Feature Request: key-connector for master-passwordless SSO

[Kab1r]

Bitwarden's upstream key-connector stores encryption keys used to encrypt vaults instead of master passwords. This allows for user accounts that authenticate using SSO to entirely omit master passwords.

[BlackDex]

For this feature we first need SSO support which is in progress as a PR.

Ill add it to the list.

[binaryben]

Please help me make sure I am right in my understanding of how this process works:

1. Currently the users master password encrypts the vaults
2. This is zero knowledge. Forgotten password = unrecoverable vault
3. key-connector means another key is used to encrypt the vault
4. The encryption key is stored in a data store - upstream provides anything from a JSON file to a RDBMS to a noSQL option

If my assumptions/understanding are correct, what protects the encryption key? Even though I use best practice to protect my vaultwarden instance, I still get a lot of peace of mind knowing that a bad actor with access would still have a hard time decrypting my passwords without the master key.

I know it's getting ahead of the horse when SSO support is still in development/testing... it would be nice to know the same peace of mind is possible with key-connector in place. 😊

[Kab1r]

The process is a little complicated, but as far as I know, the only thing you missed is that there are two kinds of keys involved. 'user-keys', the ones you mention, are visible to clients. So instead of storing these in plaintext, they are encrypted by another key that is not visible to clients and then stored.

It seems to me that key-connector is fundamentally less safe because if a bad actor gets access to the infrastructure and obtains the two keys, they can decrypt a vault.

Please correct me if I am wrong about any of this.

Upstream documentation:
https://bitwarden.com/help/about-key-connector/

[binaryben]

It seems to me that key-connector is fundamentally less safe because if a bad actor gets access to the infrastructure and obtains the two keys, they can decrypt a vault.

Thanks, that is my understanding and concern as well. Hopefully others will weigh in to correct us or confirm our understanding!

[mbgonicus]

If I understand it correctly, then the Key Connector is part of the Bitwarden License Agreement which only allows using it for non-prodction development:

2.1 Commercial Module License.
Subject to Your compliance with this Agreement,
Bitwarden hereby grants to You a limited, non-exclusive, non-transferable,
royalty-free license to use the Commercial Modules for the sole purposes of
internal development and internal testing, and only in a non-production
environment.

So adding the feature to use Key Connector with vaultwarden would only be allowed if you pay for a Bitwarden license, in which case you can just use Bitwarden completely? Or the functionality of Key Connector must be clones by a free open source project?