bitwarden/help
1
0
Fork 0
mirror of https://github.com/bitwarden/help synced 2025-12-06 00:03:30 +00:00
Code Issues Releases Wiki Activity

Security Content (#342)

Browse Source 
* Data use (#336)

* re-purpose article for data use considerations

* Update stored-data.md

* security - everything but faqs

* security faqs

* split data article

* faq update

* faq fix

* faq fix #?

* title fix

* list reposition & title change

* faq fix

* final fixes
This commit is contained in:
fred_the_tech_writer
2021-01-05 08:47:39 -05:00
committed by GitHub
parent 2cdca9f136
commit 9e5eec3ac4
17 changed files with 256 additions and 231 deletions
Download Patch File Download Diff File Expand all files Collapse all files

30
_articles/security/administrative-data.md Normal file
View File

@@ -0,0 +1,30 @@
---
layout: article
title: Administrative Data
categories: [security]
featured: true
popular: false
tags: []
order: 02
---
Users provide personal information in connection with your account creation, usage of the Bitwarden Service and support, and payments for the Bitwarden Service. Bitwarden uses Administrative Data to provide the Bitwarden Service to you. We retain Administrative Data for as long as you are a customer of Bitwarden and as required by law. If you terminate your relationship with Bitwarden, we will delete your Personal Information in accordance with our data retention policies.
{% callout success %}
We encourage you to review our [Privacy Policy](https://bitwarden.com/privacy){:target="\_blank"} for more information.
{% endcallout %}
These data include:
- Your Name (*Only if provided during account creation*).
- Your Email Address (used for Email Verification, Account Administration, and communication between you and Bitwarden).
- A **Bitwarden-generated** device-specific GUID (sometimes referred to as a *Device ID*, and used to alert you when a new device logs into your Vault.)
For Organizations, these data also include:
- Equivalent Domains
- Organization Name
- Organization Business Name
- Organization Billing Email Address
- Collection External IDs
- Group Names and External IDs

14
_articles/security/can-bitwarden-see-my-passwords.md
View File

@@ -1,14 +0,0 @@
---
layout: article
title: Can the Bitwarden team see my passwords?
categories: [security]
featured: true
popular: false
tags: []
---
No.
Since your data is fully encrypted and/or hashed before ever leaving **your** local device, no one from the Bitwarden team can ever see, read, or reverse engineer to get to your real data. Bitwarden servers only store encrypted and hashed data. This is an important step that Bitwarden takes to protect you.
You can read more about how your data is encrypted and transmitted [here]({% link _articles/security/what-encryption-is-used.md %}).

12
_articles/security/cloud-server-security.md
View File

@@ -1,12 +0,0 @@
---
layout: article
title: How do you keep the cloud servers secure?
categories: [security]
featured: true
popular: false
tags: [cloud, azure]
---
Bitwarden processes and stores all data securely in the [Microsoft Azure cloud](https://en.wikipedia.org/wiki/Microsoft_Azure){:target="_blank"} using services that are managed by the team at Microsoft. Since Bitwarden only uses service offerings provided by Azure, there is no server infrastructure to manage and maintain. All uptime, scalability, and security updates and guarantees are backed by Microsoft and their cloud infrastructure.
Don't trust the Bitwarden cloud? You don't have to. Open source is beautiful. You can easily host the entire Bitwarden stack yourself. You control your data. Learn more [here]({% link _articles/hosting/install-on-premise.md %}).

