PM-115 Fix attachment encryption on new cipher item encryption model

* PM-1690 added minimum server version restriction to cipher key encryption and also change the force key rotation flag

* PM-1690 Updated min server version for new cipher encryption key and fixed configService registration

* PM-1690 removed forcekeyrotation

src/App/Pages/Vault/AttachmentsPageViewModel.cs

@@ -123,7 +123,7 @@ namespace Bit.App.Pages
             {
                 await _deviceActionService.ShowLoadingAsync(AppResources.Saving);
                 _cipherDomain = await _cipherService.SaveAttachmentRawWithServerAsync(
-                    _cipherDomain, FileName, FileData);
+                    _cipherDomain, Cipher, FileName, FileData);
                 Cipher = await _cipherDomain.DecryptAsync();
                 await _deviceActionService.HideLoadingAsync();
                 _platformUtilsService.ShowToast("success", null, AppResources.AttachementAdded);

src/Core/Abstractions/ICipherService.cs

@@ -27,7 +27,7 @@ namespace Bit.Core.Abstractions
         Task<Cipher> GetAsync(string id);
         Task<CipherView> GetLastUsedForUrlAsync(string url);
         Task ReplaceAsync(Dictionary<string, CipherData> ciphers);
-        Task<Cipher> SaveAttachmentRawWithServerAsync(Cipher cipher, string filename, byte[] data);
+        Task<Cipher> SaveAttachmentRawWithServerAsync(Cipher cipher, CipherView cipherView, string filename, byte[] data);
         Task SaveCollectionsWithServerAsync(Cipher cipher);
         Task SaveNeverDomainAsync(string domain);
         Task SaveWithServerAsync(Cipher cipher);

src/Core/Constants.cs

@@ -63,6 +63,8 @@
         public const int Argon2MemoryInMB = 64;
         public const int Argon2Parallelism = 4;
         public const int MasterPasswordMinimumChars = 12;
+        public const int CipherKeyRandomBytesLength = 64;
+        public const string CipherKeyEncryptionMinServerVersion = "2023.3.0";
 
         public static readonly string[] AndroidAllClearCipherCacheKeys =
         {

src/Core/Models/Data/CipherData.cs

@@ -26,6 +26,7 @@ namespace Bit.Core.Models.Data
             Notes = response.Notes;
             CollectionIds = collectionIds?.ToList() ?? response.CollectionIds;
             Reprompt = response.Reprompt;
+            Key = response.Key;
 
             try // Added to address Issue (https://github.com/bitwarden/mobile/issues/1006)
             {
@@ -86,5 +87,6 @@ namespace Bit.Core.Models.Data
         public List<string> CollectionIds { get; set; }
         public DateTime? DeletedDate { get; set; }
         public Enums.CipherRepromptType Reprompt { get; set; }
+        public string Key { get; set; }
     }
 }

src/Core/Models/Domain/Attachment.cs

@@ -1,8 +1,10 @@
-using System.Collections.Generic;
+using System;
+using System.Collections.Generic;
 using System.Threading.Tasks;
 using Bit.Core.Abstractions;
 using Bit.Core.Models.Data;
 using Bit.Core.Models.View;
+using Bit.Core.Services;
 using Bit.Core.Utilities;
 
 namespace Bit.Core.Models.Domain
@@ -11,11 +13,11 @@ namespace Bit.Core.Models.Domain
     {
         private HashSet<string> _map = new HashSet<string>
         {
-            "Id",
+            nameof(Id),
-            "Url",
+            nameof(Url),
-            "SizeName",
+            nameof(SizeName),
-            "FileName",
+            nameof(FileName),
-            "Key"
+            nameof(Key)
         };
 
         public Attachment() { }
@@ -23,7 +25,7 @@ namespace Bit.Core.Models.Domain
         public Attachment(AttachmentData obj, bool alreadyEncrypted = false)
         {
             Size = obj.Size;
-            BuildDomainModel(this, obj, _map, alreadyEncrypted, new HashSet<string> { "Id", "Url", "SizeName" });
+            BuildDomainModel(this, obj, _map, alreadyEncrypted, new HashSet<string> { nameof(Id), nameof(Url), nameof(SizeName) });
         }
 
         public string Id { get; set; }
@@ -33,25 +35,26 @@ namespace Bit.Core.Models.Domain
         public EncString Key { get; set; }
         public EncString FileName { get; set; }
 
