[PR #3990] [MERGED] Implement cipher key encryption #7007

Closed
opened 2026-03-07 21:09:27 -06:00 by GiteaMirror · 0 comments

📋 Pull Request Information

Original PR: https://github.com/dani-garcia/vaultwarden/pull/3990
Author: @dani-garcia
Created: 10/21/2023
Status: Merged
Merged: 10/22/2023
Merged by: @dani-garcia

Base: main ← Head: cipher_key_encryption


📝 Commits (1)

  • 4f03794 Implement cipher key encryption

📊 Changes

12 files changed (+29 additions, -1 deletions)

View changed files

migrations/mysql/2023-10-21-221242_add_cipher_key/down.sql (+0 -0)
migrations/mysql/2023-10-21-221242_add_cipher_key/up.sql (+2 -0)
migrations/postgresql/2023-10-21-221242_add_cipher_key/down.sql (+0 -0)
migrations/postgresql/2023-10-21-221242_add_cipher_key/up.sql (+2 -0)
migrations/sqlite/2023-10-21-221242_add_cipher_key/down.sql (+0 -0)
migrations/sqlite/2023-10-21-221242_add_cipher_key/up.sql (+2 -0)
📝 src/api/core/ciphers.rs (+3 -0)
📝 src/api/core/mod.rs (+12 -1)
📝 src/db/models/cipher.rs (+5 -0)
📝 src/db/schemas/mysql/schema.rs (+1 -0)
📝 src/db/schemas/postgresql/schema.rs (+1 -0)
📝 src/db/schemas/sqlite/schema.rs (+1 -0)

📄 Description

New versions of the Bitwarden clients will very soon start using separate encryption keys for each cipher, so we need to handle those.

At the same time, I've noticed that the clients have started depending on the version value of the /config endpoint to do backwards compatibility checks, so I think the simplest solution for everyone would be for us to return the server version that most closely matches the features we support.

They are doing the semver checks here:
https://github.com/bitwarden/clients/blob/3e495ab082e2152284a36bb5d2b2fb7a4060cfb3/libs/common/src/platform/services/config/config.service.ts#L116-L127

For now the only check they are doing is for version 2023.9.1 for the cipher key encryption feature that this PR implements, so we report that we support that version:
https://github.com/bitwarden/clients/blob/3e495ab082e2152284a36bb5d2b2fb7a4060cfb3/libs/common/src/vault/services/cipher.service.ts#L56

Also added the section for feature flags in the config, the current ones reported on the official vault are:

```
"display-eu-environment": true,
"display-kdf-iteration-warning": true,
"trusted-device-encryption": true,
"sm-ga-billing": true,
"autofill-v2": true
```

For now as a test I've enabled autofill-v2 as that is an entirely client-side change, so it won't affect us.


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
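
The version gate the description refers to, sketched as an added example (not code from this PR, vaultwarden, or the Bitwarden clients): a client only sends per-cipher keys when the version reported by `/config` is at least 2023.9.1, and treats a missing or malformed version as unsupported. `ServerConfig`, `parse_version`, `supports_cipher_key_encryption`, `flag_enabled` and `sample_config` are hypothetical names, and ignoring a pre-release suffix is a simplification.

```rust
// Added example; every name here is hypothetical, not project code.
use std::collections::HashMap;

/// Minimum server version the description names for cipher key encryption.
const CIPHER_KEY_MIN_VERSION: (u32, u32, u32) = (2023, 9, 1);

/// Hypothetical, already-deserialized view of what a server reports from /config.
struct ServerConfig {
    version: Option<String>,
    feature_states: HashMap<String, bool>,
}

/// Parse "MAJOR.MINOR.PATCH", ignoring any "-pre" or "+build" suffix.
/// Anything that is not exactly three numeric fields yields None.
fn parse_version(raw: &str) -> Option<(u32, u32, u32)> {
    let core = raw.trim().split(|c: char| c == '-' || c == '+').next()?;
    let mut parts = core.split('.');
    let major = parts.next()?.parse::<u32>().ok()?;
    let minor = parts.next()?.parse::<u32>().ok()?;
    let patch = parts.next()?.parse::<u32>().ok()?;
    if parts.next().is_some() { return None; }
    Some((major, minor, patch))
}

/// Fail closed: no version, or an unparsable one, means no per-cipher keys are sent.
fn supports_cipher_key_encryption(cfg: &ServerConfig) -> bool {
    cfg.version.as_deref().and_then(parse_version).map_or(false, |v| v >= CIPHER_KEY_MIN_VERSION)
}

/// A flag counts as enabled only when the server explicitly reports it as true.
fn flag_enabled(cfg: &ServerConfig, name: &str) -> bool {
    cfg.feature_states.get(name).copied().unwrap_or(false)
}

/// Constructed sample input: a server that enables only autofill-v2.
fn sample_config(version: Option<&str>) -> ServerConfig {
    let mut feature_states = HashMap::new();
    feature_states.insert("autofill-v2".to_string(), true);
    ServerConfig { version: version.map(str::to_string), feature_states }
}

fn main() {
    for v in [Some("2023.9.1"), Some("2023.9.0"), Some("2023.10.0"), Some("dev"), None] {
        let cfg = sample_config(v);
        println!("{:?} -> per-cipher keys: {}", v, supports_cipher_key_encryption(&cfg));
    }
    println!("autofill-v2: {}", flag_enabled(&sample_config(None), "autofill-v2"));
}
```

The comparison is numeric per field, so 2023.10.0 passes the gate where a plain string comparison would reject it. Because the reported version alone switches the client behaviour, a server should report 2023.9.1 only once it actually stores the per-cipher key.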

Reference: github-starred/vaultwarden#7007