| layout | title | categories | featured | popular | tags | order | description |
|---|---|---|---|---|---|---|---|
| article | Member Decryption Options | | false | false | | 04 | This article covers the Vault decryption options available for Enterprise Organizations leveraging Login with SSO. |

What makes Login with SSO unique is that it retains our zero-knowledge encryption model. Nobody at Bitwarden has access to your Vault data and, similarly, neither should your Identity Provider. That's why Login with SSO decouples authentication and decryption. In all Login with SSO implementations, your Identity Provider cannot and will not have access to the decryption key needed to decrypt Vault data.
Member Decryption Options are used to determine what decryption key will be used to decrypt Vault data in scenarios where Login with SSO is handling authentication. Options include:
- Master Password: Once authenticated, Organization members will decrypt Vault data using their Master Passwords.
- Key Connector: Connect Login with SSO to your self-hosted decryption key server. Using this option, Organization members won't need to use their Master Passwords to decrypt Vault data. Instead, Key Connector will retrieve a decryption key securely stored in a database owned and managed by you.
{% callout success %} Due to the sensitivity of storing decryption keys, the Key Connector option is disabled by default and currently only available to Organizations self-hosting Bitwarden.
If you're interested in using Key Connector, check out the About Key Connector and Deploy Key Connector articles and Contact Us to set up a time for us to help you get started. {% endcallout %}