Sends are a secure and ephemeral mechanism for transmitting sensitive information, including plain text and files, to anyone. As the About Send article notes, Sends are end-to-end encrypted, meaning that encryption (described below) and decryption occur client-side. When you create a Send:
- A new 128-bit secret key is generated for the Send.
- Using HKDF-SHA256, a 512-bit encryption key is derived from the secret key.
- The derived key is used to AES-256 encrypt the Send, including its file/text data and metadata (Name, Filename, Notes, etc.).
- The encrypted Send is uploaded to Bitwarden servers, including a unique Send ID that Bitwarden uses to identify the Send for decryption but not including the encryption key.
Sends are decrypted by opening the Send link, which is constructed from the unique Send ID and the derived encryption key.
When you access a Send link:
- The web browser requests a Send access page from Bitwarden servers.
- Bitwarden servers return the Send access page as a Web Vault client.
- The Web Vault client locally parses the URL fragment containing the Send ID and encryption key.
- The Web Vault client requests data from the server based on the parsed Send ID. The encryption key is never included in network requests.
- Bitwarden servers return the encrypted Send to the Web Vault client.
- The Web Vault client locally decrypts the Send using the encryption key.
If your Send is password-protected, access to the encrypted Send is blocked until the password is authenticated; this should not be confused with the password being used for decryption, which it is not.