34
_articles/security/where-is-data-stored-computer.md → _articles/security/data-storage.md
View File

@@ -1,17 +1,31 @@
---
layout: article
title: Where is my data stored on my computer/device?
title: Storage
categories: [security]
featured: true
popular: false
tags: []
tags: [cloud]
order: 04
redirect_from:
- /article/where-is-data-stored-cloud/
- /article/where-is-data-stored-computer/
- /article/cloud-server-security/
---
Your data is also automatically synced to our [cloud servers]({% link _articles/security/where-is-data-stored-cloud.md %}). In the event that you need to recover your data due to a device crash, simply reinstall the Bitwarden application and log in and your data will be re-synced.
This articles describes **where** Bitwarden stores your Vault Data and Administrative Data.
All sensitive data stored on your computer/device is encrypted. The data can be found in the following locations:
Bitwarden **always** encrypts and/or hashes your data on your local device before anything is sent to cloud servers for storage. **Bitwarden servers are only used for storing encrypted data.** For more information, see [Encryption]({% link _articles/security/what-encryption-is-used.md %}).
## Desktop
## On Bitwarden Servers
Bitwarden processes and stores all data securely in the [Microsoft Azure Cloud](https://en.wikipedia.org/wiki/Microsoft_Azure){:target="\_blank"} using services that are managed by the team at microsoft. Since Bitwarden only uses service offerings provided by Azure, there is no server infrastructure to manage and maintain. All uptime, scalability, and security updates and guarantees and backed by Microsoft and their cloud infrastructure. Review the [Microsoft Azure Compliance Offerings](https://azure.microsoft.com/en-us/resources/microsoft-azure-compliance-offerings/) documentation for more detail.
Don't trust Bitwarden Servers? You don't have to. Open source is beautiful. You can easily host the entire Bitwarden stack yourself. You control your data. Learn more [here]({% link _articles/hosting/install-on-premise.md %}).
## On your Local Machine
Data that is stored on your computer/device is also encrypted and only decrypted when you unlock your Vault. Vault data can be found in the following locations based on the client application in use:
#### Desktop App
- Windows
- Standard Installations & Store: `%AppData%\Bitwarden`
@@ -27,7 +41,7 @@ All sensitive data stored on your computer/device is encrypted. The data can be
You can override the storage location for your Bitwarden desktop application data by setting the `BITWARDEN_APPDATA_DIR` environment variable to an absolute path.
{% endcallout %}
## Browser Extension
#### Browser Extension
- Windows
- Chrome: `%LocalAppData%\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb`
@@ -46,15 +60,17 @@ You can override the storage location for your Bitwarden desktop application dat
- Firefox: `~/.mozilla/firefox/your_profile/storage/default/moz-extension+++[UUID]^userContextID=[integer]`
{% callout info %}
To enhance security, Firefox uses Universally Unique Identifiers (UUIDs) within extension storage folder names. Use the `about:debugging#/runtime/this-firefox` page (navigate from Firefox's address bar) to locate your Bitwarden extension UUID. Replace [UUID] with that UUID. Note also that Firefox allows users to customize where to store their profiles (and thus local Bitwarden extension data). The location specified above is the default.
To enhance security, Firefox uses Universally Unique Identifiers (UUIDs) within extension storage folder names. In the address bar, navigate to `about:debugging#/runtime/this-firefox` to locate your Bitwarden extension UUID. Replace [UUID] with that UUID.
Firefox also allows users to customize where to store their profiles (and thus local Bitwarden extension data). The location specified above is the default.
{% endcallout %}
## Mobile
#### Mobile
- iOS: app group for `group.com.8bit.bitwarden`
- Android: `/data/data/com.x8bit.bitwarden/`
## CLI
#### CLI
- Windows: `%AppData%\Bitwarden CLI`
- macOS: `~/Library/Application Support/Bitwarden CLI`

14
_articles/security/how-is-data-securely-transmitted-and-stored.md
View File

@@ -1,14 +0,0 @@
---
layout: article
title: How is my data securely transmitted and stored on Bitwarden servers?
categories: [security]
featured: true
popular: false
tags: [encryption]
---
Bitwarden takes security very seriously when it comes to handling your sensitive data. Your data is never sent to the Bitwarden cloud servers without first being encrypted on your local device using [AES](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard){:target="blank"} 256 bit encryption. You can read more about Bitwarden encryption [here]({% link _articles/security/what-encryption-is-used.md %}). Bitwarden never stores meaningful data on its servers.
When your devices sync with the Bitwarden cloud servers, a copy of the encrypted data is downloaded and securely stored to your local device. Whenever you use the Bitwarden apps or extensions your data is decrypted only in memory as needed. Data is never stored in its decrypted form on the remote Bitwarden servers or on your local device.
Bitwarden servers are securely hosted and managed in the [Microsoft Azure cloud](https://en.wikipedia.org/wiki/Microsoft_Azure){:target="_blank"}.

