Emergency Access fails because of KeyEncrypted value is null #1139

Closed
opened 2026-02-05 00:04:37 +03:00 by OVERLORD · 8 comments

Originally created by @BlackDex on GitHub (Oct 24, 2021).

Discussed in https://github.com/dani-garcia/vaultwarden/discussions/2060

Originally posted by LoicFr October 23, 2021
Hello,

Just to try, I have configured an emergency access (with view access rights) and it is well approved, but when I click on the View button of the emergency contact I can't see anything (see picture below). Is that normal? I am redirected to https://my.vaultwarden.server.com/#/settings/emergency-access/54a8de73-1da6-4578-b46f-358868d8cba4. What am I supposed to do then?

image

Thanks for your help,
Regards,
Loïc

OVERLORD added the question, bug, troubleshooting labels 2026-02-05 00:04:37 +03:00

@BlackDex commented on GitHub (Oct 27, 2021):

@LoicFr @K1ngLear @antipasta

As already mentioned in the Discussion:

To see what is breaking this we need a JSON response which breaks, since I can't reproduce this currently, and I think neither can the other main contributors. I understand that people are a bit hesitant to provide this, but all is encrypted, so we can't extract anything.

I also think it is somewhere in the Ciphers JSON tree, and that if there is a KeyEncrypted and Object key/value within the response, that is probably not the issue, and we do not need that.

Please contact me on Matrix https://matrix.to/#/#vaultwarden:matrix.org, I am @blackdex:matrix.org


@antipasta commented on GitHub (Oct 27, 2021):

Hi,

I just tried repeating all steps twice now from scratch and strangely enough both times everything is working fine for me. If I'm able to reproduce in the future I'll reach out on Matrix.

Sorry about that! Hopefully one of the other users tagged is still in this error state.


@BlackDex commented on GitHub (Oct 27, 2021):

Steps to extract this info (Works on Firefox and Chrome based browsers):

  1. Log in with the account you want to use to view the emergency access of the other account.
  2. Go to Settings
  3. Go to Emergency Access
  4. Now press F12, this will open a developer console.
  5. Click on the Network tab within the developer console.
  6. Hover over the account you want to view, click the gear icon and click on view.
  7. This should generate a new line within the developer console, click on that.
  8. It will show you some new tabs including Response, click on that.
  9. In Firefox you can right-click on the JSON and select Copy All; in Chrome you can just select all and copy that.

The output of that is what we need to debug/see what is going wrong.


@jyundt commented on GitHub (Oct 27, 2021):

@BlackDex
Following up on our matrix chat, below is my support string:

Your environment (Generated via diagnostics page)

  • Vaultwarden version: v1.23.0
  • Web-vault version: v2.23.0c
  • Running within Docker: true (Base: Alpine)
  • Environment settings overridden: true
  • Uses a reverse proxy: true
  • IP Header check: true (X-Real-IP)
  • Internet access: true
  • Internet access via a proxy: false
  • DNS Check: true
  • Time Check: true
  • Domain Configuration Check: true
  • HTTPS Check: true
  • Database type: SQLite
  • Database version: 3.35.4
  • Clients used:
  • Reverse proxy and version:
  • Other relevant information:

Config (Generated via diagnostics page)

Environment settings which are overridden: DOMAIN, SIGNUPS_ALLOWED, SHOW_PASSWORD_HINT, DISABLE_ADMIN_TOKEN, SMTP_HOST, SMTP_SSL, SMTP_PORT, SMTP_FROM, SMTP_USERNAME, SMTP_PASSWORD

{
  "_duo_akey": null,
  "_enable_duo": false,
  "_enable_email_2fa": true,
  "_enable_smtp": true,
  "_enable_yubico": true,
  "_ip_header_enabled": true,
  "admin_token": null,
  "allowed_iframe_ancestors": "",
  "attachments_folder": "data/attachments",
  "authenticator_disable_time_drift": false,
  "data_folder": "data",
  "database_max_conns": 10,
  "database_url": "****/**.*******",
  "db_connection_retries": 15,
  "disable_2fa_remember": false,
  "disable_admin_token": true,
  "disable_icon_download": false,
  "domain": "*****://*********.*****.**",
  "domain_origin": "*****://*********.*****.**",
  "domain_path": "",
  "domain_set": true,
  "duo_host": null,
  "duo_ikey": null,
  "duo_skey": null,
  "email_attempts_limit": 3,
  "email_expiration_time": 600,
  "email_token_size": 6,
  "emergency_access_allowed": true,
  "emergency_notification_reminder_schedule": "0 5 * * * *",
  "emergency_request_timeout_schedule": "0 5 * * * *",
  "enable_db_wal": true,
  "extended_logging": true,
  "helo_name": null,
  "hibp_api_key": null,
  "icon_blacklist_non_global_ips": true,
  "icon_blacklist_regex": null,
  "icon_cache_folder": "data/icon_cache",
  "icon_cache_negttl": 259200,
  "icon_cache_ttl": 2592000,
  "icon_download_timeout": 10,
  "invitation_org_name": "Vaultwarden",
  "invitations_allowed": true,
  "ip_header": "X-Real-IP",
  "job_poll_interval_ms": 30000,
  "log_file": null,
  "log_level": "Info",
  "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f",
  "org_attachment_limit": null,
  "org_creation_users": "",
  "password_iterations": 100000,
  "reload_templates": false,
  "require_device_email": false,
  "rsa_key_filename": "data/rsa_key",
  "send_purge_schedule": "0 5 * * * *",
  "sends_allowed": true,
  "sends_folder": "data/sends",
  "show_password_hint": false,
  "signups_allowed": false,
  "signups_domains_whitelist": "",
  "signups_verify": false,
  "signups_verify_resend_limit": 6,
  "signups_verify_resend_time": 3600,
  "smtp_accept_invalid_certs": false,
  "smtp_accept_invalid_hostnames": false,
  "smtp_auth_mechanism": null,
  "smtp_debug": false,
  "smtp_explicit_tls": false,
  "smtp_from": "******@*****.***",
  "smtp_from_name": "Vaultwarden",
  "smtp_host": "****.*****.***",
  "smtp_password": "***",
  "smtp_port": 587,
  "smtp_ssl": true,
  "smtp_timeout": 15,
  "smtp_username": "******@*****.***",
  "templates_folder": "data/templates",
  "trash_auto_delete_days": null,
  "trash_purge_schedule": "0 5 0 * * *",
  "use_syslog": false,
  "user_attachment_limit": null,
  "web_vault_enabled": true,
  "web_vault_folder": "web-vault/",
  "websocket_address": "0.0.0.0",
  "websocket_enabled": true,
  "websocket_port": 3012,
  "yubico_client_id": null,
  "yubico_secret_key": null,
  "yubico_server": null
}

@BlackDex commented on GitHub (Oct 27, 2021):

Upon seeing the output/response it looks like KeyEncrypted is null, which it shouldn't be.

{
    "Ciphers": [],
    "KeyEncrypted": null,
    "Object": "emergencyAccessView"
}

And that causes the following error in JavaScript:

TypeError: Cannot read properties of null (reading 'split')
    at e.<anonymous> (crypto.service.ts:556)
    at main.5c0db323b598138d1784.js:1
    at Object.next (main.5c0db323b598138d1784.js:1)
    at main.5c0db323b598138d1784.js:1
    at new t (zone.js:1340)
    at o (main.5c0db323b598138d1784.js:1)
    at e.rsaDecrypt (main.5c0db323b598138d1784.js:1)
    at e.<anonymous> (emergency-access-view.component.ts:75)
    at main.5c0db323b598138d1784.js:1
    at Object.next (main.5c0db323b598138d1784.js:1)
    at P (zone.js:1255)
    at zone.js:1162
    at s (main.5c0db323b598138d1784.js:1)
    at t.invoke (zone.js:400)
    at Object.onInvoke (core.js:28591)
    at t.invoke (zone.js:399)
    at e.run (zone.js:160)
    at zone.js:1318
    at t.invokeTask (zone.js:434)
    at Object.onInvokeTask (core.js:28578)
qi @ core.js:6210
handleError @ core.js:6258
next @ core.js:29198
t.__tryOrUnsub @ Subscriber.js:192
t.next @ Subscriber.js:130
t._next @ Subscriber.js:76
t.next @ Subscriber.js:53
t.next @ Subject.js:47
emit @ core.js:25940
(anonymous) @ core.js:28617
t.invoke @ zone.js:400
e.run @ zone.js:160
runOutsideAngular @ core.js:28520
onHandleError @ core.js:28617
t.handleError @ zone.js:404
e.runGuarded @ zone.js:174
t @ zone.js:1113
Zone.__load_patch.n.microtaskDrainDone @ zone.js:1125
m @ zone.js:627
Promise.then (async)
g @ zone.js:603
t.scheduleTask @ zone.js:424
onScheduleTask @ zone.js:311
t.scheduleTask @ zone.js:414
e.scheduleTask @ zone.js:248
e.scheduleMicroTask @ zone.js:268
C @ zone.js:1308
P @ zone.js:1246
(anonymous) @ zone.js:1162
Promise.then (async)
(anonymous) @ zone.js:1514
t @ zone.js:1340
B.t.then @ zone.js:1513
P @ zone.js:1213
(anonymous) @ zone.js:1162
(anonymous) @ main.5c0db323b598138d1784.js:1
t @ zone.js:1340
l @ main.5c0db323b598138d1784.js:1
a @ main.5c0db323b598138d1784.js:1
t.invoke @ zone.js:400
onInvoke @ core.js:28591
t.invoke @ zone.js:399
e.run @ zone.js:160
(anonymous) @ zone.js:1318
t.invokeTask @ zone.js:434
onInvokeTask @ core.js:28578
t.invokeTask @ zone.js:433
e.runTask @ zone.js:205
m @ zone.js:620
Promise.then (async)
g @ zone.js:603
t.scheduleTask @ zone.js:424
onScheduleTask @ zone.js:311
t.scheduleTask @ zone.js:414
e.scheduleTask @ zone.js:248
e.scheduleMicroTask @ zone.js:268
C @ zone.js:1308
P @ zone.js:1246
(anonymous) @ zone.js:1162
Promise.then (async)
(anonymous) @ zone.js:1514
t @ zone.js:1340
B.t.then @ zone.js:1513
P @ zone.js:1213
(anonymous) @ zone.js:1162
(anonymous) @ main.5c0db323b598138d1784.js:1
t @ zone.js:1340
l @ main.5c0db323b598138d1784.js:1
a @ main.5c0db323b598138d1784.js:1
t.invoke @ zone.js:400
onInvoke @ core.js:28591
t.invoke @ zone.js:399
e.run @ zone.js:160
(anonymous) @ zone.js:1318
t.invokeTask @ zone.js:434
onInvokeTask @ core.js:28578
t.invokeTask @ zone.js:433
e.runTask @ zone.js:205
m @ zone.js:620
e.invokeTask @ zone.js:520
m @ zone.js:1656
b @ zone.js:1682
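
Added example, not part of the original thread and not vaultwarden or web-vault code: a check of the `emergencyAccessView` response shape before the key is used, set beside a stand-in for the `split` call that the trace shows failing on `null`. The function names, the error strings and both sample responses are constructed for illustration; only the three field names come from the JSON quoted in this thread.

```javascript
// Constructed responses shaped like the JSON quoted in this thread.
const brokenResponse = { Ciphers: [], KeyEncrypted: null, Object: "emergencyAccessView" };
const healthyResponse = {
  Ciphers: [{ Id: "constructed-id" }], KeyEncrypted: "constructed.placeholder", Object: "emergencyAccessView",
};

// Stand-in for the failing step (hypothetical name): the trace shows `split`
// being read on the KeyEncrypted value, which throws when that value is null.
function unguardedSplit(keyEncrypted) {
  return keyEncrypted.split(".");
}

// Returns a list of problems; an empty list means the fields checked here are usable.
function checkEmergencyAccessView(resp) {
  if (resp === null || typeof resp !== "object" || Array.isArray(resp)) {
    return ["response is not a JSON object"];
  }
  const problems = [];
  if (resp.Object !== "emergencyAccessView") problems.push("unexpected Object value");
  if (!Array.isArray(resp.Ciphers)) problems.push("Ciphers is not an array");
  const key = resp.KeyEncrypted;
  if (key === null || key === undefined) problems.push("KeyEncrypted is null or missing");
  else if (typeof key !== "string" || key.trim() === "") problems.push("KeyEncrypted is not a non-empty string");
  return problems;
}

// Value-free outline: key names and types only, so a null field stands out
// without any field contents being copied into a bug report.
function outline(value) {
  if (value === null) return "null";
  if (Array.isArray(value)) {
    return value.length === 0 ? "array(0)" : [`array(${value.length})`, outline(value[0])];
  }
  if (typeof value === "object") {
    return Object.fromEntries(Object.keys(value).sort().map((k) => [k, outline(value[k])]));
  }
  return typeof value;
}

// Guarded entry point: `unwrap` stands for whatever the caller uses on the key.
function openView(resp, unwrap) {
  const problems = checkEmergencyAccessView(resp);
  if (problems.length > 0) return { ok: false, error: problems.join("; ") };
  return { ok: true, key: unwrap(resp.KeyEncrypted) };
}

// Runs both paths against the broken response and reports what each one does.
function demo() {
  let unguarded = "no error";
  try {
    unguardedSplit(brokenResponse.KeyEncrypted);
  } catch (e) {
    unguarded = e instanceof TypeError ? "TypeError" : "other error";
  }
  return { unguarded, guarded: openView(brokenResponse, unguardedSplit), shape: outline(brokenResponse) };
}
console.log(JSON.stringify(demo(), null, 2));
```

Run with Node; `outline` can also be pasted into the browser console and applied to the copied response to see which fields are `null`.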

@BlackDex commented on GitHub (Oct 27, 2021):

@jjlin Something you encountered maybe with your cleanup which could cause this?


@LoicFr commented on GitHub (Oct 27, 2021):

Hello,

I confirm I have the same output JSON:

{
    "Ciphers": [...],
    "KeyEncrypted": null,
    "Object": "emergencyAccessView"
}

Regards,
Loïc


@jjlin commented on GitHub (Oct 28, 2021):

@BlackDex I haven't, but I'm getting back to the cleanup work over the next few days so I'll look into it.

Reference: starred/vaultwarden#1139