-        public async Task<AttachmentView> DecryptAsync(string orgId)
+        public async Task<AttachmentView> DecryptAsync(string orgId, SymmetricCryptoKey key = null)
         {
             var view = await DecryptObjAsync(new AttachmentView(this), this, new HashSet<string>
             {
-                "FileName"
+                nameof(FileName)
-            }, orgId);
+            }, orgId, key);
 
             if (Key != null)
             {
-                var cryptoService = ServiceContainer.Resolve<ICryptoService>("cryptoService");
                 try
                 {
-                    var orgKey = await cryptoService.GetOrgKeyAsync(orgId);
+                    var cryptoService = ServiceContainer.Resolve<ICryptoService>();
-                    var decValue = await cryptoService.DecryptToBytesAsync(Key, orgKey);
+
+                    var decryptKey = key ?? await cryptoService.GetOrgKeyAsync(orgId);
+                    var decValue = await cryptoService.DecryptToBytesAsync(Key, decryptKey);
                     view.Key = new SymmetricCryptoKey(decValue);
                 }
-                catch
+                catch (Exception ex)
                 {
-                    // TODO: error?
+                    LoggerHelper.LogEvenIfCantBeResolved(ex);
                 }
             }
             return view;
@@ -61,7 +64,7 @@ namespace Bit.Core.Models.Domain
         {
             var a = new AttachmentData();
             a.Size = Size;
-            BuildDataModel(this, a, _map, new HashSet<string> { "Id", "Url", "SizeName" });
+            BuildDataModel(this, a, _map, new HashSet<string> { nameof(Id), nameof(Url), nameof(SizeName) });
             return a;
         }
     }

src/Core/Models/Domain/Card.cs

@@ -31,9 +31,9 @@ namespace Bit.Core.Models.Domain
         public EncString ExpYear { get; set; }
         public EncString Code { get; set; }
 
-        public Task<CardView> DecryptAsync(string orgId)
+        public Task<CardView> DecryptAsync(string orgId, SymmetricCryptoKey key = null)
         {
-            return DecryptObjAsync(new CardView(this), this, _map, orgId);
+            return DecryptObjAsync(new CardView(this), this, _map, orgId, key);
         }
 
         public CardData ToCardData()

src/Core/Models/Domain/Cipher.cs

@@ -1,10 +1,13 @@
 using System;
 using System.Collections.Generic;
 using System.Linq;
+using System.Security.Cryptography;
 using System.Threading.Tasks;
+using Bit.Core.Abstractions;
 using Bit.Core.Enums;
 using Bit.Core.Models.Data;
 using Bit.Core.Models.View;
+using Bit.Core.Utilities;
 
 namespace Bit.Core.Models.Domain
 {
@@ -16,12 +19,12 @@ namespace Bit.Core.Models.Domain
         {
             BuildDomainModel(this, obj, new HashSet<string>
             {
-                "Id",
+                nameof(Id),
-                "OrganizationId",
+                nameof(OrganizationId),
-                "FolderId",
+                nameof(FolderId),
-                "Name",
+                nameof(Name),
-                "Notes"
+                nameof(Notes)
-            }, alreadyEncrypted, new HashSet<string> { "Id", "OrganizationId", "FolderId" });
+            }, alreadyEncrypted, new HashSet<string> { nameof(Id), nameof(OrganizationId), nameof(FolderId) });
 
             Type = obj.Type;
             Favorite = obj.Favorite;
@@ -33,6 +36,11 @@ namespace Bit.Core.Models.Domain
             LocalData = localData;
             Reprompt = obj.Reprompt;
 
