Even with internet access expanding all the time, sometimes you end up offline with a need to access your secure information. With Bitwarden, most client applications provide access to your vault while offline, while still retaining end-to-end encryption.
Let’s discuss a bit about the Bitwarden architecture, then outline how to configure your client applications for offline access.
Bitwarden uses a client-server architecture where every Bitwarden client application connects to the Bitwarden Cloud or a Bitwarden self-hosted server.
This setup enables easy synchronization between an unlimited number of passwords across an unlimited number of devices, even with the Bitwarden Basic Free Account. The client-server architecture and the Individual Vault for a Bitwarden user is shown in Figure 1.
For a more detailed look at the Bitwarden architecture, including how to add Organizations for family or business use, see the Bitwarden Architecture presentation.
To retain the zero-knowledge, end-to-end encryption architecture, Bitwarden performs two operations when you want to get into your vault.
The first step is login and authentication. Bitwarden needs to confirm your identity using a combination of your email address and your master password. If you have two-step login, or two-factor authentication, configured - which we highly recommend - then you will also need to complete that step to finish authenticating.
One you have authenticated with the Bitwarden Cloud or a self-hosted server, Bitwarden will transfer the contents of your encrypted vault to the client application.
The second step is decrypting your vault which also happens using a combination of your email address and your master password. With individual users and the Bitwarden Cloud, these two steps happen together as they are both handled by Bitwarden.
If you are interested in the technical details behind Bitwarden encryption see the Bitwarden Security Whitepaper.
With Bitwarden, as long as you remain logged in, Bitwarden will cache a copy of your encrypted vault on your device. This means that even if you lose connectivity, you can still decrypt and access your vault. Offline access with Bitwarden is read-only, write access is available while online.
Offline Vault sessions will expire after 30 days.
Except for mobile client applications, which will expire after 90 days.
Two-step Login Remember Me selections will expire after 30 days.
Using the settings you choose, you can maintain access to your Bitwarden Vault by keeping the right clients logged in.
It’s important to note the difference between locking your vault and logging out. When you lock your vault, the encrypted vault data stays on your local device, and can be unlocked with your master password, PIN, or biometrics. When you log out the data is cleared from your device and you must connect to the Bitwarden servers (or your own server if self-hosted) and enter your credentials to receive the encrypted data again.
Depending on your security preferences, it may make sense to stay logged in to multiple clients at the same time. For example, some users have inadvertently lost their phone and two-step login information, only to find out that they had an active session in the desktop app or browser extension where they could still log in and download their vault.
Of course, other users prefer logging out of the Bitwarden application completely for greater protection. The help article on Vault Timeout Options presents the choices users have to configure their Bitwarden clients appropriately.
Offline backups provide yet another option for maintaining a well protected security posture. For more info on this check out 7 Tips to Protect Your Bitwarden Account and advice from World Password Day on Top tips to protect your passwords.