# Bitwarden Security Guide

**This article contains important information on how to keep your Bitwarden account secure.**

**Most importantly:**

* DO NOT reuse an existing password for your Bitwarden master password.
* Pick a very strong master password; here's a good video guide: [How to pick a strong password](https://invidious.silkky.cloud/watch?v=Klx5gVol9dA).
* Go to [haveibeenpwned](https://haveibeenpwned.com/Passwords) and make sure your master password has not already been leaked.
* Enable two-factor authentication. [Setup Here](https://vault.silkky.cloud/#/settings/two-factor).
* Store your 2FA backup codes offline, on a piece of paper or on an encrypted USB stick.
* Never reuse passwords across accounts.

Please take these steps to ensure your Bitwarden account is as secure as possible.

# Bitwarden Security

**This is for [vault.silkky.cloud](https://vault.silkky.cloud)**, adapted from Bitwarden's official documentation. Pretty much all of Bitwarden's official documentation will apply to our [Bitwarden implementation](https://git.silkky.cloud/silkkycloud/bitwarden).

### References

* [Vault Data](https://bitwarden.com/help/article/vault-data/)
* [Encryption](https://bitwarden.com/help/article/what-encryption-is-used/)
* [Account Encryption Key](https://bitwarden.com/help/article/account-encryption-key/)
* [Account Fingerprint Phrase](https://bitwarden.com/help/article/fingerprint-phrase/)
* [Storage](https://bitwarden.com/help/article/data-storage/)
* [Privacy](https://bitwarden.com/privacy/)
* [Bitwarden-rs](https://github.com/dani-garcia/bitwarden_rs)

## Summary

[vault.silkky.cloud](https://vault.silkky.cloud) is a publicly available Bitwarden instance using [Bitwarden-rs](https://github.com/dani-garcia/bitwarden_rs) as the server API and [PostgreSQL](https://www.postgresql.org/) as the database backend.
Bitwarden-rs is a lightweight implementation of the Bitwarden server written in [Rust](https://github.com/rust-lang/rust). The combination of PostgreSQL for the database and Bitwarden-rs for the API produces excellent security, performance, reliability and scalability. Please see the configuration on Gitea [here](https://git.silkky.cloud/silkkycloud/bitwarden).

### Vault Data

All vault data is encrypted by Bitwarden before being stored anywhere. To learn how, see [Encryption](#Encryption). Vault data can only be decrypted using a key derived from your master password. Bitwarden is a zero-knowledge solution, meaning you are the only party with access to your key and the ability to decrypt your vault data.

### Encryption

Bitwarden uses [AES-CBC](#AES-CBC) 256-bit encryption for your vault data, and [PBKDF2](#PBKDF2) SHA-256 to derive your encryption key. Bitwarden **always** encrypts and/or hashes your data on your local device before anything is sent to the server for storage. **The server is only used for storing encrypted data.** For more information, see [Storage](#Storage).

Vault data can only be decrypted using a key derived from your master password. Bitwarden is a zero-knowledge solution, meaning you are the only party with access to your key and the ability to decrypt your vault data.

Please visit the [Bitwarden Interactive Cryptography Page](https://bitwarden.com/help/crypto.html) to see for yourself how Bitwarden encrypts your data.

#### AES-CBC

AES-CBC ([Cipher Block Chaining](https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation#Cipher_block_chaining_(CBC))) is used to encrypt vault data. With a proper implementation and a strong encryption key (derived from your master password), AES is considered unbreakable.

#### PBKDF2

PBKDF2 SHA-256 is used to derive the encryption key from your master password. Bitwarden salts and hashes your master password with your email address locally, before transmission to our server.
Once our Bitwarden server receives the hashed password, it is salted again with a cryptographically secure random value, hashed again, and stored in our database. The default iteration count used with PBKDF2 is 100,001 iterations on the client (the client-side iteration count is configurable from your account settings), and then an additional 100,000 iterations when stored on our servers (for a total of 200,001 iterations by default). The Organization key is shared via [RSA-2048](https://en.wikipedia.org/wiki/RSA_numbers#RSA-2048).

The hash functions used are one-way hashes, meaning they **cannot be reverse engineered** by anyone at silkky.cloud to reveal your master password. Even if the silkky.cloud server were to be hacked, there would be no method by which your master password could be obtained.

### Storage

#### *On Silkkycloud Servers*

silkky.cloud processes and stores all data securely in Finland on a Hetzner dedicated server. [Contact server administrator](mailto:silkky@silkky.cloud)

#### *On your Local Machine*

Data that is stored on your computer/device is also encrypted and only decrypted when you unlock your vault. Vault data can be found in the following locations, depending on the client application in use.

| Windows | MacOS | Linux |
| --- | --- | --- |
| %AppData%\Bitwarden | ~/Library/Application Support/Bitwarden | ~/.config/Bitwarden |
| .\bitwarden-appdata | ~/Library/Containers/com.bitwarden.desktop/Data/Library/Application Support/Bitwarden | ~/snap/bitwarden/current/.config/Bitwarden |
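As an added illustration of the client-side and server-side PBKDF2-SHA256 steps described under Encryption above (example code, not Bitwarden's or bitwarden_rs's own), using the page's default iteration counts. The separate one-iteration login hash follows Bitwarden's published design rather than anything stated on this page, and the sample credentials, `KEY_LEN` and function names are assumptions of the example.

```python
# Added illustration of the client/server PBKDF2-SHA256 flow described above;
# not code from Bitwarden or bitwarden_rs. Iteration counts are the page's stated
# defaults; KEY_LEN, the sample credentials and function names are assumptions.
import hashlib
import hmac
import secrets

CLIENT_ITERATIONS = 100_001  # client-side default stated on the page
SERVER_ITERATIONS = 100_000  # extra server-side pass stated on the page
KEY_LEN = 32                 # 256-bit output, assumed to match AES-256


def kdf(secret: bytes, salt: bytes, iterations: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret, salt, iterations, dklen=KEY_LEN)


def client_keys(master_password: str, email: str) -> tuple[bytes, bytes]:
    """Client side. The encryption key is PBKDF2 of the master password salted
    with the normalised email and never leaves the device. What is sent for
    login is a further one-iteration PBKDF2 of that key (Bitwarden's published
    design, not stated on this page), so the server cannot recover the key."""
    pw = master_password.encode()
    key = kdf(pw, email.strip().lower().encode(), CLIENT_ITERATIONS)
    login_hash = kdf(key, pw, 1)
    return key, login_hash


def server_store(login_hash: bytes) -> tuple[bytes, bytes]:
    """Server side: salt the received hash with a fresh random value and hash
    again before storing. Only (salt, stored_hash) is written to the database."""
    salt = secrets.token_bytes(16)
    return salt, kdf(login_hash, salt, SERVER_ITERATIONS)


def server_verify(login_hash: bytes, salt: bytes, stored: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(kdf(login_hash, salt, SERVER_ITERATIONS), stored)


def demo() -> bool:
    """Constructed credentials: the round trip verifies, a wrong password is
    rejected, and the stored record differs from the encryption key."""
    email, pw = "alice@example.invalid", "correct horse battery staple"
    key, login_hash = client_keys(pw, email)
    salt, stored = server_store(login_hash)
    return (server_verify(login_hash, salt, stored)
            and not server_verify(client_keys("wrong password", email)[1], salt, stored)
            and key not in (login_hash, stored))
```

The server-side pass only slows down offline guessing against a stolen database; it cannot rescue a weak or reused master password, which is why the first section insists on a strong, unique one.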