+            if (obj.Key != null)
+            {
+                Key = new EncString(obj.Key);
+            }
+
             switch (Type)
             {
                 case Enums.CipherType.Login:
@@ -79,29 +87,43 @@ namespace Bit.Core.Models.Domain
         public HashSet<string> CollectionIds { get; set; }
         public DateTime? DeletedDate { get; set; }
         public CipherRepromptType Reprompt { get; set; }
+        public EncString Key { get; set; }
 
         public async Task<CipherView> DecryptAsync()
         {
             var model = new CipherView(this);
+
+            if (Key != null)
+            {
+                // HACK: I don't like resolving this here but I can't see a better way without
+                // refactoring a lot of things.
+                var cryptoService = ServiceContainer.Resolve<ICryptoService>();
+
+                var orgKey = await cryptoService.GetOrgKeyAsync(OrganizationId);
+
+                var key = await cryptoService.DecryptToBytesAsync(Key, orgKey);
+                model.Key = new SymmetricCryptoKey(key);
+            }
+
             await DecryptObjAsync(model, this, new HashSet<string>
             {
-                "Name",
+                nameof(Name),
-                "Notes"
+                nameof(Notes)
-            }, OrganizationId);
+            }, OrganizationId, model.Key);
 
             switch (Type)
             {
                 case Enums.CipherType.Login:
-                    model.Login = await Login.DecryptAsync(OrganizationId);
+                    model.Login = await Login.DecryptAsync(OrganizationId, model.Key);
                     break;
                 case Enums.CipherType.SecureNote:
-                    model.SecureNote = await SecureNote.DecryptAsync(OrganizationId);
+                    model.SecureNote = await SecureNote.DecryptAsync(OrganizationId, model.Key);
                     break;
                 case Enums.CipherType.Card:
-                    model.Card = await Card.DecryptAsync(OrganizationId);
+                    model.Card = await Card.DecryptAsync(OrganizationId, model.Key);
                     break;
                 case Enums.CipherType.Identity:
-                    model.Identity = await Identity.DecryptAsync(OrganizationId);
+                    model.Identity = await Identity.DecryptAsync(OrganizationId, model.Key);
                     break;
                 default:
                     break;
@@ -113,7 +135,7 @@ namespace Bit.Core.Models.Domain
                 var tasks = new List<Task>();
                 async Task decryptAndAddAttachmentAsync(Attachment attachment)
                 {
-                    var decAttachment = await attachment.DecryptAsync(OrganizationId);
+                    var decAttachment = await attachment.DecryptAsync(OrganizationId, model.Key);
                     model.Attachments.Add(decAttachment);
                 }
                 foreach (var attachment in Attachments)
@@ -128,7 +150,7 @@ namespace Bit.Core.Models.Domain
                 var tasks = new List<Task>();
                 async Task decryptAndAddFieldAsync(Field field)
                 {
-                    var decField = await field.DecryptAsync(OrganizationId);
+                    var decField = await field.DecryptAsync(OrganizationId, model.Key);
                     model.Fields.Add(decField);
                 }
                 foreach (var field in Fields)
@@ -143,7 +165,7 @@ namespace Bit.Core.Models.Domain
                 var tasks = new List<Task>();
                 async Task decryptAndAddHistoryAsync(PasswordHistory ph)
                 {
-                    var decPh = await ph.DecryptAsync(OrganizationId);
+                    var decPh = await ph.DecryptAsync(OrganizationId, model.Key);
                     model.PasswordHistory.Add(decPh);
                 }
                 foreach (var ph in PasswordHistory)
@@ -171,11 +193,12 @@ namespace Bit.Core.Models.Domain
                 CollectionIds = CollectionIds.ToList(),
                 DeletedDate = DeletedDate,
                 Reprompt = Reprompt,
+                Key = Key?.EncryptedString
             };
             BuildDataModel(this, c, new HashSet<string>
             {
-                "Name",
+                nameof(Name),
-                "Notes"
+                nameof(Notes)
             });
             switch (c.Type)
             {

src/Core/Models/Domain/Field.cs

@@ -28,9 +28,9 @@ namespace Bit.Core.Models.Domain
         public FieldType Type { get; set; }
         public LinkedIdType? LinkedId { get; set; }
 
-        public Task<FieldView> DecryptAsync(string orgId)
+        public Task<FieldView> DecryptAsync(string orgId, SymmetricCryptoKey key = null)
         {
-            return DecryptObjAsync(new FieldView(this), this, _map, orgId);
+            return DecryptObjAsync(new FieldView(this), this, _map, orgId, key);
         }
 
         public FieldData ToFieldData()

src/Core/Models/Domain/Identity.cs

@@ -55,9 +55,9 @@ namespace Bit.Core.Models.Domain
         public EncString PassportNumber { get; set; }
         public EncString LicenseNumber { get; set; }
 
