mirror of
https://github.com/bitwarden/help
synced 2025-12-06 00:03:30 +00:00
906e2ca0dd
* initial commit
* adding quotes for the array error
* Create Gemfile
* Create Gemfile.lock
* add .nvmrc and .node-version
* removed /article from URL
* update links to work with netlify
* more fixed links
* link fixes
* update bad links
* Update netlify.toml
toml test for redirects
* article redirect
* link fixes
* Update index.html
* Update netlify.toml
* Update _config.yml
* Update netlify.toml
* Update netlify.toml
* Update netlify.toml
* Update netlify.toml
* Update netlify.toml
* add article back into URL for launch
* Update netlify.toml
* Update netlify.toml
* add order to categories front matter
* Update netlify.toml
* update
* sidemenu update
* Revert "sidemenu update"
This reverts commit 5441c3d35c.
* update order prop
* Navbar updates per Gary and compiler warnings
* font/style tweaks
* Update sidebar.html
* Stage Release Documentation (#739)
* initial drafts
* rewrite Custom Fields article to prioritize new context-menu option & better organize ancillary information
* edit
* edit
* Custom Field Context Menu & CAPTCHA item in release notes
* SSO relink event
* update rn
* small edits
* improve release notes titles
* fix side menu
* Edits courtest of mportune!
* update order
* link fixes
* link cleanup
* image updates and a link
* fix trailing slash
Co-authored-by: DanHillesheim <79476558+DanHillesheim@users.noreply.github.com>
58 lines
3.8 KiB
Markdown
58 lines
3.8 KiB
Markdown
---
|
|
layout: article
|
|
title: Encryption
|
|
categories: [security]
|
|
featured: true
|
|
popular: false
|
|
tags: [encryption]
|
|
order: "03"
|
|
redirect_from:
|
|
- /article/password-salt-hash/
|
|
- /article/how-is-data-securely-transmitted-and-stored/
|
|
---
|
|
|
|
Bitwarden uses [AES-CBC](#aes-cbc) 256-bit encryption for your Vault data, and [PBKDF2](#pbkdf2) SHA-256 to derive your encryption key.
|
|
|
|
Bitwarden **always** encrypts and/or hashes your data on your local device before anything is sent to cloud servers for storage. **Bitwarden servers are only used for storing encrypted data.** For more information, see [Storage]({{site.baseurl}}/article/data-storage/).
|
|
|
|
Vault data can only be decrypted using the key derived from your master password. Bitwarden is a zero knowledge solution, meaning you are the only party with access to your key and the ability to decrypt your Vault data.
|
|
|
|
{% callout success %}
|
|
We encourage you to visit our [Interactive Cryptography Page]({{site.baseurl}}/crypto.html){:target="\_blank"} to see for yourself how Bitwarden encrypts your data.
|
|
|
|
If you'd like to learn more about how these encryption keys are used to protect your Vault, you can also check out our [Security Whitepaper](https://bitwarden.com/images/resources/security-white-paper-download.pdf).
|
|
{% endcallout %}
|
|
|
|
## AES-CBC
|
|
|
|
[AES](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard){:target="\_blank"}-CBC [(Cipher Block Chaining)](https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation#Cipher_block_chaining_(CBC)){:target="blank"}, used to encrypt Vault data, is a standard in cryptography and used by the US government and other government agencies around the world for protecting top-secret data. With proper implementation and a strong encryption key (your master password), AES is considered unbreakable.
|
|
|
|
## PBKDF2
|
|
|
|
[PBKDF2][pbkdf2]{:target="blank"} SHA-256 is used to derive the encryption key from your master password. Bitwarden [salts and hashes](https://www.okta.com/blog/2019/03/what-are-salted-passwords-and-password-hashing/){:target="\_blank"} your master password with your email address **locally**, before transmission to our servers. Once a Bitwarden server receives the hashed password, it is salted again with a cryptographically secure random value, hashed again, and stored in our database.
|
|
|
|
The default iteration count used with PBKDF2 is 100,001 iterations on the client (*client-side iteration count is configurable from your account settings*), and then an additional 100,000 iterations when stored on our servers (for a total of 200,001 iterations by default). The Organization key is shared via [RSA-2048][rsa]{:target="blank"}.
|
|
|
|
The utilized hash functions are one-way hashes, meaning they **cannot be reverse engineered** by anyone at Bitwarden to reveal your master password. Even if Bitwarden were to be hacked, there would be no method by which your master password could be obtained.
|
|
|
|
## Invoked Crypto Libraries
|
|
|
|
**Bitwarden does not write any cryptographic code.** Bitwarden only invokes crypto from popular and reputable crypto libraries that are written and maintained by cryptography experts. The following crypto libraries are used:
|
|
|
|
- JavaScript (Web Vault, Browser Extension, Desktop, and CLI)
|
|
- [Web Crypto][webcrypto]{:target="blank"}
|
|
- [Node.js Crypto][nodecrypto]{:target="blank"}
|
|
- [Forge][forge]{:target="blank"}
|
|
- C# (Mobile)
|
|
- CommonCrypto (iOS, Apple)
|
|
- Javax.Crypto (Android, Oracle)
|
|
- [BouncyCastle][bouncy]{:target="blank"} (Android)
|
|
|
|
[aes]: https://en.wikipedia.org/wiki/Advanced_Encryption_Standard
|
|
[pbkdf2]: https://en.wikipedia.org/wiki/PBKDF2
|
|
[rsa]: https://en.wikipedia.org/wiki/RSA_numbers#RSA-2048
|
|
[forge]: https://github.com/digitalbazaar/forge
|
|
[webcrypto]: https://w3c.github.io/webcrypto/Overview.html
|
|
[bouncy]: http://www.bouncycastle.org/csharp/
|
|
[nodecrypto]: https://nodejs.org/api/crypto.html
|