69
_articles/security/is-bitwarden-audited.md
View File

@@ -1,20 +1,75 @@
---
layout: article
title: Is Bitwarden audited?
title: Compliance, Audits, and Certifications
categories: [security]
featured: true
popular: false
tags: [audit]
order: 05
---
Yes.
Bitwarden is a global company with customers located all over the world. Our business is to help customers protect, store, and share their sensitive data. We prioritize protecting the personal data of our customers and their end-users as paramount to our company mission. Bitwarden complies with industry standards, and conducts regular audits shared transparently with our customers and users. Our open source approach puts us in a unique position, where our software is viewed and scrutinized by a globally engaged community.
By making 100% of our source code available under an open source GPLv3 license, our goal is to be as transparent as possible about how Bitwarden works and how it handles your sensitive data. Being open source also allows thousands of developers to quickly identify potential issues and to verify the quality of our solutions. However, we also understand the need for reputable, independent third-party experts to officially audit the Bitwarden codebase.
## Privacy
In October 2018, Bitwarden successfully completed a source code audit and cryptographic analysis by security firm [Cure53](https://cure53.de/). You can read more about this security audit [here](https://bitwarden.com/blog/post/third-party-security-audit).
For our privacy policy, visit [bitwarden.com/privacy](https://bitwarden.com/privacy){:target="\_blank"}.
In July 2020, Bitwarden successfully completed a thorough security assessment and penetration test by auditing firm [Insight Risk Consulting](https://www.insightriskconsulting.com/). You can read more about this security audit [here](https://bitwarden.com/blog/post/bitwarden-network-security-assessment-2020/).
### GDPR
In August 2020, Bitwarden achieved SOC 2 Type 2 and SOC 3 certification. You can learn more about this [here](https://bitwarden.com/blog/post/bitwarden-achieves-soc-2-certification/)
Bitwarden participates in the EU-U.S. and Swiss Privacy Shield Frameworks and complies with GDPR and current applicable EU data protection rules.
Bitwarden also interacts with independent security researchers through our public bug bounty program on [HackerOne](https://hackerone.com/bitwarden/).
### CCPA
Bitwarden is compliant with the California Consumer Privacy Act (CCPA).
### Privacy Shield
Bitwarden complies with EU-U.S. Privacy Shield Frameworks. In addition, Bitwarden uses and complies with EU Standard Contractual Clauses (SCCs). For more information, please see [Bitwarden Privacy Shield Frameworks](https://www.privacyshield.gov/participant?id=a2zt0000000CoURAA0){:target="\_blank"}.
### HIPAA
Bitwarden is HIPPA compliant.
## Third Party Security Audits
### SOC 2 Type 2 and SOC 3
Bitwarden has completed SOC Type 2 and SOC 3 compliance. For more information, see the blog post [Bitwarden achieves SOC 2 certification](https://bitwarden.com/blog/post/bitwarden-achieves-soc-2-certification/){:target="\_blank"}.
### 2020 Security Assessment
Bitwarden completed a thorough security assessment and penetration test by auditing firm [Insight Risk Consulting](https://www.insightriskconsulting.com/){:target="\_blank"}. For more information, please see the blog post [Bitwarden 2020 Security Audit is Complete](https://bitwarden.com/blog/post/bitwarden-network-security-assessment-2020/){:target="\_blank"}.
[Read the report](https://cdn.bitwarden.net/misc/Bitwarden%20Security%20Assessment%20Report.pdf).
### 2018 Security Assessment
Bitwarden completed a thorough security audit and cryptographic analysis by security firm [Cure53](https://cure53.de/){:target="\_blank"}. For more information, please see the blog post [Bitwarden Completes Third-party Security Audit](https://bitwarden.com/blog/post/third-party-security-audit/){:target="\_blank"}.
## Open Source Codebase
### Codebase on GitHub
Bitwarden is focused on open source software with the entirety of the codebase available on GitHub.com. For more information, please see [github.com/bitwarden](github.com/bitwarden){:target="\_blank"}.
### Open Source at Bitwarden
Bitwarden is an open source password manager. For more information please visit [our open source page](https://bitwarden.com/open-source/){:target="\_blank"}.
## Cloud Hosting
The Bitwarden cloud service is hosted on Microsoft Azure. Please visit [Microsoft Azure Compliance Offerings](https://azure.microsoft.com/en-us/resources/microsoft-azure-compliance-offerings/){:target="\_blank"} for more detail.
## Security Information
### Zero Knowledge Encryption
Bitwarden takes a zero knowledge encryption approach to password management, meaning every piece of information in your Vault is encrypted. For more information on this approach, please see the blog post [How End-to-End Encryption Paves the Way for Zero Knowledge](https://bitwarden.com/blog/post/end-to-end-encryption-and-zero-knowledge/){:target="\_blank"}.
### Vault Security in Bitwarden
For more information on how Bitwarden Vaults are protected, including options for Bitwarden client applications, please see the blog post [Vault Security in the Bitwarden Password Manager](https://bitwarden.com/blog/post/vault-security-bitwarden-password-manager/){:target="\_blank"}.
### Bug Bounty Program
Bitwarden also interacts with independent security researchers through our public bug bounty program on [HackerOne](https://hackerone.com/bitwarden/){:target="\_blank"}.

