---
layout: article
title: Send Encryption
categories:
featured: true
popular: false
tags:
order: 07
---
Send Encryption
Sends are a secure and ephemeral mechanism for transmitting sensitive information, either text or files, to anyone. As the [About Send]({% link _articles/send/about-send.md %}) article notes, Sends are end-to-end encrypted, meaning that encryption (described below) and decryption occur client-side. When you create a Send:

- A new 128-bit secret key is generated for the Send.
- Using HKDF-SHA256, a 512-bit encryption key is derived from the secret key.
- The derived key is used to AES-256 encrypt the Send, including its file/text data and metadata (Name, Filename, Notes, etc.).

{% callout success %}Any password used to protect a Send plays no part in encrypting or decrypting it. The password is purely an authentication step: for a password-protected Send, the encrypted data is not released to the client for decryption until password authentication succeeds.{% endcallout %}

- The encrypted Send is uploaded to Bitwarden servers together with a unique Send ID, which Bitwarden uses to identify the Send when it is later retrieved for decryption. The encryption key is not uploaded.
Send Decryption
Sends are decrypted by opening the [Send link]({% link _articles/send/receive-send.md %}), which is constructed from the unique Send ID and the encryption key:
https://vault.bitwarden.com/#/send/send_id/encryption_key
When you access a Send link:

- The web browser requests a Send access page from Bitwarden servers.
- Bitwarden servers return the Send access page as a Web Vault client.
- The Web Vault client locally parses the URL fragment containing the Send ID and encryption key.
- The Web Vault client requests data from the server based on the parsed Send ID. The encryption key is never included in network requests, because browsers do not transmit the URL fragment.
- Bitwarden servers return the encrypted Send to the Web Vault client.
- The Web Vault client locally decrypts the Send using the encryption key.

{% callout success %}If your Send is password-protected, the client cannot proceed to decryption until password authentication succeeds. This should not be confused with the password being used for decryption; it is not.{% endcallout %}