-        public Task<IdentityView> DecryptAsync(string orgId)
+        public Task<IdentityView> DecryptAsync(string orgId, SymmetricCryptoKey key = null)
         {
-            return DecryptObjAsync(new IdentityView(this), this, _map, orgId);
+            return DecryptObjAsync(new IdentityView(this), this, _map, orgId, key);
         }
 
         public IdentityData ToIdentityData()

src/Core/Models/Domain/Login.cs

@@ -29,20 +29,20 @@ namespace Bit.Core.Models.Domain
         public DateTime? PasswordRevisionDate { get; set; }
         public EncString Totp { get; set; }
 
-        public async Task<LoginView> DecryptAsync(string orgId)
+        public async Task<LoginView> DecryptAsync(string orgId, SymmetricCryptoKey key = null)
         {
             var view = await DecryptObjAsync(new LoginView(this), this, new HashSet<string>
             {
                 "Username",
                 "Password",
                 "Totp"
-            }, orgId);
+            }, orgId, key);
             if (Uris != null)
             {
                 view.Uris = new List<LoginUriView>();
                 foreach (var uri in Uris)
                 {
-                    view.Uris.Add(await uri.DecryptAsync(orgId));
+                    view.Uris.Add(await uri.DecryptAsync(orgId, key));
                 }
             }
             return view;

src/Core/Models/Domain/LoginUri.cs

@@ -24,9 +24,9 @@ namespace Bit.Core.Models.Domain
         public EncString Uri { get; set; }
         public UriMatchType? Match { get; set; }
 
-        public Task<LoginUriView> DecryptAsync(string orgId)
+        public Task<LoginUriView> DecryptAsync(string orgId, SymmetricCryptoKey key = null)
         {
-            return DecryptObjAsync(new LoginUriView(this), this, _map, orgId);
+            return DecryptObjAsync(new LoginUriView(this), this, _map, orgId, key);
         }
 
         public LoginUriData ToLoginUriData()

src/Core/Models/Domain/PasswordHistory.cs

@@ -24,9 +24,9 @@ namespace Bit.Core.Models.Domain
         public EncString Password { get; set; }
         public DateTime LastUsedDate { get; set; }
 
-        public Task<PasswordHistoryView> DecryptAsync(string orgId)
+        public Task<PasswordHistoryView> DecryptAsync(string orgId, SymmetricCryptoKey key = null)
         {
-            return DecryptObjAsync(new PasswordHistoryView(this), this, _map, orgId);
+            return DecryptObjAsync(new PasswordHistoryView(this), this, _map, orgId, key);
         }
 
         public PasswordHistoryData ToPasswordHistoryData()

src/Core/Models/Domain/SecureNote.cs

@@ -16,7 +16,7 @@ namespace Bit.Core.Models.Domain
 
         public SecureNoteType Type { get; set; }
 
-        public Task<SecureNoteView> DecryptAsync(string orgId)
+        public Task<SecureNoteView> DecryptAsync(string orgId, SymmetricCryptoKey key = null)
         {
             return Task.FromResult(new SecureNoteView(this));
         }

src/Core/Models/Request/CipherRequest.cs

@@ -19,6 +19,7 @@ namespace Bit.Core.Models.Request
             Favorite = cipher.Favorite;
             LastKnownRevisionDate = cipher.RevisionDate;
             Reprompt = cipher.Reprompt;
+            Key = cipher.Key?.EncryptedString;
 
             switch (Type)
             {
@@ -124,5 +125,6 @@ namespace Bit.Core.Models.Request
         public Dictionary<string, AttachmentRequest> Attachments2 { get; set; }
         public DateTime LastKnownRevisionDate { get; set; }
         public CipherRepromptType Reprompt { get; set; }
+        public string Key { get; set; }
     }
 }

src/Core/Models/Response/CipherResponse.cs

@@ -28,5 +28,6 @@ namespace Bit.Core.Models.Response
         public List<string> CollectionIds { get; set; }
         public DateTime? DeletedDate { get; set; }
         public CipherRepromptType Reprompt { get; set; }
+        public string Key { get; set; }
     }
 }

src/Core/Models/View/CipherView.cs

@@ -49,6 +49,7 @@ namespace Bit.Core.Models.View
         public DateTime RevisionDate { get; set; }
         public DateTime? DeletedDate { get; set; }
         public CipherRepromptType Reprompt { get; set; }
+        public SymmetricCryptoKey Key { get; set; }
 