14
_articles/security/password-salt-hash.md
View File

@@ -1,14 +0,0 @@
---
layout: article
title: Does Bitwarden use a salted hash for my password?
categories: [security]
featured: true
popular: false
tags: [encryption, hash]
---
Yes.
Bitwarden salts and hashes your master password with your email address on the client (your computer/device) before it is transmitted to our servers. Once the server receives the hashed password from your computer/device it is then salted again with a cryptographically secure random value, hashed again and stored in our database. This process is repeated and hashes are compared every time you log in.
The hashing functions that are used are one way hashes. This means that they cannot be reverse engineered by anyone at Bitwarden to reveal your true master password. In the hypothetical event that the Bitwarden servers were hacked and your data was leaked, the data would have **no value** to the hacker.

28
_articles/security/vault-data.md Normal file
View File

@@ -0,0 +1,28 @@
---
layout: article
title: Vault Data
categories: [security]
featured: true
popular: false
tags: []
order: 01
redirect_from:
- /article/what-information-is-encrypted/
---
All Vault data is encrypted by Bitwarden before being stored anywhere. To learn how, see [Encryption]({% link _articles/security/what-encryption-is-used.md %}).
Vault data can only be decrypted using a key derived from your master password. Bitwarden is a zero knowledge solution, meaning you are the only party with access to your key and the ability to decrypt your Vault data.
{% callout success %}
We encourage you to review our [Privacy Policy](https://bitwarden.com/privacy){:target="\_blank"} for more information.
{% endcallout %}
Vault data that is encrypted includes, but is not limited to:
- Names of Folders, Collections, Items, & Attachments
- All Login information (including usernames, passwords, URIs, TOTPs, etc.)
- All Card information (including cardholder name, number, brand, expiration, security codes, etc.)
- All Identity information (including names, email, phone, passport numbers, license numbers, SSNs, addresses, etc.)
- All Secure Notes and notes connected to a Login, Card, or Identity
- All Custom Field name/value combinations

