bit-label>Input</bit-label>
+        <input bitInput value="Foobar" readonly />
+      </bit-form-field>
+
+      <bit-form-field>
+        <bit-label>Textarea</bit-label>
+        <textarea bitInput rows="4" readonly>Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.</textarea>
+      </bit-form-field>
+    `,
+  }),
+  args: {},
+};
+
 export const InputGroup: Story = {
   render: (args) => ({
     props: args,
diff --git a/libs/components/src/input/input.directive.ts b/libs/components/src/input/input.directive.ts
index 60589208d52..b9f71ff8d59 100644
--- a/libs/components/src/input/input.directive.ts
+++ b/libs/components/src/input/input.directive.ts
@@ -44,6 +44,7 @@ export class BitInputDirective implements BitFormFieldControl {
       "focus:tw-ring-primary-700",
       "focus:tw-z-10",
       "disabled:tw-bg-secondary-100",
+      "[&:is(input,textarea):read-only]:tw-bg-secondary-100",
     ].filter((s) => s != "");
   }
 
diff --git a/libs/components/src/link/link.directive.ts b/libs/components/src/link/link.directive.ts
index b2e551ddeff..0841388a948 100644
--- a/libs/components/src/link/link.directive.ts
+++ b/libs/components/src/link/link.directive.ts
@@ -58,7 +58,6 @@ const commonStyles = [
   "before:tw-rounded-md",
   "before:tw-transition",
   "focus-visible:before:tw-ring-2",
-  "focus-visible:before:tw-ring-text-contrast",
   "focus-visible:tw-z-10",
 ];
 
diff --git a/libs/importer/src/models/import-options.ts b/libs/importer/src/models/import-options.ts
index 2afe801d202..03c4e72e047 100644
--- a/libs/importer/src/models/import-options.ts
+++ b/libs/importer/src/models/import-options.ts
@@ -12,7 +12,7 @@ export const featuredImportOptions = [
   { id: "keepass2xml", name: "KeePass 2 (xml)" },
   { id: "lastpasscsv", name: "LastPass (csv)" },
   { id: "safaricsv", name: "Safari and macOS (csv)" },
-  { id: "1password1pux", name: "1Password (1pux)" },
+  { id: "1password1pux", name: "1Password (1pux/json)" },
 ] as const;
 
 export const regularImportOptions = [
diff --git a/package-lock.json b/package-lock.json
index d4174b7111f..d5e40478d20 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -191,11 +191,11 @@
     },
     "apps/browser": {
       "name": "@bitwarden/browser",
-      "version": "2023.8.3"
+      "version": "2023.9.1"
     },
     "apps/cli": {
       "name": "@bitwarden/cli",
-      "version": "2023.8.2",
+      "version": "2023.9.0",
       "license": "GPL-3.0-only",
       "dependencies": {
         "@koa/multer": "3.0.2",
@@ -231,7 +231,7 @@
     },
     "apps/desktop": {
       "name": "@bitwarden/desktop",
-      "version": "2023.8.4",
+      "version": "2023.9.1",
       "hasInstallScript": true,
       "license": "GPL-3.0"
     },
@@ -261,7 +261,7 @@
     },
     "apps/web": {
       "name": "@bitwarden/web-vault",
-      "version": "2023.8.4"
+      "version": "2023.9.0"
     },
     "libs/angular": {
       "name": "@bitwarden/angular",