         public ItemView Item
         {

src/Core/Services/CipherService.cs

@@ -1,4 +1,6 @@
-using System;
+#define ENABLE_NEW_CIPHER_KEY_ENCRYPTION_ON_CREATION
+
+using System;
 using System.Collections.Generic;
 using System.IO;
 using System.Linq;
@@ -30,6 +32,7 @@ namespace Bit.Core.Services
         private readonly IStorageService _storageService;
         private readonly II18nService _i18nService;
         private readonly Func<ISearchService> _searchService;
+        private readonly IConfigService _configService;
         private readonly string _clearCipherCacheKey;
         private readonly string[] _allClearCipherCacheKeys;
         private Dictionary<string, HashSet<string>> _domainMatchBlacklist = new Dictionary<string, HashSet<string>>
@@ -48,6 +51,7 @@ namespace Bit.Core.Services
             IStorageService storageService,
             II18nService i18nService,
             Func<ISearchService> searchService,
+            IConfigService configService,
             string clearCipherCacheKey,
             string[] allClearCipherCacheKeys)
         {
@@ -59,6 +63,7 @@ namespace Bit.Core.Services
             _storageService = storageService;
             _i18nService = i18nService;
             _searchService = searchService;
+            _configService = configService;
             _clearCipherCacheKey = clearCipherCacheKey;
             _allClearCipherCacheKeys = allClearCipherCacheKeys;
         }
@@ -180,6 +185,26 @@ namespace Bit.Core.Services
                 Reprompt = model.Reprompt
             };
 
+            key = await UpdateCipherAndGetCipherKeyAsync(cipher, model, key);
+
+            var tasks = new List<Task>
+            {
+                EncryptObjPropertyAsync(model, cipher, new HashSet<string>
+                {
+                   nameof(CipherView.Name),
+                   nameof(CipherView.Notes)
+                }, key),
+                EncryptCipherDataAsync(cipher, model, key),
+                EncryptFieldsAsync(model.Fields, key, cipher),
+                EncryptPasswordHistoriesAsync(model.PasswordHistory, key, cipher),
+                EncryptAttachmentsAsync(model.Attachments, key, cipher)
+            };
+            await Task.WhenAll(tasks);
+            return cipher;
+        }
+
+        private async Task<SymmetricCryptoKey> UpdateCipherAndGetCipherKeyAsync(Cipher cipher, CipherView cipherView, SymmetricCryptoKey key = null)
+        {
             if (key == null && cipher.OrganizationId != null)
             {
                 key = await _cryptoService.GetOrgKeyAsync(cipher.OrganizationId);
@@ -189,20 +214,36 @@ namespace Bit.Core.Services
                 }
             }
 
-            var tasks = new List<Task>
+            if (!await ShouldUseCipherKeyEncryptionAsync())
             {
-                EncryptObjPropertyAsync(model, cipher, new HashSet<string>
+                return key;
-                {
+            }
-                   "Name",
+
-                   "Notes"
+            if (cipherView.Key != null)
-                }, key),
+            {
-                EncryptCipherDataAsync(cipher, model, key),
+                cipher.Key = await _cryptoService.EncryptAsync(cipherView.Key.Key, key);
-                EncryptFieldsAsync(model.Fields, key, cipher),
+                return cipherView.Key;
-                EncryptPasswordHistoriesAsync(model.PasswordHistory, key, cipher),
+            }
-                EncryptAttachmentsAsync(model.Attachments, key, cipher)
+#if ENABLE_NEW_CIPHER_KEY_ENCRYPTION_ON_CREATION
-            };
+            // turned on, only on debug to check that the enc/decryption is working fine at the cipher level.
-            await Task.WhenAll(tasks);
+            // this will be allowed on production on a later release.
-            return cipher;
+            var cfs = ServiceContainer.Resolve<ICryptoFunctionService>();
+            var newKey = new SymmetricCryptoKey(await cfs.RandomBytesAsync(Core.Constants.CipherKeyRandomBytesLength));
+            cipher.Key = await _cryptoService.EncryptAsync(newKey.Key, key);
+
+            return newKey;
+#else
+            return key;
+#endif
+        }
+
+        private async Task<bool> ShouldUseCipherKeyEncryptionAsync()
+        {
+            var config = await _configService.GetAsync();
+
+            return config != null
+                   &&
+                   VersionHelpers.IsServerVersionGreaterThanOrEqualTo(config.Version, Constants.CipherKeyEncryptionMinServerVersion);
         }
 