40
_articles/security/what-encryption-is-used.md
View File

@@ -1,33 +1,51 @@
---
layout: article
title: What encryption is being used?
title: Encryption
categories: [security]
featured: true
popular: false
tags: [encryption]
order: 03
redirect_from:
- /article/password-salt-hash/
- /article/how-is-data-securely-transmitted-and-stored/
---
Bitwarden uses [AES-CBC][aes]{:target="blank"} 256 bit encryption as well as [PBKDF2][pbkdf2]{:target="blank"} to secure your data.
Bitwarden uses [AES-CBC](#aes-cbc) 256-bit encryption for your Vault data, and [PBKDF2](#pbkdf2) SHA-256 to derive your encryption key.
[AES-CBC][aes]{:target="blank"} is a standard in cryptography and used by the US government and other government agencies around the world for protecting top secret data. With proper implementation and a strong encryption key (your master password), AES is considered unbreakable.
Bitwarden **always** encrypts and/or hashes your data on your local device before anything is sent to cloud servers for storage. **Bitwarden servers are only used for storing encrypted data.** For more information, see [Storage]({% link _articles/security/data-storage.md %}).
[PBKDF2][pbkdf2]{:target="blank"} SHA-256 is used to derive the encryption key from your master password. This key is then salted and hashed. The default iteration count used with PBKDF2 is 100,001 iterations on the client (this client-side iteration count is configurable from your account settings), and then an additional 100,000 iterations when stored on our servers (for a total of 200,001 iterations by default). The Organization key is shared via [RSA-2048][rsa]{:target="blank"}.
Vault data can only be decrypted using the key derived from your master password. Bitwarden is a zero knowledge solution, meaning you are the only party with access to your key and the ability to decrypt your Vault data.
Bitwarden does not write any cryptographic code. Bitwarden only invokes crypto from popular and reputable crypto libraries that are written and maintained by cryptography experts. The following crypto libraries are used:
{% callout success %}
We encourage you to visit our [Interactive Cryptography Page](https://bitwarden.com/help/crypto.html){:target="\_blank"} to see for yourself how Bitwarden encrypts your data.
{% endcallout %}
- JavaScript (web, browser extension, desktop, and CLI vaults)
## AES-CBC
[AES](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard){:target="\_blank"}-CBC [(Cipher Block Chaining)](https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation#Cipher_block_chaining_(CBC)){:target="blank"}, used to encrypt Vault data, is a standard in cryptography and used by the US government and other government agencies around the world for protecting top-secret data. With proper implementation and a strong encryption key (your master password), AES is considered unbreakable.
## PBKDF2
[PBKDF2][pbkdf2]{:target="blank"} SHA-256 is used to derive the encryption key from your master password. Bitwarden [salts and hashes](https://www.okta.com/blog/2019/03/what-are-salted-passwords-and-password-hashing/){:target="\_blank"} your master password with your email address **locally**, before transmission to our servers. Once a Bitwarden server receives the hashed password, it is salted again with a cryptographically secure random value, hashed again, and stored in our database.
The default iteration count used with PBKDF2 is 100,001 iterations on the client (*client-side iteration count is configurable from your account settings*), and then an additional 100,000 iterations when stored on our servers (for a total of 200,001 iterations by default). The Organization key is shared via [RSA-2048][rsa]{:target="blank"}.
The utilized hash functions are one-way hashes, meaning they **cannot be reverse engineered** by anyone at Bitwarden to reveal your master password. Even if Bitwarden were to be hacked, there would be no method by which your master password could be obtained.
## Invoked Crypto Libraries
**Bitwarden does not write any cryptographic code.** Bitwarden only invokes crypto from popular and reputable crypto libraries that are written and maintained by cryptography experts. The following crypto libraries are used:
- JavaScript (Web Vault, Browser Extension, Desktop, and CLI)
- [Web Crypto][webcrypto]{:target="blank"}
- [Node.js Crypto][nodecrypto]{:target="blank"}
- [Forge][forge]{:target="blank"}
- C# (mobile vault)
- C# (Mobile)
- CommonCrypto (iOS, Apple)
- Javax.Crypto (Android, Oracle)
- [BouncyCastle][bouncy]{:target="blank"} (Android)
Bitwarden **always** encrypts and/or hashes your data on your local device before it is ever sent to the cloud servers for syncing. The Bitwarden servers are only used for storing encrypted data. It is not possible to get your unencrypted data from the Bitwarden cloud servers.
For examples of how this encryption is used, please visit our [cryptography example page.](https://bitwarden.com/help/crypto.html)
[aes]: https://en.wikipedia.org/wiki/Advanced_Encryption_Standard
[pbkdf2]: https://en.wikipedia.org/wiki/PBKDF2
[rsa]: https://en.wikipedia.org/wiki/RSA_numbers#RSA-2048

