Security

Account Encryption Key

Each unique Bitwarden account has an encryption key which is used to encrypt all vault data.

Rotate your encryption key

warning

Rotating your encryption key is a potentially dangerous operation. Please read this section thoroughly to understand the full ramifications of doing so.

Rotating your account’s encryption key generates a new encryption key that is used to re-encrypt all vault data. You should consider rotating your encryption key if your account has been compromised in such a way that someone has obtained your encryption key.

Before rotating

Before rotating, you should take the following actions to protect against potential data loss or corruption.

Re-create any account backup exports

If you are using Account backup encrypted exports to store long-term secure backups, you should immediately re-create the encrypted export of your vault data using the new encryption key.

Account backup encrypted exports use your encryption key to encrypt and decrypt your vault data, meaning that a rotated encryption key will not be able to decrypt an export created with the "stale" (prior-to-rotation) key.

After rotating

After rotating, you should quickly take the following actions to prevent data loss or corruption.

warning

We recommend creating a vault backup prior to rotating your account encryption key. To learn more about vault exports and what items are included, see Export Vault Data.

Log out of client applications

Before you rotate an encryption key, we recommend you immediately log out of any logged-in sessions on Bitwarden client applications (desktop app, browser extension, mobile app, and so on). Logging out of client applications in this way will prevent sessions from using the "stale" (prior-to-rotation) encryption key. After doing so, logging back in as normal will use the new encryption key.

Making changes in a session with a "stale" encryption key will cause data corruption that will make your data unrecoverable.

Re-create PRF-enabled passkeys for login

If you're using Log in with passkeys (beta), rotating your account encryption key will invalidate the encryption and decryption functionality of any passkey setup up for vault encryption.

The ability for that passkey to be used for authentication when logging in to Bitwarden will not be affected when you rotate your account encryption key, however you should create new sets of passkeys in order to continue using passkeys for vault decryption.

How to rotate your encryption key

To rotate your account encryption key:

  1. In the web app, navigate to SettingsSecurityMaster password:

    Master password settings
    Master password settings

  2. Enter your Current master password and create/confirm a New master password.

    tip

    If you don't want to change your master password and only rotate your account encryption key, you can enter your current master password in the New fields to prevent it from changing.

  3. Check the Also rotate my account's encryption key checkbox and accept the dialog.

  4. Select the Change master password button.

Make a suggestion to this page

Contact Our Support Team

For technical, billing, and product questions.

Name*
Bitwarden account email*
Verify account email*
Product*
Are you self-hosting?*
Subject*
Message...*

Cloud Status

Check status

© 2024 Bitwarden, Inc. Terms Privacy Cookie Settings Sitemap

This site is available in English.
Go to EnglishStay Here