         public async Task<Cipher> GetAsync(string id)
@@ -526,6 +567,7 @@ namespace Bit.Core.Services
                 var request = new CipherRequest(cipher);
                 response = await _apiService.PutCipherAsync(cipher.Id, request);
             }
+
             var userId = await _stateService.GetActiveUserIdAsync();
             var data = new CipherData(response, userId, cipher.CollectionIds);
             await UpsertAsync(data);
@@ -555,11 +597,12 @@ namespace Bit.Core.Services
             await UpsertAsync(data);
         }
 
-        public async Task<Cipher> SaveAttachmentRawWithServerAsync(Cipher cipher, string filename, byte[] data)
+        public async Task<Cipher> SaveAttachmentRawWithServerAsync(Cipher cipher, CipherView cipherView, string filename, byte[] data)
         {
             var orgKey = await _cryptoService.GetOrgKeyAsync(cipher.OrganizationId);
-            var encFileName = await _cryptoService.EncryptAsync(filename, orgKey);
+            var key = await UpdateCipherAndGetCipherKeyAsync(cipher, cipherView, orgKey);
-            var (attachmentKey, orgEncAttachmentKey) = await _cryptoService.MakeEncKeyAsync(orgKey);
+            var encFileName = await _cryptoService.EncryptAsync(filename, key);
+            var (attachmentKey, encAttachmentKey) = await _cryptoService.MakeEncKeyAsync(key);
             var encFileData = await _cryptoService.EncryptToBytesAsync(data, attachmentKey);
 
             CipherResponse response;
@@ -567,18 +610,19 @@ namespace Bit.Core.Services
             {
                 var request = new AttachmentRequest
                 {
-                    Key = orgEncAttachmentKey.EncryptedString,
+                    Key = encAttachmentKey.EncryptedString,
                     FileName = encFileName.EncryptedString,
                     FileSize = encFileData.Buffer.Length,
                 };
 
                 var uploadDataResponse = await _apiService.PostCipherAttachmentAsync(cipher.Id, request);
                 response = uploadDataResponse.CipherResponse;
+
                 await _fileUploadService.UploadCipherAttachmentFileAsync(uploadDataResponse, encFileName, encFileData);
             }
             catch (ApiException e) when (e.Error.StatusCode == System.Net.HttpStatusCode.NotFound || e.Error.StatusCode == System.Net.HttpStatusCode.MethodNotAllowed)
             {
-                response = await LegacyServerAttachmentFileUploadAsync(cipher.Id, encFileName, encFileData, orgEncAttachmentKey);
+                response = await LegacyServerAttachmentFileUploadAsync(cipher.Id, encFileName, encFileData, encAttachmentKey);
             }
 
             var userId = await _stateService.GetActiveUserIdAsync();
@@ -1054,7 +1098,7 @@ namespace Bit.Core.Services
             {
                 await EncryptObjPropertyAsync(model, attachment, new HashSet<string>
                 {
-                    "FileName"
+                    nameof(AttachmentView.FileName)
                 }, key);
                 if (model.Key != null)
                 {

src/Core/Utilities/ServiceContainer.cs

@@ -44,8 +44,9 @@ namespace Bit.Core.Utilities
             var organizationService = new OrganizationService(stateService, apiService);
             var settingsService = new SettingsService(stateService);
             var fileUploadService = new FileUploadService(apiService);
+            var configService = new ConfigService(apiService, stateService, logger);
             var cipherService = new CipherService(cryptoService, stateService, settingsService, apiService,
-                fileUploadService, storageService, i18nService, () => searchService, clearCipherCacheKey,
+                fileUploadService, storageService, i18nService, () => searchService, configService, clearCipherCacheKey,
                 allClearCipherCacheKeys);
             var folderService = new FolderService(cryptoService, stateService, apiService, i18nService, cipherService);
             var collectionService = new CollectionService(cryptoService, stateService, i18nService);
@@ -87,7 +88,6 @@ namespace Bit.Core.Utilities
             var userVerificationService = new UserVerificationService(apiService, platformUtilsService, i18nService,
                 cryptoService);
             var usernameGenerationService = new UsernameGenerationService(cryptoService, apiService, stateService);
-            var configService = new ConfigService(apiService, stateService, logger);
 