12
_articles/security/what-happens-if-bitwarden-is-hacked.md
View File

@@ -1,12 +0,0 @@
---
layout: article
title: What happens if Bitwarden gets hacked?
categories: [security]
featured: true
popular: false
tags: [hacked]
---
Bitwarden takes extreme measures to ensure that its websites, application, and cloud servers are secure. Part of this security comes from the fact that [we rely on managed services and do not manage our cloud server infrastructure at all]({% link _articles/security/cloud-server-security.md %}).
However, if for some reason Bitwarden were to get hacked and your data was exposed, your information is still protected. This is because Bitwarden uses strong encryption and one-way salted hashing. As long as you use a strong master password, your data is safe no matter who gets hold of it.

47
_articles/security/what-information-is-encrypted.md
View File

@@ -1,47 +0,0 @@
---
layout: article
title: What information is encrypted?
categories: [security]
featured: true
popular: false
tags: []
---
All information associated with your stored vault data is protected with end-to-end encryption. This includes:
- Folder names
- Collection names
- Item names
- Item notes
- Attachments
- Custom field names/values
- Login information
- Usernames
- Passwords
- URLs
- Authenticator keys (TOTP)
- Card information
- Cardholder names
- Numbers
- Brands
- Expirations
- Security codes
- Identity information
- Names
- Contact info (email, phone, etc)
- Password numbers
- License numbers
- SSNs
- Addresses
- Secure note information
Certain information in Bitwarden cannot be encrypted. This includes:
- Your name (if provided)
- Your account's email address
- Equivalent domains
- Organization names
- Organization business names
- Organization billing email
- Collection external ids
- Organization group names and external ids

12
_articles/security/where-is-data-stored-cloud.md
View File

@@ -1,12 +0,0 @@
---
layout: article
title: Where is my data stored in the cloud?
categories: [security]
featured: true
popular: false
tags: [cloud]
---
Bitwarden processes and stores all data securely in the [Microsoft Azure cloud](https://en.wikipedia.org/wiki/Microsoft_Azure){:target="_blank"} using services that are managed by the team at Microsoft. Bitwarden does not manage any server infrastructure or security directly. All data is backed up multiple times over, again using services provided by Microsoft Azure.
Don't trust the Bitwarden cloud? You don't have to. Open source is beautiful. You can easily host the entire Bitwarden stack yourself. You control your data. Learn more [here]({% link _articles/hosting/install-on-premise.md %}).

16
_articles/security/why-should-i-trust-bitwarden.md
View File

@@ -1,16 +0,0 @@
---
layout: article
title: Why should I trust Bitwarden with my passwords?
categories: [security]
featured: true
popular: true
tags: []
---
1. Bitwarden is open source software. All of our source code is hosted on [GitHub](https://github.com/bitwarden){:target="_blank"} and is free for anyone to review. Thousands of software developers follow Bitwarden's source code projects (and you can too!).
2. Bitwarden [is audited]({% link _articles/security/is-bitwarden-audited.md %}) by reputable third-party security auditing firms as well as independent security researchers.
3. Bitwarden does not store your passwords. Bitwarden stores encrypted versions of your passwords [that only you can unlock]({% link _articles/security/can-bitwarden-see-my-passwords.md %}).
Your sensitive information is encrypted locally on your personal device before ever being sent to our cloud servers.
4. Bitwarden has a reputation. Bitwarden is used by millions of individuals and businesses. If we did anything questionable or risky we would be out of business.
Still don't trust us? You don't have to. Open source is beautiful. You can easily host the entire Bitwarden stack yourself. You control your data. Learn more [here]({% link _articles/hosting/install-on-premise.md %}).