mirror of https://github.com/bitwarden/help synced 2025-12-11 13:53:26 +00:00
help/_articles/send/send-encryption.md
fred_the_tech_writer 906e2ca0dd Promote to Master (#748)

Co-authored-by: DanHillesheim <79476558+DanHillesheim@users.noreply.github.com>
2021-09-21 13:21:11 -04:00


| layout | title | categories | featured | popular | tags | order |
|---|---|---|---|---|---|---|
| article | Send Encryption | send | true | false | bitwarden send, send, about send, ephemeral sharing | 07 |

Send Encryption

Sends are a secure and ephemeral mechanism for transmitting sensitive information to anyone, including plaintext and files. As the About Send article notes, Sends are end-to-end encrypted, meaning that encryption (described below) and decryption occur client-side. When you create a Send:

  1. A new 128-bit secret key is generated for the Send.

  2. Using HKDF-SHA256, a 512-bit encryption key is derived from the secret key.

  3. The derived key is used to AES-256 encrypt the Send, including its file/text data and metadata (Name, Filename, Notes, etc.).

    {% callout success %}Any password used to protect a Send is not involved in encryption and decryption of a Send. Passwords are purely an authentication method; however, password-protected Sends will be blocked from decrypting until password authentication is successful.{% endcallout %}

  4. The encrypted Send is uploaded to Bitwarden servers, including a unique Send ID that Bitwarden uses to identify the Send for decryption but not including the encryption key.
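Steps 1 and 2 above, sketched as an added example (not Bitwarden's client code) that implements HKDF-SHA256 per RFC 5869 with the Python standard library. The salt and info labels, the function names, and the split of the 512 bits into an AES-256 half and a MAC half are assumptions; the article does not state them.

```python
import hashlib
import hmac
import secrets

HASH_LEN = hashlib.sha256().digest_size  # 32 bytes

# Assumption: placeholder salt/info labels; the article does not state the real ones.
EXAMPLE_SALT = b"example-salt"
EXAMPLE_INFO = b"example-info"


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    """HKDF (RFC 5869) over HMAC-SHA256: extract a PRK, then expand it."""
    if not 0 < length <= 255 * HASH_LEN:
        raise ValueError("length out of range for HKDF-SHA256")
    # Extract: an empty salt is replaced by HASH_LEN zero bytes.
    prk = hmac.new(salt or bytes(HASH_LEN), ikm, hashlib.sha256).digest()
    # Expand: T(i) = HMAC(PRK, T(i-1) || info || i), concatenated and truncated.
    okm, block = b"", b""
    for counter in range(1, -(-length // HASH_LEN) + 1):
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
    return okm[:length]


def new_send_secret() -> bytes:
    """Step 1: a fresh 128-bit secret from the OS CSPRNG."""
    return secrets.token_bytes(16)


def derive_send_key(secret: bytes) -> bytes:
    """Step 2: stretch the 128-bit secret into 512 bits of key material."""
    if len(secret) != 16:
        raise ValueError("Send secret must be exactly 128 bits")
    return hkdf_sha256(secret, EXAMPLE_SALT, EXAMPLE_INFO, 64)


def split_key(derived: bytes) -> tuple:
    """Assumption: first 256 bits feed AES-256, last 256 bits key a MAC."""
    return derived[:32], derived[32:]


if __name__ == "__main__":
    key = derive_send_key(new_send_secret())
    enc_key, mac_key = split_key(key)
    print(len(key) * 8, len(enc_key) * 8, len(mac_key) * 8)
```

HKDF adds no entropy: the 512-bit output is only as unpredictable as the 128-bit secret it was derived from.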

Send Decryption

Sends are decrypted by opening the Send link, which is constructed from a unique Send ID and the derived encryption key:

https://vault.bitwarden.com/#/send/send_id/encryption_key

When you access a Send link:

  1. The web browser requests a Send access page from Bitwarden servers.

  2. Bitwarden servers return the Send access page as a Web Vault client.

  3. The Web Vault client locally parses the URL fragment containing the Send ID and encryption key.

  4. The Web Vault client requests data from the server based on the parsed Send ID. The encryption key is never included in network requests.

  5. Bitwarden servers return the encrypted Send to the Web Vault client.

  6. The Web Vault client locally decrypts the Send using the encryption key.

    {% callout success %}If your Send is password-protected, decryption of the Send will be blocked by authentication. The server validates the password and only returns the Send if the password is correct. This should not be confused with the password being used for decryption.{% endcallout %}

Send Security

When transmitting a Bitwarden Send link, there are optional steps you can take for additional security:

  1. Add a password to the Send and share the password via a separate channel.
  2. Send the link without the key (everything before the last forward slash) and send the key via a separate channel.
  3. Leverage both of the above options.

{%callout success%}

When reassembling a Send URL, be sure to include both the Send ID and the encryption key.

Example: https://vault.bitwarden.com/#/send/send_id/encryption_key {%endcallout%}