             Register<IConditionedAwaiterManager>(conditionedRunner);
             Register<ITokenService>("tokenService", tokenService);
@@ -95,6 +95,7 @@ namespace Bit.Core.Utilities
             Register<IAppIdService>("appIdService", appIdService);
             Register<IOrganizationService>("organizationService", organizationService);
             Register<ISettingsService>("settingsService", settingsService);
+            Register<IConfigService>(configService);
             Register<ICipherService>("cipherService", cipherService);
             Register<IFolderService>("folderService", folderService);
             Register<ICollectionService>("collectionService", collectionService);
@@ -113,7 +114,6 @@ namespace Bit.Core.Utilities
             Register<IKeyConnectorService>("keyConnectorService", keyConnectorService);
             Register<IUserVerificationService>("userVerificationService", userVerificationService);
             Register<IUsernameGenerationService>(usernameGenerationService);
-            Register<IConfigService>(configService);
         }
 
         public static void Register<T>(string serviceName, T obj)

src/Core/Utilities/VersionHelpers.cs

@@ -0,0 +1,34 @@
+using System;
+
+namespace Bit.Core.Utilities
+{
+    public static class VersionHelpers
+    {
+        private const char HOTFIX_SEPARATOR = '-';
+
+        /// <summary>
+        /// Compares two server versions and gets whether the <paramref name="targetVersion"/>
+        /// is greater than or equal to <paramref name="compareToVersion"/>.
+        /// WARNING: This doesn't take into account hotfix suffix.
+        /// </summary>
+        /// <param name="targetVersion">Version to compare</param>
+        /// <param name="compareToVersion">Version to compare against</param>
+        /// <returns>
+        /// <c>True</c> if <paramref name="targetVersion"/> is greater than or equal to <paramref name="compareToVersion"/>; <c>False</c> otherwise.
+        /// </returns>
+        public static bool IsServerVersionGreaterThanOrEqualTo(string targetVersion, string compareToVersion)
+        {
+            return GetServerVersionWithoutHotfix(targetVersion).CompareTo(GetServerVersionWithoutHotfix(compareToVersion)) >= 0;
+        }
+
+        public static Version GetServerVersionWithoutHotfix(string version)
+        {
+            if (string.IsNullOrWhiteSpace(version))
+            {
+                throw new ArgumentNullException(nameof(version));
+            }
+
+            return new Version(version.Split(HOTFIX_SEPARATOR)[0]);
+        }
+    }
+}

test/Core.Test/AutoFixture/Cipher/CipherCustomizations.cs

@@ -1,6 +1,8 @@
 using System;
+using System.Text;
 using AutoFixture;
 using Bit.Core.Models.Domain;
+using Bit.Core.Models.View;
 using Bit.Test.Common.AutoFixture;
 using Bit.Test.Common.AutoFixture.Attributes;
 
@@ -26,16 +28,36 @@ namespace Bit.Core.Test.AutoFixture
         }
     }
 
+    internal class UserCipherView : ICustomization
+    {
+        public void Customize(IFixture fixture)
+        {
+            byte[] getRandomBytes(int size)
+            {
+                Random random = new Random();
+
+                byte[] bytes = new byte[size];
+                random.NextBytes(bytes);
+                return bytes;
+            };
+
+            fixture.Customize<CipherView>(composer => composer
+                .Without(c => c.OrganizationId)
+                .Without(c => c.Attachments)
+                .With(c => c.Key, new SymmetricCryptoKey(getRandomBytes(32), Enums.EncryptionType.AesCbc128_HmacSha256_B64)));
+        }
+    }
+
     internal class UserCipherAutoDataAttribute : CustomAutoDataAttribute
     {
         public UserCipherAutoDataAttribute() : base(new SutProviderCustomization(),
-            new UserCipher())
+            new UserCipher(), new UserCipherView())
         { }
     }
     internal class InlineUserCipherAutoDataAttribute : InlineCustomAutoDataAttribute
     {
         public InlineUserCipherAutoDataAttribute(params object[] values) : base(new[] { typeof(SutProviderCustomization),
-            typeof(UserCipher) }, values)
+            typeof(UserCipher), typeof(UserCipherView) }, values)
         { }
     }
 

