mirror of
https://github.com/dani-garcia/vaultwarden.git
synced 2025-12-10 17:23:04 +03:00
Regarding BWN-01-010 - Changing the master password does not change encryption keys #2288
Originally created by @strayer on GitHub.
This is more a question than an issue, sorry if this is not appropriate. It seems the official web client recently got a fix for the BWN-01-010 security audit issue (see commit 2d0acc76).
Does this require any server code, or is this a client-side-only operation? I guess this would be available in web vault 2.6.0.
@dani-garcia commented on GitHub:
I imagine changing the encryption key would require the vault to send all the ciphers and attachments to the server encrypted with the new key. For that we'd probably have to make some changes to the server code, but I'd prefer to wait until the new vault is closer to a stable release before committing to implement the changes.
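A small model of the key hierarchy this thread is about, added here as an illustration (not code from vaultwarden or Bitwarden). It contrasts a password change that only re-wraps the vault key with a real key rotation that re-encrypts every cipher; the HMAC-counter cipher is a toy stand-in for the real encryption scheme, and all names are assumptions.

```python
import hashlib, hmac, os

def master_key(password: str, email: str) -> bytes:
    # Bitwarden-style master key: PBKDF2 over the master password, salted with the email.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), email.lower().encode(), 100_000)

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Toy stand-in for the real cipher: HMAC-SHA256 in counter mode. Illustration only.
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(12)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered blob")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

class Server:
    """Server-side state only: it never sees the master password or the vault key."""
    def __init__(self, email: str, password: str):
        self.email = email
        self.protected_key = encrypt(master_key(password, email), os.urandom(32))
        self.ciphers = {}  # name -> encrypted item

def unlock(server: Server, password: str) -> bytes:
    # Client side: derive the master key and unwrap the vault (symmetric) key.
    return decrypt(master_key(password, server.email), server.protected_key)

def change_password(server: Server, old_pw: str, new_pw: str) -> None:
    # Pre-fix behaviour (BWN-01-010): the same vault key is merely re-wrapped.
    sym = unlock(server, old_pw)
    server.protected_key = encrypt(master_key(new_pw, server.email), sym)

def rotate_key(server: Server, password: str) -> None:
    # The fix: mint a new vault key, re-encrypt every cipher, upload everything together.
    old_sym, new_sym = unlock(server, password), os.urandom(32)
    reencrypted = {n: encrypt(new_sym, decrypt(old_sym, b)) for n, b in server.ciphers.items()}
    server.ciphers = reencrypted  # replace as one unit; a partial upload would lose data
    server.protected_key = encrypt(master_key(password, server.email), new_sym)
```

A vault key captured before a plain password change still decrypts every item afterwards; only `rotate_key` invalidates it, which is why the client has to re-upload all ciphers and attachments.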
@dani-garcia commented on GitHub:
Okay, the attachments are fixed in the latest commit to the new rocket branch, and with that, we should be compatible with version 2.6.0 of the vault (all the other changes seem to be client-side (link))
Now, because this change has a high probability of causing data loss if there is a bug in the code, I plan on waiting some time before merging this (also hoping a stable rocket gets released soon, as I'd rather not have a beta version in the master branch).
At this point, I'd appreciate if someone is willing to test this (but please, make backups first).
The important points to test are:
@dani-garcia commented on GitHub:
I've pushed a quick version of this to the rocket-0.4 branch.
This version has a problem though, and it's that the organization ciphers won't decrypt correctly (the user owned ones will). I'll have to investigate a bit more. Also, I didn't test attachments.
I also had to make a small change: before, changing the password would deauthorize all sessions. Now it won't anymore because the key rotation endpoint gets hit after the password change one and that won't work with an expired session. The old behavior didn't make much sense anyway, as there was an explicit button to deauthorize all sessions.
@dani-garcia commented on GitHub:
Alright, with the actual release of the vault 2.6.0, organization ciphers seem to work now. I'll see if I can fix the attachments (which now seem to have an individual encryption key each).
@mprasil commented on GitHub:
Hello, no worries, questions are welcome here. 😃
I'm actually not sure, we normally don't build images with Vault versions that haven't yet been released. If someone wants to test this, grab a Dockerfile, set the `VAULT_VERSION` there to `master` and build the image. Let us know.
@strayer commented on GitHub:
I'll try to test this in the next few days, pretty busy right now. Still have to import my huge 1Password database, but that should be a fine test for upgrading to the new version - it has quite a few attachments. I'll also test organizations. I'll get this done on the weekend, hopefully.
On 28 November 2018 11:40:50 CET, mprasil notifications@github.com wrote:
@halms commented on GitHub:
I tried to test the `mprasil/bitwarden:rocket-0.4-beta` image, but it seems to not work at all for me. It does not start to listen on the specified port and my reverse proxy just outputs a bad gateway error.
`docker logs` just shows `Hello, world!` and then the container restarts. Is it just my configuration or is there something very broken in the beta image (both the builds from today and from 4 days ago)?
@mprasil commented on GitHub:
For anyone wanting to help, there is an image being built right now. It should be done in about an hour. (Edit: it's available now) You can then test the functionality with the `mprasil/bitwarden:rocket-0.4-beta` image once it's built.
@dani-garcia commented on GitHub:
That's strange, I don't think we print hello world anywhere.
@mprasil can you check if the beta version was built correctly?
@strayer commented on GitHub:
I fear I was a little bit too quick about offering help – won't be able to do a thorough test for now, sorry! :/
@mprasil commented on GitHub:
I just triggered a build with the latest commit in. Let's hope it helps, but it's still quite strange.
@mprasil commented on GitHub:
I've noticed the GitHub interface sometimes shows an old commit for the rocket-0.4 branch, maybe some intermittent issues? I've just pushed `2129946` with your update of the vault and I'm going to trigger the build now.
@mprasil commented on GitHub:
@dani-garcia, you can see build log here. To me it looks like the "Hello world" message comes from the dummy app from the two stage build.
You can see that the full app should compile according to the logs:
This is definitely weird.
@dani-garcia commented on GitHub:
So, I just installed docker locally to test this, and the problem was indeed with the dummy project. For some reason, after copying the files, cargo still thought that nothing had changed so it didn't build the project.
I made a change to basically force it to notice the change (`e34f75c267`) and at least for me it now builds correctly. @mprasil Can you rebuild the docker hub image? Hopefully this time it works.
@halms commented on GitHub:
I can confirm that the latest Docker Hub image works fine now.
@dani-garcia commented on GitHub:
The rocket branch is now merged, so this is fixed in `master` now. I'll wait a couple of days to test if the fixes to #275 work fine now and then I'll publish a new release.