test/Core.Test/Services/CipherServiceTests.cs

@@ -22,7 +22,7 @@ namespace Bit.Core.Test.Services
     {
         [Theory, UserCipherAutoData]
         public async Task SaveWithServerAsync_PrefersFileUploadService(SutProvider<CipherService> sutProvider,
-            Cipher cipher, string fileName, EncByteArray data, AttachmentUploadDataResponse uploadDataResponse, EncString encKey)
+            Cipher cipher, CipherView cipherView, string fileName, EncByteArray data, AttachmentUploadDataResponse uploadDataResponse, EncString encKey)
         {
             var encFileName = new EncString(fileName);
             sutProvider.GetDependency<ICryptoService>().EncryptAsync(fileName, Arg.Any<SymmetricCryptoKey>())
@@ -33,7 +33,7 @@ namespace Bit.Core.Test.Services
             sutProvider.GetDependency<IApiService>().PostCipherAttachmentAsync(cipher.Id, Arg.Any<AttachmentRequest>())
                 .Returns(uploadDataResponse);
 
-            await sutProvider.Sut.SaveAttachmentRawWithServerAsync(cipher, fileName, data.Buffer);
+            await sutProvider.Sut.SaveAttachmentRawWithServerAsync(cipher, cipherView, fileName, data.Buffer);
 
             await sutProvider.GetDependency<IFileUploadService>().Received(1)
                 .UploadCipherAttachmentFileAsync(uploadDataResponse, encFileName, data);
@@ -43,7 +43,7 @@ namespace Bit.Core.Test.Services
         [InlineUserCipherAutoData(HttpStatusCode.NotFound)]
         [InlineUserCipherAutoData(HttpStatusCode.MethodNotAllowed)]
         public async Task SaveWithServerAsync_FallsBackToLegacyFormData(HttpStatusCode statusCode,
-            SutProvider<CipherService> sutProvider, Cipher cipher, string fileName, EncByteArray data,
+            SutProvider<CipherService> sutProvider, Cipher cipher, CipherView cipherView, string fileName, EncByteArray data,
             CipherResponse response, EncString encKey)
         {
             sutProvider.GetDependency<ICryptoService>().EncryptAsync(fileName, Arg.Any<SymmetricCryptoKey>())
@@ -56,7 +56,7 @@ namespace Bit.Core.Test.Services
             sutProvider.GetDependency<IApiService>().PostCipherAttachmentLegacyAsync(cipher.Id, Arg.Any<MultipartFormDataContent>())
                 .Returns(response);
 
-            await sutProvider.Sut.SaveAttachmentRawWithServerAsync(cipher, fileName, data.Buffer);
+            await sutProvider.Sut.SaveAttachmentRawWithServerAsync(cipher, cipherView, fileName, data.Buffer);
 
             await sutProvider.GetDependency<IApiService>().Received(1)
                 .PostCipherAttachmentLegacyAsync(cipher.Id, Arg.Any<MultipartFormDataContent>());
@@ -64,7 +64,7 @@ namespace Bit.Core.Test.Services
 
         [Theory, UserCipherAutoData]
         public async Task SaveWithServerAsync_ThrowsOnBadRequestApiException(SutProvider<CipherService> sutProvider,
-            Cipher cipher, string fileName, EncByteArray data, EncString encKey)
+            Cipher cipher, CipherView cipherView, string fileName, EncByteArray data, EncString encKey)
         {
             sutProvider.GetDependency<ICryptoService>().EncryptAsync(fileName, Arg.Any<SymmetricCryptoKey>())
                 .Returns(new EncString(fileName));
@@ -77,7 +77,7 @@ namespace Bit.Core.Test.Services
                 .Throws(expectedException);
 
             var actualException = await Assert.ThrowsAsync<ApiException>(async () =>
-                await sutProvider.Sut.SaveAttachmentRawWithServerAsync(cipher, fileName, data.Buffer));
+                await sutProvider.Sut.SaveAttachmentRawWithServerAsync(cipher, cipherView, fileName, data.Buffer));
 
             Assert.Equal(expectedException.Error.StatusCode, actualException.Error.StatusCode);
         }