--- URL: https://bitwarden.com/help/about-collections/ ---

# About Collections

Collections group together related logins, notes, cards, and identities for [secure sharing](https://bitwarden.com/help/sharing/) within an organization. Collections can be created and managed by any organization type. Collections are organization-equivalents to [folders](https://bitwarden.com/help/folders/), with a few key differences:

- Organizations can define [access to collections](https://bitwarden.com/help/collection-permissions/), allowing users or [groups](https://bitwarden.com/help/about-groups/) to access only the items they need.
- Items stored in an organization's collection(s) do not belong to any individual user, but rather to the organization.
- Organization-owned items **must** be included in at least one collection.

Your vault centralizes everything you have access to, like collections, [shared items](https://bitwarden.com/help/sharing/), and personal items. To open a specific collection, select it from the vault's filter menu:

![Open collection](https://bitwarden.com/assets/3uvlVv4JZdBPVkC6yQtmlB/e27ac5ec3d8fe46dbefdae0377144505/Open_collection.png)
*Open collection*

## Nested collections

When you nest a collection, it becomes hierarchically organized under another collection. Select where to **Nest your collection under** when you first create it or later by going to **Collections** → ⋮ **icon** → **Edit info**:

![Nested collection](https://bitwarden.com/assets/4WE9iu5h5WwMh2hTbMV0Q6/f3cfc507b06de6e8243a76685d598066/Nested_collection.png)
*Nested collection*

This only changes how your collection list appears in the filter column. Nested collections don't inherit items, access, or permissions from their "parent" collection.

## Next steps

- [Create a collection](https://bitwarden.com/help/create-collections/) that you can add shared items to.
- [Share items with organization members](https://bitwarden.com/help/sharing/) through your new collection.
- [Assign groups and members](https://bitwarden.com/help/assign-users-to-collections/) access to your new collection.
- [Configure the permissions](https://bitwarden.com/help/collection-permissions/) your groups and members have to the collection.
- [Configure collection management settings](https://bitwarden.com/help/collection-management/) for your organization.

--- URL: https://bitwarden.com/help/about-groups/ ---

# Groups

## What are groups?

Groups relate together individual members and provide a scalable way to assign access to and [permissions](https://bitwarden.com/help/user-types-access-control/#permissions/) for specific [collections](https://bitwarden.com/help/about-collections/). When [onboarding new members](https://bitwarden.com/help/managing-users/), add them to a group to have them automatically inherit that group's configured permissions.

> [!NOTE] Groups available to teams and enterprise organizations
> Groups are available to [Teams and Enterprise organizations](https://bitwarden.com/help/about-organizations/#types-of-organizations/).

### Using groups

Organizations can designate access to [collections](https://bitwarden.com/help/about-collections/) based on member groups, rather than individual members. Group-collection associations provide a deep level of access control and scalability to sharing resources. One common group-collection methodology is to create **Groups by Department** and **Collections by Function**, for example:

![Using Collections with Groups](https://bitwarden.com/assets/1WzkMkukq1i1mueOQP81JC/e6ba38466c2612b64b15344040fea1dd/collections-graphic-2.png)

Other common methodologies include **Collections by Vendor or System** (for example, members in an **Engineering** group are assigned to an **AWS Credentials** collection) and **Groups by Locality** (for example, members are assigned to a **US Employees** group or **UK Employees** group).

## Create a group

Organization [admins (or higher)](https://bitwarden.com/help/user-types-access-control/) and [provider users](https://bitwarden.com/help/provider-users/#provider-user-types/) can create and manage groups. To create a group:

1. Log in to the Bitwarden [web app](https://bitwarden.com/help/getting-started-webvault/) and open the Admin Console using the product switcher:

   ![Product switcher](https://bitwarden.com/assets/2uxBDdQa6lu0IgIEfcwMPP/e3de3361749b6496155e25edcfdcf08b/2024-12-02_11-19-56.png)

2. Navigate to **Groups** and select the + **New Group** button:

   ![New group](https://bitwarden.com/assets/FefJG4qBRiWkTzsxBKfm6/53093b4dd48e534cdde9f3e249d3c382/2024-12-03_14-22-27.png)

3. On the **Group info** tab, give your group a **Name.**

   > [!TIP] External ID (Org Entities)
   > The **External Id** field is only relevant if you are using [Directory Connector](https://bitwarden.com/help/directory-sync/) and will be visible in the dialogue when configured using [SCIM](https://bitwarden.com/help/about-scim/), Directory Connector, or the API.

4. On the **Members** tab, assign members to the group.
5. On the **Collections** tab, assign collections to the group. For each collection, select the desired [permissions](https://bitwarden.com/help/user-types-access-control/#permissions/):

   ![Collections permissions](https://bitwarden.com/assets/1NP5OrGCAVOZmkxfGjhU2h/7c0375c7f8f8540863a5391b0062454a/2024-12-03_14-23-45.png)

   Permissions designate whether members can view only or edit items in the collection, as well as whether they can manage access to the collection and whether [passwords are hidden](https://bitwarden.com/help/user-types-access-control/#permissions/).

6. Select **Save** to finish creating your group.

### Edit members assignments

Once your groups are created and configured, add members to them:

1. In the Admin Console, open the **Groups** view.
2. For the group you want to edit, use the ⋮ options menu to select **Members**.
3. Add or remove members from the group and select **Save**.

> [!NOTE] Admins require collection access
> If the **Owners and admins can manage all collections and items** option is disabled, administrators are unable to add themselves to a group. However, they can add other administrators to a group. See [Collection management settings](https://bitwarden.com/help/collection-management/#collection-management-settings/) for more information.

### Edit collections assignments

If you want to change the [collections](https://bitwarden.com/help/about-collections/) or [permissions](https://bitwarden.com/help/user-types-access-control/#permissions/) assigned to a group:

1. In the Admin Console, open the **Groups** view.
2. For the group you want to edit, use the ⋮ options menu to select **Collections**.
3. Add, remove, or change collections permissions from the group and select **Save.**

--- URL: https://bitwarden.com/help/about-key-connector/ ---

# About Key Connector

> [!NOTE] TDE is a good alternative to KC.
> Bitwarden recommends [trusted device decryption](https://bitwarden.com/help/about-trusted-devices/) as an alternative option to Key Connector that facilitates member login without a master password and does not require deploying or managing a key server.

Key Connector is a self-hosted application that facilitates customer-managed encryption (CMS), allowing an enterprise organization to serve cryptographic keys to Bitwarden clients.

Key Connector runs as a Docker container on the same network as existing services, and can be used with [login with SSO](https://bitwarden.com/help/about-sso/) to serve cryptographic keys for an organization as an alternative to requiring a master password for vault decryption ([learn more](https://bitwarden.com/help/about-key-connector/#why-use-key-connector/)). Bitwarden supports deployment of one Key Connector for use by one organization for a self-hosted instance.

Key Connector requires connection to a **database where encrypted user keys are stored** and an **RSA Key Pair to encrypt and decrypt stored user keys**. Key Connector can be [configured](https://bitwarden.com/help/deploy-key-connector/) with a variety of database providers (for example, MSSQL, PostgreSQL, MySQL) and key pair storage providers (for example, HashiCorp Vault, Cloud KMS Providers, On-prem HSM devices) in order to fit your business's infrastructure requirements.

![Key Connector Architecture](https://bitwarden.com/assets/59mLNik59Pb25ZhJ7vNRa9/6ce753e0215ef199ec0cdef6fc880fe8/keyconnector-diagram-2.png)

## Why use Key Connector?

**In implementations that leverage master password decryption**, your identity provider handles authentication and a member's master password is required for vault decryption. This separation of concerns is an important step that ensures that only an organization member has access to the key which is required to decrypt your organization's sensitive vault data.

**In implementations that leverage Key Connector for decryption**, your identity provider still handles authentication, but vault decryption is handled by Key Connector. By accessing an encrypted key database (see the above diagram), Key Connector provides a user their decryption key when they log in, without requiring a master password.

We often refer to Key Connector implementations as leveraging **Customer-Managed Encryption**, because your business has sole responsibility for the management of the Key Connector application and of the vault decryption keys it serves. For enterprises ready to deploy and maintain a customer-managed encryption environment, Key Connector facilitates a streamlined vault login experience.

### Impact on master passwords

Because Key Connector replaces master password-based decryption with customer-managed decryption keys, organization members will be **required to remove the master password from their account**.
Once removed, all vault decryption actions will be conducted using the stored user key. Besides logging in, this will have some impacts on [offboarding](https://bitwarden.com/help/about-key-connector/#impact-on-organization-membership/) and [on other features](https://bitwarden.com/help/about-key-connector/#impact-on-other-features/) you should be aware of.

> [!NOTE]
> Currently, there is not a way to re-create master passwords for accounts that have removed them.
>
> For this reason, organization owners and admins are not able to remove their master password and must continue using their master password even if using SSO. It is possible to elevate a user who has removed their master password to owner or admin, however we **strongly recommend** that your organization always have at least one owner with a master password.

### Impact on organization membership

Key Connector requires users to [remove their master passwords](https://bitwarden.com/help/about-key-connector/#impact-on-master-passwords/) and instead uses a company-owned database of cryptographic keys to decrypt users' vaults. Because master passwords cannot be re-created for accounts that have removed them, this means that once an account uses Key Connector decryption it is for all intents and purposes **owned by the organization**.

These accounts **may not leave the organization**, as in doing so they would lose any means of decrypting vault data. Similarly, if an organization administrator removes the account from the organization, the account will lose any means of decrypting vault data.

### Impact on other features

| **Feature** | **Impact** |
|------|------|
| Verification | There are a number of features in Bitwarden client applications that ordinarily require entry of a master password in order to be used, including [exporting](https://bitwarden.com/help/export-your-data/) vault data, changing [two-step Login](https://bitwarden.com/help/setup-two-step-login/) settings, retrieving [API keys](https://bitwarden.com/help/personal-api-key/), and more. **All these features** will replace master password confirmation with email-based TOTP verification. |
| Vault lock/unlock | Under ordinary circumstances, a [locked vault can be unlocked](https://bitwarden.com/help/vault-timeout/#vault-timeout-action/) using a master password. When your organization is using Key Connector, locked client applications can only be unlocked with a [PIN](https://bitwarden.com/help/unlock-with-pin/) or with [biometrics](https://bitwarden.com/help/biometrics/). If neither PIN nor biometrics are enabled for a client application, the vault will always log out instead of lock. Unlike unlocking, logging in **always** requires a connection to your self-hosted server ([learn more](https://bitwarden.com/help/vault-timeout/#vault-timeout-action/)). |
| Master password re-prompt | When Key Connector is being used, [master password re-prompt](https://bitwarden.com/help/managing-items/#protect-individual-items/) will be disabled for any user that has removed their master password as a result of your Key Connector implementation. |
| Admin password reset | When Key Connector is being used, [admin password reset](https://bitwarden.com/help/admin-reset/) will be disabled for any user that has removed their master password as a result of your Key Connector implementation. |
| Emergency access | When Key Connector is being used, the emergency access [account takeover option](https://bitwarden.com/help/emergency-access/#user-access/) will be disabled for any user that has removed their master password as a result of your Key Connector implementation. Trusted emergency contacts may still **View** a grantor's individual vault data, subject to the established [emergency access workflow](https://bitwarden.com/help/emergency-access/#initiate-emergency-access/). |
| Change email | When Key Connector is being used, a user's vault email address cannot be changed. |
| CLI | Users who do not have master passwords will not be able to access the Password Manager CLI. |

## How do I start using Key Connector?

In order to get started using Key Connector for customer-managed encryption, please review the following requirements:

> [!WARNING] Key Connector Requirements
> Management of cryptographic keys is incredibly sensitive and is **only recommended for enterprises with a team and infrastructure** that can securely support deploying and managing a key server.

In order to use Key Connector you must also:

- [Have an Enterprise organization](https://bitwarden.com/help/password-manager-plans/#enterprise-organizations/).
- [Have a self-hosted Bitwarden server](https://bitwarden.com/help/install-on-premise-linux/).
- [Have an active SSO implementation](https://bitwarden.com/help/about-sso/).
- [Activate the single organization and require single sign-on policies](https://bitwarden.com/help/policies/).

If your organization meets or can meet these requirements, including a team and infrastructure that can support management of a key server, [contact us](https://bitwarden.com/contact/) and we will activate Key Connector.

--- URL: https://bitwarden.com/help/about-organizations/ ---

# Organizations Overview

## What are organizations?

Organizations relate Bitwarden users and vault items together for [secure sharing](https://bitwarden.com/help/sharing/) of logins, notes, cards, and identities. Organizations have a unique view, the Admin Console, where [administrators](https://bitwarden.com/help/user-types-access-control/) can manage the organization's items and members, run reporting, and configure organization settings:

![Free organization Admin Console](https://bitwarden.com/assets/hzBuypc5ISzqC3jUmYbea/edcb03ce3d3071cea4f9afb6c7f8eca9/2024-12-03_13-46-09.png)

Members of an organization will find shared items in their **Vaults** view alongside personal items, as well as several methods for filtering the item list to only organization items or items in particular [collections](https://bitwarden.com/help/about-collections/):

![Organization-enabled vault](https://bitwarden.com/assets/4D2tlh9YKPzDY20SYGVKcG/dff56b66549d29405b1af211860f698e/2024-12-03_14-07-28.png)

### Types of organizations

Bitwarden offers a variety of organizations to meet your business's or family's needs. For feature-by-feature breakdowns of each organization type, see [About Bitwarden Plans](https://bitwarden.com/help/password-manager-plans/).

| **Type** | **Description** |
|------|------|
| Free organizations | Free organizations allow two users to securely share in up to two [collections](https://bitwarden.com/help/about-collections/). |
| Families organizations | Families organizations allow six users to securely share in unlimited [collections](https://bitwarden.com/help/about-collections/). |
| Teams organizations | Teams organizations allow unlimited users (billed per user per month) to securely share in unlimited [collections](https://bitwarden.com/help/about-collections/) and offer a suite of operational tools such as [event logs](https://bitwarden.com/help/event-logs/). |
| Enterprise organizations | Enterprise organizations allow unlimited users (billed per user per month) to securely share in unlimited [collections](https://bitwarden.com/help/about-collections/) and add enterprise-only features such as [login with SSO](https://bitwarden.com/help/about-sso/) and [policies](https://bitwarden.com/help/policies/) to Bitwarden's suite of operational tools. |

### Comparing organizations with premium

The key thing to know is that organizations enable **secure sharing from organizations to users**.

[Premium individual plans](https://bitwarden.com/help/password-manager-plans/#premium-individual/) unlock premium password security and management features, including advanced 2FA options, the Bitwarden authenticator (TOTP), encrypted file attachments, and more, but premium individual **does not include secure data sharing.**

Paid organizations (Families, Teams, or Enterprise) automatically include those premium features (advanced 2FA options, Bitwarden authenticator (TOTP), and more) for **every** user enrolled in the organization.

### Comparing organizations with providers

[Providers](https://bitwarden.com/help/providers/) are vault-administration entities that allow businesses such as managed service providers (MSPs) to quickly create and administer **multiple Bitwarden organizations** on behalf of business customers.

## Create an organization

Organizations are created and managed from the [web app](https://bitwarden.com/help/getting-started-webvault/). If you are new to Bitwarden, [create an account](https://bitwarden.com/go/start-free/) before you start your organization, then proceed with these instructions:

1. Select the **New organization** button in the Bitwarden web app:

   ![New organization](https://bitwarden.com/assets/3eSqWiTIuPSFxXdo5AAjT9/248b0fa7bb381add0d71682acd244a63/2024-12-03_13-57-58.png)

   Enter an **Organization name** and a **Billing email** we can reach you at.
   [Learn what the holder of your billing email is allowed to do](https://bitwarden.com/help/billing-faqs/#q-what-is-the-holder-of-my-organizations-billing-email-allowed-to-do/).

2. **Choose your plan**. Bitwarden offers organizations suited to any need. Check out the [feature-by-feature breakdown](https://bitwarden.com/help/password-manager-plans/#compare-business-plans/) to figure out which is best for you.

   > [!NOTE] Organization premium features
   > All paid organizations (Families, Teams Starter, Teams, or Enterprise) include premium features for all enrolled users!

3. If you chose a **free organization**, you are all set! If you chose one of our paid organizations:

   - **Families/Teams/Enterprise:** Your plan comes with 1GB of encrypted [storage for attachments](https://bitwarden.com/help/attachments/). Add **Additional storage (GB)** for $0.33 per GB per month.
   - **Teams/Enterprise:** Specify the number of **user seats** you need for your organization. Seats will be added if you exceed this number, unless you [specify a limit](https://bitwarden.com/help/managing-users/#set-a-seat-limit/).
   - **Teams/Enterprise:** Choose whether you would like to be billed annually or monthly. Families organizations can only be billed annually.

4. Once you are happy with your organization, enter your **Payment information** (not required if you're creating a Free organization) and select **Submit**.

   > [!TIP] Organizations trial
   > New Families, Teams, and Enterprise organizations have a seven-day free trial built in! We won't charge you until your trial is over, and you can cancel your subscription at any time from the organization **Settings** tab.

Once you have created your organization, create a [collection](https://bitwarden.com/help/about-collections/), [invite users](https://bitwarden.com/help/managing-users/), and [start sharing](https://bitwarden.com/help/sharing/).

## Collections and groups

Bitwarden collections and groups are organizational tools that allow you to share data securely and manage access at scale.

#### Collections

Collections are a way to associate and share items, similar to a shared folder. Items may belong to one or more collections. Collection management is performed by users with appropriate [permissions](https://bitwarden.com/help/user-types-access-control/#permissions/). Collections may often be organized by:

- Departments (engineering, HR)
- Areas of responsibility (social media, software development)
- Functions (compliance reporting, customer outreach)

To get started with collections, see [here](https://bitwarden.com/help/about-collections/).

#### Groups

Organization groups are a way to associate members of your organization, similar to user groups in an identity provider. Groups enable administrators to grant or revoke collection permissions in bulk, or act as a template when a new member joins your organization. Groups may often be used to organize:

- Departments (engineering, HR)
- Vendor or systems (AWS, production servers)
- Locality (US employees, EU employees)

To get started with groups, see [here](https://bitwarden.com/help/about-groups/).

## Upgrade an organization

If you want to upgrade your organization to another plan in order to unlock the [additional features](https://bitwarden.com/help/about-bitwarden-plans/):

1. In the Admin Console, navigate to your organization's **Billing** → **Subscription** view.
2. Select the **Upgrade plan** button. You can only upgrade your organization to a higher plan, for example from Teams to Enterprise.

Upgrading an organization in this way will not initiate a 7-day free trial like creating a new organization would.

--- URL: https://bitwarden.com/help/about-scim/ ---

# About SCIM

System for cross-domain identity management (SCIM) can be used to automatically provision members and groups in your Bitwarden organization.
Bitwarden servers provide a SCIM endpoint that, with a valid [SCIM API Key](https://bitwarden.com/help/about-scim/#set-up-scim/), will accept requests from your identity provider (IdP) for user and group provisioning and de-provisioning.

> [!NOTE] SCIM vs. BWDC
> SCIM integrations are available for **Teams and Enterprise organizations**. Customers not using a SCIM-compatible identity provider may consider using [Directory Sync](https://bitwarden.com/help/directory-sync/) as an alternative means of provisioning.

Bitwarden supports SCIM v2 using standard attribute mappings and offers integration documentation for:

- [JumpCloud](https://bitwarden.com/help/jumpcloud-scim-integration/)
- [Microsoft Entra ID](https://bitwarden.com/help/microsoft-entra-id-scim-integration/)
- [Okta](https://bitwarden.com/help/okta-scim-integration/)
- [OneLogin](https://bitwarden.com/help/onelogin-scim-integration/)
- [Ping Identity](https://bitwarden.com/help/ping-identity-scim-integration/)

## Set up SCIM

To set up SCIM, your IdP will need a SCIM URL and API key to make authorized requests to the Bitwarden server. These values are available from the Admin Console by navigating to **Settings** → **SCIM provisioning**:

![SCIM provisioning](https://bitwarden.com/assets/6sw1kuK7GuZ3dfQkkbs6rV/a4f4e18e561733297338e4ed44c6ed8c/2024-12-03_15-25-46.png)

> [!TIP] Use SCIM Guides.
> The following section covers some generic information that can be used to set up SCIM, however Bitwarden recommends using one of the integration documents for:
>
> - [JumpCloud](https://bitwarden.com/help/jumpcloud-scim-integration/)
> - [Microsoft Entra ID](https://bitwarden.com/help/microsoft-entra-id-scim-integration/)
> - [Okta](https://bitwarden.com/help/okta-scim-integration/)
> - [OneLogin](https://bitwarden.com/help/onelogin-scim-integration/)
> - [Ping Identity](https://bitwarden.com/help/ping-identity-scim-integration/)

### Required attributes

Bitwarden uses standard SCIM v2 attribute names, listed here, however each IdP may use alternate names which are mapped to Bitwarden during provisioning.

#### User attributes

For each user, Bitwarden will use the following attributes:

- An indication that the user is `active` (**required**)
- `email`ª or `userName` (**required**)
- `displayName`
- `externalId`

> [!NOTE] Multiple email addresses w/ SCIM
> ª - Because SCIM allows users to have multiple email addresses expressed as an array of objects, Bitwarden will use the `value` of the object which contains `"primary": true`.

#### Group attributes

For each group, Bitwarden will use the following attributes:

- `displayName` (**required**)
- `members`ª
- `externalId`

> [!NOTE] Members & SCIM API
> ª - `members` is an array of objects, each object representing a user in that group. **Group provisioning must be used in order to assign synced users to groups**, however the SCIM API cannot be used to query members in a group. To query group membership, use the [Public API.](https://bitwarden.com/help/api/)

## SCIM event logs

Organizations using SCIM capture [event logs](https://bitwarden.com/help/event-logs/) for actions taken by SCIM integrations, including inviting users and removing users, as well as creating or deleting groups. SCIM-derived events will register `SCIM` in the **Member** column.

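
The attribute rules in the Required attributes section, applied to constructed SCIM v2 payloads. This is an added example, not Bitwarden code: a pre-flight check an administrator could run against what an IdP is configured to send. The function names, the sample users and the strict boolean test on `active` are assumptions of this sketch.

```python
"""Pre-flight check of SCIM v2 payloads against the attributes listed above.

Added example: the function names and sample payloads are constructed for
illustration and are not taken from Bitwarden's server code.
"""

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
GROUP_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:Group"


def primary_email(user):
    """Return the `value` of the email object flagged "primary": true, or None."""
    emails = user.get("emails")
    if not isinstance(emails, list):
        return None
    for entry in emails:
        # Only a JSON boolean true counts; the string "true" does not.
        if isinstance(entry, dict) and entry.get("primary") is True:
            value = entry.get("value")
            if isinstance(value, str) and value.strip():
                return value.strip()
    return None


def check_user(user):
    """Return a list of problems; an empty list means the required attributes are present."""
    problems = []
    # Assumption of this check: `active` must arrive as a real boolean.
    if not isinstance(user.get("active"), bool):
        problems.append("active: missing or not a boolean")
    user_name = user.get("userName")
    has_user_name = isinstance(user_name, str) and bool(user_name.strip())
    if primary_email(user) is None and not has_user_name:
        if user.get("emails"):
            problems.append('emails: no entry has "primary": true, and userName is empty')
        else:
            problems.append("email/userName: neither is present")
    return problems


def check_group(group):
    """Return a list of problems for a SCIM Group payload."""
    problems = []
    name = group.get("displayName")
    if not (isinstance(name, str) and name.strip()):
        problems.append("displayName: missing")
    members = group.get("members", [])
    if not isinstance(members, list) or any(not isinstance(m, dict) for m in members):
        problems.append("members: must be an array of objects")
    return problems


# Constructed sample payloads (example.com addresses, made-up IDs).
USER_OK = {
    "schemas": [USER_SCHEMA],
    "externalId": "idp-0001",
    "displayName": "Alice Example",
    "active": True,
    "emails": [
        {"value": "alice.old@example.com", "type": "other"},
        {"value": "alice@example.com", "type": "work", "primary": True},
    ],
}
USER_NO_PRIMARY = {
    "schemas": [USER_SCHEMA],
    "active": True,
    "emails": [{"value": "bob@example.com", "type": "work"}],
}
USER_USERNAME_ONLY = {
    "schemas": [USER_SCHEMA],
    "userName": "carol@example.com",
    "active": False,
}
GROUP_OK = {
    "schemas": [GROUP_SCHEMA],
    "displayName": "Engineering",
    "externalId": "idp-g-01",
    "members": [{"value": "idp-0001"}],
}

if __name__ == "__main__":
    samples = [
        ("USER_OK", USER_OK),
        ("USER_NO_PRIMARY", USER_NO_PRIMARY),
        ("USER_USERNAME_ONLY", USER_USERNAME_ONLY),
    ]
    for label, payload in samples:
        print(label, check_user(payload) or "ok")
    print("GROUP_OK", check_group(GROUP_OK) or "ok")
```
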
## Updates to existing objects

The following sections describe the changes that SCIM provisioning will sync to your organization for members and groups **when a change occurs in the IdP**:

### Member status

When a user is temporarily suspended or de-activated in your IdP, as opposed to being outright removed, their access to your organization will automatically be [revoked](https://bitwarden.com/help/revoke-users/). Users with revoked access are listed in the **Revoked** tab of the organization's **Members** screen and will:

- Not have access to any organization vault items or collections.
- Not have the ability to [use SSO to login](https://bitwarden.com/help/using-sso/), or [organizational Duo](https://bitwarden.com/help/setup-two-step-login-duo/) for two-step login.
- Not be subject to your organization's [policies](https://bitwarden.com/help/policies/).
- Not occupy a license seat.

> [!WARNING] Accounts without MPs & TDE
> For member accounts that do not have master passwords as a result of [SSO with trusted devices](https://bitwarden.com/help/about-trusted-devices/):
>
> - [Removing them from your organization](https://bitwarden.com/help/remove-users/#remove-members-from-an-organization/) eliminates all access to their Bitwarden account unless they were previously assigned a master password using [account recovery](https://bitwarden.com/help/account-recovery/) and they log in with that master password at least once before being removed.
>
>   These users will not be able to re-join your organization unless the above steps are taken **before** they are removed from the organization. If they aren't, each removed user will be required to [delete their account](https://bitwarden.com/help/delete-your-account/#delete-a-personal-account/) and be issued a new invitation to create an account and join your organization.
> - [Revoking access to the organization](https://bitwarden.com/help/revoke-users/), but not removing them from the organization, will still allow them to log in to Bitwarden and access **only** their individual vault.

### Member email address

> [!NOTE] Who can change email addresses in organizations.
> Members of organizations using [trusted devices](https://bitwarden.com/help/about-trusted-devices/) cannot change their email address unless issued a master password with [account recovery](https://bitwarden.com/help/account-recovery/).
>
> Members of organizations using [Key Connector](https://bitwarden.com/help/about-key-connector/) cannot change their email address. Member accounts will need to be [deleted](https://bitwarden.com/help/delete-member-accounts/) and re-provisioned to accommodate an email address change. Remind users to export data prior to account deletion and re-import their data once provisioned with their new email address.

Members provisioned using SCIM are able to change their account email address in Bitwarden and their organization's relevant IdP, however in order to do so they must:

1. First change the email address in Bitwarden by navigating to **Settings** → **My account** ([learn more](https://bitwarden.com/help/product-faqs/#q-how-do-i-change-my-email-address/)).
2. Once the email has been changed in Bitwarden, update the user value on the IdP or AD client. This could be the `externalid` or a corresponding value, depending on the organization's choice of IdP.
3. Re-sync the IdP or AD client to implement the changes.

> [!NOTE] Changing the Bitwarden email in SCIM org
> If the user email address is updated and synced on the IdP or AD prior to updating the Bitwarden email, the updated email will be interpreted as a new user.

### Member display name

While requests to the SCIM API can be configured to include member display names, this data is not currently synced to Bitwarden on initial provision or when changes occur in the IdP.

### Member external ID

While SCIM provisioning will assign an external ID to a user when they're initially provisioned, it will not currently sync changes to the external ID from the IdP to Bitwarden.

## Updates to pre-SCIM objects

> [!NOTE] Turn off BWDC for SCIM
> If you used Directory Connector prior to implementing SCIM, make sure to turn Directory Connector off before turning SCIM provisioning on.

The following sections describe the changes that SCIM provisioning will sync to your organization for members and groups **that existed in your organization prior to the implementation of SCIM**:

### Members added prior to SCIM

SCIM provisioning will treat members that **joined your organization before SCIM was implemented** differently depending on whether they do or do not exist in the IdP:

- Members that **exist in the IdP** and joined before SCIM will not be duplicated, required to re-join the organization, or removed from any groups.
- Members that **do not exist in the IdP** and joined before SCIM will not be removed, or added to or removed from any groups.

### Groups created prior to SCIM

SCIM provisioning will treat groups that **were created in your organization before SCIM was implemented** differently depending on whether they do or do not exist in the IdP:

- Groups that **exist in the IdP** and were created before SCIM will not be duplicated or have any member removed, but will have new members added according to membership assigned in the IdP.
- Groups that **do not exist in the IdP** and were created before SCIM will not be removed or have any members added or removed.

--- URL: https://bitwarden.com/help/about-send/ ---

# About Send

Bitwarden Send is a secure and ephemeral way to transmit text up to 1000 encrypted characters or files up to 500 MB (or 100 MB on mobile).
Every Send is given a randomly generated and secure link, which can be [shared with anyone](https://bitwarden.com/help/receive-send/) (including those who do not have Bitwarden accounts) via text, email, or whatever communication channel you prefer. Every Send is:

- **End-to-end encrypted**: Data is [encrypted](https://bitwarden.com/help/send-encryption/#send-encryption/) on creation and only [decrypted](https://bitwarden.com/help/send-encryption/#send-decryption/) when a recipient opens the link. A Send's contents are stored **encrypted** in Bitwarden systems just like a traditional vault item. The link generated for each Send doesn't contain any data related to its contents, so it's safe to share over intermediary communications services without exposing information.
- **Dynamically ephemeral**: Sends are designed for ephemeral sharing, so every [Send that you create](https://bitwarden.com/help/create-send/) has a specified [lifespan](https://bitwarden.com/help/send-lifespan/) (max. 31 days) that can be chosen from a few options or a custom timestamp. When its deletion date is reached, the Send and its contents will be completely purged. Using other options like [expiration date](https://bitwarden.com/help/send-lifespan/#expiration-date/) and [maximum access count](https://bitwarden.com/help/send-lifespan/#maximum-access-count/), you can ensure that access to recipients is terminated according to your needs.
- **Flexibly private**: You can protect the contents of your Send by [configuring a password](https://bitwarden.com/help/send-privacy/#send-passwords/) for access or [hiding your email address from recipients](https://bitwarden.com/help/send-privacy/#hide-email/). For text Sends, you can also optionally [require users to toggle visibility](https://bitwarden.com/help/send-privacy/#hide-text/) to prevent exposure to unintentional onlookers.

> [!NOTE] Sends and Attachments utilize storage space
> Attachments on individual vault items and all Sends use the individual storage space granted by premium subscriptions or organizations. Attachments on organization owned items use shared organizational storage space. Learn how to [add storage space](https://bitwarden.com/help/attachments/#add-storage-space/).

## The Send view

Sends are created, edited, managed, and deleted from the Send view in any Bitwarden app. The Send view can be accessed from the navigation, for example in the web app:

![Send in the web app](https://bitwarden.com/assets/7umXxS0YG58NdB3vb4kwKo/28d9a7f361875597d0d4739e46d80762/2024-12-03_10-06-39.png)

## Using Send

Using Bitwarden Send is a simple two-step process:

1. [Create your Send](https://bitwarden.com/help/create-send/), setting whichever [lifespan options](https://bitwarden.com/help/send-lifespan/) and [privacy options](https://bitwarden.com/help/send-privacy/) are required to fit your sharing needs.
2. Share the Send link with the [intended recipients](https://bitwarden.com/help/receive-send/), using whatever communication channel you prefer.

As the sender, we recommend that you keep track of your Send's [configured lifespan](https://bitwarden.com/help/send-lifespan/). To make that as easy as possible, Sends will display [a set of status icons](https://bitwarden.com/help/send-faqs/#q-what-do-the-icons-next-to-my-sends-indicate/) whenever a lifespan event (for example, expiration) has occurred. The icons are as follows:

| **Icon** | **Meaning** |
|------|------|
| 🔑 | This Send is [protected by a password](https://bitwarden.com/help/send-privacy/#send-passwords/). |
| ✗ | This Send has been [manually disabled](https://bitwarden.com/help/send-lifespan/#manually-deactivate-or-delete/). |
| 🕐 | This Send has reached its specified [expiration date](https://bitwarden.com/help/send-lifespan/#expiration-date/). |
| [ban] | This Send has reached its specified [maximum access count](https://bitwarden.com/help/send-lifespan/#maximum-access-count/). |
| 🗑️ | This Send has reached its specified [deletion date](https://bitwarden.com/help/send-lifespan/#deletion-date/) and is **pending deletion**. |

## Next steps

Now that you have learned the basics of Bitwarden Send, we recommend:

- [Creating your first Send](https://bitwarden.com/help/create-send/)
- [Go premium for file Sends](https://bitwarden.com/help/password-manager-plans/#premium-individual/)
- For a more in-depth overview of send, see [Bitwarden Send - How it works](https://bitwarden.com/blog/bitwarden-send-how-it-works/).

--- URL: https://bitwarden.com/help/about-sso/ ---

# About Single Sign-On

Using single sign-on (SSO), [Enterprise organizations](https://bitwarden.com/help/about-organizations/#types-of-organizations/) can leverage their existing Identity Provider (IdP) to authenticate members with Bitwarden. SSO for Enterprise organizations includes:

- [SAML 2.0](https://bitwarden.com/help/configure-sso-saml/) and [OIDC](https://bitwarden.com/help/configure-sso-oidc/) configuration options that support integration with a wide variety of IdPs.
- An [enterprise policy](https://bitwarden.com/help/policies/#require-single-sign-on-authentication/) to optionally **require** non-administrative members to log in to Bitwarden with SSO.
- An [enterprise policy](https://bitwarden.com/help/policies/#automatically-log-in-users-for-allowed-applications/) to optionally allow easier auto-fill in non-SSO apps launched from your IdP.
- Several distinct [member decryption options](https://bitwarden.com/help/sso-decryption-options/) for safe data access workflows.
- [Just-In-Time (JIT) provisioning](https://bitwarden.com/help/jit-provisioning/) of members via SSO.

> [!TIP] SSO Decryption Options
> Using SSO with Bitwarden retains our zero-knowledge encryption model.
> Nobody at Bitwarden has access to your data and, similarly, **neither should your Identity Provider**. That's why SSO **decouples authentication and decryption**. In all implementations, your Identity Provider cannot and will not have access to the decryption key needed to decrypt vault data.
>
> While authentication is handled via your IdP, decryption of your data is controlled by one of several [decryption methods](https://bitwarden.com/help/sso-decryption-options/).

![SSO and master password decryption](https://bitwarden.com/assets/76IOpVRQv886zcUYIM2HF0/36300f14123231d0da18081adcc9962b/sso-workflow-3.png)
*SSO and master password decryption*

If you're new to Bitwarden, [start a 7-day Enterprise free trial](https://bitwarden.com/go/start-enterprise-trial/) to begin testing SSO. We recommend the following steps when testing SSO:

1. Configure your SSO integration using one of the **SSO Guides** for your chosen IdP. If your IdP isn't listed, you can use the [generic SAML](https://bitwarden.com/help/configure-sso-saml/) or [generic OIDC](https://bitwarden.com/help/configure-sso-oidc/) guide.
2. Test the [member login experience](https://bitwarden.com/help/using-sso/) using master password decryption.
3. Assess whether a different [member decryption option](https://bitwarden.com/help/sso-decryption-options/) would fit your implementation, and if so begin configuration of that decryption option.
4. Provide information to members, based on the specifics of your implementation, about how to [log in with SSO](https://bitwarden.com/help/using-sso/).

--- URL: https://bitwarden.com/help/about-trusted-devices/ ---

# About Trusted Devices

SSO with trusted devices allows users to [authenticate using SSO](https://bitwarden.com/help/about-sso/) and decrypt their vault using a device-stored encryption key, eliminating the need to enter a master password.
A trusted device is a Bitwarden app, like an instance of the browser extension or mobile app, that has been approved for use of passwordless sign-in [by the user](https://bitwarden.com/help/add-a-trusted-device/) or [by an administrator](https://bitwarden.com/help/approve-a-trusted-device/). Each Bitwarden app would be a separate trusted device, with a separate approval, even if they're on the same computer or smartphone.

SSO with trusted devices gives business end users a passwordless experience that is also zero-knowledge and end-to-end encrypted. This prevents users from getting locked out due to forgotten master passwords and allows them to enjoy a streamlined login experience.

## Start using trusted devices

To get started using SSO with trusted devices:

1. [Setup SSO with trusted devices](https://bitwarden.com/help/setup-sso-with-trusted-devices/) for your organization.
2. Provide administrators with information on [how to approve device requests](https://bitwarden.com/help/approve-a-trusted-device/).
3. Provide end-users with information on [how to add trusted devices](https://bitwarden.com/help/add-a-trusted-device/).

## How it works

The following tabs describe encryption processes and key exchanges that occur during different trusted devices procedures:

### Onboarding

When a new user joins an organization, an **Account Recovery Key** ([learn more](https://bitwarden.com/help/account-recovery/)) is created by encrypting their account encryption key with the **Organization Public Key**. Account recovery is required to enable SSO with trusted devices.

The user is then asked if they want to remember, or trust, the device. When they opt to do so:

![Create a trusted device](https://bitwarden.com/assets/2o9o8L0JZMvWZYJvfKGMzj/b7cab59682862c8e782331ed6a2ef9d9/td-create.png)
*Create a trusted device*

1. A new **Device Key** is generated by the client. This key never leaves the client.
2. A new RSA key pair, called the **Device Private Key** and **Device Public Key**, is generated by the client.
3. The user's account encryption key is encrypted with the unencrypted **Device Public Key** and the resultant value is sent to the server as the **Public Key-Encrypted User Key**.
4. The **Device Public Key** is encrypted with the user's account encryption key and the resultant value is sent to the server as the **User Key-Encrypted Public Key**.
5. The **Device Private Key** is encrypted with the first **Device Key** and the resultant value is sent to the server as the **Device Key-Encrypted Private Key**.

The **Public Key-Encrypted User Key** and **Device Key-Encrypted Private Key** will, crucially, be sent from server to client when a login is initiated.

The **User Key-Encrypted Public Key** will be used should the user need to rotate their account encryption key.

### Logging in

When a user authenticates with SSO on an already-trusted device:

![Use a trusted device](https://bitwarden.com/assets/61SSa6ITlRaICIUoCzEiVp/746cf3ba3005b4118d20319e894c47c7/td-use.png)
*Use a trusted device*

1. The user's **Public Key-Encrypted User Key**, which is an encrypted version of the account encryption key used to decrypt vault data, is sent from the server to the client.
2. The user's **Device Key-Encrypted Private Key**, the unencrypted version of which is required to decrypt the **Public Key-Encrypted User Key**, is sent from the server to the client.
3. The client decrypts the **Device Key-Encrypted Private Key** using the **Device Key**, which never leaves the client.
4. The now-unencrypted **Device Private Key** is used to decrypt the **Public Key-Encrypted User Key**, resulting in the user's account encryption key.
5. The user's account encryption key decrypts vault data.

### Approving

When a user authenticates with SSO and opts to decrypt their vault with an un-trusted device (i.e.
a **Device Symmetric Key** does not exist on that device), they are required to choose a method of approving the device and optionally trusting it for future use without further approval. What happens next depends on the selected option:

- **Approve from another device**:

  1. The process documented [here](https://bitwarden.com/help/log-in-with-device/#how-it-works/) is triggered, resulting in the client having obtained and decrypted the account encryption key.
  2. The user can now decrypt their vault data with the decrypted account encryption key. If they have chosen to trust the device, trust is established with the client as described in the **Onboarding** tab.

- **Request admin approval**:

  1. The initiating client POSTs a request, which includes the account email address and a unique **auth-request public key**ª, to an Authentication Request table in the Bitwarden database.

     ![User requests admin approval (Step 1)](https://bitwarden.com/assets/1CgwXVCrjssDwsz2Aie4mV/aac6c3975c9a8d225074268c093cadc3/2025-04-30_09-33-37.png)
     *User requests admin approval (Step 1)*

  2. Administrators can [approve or deny the request](https://bitwarden.com/help/approve-a-trusted-device/) on the Device approvals page.
  3. When the request is approved by an administrator, the approving client encrypts the user's account encryption key using the **auth-request public key** enclosed in the request.
  4. The approving client then PUTs the encrypted account encryption key to the Authentication Request record and marks the request fulfilled.

     ![Admin approves auth request (Steps 3-4)](https://bitwarden.com/assets/4Y9q6Y3KmLskDaqfF03YmJ/8a99742b2bf8e7394cb0988495dc13b0/2025-04-30_09-34-10.png)
     *Admin approves auth request (Steps 3-4)*

  5. The initiating client GETs the encrypted account encryption key and **locally** decrypts it using the **auth-request private key**.

     ![User receives admin approval (Step 5)](https://bitwarden.com/assets/7LNcFuhupPeR4DJhg2k4po/10ae5da219f1e5338e5cdf6554655e9f/2025-04-30_09-34-28.png)
     *User receives admin approval (Step 5)*

  6. Using the decrypted account encryption key, trust is established with the client as described in the **Onboarding** tab.

  ª - **Auth-request public** and **private keys** are uniquely generated for each passwordless login request and only exist for as long as the request does. Unapproved requests will expire after 1 week.

- **Approve with master password**:

  1. The user's account encryption key is retrieved and decrypted as documented in the [Authentication and decryption](https://bitwarden.com/help/bitwarden-security-white-paper/#authentication-and-decryption/) section of the security whitepaper.
  2. Using the decrypted account encryption key, trust is established with the client as described in the **Onboarding** tab.

### Key rotation

> [!NOTE] Which TDE users can rotate an enc key
> Only users who have a master password can rotate their [account encryption key](https://bitwarden.com/help/account-encryption-key/). [Learn more](https://bitwarden.com/help/about-trusted-devices/#impact-on-master-passwords/).

When a user rotates their [account encryption key](https://bitwarden.com/help/account-encryption-key/), during the normal rotation process:

1. The **User Key-Encrypted Public Key** is sent from the server to the client, and subsequently decrypted with the old account encryption key (a.k.a. **User Key**), resulting in the **Device Public Key**.
2. The user's new account encryption key is encrypted with the unencrypted **Device Public Key** and the resultant value is sent to the server as the new **Public Key-Encrypted User Key**.
3. The **Device Public Key** is encrypted with the user's new account encryption key and the resultant value is sent to the server as the new **User Key-Encrypted Public Key**.
4. The Public Key-Encrypted User Key is then re-shared with each trusted device.

### Keys used for trusted devices

This table provides more information about each key used in the procedures described above:

| Key | Details |
|------|------|
| Device Key | AES-256 CBC HMAC SHA-256, 512 bits in length (256 bits for key, 256 bits for HMAC) |
| Device Private Key & Device Public Key | RSA-2048 OAEP SHA1, 2048 bits in length |
| Public Key-Encrypted User Key | RSA-2048 OAEP SHA1 |
| User Key-Encrypted Public Key | AES-256 CBC HMAC SHA-256 |
| Device Key-Encrypted Private Key | AES-256 CBC HMAC SHA-256 |

### Impact on master passwords

While SSO with trusted devices eliminates the need for a master password, it doesn't in all cases eliminate the master password itself:

- If a user is onboarded **before** SSO with trusted devices is activated, their account will retain its master password.
- If a user is onboarded **after** SSO with trusted devices is activated and they select **Log in** → **Enterprise SSO** from the organization invite for [JIT provisioning](https://bitwarden.com/help/sso-faqs/#q-how-does-login-with-sso-work-for-new-users-just-in-time/), their account will not have a master password. Should you change to the master password [member decryption option](https://bitwarden.com/help/sso-decryption-options/), these users will be prompted to create a master password when they log in as long as they are still a member of the organization ([learn more](https://bitwarden.com/help/setup-sso-with-trusted-devices/)).
> [!WARNING] Accounts without MPs & TDE
> For member accounts that do not have master passwords as a result of [SSO with trusted devices](https://bitwarden.com/help/about-trusted-devices/):
>
> - [Removing them from your organization](https://bitwarden.com/help/remove-users/#remove-members-from-an-organization/) eliminates all access to their Bitwarden account unless they were previously assigned a master password using [account recovery](https://bitwarden.com/help/account-recovery/) and they log in with that master password at least once before being removed.
>
>   These users will not be able to re-join your organization unless the above steps are taken **before** they are removed from the organization. If they aren't, each removed user will be required to [delete their account](https://bitwarden.com/help/delete-your-account/#delete-a-personal-account/) and be issued a new invitation to create an account and join your organization.
> - [Revoking access to the organization](https://bitwarden.com/help/revoke-users/), but not removing them from the organization, will still allow them to log in to Bitwarden and access **only** their individual vault.

- If a user account is recovered using [account recovery](https://bitwarden.com/help/account-recovery/), their account will necessarily be assigned a master password. A master password cannot currently be removed from an account once it has one, so to avoid this outcome we recommend that you (i) instruct the user to export their data to a backup, (ii) completely delete the lost account, (iii) ask the user to [re-onboard to your organization using trusted devices](https://bitwarden.com/help/add-a-trusted-device/) and (iv) once they've done so instruct them to import their backup.
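The onboarding, login and key rotation steps under **How it works**, as an added Node.js example that is not Bitwarden's own code. It uses the algorithms from the key table; the 64-byte user key, the DER key encoding and the `{iv, ct, mac}` envelope are assumptions made for illustration.

```javascript
// Added illustration (not Bitwarden code) of the trusted-device key wrapping.
// Algorithms follow the page's key table; the 64-byte user key, DER key
// encoding and {iv, ct, mac} envelope are assumptions of this example.
const nodeCrypto = require('crypto');

const OAEP = { padding: nodeCrypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha1' };

// AES-256-CBC + HMAC-SHA256 with a 512-bit key:
// bytes 0-31 encrypt, bytes 32-63 authenticate (encrypt-then-MAC).
function aesEncrypt(key, plaintext) {
  const iv = nodeCrypto.randomBytes(16);
  const cipher = nodeCrypto.createCipheriv('aes-256-cbc', key.subarray(0, 32), iv);
  const ct = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  const mac = nodeCrypto.createHmac('sha256', key.subarray(32)).update(iv).update(ct).digest();
  return { iv, ct, mac };
}

function aesDecrypt(key, { iv, ct, mac }) {
  const expected = nodeCrypto.createHmac('sha256', key.subarray(32)).update(iv).update(ct).digest();
  // Verify the MAC before touching the ciphertext.
  if (mac.length !== expected.length || !nodeCrypto.timingSafeEqual(mac, expected)) {
    throw new Error('MAC check failed');
  }
  const decipher = nodeCrypto.createDecipheriv('aes-256-cbc', key.subarray(0, 32), iv);
  return Buffer.concat([decipher.update(ct), decipher.final()]);
}

// Onboarding: returns what stays on the client and what is sent to the server.
function trustDevice(userKey) {
  const deviceKey = nodeCrypto.randomBytes(64); // step 1: never leaves the client
  const { publicKey, privateKey } =
    nodeCrypto.generateKeyPairSync('rsa', { modulusLength: 2048 }); // step 2
  const pubDer = publicKey.export({ type: 'spki', format: 'der' });
  const privDer = privateKey.export({ type: 'pkcs8', format: 'der' });
  return {
    client: { deviceKey },
    server: {
      publicKeyEncryptedUserKey: nodeCrypto.publicEncrypt({ key: publicKey, ...OAEP }, userKey), // step 3
      userKeyEncryptedPublicKey: aesEncrypt(userKey, pubDer),       // step 4
      deviceKeyEncryptedPrivateKey: aesEncrypt(deviceKey, privDer), // step 5
    },
  };
}

// Logging in: the server returns two blobs, the client supplies the Device Key.
function unlockWithTrustedDevice(deviceKey, server) {
  const privDer = aesDecrypt(deviceKey, server.deviceKeyEncryptedPrivateKey);
  const privateKey = nodeCrypto.createPrivateKey({ key: privDer, format: 'der', type: 'pkcs8' });
  return nodeCrypto.privateDecrypt({ key: privateKey, ...OAEP }, server.publicKeyEncryptedUserKey);
}

// Key rotation: only the old user key is needed to recover the Device Public
// Key, so the device's private key and Device Key are never involved.
function rotateUserKey(oldUserKey, newUserKey, server) {
  const pubDer = aesDecrypt(oldUserKey, server.userKeyEncryptedPublicKey);
  const publicKey = nodeCrypto.createPublicKey({ key: pubDer, format: 'der', type: 'spki' });
  return {
    publicKeyEncryptedUserKey: nodeCrypto.publicEncrypt({ key: publicKey, ...OAEP }, newUserKey),
    userKeyEncryptedPublicKey: aesEncrypt(newUserKey, pubDer),
    deviceKeyEncryptedPrivateKey: server.deviceKeyEncryptedPrivateKey, // unchanged
  };
}

function demo() {
  const userKey = nodeCrypto.randomBytes(64); // constructed stand-in for the account encryption key
  const { client, server } = trustDevice(userKey);
  const recovered = unlockWithTrustedDevice(client.deviceKey, server);

  const newUserKey = nodeCrypto.randomBytes(64);
  const rotated = rotateUserKey(userKey, newUserKey, server);
  const afterRotation = unlockWithTrustedDevice(client.deviceKey, rotated);

  // A client holding the server blobs but not the Device Key cannot unlock.
  let wrongDeviceRejected = false;
  try {
    unlockWithTrustedDevice(nodeCrypto.randomBytes(64), server);
  } catch {
    wrongDeviceRejected = true;
  }
  return {
    loginOk: recovered.equals(userKey),
    rotationOk: afterRotation.equals(newUserKey),
    wrongDeviceRejected,
  };
}

console.log(demo());
```

Everything under `server` is ciphertext, which is why the server can store and return it without being able to derive the user key.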
### Impact on other features

Depending on whether a master password hash is available in memory for your client, which is dictated by how your client application is initially accessed, it may exhibit the following behavior changes:

| Feature | Impact |
|------|------|
| Verification | There are a number of features in Bitwarden client applications that ordinarily require entry of a master password in order to be used, including [exporting](https://bitwarden.com/help/export-your-data/) vault data, changing [two-step login settings](https://bitwarden.com/help/setup-two-step-login/), retrieving [API keys](https://bitwarden.com/help/personal-api-key/), and more. If the user doesn't use a master password to access the client, **all these features** will replace master password confirmation with email-based TOTP verification. |
| Vault lock/unlock | Under ordinary circumstances, a [locked vault can be unlocked](https://bitwarden.com/help/vault-timeout/#vault-timeout-action/) using a master password. If the user doesn't use a master password to access the client, locked client applications can only be unlocked with a [PIN](https://bitwarden.com/help/unlock-with-pin/) or with [biometrics](https://bitwarden.com/help/biometrics/). If neither PIN nor biometrics are enabled for a client application, the vault will always log out instead of lock. Unlocking and logging in will **always** require an internet connection. |
| Master password re-prompt | If the user does not unlock their vault with a master password, [master password re-prompt](https://bitwarden.com/help/managing-items/#protect-individual-items/) will be disabled. |
| Changing email address | Users who [do not have master passwords](https://bitwarden.com/help/about-trusted-devices/#impact-on-master-passwords/) **will not** be able to change their email address. |
| CLI | Users who [do not have master passwords](https://bitwarden.com/help/about-trusted-devices/#impact-on-master-passwords/) **will not** be able to access Password Manager CLI. |

--- URL: https://bitwarden.com/help/access-tokens/ ---

# Access Tokens

Access tokens are objects that facilitate [machine account](https://bitwarden.com/help/machine-accounts/) access to, and the ability to decrypt, edit, and create [secrets](https://bitwarden.com/help/secrets/) stored in Secrets Manager. Access tokens are issued to a particular machine account, and will give any machine they're applied to the ability to access **only the secrets associated with that machine account**.

## Create an access token

Access tokens are never stored in Bitwarden databases and cannot be retrieved, so take care to store your access tokens somewhere safe when you generate them. To create an access token:

1. Select **Machine accounts** from the navigation.
2. Select the machine account to create an access token for, and open the **Access tokens** tab:

   ![Create access token](https://bitwarden.com/assets/6EINDaXiPQp9qQcO6q1zt5/259e6c2c6e91e0df63c83d03a89ac4a2/2024-12-03_11-31-26.png)
3. Select the **Create access token** button.
4. On the Create Access Token window, provide:

   1. A **Name** for the token.
   2. When the token **Expires**. By default, Never.
5. Select the **Create access token** button when you're finished configuring the token.
6. A window will appear printing your access token to the screen. Save your token somewhere safe before closing this window, as your token **will not be stored and cannot be retrieved later**:

   ![Access token example](https://bitwarden.com/assets/3QfpdSQai2hFrWGdGSlQRN/a5a5483cfbbbf690a8436043be58cea7/2024-12-03_11-32-26.png)

This access token is the authentication vehicle through which you'll be able to script secret injection and editing by your machines and applications.
## Use an access token

Access tokens are used for authentication by the [Secrets Manager CLI](https://bitwarden.com/help/secrets-manager-cli/). Once you've created your access token and saved its value somewhere safe, use it to authenticate secret retrieval commands by the CLI for injection into your applications or infrastructure. This could be:

- Exporting the access token to a `BWS_ACCESS_TOKEN` environment variable on the host machine. CLI commands like the following will automatically check for a variable with that key for authentication:

  ```
  bws project get e325ea69-a3ab-4dff-836f-b02e013fe530
  ```
- Using the `--access-token` option inline in a script written to `get` and inject secrets, for example something that includes the lines:

  ```
  ...
  export DB_PW=$(bws secret get fc3a93f4-2a16-445b-b0c4-aeaf0102f0ff --access-token 0.48c78342-1635-48a6-accd-afbe01336365.C0tMmQqHnAp1h0gL8bngprlPOYutt0:B3h5D+YgLvFiQhWkIq6Bow== | jq -r '.value')
  ...
  docker run -d database ... --env DB_PW=$DB_PW ... mysql:latest
  ```
- Using our dedicated [GitHub Actions integration](https://bitwarden.com/help/github-actions-integration/) to save the access token as a repository secret for use in your workflow files.

## Revoke an access token

At any time, you can revoke an access token. **Revoking a token will break the ability of any machines currently using it to retrieve and decrypt secrets**. To revoke a token:

1. Select **Machine accounts** from the navigation, and open the **Access tokens** tab.
2. For the access token you want to revoke, use the (⋮) options menu to select **Revoke access token**:

   ![Revoke access token](https://bitwarden.com/assets/1rujDBqHJ6lYy26kqmTZw4/38b09b908992c91639a49012adbec93c/2024-12-03_13-40-17.png)

--- URL: https://bitwarden.com/help/account-encryption-key/ ---

# Encryption Key Rotation

Each unique Bitwarden account has an encryption key which is used to encrypt all vault data.
> [!NOTE] Rotating encryption key
> **Rotating your encryption key is a potentially dangerous operation.** Please read this section thoroughly to understand the full ramifications of doing so.

Rotating your account’s encryption key generates a new encryption key that is used to re-encrypt all vault data. You should consider rotating your encryption key if your account has been compromised in such a way that someone has obtained your encryption key.

## Before rotating

Before rotating, you should take the following actions to protect against potential data loss or corruption.

#### Re-create any account restricted exports

If you are using Account restricted [encrypted exports](https://bitwarden.com/help/encrypted-export/) to store long-term secure backups, you should preemptively re-create the encrypted export of your vault data using the Password protected option.

Account restricted encrypted exports use your encryption key to encrypt **and decrypt** your vault data, meaning that a rotated encryption key will not be able to decrypt an export created with the "stale" (prior-to-rotation) key. Replacing your Account restricted export with a Password protected export ensures you'll be able, if you need to, to re-import your data after rotating your account encryption key.

#### Log out of client applications

Before you rotate an encryption key, we recommend you log out of any logged-in sessions on Bitwarden client applications (desktop app, browser extension, mobile app, and so on). Logging out of client applications in this way will prevent sessions from using the "stale" (prior-to-rotation) encryption key. After doing so, logging back in as normal will use the new encryption key.
**Making changes in a session with a "stale" encryption key will cause data corruption that will make your data unrecoverable.**

## How to rotate an encryption key

> [!NOTE] Backup prior to key rotation
> Bitwarden recommends creating a backup of your items prior to rotating your account encryption key. Password protected `.json` exports are the recommended format for this scenario, however any format **except Account restricted** `.json` exports can be re-imported after your key is rotated. To learn more about vault exports and what items are included, see [Export Vault Data](https://bitwarden.com/help/export-your-data/).

To rotate your account encryption key:

1. In the web app, navigate to **Settings** → **Security** → **Master password**:

   ![Master password settings](https://bitwarden.com/assets/2Svv0PwlH9i7SSK73dlv9A/5ff2708bb08164626baf1f03d3854b24/2024-12-02_10-24-14.png)
2. Enter your **Current master password** and create/confirm a **New master password**.
3. Check the **Also rotate my account's encryption key** checkbox and accept the dialog.
4. Select the **Change master password** button.

--- URL: https://bitwarden.com/help/account-recovery-enrollment/ ---

# Account Recovery Enrollment

In order for members to be eligible for [account recovery](https://bitwarden.com/help/account-recovery/), they must be enrolled in the program. Enrollment triggers the key exchange that makes account recovery secure. There are two ways for members to be enrolled:

- **Automatic enrollment**: When you turn on the [Account recovery administration policy](https://bitwarden.com/help/policies/#account-recovery-administration/), you can also turn on the option **Require new members to be enrolled automatically**. This option will enroll new members in account recovery automatically.
- **Self-enrollment**: Organization members can follow a quick process to enroll themselves in account recovery.
> [!TIP] When self-enrollment is necessary
> Bitwarden recommends turning on automatic enrollment, however members that are already part of your organization **prior to account recovery being turned on** will be required to self-enroll.

## Automatic enrollment

Turning on the option to **Require new members to be enrolled automatically** will:

- Enroll new members in account recovery automatically when they [enter an accepted status](https://bitwarden.com/help/managing-users/#accept/).
- Prevent them from withdrawing from account recovery.

> [!NOTE] Notify users of admin password reset.
> If you automatically enroll members in account recovery, we recommend notifying them of this feature. Some organization members can choose to store personal credentials under their own ownership and should be made aware that account recovery could allow an administrator to access their personal items.

## Self-enrollment

Members that are already part of your organization **prior to account recovery being turned on** if you're using automatic enrollment, or all users if you're not using automatic enrollment, will be required to self-enroll.
To enroll in account recovery, select the ⋮ **Options** menu next to the organization in the Vaults view and select **Enroll in account recovery**:

![Enroll in account recovery](https://bitwarden.com/assets/4ape19S5L7lf0tAAEyInGR/87fadad707f8c7acb5894e94e758c6c3/2024-12-03_15-33-13.png)

### Withdraw enrollment

Members of organizations that have turned on the automatic enrollment option **will not be allowed to withdraw** from account recovery, however members of organizations that have not turned it on can **Withdraw** from the same dropdown used to enroll:

![Withdraw from account recovery](https://bitwarden.com/assets/4GR176lad9pre4sZN3rA35/642bdef55248fb84ddb24fc316875b11/2024-12-03_15-34-30.png)

Manually changing your master password or [rotating an encryption key](https://bitwarden.com/help/account-encryption-key/) **will not** withdraw a member from account recovery.

--- URL: https://bitwarden.com/help/account-recovery/ ---

# About Account Recovery

> [!NOTE] Account recovery plan availability
> Account recovery is available for **Enterprise organizations**.

Account recovery allows [owners, admins, and some custom role members](https://bitwarden.com/help/user-types-access-control/) to help organization members regain access when they forget their [master password](https://bitwarden.com/help/master-password/) or lose their [trusted devices](https://bitwarden.com/help/about-trusted-devices/). Account recovery:

- Can be activated for an organization by turning on the [Account recovery administration policy](https://bitwarden.com/help/policies/#account-recovery-administration/).
- Requires that members [enroll](https://bitwarden.com/help/account-recovery-enrollment/), using automatic enrollment or through self-enrollment, to be eligible for account recovery. Enrollment triggers the key exchange that makes account recovery secure.
- **Does not bypass members' two-step login or SSO**.
  If a [two-step login method](https://bitwarden.com/help/setup-two-step-login/) is enabled for the account or if the organization [requires SSO authentication](https://bitwarden.com/help/policies/#require-single-sign-on-authentication/), members will still be required to use these methods to access their account after recovery.

> [!WARNING] Account recovery not related to deleted accounts
> Account recovery does not restore deleted accounts. [Deleting an account](https://bitwarden.com/help/delete-member-accounts/) is permanent and cannot be undone.

## Who can recover accounts

Account recovery can be executed by [owners, admins, and permitted custom users](https://bitwarden.com/help/user-types-access-control/). Account recovery uses a hierarchical permission structure to determine who can reset whose master password, meaning:

- Any owner, admin, or member with a custom role that includes **Manage account recovery** can reset a user's or custom role member's master password.
- Only an admin or owner can reset an admin's master password.
- Only an owner can reset another owner's master password.

## How it works

When a member of the organization enrolls in account recovery, that user's [encryption key](https://bitwarden.com/help/account-encryption-key/) is encrypted with the organization's public key. The result is stored as the **Account Recovery Key**.

When a recovery action is taken:

1. The organization private key is decrypted with the organization symmetric key.
2. The user's **Account Recovery Key** is decrypted with the decrypted organization private key, resulting in the user's [encryption key](https://bitwarden.com/help/account-encryption-key/).
3. The user’s encryption key is encrypted with a new master key, and a new master password hash is seeded from the new master password. Both the master key-encrypted encryption key and the master password hash replace the pre-existing server-side values.
4. The user's encryption key is encrypted with the organization's public key, replacing the previous **Account Recovery Key** with a new one.

**At no point** will anyone, including the administrator who executes the reset, be able to see the old master password.

## Event logging

[Events](https://bitwarden.com/help/event-logs/) are logged when:

- A user's master password is reset using account recovery.
- A user updates a password issued through account recovery.
- A user enrolls in account recovery.
- A user withdraws from account recovery.

## Next steps

- Set up account recovery by turning on the [Account recovery administration policy](https://bitwarden.com/help/policies/).
- Instruct users to [enroll in account recovery](https://bitwarden.com/help/account-recovery-enrollment/) if they joined before the policy was turned on or if you didn't turn on automatic enrollment.
- Learn how to [recover the account of an enrolled member](https://bitwarden.com/help/recover-a-member-account/).
- Provide members with [instructions on what to do when their account is recovered](https://bitwarden.com/help/my-account-was-recovered/).

--- URL: https://bitwarden.com/help/account-switching/ ---

# Log In To Multiple Accounts

Did you know that you can have **up to five** Bitwarden accounts logged-in at the same time with the Bitwarden browser extension, desktop app and mobile app? Using account switching, seamlessly switch between Bitwarden accounts such as personal and work accounts.

### Mobile

To log in to a second (or third, or fourth, or fifth) account, select the currently logged-in account from the top menu bar and select + **Add Account**.
![Account switching on mobile](https://bitwarden.com/assets/56xAZhiS6wZqKktMlFwbVn/9af5d0ce782af44fc48ebfd8057ddc4c/2025-01-21_14-58-15.png)

Selecting + **Add Account** will take you to the login screen:

![Log in on mobile](https://bitwarden.com/assets/112EwzW6sPKPGu65R8rKHc/679b2686d9b67e5ccb37a2ebf56ea062/2025-01-21_15-04-00.png)

> [!TIP] Account Switching across Servers
> If you have accounts on multiple servers, for example if an employer who self-hosts Bitwarden has issued you a [families organization sponsorship](https://bitwarden.com/help/families-for-enterprise/), use the **server selector drop down** that is located on the login screen and select the **Self-hosted** menu to change the **Server URL** to the URL for the account.
>
> ![Self-hosted domain selector](https://bitwarden.com/assets/1Bc4QseUed27nuuhbeD7WR/34517cfcc6e47d0bde4da5de99f9fac8/account-switching-2.png)
>
> In this example, your work account may use something such as `https://your.company.bitwarden.com` and your families organization account would use `https://vault.bitwarden.com`.

Once you log in to your second account, you can quickly switch between them from the same menu, which will also show the current status of each account's vault (locked or unlocked). If you log out of one of these accounts, it will be removed from the list unless [vault timeout](https://bitwarden.com/help/vault-timeout/) is set to log out.

> [!NOTE] Account Switching Preferences/Options
> Most vault actions, including adding new items or folders, syncing, and settings such as [vault timeout](https://bitwarden.com/help/vault-timeout/) and unlock ([PIN](https://bitwarden.com/help/unlock-with-pin/) or [biometrics](https://bitwarden.com/help/biometrics/)) will only apply to the active account, which you can determine by the icon displayed in the top menu bar of the app.
>
> Some options such as [theme](https://bitwarden.com/help/change-theme/) are applied to all accounts.
## Auto-fill

If you're using account switching, your mobile app will default to auto-fill credentials from the currently active account; however, you can switch from one account to the other during auto-fill.

### Desktop

To log in to a second (or third, or fourth, or fifth) account, select the currently logged-in account from the top-right of the desktop app and select + **Add Account**:

![Desktop App Account Switching](https://bitwarden.com/assets/7fpUmakpNIByzoWQa1cU8L/3673552e2fcc77ea3c0a8cae7fbd2b83/Screen_Shot_2022-05-18_at_3.33.08_PM.png)

Selecting + **Add Account** will take you to the login screen:

![Product: Desktop Account Switching - Light](https://bitwarden.com/assets/3gAo9PEjSXwgf4VY0Ew3TZ/a615602e1f374782cd84bee8b44a1008/AccountSwitching_Light.png)

> [!TIP] Account Switching across Servers
> If you have accounts on multiple servers, for example if an employer who self-hosts Bitwarden has issued you a [families organization sponsorship](https://bitwarden.com/help/families-for-enterprise/), use the **server selector drop down** that is located on the login screen and select the **Self-hosted** menu to change the **Server URL** to the URL for the account.
>
> ![Self-hosted domain selector](https://bitwarden.com/assets/1Bc4QseUed27nuuhbeD7WR/34517cfcc6e47d0bde4da5de99f9fac8/account-switching-2.png)
>
> In this example, your work account may use something such as `https://your.company.bitwarden.com` and your families organization account would use `https://vault.bitwarden.com`.

Once you log in to your second account, you can quickly switch between them from the same menu, which will also show the current status of each account's vault (locked or unlocked). If you log out of one of these accounts, it will be removed from this list.
> [!TIP] Account Switching
> Most vault actions, including adding new items or folders, syncing, searching, and settings like [vault timeout](https://bitwarden.com/help/vault-timeout/) and unlock ([PIN](https://bitwarden.com/help/unlock-with-pin/) or [Biometrics](https://bitwarden.com/help/biometrics/)) will only apply to the *active* account, which you can determine by the email displayed in the top-right of the app.
>
> Some **Preferences**, however, are set for **All Accounts**:
>
> ![Desktop App Preferences](https://bitwarden.com/assets/4tZUuuDPHnHQh5RNihx0TB/d82c343ba033d122e0910a6fe7a23f76/Screen_Shot_2022-01-31_at_11.18.49_AM.png)

### Browser extension

To log in to a second (or third, or fourth, or fifth) account, select the currently logged-in account from the top menu bar:

![Browser extension account switching](https://bitwarden.com/assets/7xbbMZ89zcTHz6ee0cA1MK/8d8972a6b995b3fd7367f248c9c60d69/screenshot_3.png)

Once you have selected the account icon, select + **Add account** from the account switching menu:

![Browser extension Add account](https://bitwarden.com/assets/343trVk3zLCF7Z12uA5wjO/ac2f56fc907372335f30d1dbf68116a1/screenshot_4.png)

Once you log in to your second account, you can quickly switch between them from the same menu, which will also show the current status of each account's vault (locked or unlocked). If you log out of one of these accounts, it will be removed from this list.

> [!NOTE] Account switching not available on Safari
> Account switching on the browser extension is not available on Safari at this time.

## Auto-fill

If you're using account switching, the browser extension will default to auto-fill credentials from the currently active account.

--- URL: https://bitwarden.com/help/add-a-trusted-device/ ---

# Add a Trusted Device

When you become a member of an organization, the device you log in with for the first time will automatically be registered as a trusted device.
Once this occurs, all you'll need to do to log in to Bitwarden and decrypt your data is complete your company's established single sign-on flow.

> [!TIP] TDE Remember Me?
> Devices will be trusted by default when you log in on them. It is highly recommended that you uncheck the **Remember this device** option when logging in on a public or shared device.

When you log in to a new device, however, you'll need to approve, or trust, that device. There are a few methods for doing so:

- **Approve from another device**: If you're already logged in to Bitwarden on another device, you can approve the new device from there:

### Mobile app

To approve a request with the mobile app:

1. In the mobile app, navigate to **Settings** → **Account security** → **Pending login requests**:

   ![Pending login requests on mobile](https://bitwarden.com/assets/1ZB3Pc8T0mlP96W3IZefrR/a22c8efe63a88941bad11a278b1d113d/2025-09-09_09-39-13.png)
   *Pending login requests on mobile*

2. Locate and tap the pending device request.
3. Verify that the fingerprint phrase matches and select **Confirm access**:

   ![Approve a login on mobile](https://bitwarden.com/assets/6xeP36n7g2dbwLI9YWjNg4/2aa9fdc96e765e963ee07f38ad0b6c06/2025-09-09_09-39-44.png)
   *Approve a login on mobile*

### Browser extension

To approve a request with the browser extension:

1. In the browser extension, wait for a device approval request to be received or navigate to **Settings** → **Account security** → **Devices**:

   ![Devices view on browser extensions](https://bitwarden.com/assets/6OZfQt2jDDqa9F0MaUdBUq/1460f0ec04c63ab55da1f5eaf37ca469/2025-09-09_09-49-23.png)
   *Devices view on browser extensions*

2. In the **Devices** view, locate and select the pending device request:

   ![Devices list on browser extensions](https://bitwarden.com/assets/64f1jZ30In2BbWDEUZVtxO/9de965d59fedca2bad4e325f4181f69a/2025-09-09_09-49-42.png)
   *Devices list on browser extensions*

3. Verify that the fingerprint phrase matches and select **Confirm access**:

   ![Approve a device on browser extensions](https://bitwarden.com/assets/2LFY10MMpI9G0ZcojcXveg/0a891ec5fa8f6052e5804841e7ec7724/2025-09-09_09-48-55.png)
   *Approve a device on browser extensions*

### Web app

To approve a request with the web app:

> [!NOTE] Browser extensions & web app approval
> When requesting approval for a login of the browser extension, the extension will wait for up to two minutes for approval even if you click out of or minimize the extension window in order to approve the request using the web app.

1. In the web app, select the **Review login request** link in the banner notification or navigate to **Settings** → **Security** → **Devices**:

   ![Approval request on web](https://bitwarden.com/assets/1K9FeC1OVOwyu0T8DMiwOp/90852f4e82b80827750bffd19cb6493d/2025-09-09_09-23-06.png)
   *Approval request on web*

2. On the **Devices** tab, locate and select the pending device request:

   ![Device list on web app](https://bitwarden.com/assets/7GLmOwtReFuUD3uxPQ0LB8/2abd84049d99f0dc0c21158c636ab55d/2025-09-09_09-22-11.png)
   *Device list on web app*

3. Verify that the fingerprint phrase matches and select **Confirm access**:

   ![Confirm access with web app](https://bitwarden.com/assets/6s6Hdn9L1EyeRfBsmOcfgX/a4e9e4996abc1ac63b8c6f2b3880cd07/2025-09-09_09-22-44.png)
   *Confirm access with web app*

### Desktop app

To approve a request with the desktop app:

1. In the desktop app, wait for a device approval request to be received:

   ![Approve on desktop](https://bitwarden.com/assets/5cpkevhyuiSg82yfopvmc1/7d19d6377dbba8d4c6abee37b96a5037/2025-09-09_09-07-05.png)
   *Approve on desktop*

2. Verify that the fingerprint phrase matches and select **Confirm access**.

- **Use master password**: If you are an admin or owner, or joined your organization before SSO with trusted devices was implemented, and therefore still have a master password associated with your account, you can enter it to approve the device.
![Request admin approval](https://bitwarden.com/assets/5IMJBQOrklcOuLVEpaR6gX/60ead8f10e34f7acd2467eaaa34ff93d/2025-06-16_15-22-15.png)

- **Request admin approval**: You can send a device approval request to admins and owners within your organization for approval. You **must** be [enrolled in account recovery](https://bitwarden.com/help/account-recovery/#self-enroll-in-account-recovery/) to request admin approval, though you may have been [automatically enrolled](https://bitwarden.com/help/account-recovery/#automatic-enrollment/) when you joined the organization. In many cases, this will be the only option available to you ([learn more](https://bitwarden.com/help/approve-a-trusted-device/)).

> [!TIP] If you used admin approval for TDE
> If you use this option, you'll get an email informing you to continue logging in on the new device when you're approved. You must take action by logging in to the new device within 12 hours, or the approval will expire.

Once the new device becomes trusted, all you'll need to do to log in to Bitwarden and decrypt your vault data is complete your company's established single sign-on flow.

## Adding your first trusted device

The initial client used to access Bitwarden for users who were invited with Just in Time (JIT) provisioning using [login with SSO](https://bitwarden.com/help/about-sso/) will become their first trusted device. If the initial client accessed is the Bitwarden desktop or mobile app, this device can be used to approve additional devices.

For the desktop or mobile app to become the first trusted device, the user should not use the organization invite link. Instead, open the mobile or desktop app and select the **Enterprise single sign-on** option to begin the JIT process.

## Remove a trusted device

Devices will remain trusted until:

- The application or extension is uninstalled.
- The web browser's memory is cleared (web app only).
- The user's encryption key is rotated.
> [!NOTE] Which TDE users can rotate an enc key
> Only users who have a master password can rotate their [account encryption key](https://bitwarden.com/help/account-encryption-key/). [Learn more](https://bitwarden.com/help/about-trusted-devices/#impact-on-master-passwords/).

## Troubleshooting

If you're having trouble establishing device trust:

- On Chrome, check that **Allow sites to save data on your device** is turned on (**Settings** → **Privacy and security** → **Site settings** → **Additional content settings** → **On-device site data** → **Allow sites to save data on your device**).

--- URL: https://bitwarden.com/help/add-existing-client-org/ ---

# Add Existing Organizations

> [!TIP] No more add existing clients
> As of 2024.7.0, the option to migrate pre-existing organizations to your Provider is no longer supported.

MSPs, resellers, and other Bitwarden partners that are already administering organizations on behalf of their clients can add pre-existing organizations to their Provider Portal. When Bitwarden detects that a [Provider admin's](https://bitwarden.com/help/provider-users/#provider-user-types/) account is the **owner of a non-provider organization**, the Provider Portal will display a + **Add existing organization** button:

![Add existing client](https://bitwarden.com/assets/3Ci2yJ6edQLwkgUON38T1v/07ce5dd908d82067e95eea52c8fa3c00/Screenshot_2024-02-29_at_10.19.05_AM.png)

Selecting the + **Add existing organization** button prompts you to select the organization to add to the Provider:

![Confirm add existing client](https://bitwarden.com/assets/7beHAnPEiOIZzSp3GjXyIH/4bb717c2412ea38a26dbe53b38a26a60/Screenshot_2024-02-29_at_10.20.07_AM.png)

Once added, the organization will appear in the **Clients** list alongside all other client organizations.

> [!NOTE] Provider and member seat
> **Once you have added the existing organization to the Provider**, you (the Provider admin and organization owner) can be removed from the organization.
> Doing so will free up the user seat previously taken up by your account. As a member of the Provider, you will retain all permissions over the client organization:
>
> 1. Organizations may not be owner-less, so [add a backup owner to the organization](https://bitwarden.com/help/managing-users/#invite/).
> 2. Once the new owner is invited, accepted, and confirmed, ask them to [remove you from the organization](https://bitwarden.com/help/managing-users/#offboard-users/).

--- URL: https://bitwarden.com/help/add-rawmanifest-files/ ---

# Add rawManifest Files

The Bitwarden self-host Helm Chart allows you to include other Kubernetes manifest files either pre- or post-install. To do this, update the `rawManifests` section of the chart. This article contains some examples of how you might use `rawManifests`:

## Validate server certificate

For example, to configure Bitwarden to validate your MSSQL database server's certificate:

> [!NOTE] my-values.yaml value required
> In this example, you would also need to set the value `caCertificate.enabled: true` in your `my-values.yaml` file.

```yaml
rawManifests:
  preInstall:
    - kind: ConfigMap
      apiVersion: v1
      metadata:
        name: cacert
      data:
        rootca.crt: |
          -----BEGIN CERTIFICATE-----
          ...
          -----END CERTIFICATE-----
  postInstall:
```

## Traefik IngressRoute

For example, to install Traefik's IngressRoute as an alternative to Kubernetes' Ingress controller, add the following:

> [!NOTE] Add manifest example
> In this example, you would also need to disable the ingress controller at `general.ingress.enabled` within your `my-values.yaml` file.
```yaml
rawManifests:
  preInstall: []
  postInstall:
    - apiVersion: traefik.containo.us/v1alpha1
      kind: Middleware
      metadata:
        name: "bitwarden-self-host-middleware-stripprefix"
      spec:
        stripPrefix:
          prefixes:
            - /api
            - /attachments
            - /icons
            - /notifications
            - /events
            - /scim
            ##### NOTE: Admin, Identity, and SSO will not function correctly with path strip middleware
    - apiVersion: traefik.containo.us/v1alpha1
      kind: IngressRoute
      metadata:
        name: "bitwarden-self-host-ingress"
      spec:
        entryPoints:
          - websecure
        routes:
          - kind: Rule
            match: Host(`REPLACEME.COM`) && PathPrefix(`/`)
            services:
              - kind: Service
                name: bitwarden-self-host-web
                passHostHeader: true
                port: 5000
          - kind: Rule
            match: Host(`REPLACEME.COM`) && PathPrefix(`/api/`)
            services:
              - kind: Service
                name: bitwarden-self-host-api
                port: 5000
            middlewares:
              - name: "bitwarden-self-host-middleware-stripprefix"
          - kind: Rule
            match: Host(`REPLACEME.COM`) && PathPrefix(`/attachments/`)
            services:
              - kind: Service
                name: bitwarden-self-host-attachments
                port: 5000
            middlewares:
              - name: "bitwarden-self-host-middleware-stripprefix"
          - kind: Rule
            match: Host(`REPLACEME.COM`) && PathPrefix(`/icons/`)
            services:
              - kind: Service
                name: bitwarden-self-host-icons
                port: 5000
            middlewares:
              - name: "bitwarden-self-host-middleware-stripprefix"
          - kind: Rule
            match: Host(`REPLACEME.COM`) && PathPrefix(`/notifications/`)
            services:
              - kind: Service
                name: bitwarden-self-host-notifications
                port: 5000
            middlewares:
              - name: "bitwarden-self-host-middleware-stripprefix"
          - kind: Rule
            match: Host(`REPLACEME.COM`) && PathPrefix(`/events/`)
            services:
              - kind: Service
                name: bitwarden-self-host-events
                port: 5000
            middlewares:
              - name: "bitwarden-self-host-middleware-stripprefix"
          - kind: Rule
            match: Host(`REPLACEME.COM`) && PathPrefix(`/scim/`)
            services:
              - kind: Service
                name: bitwarden-self-host-scim
                port: 5000
            middlewares:
              - name: "bitwarden-self-host-middleware-stripprefix"
          ##### NOTE: SSO will not function correctly with path strip middleware
          - kind: Rule
            match: Host(`REPLACEME.COM`) && PathPrefix(`/sso/`)
            services:
              - kind: Service
                name: bitwarden-self-host-sso
                port: 5000
          ##### NOTE: Identity will not function correctly with path strip middleware
          - kind: Rule
            match: Host(`REPLACEME.COM`) && PathPrefix(`/identity/`)
            services:
              - kind: Service
                name: bitwarden-self-host-identity
                port: 5000
          ##### NOTE: Admin will not function correctly with path strip middleware
          - kind: Rule
            match: Host(`REPLACEME.COM`) && PathPrefix(`/admin`)
            services:
              - kind: Service
                name: bitwarden-self-host-admin
                port: 5000
        tls:
          certResolver: letsencrypt
```

--- URL: https://bitwarden.com/help/adfs-oidc-implementation/ ---

# ADFS OIDC

This article contains **Active Directory Federation Services (AD FS)-specific** help for configuring login with SSO via OpenID Connect (OIDC). For help configuring login with SSO for another OIDC IdP, or for configuring AD FS via SAML 2.0, see [OIDC Configuration](https://bitwarden.com/help/configure-sso-oidc/) or [ADFS SAML Implementation](https://bitwarden.com/help/saml-adfs/).

Configuration involves working simultaneously within the Bitwarden web app and the AD FS Server Manager. As you proceed, we recommend having both readily available and completing steps in the order they are documented.

## Open SSO in the web vault

Log in to the Bitwarden [web app](https://bitwarden.com/help/getting-started-webvault/) and open the Admin Console using the product switcher:

![Product switcher](https://bitwarden.com/assets/2uxBDdQa6lu0IgIEfcwMPP/e3de3361749b6496155e25edcfdcf08b/2024-12-02_11-19-56.png)

Select **Settings** → **Single sign-on** from the navigation:

![OIDC configuration](https://bitwarden.com/assets/51wSToXTHHVmBCrLrE8T0E/85aa432ea19eadf0195317f4f233e973/2024-12-04_09-41-46.png)

If you haven't already, create a unique **SSO identifier** for your organization. Otherwise, you don't need to edit anything on this screen yet, but keep it open for easy reference.

> [!TIP] Self-hosting, use alternative Member Decryption Options.
> There are alternative **Member decryption options**. Learn how to get started using [SSO with trusted devices](https://bitwarden.com/help/about-trusted-devices/) or [Key Connector](https://bitwarden.com/help/about-key-connector/).

## Create an application group

In Server Manager, navigate to **AD FS Management** and create a new application group:

1. In the console tree, select **Application Groups** and choose **Add Application Group** from the Actions list.
2. On the Welcome screen of the wizard, choose the **Server application accessing a web API** template.

   ![AD FS Add Application Group](https://bitwarden.com/assets/5X9h5j0BUUJ39NLtOqarjF/5948faaf2e497cc435b6da0f2e8ce610/adfs-oidc-1.png)

3. On the Server application screen:

   ![AD FS Server Application screen](https://bitwarden.com/assets/1e87bYOhKpJ4cWuvlgrRL8/46389fb08be2d247303a55d5e17196d4/adfs-oidc-2.png)

   - Give the server Application a **Name**.
   - Take note of the **Client Identifier**. You will need this value in a subsequent step.
   - Specify a **Redirect URI**. For cloud-hosted customers, this is `https://sso.bitwarden.com/oidc-signin` or `https://sso.bitwarden.eu/oidc-signin`. For self-hosted instances, this is determined by your configured Server URL, for example `https://your.domain.com/sso/oidc-signin`.

4. On the Configure Application Credentials screen, take note of the **Client Secret**. You will need this value in a subsequent step.
5. On the Configure Web API screen:

   ![AD FS Configure Web API screen](https://bitwarden.com/assets/28pMbK9dUI9ZIfcwDaf4Dw/b0572921f857956d3a61077de352c555/adfs-oidc-3.png)

   - Give the Web API a **Name**.
   - Add the **Client Identifier** and **Redirect URI** (see step 2B. & C.) to the Identifier list.

6. On the Apply Access Control Policy screen, set an appropriate Access Control Policy for the Application Group.
7. On the Configure application permissions screen, permit the scopes `allatclaims` and `openid`.
   ![AD FS Configure Application Permissions screen](https://bitwarden.com/assets/2PvGUtVgRfd0GLx1HG72Is/1e41e84f90fac6b20b4aaf93a9c38069/adfs-oidc-4.png)

8. Finish the Add Application Group Wizard.

## Add a transform claim rule

In Server Manager, navigate to **AD FS Management** and edit the created application group:

1. In the console tree, select **Application Groups**.
2. In the Application Groups list, right-click the created application group and select **Properties**.
3. In the Applications section, choose the Web API and select **Edit...**.
4. Navigate to the **Issuance Transform Rules** tab and select the **Add Rule...** button.
5. On the Choose Rule Type screen, select **Send LDAP Attributes as Claims**.
6. On the Configure Claim Rule screen:

   ![AD FS Configure Claim Rule screen](https://bitwarden.com/assets/67MOJ621dRTvbkVR5gyW7e/044d2b61f1df83069f961d30639f29b3/adfs-oidc-5.png)

   - Give the rule a **Claim rule name**.
   - From the LDAP Attribute dropdown, select **E-Mail-Addresses**.
   - From the Outgoing Claim Type dropdown, select **E-Mail Address**.

7. Select **Finish**.

## Back to the web app

At this point, you have configured everything you need within the context of the AD FS Server Manager. Return to the Bitwarden web app to configure the following fields:

| **Field** | **Description** |
|------|------|
| Authority | Enter the hostname of your AD FS Server with `/adfs` appended, for example `https://adfs.mybusiness.com/adfs`. |
| Client ID | Enter the [retrieved Client ID](https://bitwarden.com/help/adfs-oidc-implementation/#create-an-application-group/). |
| Client Secret | Enter the [retrieved Client Secret](https://bitwarden.com/help/adfs-oidc-implementation/#create-an-application-group/). |
| Metadata Address | Enter the specified **Authority** value with `/.well-known/openid-configuration` appended, for example `https://adfs.mybusiness.com/adfs/.well-known/openid-configuration`. |
| OIDC Redirect Behavior | Select **Redirect GET**. |
| Get claims from user info endpoint | Enable this option if you receive URL too long errors (HTTP 414), truncated URLs, and/or failures during SSO. |
| Custom Scopes | Define custom scopes to be added to the request (comma-delimited). |
| Custom User ID Claim Types | Define custom claim type keys for user identification (comma-delimited). When defined, custom claim types are searched for before falling back on standard types. |
| Email Claim Types | Define custom claim type keys for users' email addresses (comma-delimited). When defined, custom claim types are searched for before falling back on standard types. |
| Custom Name Claim Types | Define custom claim type keys for users' full names or display names (comma-delimited). When defined, custom claim types are searched for before falling back on standard types. |
| Requested Authentication Context Class References values | Define Authentication Context Class Reference identifiers (`acr_values`) (space-delimited). List `acr_values` in preference-order. |
| Expected "acr" Claim Value In Response | Define the `acr` Claim Value for Bitwarden to expect and validate in the response. |

When you are done configuring these fields, **Save** your work.

> [!TIP] Policies for SSO Guides
> You can require users to log in with SSO by activating the single sign-on authentication policy. Please note, this will require activating the single organization policy as well. [Learn more](https://bitwarden.com/help/policies/).

## Test the configuration

Once your configuration is complete, test it by navigating to [https://vault.bitwarden.com](https://vault.bitwarden.com), entering your email address, selecting **Continue**, and selecting the **Enterprise single sign-on** button:

![Log in options screen](https://bitwarden.com/assets/3BdlHeogd42LEoG06qROyQ/c68021df4bf45d72e9d37b1fbf5a6040/login.png)

Enter the [configured Organization ID](https://bitwarden.com/help/configure-sso-oidc/#step-1-enabling-login-with-sso/) and select **Log In**.
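The values entered in the fields above can also be checked offline against the AD FS discovery document (the JSON served at the Metadata Address). This is an added JavaScript (Node.js) example, not Bitwarden or AD FS code; the `cfg` field names, the function names and the sample discovery document are constructed for illustration.

```javascript
// Added pre-flight check for the SSO fields described above; not Bitwarden or AD FS code.
// Redirect URIs and scopes are the ones named on this page.
const CLOUD_REDIRECT_URIS = [
  "https://sso.bitwarden.com/oidc-signin",
  "https://sso.bitwarden.eu/oidc-signin",
];
const REQUIRED_SCOPES = ["openid", "allatclaims"];

function parseHttps(value) {
  try {
    const url = new URL(value);
    return url.protocol === "https:" ? url : null;
  } catch {
    return null;
  }
}

// cfg: { authority, metadataAddress, redirectUri, serverUrl? } (hypothetical field names;
// serverUrl is set only for self-hosted instances).
// discovery: the parsed JSON document fetched from the Metadata Address.
function checkAdfsOidcConfig(cfg, discovery) {
  const findings = [];
  for (const field of ["authority", "metadataAddress", "redirectUri"]) {
    if (cfg[field] !== cfg[field].trim()) findings.push(`${field}: leading or trailing whitespace`);
  }

  const authorityText = cfg.authority.trim();
  const authority = parseHttps(authorityText);
  if (!authority) findings.push("authority: not an https URL");
  else if (authority.pathname !== "/adfs") findings.push("authority: path is not /adfs");

  if (cfg.metadataAddress.trim() !== `${authorityText}/.well-known/openid-configuration`) {
    findings.push("metadataAddress: not Authority + /.well-known/openid-configuration");
  }

  const allowedRedirects = cfg.serverUrl
    ? [`${cfg.serverUrl.replace(/\/+$/, "")}/sso/oidc-signin`]
    : CLOUD_REDIRECT_URIS;
  if (!allowedRedirects.includes(cfg.redirectUri.trim())) {
    findings.push("redirectUri: not the Bitwarden OIDC sign-in URI for this deployment");
  }

  // OIDC Discovery requires the issuer to match the URL the document was found under.
  if (discovery.issuer !== authorityText) findings.push("discovery: issuer differs from Authority");

  // scopes_supported shows what the server offers, not what the application group was permitted.
  const offered = discovery.scopes_supported || [];
  for (const scope of REQUIRED_SCOPES) {
    if (!offered.includes(scope)) findings.push(`discovery: scope ${scope} not listed`);
  }

  // Assumption of this example: endpoints on a host other than the Authority deserve a second look.
  for (const key of ["authorization_endpoint", "token_endpoint", "jwks_uri"]) {
    const url = parseHttps(discovery[key] || "");
    if (!url) findings.push(`discovery: ${key} missing or not https`);
    else if (authority && url.host !== authority.host) findings.push(`discovery: ${key} is on another host`);
  }
  return findings;
}

// Constructed sample data, using the example hostnames from this page.
const SAMPLE_DISCOVERY = {
  issuer: "https://adfs.mybusiness.com/adfs",
  authorization_endpoint: "https://adfs.mybusiness.com/adfs/oauth2/authorize/",
  token_endpoint: "https://adfs.mybusiness.com/adfs/oauth2/token/",
  jwks_uri: "https://adfs.mybusiness.com/adfs/discovery/keys",
  scopes_supported: ["openid", "email", "profile", "allatclaims"],
};
const GOOD_CONFIG = {
  authority: "https://adfs.mybusiness.com/adfs",
  metadataAddress: "https://adfs.mybusiness.com/adfs/.well-known/openid-configuration",
  redirectUri: "https://sso.bitwarden.com/oidc-signin",
};
const BAD_CONFIG = {
  authority: "https://adfs.mybusiness.com/adfs/ ", // trailing slash and trailing space
  metadataAddress: "http://adfs.mybusiness.com/adfs/.well-known/openid-configuration",
  redirectUri: "https://your.domain.com/oidc-signin", // self-hosted URI without /sso
  serverUrl: "https://your.domain.com/",
};

console.log(checkAdfsOidcConfig(GOOD_CONFIG, SAMPLE_DISCOVERY));
console.log(checkAdfsOidcConfig(BAD_CONFIG, SAMPLE_DISCOVERY));
```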
If your implementation is successfully configured, you'll be redirected to the AD FS SSO login screen. After you authenticate with your AD FS credentials, enter your Bitwarden master password to decrypt your vault!

> [!NOTE] SSO must be initiated from Bitwarden
> Bitwarden does not support unsolicited responses, so initiating login from your IdP will result in an error. The SSO login flow must be initiated from Bitwarden.

--- URL: https://bitwarden.com/help/admin-team-onboarding-emails/ ---

# Admin Team Onboarding Emails

This article includes the onboarding emails sent to new Bitwarden Enterprise and Teams admins and owners from **care@bitwarden.com**. Feel free to read them all at once below, or grab them and adapt them to your team's needs.

### Enterprise

### Onboarding overview

> [!NOTE] Email - Program 1, Email 1, Enterprise
> **Subject**: Your Bitwarden onboarding checklist
>
> **Body**:
>
> Hi *[name]*,
>
> Welcome to Bitwarden!
>
> In order to make sure you get the most out of your new password manager, you'll receive one email a day over the next week on how to set up Bitwarden. This way, you can quickly scale Bitwarden across your team. The emails will cover how to:
>
> - Invite your admin team
> - Set your enterprise policies
> - Import your data
> - Create groups and collections
> - Invite users
> - Get employee buy-in
> - Become a Bitwarden power user
>
> In the meantime, feel free to review this [Bitwarden onboarding guide](https://bitwarden.com/help/onboarding-and-succession/) for additional support.
>
> Stay secure,
>
> *[Signature]*

### Invite your admin team

> [!NOTE] Email - Program 1, Email 2, Enterprise & Teams
> **Subject**: To do today: Invite your admin team
>
> **Body**:
>
> Hi *[name]*,
>
> Every all-star business needs an all-star admin team. Today, **invite at least one additional organization owner** to your Bitwarden account - this is essential for protective redundancy.
> Bitwarden recommends redundant owners and admins for every organization.
>
> Read more about inviting your admin team [here](https://bitwarden.com/help/get-started-administrator/#invite-your-admin-team/).
>
> Stay secure,
>
> *[Signature]*

### Set Enterprise policies

> [!NOTE] Email - Program 1, Email 3, Enterprise
> **Subject**: Pro-tip for Bitwarden admins and owners
>
> **Body**:
>
> Hi *[name]*,
>
> Today's onboarding tip is critical for getting your Bitwarden organization ready for more team members: **Set your Enterprise policies**.
>
> Enterprise policies allow Bitwarden Enterprise organizations to enforce security rules for all users, such as requiring two-step login. It's how Bitwarden admins and owners **set the right security foundations for their teams**, and build **a consistent deployment and user experience** for all team members.
>
> Some policies will remove non-compliant users from the organization when enabled, and some are not retroactively enforceable, so now is the time to nail down your organization's policies.
>
> Learn more about how policies work [here](https://bitwarden.com/help/policies/).
>
> Stay secure,
>
> *[Signature]*

### Import your data

> [!NOTE] Email - Program 1, Email 4, Enterprise & Teams
> **Subject**: Save time and hassle with Bitwarden's data import options
>
> **Body**:
>
> Hi *[name]*,
>
> Are you migrating to Bitwarden from another password manager?
>
> The next step in getting started with Bitwarden is to import your company's existing password data. Bitwarden supports many file types, including those from other password solutions, like LastPass and 1Password.
>
> Here's a [step-by-step guide](https://bitwarden.com/help/import-to-org/) for importing your organization's data into Bitwarden.
>
> Stay secure,
>
> *[Signature]*

### Groups & collections

> [!NOTE] Email - Program 1, Email 5, Enterprise & Teams
> **Subject**: How to organize your data in Bitwarden
>
> **Body**:
>
> Hi *[name]*,
>
> Now that you've added items to your vault, it's time to set up collections and groups to ensure that the *right* users have access to the *right* credentials.
>
> Organizing Bitwarden data with collections and groups will help you save time, automate permissions, and make items more discoverable.
>
> - Learn more about collections [here](https://bitwarden.com/help/about-collections/).
> - Learn more about groups [here](https://bitwarden.com/help/about-groups/).
>
> Stay secure,
>
> *[Signature]*

### Invite your users

> [!NOTE] Email - Program 1, Email 6, Enterprise
> **Subject**: 2 ways to automate Bitwarden user provisioning
>
> **Body**:
>
> Hi *[name]*,
>
> Scalable success with Bitwarden comes from provisioning users smoothly and securely. Here are the top ways new admins and owners automate the process of getting employees on Bitwarden.
>
> **SSO**
>
> With Login with SSO, Enterprise organizations leverage their existing Identity Provider to authenticate users with Bitwarden using the SAML 2.0 or OpenID Connect (OIDC) protocols. [Learn about SSO](https://bitwarden.com/help/configure-sso-saml/).
>
> **SCIM**
>
> System for cross-domain identity management (SCIM) can be used to automatically provision members and groups in your Bitwarden organization. Bitwarden servers provide a SCIM endpoint that, with a valid SCIM API key, will accept requests from your Identity Provider (IdP) for user and group provisioning and de-provisioning. [Learn about SCIM](https://bitwarden.com/help/about-scim/).
>
> **Directory Connector**
>
> The Bitwarden Directory Connector app automatically provisions users, groups, and group associations in your Bitwarden organization by pulling from a selection of source directory services.
> Provisioned users will be issued invitations to join the organization. [Learn about Directory Connector](https://bitwarden.com/help/directory-sync/).
>
> Stay secure,
>
> *[Signature]*

### Employee buy-in tips

> [!NOTE] Email - Program 1, Email 7, Enterprise & Teams
> **Subject**: How to get your employees to use Bitwarden
>
> **Body**:
>
> Hi *[name]*,
>
> You likely want to drive the most employee adoption possible with your new password manager. We have some tips to help.
>
> Here's what Bitwarden recommends to get employees on board:
>
> 1. Appoint an implementation champion.
> 2. Communicate the implementation plan to employees.
> 3. Share this guide with employees you invite to Bitwarden: [Get started with Bitwarden](https://bitwarden.com/help/courses/password-manager-team-member/). You can also share [this video training series](https://bitwarden.com/learning/pm-101-getting-started-as-a-user/).
> 4. Communicate the benefits of using a password manager (repeatedly).
> 5. Sign up for complimentary, 1:1 Bitwarden training [here](https://bitwarden.com/http://bitwarden.com/training/).
>
> Read more about the steps above in this blog post: [How to Gain Employee Buy-in for Your New Password Manager](https://bitwarden.com/blog/user-adoption-for-company-password-manager/).
>
> Stay secure,
>
> *[Signature]*

### Conclusion

> [!NOTE] Email - Program 1, Email 8, Enterprise & Teams
> **Subject**: What's next with Bitwarden
>
> **Body**:
>
> Hi *[name]*,
>
> This is the end of the onboarding email series - but it's just the beginning of your journey with Bitwarden! Here are some ways to keep learning about Bitwarden:
>
> **Bitwarden Courses**
>
> Check out [Courses](https://bitwarden.com/help/courses/), which compiles videos, presentations, and guides on key security and Bitwarden topics.
>
> **The Community Forum**
>
> In addition to the priority support you receive as a Bitwarden client, you are now part of a thriving security community: [The Bitwarden Community Forum](https://community.bitwarden.com/). Join the conversation and even suggest your own feature requests for voting and discussion!
>
> **Contact Customer Support**
>
> Feel free to reach out to our Customer Support team at any time for technical, billing, and product questions: [Contact Support](https://bitwarden.com/help/).
>
> Stay secure,
>
> *[Signature]*

### Teams

### Onboarding overview

> [!NOTE] Email - Program 1, Email 1, Teams
> **Subject**: Your Bitwarden onboarding checklist
>
> **Body**:
>
> Hi *[name],*
>
> Welcome to Bitwarden!
>
> In order to make sure you get the most out of your new password manager, you'll receive one email a day over the next week on how to set up Bitwarden. This way, you can quickly scale Bitwarden across your team. The emails will cover how to:
>
> - Invite your admin team
> - Import your data
> - Create groups and collections
> - Invite users
> - Get employee buy-in
> - Become a Bitwarden power user
>
> In the meantime, feel free to review this [Bitwarden onboarding guide](https://bitwarden.com/help/onboarding-and-succession/) for additional support.
>
> Stay secure,
>
> *[Signature]*

### Invite your admin team

> [!NOTE] Email - Program 1, Email 2, Enterprise & Teams
> **Subject**: To do today: Invite your admin team
>
> **Body**:
>
> Hi *[name]*,
>
> Every all-star business needs an all-star admin team. Today, **invite at least one additional organization owner** to your Bitwarden account - this is essential for protective redundancy. Bitwarden recommends redundant owners and admins for every organization.
>
> Read more about inviting your admin team [here](https://bitwarden.com/help/get-started-administrator/#invite-your-admin-team/).
>
> Stay secure,
>
> *[Signature]*

### Import your data

> [!NOTE] Email - Program 1, Email 4, Enterprise & Teams
> **Subject**: Save time and hassle with Bitwarden's data import options
>
> **Body**:
>
> Hi *[name]*,
>
> Are you migrating to Bitwarden from another password manager?
>
> The next step in getting started with Bitwarden is to import your company's existing password data. Bitwarden supports many file types, including those from other password solutions, like LastPass and 1Password.
>
> Here's a [step-by-step guide](https://bitwarden.com/help/import-to-org/) for importing your organization's data into Bitwarden.
>
> Stay secure,
>
> *[Signature]*

### Groups & collections

> [!NOTE] Email - Program 1, Email 5, Enterprise & Teams
> **Subject**: How to organize your data in Bitwarden
>
> **Body**:
>
> Hi *[name]*,
>
> Now that you've added items to your vault, it's time to set up collections and groups to ensure that the *right* users have access to the *right* credentials.
>
> Organizing Bitwarden data with collections and groups will help you save time, automate permissions, and make items more discoverable.
>
> - Learn more about collections [here](https://bitwarden.com/help/about-collections/).
> - Learn more about groups [here](https://bitwarden.com/help/about-groups/).
>
> Stay secure,
>
> *[Signature]*

### Invite your users

> [!NOTE] Email - Program 1, Email 6, Teams
> **Subject**: Top tips for inviting users to Bitwarden
>
> **Body**:
>
> Hi *[name]*,
>
> Scalable success with Bitwarden comes from provisioning users smoothly and securely. If you haven't done so already, you'll want to research the options for inviting users to Bitwarden, and select what makes the most sense for your company.
>
> **Standard Invites**
>
> You can manually invite users through the web app. [Learn about standard invites](https://bitwarden.com/help/managing-users/#onboard-users/).
>
> **Directory Connector**
>
> The Bitwarden Directory Connector application automatically provisions users, groups, and group associations in your Bitwarden organization by pulling from a selection of source directory services. Provisioned users will be issued invitations to join the organization, and can then complete the normal onboarding procedure. [Learn about Directory Connector](https://bitwarden.com/help/directory-sync/).
>
> Stay secure,
>
> *[Signature]*

### Employee buy-in tips

> [!NOTE] Email - Program 1, Email 7, Enterprise & Teams
> **Subject**: How to get your employees to use Bitwarden
>
> **Body**:
>
> Hi *[name]*,
>
> You likely want to drive the most employee adoption possible with your new password manager. We have some tips to help.
>
> Here's what Bitwarden recommends to get employees on board:
>
> 1. Appoint an implementation champion.
> 2. Communicate the implementation plan to employees.
> 3. Share this guide with employees you invite to Bitwarden: [Get started with Bitwarden](https://bitwarden.com/help/courses/password-manager-team-member/). You can also share [this video training series](https://bitwarden.com/learning/pm-101-getting-started-as-a-user/).
> 4. Communicate the benefits of using a password manager (repeatedly).
> 5. Sign up for complimentary, 1:1 Bitwarden training [here](https://bitwarden.com/http://bitwarden.com/training/).
>
> Read more about the steps above in this blog post: [How to Gain Employee Buy-in for Your New Password Manager](https://bitwarden.com/blog/user-adoption-for-company-password-manager/).
>
> Stay secure,
>
> *[Signature]*

### Conclusion

> [!NOTE] Email - Program 1, Email 8, Enterprise & Teams
> **Subject**: What's next with Bitwarden
>
> **Body**:
>
> Hi *[name]*,
>
> This is the end of the onboarding email series - but it's just the beginning of your journey with Bitwarden!
> Here are some ways to keep learning about Bitwarden:
>
> **Bitwarden Courses**
>
> Check out [Courses](https://bitwarden.com/help/courses/), which compiles videos, presentations, and guides on key security and Bitwarden topics.
>
> **The Community Forum**
>
> In addition to the priority support you receive as a Bitwarden client, you are now part of a thriving security community: [The Bitwarden Community Forum](https://community.bitwarden.com/). Join the conversation and even suggest your own feature requests for voting and discussion!
>
> **Contact Customer Support**
>
> Feel free to reach out to our Customer Support team at any time for technical, billing, and product questions: [Contact Support](https://bitwarden.com/help/).
>
> Stay secure,
>
> *[Signature]*

--- URL: https://bitwarden.com/help/administrative-data/ ---

# Administrative Data

Users provide personal information in connection with your account creation, usage of the Bitwarden service and support, and payments for the Bitwarden service.

Bitwarden uses administrative data to provide the Bitwarden service to you. We retain administrative data for as long as you are a customer of Bitwarden and as required by law. If you terminate your relationship with Bitwarden, we will delete your personal information in accordance with our data retention policies.

> [!NOTE] Privacy policy
> We encourage you to review our [Privacy Policy](https://bitwarden.com/privacy/) for more information.

For Individual, Premium, and Families accounts, Bitwarden **does not log** specific information regarding authentication attempts (successful or otherwise) or use of Bitwarden products. For members of Teams and Enterprise organizations, such information, including IP addresses, is logged for access by admins and owners in [event logs](https://bitwarden.com/help/event-logs/).


As described above, Bitwarden does access some data to provide the Bitwarden service to you, including:

#### Personal information

- Account email address (used for email verification, account administration, and communication between you and Bitwarden).
- Whether email address is verified.
- Name (only if provided during account creation).
- A **Bitwarden-generated** device-specific GUID (sometimes referred to as a device ID, and used to alert you when a new device logs into your vault).

#### Billing / Subscription

- Premium subscription status and renewal date.
- Billing history.
- Last four digits of payment method on file, type of card, and expiration date.
- Any existing account credit.

#### Organization information

- Organization name.
- Organization business name (when applicable).
- Organization type and plan information, including:
  - Features available to the organization.
  - Renewal cadence.
  - Number of seats.
- Organization billing email address.
- Email addresses of organization owners and admins.

--- URL: https://bitwarden.com/help/adoption-checklist/ ---

# Adoption checklist

Use this checklist to help drive adoption, ensuring ongoing engagement of Bitwarden beyond initial implementation.
## Awareness and communication

**Drive ongoing visibility and awareness of Bitwarden value**

- Send Bitwarden monthly/quarterly newsletters with tips, reminders, and updates
- Use email, intranet, or collaboration platforms
- Plan regular communication about Bitwarden and password security
- Conduct periodic awareness campaigns on password security best practices via email, posters, intranet, or videos
- Highlight risks of password reuse and weak passwords
- Encourage C-suite leaders to promote use of Bitwarden to their direct reports or in larger-audience newsletters

**Support links:**

- [Customer activation kit](https://bitwarden.com/help/customer-activation-kit/)
- [Bitwarden posters](https://bitwarden.com/resources/bitwarden-posters/)
- [Bitwarden brand materials](https://bitwarden.com/brand/)
- [Onboarding email templates](https://bitwarden.com/help/customer-success-hub/)

## Training and enablement

**Equip users with the knowledge they need to succeed**

- Conduct Bitwarden-led training for all users
- Schedule in-person/virtual sessions with Bitwarden training team
- Different sessions across roles and departments
- Leverage Bitwarden training materials and FAQs with solutions
- Host user guides and training materials on internal knowledge base or shared repositories

**Support links:**

- [Disabling browser autofill](https://bitwarden.com/help/disable-browser-autofill/)
- [Import data from Chrome or Edge](https://bitwarden.com/help/import-from-chrome/)

## Support and engagement

**Ensure users are supported and feel empowered throughout their journey**

- Offer ongoing support channels for users (support email, chat, or office hours)
- Ensure clear access for questions/assistance
- Identify and empower Bitwarden champions within teams or departments
- Provide these individuals with extra training and resources
- Encourage sharing experiences and helping colleagues
- Design user adoption incentives and success metrics

**Support links:**

- [Identifying your Bitwarden Champion](https://bitwarden.com/blog/deployment-strategies-for-password-managers/#champion-opt-in-first/)

## Advocacy and success stories

**Build internal momentum and trust through proven impact**

- Highlight success stories and benefits for all users
- Share examples of improved security and workflows

**Support links:**

- [Bitwarden case studies](https://bitwarden.com/case-studies/)

## Adoption monitoring and user feedback

**Track progress and gather feedback to refine your strategy**

- Track the number of active Bitwarden users in the organization
- Use admin console to monitor active user logins
- Track over time to assess adoption strategies
- Monitor and track feedback on key features (autofill, password saving, password sharing)
- Check indicators of usage such as stored credentials in organization vaults
- Conduct periodic user experience surveys
- Identify roadblocks and suggestions for improvement

**Support links:**

- [Member access reports](https://bitwarden.com/help/reports/#member-access/)

## Troubleshooting and continuous improvement

**Address common challenges and iterate on user experience**

- Monitor support requests for recurring issues (e.g.
vault confusion, extension issues)
- Identify common challenges users face during onboarding and usage
- Leverage Bitwarden training materials and FAQs

**Support links:**

- [Member access reports](https://bitwarden.com/help/reports/#member-access/)

## Strategic security alignment

**Position Bitwarden as a key pillar in your security strategy**

- Emphasize Bitwarden in improving organizational security posture
- Explain how Bitwarden reduces breach risks, aids compliance, and promotes safe practices
- Position as key security strategy component
- Highlight value beyond password management (Bitwarden Send, storing sensitive information such as credit cards, identities, notes, and more)
- Quantify Bitwarden security gains
- Use testimonials from early adopters

--- URL: https://bitwarden.com/help/ansible-integration/ ---

# Ansible

Bitwarden offers an integration with Ansible to retrieve secrets from Secrets Manager and inject them into your Ansible playbook. The lookup plugin will inject retrieved secrets as masked environment variables inside an Ansible playbook. To set up the collection:

## Requirements

- We recommend installing Python packages in a [Python virtual environment](https://python.land/virtual-environments/virtualenv).
- Current version of Ansible installed on your system.
- Bitwarden Secrets Manager with an [active machine account](https://bitwarden.com/help/secrets-manager-quick-start/#add-a-service-account/).

Prior to setting up the Ansible collection, we recommend that you also open Secrets Manager to access your access token and any secrets you wish to include in the setup.

## Install the Bitwarden Ansible collection

The following guide is a setup example for the Bitwarden collection using a Linux machine.

1. Install the Bitwarden SDK:

   ```bash
   pip install bitwarden-sdk
   ```

2. Install bitwarden.secrets collection:

   ```bash
   ansible-galaxy collection install bitwarden.secrets
   ```

Now that the Ansible collection has been installed, we can begin calling Bitwarden secrets from an Ansible playbook with `bitwarden.secrets.lookup`. The following section will include examples to demonstrate this process.

> [!NOTE] Mac OS ansible
> macOS users may need to set the following environment variable in shell in order to avoid [Ansible issues upstream](https://docs.ansible.com/ansible/latest/reference_appendices/faq.html#running-on-macos-as-a-control-node).
>
> - `export OBJC_DISABLE_INITIALIZE_FORK_SAFETY=YES`

## Fetch Bitwarden secrets

To fetch secrets from Secrets Manager in your playbook, there are two methods:

### Save access token as environment variable

Using the Secrets Manager, we can securely set our access token as an environment variable in the shell and use the playbook to retrieve the secret. To [authenticate the access token](https://bitwarden.com/help/developer-quick-start/#authenticate/):

1. In the shell, run the following command to set your access token environment variable:

   ```bash
   export BWS_ACCESS_TOKEN=<ACCESS_TOKEN>
   ```

2. Now that the environment variable has been set, we can use the lookup plugin to populate variables in our playbook. For example:

   ```yaml
   vars:
     database_password: "{{ lookup('bitwarden.secrets.lookup', '<SECRET_ID>') }}"
   ```

> [!NOTE] Secure env variable in playbook
> By setting `BWS_ACCESS_TOKEN` as an environment variable, the access token can be referenced without including the raw access token value in the playbook.

### Supply access token in playbook

The Secrets Manager access token can also be referenced within the playbook itself. This method would not require you to use the `BWS_ACCESS_TOKEN` environment variable in your shell; however, the access token value will be stored in the playbook itself.

1. Access tokens may be included in the playbook with the following example:

   ```yaml
   vars:
     password_with_a_different_access_token: "{{ lookup('bitwarden.secrets.lookup', '<SECRET_ID>', access_token='<ACCESS_TOKEN>') }}"
   ```

Using this method, multiple access tokens may be referenced in a single playbook.

## Retrieve secret from different server

Bitwarden self-hosted users can retrieve secrets from their Bitwarden server by including the `base_url`, `api_url` and `identity_url`:

```yaml
vars:
  secret_from_other_server: "{{ lookup('bitwarden.secrets.lookup', '<SECRET_ID>', base_url='https://bitwarden.example.com' ) }}"
  secret_advanced: >-
    {{ lookup('bitwarden.secrets.lookup', '<SECRET_ID>',
    api_url='https://bitwarden.example.com/api',
    identity_url='https://bitwarden.example.com/identity' ) }}
```

## Example playbook

The following is an example of a playbook file with several configuration options.

```yaml
---
- name: Using secrets from Bitwarden
  hosts: localhost  # added so the play is valid; set this to your own inventory target
  vars:
    # Read the access token from an environment variable instead of hard coding it
    bws_access_token: "{{ lookup('env', 'CUSTOM_ACCESS_TOKEN_VAR') }}"
    state_file_dir: "{{ '~/.config/bitwarden-sm' | expanduser }}"
    secret_id: "9165d7a8-2c22-476e-8add-b0d50162c5cc"
    secret: "{{ lookup('bitwarden.secrets.lookup', secret_id) }}"
    secret_with_field: "{{ lookup('bitwarden.secrets.lookup', secret_id, field='note' ) }}"
    secret_with_access_token: "{{ lookup('bitwarden.secrets.lookup', secret_id, access_token=bws_access_token ) }}"
    secret_with_state_file: "{{ lookup('bitwarden.secrets.lookup', secret_id, state_file_dir=state_file_dir ) }}"
  tasks:
    - name: Use the secret in a task
      # reference the secrets with "{{ secret }}", "{{ secret_with_field }}", etc.
      include_tasks: tasks/add_db_user.yml
```

> [!NOTE] Multiple CUSTOM_ACCESS_TOKEN
> In the example above the `CUSTOM_ACCESS_TOKEN_VAR` demonstrates that you may include multiple, different access tokens. These do not have to be hard coded and can be supplied securely to your playbook.

| Variable | Additional information |
|------|------|
| `bws_access_token` | Look up the access token `env` variable. |
| `state_file_dir` | A directory where your authentication state can be cached. |
| `secret_id` | ID of the secret you wish to look up. |
| `secret` | Look up a secret value and store it as a variable named `"secret"`. |
| `secret_with_field` | Look up a secret with additional field output. In this example, the lookup will return the secret's `'note'` value. |
| `secret_with_access_token` | Look up a secret with the access token value included in the request. |
| `secret_with_state_file` | Look up a secret with the preconfigured state file included in the request. |

## Additional requests and fields

In addition to the `secret_id`, several fields can be included in the `bitwarden.secrets.lookup`. The following JSON object includes all of the fields that can be referenced in the playbook lookup:

```json
{
  "id": "be8e0ad8-d545-4017-a55a-b02f014d4158",
  "organizationId": "10e8cbfa-7bd2-4361-bd6f-b02e013f9c41",
  "projectId": "e325ea69-a3ab-4dff-836f-b02e013fe530",
  "key": "SES_KEY",
  "value": "0.982492bc-7f37-4475-9e60",
  "note": "",
  "creationDate": "2023-06-28T20:13:20.643567Z",
  "revisionDate": "2023-06-28T20:13:20.643567Z"
}
```

To retrieve additional fields such as `"note"`, the following command can be added to the playbook:

```yaml
vars:
  database_password: "{{ lookup('bitwarden.secrets.lookup', '0037ed90-efbb-4d59-a798-b103012487a0', field='note') }}"
```

--- URL: https://bitwarden.com/help/apple-watch-totp/ ---

# Bitwarden on Apple Watch

Our Password Manager [integration authenticator capabilities](https://bitwarden.com/help/integrated-authenticator/) are now accessible on the Apple Watch. Bitwarden Premium members or those with a premium membership from a paid organization will now have an additional option for accessing time-based one-time password (TOTP) codes.

Bitwarden for the Apple Watch will show TOTP codes for vault items with seeds stored for easier access when logging into TOTP protected accounts.


> [!NOTE] TOTP membership requirement
> TOTP code generation requires Bitwarden Premium or individual premium membership from a paid organization (Families, Teams, or Enterprise). Learn more about the details of each plan [here](https://bitwarden.com/help/about-bitwarden-plans/#compare-personal-plans/).

## Setup

1. Have the Bitwarden app installed on your iOS mobile device.
2. Check your Apple Watch; Bitwarden should be installed on your watch automatically. If you do not see Bitwarden on your Apple Watch, you can manually install Bitwarden on the Apple Watch.

   ![Apple Watch Bitwarden app](https://bitwarden.com/assets/6pWZMbYpUERAe7wPVKBANZ/eb3046159b774c207510b762947e144d/Screen_Shot_2022-12-02_at_3.53.40_PM__2_.png)

3. Access your Bitwarden account on the iPhone mobile app and select the ⚙️ **Settings** tab.
4. Select the **Other** option and toggle on **Connect to Watch**. Once selected, confirm that the setting is **on** in the pop-up window.

   ![Connect to an Apple Watch](https://bitwarden.com/assets/349i1GulSBErWTuDSFOgkW/25a10a9b2a8584fb074c205236311fc8/2025-01-22_10-10-42.png)

5. Once started, the watch will begin syncing with Bitwarden.

When you log out of an account or switch to a different account, the Apple Watch will wipe the current data. Syncing will occur again when logging back into a Bitwarden account on your iOS mobile device.

> [!NOTE] disable watch app
> Turning the Bitwarden Apple Watch connection off in the mobile app will delete all data and disable communication to the Bitwarden app on the Apple Watch.

## Enabling TOTP

If you are new to enabling TOTP codes for vault items, see [here](https://bitwarden.com/help/authenticator-keys/#generate-totp-codes/).

If no items have TOTP set up, the Apple Watch will display this screen:

![Apple Watch add 2FA screen](https://bitwarden.com/assets/28ELSN09aicT7i20KcFekH/6a062e0391357ae18abcf60cf819db06/2fa.png)

## Using the Apple Watch to access TOTP codes

1. Unlock your Apple Watch by entering your watch PIN if one has been enabled.
2. Select Bitwarden on your Apple Watch.

   ![Apple Watch app selection screens](https://bitwarden.com/assets/7twiT5CXV1jsizjiVTocGM/abdcfe9af5da2b1712e18a0fed59f338/Screen_Shot_2022-12-12_at_5.06.28_PM.png)

3. The vault will sync with the active Bitwarden account on your iOS mobile device. The current account can be seen at the top of the vault page.

   ![Apple Watch vault screen](https://bitwarden.com/assets/6JGjNWcUfjrUkLjxgRnjPD/0a9be44d510816b1edf4ec76b44b8778/vault_view.png)

4. Select the vault item you wish to access. The TOTP code and timer will be displayed on the Apple Watch screen.

   ![Apple Watch TOTP screen](https://bitwarden.com/assets/4ENEoPkcwuB2dOb0EHDmhR/efaf2e9278212af2297e5155895865ac/totp_bevel_copy.png)

## Bitwarden on Apple Watch security

Bitwarden's zero-knowledge encryption works together with Apple's WatchConnectivity and Secure Enclave to retain zero-knowledge and secure communication between the iPhone and Apple Watch.

Several steps can be taken to increase the security of your accounts and device:

- Setting a secure passcode to prevent unwanted access to Bitwarden on Apple Watch. Once the Apple Watch is unlocked, information on the device can be viewed.
- Enabling wrist detection on the Apple Watch so the device will lock automatically once it has been removed from the user's wrist.

> [!NOTE] Unlock with iPhone security
> If the Unlock with iPhone setting is enabled, unlocking the connected iPhone will automatically unlock your Apple Watch if the device is nearby. This could potentially expose Bitwarden information on the Apple Watch. See Apple's [documentation](https://support.apple.com/guide/security/system-security-for-watchos-secc7d85209d/web) for watchOS security to learn more.


--- URL: https://bitwarden.com/help/approve-a-trusted-device/ ---

# Approve a Trusted Device

When a member of your organization logs into a new device, they'll need to [approve, or trust, that device](https://bitwarden.com/help/add-a-trusted-device/). One method for doing so, done by selecting the **Request admin approval** option, involves sending a device approval request to admins and owners within the organization for approval.

![Request admin approval](https://bitwarden.com/assets/5IMJBQOrklcOuLVEpaR6gX/60ead8f10e34f7acd2467eaaa34ff93d/2025-06-16_15-22-15.png)

As an admin, you'll receive an email any time an organization member submits a device approval request. To approve a request, as an organization admin, owner, or [custom user](https://bitwarden.com/help/user-types-access-control/#custom-role/) with the **Manage account recovery** permission:

1. Log in to the Bitwarden web app and open the Admin Console using the product switcher:

   ![Product switcher](https://bitwarden.com/assets/2uxBDdQa6lu0IgIEfcwMPP/e3de3361749b6496155e25edcfdcf08b/2024-12-02_11-19-56.png)

2. Select **Settings** → **Device approvals** from the navigation.
3. Using the options ⋮ menu, select ✓ **Approve request**.

   ![Approve device request](https://bitwarden.com/assets/1iPurecgskOyt0NGDRidBM/3a85c233b2a208dc2c939c8e79fd9b4f/Screenshot_2024-02-29_at_10.52.50_AM.png)

> [!NOTE] Verify fingerprint
> When a member requests device approval, a fingerprint phrase is displayed on the member's device. Additional verification can be performed by checking that this fingerprint phrase matches the one shown in the member column. This method is optional and **requires synchronous communication** between the requesting member and the administrator.

## Bulk approve requests

Multiple device requests may be approved at one time using the top level options ⋮ menu and selecting ✓ **Approve all requests**.

![Approve or bulk approve device](https://bitwarden.com/assets/4ozBvrFFLPYcRmuCWNCuCz/504a206008a06c4e98d0058478f21d26/TDE_Bulk_Device_sc3.png)

> [!NOTE] Bulk device approval web app warning
> Bulk device approval using the **Approve all requests** option may neglect verification steps that administrators can perform to ensure a request is legitimate, such as checking the user's reported fingerprint phrase.
>
> Bitwarden recommends that significant security controls such as IdP credential standards, IdP MFA, and IdP device registration and trust be reviewed before enabling and using bulk device approval.

When a device request is approved, the requesting user is sent an email informing them they can continue logging in on that device. The user must take action by logging in to the new device within 12 hours, or the approval will expire. Unapproved requests will expire after 1 week.

You can deny a login attempt by instead selecting [close] **Deny request**, or deny all existing requests by selecting the top-most options ⋮ menu and selecting [close] **Deny all requests**.

[Events](https://bitwarden.com/help/event-logs/) are logged when:

- A user requests a device approval.
- A device request is approved.
- A device request is denied.

--- URL: https://bitwarden.com/help/assign-users-to-collections/ ---

# Assign Users to Collections

When you [create a collection](https://bitwarden.com/help/about-collections/), you can assign access to existing [groups](https://bitwarden.com/help/about-groups/) or members. You can, at any time, modify who has access to a collection from the Password Manager web app:

1. In the web app, open the collection and select the [angle-down] button to see your options:

   ![Manage a collection](https://bitwarden.com/assets/m7O6TwNqNzsOCJNp1caor/914bfbf2192a2cccbe6c3fb58c11a73d/2024-12-02_15-40-10.png)

2. Select **Access**.
3. In the collection **Access** view, you can:
   - Grant additional [groups](https://bitwarden.com/help/about-groups/) or members access, including what [level of permission](https://bitwarden.com/help/collection-permissions/) they have.
   - Change the [level of permission](https://bitwarden.com/help/collection-permissions/) associated with a [group](https://bitwarden.com/help/about-groups/) or member that can already access the collection.
4. Select **Save**.

> [!TIP] Bulk collection access management
> **Bulk-management**: Users with access to the Admin Console can bulk-manage access to collections from the Collections view using the options ⋮ menu:
>
> ![Bulk manage collections](https://bitwarden.com/assets/42edJRnvap8xiBpURskIVI/7ff8006517e9bce50dffa4372fcc2911/2024-12-02_15-41-46.png)

## Assign access to un-managed collections

Collections should always have at least one assigned member with the [Manage collection permission](https://bitwarden.com/help/collection-permissions/). Under certain circumstances, for example when a managing member leaves your organization, collections can end up without a member with that level of permission.

> [!NOTE] Only applies if 'Owner/Admin Manage All' setting is off.
> The following only applies if the [Owners and admins can manage all collections and items](https://bitwarden.com/help/collection-management/#owners-and-admins-can-manage-all-collections-and-items/) collection management setting is **off.** If this setting is **on** in your organization:
>
> - Owners and admins can always, rather than temporarily, modify access to a collection from the **Collections** view.
> - The **Add Access** badge and tab described below will not appear.


When this occurs, owners and admins will temporarily gain management capabilities for these collections through the **Add Access** tab of the **Collections** view:

![Add access to un-managed collections](https://bitwarden.com/assets/1Nqn29nNIkKtb5HfWkfcWK/64c3875f60d3d292837d0655ad3b146c/2024-12-05_09-56-43.png)

Using the steps described previously in this article, owners and admins should assign a new member with the [Manage collection permission](https://bitwarden.com/help/collection-permissions/). Once done, owners and admins lose management capabilities for that collection and the Add Access label is removed.

## Next steps

- [Learn about collections](https://bitwarden.com/help/about-collections/) at a conceptual level.
- [Create a collection](https://bitwarden.com/help/create-collections/) that you can add shared items to.
- [Share items with organization members](https://bitwarden.com/help/sharing/) through your new collection.
- [Configure the permissions](https://bitwarden.com/help/collection-permissions/) your groups and members have to the collection.
- [Configure collection management settings](https://bitwarden.com/help/collection-management/) for your organization.

--- URL: https://bitwarden.com/help/attachments/ ---

# File Attachments

> [!NOTE] Attachments only available if you're paying
> File attachments are available for Premium users and members of paid [organizations](https://bitwarden.com/help/about-organizations/). These paid users have 1GB of encrypted storage for file attachments. [More storage](https://bitwarden.com/help/attachments/#add-storage-space/) can be purchased in 1GB increments.

Files can be attached to vault items from any Bitwarden app. A file of any type that's 500 MB or smaller (100 MB or smaller, if uploading from mobile) can be attached to an item. Attachments are encrypted and decrypted locally, meaning no unencrypted attachment data is transported over the internet or stored by the server.

> [!NOTE] Sends and Attachments utilize storage space
> Attachments on individual vault items and all Sends use the individual storage space granted by premium subscriptions or organizations. Attachments on organization owned items use shared organizational storage space. Learn how to [add storage space](https://bitwarden.com/help/attachments/#add-storage-space/).

## Upload a file

To attach a file to a vault item:

### Web app

To attach a file from the web app:

1. Select the ⋮ **Options** menu for the item to attach the file to.
2. Select [paperclip] **Attachments** from the dropdown.
3. In the attachments panel, **Browse...** for your file.
4. Select the **Save** button.

Once a vault item has a file attached to it, selecting [paperclip] **Attachments** from the ⋮ **Options** menu will also display a list of attached files.

### Browser extension

To attach a file from the browser extension:

1. Open the item to attach the file to and select the **Edit** button.
2. Scroll to the bottom of the Edit screen and select [paperclip] **Attachments**.
3. On the attachments panel, select **Choose File**.
4. Select a file to upload and select the **Upload** button.

Once a vault item has a file attached to it, selecting [paperclip] **Attachments** from this location will also display a list of attached files.

### Mobile

To attach a file from the mobile app:

1. Open the item to attach the file to and select the ⋮ **Menu** button.
2. Select [paperclip] **Attachments**.
3. On the attachments panel, select the **Choose File** button and browse for your file.
4. Select the **Save** button.

Once a vault item has a file attached to it, selecting [paperclip] **Attachments** from the ⋮ **Menu** dropdown will also display a list of attached files.

### Desktop

To attach a file from the desktop app:

1. Open the item to attach the file to and select the **Edit** button.
2. Select [paperclip] **Attachments**.
3. On the attachments panel, **Browse...** for your file.
4. Select the **Save** button.


Once a vault item has a file attached to it, selecting [paperclip] **Attachments** will also display a list of attached files.

### CLI

Use `bw create attachment` to attach a file to an existing vault item, for example:

```
bw create attachment --file /path/to/myfile.ext --itemid <item-id>
```

For more information, please refer to the Bitwarden [CLI documentation](https://bitwarden.com/help/cli/).

## Download a file

To download a file attachment:

### Web app

To download an attachment from the web app:

1. Select the ⋮ **Options** menu for the item to download the attachment from.
2. Select [paperclip] **Attachments** from the dropdown.
3. Select the attachment to download.

### Browser extension

To download an attachment from the browser extension:

1. Open the item with the attachment to download.
2. Scroll to the bottom of the Edit screen and select **Attachments**.
3. For the attachment to download, select the ⬇️ **Download** button.

### Mobile

To download an attachment from the mobile app:

1. Open the item with the attachment to download.
2. Select the ⬇️ **Download** button for the attachment to download.

### Desktop

To download an attachment from the desktop app:

1. Open the item with the attachment to download.
2. Scroll to the attachments section and select the ⬇️ **Download** button for the item to download.

### CLI

Use `bw get attachment` to download a file, for example:

```
bw get attachment photo.png --itemid 99ee88d2-6046-4ea7-92c2-acac464b1412 --output /Users/myaccount/Pictures/
```

For more information, please refer to the [CLI documentation](https://bitwarden.com/help/cli/#get-attachment/).

## Export all attachments

To create an export that includes attachments:

### Web app

To export your attachments from the web app:

1. Select **Tools** → **Export vault** from the navigation:

   ![Export individual vault](https://bitwarden.com/assets/5PUGzasNsQnABG9gtso4o3/9be00b37afafd779c20fd9624dd9512d/2024-12-03_08-59-25.png)
2. From the **File format** dropdown, select `.zip (with attachments)`. Currently, attachments can only be exported from your individual vault.
3. Select **Confirm format** and select the **Export vault** button to finish. You will need to confirm your permission to do this using your master password or an email verification code.

Your export file will be sent to your Downloads folder or wherever your web browser is set to download files to.

### Browser extension

To export your attachments from the browser extension:

1. Open the **Settings** tab.
2. Select **Vault options** and then **Export vault**.
3. From the **File format** dropdown, select `.zip (with attachments)`. Currently, attachments can only be exported from your individual vault.
4. Select **Export vault** button to finish. You will need to confirm your permission to do this using your master password or an email verification code.

Your export file will be sent to your Downloads folder or wherever your web browser is set to download files to.

### Desktop app

To export your attachments from the desktop app:

1. From the menu bar, navigate to **File** → **Export vault**.
2. From the **File Format** dropdown, select `.zip (with attachments)`. Currently, attachments can only be exported from your individual vault.
3. Select **Export vault**. You will need to confirm your permission to do this using your master password or an email verification code.

Your export file will be sent to your Downloads folder or wherever your web browser is set to download files to.

### CLI

To export your attachments from the CLI, use the command:

```bash
bw export --format zip
```

## Delete a file

To delete a file attachment:

### Web app

To delete an attachment from the web app:

1. Select the ⋮ **Options** menu for the item with the attachment to delete.
2. Select [paperclip] **Attachments** from the dropdown.
3. Select the 🗑️ **Delete** icon next to the attachment to delete.

### Browser extension

To delete an attachment from the browser extension:

1. Open the item with the attachment to delete.
2. Scroll to the bottom of the Edit screen and select **Attachments**.
3. For the attachment to delete, select the 🗑️ **Delete** button.

### Mobile

To delete an attachment from the mobile app:

1. Open the item with the attachment to delete and select the ⋮ **Menu** icon.
2. Select [paperclip] **Attachments**.
3. On the attachments panel, select the 🗑️ **Delete** icon for the attachment to delete.

### Desktop

To delete an attachment from the desktop app:

1. Open the item with the attachment to delete and select the **Edit** button.
2. Select [paperclip] **Attachments**.
3. On the attachments panel, select the 🗑️ **Delete** icon for the attachment to delete.

### CLI

Use `bw delete attachment` to delete a file attachment, for example:

```
bw delete attachment 7063feab-4b10-472e-b64c-785e2b870b92
```

For more information, please refer to the Bitwarden [CLI documentation](https://bitwarden.com/help/cli/).

## Add storage space

Paid users and members of paid [organizations](https://bitwarden.com/help/about-organizations/) have 1GB of encrypted storage for file attachments. Individuals and organizations can purchase additional storage space by completing the following steps:

> [!NOTE] Adding Storage Billing Impact
> Adding storage space will adjust your billing totals and immediately charge your payment method. The first charge will be prorated for the remainder of the current billing cycle.

### Individual

To add storage space in your individual vault:

1. In the Bitwarden web app, navigate to **Settings** → **Subscription**.
2. In the Storage section, select the **Add Storage** button:

   ![Add storage to individual vault](https://bitwarden.com/assets/113yhHwt2fIgkjWjmPgCa4/868beec72cf9e007512178cc82b325a5/2024-12-02_15-26-55.png)
3. Using the counter, choose the number of **GB of Storage to Add** and select **Submit**.

### Organization

To add storage space in your organization vault:

1. In the Bitwarden web app, open the Admin Console using the product switcher:

   ![Product switcher](https://bitwarden.com/assets/2uxBDdQa6lu0IgIEfcwMPP/e3de3361749b6496155e25edcfdcf08b/2024-12-02_11-19-56.png)
2. From the navigation, select **Billing** → **Subscription**.
3. In the Manage subscription section, select the **Add Storage** button:

   ![Add storage to organization vault](https://bitwarden.com/assets/6tMMQEzEKXIRSa9fIUXuoh/3d9f81b717d3cee9681f1feda97d1b91/2024-12-02_15-28-55.png)
4. Using the counter, choose the number of **GB of Storage to Add** and select **Submit**.

### Self-hosted

While attachment storage is still tied to being a paid user or member of an organization when self-hosted, the **amount of storage** space is only limited by how much space is available on the volume that contains your attachments directory, with an upward limit of 10 TB (10240 GB). Users and admins **do not** need to change any values to increase that limit.

## Fixing old attachments

Prior to December 2018, file attachments used a different method of encrypting their data. We have since moved to a newer, better way of encrypting attachments. Any attachments that use the older encryption method will be labeled with an alert icon in your vault listing. You should upgrade these old attachments to the newer method of encryption so that other account-related features can function properly:

1. Open the page for editing your attachments.
2. Click the **Fix** button next to the old attachment.

This process will download the attachment, re-encrypt it using the new encryption method, re-upload the attachment back to your vault, and delete the old version of the attachment. Once an attachment has successfully been upgraded, the alert icon and fix button should disappear.

--- URL: https://bitwarden.com/help/authenticator-faqs/ ---

# FAQs

#### Q: Is the new Bitwarden Authenticator part of Bitwarden Password Manager?

**A**: Bitwarden Authenticator is a standalone mobile app that is available for everyone, whether they use Bitwarden Password Manager or not. Bitwarden Password Manager will retain an integrated authenticator available for users with premium or members of paid organizations.

#### Q: Can I use the Bitwarden Authenticator to add 2FA to my Bitwarden account?

**A**: Yes! Since Bitwarden Authenticator allows you to store codes outside of your Bitwarden account, this app can be used to add 2FA to your Bitwarden account.

#### Q: How do I set this app as my default verification code app on iOS?

**A**: iOS users running iOS 16+ can set any application as the default for storing verification codes when scanning codes directly from the camera app, including [Bitwarden Authenticator](https://bitwarden.com/help/bitwarden-authenticator/) and Password Manager [integrated authentication](https://bitwarden.com/help/integrated-authenticator/). To set this up:

1. Open the iOS **Settings** app on your device.
2. Tap **General**.
3. Tap **AutoFill & Passwords**.
4. Tap **Password Options**.
5. Select an app from the **Set Up Codes In** dropdown in the **Verification Codes** section.

#### Q: When should I use this standalone app as opposed to the integrated authenticator?

**A**: Apart from using the standalone app to set up 2FA for your Bitwarden account, you can use either app to store and generate verification codes for all your other accounts. They can be used together, or separately, depending on your security preferences.

#### Q: How is my data stored and protected?

**A**: Your authentication keys (sometimes referred to as "secret keys" or "TOTP seeds") and all associated metadata are stored in a local unencrypted database on your device. This data is not synced to Bitwarden servers. A backup of your data is made by your device's cloud backup system, for example by iCloud Backup or Google One. To protect the data in your app, you can also set up biometric login.
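
The authentication keys described in this answer are the `secret=` values carried in the `otpauth://` strings of an Authenticator `.json` export (see Import and Export). The following is an added example, not Bitwarden code: it builds an import file in that `.json` shape and checks each entry before import, reporting problems without echoing any seed. The account names and seeds are constructed, and the 128-bit minimum, accepted algorithms, and digit and period ranges are assumptions taken from RFC 4226 and common `otpauth` usage, not documented Bitwarden limits.

```python
import base64
import json
import uuid
from urllib.parse import parse_qs, quote, urlencode, urlsplit

MIN_SECRET_BYTES = 16  # assumption: RFC 4226 minimum of 128 bits
ALGORITHMS = {"SHA1", "SHA256", "SHA512"}  # assumption: common otpauth values

# Constructed sample accounts (not real seeds). The second seed uses the
# lower-case, space-grouped form that many providers display.
SAMPLE_ACCOUNTS = [
    ("Example Mail", "alice@example.com", "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"),
    ("Example Git", "alice@example.com", "mfrg gzdf mzxw 6ytb ojrg c3tp mfrg gzdf"),
]


def decode_secret(secret):
    """Normalise a base32 seed and return (canonical_text, raw_bytes)."""
    text = "".join(secret.split()).replace("-", "").rstrip("=").upper()
    if not text:
        raise ValueError("secret is missing")
    try:
        raw = base64.b32decode(text + "=" * (-len(text) % 8))
    except ValueError:  # binascii.Error is a ValueError subclass
        raise ValueError("secret is not valid base32") from None
    return text, raw


def build_item(issuer, account, secret, algorithm="SHA1", digits=6, period=30):
    """Build one entry in the item shape of the documented .json export."""
    text, _ = decode_secret(secret)
    query = urlencode(
        {"secret": text, "issuer": issuer, "algorithm": algorithm,
         "digits": digits, "period": period},
        quote_via=quote,  # spaces become %20 rather than "+"
    )
    label = quote(f"{issuer}:{account}", safe=":@")
    return {
        "favorite": False,
        "id": str(uuid.uuid4()).upper(),
        "login": {"totp": f"otpauth://totp/{label}?{query}", "username": account},
        "name": issuer,
        "type": 1,
    }


def build_import_file(accounts):
    """Wrap entries in the top-level object used by the export."""
    return {"encrypted": False, "items": [build_item(*a) for a in accounts]}


def check_item(item):
    """Return (problems, canonical_secret or None); messages never hold the seed."""
    problems = []
    if item.get("type") != 1:
        problems.append("type is not 1")
    login = item.get("login")
    uri = login.get("totp") if isinstance(login, dict) else None
    parts = urlsplit(uri if isinstance(uri, str) else "")
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        return problems + ["login.totp is not an otpauth://totp/ URI"], None
    params = {key: values[0] for key, values in parse_qs(parts.query).items()}
    text = None
    try:
        text, raw = decode_secret(params.get("secret", ""))
        if len(raw) < MIN_SECRET_BYTES:
            problems.append(f"secret is only {len(raw) * 8} bits")
    except ValueError as exc:
        problems.append(str(exc))
    if params.get("algorithm", "SHA1").upper() not in ALGORITHMS:
        problems.append("algorithm is not recognised")
    # assumption: 6 to 8 digits and a period of 1 to 300 seconds
    for key, allowed in (("digits", range(6, 9)), ("period", range(1, 301))):
        value = params.get(key)
        if value is not None and not (
            value.isascii() and value.isdigit() and int(value) in allowed
        ):
            problems.append(f"{key} is out of range")
    return problems, text


def validate_export(doc):
    """Return {entry label: [problems]}; an empty dict means nothing was flagged."""
    report = {}
    if doc.get("encrypted") is not False:
        report["<file>"] = ['"encrypted" is not false']
    first_seen = {}
    for index, item in enumerate(doc.get("items", [])):
        label = f"#{index} {item.get('name', '?')}"
        problems, text = check_item(item)
        if text in first_seen:
            problems.append(f"same secret as {first_seen[text]}")
        elif text is not None:
            first_seen[text] = label
        if problems:
            report[label] = problems
    return report


if __name__ == "__main__":
    doc = build_import_file(SAMPLE_ACCOUNTS)
    print(json.dumps(validate_export(doc)))  # labels and messages only, no seeds
```

A file produced this way holds every seed in plaintext, so keep it on local storage only for as long as the import takes.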

#### Q: How do I backup and restore my data?

**A**: An encrypted backup of your data is made by your device's cloud backup system, for example by iCloud or Google One. To restore your data, restore your device's cloud backup.

#### Q: How do I determine what version of Bitwarden Authenticator I'm using?

**A**: To determine what version of Bitwarden Authenticator you're using, open the **Settings** tab and scroll down to the **About** section.

--- URL: https://bitwarden.com/help/authenticator-import-export/ ---

# Import and Export

## Import data

To import data to Bitwarden Authenticator, open the ⚙️ **Settings** tab and tap the **Import** button. Then, tap **File format** and choose one of the following sources:

- **Authenticator Export (JSON)**: Import a Bitwarden Authenticator or Bitwarden Password Manager `.json` export. Use the instructions in the following section for information on how to create a `.json` export with Bitwarden Authenticator. Importing a Bitwarden Password Manager `.json` export ([learn more](https://bitwarden.com/help/export-your-data/)) will parse the file and import TOTP seeds.
- **Google Authenticator (QR Code)**: Import from Google Authenticator using a QR code, which can be made from the **Transfer accounts** screen in Google Authenticator. Scan the generated QR code with Bitwarden Authenticator to complete the import.

  > [!TIP] Google Import Authenticator Android
  > On Android, use the + **Add** icon on the home screen to scan a Google Authenticator QR code rather than navigating to **Settings** → **Import**.
- **LastPass (JSON)**: Import a LastPass Authenticator account export, which can be made from the LastPass Authenticator **Settings** → **Transfer accounts** screen.
- **2FAS (.2fas)**: Import a 2FAS backup file, which can be made from the 2FAS **Settings** → **2FAS Backup** screen. Only backup files that are not password protected can be imported to Bitwarden Authenticator.
- **Raivo (JSON) (iOS only)**: Import a Raivo OTP export, which can be made from the Raivo **Settings** screen using the **Export OTPs to ZIP archive option**. You will need to decrypt the `.zip` file using your master password and import the enclosed `raivo-otp-export.json` file to Bitwarden Authenticator.
- **Aegis (Android only)**: Import an unencrypted Aegis `.json` export, which can be made from the Aegis **Import & Export** screen.

## Export data

To export data from Bitwarden Authenticator, open the ⚙️ **Settings** tab and tap the **Export** button. You can choose to export your data as a `.json` or `.csv` file.

> [!NOTE] Exporting from authenticator
> Your exported data will include an `otpauth://totp/?secret=` string for each entry. Should you wish to store this data elsewhere or set up a second authenticator app, this is the most important data to save.

### Example exports

Bitwarden Authenticator will export data in the following formats. You may also use this section to condition your own import file if you're importing from a currently-unsupported provider:

### .json

```plain text
{
  "encrypted": false,
  "items": [
    {
      "favorite": false,
      "id": "52A4DFB0-F19E-4C9D-82A1-BBEE95BBEF81",
      "login": {
        "totp": "otpauth://totp/Amazon:alice@bitwarden.com?secret=IIO5SCP3766LMSAB5HJCQPNDCCNAZ532&issuer=Amazon&algorithm=SHA1&digits=6&period=30",
        "username": "alice@bitwarden.com"
      },
      "name": "Amazon",
      "type": 1
    },
    {
      "favorite": false,
      "id": "DC81A830-ED98-4F45-9B73-B147E40134AB",
      "login": {
        "totp": "otpauth://totp/Apple:alice@bitwarden.com?secret=IIO5SCQ3766LMSBB5HJCQPNDCCNAZ532&issuer=Apple&algorithm=SHA1&digits=6&period=30",
        "username": "alice@bitwarden.com"
      },
      "name": "Apple",
      "type": 1
    },
    {
      "favorite": false,
      "id": "4EF44090-4B6A-4E98-A94C-CF7B0F2CC35D",
      "login": {
        "totp": "otpauth://totp/Bitwarden:alice@bitwarden.com?secret=IIO5SCP3766LMSBB5HJCQPNDCCNAZ532&issuer=Bitwarden&algorithm=SHA1&digits=6&period=30",
        "username": "alice@bitwarden.com"
      },
      "name": "Bitwarden",
      "type": 1
    },
    {
      "favorite": false,
      "id": "59B09168-502A-4D38-B218-FACF66E6A365",
      "login": {
        "totp": "otpauth://totp/Microsoft:alice@bitwarden.com?secret=IIO5SCP3766LMSBB5HJCHPNDCCNAZ532&issuer=Microsoft&algorithm=SHA1&digits=6&period=30",
        "username": "alice@bitwarden.com"
      },
      "name": "Microsoft",
      "type": 1
    },
    {
      "favorite": false,
      "id": "789F095B-95B2-4816-A5F7-01095116C10E",
      "login": {
        "totp": "otpauth://totp/Reddit:alice@bitwarden.com?secret=IIO5SCP3766LNSBB5HJCQPNDCCNAZ532&issuer=Reddit&algorithm=SHA1&digits=6&period=30",
        "username": "alice@bitwarden.com"
      },
      "name": "Reddit",
      "type": 1
    }
  ]
}
```

### .csv

```plain text
folder,favorite,type,name,notes,fields,reprompt,login_uri,login_username,login_password,login_totp
,,login,Amazon,,,0,,alice@bitwarden.com,,otpauth://totp/Amazon:alice@bitwarden.com?secret=IIO5SCP3766LMSAB5HJCQPNDCCNAZ532&issuer=Amazon&algorithm=SHA1&digits=6&period=30
,,login,Apple,,,0,,alice@bitwarden.com,,otpauth://totp/Apple:alice@bitwarden.com?secret=IIO5SCQ3766LMSBB5HJCQPNDCCNAZ532&issuer=Apple&algorithm=SHA1&digits=6&period=30
,,login,Bitwarden,,,0,,alice@bitwarden.com,,otpauth://totp/Bitwarden:alice@bitwarden.com?secret=IIO5SCP3766LMSBB5HJCQPNDCCNAZ532&issuer=Bitwarden&algorithm=SHA1&digits=6&period=30
,,login,Microsoft,,,0,,alice@bitwarden.com,,otpauth://totp/Microsoft:alice@bitwarden.com?secret=IIO5SCP3766LMSBB5HJCHPNDCCNAZ532&issuer=Microsoft&algorithm=SHA1&digits=6&period=30
,,login,Reddit,,,0,,alice@bitwarden.com,,otpauth://totp/Reddit:alice@bitwarden.com?secret=IIO5SCP3766LNSBB5HJCQPNDCCNAZ532&issuer=Reddit&algorithm=SHA1&digits=6&period=30
```

--- URL: https://bitwarden.com/help/auto-fill-android-troubleshooting/ ---

# Troubleshoot Android Autofill

> [!NOTE] Android Autofill mechanics
> On Android, Password Manager uses a website (e.g. `https://gmail.com`) to autofill in web browsers and a package name (e.g. `com.google.android.gm`) to autofill in installed applications.
>
> When it comes to installed applications, it is important that you **only install and autofill into applications from trusted sources**, like the Google Play Store or F-Droid, as a malicious application could mimic the package name of a well-known application. [Learn more](https://bitwarden.com/help/uri-match-detection/#tab-android-1MW4Dc3sLFszt1M8GaKqyB/).

Depending on the version of Android your device is running, there are a few different ways to enable autofill from Bitwarden:

| **Option** | **Requires version...** | **Requires you to also enable...** |
|------|------|------|
| Autofill Service | Android 8+ | - |
| Inline Autofill | Android 11+ | Autofill service, IME that supports inline |
| Accessibility | All Android versions | - |

For instructions on setting up autofill on Android, see [Autofill logins on Android](https://bitwarden.com/help/auto-fill-android/).

### Troubleshooting the autofill service

If the Bitwarden autofill service overlay isn't visible when your device is focusing on a username or password input field, your device may require a device-specific setting to be enabled:

**For Huawei/Honor devices**, enable Dropzone:

1. Open the Huawei/Honor Optimizer app (also known as "Phone Manager").
2. Tap **Dropzone** in the middle of the bottom row.
3. Slide the toggle to the right to allow Dropzone.

**For Oppo and other devices**, enable Floating Window:

1. Open the Android Settings app.
2. Navigate to Privacy/Security.
3. Locate **Floating Windows** or **App Management** and tap to open.
4. Slide the toggle to the right to allow Floating Windows.

### Troubleshooting the accessibility service

The most common issue encountered using the accessibility service is that **Android battery optimization** settings will automatically turn off services (like the Accessibility Service) in order to preserve battery. To resolve this, **turn off battery optimization for Bitwarden**.

If you continue to experience issues with the Accessibility Service:

1. Double-check your battery optimization settings. If battery optimization is on for Bitwarden, turn it off.
2. If you use a battery saver or Task Manager app, try disabling to see if that makes a difference. If it does, add Bitwarden to the exception list.
3. Check the built-in Task Manager. You'll need to bring up the running apps view and then hold down the app icon or swipe up on the Bitwarden app and then select **Lock**.

Please note, the service can also halt if you ever "Force stop" the Bitwarden app.

> [!NOTE]
> The site [https://dontkillmyapp.com/](https://dontkillmyapp.com/) might help you determine the default battery optimization configurations for your device.

> [!NOTE] Android autofill help
> If you are still not able to get Android autofill working, [Contact Us](https://bitwarden.com/contact/).

--- URL: https://bitwarden.com/help/auto-fill-android/ ---

# Autofill from Android App

Bitwarden makes your passwords available for autofill so that you can seamlessly log in to websites and apps while also maintaining strong and secure passwords. Autofill cuts the copying and pasting out of your login routine by detecting vault items that match the service you are logging in to.

Custom fields and split login workflows (when username and password fields are displayed on separate screens) are not currently supported in mobile autofill.

> [!NOTE] Android Autofill mechanics
> On Android, Password Manager uses a website (e.g. `https://gmail.com`) to autofill in web browsers and a package name (e.g. `com.google.android.gm`) to autofill in installed applications.
>
> When it comes to installed applications, it is important that you **only install and autofill into applications from trusted sources**, like the Google Play Store or F-Droid, as a malicious application could mimic the package name of a well-known application. [Learn more](https://bitwarden.com/help/uri-match-detection/#tab-android-1MW4Dc3sLFszt1M8GaKqyB/).

## Set up autofill

Depending on the version of Android your device is running, there are a few different ways to enable autofill from Bitwarden. To set up autofill:

1. Navigate to **Settings** → **Autofill**.
2. Tap **Autofill services** to allow Bitwarden to use your saved login information to sign in to apps on your device.
3. When your device asks for your preferred services for passwords, passkeys, & autofill, choose **Bitwarden**.
4. Back on the Bitwarden **Settings** → **Autofill** screen, choose one of the following **Display autofill suggestions** options:
   - **Inline**: This option will suggest credentials to autofill in your keyboard.
   - **Popup**: This option will suggest credentials to autofill in a popup over the input field.
5. If you use Brave or Chrome as your web browser, toggle the **Use Brave autofill integration** or **Use Chrome autofill integration** options on to ensure that autofill will work in these browsers. Learn more [below](https://bitwarden.com/help/auto-fill-android/#browser-integrations/).

   > [!NOTE] This blocks credit cards.
6. If you want to use Quick-action tiles, toggle **Use accessibility** on. When your device takes you to the **Accessibility** menu, toggle Bitwarden on in that location as well.

   > [!TIP] Quick Tile Actions
   > Quick-action tiles do not require that the **Autofill service** is toggled on in Bitwarden, meaning you can skip the previous steps if this is your preferred method, however you will need to edit your tiles using the [pencil] icon to put the Bitwarden tile options in a place that makes sense for you.

> [!NOTE] There's a troubleshooting guide
> Having problems? Refer to our guide on [troubleshooting Android Autofill](https://bitwarden.com/help/auto-fill-android-troubleshooting/). If you are still not able to get autofill on Android working, [contact us](https://bitwarden.com/contact/).

## Autofill methods

### Inline

This method suggests credentials to autofill in your keyboard:

![Android inline autofill](https://bitwarden.com/assets/2LxDxR7KcVd68U9UydYxat/e02408654528f4262a293de61e1439bb/2025-07-30_10-56-55.png)

If you're not seeing suggestions:

- Make sure you're using Android 11+ and a compatible IME (input method editor).
- Check that the keyboard IME you're using supports inline.

### Popup

This method overlays a popup menu when the device is focused on an input that has a [matching login item](https://bitwarden.com/help/uri-match-detection/). When your vault is unlocked, you'll be provided the options to immediately autofill or to open your vault:

![Android popup autofill](https://bitwarden.com/assets/1fIoPhOLMcXzvd0Y8aw1pm/642f9f722291f2de3daf93f2fd9a6450/2025-07-30_10-59-13.png)

You'll be presented with two options. The first (above, **My Login Item**) will autofill the first login (above, `my_username`) with a matching URI. The second (above, **Bitwarden**) will allow you to choose from a list of logins with matching URIs. This method requires Android 8+.

### Browser integrations

If you use Brave or Chrome as your web browser, toggle the **Use Brave autofill integration** or **Use Chrome autofill integration** options on to ensure that autofill will work in these browsers. Doing so will take you to that web browser's settings, where you will also need to enable the option to use a third-party service. This is required by Chrome so it can securely use Bitwarden to autofill passwords through its protected autofill system, and requires that **Autofill services** is enabled in Bitwarden and that the installed Chrome app is at least version 135.

These options will disable the browser's built-in autofill functionality in favor of Bitwarden.

> [!WARNING] Risks of compatibility mode.
> Bitwarden will automatically detect whether you're using **Edge, Opera, or Samsung Internet**, will not require an integration option to be turned on for those browsers, and will use a modified autofill logic within those browsers.
>
> On Edge, Opera, or Samsung Internet, take care to only autofill trusted and legitimate websites, as a vulnerability exists that could allow credentials to be autofilled into an embedded or hidden iframe on a malicious website.

![Enable android integrations](https://bitwarden.com/assets/1Qm4g428OlYOBvzAxKwUNU/77106f75d8f5af42bed8bde4db9dc325/2025-07-30_13-14-04.png)

### Quick-action tiles

Quick-action tiles use the Android accessibility service to make autofill actions available from your notifications pull-down's settings menu. Quick-action tiles do not require that the **Autofill service** is toggled on in Bitwarden, however you will need to edit your tiles using the [pencil] icon to put the Bitwarden tile options in a place that makes sense for you:

![Android quick-action autofill](https://bitwarden.com/assets/7MHfjTUrRjdLtBoyL3Ukz2/7980adfc9de7b6b2659f1955d3d987fd/2025-07-30_11-07-51.png)

To use a quick-action tile, navigate to the page or app you want to autofill, swipe down to access the tiles, and tap the tile you want to use.

## Switch accounts during autofill

If you are [logged in to more than one account](https://bitwarden.com/help/account-switching/), your mobile app will default to trying to autofill credentials from the currently active account. You can switch from one account to another during autofill by tapping the avatar bubble.

## Use passkeys

### Set up Bitwarden for use with passkeys

Once the Bitwarden application is updated to the latest version, go to **Settings** → **Autofill** and tap **Passkey management** to access the Android settings to configure Bitwarden as your passkey provider.

Please note that Android does not allow 3rd party passkey providers like Bitwarden to support passkey-based 2FA (a.k.a. "non-discoverable credentials"); Bitwarden-stored passkeys can only be used as a primary login credential.

### Create a passkey

When creating a new passkey on a website or app, the Android application will prompt you to store the passkey:

![Create a passkey](https://bitwarden.com/assets/4mBZ6s599BKxzn86CDwBhH/e2a313ab3dc263cd93f5da24e7cad778/passkey-android-1__1_.png)
*Create a passkey*

Select **Create**.

> [!NOTE] Other options for passkeys (Android)
> Select **Save another way** if you do not wish to store the passkey in Bitwarden or **More saved sign-ins** to sign in with a passkey not stored in Bitwarden.

If a passkey already exists for this service, Bitwarden will allow you to save a new passkey by selecting the + icon to create a new item, or by overwriting an existing passkey:

![Save or overwrite a passkey](https://bitwarden.com/assets/m8rHHqT8hmuEY7wB9WKld/573de4ef230d2d9cdbdcd94574b55168/passkey-android-2__1_.png)
*Save or overwrite a passkey*

> [!NOTE] One passkey per login
> Only one passkey can be saved per login item. If a credential is saved in multiple places, for instance as two separate login items in the individual vault and organization vault respectively, a different passkey can be stored with each login item.

### Sign in using a passkey stored in Bitwarden

To use a passkey stored in Bitwarden, initiate the passkey login on the website. The mobile app will provide an option to login using the passkey stored in your Bitwarden vault:

![Save or overwrite a passkey](https://bitwarden.com/assets/m8rHHqT8hmuEY7wB9WKld/573de4ef230d2d9cdbdcd94574b55168/passkey-android-2__1_.png)
*Save or overwrite a passkey*

Select **Sign in** to use your passkey.

> [!NOTE] Other options for passkeys (Android)
> Select **Save another way** if you do not wish to store the passkey in Bitwarden or **More saved sign-ins** to sign in with a passkey not stored in Bitwarden.

--- URL: https://bitwarden.com/help/auto-fill-browser/ ---

# Autofill from Browser Extension

Bitwarden makes logging in quick and secure with autofill. When you visit a website, the browser extension recognizes it and enters matching credentials from your vault into the login fields. Configure the autofill methods that you find most convenient.

> [!NOTE] Autofill for basic auth prompts
> [Basic authentication prompts](https://bitwarden.com/help/basic-auth-autofill/) work differently than the autofill methods described in this article.

## Set up autofill

First, all autofill methods with the browser extension require your login items to have an [assigned website URI](https://bitwarden.com/help/uri-match-detection/). This connects your saved credentials to the correct websites.

Next, the steps to configure and use autofill vary and are outlined in each method's description below. Within the **Settings** → **Autofill** menu, some options apply to all or most autofill methods:

- For best performance, check **Make Bitwarden your default password manager** and [deactivate your browser's password manager](https://bitwarden.com/help/disable-browser-autofill/). This prevents the browser's password tool from interfering with the Bitwarden autofill.
- If you do not want a TOTP to be automatically copied when autofill is activated, uncheck [**Copy TOTP automatically**](https://bitwarden.com/help/auto-fill-browser/#totp-autofill/).
- From the **Clear clipboard** dropdown menu, select your preferred interval to control how long copied values from your vault remain available.
- Choose your **Default URI match detection**, the logic that Bitwarden uses to pair the website to your saved credential. The default, unless [specified by your organization](https://bitwarden.com/help/policies/#default-uri-match-detection/), is **Base domain**.
- Select and add [**Blocked domains**](https://bitwarden.com/help/blocking-uris/) to prevent autofilling on specific websites.

## Autofill methods in the browser extension

The most basic ways to autofill logins are by interacting with the Bitwarden browser extension. When you're on a website and at least one item's saved URI matches, the number of matching items for that website will appear on top of the Bitwarden extension icon.

> [!TIP] Disable badge counter
> To hide the matching items' total, go to ⚙️ **Settings** → **Appearance** and uncheck **Show number of login autofill suggestions on extension icon**.

Select the [shield] **Bitwarden extension badge** to open your vault, and the matching items will appear in the top **Autofill suggestions** section. If you want cards or identities included, go to **Settings** → **Autofill** and check **Always show cards as Autofill suggestions on Vault view** or **Always show identities as Autofill suggestions on Vault view**.

To find an item, select the 🎚️ **Filters icon** to open and apply filters to the **Autofill suggestions** and **All items** results:

![Browser extension filters and suggestions](https://bitwarden.com/assets/12UsFuA2sxbUCBMIczJsxv/689221013fac56ddb555ed9dabddbdc9/screenshot_6.png)

### Fill button

To autofill a login:

1. When on the website's login page, open the Bitwarden browser extension.
2. Go to the **Vault** tab.
3. Select **Fill** next to the login to enter. It will likely be at the top in the **Autofill suggestions** section:

   ![Autofill via browser extension](https://bitwarden.com/assets/1pamjhdWn7obh8UBxXcIPF/1841242fa5299a780d53f3ae70e546b3/screenshot_5.png)

Selecting the **Fill** button will enter the credential to the detected input fields. In cases where a web page or service has multiple items with relevant URIs, Bitwarden will always autofill the last-used login.

> [!NOTE] Autofill on untrusted iframes and mismatched SSL
> You may receive a warning before autofilling if the targeted fields are in an [untrusted iframe](https://bitwarden.com/help/auto-fill-browser/#autofill-in-iframes/) or the current site uses HTTP but the [item's saved URI](https://bitwarden.com/help/uri-match-detection/) requires HTTPS.

### Copy credentials

You can also select the [clone] **Copy icon** next to an item. A menu will appear where you select **Copy username** or **Copy password**:

![Standard copy icon](https://bitwarden.com/assets/7y8WE9sWACC2KLASo9yASw/5c5fa1150e5e4f4ded19baf0afecfa6e/Standard_Copy_icon.png)

Alternatively, you can add three quick-copy action buttons next to items to specifically copy your username, password, or verification code to the clipboard:

![Quick copy actions](https://bitwarden.com/assets/5w7lobEk81aOGfLKFjRp2e/d37711426641f91deb9ea28715901fb0/Quick_copy_icons.png)

This option is off by default. To turn it on, go to **Settings** → **Appearance** and toggle on **Show quick copy actions on Vault**.

### Click items

Alternatively, you can set up the browser extension to autofill when you click anywhere on an item, as long as it appears in the **Autofill suggestions** section. When this option is used, the **Fill** button is not present:

![Click item to autofill](https://bitwarden.com/assets/3tnagVMjtTufvRCrih3ctQ/b3698262ce7c19baeda6afc87c485167/2025-01-02_11-14-19.png)

To activate this method, go to **Settings** → **Appearance** and toggle **Click items in autofill suggestion to fill** on.

If you want to open an item within the browser extension when this option is turned on, select the ⋮ **Menu icon** → **View**.
### Drag-and-drop logins The browser extension and desktop apps include a feature to drag the username and password fields into a website's login form to fill credentials: ![Browser extension drag and drop](https://bitwarden.com/assets/7m5Ghz2w281MDQXtvWVdAZ/ded43247a3295552fed4690a3431b095/browser_gif.gif) To drag-and-drop credentials: 1. Hover your cursor over the **Username** or **Password** field on the Bitwarden browser extension or desktop app. ![Hover username or password](https://bitwarden.com/assets/38KJr7zvVSKmYri1WaRXGg/5bab3513a7300ef20f9f55a33ba80c82/2025-02-20_11-07-33.png) 2. Once the icon appears, drag the field into the desired login form. ## Other autofill methods There are several more ways to autofill your credentials when your vault is unlocked within the browser extension. These options may be even faster because you don't need to interact with the browser extension. For all of the autofill options described below, there are two instances where you may receive a warning before autofilling: - If the targeted fields are in an [untrusted iframe](https://bitwarden.com/help/auto-fill-browser/#autofill-in-iframes/). - The current site uses HTTP but the [item's saved URI](https://bitwarden.com/help/uri-match-detection/) requires HTTPS. ### Inline menu Use the inline autofill menu to quickly input login credentials, [passkeys](https://bitwarden.com/help/storing-passkeys/), and [TOTP](https://bitwarden.com/help/integrated-authenticator/) codes from your Bitwarden vault. ![Inline autofill menu](https://bitwarden.com/assets/H7DjdJNvQH00yGNLf5gsC/1ec6f0ce9a94862b0cae1d8b8d679fc8/2024-10-29_14-41-02.png) #### Activate the inline autofill menu To turn on the inline autofill menu: 1. Log in and unlock the Bitwarden [browser extension](https://bitwarden.com/help/getting-started-browserext/). 2. Select ⚙️ **Settings** → **Autofill**. 3. 
Check **Show autofill suggestions on form fields**, which will open more options: - (Optional) Check **Display identities as suggestions** and/or **Display cards as suggestions** if you want the inline autofill menu to [suggest those item types](https://bitwarden.com/help/auto-fill-card-id/#using-the-inline-menu/). - (Optional) Check **Display suggestions when icon is selected** to display the matching items available for autofill only when the Bitwarden icon is selected. If this setting is unchecked, the matching item(s) immediately appear below the form field. We also recommend [turning off your browser's autofill](https://bitwarden.com/help/disable-browser-autofill/) option. If your browser's autofill functionality is enabled, you may experience conflicts with the Bitwarden autofill menu. #### Use the inline autofill menu ### Log in with inline autofill To log in to an account using the inline autofill menu: 1. Select the login form's username field. If your vault is locked when you attempt this, the menu will prompt you to unlock the vault. 2. The inline autofill menu will display. When it does, select the login or passkey you wish to use for the website. > [!NOTE] adding URI to auto-fill menu > Don't see the login credentials you would like to use? Edit the vault item and select **Autofill and save**, or manually enter the website in the URI field. 3. If no credentials are saved for this site, select + **New item**. The browser extension will open to a new item where you can save new login credentials. ![Autofill create item](https://bitwarden.com/assets/1nVpqyl5FuzMPIaKezwZ8c/8a715cb0b1e1423815f0b66b0e8b1b42/web-browser-extension-autofill-newitem.png) > [!NOTE] Press Esc to close auto-fill menu > If the inline autofill menu is causing unintended interference with your browser, press the `Esc` key to close it. ### Enter TOTP with inline autofill To autofill TOTP codes with inline autofill, place your cursor into the TOTP field on the login form. 
When the inline autofill menu displays, select the TOTP code: ![TOTP inline autofill single login](https://bitwarden.com/assets/3RaBZBRgkfwVF0mQPRZYBJ/840a46c911d09ead87ac09fdb0955493/2025-01-03_09-22-34.png) If you have multiple logins for the website, the inline autofill menu will display each login with a TOTP code: ![Inline TOTP autofill](https://bitwarden.com/assets/1rc2rXC3daH5mcEZNRgbv1/db47ffbb4a3b987ff2e3e7842900ceb6/2025-01-02_17-23-28.png) ### Create account with inline autofill To create a new account using the inline autofill menu: 1. Enter a username in the login form's username field. 2. Select the password field. The inline autofill menu will display. 3. Select **Fill generated password** if you're satisfied with the generated password. You can also use the [refresh-tab] Generate button to generate a new password until you're satisfied with it: ![Fill generated password](https://bitwarden.com/assets/2JcceqWgFbk4ViLCMe6qm5/ce116e8ff337f90fbbd57b52aa15fdcd/2024-11-05_10-07-08.png) > [!TIP] Inline uses generator settings > This option will use the settings you've configured in the browser extension's **Generator** tab. [Learn how to change these settings](https://bitwarden.com/help/generator/#password-types/). 4. **Before submitting the form by clicking 'Sign up' or 'Create account'**, the inline autofill menu will offer the option to **Save to Bitwarden**. Use this option to open Bitwarden in a pop-up, and select the **Save** button to save the generated credential: ![Save login to Bitwarden](https://bitwarden.com/assets/7cMSUQLfvxHNwHS8xMX1j7/b63d716005ec29eef2a4f42286271d29/2025-04-25_10-21-36.png) 5. Complete the form by selecting Sign up, Create account, or whatever button the website or app offers to complete account creation. ### Context menu Without opening your browser extension, you can right-click on an input field and use the **Bitwarden** → **Autofill** option.
If your vault is locked when you attempt this, a window will open prompting you to unlock. Once unlocked, the browser extension will automatically proceed with autofilling your username, password, card, or identity. ![Browser Extension Context Menu](https://bitwarden.com/assets/6GKKvIe7GwwOBtp9gmh862/4d39f59a8a862bb83d53e50f9f68d107/2024-12-03_09-12-06.png) > [!NOTE] No context-menu in safari extension > Autofill with a context menu is currently unavailable in the Safari browser extension. ### Keyboard shortcuts One of the fastest methods is with an autofill keyboard shortcut. This works when username and password fields appear together on one page and separately in split login workflows. #### Set up keyboard shortcuts The default shortcut for login items is: `Ctrl/Cmd` + `Shift` + `L`. If you want to change it or the default doesn't work, [update your browser's shortcut settings](https://bitwarden.com/help/keyboard-shortcuts/#customize-browser-extension-shortcuts/). You can also create [shortcuts for cards and identities](https://bitwarden.com/help/auto-fill-card-id/#using-keyboard-shortcuts/). If you use Microsoft Edge, make sure you upgrade to the latest Chromium-based version. #### Use keyboard shortcuts To use the shortcut: 1. Place your cursor into the first login field, like username. 2. Press `Ctrl/Cmd` + `Shift` + `L`. 3. (Optional) If there are multiple logins with the detected URI, the last-used login will be used for the autofill operation. Press the same keyboard shortcut again to cycle through multiple logins. If your vault is locked when you attempt the autofill shortcut, a window will open prompting you to unlock. Once unlocked, the browser extension will automatically proceed with autofilling your credentials. 
> [!TIP] Authenticator keyboard shortcut > If the login uses the [Bitwarden authenticator](https://bitwarden.com/help/integrated-authenticator/) for TOTPs and you use the autofill shortcut, the TOTP is automatically copied to the clipboard after autofill. Press `Cmd/Ctrl` + `V` to paste the TOTP. ### On page load > [!WARNING] Why auto-fill on page load is "experimental". > This feature is disabled by default because, while generally safe, compromised or untrusted websites could take advantage of this to steal credentials. > > Browser extensions will not allow autofill on page load for [untrusted iframes](https://bitwarden.com/help/auto-fill-browser/#auto-fill-in-iframes/) and will warn users before auto-filling on an HTTP site when HTTPS is expected based on that [item's saved URI(s)](https://bitwarden.com/help/uri-match-detection/). Autofill on page load will autofill login information when a web page corresponding to a login's URI value loads. By default, **on page load** is not turned on. Once enabled, you can set the default behavior to on or off for all items. To enable this feature, navigate to **Settings** → **Autofill** in your browser extension, check on the **Autofill on page load** checkbox, and choose your default behavior. Once enabled and the default behavior is set, you can additionally specify autofill on page load behavior for each individual login: ![On page load options](https://bitwarden.com/assets/5PxR0j79XtzMCrF4R6xUtu/49fca8557bb393247d750e3b3030c0e8/2024-12-03_09-14-59.png) Using this convention, you can set up your browser extension to, for example: - Autofill on page load for only a select few items (**off by default** for all items and **manually turned on** for select items). - Autofill on page load for all but a select few items (**on by default** for all items and **manually turned off** for select items).
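The on-page-load rules above, combined with the iframe and HTTP/HTTPS warnings this article describes, can be read as a single decision table. The JavaScript below is an added illustration, not Bitwarden's code: the function names, the setting and item fields, the three simplified match modes (`host`, `startsWith`, `exact`), and the way "requires HTTPS" is interpreted are all assumptions made for the example.

```javascript
// Added example: a simplified model of the autofill rules in this article.
// Not Bitwarden's implementation; all names and fields are hypothetical.

// Simplified stand-in for URI match detection (assumption: three modes only,
// no base-domain / public-suffix handling).
function uriMatches(savedUri, candidateUrl, mode) {
  let saved, candidate;
  try {
    saved = new URL(savedUri);
    candidate = new URL(candidateUrl);
  } catch {
    return false; // an unparsable URL never matches
  }
  switch (mode) {
    case "host":       return saved.host === candidate.host;
    case "startsWith": return candidate.href.startsWith(saved.href);
    case "exact":      return candidate.href === saved.href;
    default:           return false; // "never" and unknown modes
  }
}

// trigger: "pageLoad" or "manual" (keyboard shortcut, context menu, Fill button)
// frameSrc: the iframe's src when the target fields sit in an iframe, else null
function decideAutofill({ trigger, settings, item, pageUrl, frameSrc = null }) {
  const mode = item.match ?? settings.defaultMatch; // item-specific beats global
  const result = (action, reason) => ({ action, reason });

  // "Untrusted" iframe: its src matches none of the item's saved URIs.
  const untrustedIframe =
    frameSrc !== null && !item.uris.some((u) => uriMatches(u, frameSrc, mode));

  // Assumed reading of "site uses HTTP but the saved URI requires HTTPS".
  const httpsExpected =
    pageUrl.toLowerCase().startsWith("http://") &&
    item.uris.some((u) => u.toLowerCase().startsWith("https://"));

  if (trigger === "pageLoad") {
    if (!settings.pageLoadEnabled) return result("skip", "feature-off");
    // Per-item setting: true / false override, null means "use the default".
    const wanted = item.pageLoad ?? settings.pageLoadDefault;
    if (!wanted) return result("skip", "item-off");
    if (!item.uris.some((u) => uriMatches(u, pageUrl, mode))) {
      return result("skip", "no-uri-match");
    }
    // On page load, untrusted iframes are skipped without any prompt.
    if (untrustedIframe) return result("skip", "untrusted-iframe");
    if (httpsExpected) return result("warn", "http-page-https-uri");
    return result("fill", "ok");
  }

  // Manual triggers: the user is warned instead of being silently blocked.
  if (untrustedIframe) return result("warn", "untrusted-iframe");
  if (httpsExpected) return result("warn", "http-page-https-uri");
  return result("fill", "ok");
}

// Constructed sample data (not from the article).
const sampleSettings = { pageLoadEnabled: true, pageLoadDefault: false, defaultMatch: "host" };
const sampleItem = { uris: ["https://login.example.com/"], pageLoad: true, match: null };

function demo() {
  const base = { settings: sampleSettings, item: sampleItem };
  return [
    decideAutofill({ ...base, trigger: "pageLoad", pageUrl: "https://login.example.com/signin" }),
    decideAutofill({ ...base, trigger: "pageLoad", pageUrl: "https://login.example.com/signin",
                     frameSrc: "https://widgets.example.net/form" }),
    decideAutofill({ ...base, trigger: "manual", pageUrl: "https://login.example.com/signin",
                     frameSrc: "https://widgets.example.net/form" }),
    decideAutofill({ ...base, trigger: "pageLoad", pageUrl: "http://login.example.com/signin" }),
  ].map((r) => `${r.action}:${r.reason}`);
}
```

The same iframe yields `skip` on page load and `warn` on a manual trigger, which is the asymmetry a reviewer should expect when testing an embedded login form.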
## Troubleshoot autofill from the browser extension If your browser extension is having issues autofilling usernames and passwords for a particular site, you can use [linked custom fields](https://bitwarden.com/help/auto-fill-custom-fields/#using-linked-custom-fields/) to force an autofill. ### Autofill in iframes Browser extensions will quietly disable [autofill on page load](https://bitwarden.com/help/auto-fill-browser/#on-page-load/) for untrusted iframes and will warn you about the iframe if autofill is triggered manually using a keyboard shortcut, the context menu, or directly from the browser extension. "Untrusted" iframes are defined as those for which the `src=""` value does not match a URI for the login item, as dictated by a globally-set or item-specific [match detection behavior](https://bitwarden.com/help/uri-match-detection/#match-detection-options/). ## Autofill less common credentials ### TOTP autofill If you use the [integrated authenticator](https://bitwarden.com/help/integrated-authenticator/), the browser extension will autofill your TOTP code provided that you're using the context menu, keyboard shortcuts, or manual autofill (using the **Fill** button for items without a saved URI). You may also use the inline autofill menu for TOTP codes. Browser extensions **will not autofill your TOTP code if you're using autofill on page load**. By default, your TOTP will also be copied to the clipboard when a login is autofilled. This is the recommended workflow if you're using autofill on page load. > [!TIP] Extension TOTP copying. > Automatic TOTP copying can be turned off on browser extensions using **Settings** → **Autofill** → **Copy TOTP automatically**, which will be on by default. Additionally, use the nearby **Clear clipboard** option to set an interval with which to clear copied values. ### Log in with passkeys stored in Bitwarden You can [use passkeys to log in](https://bitwarden.com/help/storing-passkeys/) to websites.
When storing a new passkey, the website URI is saved in the login item. To use the passkey, open the website and begin the passkey login workflow. Related passkeys will be displayed in a Bitwarden browser extension dialogue box. Select the passkey you would like to use and press **Confirm**: ![Log in with passkey](https://bitwarden.com/assets/5KeuUZox5shd0zDMxPHKXn/1aab35dfceed0ed9cdb17b143be9a890/2024-10-29_11-39-33.png) The [inline autofill menu](https://bitwarden.com/help/auto-fill-browser/#inline-autofill-menu/) can also be used to easily authenticate with passkeys. > [!NOTE] Excluded domains suppress passkeys > When a domain is in the [**Excluded Domains**](https://bitwarden.com/help/exclude-domains/) list, Bitwarden browser extensions won't issue passkey prompts. --- URL: https://bitwarden.com/help/auto-fill-card-id/ --- # Autofill Cards & Identities Bitwarden can do more than just [autofill your usernames and passwords](https://bitwarden.com/help/auto-fill-browser/)! Some Bitwarden apps can autofill [cards](https://bitwarden.com/help/managing-items/#cards/) and [identities](https://bitwarden.com/help/managing-items/#identities/) to simplify online purchases, account creation, and more. For organization members, a policy may [prevent the use of card items](https://bitwarden.com/help/policies/#remove-card-item-type/) and therefore the ability to autofill them. > [!NOTE] Support for auto-fill cards and identities. > Autofill of cards is currently available for browser extensions and Android. Autofill of identities is currently only available for browser extensions. ## Set up card & identity autofill > [!TIP] Android autofill card setup > On Android, autofill of cards does not require any setup beyond the [baseline autofill setup](https://bitwarden.com/help/auto-fill-android/). The following instructions are for browser extensions only.
You can add or remove cards from your autofill suggestions and from the inline autofill menu using four settings found in the **Settings** → **Autofill** menu: - **Display identities as suggestions**: Include identities in the inline autofill menu. This requires the **Show autofill suggestions on form fields** option to be on. - **Display cards as suggestions**: Include cards in the inline autofill menu. This requires the **Show autofill suggestions on form fields** option to be on. - **Always show cards as Autofill suggestions on Vault view**: Include cards in the suggestions located in the Vault view. These can be autofilled using the **Fill** button. - **Always show identities as Autofill suggestions on Vault view**: Include identities in the suggestions located in the Vault view. These can be autofilled using the **Fill** button. ## Use card & identity autofill There are a few different methods you can use to autofill cards or identities: ### Browser extensions ### Using the inline menu To enable card and identity autofill using the inline autofill menu, turn on the **Display identities as suggestions** and **Display cards as suggestions** options as described in the previous section. The **Show autofill suggestions on form fields** option must also be turned on. Once on, your stored cards and identities will be listed when you click on a form. Select the card or identity you wish to use when filling out form information: ![Inline Autofill Card](https://bitwarden.com/assets/2IZKkQJjPBvDgT3Z6IZMoR/2d00c6b6789b78addd486fd974720ddd/2024-08-13_13-10-20.png) > [!NOTE] Save new card inline autofill > If you do not have a card or identity saved in your Bitwarden vault, you may select + **New Card**/ **New identity** from the inline menu after filling out the information to save the new item in your Bitwarden vault.
### Using the Fill button To autofill a card or identity using the **Fill** button, turn on the **Show cards as Autofill suggestions on Vault view** and **Show identities as Autofill suggestions on Vault view** options as described in the previous section. Once on, your cards and identities will be available in the **Autofill suggestions** section of the **Vault** view. Select the **Fill** button to autofill: ![Fill Card and Identities](https://bitwarden.com/assets/78MbqVeoL6Juo7E5cMUUNh/57b31fd7fd315aa6334125bf168fb67d/Card___identity_fill.png) The browser extension will find any fields on the web page that map to card or identity information and autofill them. ### Using the context menu > [!NOTE] No context-menu in safari extension > Autofill with a context menu is currently unavailable in the Safari browser extension. Without opening your browser extension, you can autofill cards and identities by right-clicking on an input field and using the **Bitwarden** → **Autofill** option. If your vault is locked when you attempt this, a window will open prompting you to unlock. Once unlocked, the browser extension will automatically proceed with autofilling your information. ![Browser Extension Context Menu](https://bitwarden.com/assets/6GKKvIe7GwwOBtp9gmh862/4d39f59a8a862bb83d53e50f9f68d107/2024-12-03_09-12-06.png) ### Using keyboard shortcuts Cards and Identities can be autofilled using keyboard shortcuts. To use this feature, keyboard shortcuts must be manually set for cards and identities: 1. Open the Bitwarden browser extension and select ⚙️ **Settings**. 2. Select **Autofill** from the settings menu and then **Manage shortcuts** to open your browser's autofill settings window. 3. In the Bitwarden Password Manager keyboard shortcuts, configure keyboard shortcuts you would like to use for **Autofill the last used card for the current website** and **Autofill the last used identity for the current website**.
### Android apps On Android, cards will automatically appear as suggestions inline (in your keyboard) or as a popup over the field depending on [which autofill method is active](https://bitwarden.com/help/auto-fill-android/#list-of-autofill-methods/). This is currently available for Chrome and Chromium browsers. For example, as a popup: ![Android card popup](https://bitwarden.com/assets/2ekny75ulY7xoyqz80Kz1z/f3954ac976db5283aa064efc6a78cc5e/2025-08-12_10-32-44.png) --- URL: https://bitwarden.com/help/auto-fill-custom-fields/ --- # Autofill Custom Fields Bitwarden can do more than just [autofill your usernames and passwords](https://bitwarden.com/help/auto-fill-browser/)! Bitwarden browser extensions can autofill [custom fields](https://bitwarden.com/help/custom-fields/) to simplify filling in security questions, PINs, and more. Additionally, if your browser extension is having issues autofilling usernames and passwords for a particular site, using [linked custom fields](https://bitwarden.com/help/auto-fill-custom-fields/#using-linked-custom-fields/) can force an autofill. > [!TIP] Name custom fields correctly. > It's important to name the custom field correctly in order for autofill to work. [Learn more](https://bitwarden.com/help/custom-fields/#custom-field-names/). To autofill custom fields: 1. Open the browser extension to the **Vault** view. This view automatically detects the website (for example, `myverizon.com`) of the page displayed in the open tab and surfaces any logins with corresponding URIs. 2. Select the **Fill** button on the item that contains the custom field you want to autofill: ![Item with a custom field ](https://bitwarden.com/assets/4ExHyb45ZapKssCpRl6Uro/b8e686e8a58e0ed24f8aa58dd746253e/2024-12-03_09-55-22.png) The browser extension will find any fields that match the [custom field name](https://bitwarden.com/help/custom-fields/#custom-field-names/) and autofill that field's value.
### Using linked custom fields Linked custom fields can be used to solve issues where your browser extension can't autofill usernames and passwords for a particular site. To create and autofill a linked custom field: 1. In the **Custom fields** section of an item's **Edit** panel, choose **Linked** from the Field type dropdown. 2. In the **Name** input, [give the custom field a name](https://bitwarden.com/help/custom-fields/#custom-field-names/) that corresponds to the username or password's HTML form element `id`, `name`, `aria-label`, or `placeholder`. > [!TIP] Use context menu for custom field name. > You can get the right value by right-clicking the form element and using the **Copy Custom Field Name** context menu option: > > ![Copy custom field name](https://bitwarden.com/assets/5nnPLqyzgAhDCinQNB0uUC/a721194f39f0a8fa919066d73ff9e2c8/2024-10-29_10-50-34.png) 3. Select **Add**. 4. Select **Username** or **Password** for the field's value depending on which credential you are having trouble autofilling. In many cases, you'll need to create a linked custom field for each. 5. **Save** the changes to the vault item. Now that you have created one or more linked custom fields, you can autofill using the [method described in an earlier section](https://bitwarden.com/help/auto-fill-custom-fields/#auto-fill-custom-fields/). When you do, your browser extension will autofill the username, password, or both into the HTML form element given for a field Name.
## Special autofill scenarios ### HTML `<span>` elements Typically custom fields are autofilled in HTML `<form>` or `<input>` elements; however, Bitwarden browser extensions can autofill custom field values into the `innerText` of HTML `<span>` elements as well. In order to autofill into a `<span>` element, the opening tag must have the `data-bwautofill` attribute. So, in the following scenario: ``` <span data-bwautofill id="myspan">Bitwarden is great.</span> ``` A custom field with **name:** `myspan` will replace `Bitwarden is great` with whatever is saved in the custom field's **value**. --- URL: https://bitwarden.com/help/auto-fill-ios/ --- # Autofill from iOS App Bitwarden makes your passwords and passkeys available for autofill so that you can seamlessly log in to websites and apps while also maintaining strong and secure passwords. Autofill cuts the copying and pasting out of your login routine by detecting vault items that match the service you are logging in to. Custom fields and split login workflows (when username and password fields are displayed on separate screens) are not currently supported in mobile autofill. ## Set up autofill > [!NOTE] autofill URI > Most autofill methods require login items to have an [assigned website URI](https://bitwarden.com/help/uri-match-detection/). There are four ways to autofill on iOS: - **Keyboard autofill**: (Recommended) Use this option to make Bitwarden autofill accessible in any iOS app—including web browsers—through a keyboard button or slide-up prompt. - **Browser app extension**: Use this option to make Bitwarden autofill accessible only in web browser apps, like Safari, through the Share menu. - **Long-press a text field**: Use this option to autofill from Bitwarden in a larger variety of locations.
> [!NOTE] iOS AutoFill > It is currently not possible to use auto-fill on iOS if your [vault timeout action](https://bitwarden.com/help/vault-timeout/#vault-timeout-action/) is set to **Log Out** and your only enabled [two-step login method](https://bitwarden.com/help/setup-two-step-login/) requires NFC (for example, an NFC YubiKey), as iOS will not allow NFC inputs to interrupt autofill workflows. > > Either change your vault timeout action to **Lock**, or enable another two-step login method. > [!NOTE] iOS autofill Argon2id > If you are using Argon2id with a KDF memory value higher than 48 MB, a warning dialogue will be displayed every time iOS autofill is initiated or a new Send is created through the Share sheet. To avoid this message, adjust Argon2id settings [here](https://bitwarden.com/help/kdf-algorithms/#argon2id/) or enable [unlock with biometrics](https://bitwarden.com/help/biometrics/#enable-unlock-with-biometrics/). ### Keyboard autofill To activate keyboard autofill on iOS for passwords, complete the following steps. This will also activate the slide-up menu for passkey autofill: 1. Open iOS ⚙️ **Settings** and then **General** on your device. 2. Tap **AutoFill & Passwords**. 3. Toggle **AutoFill Passwords and Passkeys** on and tap **Bitwarden** in the **Autofill From** list: ![Setup autofill on iOS](https://bitwarden.com/assets/5jxVP3WslH4ppIdFq9viqX/613fbbb9eacbb14f56c0fbcee17bc9a1/2025-01-22_11-00-15.png) > [!NOTE] Disable other autofill providers on iOS > We highly recommend deactivating any other autofill service, like Keychain, in the **Autofill From** list. Next, test autofill to make sure it works properly: 1. Open an app or website that you aren't currently signed in to. 2. Tap the username or password field on the login screen. 
A keyboard will slide up with a matching login (`my_username`), or with a 🔑 **Passwords** button: ![AutoFill on iOS ](https://bitwarden.com/assets/vQG8BTWlHg2AQxBlXe4S3/63f2a5e9c32c2f38b29ec0ab0af24d57/autofill-ios.jpeg) 3. If a [matching login](https://bitwarden.com/help/uri-match-detection/) is displayed, tap it to autofill. If the 🔑 **Passwords** button is displayed, tap it to browse your vault for the login to use. In cases where the 🔑 **Passwords** button is displayed, it's probably because there isn't an item in your vault with a [matching URI](https://bitwarden.com/help/uri-match-detection/). > [!NOTE] iOS biometric unlock disabled with autofill > Are you getting a `Biometric unlock disabled pending verification of master password` message? [Learn what to do](https://bitwarden.com/help/autofill-faqs/#q-what-do-i-do-about-biometric-unlock-disabled-pending-verification-of-master-password/). ### Browser app extension autofill To enable browser app extension autofill on iOS: 1. Open your Bitwarden app and tap ⚙️ **Settings**. 2. Tap **Autofill**. 3. Tap the **App extension** option in the Autofill section. 4. Tap the **Activate app extension** button. 5. From the share menu that slides up, tap **Bitwarden**. A green `Extension Activated!` message will indicate success. Then test that the app extension is working correctly: 1. Open your device's web browser and navigate to a website that you aren't currently signed in to. 2. Tap the **Share** icon. 3. Scroll down and tap the **Bitwarden** option: ![Bitwarden in the Share menu ](https://bitwarden.com/assets/3Icxd3YqcXjBrjHVAeluwm/8be732b1ed2adebfd0a7af00f7150a97/extension.png) > [!NOTE] > If you have [unlock with biometrics](https://bitwarden.com/help/biometrics/) enabled, the first time you tap this option you will be prompted to verify your master password. 4. A Bitwarden screen will slide up on your device and will list [matching logins](https://bitwarden.com/help/uri-match-detection/) for the website. 
Tap the item to autofill. > [!NOTE] > If there are no logins listed, it's probably because there isn't a login in your vault with a [matching URI](https://bitwarden.com/help/uri-match-detection/). ### Long-press a text field By long-pressing any text field, you can autofill data from Bitwarden as long as it's active as the keyboard auto-fill option: ![Long-press a text field on iOS](https://bitwarden.com/assets/77glhnjH87Z6PKscElWtZy/f9229264859577c0490cf423237f8502/2025-01-22_11-05-33.png) ## Switch accounts during autofill If you are [logged in to more than one account](https://bitwarden.com/help/account-switching/), your [mobile app](https://bitwarden.com/download/apple-iphone-password-manager/) will default to trying to autofill credentials from the currently active account. You can switch from one account to another during autofill by tapping the avatar bubble. ## Use passkeys ### Set up Bitwarden for use with passkeys Autofilling passkeys, including being prompted by Bitwarden when you create a new passkey, requires iOS 17.0 or higher. To use the functionality described below: 1. Open your iOS **Settings** app. 2. Go to **Passwords** → **Password Options**. 3. Toggle the following options on: - Toggle **AutoFill Passwords and Passkeys** on. - Toggle **Bitwarden** on in the **Use passwords and passkeys from:** list. ### Create a passkey When creating a new passkey on a website or app, the iOS application will prompt you to store the passkey: ![Create a passkey](https://bitwarden.com/assets/6rccoaRtUBbEnUjQxfSTNi/d033196df75950bae5bd7a20e8a7edd2/passkey-ios-1__1_.png) *Create a passkey* Select **Continue**. > [!NOTE] Other options for passkeys (iOS) > Select **Other Options** if you do not wish to store the passkey in Bitwarden or **Other Sign In Options** to sign in with a passkey not stored in Bitwarden.
If a passkey already exists for this service, Bitwarden will allow you to save a new passkey by selecting the + icon to create a new item, or by overwriting an existing passkey: ![Save or overwrite a passkey](https://bitwarden.com/assets/6L5s6XBFjvaaEiDZ68m00Q/a130745c2276068fd0be066a47a34684/passkey-ios-2__1_.png) *Save or overwrite a passkey* > [!NOTE] One passkey per login > Only one passkey can be saved per login item. If a credential is saved in multiple places, for instance as two separate login items in the individual vault and organization vault respectively, a different passkey can be stored with each login item. ### Sign in using a passkey stored in Bitwarden To use a passkey stored in Bitwarden, initiate the passkey login on the website. The mobile app will provide an option to login using the passkey stored in your Bitwarden vault: ![Sign in with passkey](https://bitwarden.com/assets/b6fY5o4CBxhW4ZjDIpanR/56ffdbf1ff93b7387be273bc7df15e6b/passkey-ios-3__1_.png) *Sign in with passkey* Select **Continue**. > [!NOTE] Other options for passkeys (iOS) > Select **Other Options** if you do not wish to store the passkey in Bitwarden or **Other Sign In Options** to sign in with a passkey not stored in Bitwarden. --- URL: https://bitwarden.com/help/autofill-faqs/ --- # Autofill FAQs ### Q: How do I disable the Bitwarden accessibility bubble? 1. Open the **Settings** in your Android device. 2. Navigate to **Accessibility**. 3. Select **Bitwarden**. 4. Turn off the toggle for Bitwarden shortcut. ### Q: Can I use autofill while using a physical keyboard on an iPad? **A:** Yes! To use autofill while using a physical keyboard: 1. Open the iOS ⚙️ **Settings** app on your device. 2. Tap **General**. 3. Tap **Keyboards**. 4. In the All Keyboards section, toggle **Shortcuts** on. ### Q: How do I disable Google Autofill in my Android device? **A:** To disable Google Autofill on your Android device: 1. Open **Settings** in your Android device. 2.
Scroll down and tap on **Google**. 3. Tap on **Autofill with Google** and toggle it off. ### Q: What do I do about 'Biometric unlock disabled pending verification of master password'? **A:** This most commonly occurs on iOS when you make a change to your device's biometrics settings (for example, adding another finger to Touch ID). To resolve this error: 1. **If you have** [**PIN Code**](https://bitwarden.com/help/unlock-with-pin/) **verification active**, disable it. 2. Log out of your Bitwarden mobile app. 3. Check that your device settings are [set up to use Bitwarden for autofill](https://bitwarden.com/help/auto-fill-ios/#keyboard-auto-fill/). 4. Log back in to your Bitwarden mobile app. 5. Re-enable [PIN code](https://bitwarden.com/help/unlock-with-pin/) verification if you want to use it as a backup for [biometrics](https://bitwarden.com/help/biometrics/). ### Q: Does URI matching not work with certain websites when Base Domain is the set rule? **A:** Some results that would typically match have been filtered out because the URL you are currently on may serve multiple websites. To learn more about these websites, see [publicsuffix.org](https://publicsuffix.org/). --- URL: https://bitwarden.com/help/autosave-from-browser-extensions/ --- # Autosave from Browser Extension Bitwarden browser extensions offer an array of in-browser notifications that compare your decrypted data with data that you enter into login, registration, and similar web forms. This includes: - A notification to add an undetected login. - A notification to update an existing login. - A notification to save or use passkeys. These notifications are active by default, but can be turned off from the browser extension's **Settings** → **Notifications** menu. > [!TIP] Block autosave > You can also block specific sites from triggering autosave notifications from the **Settings** → **Notification** → **Excluded domains** menu.
Learn more in [Block Autosave on Specific Sites](https://bitwarden.com/help/exclude-domains/). ## Ask to save and use passkeys When Bitwarden detects that you're creating a new passkey for a website, or if you're being prompted to login with a passkey that you have saved in Bitwarden, Bitwarden will prompt you to either save a new passkey or log in with an already-saved one: ![Log in with passkey](https://bitwarden.com/assets/5KeuUZox5shd0zDMxPHKXn/1aab35dfceed0ed9cdb17b143be9a890/2024-10-29_11-39-33.png) More information can be found in [Autofill Passkeys](https://bitwarden.com/help/storing-passkeys/). ## Ask to add login When Bitwarden detects that you've entered login information for a page that isn't stored in Bitwarden, you'll be prompted to save those credentials in Bitwarden: ![Ask to add login](https://bitwarden.com/assets/4vsurEuH5deik26BWn4n1p/82757186b081890fbe92b4d73baeae53/screenshot_7.png) From this notification, you can select whether to store this among your personal items (i.e. **My vault**) or with an organization. You can also edit the item before saving it using the edit [pencil-square] button. ## Ask to update existing login When Bitwarden detects that login information you enter on a form for an item you have saved in Bitwarden is different from what you have saved, for example if you've recently updated your password on a website but not in Bitwarden, you'll be prompted to update your credentials in Bitwarden: ![Ask to update existing login](https://bitwarden.com/assets/3nn8Vz526Il3onWPHMUUAi/90fd3af3616b60c2961064a56205d525/2025-05-20_16-19-00.png) --- URL: https://bitwarden.com/help/aws-eks-deployment/ --- # AWS EKS Deployment This article dives into how you might alter your [Bitwarden self-hosted Helm Chart](https://bitwarden.com/help/self-host-with-helm/) deployment based on the specific offerings of AWS and Elastic Kubernetes Service (EKS). 
Note that certain add-ons documented in this article will require that your EKS cluster has at least one node already launched.

## Requirements

Before proceeding with the installation, ensure the following requirements are met:

- [kubectl](https://kubernetes.io/docs/tasks/tools/#kubectl) is installed.
- [Helm 3](https://helm.sh/docs/intro/install/) is installed.
- You have an SSL certificate and key or access to creating one via a certificate provider.
- You have an SMTP server or access to a cloud SMTP provider.
- A [storage class](https://kubernetes.io/docs/concepts/storage/persistent-volumes/#access-modes) that supports ReadWriteMany.
- You have an installation id and key retrieved from [https://bitwarden.com/host](https://bitwarden.com/host/).

### Rootless requirements

Bitwarden will detect whether your environment restricts what user containers can be run as during startup and will automatically initiate deployment in rootless mode if a restriction is detected. Successfully deploying in rootless mode requires one of the following two options:

- Deploying an [external MSSQL database](https://bitwarden.com/help/external-db/) instead of the SQL container included by default in the Helm chart.
- Assigning elevated privileges to the included SQL container [using a service account](https://bitwarden.com/help/kubernetes-service-accounts/), [pod security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod), or other method.

> [!TIP] SQL pod as root to non-root
> While Microsoft requires that SQL containers be run as root, container startup will step down to a non-root user before executing application code.

## Ingress controller

An nginx controller is defined by default in `my-values.yaml`, and will require an AWS Network Load Balancer. AWS Application Load Balancers (ALB) are not currently recommended as they do not support path rewrites and path-based routing.
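Why path rewrites matter for this chart, as an added example that is not part of the Bitwarden documentation or Helm chart: the sketch below models how the regex `paths` and the `rewrite-target: /$1` annotation from this article's `my-values.yaml` example map a request to a service and an upstream path. The names `route` and `build_locations` and the sample request paths are assumptions, and the longest-path-first, case-insensitive matching is a simplified model of ingress-nginx behaviour.

```python
import re

# Regex paths copied from the my-values.yaml example in this article.
INGRESS_PATHS = {
    "web": "/(.*)",
    "attachments": "/attachments/(.*)",
    "api": "/api/(.*)",
    "icons": "/icons/(.*)",
    "notifications": "/notifications/(.*)",
    "events": "/events/(.*)",
    "scim": "/scim/(.*)",
    "sso": "/(sso/.*)",
    "identity": "/(identity/.*)",
    "admin": "/(admin/?.*)",
}

# Value of the nginx.ingress.kubernetes.io/rewrite-target annotation.
REWRITE_TARGET = "/$1"


def build_locations(paths):
    """Order paths longest-first and compile them as anchored, case-insensitive
    regexes (assumption: simplified model of ingress-nginx regex locations)."""
    ordered = sorted(paths.items(), key=lambda item: len(item[1]), reverse=True)
    return [(name, re.compile("^" + pattern, re.IGNORECASE)) for name, pattern in ordered]


LOCATIONS = build_locations(INGRESS_PATHS)


def route(request_path, rewrite=True):
    """Return (service, upstream_path) for a request path, or None.

    rewrite=False models a proxy that can only forward the original path.
    """
    for name, regex in LOCATIONS:
        match = regex.match(request_path)
        if match is None:
            continue
        if rewrite:
            # Substitute the first capture group into the rewrite target.
            return name, REWRITE_TARGET.replace("$1", match.group(1))
        return name, request_path
    return None


if __name__ == "__main__":
    # Constructed sample request paths.
    samples = [
        "/api/accounts/profile",
        "/identity/connect/token",
        "/admin",
        "/administrator",
        "/apiary/x",
        "/index.html",
    ]
    for path in samples:
        print(f"{path:28} rewrite={route(path)} no-rewrite={route(path, rewrite=False)}")
```

Paths whose capture group excludes the prefix (`api`, `icons`, `events`, and so on) reach the service with the prefix stripped, while `sso`, `identity` and `admin` keep it. The `admin` pattern is a prefix match, so any path beginning with `/admin` is routed to that service.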
> [!TIP] Assumption about NLB for EC2
> The following assumes that you have an SSL certificate saved in AWS Certificate Manager, as you will need a certificate Amazon Resource Name (ARN).
>
> You also must have at least 1 node already running in your cluster.

To connect a Network Load Balancer to your cluster:

1. Follow [these instructions](https://docs.aws.amazon.com/eks/latest/userguide/aws-load-balancer-controller.html) to create an IAM policy and role, and to install the AWS Load Balancer Controller in your cluster.
2. Run the following commands to set up an ingress controller for your cluster. This will create an AWS Network Load Balancer. Note that there are values you **must** replace as well as values you can configure to suit your needs in this example command:

   ```bash
   helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
   helm repo update

   # Replace the aws-load-balancer-ssl-cert value with the ARN for your certificate.
   # (A comment cannot follow a trailing backslash, so it is kept above the command.)
   helm upgrade ingress-nginx ingress-nginx/ingress-nginx -i \
     --namespace kube-system \
     --set-string controller.service.annotations.'service\.beta\.kubernetes\.io/aws-load-balancer-backend-protocol'="ssl" \
     --set-string controller.service.annotations.'service\.beta\.kubernetes\.io/aws-load-balancer-cross-zone-load-balancing-enabled'="true" \
     --set-string controller.service.annotations.'service\.beta\.kubernetes\.io/aws-load-balancer-type'="external" \
     --set-string controller.service.annotations.'service\.beta\.kubernetes\.io/aws-load-balancer-nlb-target-type'="instance" \
     --set-string controller.service.annotations.'service\.beta\.kubernetes\.io/aws-load-balancer-scheme'="internet-facing" \
     --set-string controller.service.annotations.'service\.beta\.kubernetes\.io/aws-load-balancer-ssl-cert'="arn:aws:acm:REPLACEME:REPLACEME:certificate/REPLACEME" \
     --set-string controller.service.annotations.'service\.beta\.kubernetes\.io/aws-load-balancer-ssl-ports'="443" \
     --set controller.service.externalTrafficPolicy="Local"
   ```

3.
Update your `my-values.yaml` file according to the following example, making sure to replace any `REPLACE` placeholders:

   ```yaml
   general:
     domain: "REPLACEME.com"
     ingress:
       enabled: true
       className: "nginx"
       ## - Annotations to add to the Ingress resource
       annotations:
         nginx.ingress.kubernetes.io/ssl-redirect: "true"
         nginx.ingress.kubernetes.io/use-regex: "true"
         nginx.ingress.kubernetes.io/rewrite-target: /$1
       ## - Labels to add to the Ingress resource
       labels: {}
       # Certificate options
       tls:
         # TLS certificate secret name
         name: # Handled via the NLB defined in the ingress controller
         # Cluster cert issuer (ex. Let's Encrypt) name if one exists
         clusterIssuer:
       paths:
         web:
           path: /(.*)
           pathType: ImplementationSpecific
         attachments:
           path: /attachments/(.*)
           pathType: ImplementationSpecific
         api:
           path: /api/(.*)
           pathType: ImplementationSpecific
         icons:
           path: /icons/(.*)
           pathType: ImplementationSpecific
         notifications:
           path: /notifications/(.*)
           pathType: ImplementationSpecific
         events:
           path: /events/(.*)
           pathType: ImplementationSpecific
         scim:
           path: /scim/(.*)
           pathType: ImplementationSpecific
         sso:
           path: /(sso/.*)
           pathType: ImplementationSpecific
         identity:
           path: /(identity/.*)
           pathType: ImplementationSpecific
         admin:
           path: /(admin/?.*)
           pathType: ImplementationSpecific
   ```

## Create a storage class

Deployment requires a shared storage class that you provide, which must support [ReadWriteMany](https://kubernetes.io/docs/concepts/storage/persistent-volumes/#access-modes). The following is an example of how to create a storage class that meets the requirement:

> [!TIP] AWS Helm EFS assumption
> The following assumes that you have an AWS Elastic File System (EFS) created. If you don't, [create one now](https://docs.aws.amazon.com/efs/latest/ug/gs-step-two-create-efs-resources.html). In either case, take note of your EFS' **File system ID** as you will need it during this process.

1.
[Get the Amazon EFS CSI driver add-on](https://docs.aws.amazon.com/eks/latest/userguide/managing-add-ons.html#creating-an-add-on) for your EKS cluster. This will require that you [create an OIDC provider](https://docs.aws.amazon.com/eks/latest/userguide/enable-iam-roles-for-service-accounts.html) for your cluster and [create an IAM role](https://docs.aws.amazon.com/eks/latest/userguide/efs-csi.html#efs-create-iam-resources) for the driver.
2. Replace the `file_system_id="REPLACE"` variable in the following script and run it in the AWS CloudShell:

   > [!WARNING] It's just an example
   > The following is an illustrative example; be sure to assign permissions according to your own security requirements.

   ```bash
   file_system_id="REPLACE"

   cat << EOF | kubectl apply -n bitwarden -f -
   kind: StorageClass
   apiVersion: storage.k8s.io/v1
   metadata:
     name: shared-storage
   provisioner: efs.csi.aws.com
   parameters:
     provisioningMode: efs-ap
     fileSystemId: $file_system_id
     directoryPerms: "777" # Change for your use case
     uid: "2000" # Change for your use case
     gid: "2000" # Change for your use case
     basePath: "/dyn1"
     subPathPattern: "\${.PVC.name}"
     ensureUniqueDirectory: "false"
     reuseAccessPoint: "false"
   mountOptions:
     - iam
     - tls
   EOF
   ```

3. Set the `sharedStorageClassName` value in `my-values.yaml` to whatever name you give the class in `metadata.name:`, in this example:

   ```yaml
   sharedStorageClassName: "shared-storage"
   ```

## Using AWS Secrets Manager

Deployment requires Kubernetes secrets objects to set sensitive values for your deployment. While the `kubectl create secret` command can be used to set secrets, AWS customers may prefer to use AWS Secrets Manager and the AWS Secrets and Configuration Provider (ACSP) for Kubernetes Secrets Store CSI Driver.

You will need the following secrets stored in AWS Secrets Manager.
Note that you can change the **Keys** used here but must also make changes to subsequent steps if you do:

| Key | Value |
|------|------|
| `installationid` | A valid installation id retrieved from [https://bitwarden.com/host](https://bitwarden.com/host/). For more information, see [what are my installation id and installation key used for?](https://bitwarden.com/help/hosting-faqs/#general/) |
| `installationkey` | A valid installation key retrieved from [https://bitwarden.com/host](https://bitwarden.com/host/). For more information, see [what are my installation id and installation key used for?](https://bitwarden.com/help/hosting-faqs/#general/) |
| `smtpusername` | A valid username for your SMTP server. |
| `smtppassword` | A valid password for the entered SMTP server username. |
| `yubicoclientid` | Client ID for YubiCloud Validation Service or self-hosted Yubico Validation Server. If YubiCloud, get your client ID and secret key [here](https://upgrade.yubico.com/getapikey/). |
| `yubicokey` | Secret key for YubiCloud Validation Service or self-hosted Yubico Validation Server. If YubiCloud, get your client ID and secret key [here](https://upgrade.yubico.com/getapikey/). |
| `globalSettings__hibpApiKey` | Your HaveIBeenPwned (HIBP) API Key, available [here](https://haveibeenpwned.com/API/Key). This key allows users to run the [Data Breach report](https://bitwarden.com/help/reports/#data-breach-report-individual-vaults-only/) and to check their master password for presence in breaches when they create an account. |
| If you're using the Bitwarden SQL pod, `sapassword`. If you're using your own SQL server, `dbconnectionString`. | Credentials for the database connected to your Bitwarden instance. What is required will depend on whether you're using the included SQL pod or an external SQL server. |

1. Once your secrets are securely stored, [install ACSP](https://docs.aws.amazon.com/secretsmanager/latest/userguide/ascp-eks-installation.html).
   During ACSP installation you will:

   - Install the Secrets Store CSI Driver (`secrets-store-driver-csi`).

     > [!NOTE] Secrets Store CSI Driver
     > When installing and configuring the Secrets Store CSI Driver, you **must** enable `syncSecret.enabled=true`.

   - Install the AWS provider for Secrets Store CSI Driver (`secrets-store-driver-csi-provider-aws`).

2. Create a permissions policy to allow access to your secrets. This policy **must** grant `secretsmanager:GetSecretValue` and `secretsmanager:DescribeSecret` permission, for example:

   ```json
   {
     "Version": "2012-10-17",
     "Statement": {
       "Effect": "Allow",
       "Action": [
         "secretsmanager:DescribeSecret",
         "secretsmanager:GetSecretValue"
       ],
       "Resource": "arn:aws:secretsmanager:REPLACEME:REPLACEME:secret:REPLACEME"
     }
   }
   ```

3. Create a service account that has access to your secrets via the created permissions policy, for example:

   ```bash
   CLUSTER_NAME="REPLACE"
   ACCOUNT_ID="REPLACE" # replace with your AWS account ID
   ROLE_NAME="REPLACE" # name of a role that will be created in IAM
   POLICY_NAME="REPLACE" # the name of the policy you created earlier

   eksctl create iamserviceaccount \
     --cluster=$CLUSTER_NAME \
     --namespace=bitwarden \
     --name=bitwarden-sa \
     --role-name $ROLE_NAME \
     --attach-policy-arn=arn:aws:iam::$ACCOUNT_ID:policy/$POLICY_NAME \
     --approve
   ```

4. Next, create a [SecretProviderClass](https://docs.aws.amazon.com/secretsmanager/latest/userguide/ascp-examples.html#ascp-examples-secretproviderclass), as in the following example. Be sure to:

   - Replace the `region` with your region.
   - Replace the `objectName` with the name of the Secrets Manager secret you created (**Step 1**).
   - If you're using IRSA, use the same `namespace` as your EKS pods. ```bash cat <

> [!TIP] SQL pod as root to non-root
> While Microsoft requires that SQL containers be run as root, container startup will step down to a non-root user before executing application code.
## Ingress controllers

This section documents 2 options for ingress controllers that can be used in your Azure AKS deployment:

- Using the **Azure nginx** ingress controller to optionally integrate with Azure DNS for zone management and Azure Key Vault for certificate issuance.
- Using the **Azure Application Gateway** ingress controller (AGIC) to deploy Bitwarden behind an application load balancer.

### Azure nginx

Azure provides an nginx ingress controller option that supports an application routing add-on and optionally integrates with Azure DNS for zone management and Azure Key Vault for certificate issuance. If you use this option:

1. [Create a "managed" nginx ingress controller.](https://learn.microsoft.com/en-us/azure/aks/app-routing#create-the-ingress-object)
2. In your `my-values.yaml` file, set `general.ingress.className:` to `webapprouting.kubernetes.azure.com`.
3. In your `my-values.yaml` file, uncomment the following values:

   ```yaml
   nginx.ingress.kubernetes.io/use-regex: "true"
   nginx.ingress.kubernetes.io/rewrite-target: /$1
   ```

Once complete, you can retrieve the IP address assigned to your Azure nginx ingress controller using the command `kubectl get ingress -n bitwarden`. It may take a few minutes after deployment for your IP address to populate.

### Azure Application Gateway

Azure customers may, however, prefer to use an Azure Application Gateway as the ingress controller for their AKS cluster in order to deploy Bitwarden behind an application load balancer.

#### Before installing the chart

If you prefer this option, **before** [installing the chart](https://bitwarden.com/help/self-host-with-helm/#install-the-chart/) you must:

1. [Enable the Azure Application Gateway ingress controller for your cluster](https://learn.microsoft.com/en-us/azure/application-gateway/tutorial-ingress-controller-add-on-existing).
2.
Update your `my-values.yaml` file, specifically `general.ingress.className:`, `general.ingress.annotations:`, and `general.ingress.paths:`:

   ```yaml
   general:
     domain: "replaceme.com"
     ingress:
       enabled: true
       className: "azure-application-gateway" # This value might be different depending on how you created your ingress controller. Use "kubectl get ingressclasses -A" to find the name if unsure.
       ## - Annotations to add to the Ingress resource.
       annotations:
         appgw.ingress.kubernetes.io/ssl-redirect: "true"
         appgw.ingress.kubernetes.io/use-private-ip: "false" # This might be true depending on your setup.
         appgw.ingress.kubernetes.io/rewrite-rule-set: "bitwarden-ingress" # Make note of whatever you set this value to. It will be used later.
         appgw.ingress.kubernetes.io/connection-draining: "true" # Update as necessary.
         appgw.ingress.kubernetes.io/connection-draining-timeout: "30" # Update as necessary.
       ## - Labels to add to the Ingress resource.
       labels: {}
       # Certificate options.
       tls:
         # TLS certificate secret name.
         name: tls-secret
         # Cluster cert issuer (e.g. Let's Encrypt) name if one exists.
         clusterIssuer: letsencrypt-staging
       paths:
         web:
           path: /(.*)
           pathType: ImplementationSpecific
         attachments:
           path: /attachments/(.*)
           pathType: ImplementationSpecific
         api:
           path: /api/(.*)
           pathType: ImplementationSpecific
         icons:
           path: /icons/(.*)
           pathType: ImplementationSpecific
         notifications:
           path: /notifications/(.*)
           pathType: ImplementationSpecific
         events:
           path: /events/(.*)
           pathType: ImplementationSpecific
         scim:
           path: /scim/(.*)
           pathType: ImplementationSpecific
         sso:
           path: /(sso/.*)
           pathType: ImplementationSpecific
         identity:
           path: /(identity/.*)
           pathType: ImplementationSpecific
         admin:
           path: /(admin/?.*)
           pathType: ImplementationSpecific
   ```

3.
If you're going to use the provided Let's Encrypt example for your TLS certificate, update `spec.acme.solvers.ingress.class:` in the script linked [here](https://bitwarden.com/help/self-host-with-helm/#example-certificate-setup/) to `"azure/application-gateway"`.
4. In the Azure Portal, create an empty rewrite set for Application Gateway:

   1. Navigate to **Load balancing** > **Application Gateway** in the Azure Portal and select your Application Gateway.
   2. Select the **Rewrites** blade.
   3. Select the + **Rewrite set** button.
   4. Set the **Name** to the value specified for `appgw.ingress.kubernetes.io/rewrite-rule-set:` in `my-values.yaml`, in this example `bitwarden-ingress`.
   5. Select **Next** and **Create**.

#### After installing the chart

**After** [installing the chart](https://bitwarden.com/help/self-host-with-helm/#install-the-chart/), you will also be required to create rules for your rewrite set:

1. Re-open the empty rewrite set you created before installing the chart.
2. Select all routing paths that begin with `pr-bitwarden-self-host-ingress...`, de-select any that do not begin with that prefix, and select **Next**.
3. Select the + **Add Rewrite rule** button. You can give your rewrite rule any name and any sequence.
4. Add the following condition:

   - **Type of variable to check**: Server variable
   - **Server variable**: uri_path
   - **Case-sensitive**: No
   - **Operator**: equal (=)
   - **Pattern to match**: `^(\/(?!admin)(?!identity)(?!sso)[^\/]*)\/(.*)`

5. Add the following action:

   - **Rewrite type**: URL
   - **Action type**: Set
   - **Components**: URL path
   - **URL path value**: `/{var_uri_path_2}`
   - **Re-evaluate path map**: Unchecked

6. Select **Create**.

## Creating a storage class

Deployment requires a shared storage class that you provide, which must support [ReadWriteMany](https://kubernetes.io/docs/concepts/storage/persistent-volumes/#access-modes).
The following example is a script you can run in the Azure Cloud Shell to create an Azure File Storage class that meets the requirement:

> [!WARNING] It's just an example
> The following is an illustrative example, be sure to assign permissions according to your own security requirements. ```bash cat <

> [!TIP] Key Vault existing is assumed
> These instructions assume you already have an Azure Key Vault set up. If not, [create one now](https://learn.microsoft.com/en-us/azure/aks/csi-secrets-store-driver#create-or-use-an-existing-azure-key-vault).

1. Add Secrets Store CSI Driver support to your cluster with the following command:

   ```bash
   az aks enable-addons --addons azure-keyvault-secrets-provider --name myAKSCluster --resource-group myResourceGroup
   ```

   The add-on creates a user-assigned managed identity you can use to authenticate to your key vault, however you have other [options for identity access control](https://learn.microsoft.com/en-us/azure/aks/csi-secrets-store-identity-access). If you use the created user-assigned managed identity, you will need to explicitly assign **Secret** > **Get** access to it ([learn how](https://learn.microsoft.com/en-us/azure/key-vault/general/assign-access-policy?tabs=azure-portal)).

2. Create a SecretProviderClass, as in the following example. The `parameters` section of the following YAML file is accurate for most environments. However, depending on your setup, you may need to change some values; for example, `cloudName` should be set to `AzureUSGovernmentCloud` for Azure US Government Cloud. Consult [Microsoft's documentation](https://azure.github.io/secrets-store-csi-driver-provider-azure/docs/getting-started/usage/#create-your-own-secretproviderclass-object) for full details. The `parameters` section also contains `` placeholders that you must replace, and will be slightly different depending on if you are using the included SQL pod or using your own SQL server.
```bash
cat <" # Set the clientID of the user-assigned managed identity to use
    # clientID: "" # Setting this to use workload identity
    keyvaultName: ""
    cloudName: "AzurePublicCloud"
    objects: |
      array:
        - |
          objectName: installationid
          objectAlias: installationid
          objectType: secret
          objectVersion: ""
        - |
          objectName: installationkey
          objectAlias: installationkey
          objectType: secret
          objectVersion: ""
        - |
          objectName: smtpusername
          objectAlias: smtpusername
          objectType: secret
          objectVersion: ""
        - |
          objectName: smtppassword
          objectAlias: smtppassword
          objectType: secret
          objectVersion: ""
        - |
          objectName: yubicoclientid
          objectAlias: yubicoclientid
          objectType: secret
          objectVersion: ""
        - |
          objectName: yubicokey
          objectAlias: yubicokey
          objectType: secret
          objectVersion: ""
        - |
          objectName: hibpapikey
          objectAlias: hibpapikey
          objectType: secret
          objectVersion: ""
        - |
          objectName: sapassword #-OR- dbconnectionstring if external SQL
          objectAlias: sapassword #-OR- dbconnectionstring if external SQL
          objectType: secret
          objectVersion: ""
    tenantId: ""
  secretObjects:
  - secretName: "bitwarden-secret"
    type: Opaque
    data:
    - objectName: installationid
      key: globalSettings__installation__id
    - objectName: installationkey
      key: globalSettings__installation__key
    - objectName: smtpusername
      key: globalSettings__mail__smtp__username
    - objectName: smtppassword
      key: globalSettings__mail__smtp__password
    - objectName: yubicoclientid
      key: globalSettings__yubico__clientId
    - objectName: yubicokey
      key: globalSettings__yubico__key
    - objectName: hibpapikey
      key: globalSettings__hibpApiKey
    - objectName: sapassword #-OR- dbconnectionstring if external SQL
      key: SA_PASSWORD #-OR- globalSettings__sqlServer__connectionString if external SQL
EOF
```

3. Use the following commands to set the required secrets values in Key Vault:

   > [!WARNING] Insecure way of setting a secret
   > This example will record commands to your shell history. Other methods may be considered to securely set a secret.
```bash
kvname=
az keyvault secret set --name installationid --vault-name $kvname --value
az keyvault secret set --name installationkey --vault-name $kvname --value
az keyvault secret set --name smtpusername --vault-name $kvname --value
az keyvault secret set --name smtppassword --vault-name $kvname --value
az keyvault secret set --name yubicoclientid --vault-name $kvname --value
az keyvault secret set --name yubicokey --vault-name $kvname --value
az keyvault secret set --name hibpapikey --vault-name $kvname --value
az keyvault secret set --name sapassword --vault-name $kvname --value
# - OR -
# az keyvault secret set --name dbconnectionstring --vault-name $kvname --value
```

4. In your `my-values.yaml` file, set the following values:

   - `secrets.secretName`: Set this value to the `secretName` defined in your SecretProviderClass.
   - `secrets.secretProviderClass`: Set this value to the `metadata.name` defined in your SecretProviderClass.

--- URL: https://bitwarden.com/help/backup-on-premise/ ---

# Backup Server Data

When self-hosting Bitwarden, you are responsible for implementing your own backup procedures in order to keep data safe. Though the steps required to do so will depend on your deployment method, in all cases it is recommended that you:

- Manually take regular backups of important data, including configuration data, certificate data, and more.
- Ensure that automatically-recurring database backups are being taken.

> [!TIP] Recurring backups, by deployment
> In **Docker** deployments using the built-in database, a nightly backup runs as long as the `mssql` container is running. In **Helm** deployments, you will need to either schedule a job outside the cluster or create a CronJob object within the cluster, and Bitwarden provides examples to help guide your approach.
### Docker

## Manual backups

Bitwarden will take automatic nightly backups of the `mssql` database container (see below), however for the most complete disaster recovery (DR) plan you should manually back up and keep safe the entire `./bwdata` directory. Particularly important pieces of `./bwdata` to back up regularly include:

- `./bwdata/env` - Instance's environment variables, including database and certificate passwords.
- `./bwdata/core/attachments` - Instance's vault item attachments.
- `./bwdata/mssql/data` - Instance's database data.
- `./bwdata/core/aspnet-dataprotection` - Framework-level data protection, including authentication tokens and some database columns.

You can also manually trigger a backup of the `mssql` database container at any time using the following command:

```bash
docker exec -i bitwarden-mssql /backup-db.sh
```

## Automatic database backups

Bitwarden will automatically take nightly backups of the `mssql` database container, as long as the container is running. These backups are stored in the `./bwdata/mssql/backups` directory for 30 days.

### Restore a database backup

In the event of data loss, you can use `./bwdata/mssql/backups` to restore a nightly backup. Complete the following steps to restore a nightly backup:

1. Retrieve your database password from the `globalSettings__sqlServer__connectionString=...Password=` value found in `global.override.env`.
2. Identify the Container ID of the `mssql` container using the `docker ps` command.
3. Run the following command to open a bash session for your `mssql` docker container:

   ```
   docker exec -it bitwarden-mssql /bin/bash
   ```

   Your command prompt should now match the identified Container ID of the `bitwarden-mssql` container.

4. In the container, locate the backup file you wish to restore.

   > [!NOTE]
   > The backup directory in the container is volume-mapped from the host directory. `./bwdata/mssql/backups` on the host machine maps to `/etc/bitwarden/mssql/backups` in the container.
   > For example, a file `/etc/bitwarden/mssql/backups/vault_FULL_20201208_003243.BAK` is a backup taken on December 08, 2020 at 12:32am.

5. Start the `sqlcmd` utility with the following command:

   ```
   /opt/mssql-tools/bin/sqlcmd -S localhost -U -P
   ```

   where `` and `` match the `User=` and `Password=` values found in `global.override.env`.

6. Once in the `sqlcmd` utility, you have two options for backup:

   1. **Offline restore** (Preferred)

      Run the following SQL commands:

      ```
      1> use master
      2> GO
      1> alter database vault set offline with rollback immediate
      2> GO
      1> restore database vault from disk='/etc/bitwarden/mssql/backups/vault_FULL_{Backup File Name}.BAK' with replace
      2> GO
      1> alter database vault set online
      2> GO
      1> exit
      ```

      Restart your Bitwarden instance to finish restoring.

   2. **Online restore**

      Execute the following SQL commands:

      ```
      1> RESTORE DATABASE vault FROM DISK = '/etc/bitwarden/mssql/backups/vault_FULL_20200302_235901.BAK' WITH REPLACE
      2> GO
      ```

      Restart your Bitwarden instance to finish restoring.

### Helm

## Manual backups

Bitwarden provides example jobs that can be used to regularly back up your database (see below), however for the most complete disaster recovery (DR) plan you should manually back up and keep safe a wider array of server data. Particularly important pieces of data to back up regularly include:

- Your chart's `my-values.yaml` file.
- Your [Kubernetes Secrets object](https://bitwarden.com/help/self-host-with-helm/#create-a-secret-object/) (typically, as a `.yaml` file).
- Any persistent volumes (PVCs) set up for:
  - `dataprotection`
  - `attachments`
  - `licenses`

## Recurring database backups

There are a variety of ways to schedule recurring database backups for your Bitwarden deployment.
The Bitwarden Helm Charts repository contains [one such example for backing up the pre-packaged SQL container](https://github.com/bitwarden/helm-charts/tree/main/examples), which includes:

- Creating a Kubernetes Job object (`backup-job.yaml`) that establishes a connection to the database through Kubernetes Secrets, executes a backup, and stores the resultant `vault.bak` file to a persistent volume (PVC) while preserving prior backups.
- Creating a Bash script (`db-backup.sh`), intended for use by a task scheduler outside of the cluster, that will run the Kubernetes Job and monitor it in real-time.

## Restoring backups

To restore a backup, deploy a new Helm installation of Bitwarden with your backed-up `my-values` file and Kubernetes Secret object `.yaml` file. Once the chart is re-installed, re-attach your manually backed-up persistent volumes (PVCs) and `vault.bak` database backup.

--- URL: https://bitwarden.com/help/basic-auth-autofill/ ---

# Autofill Basic Auth Prompts

Login prompts like the one pictured below, called "basic" or "native" authentication prompts, will be automatically autofilled by Bitwarden browser extensions **if there is only one login item with a** [**matching URI**](https://bitwarden.com/help/uri-match-detection/). You can also use the browser extension's [share-square] **Launch** button to automatically open and log in to a basic auth-protected resource.

Autofilling on basic auth prompts will, by default, use the [Host](https://bitwarden.com/help/uri-match-detection/#host/) URI match detection option so that autofilling is more restrictive. This can be changed by setting the [match detection option](https://bitwarden.com/help/uri-match-detection/) for the relevant login.

If more than one login with a matching URI is found, the browser extension will not be able to autofill your credentials and you will need to manually copy/paste your username and password to log in.
If a single login item is present for a matching URI, the credentials will be autofilled in the background and no authentication prompt will be shown.

![Basic Auth Prompt](https://bitwarden.com/assets/6rUtQ8FzPTPuKM0sXZ4iyc/3fc116ce5eba8bc70f8dbebfac0eafa6/basic-auth-prompt.png)

> [!NOTE]
> Due to the way basic auth prompts are designed, auto-filling must be non-interactive. This means you cannot autofill on a basic auth prompt using the **Vault** view, context-menu, or keyboard shortcuts.

--- URL: https://bitwarden.com/help/billing-faqs/ ---

# Billing FAQs

This article contains frequently asked questions (FAQs) regarding **Plans and Pricing**. For help selecting the right Bitwarden plan for you, refer to [what plan is right for me?](https://bitwarden.com/help/what-plan-is-right-for-me/) and [about Bitwarden plans](https://bitwarden.com/help/password-manager-plans/).

## Account management

### Q: How do I find out what subscription plan I'm on?

**A:** Log in to the web app:

- For individual subscriptions, navigate to **Settings** → **Subscription**. If this screen can't be found, this account is on a free plan. If this screen exists, this account is on a premium plan.
- For organization subscriptions, organization owners can open the Admin Console and navigate to the organization's **Billing** → **Subscription** view. The **Plan** section will log this organization's plan.

### Q: How do I view my billing information?

**A:** Viewing billing information is different depending on whether you are viewing it for an individual or organization subscription. Use [Update your Billing Information](https://bitwarden.com/help/update-billing-info/) to guide you through both processes.

### Q: How do I delete my account?

**A:** We're sad to see you go! Use [Delete your Account](https://bitwarden.com/help/delete-your-account/) to guide you through this process.

### Q: How do I upgrade from an individual subscription to an organization?
**A:** Use [Upgrade from Individual to Organization](https://bitwarden.com/help/upgrade-from-individual-to-org/) to guide you through this process.

### Q: How do I add or remove a user seat from my organization?

**A:** For Teams and enterprise organizations, user seats will be automatically added as you invite new users. You can [specify a limit](https://bitwarden.com/help/managing-users/#set-a-seat-limit/) to prevent your seat count from exceeding a specific number.

To remove user seats, navigate to your organization's **Billing** → **Subscription** screen and use the **Subscription Seats** input to remove seats ([learn more](https://bitwarden.com/help/managing-users/#manually-add-or-remove-seats/)).

Adding and removing user seats will adjust your future billing totals. Adding seats will immediately charge your payment method on file at an adjusted rate so that **you will only pay for the remainder of the billing cycle** (month/year). Removing seats will cause your next charge to be adjusted so that you are **credited for time not used** by the already-paid-for seat.

### Q: How do subscriptions work for self-hosting?

**A:** In order to use a subscription on a self-hosted server, first create an account and subscription in the Bitwarden cloud via the [web app](https://bitwarden.com/help/getting-started-webvault/). From there, download the [subscription license](https://bitwarden.com/help/licensing-on-premise/#organization-license/), which will flag access to premium or organization features, to apply to your self-hosted server. Per the Bitwarden terms of service, one organization deployment is permitted per subscription.

### Q: If I have a families organization, do I need premium?

**A:** The current families plan (introduced Sep. 2020) automatically provides premium features for all six members of the organization, so no!
Legacy families plans do not automatically provide premium features, so users would need to upgrade to premium individually or the families organization owner could upgrade the organization. ### Q: Why do my license expiration dates on cloud and self-hosted not match? **A**: To ensure that you don't inadvertently lose organization functionality, we provide a 2 month grace period between the expiration of the license on cloud and expiration of the license on your self-hosted server. Learn more [here](https://bitwarden.com/help/organization-renewal/). ### Q: What is the holder of my organization's billing email allowed to do? **A**: The holder of your organization's [billing email](https://bitwarden.com/help/about-organizations/#create-an-organization/) may, by contacting us: - Add or remove a credit card from the subscription. - Change the billing email for the organization. - Inquire about invoices and billing information on-file. - Swap between a monthly and annual billing cycle (if applicable for your organization). - Request a plan upgrade, downgrade, cancellation, or seat adjustment. They **may not** for any reason request deletion of an organization, be given the identity of current organization owners, or request the promotion of any user to an owner. ## Payment options ### Q: What payment options do you accept for customers based in the United States? **A:** We accept credit/debit cards, PayPal, bank account (ACH), and Bitcoin. For business subscriptions, we also accept wire transfers and corporate checks, with a minimum payment of 500 USD. For more information regarding payment options, please [contact support](https://bitwarden.com/contact/). ### Q: What payment options do you accept for customers outside the United States? **A:** We accept credit/debit Cards, PayPal, and Bitcoin. For business subscriptions, we also accept international wire transfers and corporate checks, with a minimum payment of 500 USD. 
For more information regarding payment options, please [contact support](https://bitwarden.com/contact/). ### Q: Can I pay with Bitcoin? **A:** Yes! Please note, you will need to **Add Credit** using Bitcoin on the **Settings** → **Billing** screen before purchasing the subscription. ### Q: How do I enter my tax information? **A:** You can provide a Tax ID during signup, at any time from the web app Admin Console **Billing** → **Payment method** view by selecting **Change payment method**, or by contacting Customer Support: - If you are a customer based in the United States, select **United States** from the **Country** dropdown menu and enter your **Zip / Postal Code**. - If you are a customer based outside the United States, select your country from the **Country** dropdown menu. If your billing address is in Australia, Canada, the European Union (EU), or the United Kingdom (UK), enter a **VAT/GST Tax ID**. Learn more about how taxes are assessed for paid Bitwarden subscriptions [here](https://bitwarden.com/help/tax-calculation/). ### Q: Why am I charged sales tax? **A:** Sales tax liability criteria and rates are mandated by individual US states. Bitwarden is classified under the Software as a service (SaaS) tax code. Tax liability and applicable rates are subject to change as required by your location. ### Q: Can I use a Bitwarden Free plan for commercial use? **A**: Users can utilize Bitwarden clients, with either paid or free accounts, for personal or business purposes as long as they comply with our [Terms of Service](https://bitwarden.com/terms/). Bitwarden's license grants a limited, non-exclusive, non-transferable, royalty-free license to use the Commercial Modules solely for internal development and testing in a non-production environment. For more information, refer to the [license](https://github.com/bitwarden/server/blob/main/LICENSE.txt) and [license FAQ](https://github.com/bitwarden/server/blob/main/LICENSE_FAQ.md). 
If users do not intend to modify, resell, rent, lease, distribute, sublicense, loan, or otherwise transfer the Commercial Modules to any third party, or create a competing product or service, they can use any of the available clients for business or personal use while respecting our terms of service. ## Known issues ### Q: An error occurs when I try to go premium on Firefox. How do I fix this? **A:** We have observed some users of Firefox get the following error message when submitting payment information for a Premium subscription: `You passed an empty string for 'payment_method_data[referrer]'. We assume empty values are an attempt to unset a parameter; however 'payment_method_data[referrer]' cannot be unset. You should remove 'payment_method_data[referrer]' from your request or supply a non-empty value.` This usually occurs when submitting your payment method is impeded by an installed browser Extension or configured Browser option. **Open Firefox in a Private Window and try resubmitting.** --- URL: https://bitwarden.com/help/biometrics/ --- # Unlock With Biometrics Quickly and securely access your vault with biometrics in the desktop app, browser extension, and mobile app. After logging in with your standard method, like a [master password](https://bitwarden.com/help/master-password/) or [trusted device](https://bitwarden.com/help/add-a-trusted-device/), [unlock your vault](https://bitwarden.com/help/understand-log-in-vs-unlock/) with biometrics. Biometric features are part of the built-in security in your device and/or operating system. **Bitwarden never receives your biometrics data**, because the feature uses native APIs to perform the validation on your local device. > [!TIP] Biometric for multiple accounts > Security settings are set per account. To turn on biometric unlock for [multiple accounts](https://bitwarden.com/help/account-switching/), like individual and organization accounts, repeat these steps for each one. 
## Set up biometrics for desktop app To set up biometrics in the desktop app: ### Windows Set up unlock with biometrics for Windows via [Windows Hello](https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/windows-hello) using PIN, facial recognition, or other hardware that meets [Windows Hello biometric requirements](https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/windows-hello-biometric-requirements). This option is supported in the Windows desktop app when it’s installed from [Bitwarden Downloads](https://bitwarden.com/download/#downloads-desktop/). If the desktop app was installed from the Microsoft Store, biometrics will not work. To turn on biometric unlock: 1. [Turn on Windows Hello](https://support.microsoft.com/en-us/windows/configure-windows-hello-dae28983-8242-bb2a-d3d1-87c9d265a5f0) in your device’s system settings. > [!NOTE] Microsoft Visual C++ Redistributable > If you are unable to turn on Windows Hello in your device settings, install [Microsoft Visual C++ Redistributable](https://learn.microsoft.com/en-us/cpp/windows/latest-supported-vc-redist?view=msvc-170). 2. Download the Bitwarden desktop app from [Bitwarden Downloads](https://bitwarden.com/download/#downloads-desktop/) (if you haven’t already). Bitwarden desktop app installs from the Microsoft Store do not support biometric unlock. 3. Open the Bitwarden desktop app and go to **File** → **Settings**. 4. Under **Security**, check **Unlock with Windows Hello**. 5. (Optional) If you want to use biometrics to unlock your vault when the desktop app restarts, uncheck **Require master password or PIN on app restart**. You will be prompted to confirm your biometric in a pop-up window. If this setting remains checked, you will need to enter your master password or PIN every time the desktop app restarts. ### macOS Set up unlock with biometrics for macOS via [Touch ID](https://support.apple.com/en-us/HT207054). 
This option is supported in the macOS desktop app when it’s installed from the [Mac App Store](https://apps.apple.com/us/app/bitwarden/id1352778147?mt=12). If the desktop app was installed from the Bitwarden Downloads page, biometrics will not work.

To turn on biometric unlock:

1. [Turn on Touch ID](https://support.apple.com/guide/mac-help/use-touch-id-mchl16fbf90a/mac) in your device’s system settings.
2. Download the Bitwarden desktop app from the [Mac App Store](https://apps.apple.com/us/app/bitwarden/id1352778147?mt=12) (if you haven’t already). Bitwarden desktop app installs from the Bitwarden Download page do not support biometric unlock.
3. Open the Bitwarden desktop app and go to **Bitwarden** → **Settings**.
4. Under **Security**, check **Unlock with Touch ID** and confirm the update when prompted.
5. (Optional) Check **Ask for Touch ID on app start** to use Touch ID when the desktop app first opens, skipping the initial unlock screen.

### Linux

Unlock with biometrics is supported in Linux when:

- Your system has a polkit agent and secret service daemon, such as GNOME Keyring.
- The [Bitwarden desktop app](https://bitwarden.com/download/#downloads-desktop/) is installed from Snap (**recommended**). Snap supports biometrics for the desktop app, but does not support integration with the browser extension. `AppImage`, `.deb`, or `.rpm` packages, available from [bitwarden.com/download](https://bitwarden.com/download/#downloads-desktop/), do support biometrics but do not support automatic updates.

> [!NOTE] Log in before biometrics-Linux
> After biometrics are configured for the Linux desktop app, you still need to log in with a master password or PIN. Once logged in, use biometrics to unlock your vault.

To turn on biometric unlock:

1. Turn on system authentication on your machine.
2. Open the Bitwarden desktop app and go to **File** → **Settings**.
3. Under **Security**, check **Unlock with system authentication** and confirm the update when prompted.
## Set up biometrics for browser extension

The ability to unlock your vault with biometrics is supported on these browsers:

- Chromium-based browsers, including Chrome, Edge, Opera, and Brave
- Firefox 87+ (Firefox ESR is not supported.)
- Safari 14+

To set up biometrics on the browser extension or a mobile device:

### Chromium-based & Firefox

There are two steps to enabling biometrics for browser extensions: [activate the integration](https://bitwarden.com/help/biometrics/#1-activate-the-integration/) and [activate extension biometrics](https://bitwarden.com/help/biometrics/#2-activate-extension-biometrics/).

### 1) Activate the integration

First, open the Bitwarden desktop app and update the settings:

1. Turn on unlock with biometrics in the [Bitwarden desktop app](https://bitwarden.com/help/biometrics/#set-up-biometrics-for-desktop-app/).
2. Open the Bitwarden desktop app **Settings**. (For Windows and Linux, go to **File** → **Settings**. For macOS, go to **Bitwarden** → **Settings**.)
3. Check **Allow browser integration**.

   > [!WARNING] macOS username size bug
   > On macOS, you may encounter an error if your username directory (e.g. `/Users/your_username/Library/...`) is longer than 104 characters. If you encounter this error, shorten your username.

4. (Optional) Check **Require verification for browser integration** to ask for fingerprint verification every time the integration between the desktop app and browser extension is activated.

### 2) Activate extension biometrics

> [!NOTE] Allow access to file URLs
> Some browsers, notably Chrome and Chromium-based browsers like Edge and Brave, may require an additional permission for biometrics to work properly:
>
> 1. Using the web browser address bar, navigate to the extensions manager (e.g. `chrome://extensions` or `brave://extensions`).
> 2. Open the Bitwarden entry on this page and toggle on **Allow access to file URLs**.
Next, remain logged in to the Bitwarden desktop app and open the Bitwarden browser extension. To turn on unlock with biometrics for the browser extension: 1. Select the ⚙️ **Settings** icon. 2. Select **Account security**. 3. Check **Unlock with biometrics**. 4. You may see a prompt asking permission for Bitwarden to “communicate with cooperating native applications.” Select **Allow**. > [!NOTE] Communicate with cooperating native applications > This permission is required for the browser extension to unlock with biometrics. If you decline, you can continue using the browser extension, but unlock with biometrics will not work. 5. Go to the desktop app and there: 1. Select **Approve** to verify the browser connection. 2. Enter your biometric when prompted. 6. (Optional) If you previously turned on **Require verification for browser integration**, enter your fingerprint when prompted. 7. (Optional) Check **Ask for biometrics on launch** to use biometrics when the browser extension first opens, skipping the initial unlock screen. ### Safari To turn on biometric unlock: 1. Select the ⚙️ **Settings** icon. 2. Select **Account security**. 3. If a confirmation window appears, enter your device’s password and click **Always Allow**. 4. Check **Unlock with biometrics**. 5. When prompted, enter your Touch ID. 6. (Optional) Check **Ask for biometrics on launch** to use biometrics when the browser extension first opens, skipping the initial unlock screen. > [!TIP] Require verification for browser integration > To ask for fingerprint verification every time the integration between the desktop app and browser extension is activated: > > 1. Open the desktop app and go to **Bitwarden** → **Settings**. > 2. Check **Require verification for browser integration**. > 3. When turning on biometrics unlock in the browser extension, you’ll be asked to enter your fingerprint during setup. 
## Set up biometrics for mobile

Unlock with biometrics is supported on iOS via [Touch ID](https://support.apple.com/en-us/HT201371) and [Face ID](https://support.apple.com/en-us/HT208109) and on Android (Google Play or FDroid) via [fingerprint unlock](https://support.google.com/nexus/answer/6285273?hl=en) or [face unlock](https://support.google.com/pixelphone/answer/9517039?hl=en).

> [!NOTE] Android Class Requirement
> On Android, Bitwarden requires your biometric factor to be [Class 3](https://source.android.com/docs/security/features/biometric). Fingerprint readers will most often be Class 3; however, the class of facial recognition systems will vary based on device manufacturer and model.

To set up unlock with biometrics for your mobile device:

1. Turn on the biometric method in your device’s system settings, like the **iOS Settings** app.
2. Open the Bitwarden app and tap the ⚙️ **Settings** icon.
3. Tap **Account security**.
4. Tap **Unlock with Face ID** or **Unlock with Biometrics**. (What’s available is based on your device’s hardware capabilities and what you previously turned on in your device’s system settings.)
5. Enter your biometric when prompted, like your face or fingerprint. The toggle will fill in when unlock with biometrics is successfully set up.

## Use unlock with biometrics

### Windows & Linux Desktop

To access your vault with the Windows or Linux desktop app:

1. Log in with a master password or PIN.
2. Select **Unlock with Windows Hello** or **Unlock with system authentication**:

   ![Unlock with Windows Hello](https://bitwarden.com/assets/7n73BtZuBKI2lrmTMGJUqk/cf42eacad0651a4cf1b12ba786a2f362/Windows_Hello.png)

3. Enter the biometric you configured.

> [!NOTE] Biometrics greyed out
> When you first open or restart the Windows and Linux desktop apps, the biometrics option will be greyed out. Unlock the vault with your standard method, like the master password or PIN. After that first log in and unlock, you can use biometrics to unlock your vault.
### macOS Desktop

If you checked **Ask for Touch ID on app start** during setup, you’ll immediately be prompted to enter your Touch ID.

If you did not check **Ask for Touch ID on app start** during setup:

1. Log in with a master password or PIN.
2. Select **Unlock with Touch ID**:

   ![Unlock with Touch ID](https://bitwarden.com/assets/2c5pB6gzPsvqDA46W2cODn/46c5bad230d8a5deb7f31e2861bdae0d/Unlock_with_Touch_ID.png)

3. Enter your Touch ID.

### Browser extension

To access your vault with the browser extension:

1. Log in to the Bitwarden desktop app and unlock your vault.
2. With the desktop app still running in the background, open the Bitwarden browser extension.
3. (Optional) If you previously turned on **Require verification for browser integration** in the desktop app, enter your fingerprint when prompted.
4. Depending on whether **Ask for biometrics on launch** was checked in the desktop app during setup:
   - If this setting was checked, you’ll immediately be prompted to enter your biometric.
   - If this setting **was not** checked, select **Unlock with biometrics** and enter the biometric you configured:

     ![Unlock with biometrics browser](https://bitwarden.com/assets/4UeYGO9saN15Jg3xLQmv5y/bfdb5e552b33009d219b1c1b7accd26b/Unlock_with_Biometrics_Browser.png)

### Mobile

When the Bitwarden mobile app first opens, enter your fingerprint or face ID when prompted.

## Troubleshooting

If a “Biometric unlock disabled pending verification of your master password” error appears:

1. Temporarily turn off autofill in Bitwarden.
2. Follow the steps above to set up biometrics in Bitwarden.
3. Turn autofill back on within Bitwarden.

--- URL: https://bitwarden.com/help/bitwarden-addresses/ ---

# Bitwarden Domains, Endpoints, & URLs

This page identifies official addresses and repositories for Bitwarden hosted or managed resources. Bitwarden utilizes CDNs (content delivery networks) and other resources whose IP addresses may change.
## Bitwarden Domains bitwarden.com | bitwarden.net | bitwarden.eu btwrdn.co | btwrdn.com ## Bitwarden URLs **Bitwarden Webpage** - bitwarden.com - bitwarden.net - btwrdn.com - start.bitwarden.com - go.bitwarden.com - cdn.bitwarden.com - cdn.bitwarden.net **Bitwarden community contributions** - contributing.bitwarden.com ## Bitwarden applications **Download Bitwarden** - https://bitwarden.com/download/ **Bitwarden web app** - vault.bitwarden.com - vault.bitwarden.eu **Bitwarden server install/update** - func.bitwarden.com - artifacts.bitwarden.com - selfhost.bitwarden.com - btwrdn.co - ghcr.io/bitwarden ## Application endpoints - api.bitwarden.com / api.bitwarden.eu - events.bitwarden.com / events.bitwarden.eu - func.bitwarden.com - identity.bitwarden.com / identity.bitwarden.eu - scim.bitwarden.com / scim.bitwarden.eu - sso.bitwarden.com / sso.bitwarden.eu - push.bitwarden.com / push.bitwarden.eu - icons.bitwarden.net ## GitHub - [https://github.com/bitwarden](https://github.com/bitwarden) ## Issues - [Bitwarden server issues](https://github.com/bitwarden/server/issues) - [Bitwarden client issues](https://github.com/bitwarden/clients/issues) - [Bitwarden mobile issues](https://github.com/bitwarden/mobile/issues) - [Bitwarden Directory Connector issues](https://github.com/bitwarden/directory-connector/issues) ## Community - [Feature requests](https://community.bitwarden.com/t/about-the-feature-requests-category/12) - [Contributing](https://github.com/orgs/bitwarden/discussions) - [Community forums](https://community.bitwarden.com/) - [X.com](https://x.com/bitwarden) - [Reddit](https://www.reddit.com/r/Bitwarden/) - [YouTube](https://www.youtube.com/channel/UCId9a_jQqvJre0_dE2lE_Rw) - [LinkedIn](https://www.linkedin.com/company/bitwarden1) - [Facebook](https://www.facebook.com/bitwarden/) - [Instagram](https://www.instagram.com/bitwarden/) - [Mastodon](https://fosstodon.org/@bitwarden) - [Twitch](https://www.twitch.tv/bitwardenlive) --- URL: 
https://bitwarden.com/help/bitwarden-apis/ --- # Password Manager APIs Bitwarden currently offers two APIs with differing sets of functionality and use-cases: ## Public API The Bitwarden Public API provides organizations with a suite of tools for managing members, collections, groups, event logs, and policies. The Public API is a RESTful API with predictable resource-oriented URLs, accepts JSON-encoded request bodies, returns JSON-encoded responses, and uses standard HTTP response codes, authentication, and verbs. Learn more about the [Bitwarden Public API](https://bitwarden.com/help/public-api/) or view the [API Specification](https://bitwarden.com/help/api/) documentation. ## Vault Management API The Vault Management API provides Bitwarden users with a suite of tools for managing vault items, including those owned by organizations provided you have the appropriate permissions. The Vault Management API allows most actions that can be taken by the Bitwarden CLI to be taken in the form of RESTful API calls from an HTTP interface. Using the Vault Management API requires that you use the `serve` command from the CLI to start a local express web server from which to make requests. > [!NOTE] Vault management API JSON requests > The Vault Management API accepts JSON request bodies and returns JSON responses, including standard HTTP response codes. Learn more about the [serve command](https://bitwarden.com/help/cli/#serve/) or view the [API Specification](https://bitwarden.com/help/vault-management-api/) documentation. --- URL: https://bitwarden.com/help/bitwarden-authenticator/ --- # Bitwarden Authenticator Bitwarden Authenticator is a mobile authentication app (available on [iOS](https://apps.apple.com/us/app/bitwarden-authenticator/id6497335175) and [Android](https://play.google.com/store/apps/details?id=com.bitwarden.authenticator&pli=1) 12+) you can use to verify your identity for websites and apps that use two-factor authentication (2FA). 
Bitwarden Authenticator generates 5-10 digit time-based one-time passwords (TOTPs), by default using SHA-1 and rotating them every 30 seconds.

![Bitwarden iOS Authenticator app](https://bitwarden.com/assets/4fMWMI0YBJQybhhyOlV0Zb/2bb912b6e9a6f38818cc37d8a0f982b4/2025-05-21_10-13-39.png)
*Bitwarden iOS Authenticator app*

Bitwarden Authenticator can be used as a completely standalone app, or can be set up to [sync with Bitwarden Password Manager](https://bitwarden.com/help/totp-sync/). When synced, your codes will be labelled either **Local Codes** or labelled by your account email address.

## Add codes

If set up to [sync with Password Manager](https://bitwarden.com/help/totp-sync/), Authenticator will automatically add and keep up-to-date any verification codes stored in Password Manager. Using the Authenticator app, you can also **Scan a QR code** or **Add a code manually**, and in either case choose whether to save it locally or in Password Manager:

### Scan a QR code

In the Bitwarden Authenticator app:

1. Tap the + icon.
2. Point your camera at the QR code. Scanning will happen automatically.
3. Choose whether to **Save here** (meaning, only in Authenticator) or **Save to Bitwarden** (meaning, save as a login item in Password Manager).

### Add a code manually

1. Tap the + icon.
2. Tap **Enter key manually** at the bottom of the screen.
3. Enter the name of the website or app in the **Name** field.
4. Enter the **Authenticator key** offered by the website or app. Some services refer to this as a "secret key" or "TOTP seed".
5. Choose whether to **Save here** (meaning, only in Authenticator) or **Save to Bitwarden** (meaning, save as a login item in Password Manager).

### Sync from Password Manager

To sync TOTPs from Bitwarden Password Manager:

1. Ensure that both Bitwarden Authenticator and Bitwarden Password Manager are installed on your device, and that in Password Manager you're logged in to accounts you want to sync with.
   > [!NOTE] Require Android 12+
   > The Authenticator sync feature is available on Android versions 12 or newer.

2. In Password Manager, navigate to **Settings** → **Account security** and toggle on the **Allow authenticator syncing** option.

   > [!TIP] Multiple accounts for authenticator sync
   > You can sync with as many Bitwarden Password Manager accounts as you want, but you'll need to toggle this option separately for each.

3. In Bitwarden Authenticator, validate that any TOTPs stored in Password Manager are listed under your Bitwarden account's heading rather than under **Local Codes**.

> [!TIP] Export for Bitwarden Authenticator
> When you get a new mobile device, you can:
>
> - Export data from Bitwarden Authenticator and import that data on your new device. [Learn how](https://bitwarden.com/help/authenticator-import-export/).
> - Set up sync from Password Manager to pull all verification codes that are attached to saved login items. [Learn how](https://bitwarden.com/help/totp-sync/).

### Copy codes to Password Manager

Local codes can be copied from Authenticator to Password Manager by long-pressing the entry and tapping the **Copy to Bitwarden** option. Doing so will open Password Manager and allow you to attach the code to an existing item or create a new item.

## Edit codes

Long-press a **Local Code** on the **Verification codes** screen, or edit a synced item from Bitwarden Password Manager, to make changes to it. For local codes you can:

- Edit the **Name** or **Key** attached to it.
- Designate an item as a **Favorite**, which will move it to the top of the Verification codes screen for easy access.
- Add a **Username** to the item. Use this field when you have multiple accounts for the same website and require a separate verification code per account.
- Change the **Algorithm** used to generate the code. By default, Bitwarden Authenticator uses SHA-1.
- Change the **Refresh period** for the code. By default, Bitwarden Authenticator uses 30 seconds.
- Change the **Number of digits** for the code. By default, Bitwarden Authenticator uses 6 digits.

> [!TIP] Changing authenticator settings
> **Algorithm**, **Refresh period**, and **Number of digits** are determined by the site you're using the verification code with. Do not change these settings for an item unless that website requires it or allows you to customize verification code behavior.

## Use codes

To use a verification code once the secret for that account is stored in Bitwarden Authenticator, open Bitwarden Authenticator and tap the entry to copy its verification code to your clipboard. Then, paste the verification code in the input for the website or app you're logging in to.

--- URL: https://bitwarden.com/help/bitwarden-field-guide-two-step-login/ ---

# Why Use Two-Step Login?

Two-step login (also called two-factor authentication or 2FA) is a common security technique used by websites and apps to protect your sensitive data. Websites that use two-step login require you to verify your identity by entering an additional "token" (also called verification code or one-time password (OTP)) besides username and password, typically retrieved from a different device.

Without physical access to the token from your secondary device, a malicious actor would be unable to access the website, even if they discover your username and password:

![Basic Two-step Login flow ](https://bitwarden.com/assets/6E6lpxB8UfXU7V6YcW40S3/b89a863ed448d1b90e42ac6c25140edd/fg-1.png)

Commonly, websites or apps with sensitive data (for example, your online bank account) will attempt to verify your identity outside of the login screen by:

- Sending a token in an SMS / text message to the mobile device on-file.
- Asking for a token generated by an Authenticator app (for example, [Bitwarden Authenticator](https://bitwarden.com/help/bitwarden-authenticator/)) on your mobile device.
- Looking for a token from a physical security key (for example, Yubikey).

### How should I use two-step login?
Security often involves a tradeoff between protection and convenience, so ultimately it's up to you! Generally, the two most critical ways to use two-step login are: 1. [**To secure Bitwarden**](https://bitwarden.com/help/bitwarden-field-guide-two-step-login/#securing-bitwarden/) Secure all vault data by requiring a secondary step each time you log in to Bitwarden, in addition to entering your master password. 2. [**To secure important websites**](https://bitwarden.com/help/bitwarden-field-guide-two-step-login/#securing-important-websites/) Secure an individual website by requiring a temporary one-time password (TOTP) when you log in. You can store and generate TOTPs with Bitwarden. ## Securing Bitwarden Since your password manager stores all of your logins, we highly recommend that you secure it with two-step login. Doing so protects all of your logins by preventing a malicious actor from accessing your vault, even if they discover your master password. Enabling two-step login will require you to complete a secondary step each time you log in, in addition to your primary log in method (master password). You won't need to complete your secondary step to unlock your vault, only to log in. 
![Two-step login to access Bitwarden ](https://bitwarden.com/assets/1fc7ZMSHr1grocnEitdwua/1fbdceda08b4a6c59b17a96b366ffacd/fg-2.png)

Bitwarden offers several two-step login methods for free, including:

- FIDO (any FIDO2 WebAuthn certified key)
- via an authenticator app (for example, [Bitwarden Authenticator](https://bitwarden.com/help/bitwarden-authenticator/))
- via email

For premium users, Bitwarden offers several advanced two-step login methods:

- Duo Security with Duo Push, SMS, phone call, and security keys
- YubiKey (any 4/5 series device or YubiKey NEO/NFC)

[Learn more about your options](https://bitwarden.com/help/setup-two-step-login/) or get help setting up any method using our **Setup Guides.**

> [!NOTE] Bitwarden does not support SMS 2FA
> Bitwarden does not support SMS 2FA due to vulnerabilities, including SIM hijacking. We do not recommend SMS 2FA for other accounts unless it is the only available method. Any second factor is recommended over having none, but most alternatives are safer than SMS 2FA.

## Securing important websites

Many other websites and apps have two-step login options; this is especially common for websites that store sensitive information (for example, credit card or bank account numbers). Most websites' two-step login option will be located in the **Settings**, **Security**, or **Privacy** menus.
Activating two-step login will typically open a QR code, like this example from Reddit:

![2FA QR Code](https://bitwarden.com/assets/4ddS2XK3JVWe1uG9OCiXwB/d199bbf12b390ac32ec2a6737ded4a20/reddit-2fa-setup.png)

Scanning this code with an authenticator app will enable the app to generate rotating six-digit tokens that you can use to verify your identity, like this one generated by [Bitwarden Authenticator](https://bitwarden.com/help/bitwarden-authenticator/):

![TOTP token](https://bitwarden.com/assets/kBDOyVjNB2DiINm7FHk0r/13b3f7bceb014df08b84246256451322/IMG_5440.png)

### Use Bitwarden Authenticator

Bitwarden Authenticator is a mobile authentication app you can use to verify your identity for websites and apps that use two-factor authentication (2FA). Bitwarden Authenticator can be downloaded from the iOS App Store and Google Play Store.

![Two-step login using Bitwarden Authenticator ](https://bitwarden.com/assets/5WsEwCqHd3BmAKTGdhXpQZ/bc84335eeb3655916781b1dd7cd4f4f1/fg-5.png)

For help using Bitwarden Authenticator, refer to [this article](https://bitwarden.com/help/bitwarden-authenticator/).

### Use integrated authentication

As an alternative, Bitwarden Password Manager offers a built-in authenticator for premium users, including members of paid organizations (Families, Teams, or Enterprise).

![Two-step Login using Bitwarden ](https://bitwarden.com/assets/4XRROCzbnmkN2EM9iO7MLX/3cf42adb04c450c833cd7d8aad836665/fg-3.png)

For help using integrated authentication, refer to [this article](https://bitwarden.com/help/integrated-authenticator/).

#### When should I use the standalone app as opposed to the integrated authenticator?

Only the standalone app allows you to set up 2FA for your Bitwarden account, but you can use either app to store and generate verification codes for all your other accounts. Only the integrated authentication currently allows you to share the token generation among team members.
They can be used together, or separately, depending on your security preferences.

## 2FA security keys and passkeys

FIDO2 security keys are a popular and secure option for adding 2FA to your Bitwarden account. If you are not familiar with FIDO2 security keys, see the [FIDO Alliance website](https://fidoalliance.org/fido2/) for additional information regarding FIDO2.

A YubiKey device is a security key that works with FIDO authentication protocols, and can have several use cases. Two uses are as 2FA security keys, or [passkeys](https://bitwarden.com/blog/what-are-passkeys-and-passkey-login/).

- **2FA security key:** Using a YubiKey as a 2FA security key will act as an additional device in the authentication process. This will be accompanied by another primary method of authentication (such as master password). The YubiKey security key must be physically plugged in to provide the authentication credentials.
- **Passkey:** A passkey is a pair of public-private cryptographic keys that are used to authenticate a login. Instead of creating a username, password and adding 2FA to an account, the single passkey is used. During passkey creation, the YubiKey is able to work as the passkey generator to create the public and private keys necessary for passkey login. Learn more about using a YubiKey as a passkey [here](https://www.yubico.com/resources/glossary/what-is-a-passkey/).

With Bitwarden, the primary use of a security key such as a YubiKey device is to provide 2FA authentication.
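
The rotating tokens and the SHA-1, 30-second, 6-digit defaults described above follow the TOTP standard (RFC 6238). The sketch below is an added example, not Bitwarden's code: it assumes the QR code carries a standard `otpauth://totp/...` URI, uses a constructed sample URI built from the RFC test secret, and shows that a mis-set period yields a code the site will not accept. The names `TotpParams`, `parse_otpauth`, `totp`, and `verify` are hypothetical.

```python
import base64
import hashlib
import hmac
import struct
import time
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs, unquote, urlparse

# Hash functions a TOTP entry may name; SHA-1 is the default the page describes.
_ALGORITHMS = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}

# Constructed sample (not a real account): the RFC 6238 test secret, Base32-encoded.
SAMPLE_URI = (
    "otpauth://totp/Example%3Aalice%40example.com"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example"
    "&algorithm=SHA1&digits=6&period=30"
)


@dataclass(frozen=True)
class TotpParams:  # hypothetical container, not a Bitwarden type
    label: str
    secret: bytes
    algorithm: str = "SHA1"
    digits: int = 6
    period: int = 30


def parse_otpauth(uri: str) -> TotpParams:
    """Parse an otpauth://totp URI, rejecting malformed or unsupported values."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc.lower() != "totp":
        raise ValueError("not an otpauth://totp URI")
    query = parse_qs(parsed.query)
    if "secret" not in query:
        raise ValueError("URI carries no secret")
    b32 = query["secret"][0].replace(" ", "").upper()
    b32 += "=" * (-len(b32) % 8)  # services often omit Base32 padding
    secret = base64.b32decode(b32)  # raises a ValueError subclass on bad Base32
    if not secret:
        raise ValueError("empty secret")
    algorithm = query.get("algorithm", ["SHA1"])[0].upper()
    digits = int(query.get("digits", ["6"])[0])
    period = int(query.get("period", ["30"])[0])
    if algorithm not in _ALGORITHMS:
        raise ValueError(f"unsupported algorithm: {algorithm}")
    if not 5 <= digits <= 10 or period <= 0:
        raise ValueError("digits must be 5-10 and period positive")
    return TotpParams(unquote(parsed.path.lstrip("/")), secret, algorithm, digits, period)


def totp(params: TotpParams, at: Optional[float] = None) -> str:
    """Return the RFC 6238 code for the time step containing `at` (Unix seconds)."""
    now = time.time() if at is None else at
    counter = int(now // params.period)  # number of whole periods since the epoch
    mac = hmac.new(params.secret, struct.pack(">Q", counter),
                   _ALGORITHMS[params.algorithm]).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** params.digits).zfill(params.digits)


def verify(params: TotpParams, candidate: str,
           at: Optional[float] = None, window: int = 1) -> bool:
    """Server-side check: accept codes within +/- `window` periods of clock drift."""
    now = time.time() if at is None else at
    ok = False
    for step in range(-window, window + 1):
        t = now + step * params.period
        if t < 0:
            continue
        # Constant-time comparison; every step is checked even after a match.
        ok |= hmac.compare_digest(totp(params, t).encode(), candidate.encode())
    return ok


if __name__ == "__main__":
    entry = parse_otpauth(SAMPLE_URI)
    print(entry.label, "current code:", totp(entry))
    # Same secret, same moment, but the period changed from 30 to 60 seconds:
    wrong = TotpParams(entry.label, entry.secret, period=60)
    print("site's code at t=59:", totp(entry, 59), "| mis-set entry:", totp(wrong, 59))
```
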
## Next steps

Now that you are a two-step login expert, we recommend:

- [Set up two-step login](https://bitwarden.com/help/setup-two-step-login/)
- [Get premium for access to advanced two-step login methods](https://bitwarden.com/go/start-premium/)
- [Set up the Bitwarden authenticator](https://bitwarden.com/help/integrated-authenticator/)
- [Set up two-step login for teams and enterprise](https://bitwarden.com/help/setup-two-step-login/#two-step-login-for-teams-and-enterprise/)

--- URL: https://bitwarden.com/help/bitwarden-for-msps/ ---

# Managed Service Providers

Learn how to get started with Bitwarden Password Manager as a Managed Service Provider (MSP) and deploy it to your customers in this video guide.

[![Vimeo Video](https://vumbnail.com/668382756.jpg)](https://vimeo.com/668382756)

*[Watch on Vimeo](https://vimeo.com/668382756)*

Learn more about becoming a Bitwarden MSP or reseller [here](https://bitwarden.com/partners/), or jump to the following points in the video to learn more about specific topics:

- **1:36**: Overview of Bitwarden Password Manager.
- **1:46**: Bitwarden client apps.
- **2:15**: How Bitwarden integrates with your tech stack.
- **4:53**: Overview of terminology and concepts.
- **8:34**: MSP architecture deep dive.
- **10:05**: Your organization.
- **16:19**: The Provider Portal.
- **23:13**: Client organizations.
- **25:49**: Manage your clients.
- **26:50**: Manage policies.
- **27:43**: Import data.
- **28:18**: Set up SSO and SCIM.
- **29:00**: Q&A.

# MSP customer deployment guide

Use the following steps and best practices to deploy Bitwarden to your customers.

## Phase 1 - Pre-onboarding

Define technical requirements and onboarding strategy for your customer's Bitwarden organization and environment.

| Step | Topic | Action | Resources | Duration (hours) |
|------|------|------|------|------|
| 1 | Environment decision | Determine Cloud or Self-Hosted environment | [Hosting FAQs](https://bitwarden.com/help/hosting-faqs/) | 0.5 |
| 2 | Authentication strategy | Determine if the customer will use Single Sign-On (SSO) | [About SSO](https://bitwarden.com/help/about-sso/) | 0.25 |
| 3 | Decryption method | If using Login with SSO, select Master Password or trusted devices for decryption | [About trusted devices](https://bitwarden.com/help/about-trusted-devices/) | 0.25 |
| 4 | Provisioning strategy | Select provisioning strategy like SCIM, directory connector, or manual provisioning. | [Managing users](https://bitwarden.com/help/managing-users/#onboard-users/) | 0.25 |
| 5 | User identification | Identify users, teams, or departments for rollout groups | | 0.25 |
| 6 | Training strategy | Identify groups and internal advocates who will attend training. Example: end users, service desk, admins | | 0.5 |
| 7 | Document collection (sharing) strategy | Determine how collections will be configured. Considerations include: Will users be allowed to create collections? Will collections be configured by department, project, function? Will data be imported from another application, which often defines structure? Do Admin and Owner users get access to all shared items, or only the Managers of delegated Collections? | [About collections](https://bitwarden.com/help/about-collections/) | 1 |
| 8 | Policy planning | Select policies to be configured at launch | [Policies](https://bitwarden.com/help/policies/) | 0.5 |
| 9 | Rollout timeline | Determine invitation and onboarding mechanisms and timing | | 0.5 |
| 10 | Internal communication | Create internal messaging or memo about Bitwarden rollout. Review Bitwarden templates to get a sense of the communications | [Welcome email templates](https://bitwarden.com/help/welcome-email-templates/) | 1 |
| 11 | Leadership communication | Communicate to internal leaders about Password Management Rollout Strategy | | 0.25 |

## Phase 2 - Organization set up

Set up the technical foundation and configure Bitwarden settings for your customer.

| Step | Topic | Action | Resources | Duration (hours) |
|------|------|------|------|------|
| 12 | Organization owner | Identify the organization owner. The owner is the super-user that can control all aspects of your organization. Decide if you want the email to be associated with a specific user or a team inbox. Additionally, the best practice is two owner accounts for redundancy | [Member roles](https://bitwarden.com/help/user-types-access-control/#member-roles/) | 0.25 |
| 13 | Enterprise policies | Configure Enterprise policies. Any policies should be enabled prior to user invitation. Be sure to check out the following policies: Account recovery administration, Enforce organization data ownership, Activate autofill | [Policies](https://bitwarden.com/help/policies/) | 1 |
| 14 | Collection management settings | Choose how collections will behave in the organization. These settings allow for a spectrum of full admin control to completely self-serve where users can create their own collections. These settings can be used to establish a policy of least privilege | [Managing users](https://bitwarden.com/help/managing-users/) | 0.25 |
| 15 | Co-managed environment | Add administrators or owners to the client organization to co-manage. Best practice is to configure a second owner for redundancy | [Managing users](https://bitwarden.com/help/managing-users/) | 0.5 |
| 16 | Create collections | Collections are where secure items are located and shared with groups of users | [Collections](https://bitwarden.com/help/collections/) | 0.5 |
| 17 | Create user groups | Creating user groups allows easy assignment of collections. If you decide to sync groups and users from your Identity Provider or Directory Service, you may need to reconfigure user and group assignments later | [Groups](https://bitwarden.com/help/groups/) | 0.5 |
| 18 | Collection assignment | Assign groups to collections, making sure to test and demonstrate 'Read Only' and 'Hide Password' options | [User types access control](https://bitwarden.com/help/user-types-access-control/) | 0.5 |
| 19 | Add items | Add items manually to test collections or import via CSV or JSON from another password management application | [Collections](https://bitwarden.com/help/collections/) | 0.25 |
| 20 | Login with SSO | If applicable, configure Login with SSO and organization identifier. Configure to work with SAML 2.0 or OpenID Connect | [Get started with SSO](https://bitwarden.com/help/getting-started-with-sso/) | 1.5 |
| 21 | Domain verification | If applicable, verify company and/or other email domains to allow your users to skip entering the Organization identifier during the Enterprise SSO process. Not necessary for non-SSO organizations | [Domain verification](https://bitwarden.com/help/domain-verification/) | 0.5 |

## Phase 3 - Organization roll out

Deploy Bitwarden across your customer's teams and functions.

| Step | Topic | Action | Resources | Duration (hours) |
|------|------|------|------|------|
| 22 | Technical cadence meeting | Plan implementation phase 3 with client | | 0.5 |
| 23 | Add items to collections | Add items manually to production collections or import data from another password management application | [About collections](https://bitwarden.com/help/about-collections/) | 0.25 |
| 24 | Enterprise policies | Enterprise Policies can be used to tailor your Bitwarden Organization to fit your security needs. Enable and configure desired policies before user onboarding begins | [Policies](https://bitwarden.com/help/policies/) | 0.1 |
| 25 | Login with SSO | If applicable, configure Bitwarden to authenticate using your SAML 2.0 or OIDC Identity Provider | [About SSO](https://bitwarden.com/help/about-sso/) | 1.5 |
| 26 | Early users | Add a set of users to the client organization manually and assign them to different groups. With these users, you'll broadly test all pre-configured functionality in the next step, before moving on to advanced functions like Directory Connector. Share the attached onboarding workflow instructions with the users | [Managing users - Invite](https://bitwarden.com/help/managing-users/#invite/) [Onboarding Workflows](https://bitwarden.com/help/onboarding-workflows/) | 0.5 |
| 27 | SIEM integration | If applicable, connect Bitwarden to customer's SIEM tool | [SIEM](https://bitwarden.com/help/event-logs/#siem-and-external-systems-integrations/) | 0.5 |
| 28 | Bitwarden clients | All Organization members added for the pilot group should download Bitwarden on an assortment of devices, log in, and test access to shared items via collections. They should test the proper implementation of policies. | [Download](https://bitwarden.com/download/) | 0.5 |
| 29 | Deploy client applications | Configure your application management or MDM tooling to prepare for mass deployment of Bitwarden applications | [Deploy client applications](https://bitwarden.com/help/browserext-deploy/) | 0.5 |
| 30 | Disable built-in password manager | Make Bitwarden Password Manager the default password manager and turn off built-in browser solutions. Educate users how to do the same when onboarded | [Disable built-in password manager](https://bitwarden.com/help/getting-started-browserext/#disable-a-built-in-password-manager/) | 0.25 |
| 31 | Test user onboarding | Configure and test Bitwarden SCIM or Directory Connector integrations to automatically sync users and groups | [About SCIM](https://bitwarden.com/help/about-scim/) [About Directory Connector](https://bitwarden.com/help/directory-sync/) | 1.5 |
| 32 | User onboarding | Execute on SCIM or Directory Connector syncing to invite additional users in groups to the organization. Share the attached onboarding workflow instructions with the users | [About SCIM](https://bitwarden.com/help/about-scim/) [About Directory Connector](https://bitwarden.com/help/directory-sync/) [Onboarding Workflows](https://bitwarden.com/help/onboarding-workflows/) | 1 |

## Phase 4 - User training

Train all users and stakeholders on how to use Bitwarden and provide continuing education.

| Step | Topic | Action | Resources | Duration (hours) |
|------|------|------|------|------|
| 33 | Admin training | Provide essential day-to-day task training for administrative users with the addition of any special topics requested. Example special topics include, but are not limited to: demonstrating the configured SSO login flow, user onboarding and offboarding, custom roles | [Get to know the Admin Console](https://bitwarden.com/help/get-started-administrator/#get-to-know-the-admin-console/) [Bitwarden for business admins](https://bitwarden.com/help/courses/bitwarden-for-business-admins/) | 0.75 |
| 34 | Service desk training | Advise service desk users on their role/operations. Review what tasks can be done with the custom role and what requires admin intervention | | 0.75 |
| 35 | Team member training | A general training session for end users will cover: Bitwarden for all devices, setting up the Bitwarden Browser Extension, creating your account, getting to know the Bitwarden vault, how to use the Bitwarden Password Manager, Bitwarden Send | [Get to know your vault](https://bitwarden.com/help/get-started-team-member/#get-to-know-your-vault/) [Get to know Password Manager](https://bitwarden.com/help/get-to-know-password-manager/) | 0.75 |
| 36 | Ongoing education | All users can take advantage of monthly new and updated learning content in the Bitwarden Learning Center | [Learning](https://bitwarden.com/learning/) | 0.75 |

--- URL: https://bitwarden.com/help/bitwarden-glossary/ ---

# Bitwarden Glossary of Terms

## General

| Terminology | Definition |
|------|------|
| Account | A Bitwarden account is the record defined by your username and master password (which only you know). Your Bitwarden account is used to access Bitwarden services and also contains information such as billing, settings, language preference, and more. |
|   Account Switching | The Bitwarden feature for desktop and mobile clients that enables you to easily switch between multiple accounts, such as your personal or work accounts. [Learn more](https://bitwarden.com/help/account-switching/). |
|   Personal Account | A personal Bitwarden account is the record defined by your username and master password (which only you know) that is not associated with an Organizational vault or related to a company or business entity. A personal account is generally set up with a personal email address and contains vault items over which only you have ownership and control. |
|   Business Account | A business Bitwarden account is the record defined by your username and master password (which only you know) that is associated with an Organization related to a company or business entity. A business account is generally set up with a business email address. A business account is governed by the associated organization. Any vault items or secrets contained within a business account should be considered proprietary to the related company or business entity. |
| API Key | The application programming interface (API) key is a specific identifying code for a user or program. The API key can be used to integrate other applications with Bitwarden for the uses of automation, monitoring, and more. The API key is a sensitive secret and should be handled carefully. |
| Clients / Bitwarden Client | The client, or client application, is the application that logs into Bitwarden. This includes the web, mobile, and desktop apps, the Bitwarden CLI, and browser extensions. Clients may be downloaded from the [Downloads page](https://bitwarden.com/download/). |
| Directory Connector | An application to sync users and groups from a directory service to a Bitwarden Organization. The Bitwarden Directory Connector automatically provisions and deprovisions users, groups, and group associations from the source directory. [Learn more.](https://bitwarden.com/help/directory-sync-desktop/#sync-with-directory-connector/) |
| Domain Verification | The process of an organization proving their ownership of a specific internet domain (e.g., mycompany.com). Domain verification allows for additional features to be activated, such as users being able to skip inputting the SSO identifier during the login process. [Learn more.](https://bitwarden.com/help/claimed-domains/) |
| Groups | A set of Organization members. Groups relate users together, and provide a scalable way to assign permissions, such as access to Collections, projects, or secrets, as well as permissions within each separate Collection. When provisioning new users, add them to a Group to have them automatically inherit that Group’s configured permissions. |
| Master Password | Also known as a Bitwarden password, main password, account password, or vault password. The primary method (or key) for accessing your Bitwarden account and data, the master password is used both for authenticating your identity to the Bitwarden service and for decrypting your sensitive data such as vault items or secrets. Bitwarden encourages users to establish one that is memorable, strong, and unique in that it is used only for Bitwarden. *In 2021, Bitwarden introduced Account Recovery Administration (formerly Admin Password Reset), which enables Enterprise users and organizations to implement a policy that allows Administrators and Owners to reset master passwords for enrolled users.* [*Learn more.*](https://bitwarden.com/help/master-password/) |
| Organization | An entity (company, institution, group of people) that relates Bitwarden users to shared Organization data such as logins within an Organization vault or a Secrets Manager Project for secure sharing of items. |
| Plan | Plans define the services that Bitwarden provides through licensing, including available features and number of users able to use the product. There are multiple types of pre-defined plans available for individuals or organizations to subscribe to. |
| Policies | Policies are organization-wide controls that help an administrator keep a company secure by enabling additional settings for how their members (also called end users) use Bitwarden. These policies ensure a uniform standard of security. [Learn more.](https://bitwarden.com/help/policies/) |
| SCIM | System for cross-domain identity management (SCIM) can be used to automatically provision members and groups in your Bitwarden organization. Bitwarden servers provide a SCIM endpoint that, with a valid SCIM API Key, will accept requests from your identity provider (IdP) for user and group provisioning and de-provisioning. [Learn more.](https://bitwarden.com/help/about-scim/) |
| Single Sign-On (SSO) | A session and user authentication service that grants employees or users access to applications with one set of login credentials that are based on their identity and permissions. Single Sign-On has multiple implementation options, and is widely compatible with Identity Providers (IdPs) allowing customers to leverage their existing solution. [Learn more.](https://bitwarden.com/help/sso-decryption-options/) |
|   Login with SSO | An implementation of Single Sign-On. With this method, the user is authenticated by an Identity Provider, then the user enters their Bitwarden password to decrypt their data. [Learn more.](https://bitwarden.com/help/about-sso/) |
|   SSO with Trusted Devices | A passwordless implementation of Single Sign-On. With this method, the user is authenticated by an Identity Provider and their data is decrypted through a process that utilizes a device encryption key stored on designated, trusted devices. [Learn more.](https://bitwarden.com/help/about-trusted-devices/) |
|   SSO with Customer Managed Encryption | An advanced passwordless implementation of Single Sign-On available to self-hosted organizations. With this method, the user is authenticated by an Identity Provider, then the user's encryption key is automatically retrieved from a self-hosted key server utilizing Key Connector, allowing for user data to be decrypted. [Learn more.](https://bitwarden.com/help/about-key-connector/) |
| Subscription | The subscription is the transactional agreement between the customer and Bitwarden as part of the issuance of a license. Owners subscribe to plans at the agreed-upon fee on a recurring basis (monthly or annual) for the services provided by Bitwarden outlined in the plan. |

## Bitwarden Password Manager

| Terminology | Definition |
|------|------|
| Autofill | A software feature that automatically enters previously stored information into a form field. Using Bitwarden, you can autofill logins via browser extensions and mobile devices, and autofill cards and identities via browser extensions. [Learn more.](https://bitwarden.com/help/getting-started-browserext/#auto-fill-a-login/) |
| Collections | A unit to store one or more vault items together (logins, notes, cards, and identities for secure sharing) by a business within a Bitwarden Organization. [Learn more.](https://bitwarden.com/help/about-collections/) |
| Individual Vault | The Individual vault is the protected area for every user to store unlimited logins, notes, cards, and identities. Users can access their Bitwarden Individual vault on any device and platform. **Within a business context:** For users that are part of a Bitwarden Teams or Enterprise plan, an Individual vault is connected to their work email address. Individual vaults are often associated with, but separate from, an Organization vault. **Within a personal context:** For users that are part of a Bitwarden personal or families plan, an Individual vault is connected to their personal email address. If part of a families plan or free two-person organization, the Individual vault remains separate from the Organization vault, but both are accessible by the user. Bitwarden recommends associating work email addresses with Teams and Enterprise Organizations, and personal email addresses with families organizations. Note: the Individual vault may be turned off for members of an Enterprise organization through an enterprise policy. |
| Items / Vault Items | Items are the individual entries that can be saved and shared in Bitwarden Password Manager such as logins, notes, cards, and identities. |
| Organization Member / Members | An end user such as an employee or family member that has access to shared Organization items within their vaults, alongside individual items within their individual vault. |
| Organization Vault | The protected area for shared items. Every user (also called a “member”) who is part of an Organization can find shared items in their vault view, alongside individually owned items. Organization vaults allow administrators and owners to manage the Organization’s items, users, and settings. |
| Vault / Vaults view | The secure storage area that provides a unified interface and tight access control to any item. |

## Bitwarden Secrets Manager

| Terminology | Definition |
|------|------|
| Access token | A key that facilitates service account access to, and the ability to decrypt, secrets stored in your vault. [Learn more.](https://bitwarden.com/help/secrets-manager-quick-start/#create-an-access-token/) |
| Name | A user-defined label for a specific secret. |
| Project | Collections of secrets logically grouped together for management access by your DevOps and cybersecurity teams. [Learn more.](https://bitwarden.com/help/projects/) |
| Secret | Sensitive key-value pairs, like API keys, that your organization needs to store securely and that should never be exposed in plain code or transmitted over unencrypted channels. |
| Service account | Non-human machine users, like applications or deployment pipelines, that require programmatic access to a discrete set of secrets. |
| Value | A user-defined field of a stored secret that is used in software or machine processes. This is the sensitive information that is managed by Bitwarden Secrets Manager and can include API keys, application configurations, database connection strings, and environment variables. |

## Bitwarden Passwordless.dev

| Terminology | Definition |
|------|------|
| FIDO | FIDO is the acronym for Fast Identity Online. It represents a consortium that develops secure, open passwordless authentication standards that are phishing proof. The FIDO protocols, which were developed by the FIDO Alliance, include: UAF: Universal Authentication Framework; U2F: Universal Second Factor; FIDO2: a new passwordless authentication protocol that contains core specifications WebAuthn (the client API) and CTAP (the authenticator API). [Learn more.](https://docs.passwordless.dev/guide/concepts.html#fido2) |
| Passkeys | Passkeys – the credentials derived from the FIDO2 standard for each website that a user registers to – enable users to create and store cryptographic tokens instead of traditional passwords. Today, passkeys are used to log users into an app or website with pre-authenticated device specific tokens. In the future, the process could be used with shareable or transferable cryptographic tokens. [Learn more.](https://docs.passwordless.dev/guide/concepts.html#passkeys) |
| Passwordless | Passwordless is the umbrella term used to describe a variety of authentication technologies that do not rely on passwords, including: something a user has (a security key, token, or device), something they are (biometrics), and passkeys. |

--- URL: https://bitwarden.com/help/bitwarden-onboarding-playbook/ ---

# Bitwarden Onboarding Playbook

This playbook provides IT administrators with a flexible roadmap for onboarding users to Bitwarden Password Manager across five key phases. While the phases are presented in sequence, they're not strictly linear. Many steps can happen in parallel based on your team's needs and timeline.

Throughout this guide, you'll find action items in code boxes that can be copied and pasted directly into your project management tools, internal documentation, or team communication platforms. This makes it easy to track progress, assign tasks, and maintain accountability during your Bitwarden rollout. Use this guide as a foundation and adapt it to fit your environment.

### 1: Training

> [!NOTE] Phase 1 tip
> Phase 1 focuses on educating stakeholders, preparing systems, and establishing the knowledge base for successful setup. Bitwarden recommends scheduling training sessions for each group or team before or during rollout.
## Key objectives - Establish training programs for all user levels - Prepare technical infrastructure and requirements - Create organizational and collection management policies and procedures - Build internal expertise and support capabilities ## Activities #### Step 1: Administrator training **Key personnel:** IT directors, system admins, owners **Training topics:** - Bitwarden architecture and enterprise features - Scalable sharing capabilities - Collection setup; organize and group related credentials, secrets, or other vault items - Adding a user to the Bitwarden organization  - Assigning appropriate permissions to members or groups for each collection - Assigning certain items to multiple collections so the right people can access without duplication  - Setup and Policies - SSO setup and integration workflows - Two-factor authentication setup and policies - Security policies and enterprise controls - Management and reporting - Custom fields and roles management - User and group management best practices - Event logging and reporting capabilities Copy and paste this list directly into your project management tools, internal documentation, or team communication platforms to easily track progress, assign tasks, and maintain accountability: ```plain text [ ] Schedule administrator training sessions [ ] Review enterprise feature requirements [ ] Document SSO integration requirements [ ] Plan custom roles and permission structures [ ] Establish security policy framework [ ] Document cyber insurance compliance requirement [ ] Prepare business case including insurance premium impact [ ] Align rollout timeline with insurance renewal dates ``` #### Step 2: Service desk training  **Key personnel:** Help desk staff, customer success leads **Training topics:** - Common user issues and troubleshooting - Password reset procedures and limitations - Account recovery processes - Escalation procedures for complex issues Copy and paste this list directly into your project 
management tools, internal documentation, or team communication platforms to easily track progress, assign tasks, and maintain accountability: ```plain text [ ] Train support staff on Bitwarden functionality [ ] Create troubleshooting documentation [ ] Establish support ticket workflows [ ] Define escalation procedures ``` #### Step 3: End user training  Note: For many customers, end user training comes right before or during rollout, as each department is onboarded. Bitwarden recommends prioritizing admin training first.  **Key personnel:** All end users across the company **Training topics:** - Password import processes and best practices if applicable  - Cross-platform Bitwarden usage (desktop, mobile, web, browser) - Account creation and master password guidelines - Vault navigation and organization features - How to save a new login - Autofill options - Password generator  - Bitwarden Send for secure sharing - Collaboration through collections Copy and paste this list directly into your project management tools, internal documentation, or team communication platforms to easily track progress, assign tasks, and maintain accountability: ```plain text [ ] Schedule organization-wide training sessions by functions; recommend starting with more technical teams (ie. tech team, data team) [ ] Create user documentation and quick reference guides. 
Leverage resources available in the Bitwarden help center [ ] Prepare import templates and migration tools [ ] Establish help desk support procedures ``` #### Step 4: Leadership training **Key personnel:** Department leads, executive leadership **Training topics:** - Why Bitwarden is important for securing the organization  - Password import processes and best practices if applicable  - Identify at-risk passwords with Vault Health reports  - Cross-platform Bitwarden usage (desktop, mobile, web, browser) - Account creation and master password guidelines - Vault navigation and organization features - How to save a new login - Autofill options - Password generator  - Bitwarden Send for secure sharing - Collaboration through collections Copy and paste this list directly into your project management tools, internal documentation, or team communication platforms to easily track progress, assign tasks, and maintain accountability: ```plain text [ ] Get leadership buy-in and identify advocates. Bitwarden research shows that company-wide password management mandates more than doubles regular usage.  [ ] Train leadership on importance of using a password manager [ ] Show leadership how easy it is to use ``` ### 2: Setup  > [!NOTE] Phase 2 Tip > Phase 2 is the technical setup phase where Bitwarden is deployed and configured for your organization.  ## Key objectives - Deploy Bitwarden infrastructure (cloud or self-host) - Configure organizational structure and policies - Establish security and identity integrations ([SSO](https://bitwarden.com/resources/choose-the-right-sso-login-strategy/), [SCIM](https://bitwarden.com/help/about-scim/)) - Prepare for user rollout (see [phase 3](https://bitwarden.com/help/bitwarden-onboarding-playbook/#tab-3:-prep-5hNzVYHnEiUgdYnhS6KJ0t/))  ## Option A: Bitwarden cloud (recommended) Bitwarden hosted is recommended for most organizations. 
Enjoy easy scalability, automatic updates, and minimal maintenance on secure, reliable servers managed by Bitwarden. #### Step 1: Pre-setup planning Before diving into the technical setup, it's important to establish your organizational strategy and approach. Below are key recommendations to consider. ##### Choose between US or EU cloud server regions Organizations must choose [between US or EU cloud server](https://bitwarden.com/help/server-geographies/) regions based on data residency requirements. Bitwarden cannot migrate accounts from one region to another for customers. A script is available for organizations to help facilitate migrations. Subscriptions can be transferred from one region to another region by contacting support. ##### Set the foundation for centralized ownership and credential lifecycle management **New customers ** - Begin with centralized ownership by enabling the **Enforce organization data ownership**policy from day one and start managing the entire credential lifecycle across applications.  - Every user (excepting admins and owners at this time) receives an organization-owned **My items** space for seamless, day-to-day work - All credentials are organization-owned, with reporting benefits built in - Simplify employee transitions, so credentials follow the person’s role changes and can be seamlessly reassigned when responsibilities shift.  **Existing customers** - Continue using your current setup while Bitwarden prepares a seamless path to centralized ownership for previously individual-held credentials.  - You’ll soon be able to bring every credential into the company vault, aligning all users under a single model of ownership - Contact your account team for more information on timing - Gain organization-wide control and insights into credential health and usage with centralized reporting. - Ensure seamless employee transitions by securely reassigning or deleting credentials without disruption. 
- Enforce least privilege by assigning roles, segmenting credentials into collections by department or function, and granting users and groups access only to the collections they need.
- Reinforce good password practices and begin bringing insights into the credential lifecycle (creation, access, transfer, and deletion) with enterprise policies.

##### Bitwarden recommends SSO with trusted devices

For the best user experience, Bitwarden recommends [SSO with trusted devices](https://bitwarden.com/help/about-trusted-devices/). This allows employees to log in and decrypt their vaults in a single step, though it requires additional IT admin setup time. Here are items to consider with this approach:

- Enforce a vault timeout policy of "Log out", which provides one consistent user experience: after timeout, employees simply re-authenticate via SSO with no master password required.
- In trusted devices environments, “Unlock” behaves as “Log out” unless users configure PIN or biometrics.
- If your organization actively promotes PIN or biometrics, admins may choose “Unlock”, but only if user communications make that expectation clear.
- Vault timeout: Bitwarden recommends between 4-10 hours for most use cases to balance productivity and security.

Copy and paste this list directly into your project management tools, internal documentation, or team communication platforms to easily track progress, assign tasks, and maintain accountability:

```plain text
[ ] Determine cloud server region (US, EU)
[ ] Determine overall organizational data ownership
[ ] Choose authentication and decryption strategy
[ ] Define user onboarding and deprovisioning approach
    [ ] Manual invitation
    [ ] Bitwarden Directory Connector
    [ ] SCIM
    [ ] Just-in-Time SSO
[ ] Define vault ownership strategy (Individual vaults vs. Organization-only)
[ ] Identify user groups for rollout phases
[ ] Stakeholder selections:
    [ ] Project lead
    [ ] Identity provider admin
    [ ] Executive sponsor
    [ ] Security and compliance admin
    [ ] Support/help desk admin
    [ ] Device management admin (for client deployment)
    [ ] Business continuity admin
    [ ] Directory/user management admin
```

#### Step 2: Organization creation

Copy and paste this list directly into your project management tools, internal documentation, or team communication platforms to easily track progress, assign tasks, and maintain accountability:

```plain text
[ ] Create new Bitwarden organization account
[ ] Select appropriate enterprise plan
[ ] Configure billing and payment methods
```

#### Step 3: Core setup

Follow the recommendations below to ensure a smooth Bitwarden setup.

##### Claim all corporate email domains

To restrict certain user actions, grant administrators greater control, and simplify the login experience for your users.

##### Set up enterprise policies before user onboarding

Set up all [enterprise policies](https://bitwarden.com/help/policies/) before user onboarding begins to ensure consistent security controls from day one.

##### Establish strong security baselines

With minimum 14-16 character [master passwords](https://bitwarden.com/help/policies/#master-password-requirements/) (including uppercase, lowercase, numbers, and symbols) and password generator minimums of at least 14 characters with symbols and numbers.

##### Enable single organization restriction

To prevent users from joining other Bitwarden organizations, maintain data governance, and prevent potential data leaks.

##### Set up your organization vault

If you already use groups and objects in your IdP or Directory, mirror that framework in Bitwarden for consistency. Folder-like objects will automatically be converted to collections during import.

Remember: Bitwarden is different from traditional applications.
For Bitwarden, everything is protected with end-to-end encryption, and access policies are enforced at the client level. That means:

- Admins can define and assign access, but they can’t see the credentials themselves.
- Collections and groups are the way Bitwarden enforces access while preserving zero-knowledge.
- Some operations (syncing, policy checks, vault actions) require additional processing on the client side instead of being visible in plaintext to the server.

If starting from scratch:

- [Collections (what gets shared)](https://bitwarden.com/help/collection-management/): Best practice is to organize Collections based on the function of the resources being shared (e.g., shipping profiles, advertising platform logins). Keep collections broad at first; add granularity when necessary. Typically, IT admins manage org-wide collections, while team leads manage department-specific ones.
- [Groups (who gets access)](https://bitwarden.com/help/about-groups/): Use Groups to represent departments or teams (e.g., Marketing, Finance) and align them 1:1 with collections for clarity. Unique groups that span functions (executive assistants, IT admins, purchase approvers) are also common.

> [!NOTE] Scalable sharing tip
> **Remember**: The Bitwarden scalable sharing model means that items can live in multiple collections simultaneously, without compromising security. Teams can access credentials they need without unnecessary exposure to entire vaults.

Copy and paste this list directly into your project management tools, internal documentation, or team communication platforms to easily track progress, assign tasks, and maintain accountability:

```plain text
[ ] Configure domain claiming
[ ] Set up enterprise policies for mandatory security controls
[ ] Set up password and password generator minimums
[ ] Organization data ownership enforcement to require all vault items in organization
[ ] Create organizational structure - collections, groups
[ ] Configure user roles and permissions
```

#### Step 4: Integration setup

Copy and paste this list directly into your project management tools, internal documentation, or team communication platforms to easily track progress, assign tasks, and maintain accountability:

```plain text
SSO integration (if applicable):
[ ] Configure SAML 2.0 or OIDC with identity provider
[ ] Test SSO login workflows
[ ] Configure trusted devices (if applicable)
[ ] Document SSO troubleshooting procedures

Directory Integration (if applicable):
[ ] Install and configure Directory Connector
[ ] Set up SCIM provisioning (Azure AD, Okta, OneLogin, JumpCloud)
[ ] Test user and group synchronization
[ ] Schedule automated sync intervals
```

#### Step 5: Security controls

Copy and paste this list directly into your project management tools, internal documentation, or team communication platforms to easily track progress, assign tasks, and maintain accountability:

```plain text
[ ] Set up event logging and SIEM integration
[ ] Establish backup and recovery procedures
```

## Option B: Self-hosted (advanced)

*What does it mean to self-host?*

Running Bitwarden on your own servers requires advanced technical knowledge and IT infrastructure. It also means that you are responsible for server maintenance, security, uptime, and updates.
To assess whether self-hosting is right for you:

- Do you already have anything else self-hosted?
- Do you have dedicated hardware to run the server?
- Is there an IT or DevOps team that will be responsible for the server?
- Are you familiar with Docker, or Kubernetes and Helm charts?
- Are you comfortable installing software using [Linux terminal](https://bitwarden.com/help/install-on-premise-linux/) or [PowerShell](https://bitwarden.com/help/install-on-premise-windows/#installation-procedure/)?

If you decide to self-host Bitwarden, follow the steps below.

#### Step 1: Pre-setup planning

Copy and paste this list directly into your project management tools, internal documentation, or team communication platforms to easily track progress, assign tasks, and maintain accountability:

```plain text
[ ] Choose self hosted deployment method (Linux standard/manual/offline, Windows standard/offline, or Kubernetes)
[ ] Define server/VM specs and hosting environment (environment variables, firewall or proxy)
[ ] Decide on SSL certificate approach
[ ] Plan network architecture, firewall or proxy rules, access controls
[ ] Scalability planning
[ ] Select key roles
    [ ] Project lead
    [ ] Executive sponsor
    [ ] Server admin
    [ ] Docker admin
    [ ] Network admin
    [ ] Firewall admin
    [ ] Support/help desk admin
    [ ] Database admin
    [ ] Identity provider admin
    [ ] SMTP admin
    [ ] Security and compliance admin
    [ ] Backups admin
    [ ] Business continuity admin
    [ ] Disaster recovery admin
    [ ] Device management admin
```

#### Step 2: Infrastructure preparation

Set up a dedicated environment for your Bitwarden server. Requirements vary depending on your operating system. See [Help center](https://bitwarden.com/help/self-host-bitwarden/) for detailed instructions.
Copy and paste this list directly into your project management tools, internal documentation, or team communication platforms to easily track progress, assign tasks, and maintain accountability:

```plain text
[ ] Provision hardware that meets minimum requirements
[ ] Configure DNS records and domain name
[ ] Open ports 80 and 443
[ ] Install server offerings and containerization tools
[ ] Obtain installation ID and key from Bitwarden
[ ] Secure SSL certificates
```

#### Step 3: Bitwarden server installation

Install Bitwarden in your prepared environment. The exact steps differ depending on the operating system.

#### Step 4: Organization setup

Copy and paste this list directly into your project management tools, internal documentation, or team communication platforms to easily track progress, assign tasks, and maintain accountability:

```plain text
[ ] Create cloud organization for billing purposes
[ ] Link self-hosted installation to billing organization
[ ] Configure enterprise settings and policies
[ ] Set up collections and groups structure
[ ] Test all integrations (SSO, SCIM)
```

#### Step 5: Maintenance planning

Copy and paste this list directly into your project management tools, internal documentation, or team communication platforms to easily track progress, assign tasks, and maintain accountability:

```plain text
[ ] Create server update and maintenance schedule
[ ] Implement automated backup system
[ ] Set up off-site backup storage
[ ] Test disaster recovery procedures
[ ] Document maintenance and backup/recovery procedures
[ ] Set up monitoring and alerting for backup failures; evaluate backup methods
```

### 3: Plan

> [!NOTE] Phase 3 Tip
> Phase 3 focuses on organizational readiness and communication before user onboarding begins. This phase ensures smooth user adoption by setting proper expectations, addressing concerns, and creating organizational momentum for the change.
## Key objectives

- Communicate the Bitwarden implementation to the entire organization
- Address user concerns and resistance to change
- Prepare support resources and documentation
- Conduct final system testing and validation
- Create organizational excitement and buy-in for improved security

## Activities

#### Step 1: Prepare company-wide communication from leadership

> [!NOTE] Mandate Tip
> Leadership is critical to adoption success. [Bitwarden research](https://bitwarden.com/resources/bitwarden-security-impact-report/) shows that company-wide password management mandates more than double regular usage.

**Key personnel:** Executive leadership, IT leadership, communications team, department leads.

Copy and paste this list directly into your project management tools, internal documentation, or team communication platforms to easily track progress, assign tasks, and maintain accountability:

```plain text
[ ] Prepare leadership talking points about security benefits
[ ] Schedule leadership communication sessions (all-hands, team meetings)
[ ] CEO/Leadership announcement about password security initiative
[ ] Clear messaging about why Bitwarden was chosen
[ ] Timeline communication for rollout phases
[ ] Expectation setting for mandatory adoption
[ ] Emphasis on security benefits for both work and personal use
[ ] Highlight cyberinsurance benefits and that implementing Bitwarden is a prerequisite to get approved for higher level of coverage; document insurance coverage being met
```

#### Step 2: Organizational communication campaign

**Key personnel:** Communications team, HR, IT support.
Copy and paste this list directly into your project management tools, internal documentation, or team communication platforms to easily track progress, assign tasks, and maintain accountability:

```plain text
Communication strategy:
[ ] Develop multi-channel communication plan (email, intranet, meetings)
[ ] Create consistent messaging about security benefits
[ ] Address common concerns and objections proactively
[ ] Highlight ease of use and convenience benefits
[ ] Share success stories from pilot users or other organizations

Pre-rollout communications:
[ ] All hands meeting: Initial introduction to Bitwarden
    [ ] Why we're implementing password management / Bitwarden
    [ ] Security benefits for the organization and individuals
    [ ] Why it is important to follow the directions shared by IT
    [ ] Expect more details in your email inbox
[ ] Announcement email: More details on Bitwarden and roll out plan
    [ ] Recap: Why we're implementing password management / Bitwarden
    [ ] Recap: Security benefits for the organization and individuals
    [ ] Timeline for rollout and training
    [ ] What to expect in coming weeks
[ ] FAQ document: Address common questions and concerns
    [ ] "Will this slow down my workflow?"
    [ ] "What happens to my existing passwords?"
    [ ] "Is my personal information secure?"
    [ ] "What if I forget my master password?"
    [ ] "Do I have to use this for personal passwords, too?"
```

#### Step 3: Change management readiness

**Key personnel:** HR, change management team, department managers

**Change management activities**

Copy and paste this list directly into your project management tools, internal documentation, or team communication platforms to easily track progress, assign tasks, and maintain accountability:

```plain text
[ ] Identify and engage change champions in each department
[ ] Conduct department-specific communication sessions
[ ] Address cultural and workflow concerns
[ ] Plan for resistance management and additional support
[ ] Create peer support networks and feedback channels
```

### 4: Rollout

> [!NOTE] Phase 4 Tip
> Phase 4 ensures Bitwarden is actively used with the introduction of users to Bitwarden, ensuring proper account setup and initial usage.
>
> Reminder for admins: all Bitwarden onboarding follows the **process flow:** Invite → Accept → Confirm

## Key objectives

- Onboard all users to the platform in phases or all at once
- Ensure proper account setup and security setup
- Facilitate password migration and initial vault population
- Establish user proficiency with core features

## Choose your rollout path

**Option A: Phased rollout (recommended for most organizations)**

- Roll out in waves across teams and departments (e.g., 10% > 20% > 70%)
- Ideal for larger organizations or those who want to reduce internal disruption
- Makes it easier to pace communications and training, prevents service desk overload, and allows admins to iterate and improve the process.

**Option B: All at once (advanced)**

- Works well for smaller organizations or large organizations with strong IT and training resources
- Best if you can coordinate communications and support for everyone at once

> [!NOTE] Rollout Callout
> Running a small pilot (20-100 users, depending on your organization size) can help validate rollout across all main use cases (desktop, mobile, browser, SSO, etc.). This helps refine communications and creates internal champions.
Important note on the invitation and re-invitation process:

Invite users after enterprise policies are configured and the core admin team has onboarded. This ensures new members are immediately subject to your organization’s security and usage standards.

Users automatically receive an email invitation when provisioned via SCIM or Directory Connector. For phased rollouts, coordinate with your IT or email team to filter (based on subject lines) specific onboarding emails at the mail gateway and send these emails when you’re ready for the next group to onboard.

After a user accepts their invitation, an organization admin or owner must confirm their membership before vault access is granted. During rollout, admins should check the Members screen regularly (multiple times per day for larger orgs) to approve pending users. Confirmation can be automated with a script, but note that doing so reduces security visibility.

Invitations expire after 7 days. Users still showing as Invited after several days may need IT follow-up to ensure adoption. Admins can also trigger a Reinvite, which sends a fresh invitation email as a reminder to join the organization.
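One way to script the pending-member check without losing that visibility, as an added example (not Bitwarden's code or API): only members on the current wave's roster are queued for confirmation, and anyone else who accepted is held for manual review. The record fields, status strings, roster and 3-day reminder threshold are assumptions of this example; the 7-day expiry is the figure stated above.

```javascript
// Added example. Member records are constructed; map the hypothetical fields
// (email, status, invitedAt) from whatever member export your admins use.
const INVITE_TTL_DAYS = 7; // from the guide: invitations expire after 7 days
const DAY_MS = 24 * 60 * 60 * 1000;

// Sort members of the Invite -> Accept -> Confirm flow into action queues.
// waveRoster: emails expected in the current rollout wave (e.g. an IdP export).
// now: current time in milliseconds since the epoch.
function triageMembers(members, waveRoster, now, remindAfterDays = 3) {
  const roster = new Set(waveRoster.map((e) => e.trim().toLowerCase()));
  const report = { confirm: [], holdForReview: [], remind: [], expired: [] };

  for (const m of members) {
    const email = m.email.trim().toLowerCase();
    if (m.status === "accepted") {
      // Accepted but not confirmed: vault access is still blocked.
      // Only roster members are safe to confirm in bulk; the rest need a human.
      (roster.has(email) ? report.confirm : report.holdForReview).push(email);
    } else if (m.status === "invited") {
      const ageDays = (now - Date.parse(m.invitedAt)) / DAY_MS;
      if (ageDays >= INVITE_TTL_DAYS) report.expired.push(email); // needs a Reinvite
      else if (ageDays >= remindAfterDays) report.remind.push(email); // IT follow-up
    }
    // "confirmed" members need no action.
  }
  return report;
}

// Constructed sample data.
const SAMPLE_NOW = Date.parse("2025-03-10T12:00:00Z");
const WAVE_ROSTER = ["alice@example.com", "bob@example.com", "carol@example.com",
                     "dave@example.com", "erin@example.com"];
const SAMPLE_MEMBERS = [
  { email: "alice@example.com",   status: "accepted",  invitedAt: "2025-03-08T12:00:00Z" },
  { email: "Bob@Example.com",     status: "accepted",  invitedAt: "2025-03-08T12:00:00Z" },
  { email: "mallory@example.net", status: "accepted",  invitedAt: "2025-03-09T12:00:00Z" },
  { email: "carol@example.com",   status: "invited",   invitedAt: "2025-03-09T12:00:00Z" },
  { email: "dave@example.com",    status: "invited",   invitedAt: "2025-03-06T12:00:00Z" },
  { email: "erin@example.com",    status: "invited",   invitedAt: "2025-03-01T12:00:00Z" },
  { email: "frank@example.com",   status: "confirmed", invitedAt: "2025-02-20T12:00:00Z" },
];

console.log(triageMembers(SAMPLE_MEMBERS, WAVE_ROSTER, SAMPLE_NOW));
```

Logging the `holdForReview` queue to your SIEM keeps a record of every accepted account that was not confirmed automatically.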
#### Step 1: Rollout planning

> [!NOTE] Phased Rollout
> The phased rollout approach, department by department, was selected by [Bitwarden customers as being “very effective.”](https://bitwarden.com/resources/bitwarden-security-impact-report/)

**Key personnel:** Organization administrators

Copy and paste this list directly into your project management tools, internal documentation, or team communication platforms to easily track progress, assign tasks, and maintain accountability:

```plain text
[ ] Identify groups of users who will be onboarded first (usually more technical teams)
[ ] Follow a 10-20-70 rule for roll out (first 10% of users, then 20%, then 70%)
[ ] Document timeline for each roll out phase
```

#### Step 2: User account creation and access

**Key personnel:** All invited users, organization administrators

Copy and paste this list directly into your project management tools, internal documentation, or team communication platforms to easily track progress, assign tasks, and maintain accountability:

```plain text
User actions:
[ ] Accept organization invitation via email link
[ ] Log in with existing account or create new account using invited email
[ ] If applicable, create strong master password (14-16+ characters with mixed case, numbers, symbols)

Administrator actions:
[ ] Send organization invitations in planned waves (remember process flow: Invite → Accept → Confirm)
[ ] Distribute Bitwarden onboarding guides and/or customized onboarding guides and intranet knowledge base articles
[ ] Monitor invitation acceptance rates
[ ] Confirm user accounts after acceptance
[ ] Assign users to appropriate groups and collections
[ ] Verify SSO and authentication workflows
[ ] Configure MDM deployment if needed
```

#### Step 3: Client installation and setup

**Key personnel:** All users

Copy and paste this list directly into your project management tools, internal documentation, or team communication platforms to easily track progress, assign tasks, and maintain accountability:

```plain text
Installations:
[ ] Configure server URL if not using vault.bitwarden.com and confirm web vault access
[ ] Install browser extension and pin to toolbar
[ ] Install and configure web vault access
[ ] Download and install desktop application (Windows/macOS/Linux)
[ ] Download mobile apps (iOS/Android)
[ ] Log into all installed clients with master password and 2FA

Setup tasks:
[ ] Configure browser extension settings and permissions
[ ] Set up mobile autofill permissions
[ ] Configure biometric unlock (desktop/mobile, if available)
[ ] Test synchronization across all devices
```

#### Step 4: Vault setup and navigation

**Key personnel:** All users

Copy and paste this list directly into your project management tools, internal documentation, or team communication platforms to easily track progress, assign tasks, and maintain accountability:

```plain text
Navigation training:
[ ] Explore web vault interface and main navigation elements
[ ] Understand difference between My Vault (individual) and Organization Vault (shared)
[ ] Learn to use search functionality across vault items
[ ] Familiarize with item types (Logins, Notes, Cards, Identities)

Collection and organization understanding:
[ ] Understand Collections concept for shared items
[ ] Access items shared through collections
[ ] Learn about Groups and permission levels
[ ] Practice organizing items with folders
```

#### Step 5: Password management implementation

**Key personnel:** All users

Copy and paste this list directly into your project management tools, internal documentation, or team communication platforms to easily track progress, assign tasks, and maintain accountability:

```plain text
Core functionality:
[ ] Practice manually adding new login items
[ ] Learn to edit existing vault items
[ ] Set up browser extension autofill and auto-save features
[ ] Practice different autofill experiences from browser extension
[ ] Use built-in password generator for creating strong passwords
Advanced features:
[ ] Explore Bitwarden Send for secure item sharing with individuals outside of your organization
[ ] Review password history for login items
[ ] Configure autofill options (inline vs context menu)
[ ] Set up TOTP (Time-based One-Time Password) generation
[ ] Utilize clipboard history features
```

#### Step 6: Password migration and import

**Key personnel:** All users, with IT support

Copy and paste this list directly into your project management tools, internal documentation, or team communication platforms to easily track progress, assign tasks, and maintain accountability:

```plain text
Migration process:
[ ] Export passwords from current password managers
[ ] Use Bitwarden import tools for bulk migration
[ ] Manually add critical passwords not captured in import
[ ] Verify all imported items are accessible and functional
[ ] Update weak or duplicate passwords using generator

Quality assurance:
[ ] Complete security audit of imported passwords using Bitwarden vault health reports
[ ] Identify and update weak passwords
[ ] Resolve duplicate entries
[ ] Verify critical business applications are included
```

### 5: Adoption

> [!NOTE] Phase 5 Tip
> Phase 5 focuses on adoption, maximizing value, ensuring security compliance, and maintaining long-term success.

## Key objectives

- Achieve full organizational adoption
- Establish ongoing security and maintenance practices
- Optimize workflows and advanced feature utilization
- Maintain continuous improvement and support
- Incorporate Bitwarden training into new employee onboarding

## Activities

#### Step 1: Adoption and optimization

**Key stakeholders:** All users, organization administrators.
Copy and paste this list directly into your project management tools, internal documentation, or team communication platforms to easily track progress, assign tasks, and maintain accountability:

```plain text
User verification:
[ ] Test login across all devices and browsers
[ ] Verify sharing and collaboration features work properly
[ ] Confirm understanding of organization's password policies
[ ] Validate emergency access and recovery procedures
[ ] Document personal backup and security measures

Administrative verification:
[ ] Monitor user adoption metrics through event logs
[ ] Verify policy compliance across the organization
[ ] Review and optimize collection and group structures
[ ] Analyze usage patterns and identify improvement opportunities
[ ] Deploy technical enforcements such as:
    [ ] Turn off browser based password managers
    [ ] Remove access to documents (Google Docs, Excel, etc.) where passwords were previously stored
```

#### Step 2: Security audit and compliance

**Key stakeholders:** Security team, organization administrators.

Copy and paste this list directly into your project management tools, internal documentation, or team communication platforms to easily track progress, assign tasks, and maintain accountability:

```plain text
Security review:
[ ] Complete comprehensive security audit using Bitwarden reports
[ ] Review exposed passwords and security breaches
[ ] Analyze password strength across the organization
[ ] Monitor 2FA adoption rates
[ ] Review and update security policies as needed

Compliance activities:
[ ] Document compliance with organizational security standards
[ ] Review event logs for suspicious activities
[ ] Validate backup and disaster recovery procedures
[ ] Ensure proper data retention and deletion policies
[ ] Conduct periodic security assessments
```

#### Step 3: Advanced feature implementation

**Key stakeholders:** Power users, organization administrators.
Copy and paste this list directly into your project management tools, internal documentation, or team communication platforms to easily track progress, assign tasks, and maintain accountability:

```plain text
Advanced capabilities:
[ ] Implement custom fields for specialized data
[ ] Configure advanced sharing workflows
[ ] Utilize API integrations for business applications
[ ] Set up automated reporting and monitoring
[ ] Implement CLI tools for advanced users
```

#### Step 4: Ongoing support

**Key stakeholders:** IT support, organization administrators.

Copy and paste this list directly into your project management tools, internal documentation, or team communication platforms to easily track progress, assign tasks, and maintain accountability:

```plain text
Support structure:
[ ] Establish regular support office hours
[ ] Create escalation procedures for complex issues
[ ] Maintain updated documentation and training materials
[ ] Monitor and respond to user feedback
[ ] Provide ongoing training for new features
```

#### Step 5: Continuous improvement

**Key stakeholders:** All users, organizational administrators.
Copy and paste this list directly into your project management tools, internal documentation, or team communication platforms to easily track progress, assign tasks, and maintain accountability:

```plain text
Regular reviews:
[ ] Schedule quarterly security and usage reviews
[ ] Collect and analyze user feedback
[ ] Monitor industry best practices and updates
[ ] Review and update organizational policies
[ ] Plan for future enhancements and expansions

Success metrics:
[ ] User adoption and engagement rates
[ ] Indicators of vault usage such as stored credentials in organizational vaults
[ ] Regular usage of key features (autofill, password saving, password sharing)
[ ] Password security improvements
[ ] Reduction in security incidents
[ ] Time savings in credential management
[ ] Compliance with organizational security standards
```

#### Step 6: New employee onboarding

**Key stakeholders:** New employees, HR, organizational administrators.

Copy and paste this list directly into your project management tools, internal documentation, or team communication platforms to easily track progress, assign tasks, and maintain accountability:

```plain text
[ ] Document Bitwarden best practices in onboarding resources or new hire checklist
[ ] Offer recurring Bitwarden trainings for new employees
[ ] Encourage new hires to ask for help from existing employees
```

### Resources

Use these additional resources to help guide you through the phases during your Bitwarden journey:

## Success checklist

Copy and paste this list directly into your project management tools, internal documentation, or team communication platforms to easily track progress, assign tasks, and maintain accountability:

```plain text
[ ] 100% user adoption of all purchased Bitwarden seats
[ ] Complete password migration from legacy systems and other password managers
[ ] Security posture improvements (reduction of breaches, promotes safe password habits)
[ ] Reduce number of at-risk credentials (reused, exposed, weak) across the entire organization
[ ] Value achieved beyond password management (Bitwarden Send, storing sensitive information such as credit cards, identities, notes, and more)
[ ] Internal champions excited to help others achieve password security success
[ ] Full integration with existing identity and security infrastructure
[ ] Established security policies and compliance procedures
[ ] Ongoing support and maintenance frameworks
[ ] Documented Bitwarden procedures for onboarding new employees
[ ] Optimized workflows for maximum efficiency and security
[ ] Regular monitoring and continuous improvement processes
```

## Bitwarden support

- **Billing support:** Contact customer success for expedited billing assistance
- **Technical support:** Available for all users with comprehensive troubleshooting
- **Enterprise customers:** Ongoing meetings with global accounts managers
- **Executive access:** Periodic meetings with Bitwarden executives for enterprise clients

## Templates

[Rollout email templates](https://bitwarden.com/help/rollout-email-templates/): Email templates to announce the Bitwarden Password Manager rollout to your end users, administrative users, and IT teams. Attach your branding to these emails and adapt them as needed.

[End user onboarding email templates](https://bitwarden.com/help/end-user-onboarding-emails/): Onboarding emails sent to new Bitwarden Enterprise and Teams users from care@bitwarden.com.

[Customer activation kit](https://bitwarden.com/help/customer-activation-kit/): Ready-made communication materials including one-pagers, training videos, posters, email templates, and promotional resources to support your rollout.

[Slide deck announcement template](https://docs.google.com/presentation/d/1zK8NDB6E8ID_ok_yxn5x5qjO7mzeI5CZ-kqcOsfcQcU/edit?usp=sharing): Slide deck template to announce the Bitwarden Password Manager to the whole company or organization. Attach your company branding and roll-out details as needed.
## Go deeper

- [Bitwarden Courses](https://bitwarden.com/help/courses/) - Monthly updated video content
- [Weekly Live Demos](https://bitwarden.com/resources/demos/) - Interactive Q&A sessions
- [Enterprise Feature List](https://bitwarden.com/help/enterprise-feature-list/) - Comprehensive feature documentation
- [API Documentation](https://bitwarden.com/help/api/) - For advanced integrations
- [Community Forums](https://community.bitwarden.com/) - User community and support

--- URL: https://bitwarden.com/help/bitwarden-power-users/ ---

# Bitwarden Power Users

Use this article and the following video guides to become a Bitwarden power user! See how you can take your Bitwarden vault beyond standard password management and use additional security functionality like Bitwarden Send, vault timeout, and biometric unlock. Learn how to organize your vault for streamlined navigation of items, set up custom fields for autofill, and more!

## How to use Bitwarden Send

[![Vimeo Video](https://vumbnail.com/797850224.jpg)](https://vimeo.com/797850224)

*[Watch on Vimeo](https://vimeo.com/797850224)*

**Video Chapters:**

Learn more about Bitwarden Send [here](https://bitwarden.com/help/about-send/), or jump to the following points in the video to learn about specific topics:

- **1:00**: Create a text send.
- **1:25**: Set your send options.
- **3:11**: Receive a send.

## Using custom fields

[![Vimeo Video](https://vumbnail.com/821402921.jpg)](https://vimeo.com/821402921)

*[Watch on Vimeo](https://vimeo.com/821402921)*

**Video Chapters:**

Learn more about using custom fields [here](https://bitwarden.com/help/custom-fields/), or jump to the following points in the video to learn about specific topics:

- **0:30**: Types of custom fields.
- **1:30**: Create a custom field on browser extensions.
- **2:13**: Autofill a custom field.
## Changing your default language for Bitwarden

[![Vimeo Video](https://vumbnail.com/795737043.jpg)](https://vimeo.com/795737043)

*[Watch on Vimeo](https://vimeo.com/795737043)*

**Video Chapters:**

Learn more about changing the app's language [here](https://bitwarden.com/help/localization/), or jump to the following points in the video to learn about specific topics:

- **0:15**: Change language in the web app.
- **0:56**: Change language in the desktop app.

## How to self-host Bitwarden Password Manager on a Raspberry Pi

[![YouTube Video](https://img.youtube.com/vi/4GjjfkMYqqs/maxresdefault.jpg)](https://www.youtube.com/watch?v=4GjjfkMYqqs)

*[Watch on YouTube](https://www.youtube.com/watch?v=4GjjfkMYqqs)*

Learn more about self-hosting with Bitwarden Unified [here](https://bitwarden.com/help/install-and-deploy-lite/), or jump to the following points in the video to learn more about specific topics:

- **0:38**: Configure environment variables.
- **1:53**: Configure optional settings.
- **2:36**: Run the deployment with Docker.

--- URL: https://bitwarden.com/help/bitwarden-resellers/ ---

# Bitwarden Resellers

At Bitwarden, we love our partners! Look no further if you're a reseller who wants to get started offering Bitwarden organizations for your customers.

## Become a partner

Becoming a member of the Bitwarden Partner Program is quick and easy. Our partnership program has been designed to maximize your success across a wide range of shared priorities, strategic requirements, and customer benefits. [Get started today](https://bitwarden.com/partners/).
## More information

Here are some helpful links for you to use when reselling Bitwarden, or to provide to your customers:

- [Password Manager Plans](https://bitwarden.com/help/about-bitwarden-plans/#business-plans/)
- [Secrets Manager Plans](https://bitwarden.com/help/secrets-manager-plans/)
- [Organizations Quick Start](https://bitwarden.com/help/getting-started-organizations/)
- [Secrets Manager Quick Start](https://bitwarden.com/help/secrets-manager-quick-start/)
- [Get Started with Bitwarden: Team Member](https://bitwarden.com/help/courses/password-manager-team-member/)

--- URL: https://bitwarden.com/help/bitwarden-security-white-paper/ ---

# Bitwarden Security Whitepaper

## Overview

#### Everyone is more connected than ever

Internet-connected devices and services are more critical than ever in today’s society. As more and more companies provide innovative software-as-a-service products that improve users’ lives at home and at work, the number of credentials and machine secrets grows exponentially, as do the threats to their security.

#### Cybersecurity threats are high, but practices are low

Threats to user and customer data continue to rise. Almost every week, a breach or ransomware attack makes the news, and those are only the incidents large enough to be published. In 2023, [IBM reported](https://www.ibm.com/reports/data-breach) that the average cost of a US data breach approaches $9.48 million, taking into account investigation costs, legal fees, opportunity cost, and loss of customer trust. Research from [Verizon](https://www.verizon.com/business/resources/reports/2023-data-breach-investigations-report-dbir.pdf) shows that compromised credentials account for 86% of data breaches. This includes the use of passwords that have been guessed, phished, or leaked in other breaches.
With such threats, one would expect that businesses armed their employees with as much training and tools as possible, but [Bitwarden research](https://bitwarden.com/resources/2023-password-decisions-survey-results/) shows that users aren’t always following best practices, including 90% of respondents saying that they reused passwords. Security experts recommend that users have a different, randomly generated password for every account. But how does one manage all those passwords? And how can good password habits be maintained across an organization? #### Bitwarden helps secure individuals, businesses, and infrastructure secrets Bitwarden offers a portfolio of security products to help secure everyone, prevent breaches, and ensure productivity. Bitwarden Password Manager provides users the tools to create, store, and share passwords while maintaining the highest level of security. It is the easiest and safest way to store all of your logins, passwords, passkeys, and other sensitive information while conveniently keeping them synced between all of your devices. Bitwarden Secrets Manager empowers developers, DevOps, and IT teams to store, share, and automate machine secrets like authentication keys, database passwords, and API keys. The end-to-end encrypted secrets management solution supports the secure deployment of infrastructure and application code without the risk of exposing critical machine secrets. Bitwarden Passwordless.dev provides APIs and tools needed for developers to implement FIDO2 WebAuthn based passkey authentication, the next generation of secure credential authentication, for websites and applications. #### Maintaining security and compliance Bitwarden solutions, software, infrastructure, and security processes have been designed from the ground up with a multi-layered, defense-in-depth approach. The Bitwarden Security and Compliance Program is based on the ISO27001 Information Security Management System (ISMS). 
Policies have been defined that govern security practices and processes and are continually updated to be consistent with applicable legal, industry, and regulatory requirements for services provided under the Terms of Service Agreement. Bitwarden complies with industry-standard application security guidelines that include a dedicated security engineering team and include regular reviews of application source code and IT infrastructure to detect, validate, and remediate any security vulnerabilities. This white paper provides an overview of Bitwarden security principles as well as links to additional documents that provide more detail in specific areas. ## Bitwarden security principles Protecting user data with Bitwarden products is a partnership between Bitwarden systems and employees, and users themselves. This section will cover, at a high-level, the key security measures Bitwarden utilizes and the tools Bitwarden makes available to users for protecting data stored in Bitwarden. ### Key security measures Bitwarden utilizes the following key security measures to protect data stored in Bitwarden: **End-to-end encryption:** Lock your passwords and private information with end-to-end AES-CBC 256 bit encryption with HMAC authentication, salted hashing, and Key Derivation Functions such as [PBKDF2 SHA-256](https://bitwarden.com/help/what-encryption-is-used/#pbkdf2/) or [Argon2id](https://bitwarden.com/help/what-encryption-is-used/#argon2id/). All cryptographic keys are generated and managed by the client on your devices, and all encryption is done locally. See more details [here](https://bitwarden.com/help/bitwarden-security-white-paper/#hashing-key-derivation-and-encryption/). **Zero knowledge encryption:** Bitwarden team members cannot see your passwords. Your data remains end-to-end encrypted with your individual email and master password. Bitwarden never stores and cannot access your master password or your cryptographic keys. 
**Secure password sharing:** Bitwarden enables secure sharing and management of sensitive data with users across an entire organization. A combination of asymmetric and symmetric encryption protects sensitive information as it is shared.

**Open source and source available code:** The source code for all Bitwarden software products is hosted on [GitHub](https://github.com/bitwarden/) and we welcome everyone to review, audit, and contribute to the Bitwarden codebase. Bitwarden source code is audited by reputable third-party security auditing firms as well as independent security researchers. Additionally, the [Bitwarden Vulnerability Disclosure Program](https://hackerone.com/bitwarden?type=team&view_policy=true) enlists the help of the hacker community at HackerOne to make Bitwarden more secure.

**Privacy by design:** Bitwarden stores all of your logins in an encrypted vault that syncs across all of your devices. Since it’s fully encrypted before it ever leaves your device, only you have access to your data. Not even the team at Bitwarden can read your data (even if we wanted to).

**Security Auditing:** Third-party security reviews and assessments of applications and/or the platform are performed at a minimum of once per year.

**Compliance:** Bitwarden complies with AICPA SOC2 Type 2 / Data Privacy Framework, GDPR, and CCPA regulations. [Learn more](https://bitwarden.com/help/is-bitwarden-audited/).

### Security tools for users

The following tools are provided by Bitwarden, and must be acted on by individual users and businesses, to optimize account protection and lockout avoidance:

#### Master passwords

User data protection in Bitwarden begins the moment a user creates an account and a master password. A master password is the token a user uses to access their vault, where sensitive data is stored.
Users should create their accounts with a strong master password and Bitwarden includes a password strength meter as a guide to help users do so: ![Password strength meter](https://bitwarden.com/assets/6Nopwp0Wbr6FmfQBfzhAGb/e80b52613f70186f491e629cc7906c91/Screenshot_2024-04-01_at_9.41.44_AM.png) Users are warned when they try to sign up with a weak master password, and are also given the option to check known data breaches for the master password using an integration with [Have I Been Pwned (HIBP)](https://haveibeenpwned.com/FAQs): ![Weak or exposed master password](https://bitwarden.com/assets/2fc9uAmERxfK7QEkFzeeO0/0fbe2a9b1d207950a2d30358f904c405/Screenshot_2024-04-01_at_9.50.46_AM.png) **It is very important that users never forget their master passwords.** Master passwords are: - Cleared or marked for removal from memory after usage. - Never transmitted over the internet to Bitwarden servers. - Unable to be seen, read, or reverse engineered by anyone at Bitwarden. Because of this, and the fact that your data is fully encrypted and/or hashed before ever leaving your local device, forgetting a master password **will** result in a user being locked out of their account unless they have emergency access or account recovery active, both of which will be covered later in this paper. > [!NOTE] Master password can be changed > Users can change their master password from the Bitwarden web app. [Learn how](https://bitwarden.com/help/master-password/#change-master-password/). #### Alternative log in methods Bitwarden clients offer the following alternative methods of authentication. Some of these methods may also be used for decryption on log in: - **Log in with device**: Initiate an authentication request from a Bitwarden client and complete authentication by approving the request on a device you're already logged in to. [Learn how it works](https://bitwarden.com/help/log-in-with-device/). 
- **Log in with passkeys**: Use a passkey to log in to a Bitwarden client and, if the passkey is PRF-capable, use it to decrypt your vault data. [Learn how it works](https://bitwarden.com/help/login-with-passkeys/).
- **SSO with trusted devices**: SSO with trusted devices allows users to authenticate using SSO and decrypt their vault using a device-stored encryption key, eliminating the need to enter a master password. [Learn how it works](https://bitwarden.com/help/about-trusted-devices/).

#### Two-step login

Two-step login (also called "two-factor authentication" or "2FA") is an extra layer of security for online accounts, designed to protect access to Bitwarden even if someone has the master password. When two-step login is active, users are required to complete a secondary step while logging into Bitwarden, like using a [FIDO2 security key](https://bitwarden.com/help/setup-two-step-login-fido/) or an [authenticator app](https://bitwarden.com/help/setup-two-step-login-authenticator/) to confirm the login attempt.

As a best practice, **Bitwarden recommends all users activate and use two-step login**. Bitwarden provides users a [recovery code](https://bitwarden.com/help/two-step-recovery-code/) that they can use to turn off two-step login in the event a secondary device is lost, for example if a YubiKey goes missing. **Users should retrieve and save their recovery code immediately after activating the feature**, as Bitwarden policy prohibits facilitating support requests to deactivate two-step login on a user's behalf. Further, no tools have been built to facilitate internal teams doing so.

Learn more about the [available two-step login methods](https://bitwarden.com/help/setup-two-step-login/), using [multiple methods](https://bitwarden.com/help/setup-two-step-login/#using-multiple-methods/), and what to do in the event of a [lost secondary device](https://bitwarden.com/help/lost-two-step-device/).
#### Emergency access Premium users, including members of paid organizations (Families, Teams, or Enterprise) can [designate trusted emergency contacts](https://bitwarden.com/help/emergency-access/) who may request access to their vault in cases of emergency. Trusted emergency contacts can be assigned either view-only or takeover access to users' accounts. Emergency access uses asymmetric encryption to allow users to give a trusted emergency contact permission to access vault data in a zero knowledge environment: > [!NOTE] WP: See encryption section > The following information references encryption key names and processes that are covered in the [Hashing, key derivation, and encryption](https://bitwarden.com/help/bitwarden-security-white-paper/#hashing-key-derivation-and-encryption/) section. Consider reading that section first. 1. A Bitwarden user (the grantor) invites another Bitwarden user to become a trusted emergency contact (the grantee). The invitation (valid for only five days) specifies a user access level and includes a request for the grantee's **RSA Public Key**. 2. Grantee is notified of the invitation via email and accepts the invitation to become a trusted emergency contact. 3. Grantor is notified of the invitation's acceptance via email and confirms the grantee as their trusted emergency contact. On confirmation, the grantor's **User Symmetric Key** is encrypted using the grantee's **RSA Public Key** and stored with the invitation. Grantee is notified of confirmation. 4. An emergency occurs, resulting in grantee requiring access to the grantor's vault. Grantee submits a request for emergency access. 5. Grantor is notified of the request via email. The grantor may manually approve the request at any time, otherwise the request is bound by a grantor-specified wait time. When the request is approved or the wait time lapses, the **Public Key-encrypted User Symmetric Key** is delivered to the grantee for decryption with the grantee's **RSA Private Key**. 
6. Depending on the specified user access level, the grantee will either:
   - Obtain view/read access to items in the grantor's vault.
   - Be asked to create a new master password for the grantor's vault.

#### Account recovery

[Account recovery](https://bitwarden.com/help/account-recovery/) allows designated administrators of Enterprise organizations to recover member accounts and restore access in the event that an employee forgets their master password. Businesses may also wish to use account recovery to reclaim ownership of a member's account when an employment relationship is ended.

> [!NOTE] WP: See encryption section
> The following information references encryption key names and processes that are covered in the [Hashing, key derivation, and encryption](https://bitwarden.com/help/bitwarden-security-white-paper/#hashing-key-derivation-and-encryption/) section. Consider reading that section first.

When an organization member enrolls in account recovery, that user's account encryption key (a.k.a. **User Symmetric Key**) is encrypted with the organization's RSA Public Key. The result is stored as the **Account Recovery Key**.

When a recovery action is taken:

1. The organization **RSA Private Key** is decrypted with the **Organization Symmetric Key**.
2. The user's **Account Recovery Key** is decrypted with the decrypted **RSA Private Key**, resulting in the **User Symmetric Key** (referred to as "account encryption key" in-product).
3. The **User Symmetric Key** is encrypted for the new **Master Password**. Similar to a standard password change, the server-stored encrypted account encryption key and server authentication hash are replaced.
## Hashing, key derivation, and encryption

This section will cover the cryptographic processes that are implemented when a user creates a Bitwarden account and subsequently logs in to access their data:

### Account creation

When an account is created, Bitwarden uses Password-Based Key Derivation Function 2 (PBKDF2) with 600,000 iteration rounds to stretch the user's master password with a salt of the user's email address.

> [!NOTE] PBKDF by default, but Argon available
> Though user accounts are initiated with PBKDF2, users may elect to change their key derivation function to [Argon2id](https://bitwarden.com/help/what-encryption-is-used/#argon2id/) after the account has been created. Learn how to [change the KDF algorithm](https://bitwarden.com/help/kdf-algorithms/#changing-kdf-algorithm/).

The resulting salted value is the 256-bit **Master Key**. The **Master Key** is then again stretched to 512 bits using HMAC-based Extract-and-Expand Key Derivation Function (HKDF), resulting in the **Stretched Master Key**. The **Master Key** and **Stretched Master Key** are never stored on or transmitted to Bitwarden servers:

![Password-based key derivation](https://bitwarden.com/assets/6nm36M2VAPwxdwlD8HoR2N/0b39079292cb7c80ac5147ffa5ab36eb/whitepaper-1.png)

Next, a 512-bit **Generated Symmetric Key** and 128-bit **Initialization Vector** are created using a Cryptographically Secure Pseudorandom Number Generator (CSPRNG). The **Generated Symmetric Key** is encrypted with AES-256 bit encryption using the **Stretched Master Key** and **Initialization Vector**. The result is called the **Protected Symmetric Key**, and is the main key associated with the user. The **Protected Symmetric Key** is sent to the Bitwarden server upon account creation and sent back to Bitwarden client applications upon syncing.

An asymmetric key pair is also created when the user registers their account.
This **Generated RSA Key Pair** is used [when the user creates an organization](https://bitwarden.com/help/bitwarden-security-white-paper/#when-you-create-an-organization/) and in processes like [emergency access](https://bitwarden.com/help/emergency-access/) that can be used to share data between users.

Finally, a **Master Password Hash** is generated using PBKDF2-SHA256 with a payload of the **Master Key** and with a salt of the master password. The **Master Password Hash** is sent to the Bitwarden server upon account creation and login, and used to authenticate the user account. Once reaching the server, the **Master Password Hash** is hashed again using PBKDF2-SHA256 with a random salt and 600,000 iterations:

![Bitwarden password hashing, key derivation, and encryption](https://bitwarden.com/assets/1rLMJoZFka4Per5lIyuMv9/33bc3f62358591bfe4cb86d3c3375535/whitepaper-acctcreate.png)

### Authentication and decryption

Users are required to enter an email address and, typically, a master password in order to [log in](https://vault.bitwarden.com/#/) to a Bitwarden account. When they do so, Bitwarden uses Password-Based Key Derivation Function 2 (PBKDF2) with a default of 600,000 iteration rounds to stretch the master password with a salt of the account email address.

The resulting salted value is the 256-bit **Master Key**. A **Master Password Hash**, generated using PBKDF2-SHA256 with a payload of the **Master Key** and with a salt of the master password, is sent to the server for authentication by comparing the hash to that which is stored server-side.

> [!NOTE] PBKDF by default, but Argon available
> Though user accounts are initiated with PBKDF2, users may elect to change their key derivation function to [Argon2id](https://bitwarden.com/help/what-encryption-is-used/#argon2id/) after the account has been created. Learn how to [change the KDF algorithm](https://bitwarden.com/help/kdf-algorithms/#changing-kdf-algorithm/).
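
The derivation chain described for account creation and login (Master Key, Stretched Master Key, Master Password Hash, and the server-side re-hash) can be traced in a few lines of standard-library Python. This is an added example, not Bitwarden's code. The HKDF labels `enc` and `mac`, the single PBKDF2 round for the Master Password Hash, the email normalisation and the 16-byte server salt are assumptions that the whitepaper text does not state.

```python
import hashlib
import hmac
import secrets

KDF_ITERATIONS = 600_000  # PBKDF2 rounds stated in the whitepaper


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand step of RFC 5869, using HMAC-SHA256."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_client_keys(email: str, master_password: str,
                       iterations: int = KDF_ITERATIONS) -> dict:
    """Client-side derivation. Only master_password_hash is ever sent to the server."""
    # Assumption: the email salt is trimmed and lower-cased before use.
    salt = email.strip().lower().encode("utf-8")
    password = master_password.encode("utf-8")

    # 256-bit Master Key: PBKDF2-SHA256 over the master password, salted with the email.
    master_key = hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen=32)

    # 512-bit Stretched Master Key. Assumption: two 256-bit HKDF-Expand outputs,
    # one half for AES-CBC encryption and one for the HMAC, labelled "enc" and "mac".
    stretched = hkdf_expand(master_key, b"enc", 32) + hkdf_expand(master_key, b"mac", 32)

    # Master Password Hash: payload is the Master Key, salt is the master password.
    # Assumption: a single PBKDF2 round for this step.
    mp_hash = hashlib.pbkdf2_hmac("sha256", master_key, password, 1, dklen=32)

    return {
        "master_key": master_key,              # stays on the client
        "stretched_master_key": stretched,     # stays on the client
        "master_password_hash": mp_hash,       # sent for authentication
    }


def server_store(master_password_hash: bytes,
                 iterations: int = KDF_ITERATIONS) -> tuple:
    """Server side at registration: re-hash the received value with a random salt."""
    salt = secrets.token_bytes(16)  # assumption: 128-bit random salt
    digest = hashlib.pbkdf2_hmac("sha256", master_password_hash, salt, iterations, dklen=32)
    return salt, digest


def server_verify(master_password_hash: bytes, record: tuple,
                  iterations: int = KDF_ITERATIONS) -> bool:
    """Server side at login: recompute and compare in constant time."""
    salt, stored = record
    candidate = hashlib.pbkdf2_hmac("sha256", master_password_hash, salt, iterations, dklen=32)
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    # Constructed sample credentials, for illustration only.
    keys = derive_client_keys("user@example.com", "correct horse battery staple")
    record = server_store(keys["master_password_hash"])
    print("login accepted:", server_verify(keys["master_password_hash"], record))
```

Because the server only ever receives and re-hashes the Master Password Hash, a copy of the server record yields neither the Master Key nor the Stretched Master Key needed to decrypt the Protected Symmetric Key.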
Concurrently, the **Master Key** is stretched to 512 bits in length using HMAC-based Extract-and-Expand Key Derivation Function (HKDF), resulting in the **Stretched Master Key**. The **Protected Symmetric Key**, which is stored server-side and retrieved by the client, is decrypted using this **Stretched Master Key**. The resultant **Symmetric Key** is used by the client to decrypt vault data. This decryption is done entirely on the Bitwarden client. Master passwords and **Stretched Master Keys** are never stored on or transmitted to Bitwarden servers:

![An overview of user login](https://bitwarden.com/assets/lrLsAOcvBsN1vaYAaZQKt/a73a6f46d55cf705423aa7a6a12b7f8a/whitepaper-login.png)

Bitwarden does not keep the master password itself stored locally or in-memory on the Bitwarden client. Your account encryption key (**User Symmetric Key**) is kept in memory while the app is unlocked in order to decrypt vault data. When the Bitwarden client is locked, your encryption keys and vault data are purged as aggressively as possible from memory. After a certain period of inactivity on the lock screen, we reload application processes or perform other cleanup operations to ensure that any leftover managed memory is also purged or expect underlying systems to purge that memory when it is outside our control.

We do our best to ensure that any data that may be in memory for the application to function is only held in memory for as long as you need it and that memory is cleaned up appropriately whenever the application is locked. We regularly review the Bitwarden application’s memory state and adjust processes wherever possible to clear sensitive contents while locked.

### Rotating the account encryption key

During a password change operation, users have the option to rotate (i.e. change) their **User Symmetric Key** (referred to as "account encryption key" in-product).
Rotating this key is a good idea if users believe that their previous master password was compromised or that the data they've stored in Bitwarden was stolen from one of their devices.

> [!NOTE] WP: Rotating encryption key
> Rotating the account’s encryption key is a sensitive operation, which is why it is not a default option when changing a master password.

A key rotation involves generating a new, random encryption key for the account and **re-encrypting all vault data** using this new key. See additional details in [this article](https://bitwarden.com/help/account-encryption-key/).

### Variations

This section will cover variations to encryption processes when users are using Log in with device, Log in with passkeys, or SSO with trusted devices.

#### Log in with device

When logging in with a device is initiated:

1. The initiating client sends a request which includes the account email address, a unique **Auth-request Public Key**ª, and an access code, to an Authentication Request table in the Bitwarden database. Registered devices, meaning clients that are logged in and have a [device-specific GUID](https://bitwarden.com/help/administrative-data/) stored in the Bitwarden database, are provided the request.
2. When the request is approved, the approving client encrypts the account's **User Encryption key** using the **Auth-request public key** enclosed in the request.
3. The approving client then sends the **User Encryption key** to the Authentication Request record and marks the request fulfilled.
4. The initiating client requests the encrypted **User Encryption key**.
5. The initiating client then **locally** decrypts the **User Encryption key** using the **Auth-request private key**.
6. The initiating client then uses the access code to authenticate the user with the Bitwarden Identity service.
7. The initiating client can then retrieve the user's vault data and use the **User Encryption key** to decrypt it.
ª - **Auth-request Public and Private Keys** are uniquely generated for each passwordless login request and only exist for as long as the request does. Requests expire and are purged periodically if they aren't approved or denied.

#### Log in with passkeys

The following describes the mechanics of logging in with passkeys when users' passkeys are set up for encryption. Users may opt to not use their passkeys for encryption instead.

When a passkey is registered for log in to Bitwarden:

1. A **Passkey Public and Private Key Pair** is generated by the authenticator via the WebAuthn API. This key pair, by definition, is what constitutes your passkey. Attestation options, such as what encryption algorithm to use, are provided by Bitwarden to the authenticator.
2. A **PRF Symmetric Key** is generated by the authenticator via the WebAuthn API's PRF extension. This key is derived from an **internal secret** unique to your passkey and a **salt** provided by Bitwarden.
3. A **PRF Public and Private Key Pair** is generated by the Bitwarden client. The PRF public key encrypts your **User Symmetric Key** (referred to as "account encryption key" in-product), which your client will have access to by virtue of being logged in and unlocked, and the resulting **PRF-Encrypted User Symmetric Key** is sent to the server.
4. The **PRF Private Key** is encrypted with the **PRF Symmetric Key** (see Step 2) and the resulting **PRF-Encrypted Private Key** is sent to the server.
5. Your client sends data to Bitwarden servers to create a new passkey credential record for your account. If your passkey is registered with support for vault encryption and decryption, this record includes:
   - The passkey name
   - The Passkey Public Key
   - The PRF Public Key
   - The PRF-Encrypted User Symmetric Key
   - The PRF-Encrypted Private Key

Your **Passkey Private Key**, which is required to accomplish authentication, only ever leaves the client in an encrypted format.
When a passkey is used to log in and, specifically, to decrypt your vault data:

1. Using WebAuthn API public key cryptography, your authentication request is asserted and affirmed.
2. Your **PRF-Encrypted User Symmetric Key** (referred to as "account encryption key" in-product) and **PRF-Encrypted Private Key** are sent from the server to your client.
3. Using the same **salt** provided by Bitwarden and the **internal secret** unique to your passkey, the **PRF Symmetric Key** is re-created locally.
4. The **PRF Symmetric Key** is used to decrypt your **PRF-Encrypted Private Key**, resulting in your **PRF Private Key**.
5. The **PRF Private Key** is used to decrypt your **PRF-Encrypted User Symmetric Key**, resulting in your **User Symmetric Key**. This is used to decrypt your vault data.

#### SSO with trusted devices

The following sections describe encryption processes and key exchanges that occur during different trusted devices procedures:

### Onboarding

When a new user joins an organization, an **Account Recovery Key** ([learn more](https://bitwarden.com/help/account-recovery/)) is created by encrypting their account encryption key with the **Organization Public Key**. Account recovery is required to enable SSO with trusted devices.

The user is then asked if they want to remember, or trust, the device. When they opt to do so:

![Create a trusted device](https://bitwarden.com/assets/2o9o8L0JZMvWZYJvfKGMzj/b7cab59682862c8e782331ed6a2ef9d9/td-create.png)
*Create a trusted device*

1. A new **Device Key** is generated by the client. This key never leaves the client.
2. A new RSA key pair, called the **Device Private Key** and **Device Public Key**, is generated by the client.
3. The user's account encryption key is encrypted with the unencrypted **Device Public Key** and the resultant value is sent to the server as the **Public Key-Encrypted User Key**.
4. The **Device Public Key** is encrypted with the user's account encryption key and the resultant value is sent to the server as the **User Key-Encrypted Public Key**.
5. The **Device Private Key** is encrypted with the first **Device Key** and the resultant value is sent to the server as the **Device Key-Encrypted Private Key**.

The **Public Key-Encrypted User Key** and **Device Key-Encrypted Private Key** will, crucially, be sent from server to client when a login is initiated.

The **User Key-Encrypted Public Key** will be used should the user need to rotate their account encryption key.

### Logging in

When a user authenticates with SSO on an already-trusted device:

![Use a trusted device](https://bitwarden.com/assets/61SSa6ITlRaICIUoCzEiVp/746cf3ba3005b4118d20319e894c47c7/td-use.png)
*Use a trusted device*

1. The user's **Public Key-Encrypted User Key**, which is an encrypted version of the account encryption key used to decrypt vault data, is sent from the server to the client.
2. The user's **Device Key-Encrypted Private Key**, the unencrypted version of which is required to decrypt the **Public Key-Encrypted User Key**, is sent from the server to the client.
3. The client decrypts the **Device Key-Encrypted Private Key** using the **Device Key**, which never leaves the client.
4. The now-unencrypted **Device Private Key** is used to decrypt the **Public Key-Encrypted User Key**, resulting in the user's account encryption key.
5. The user's account encryption key decrypts vault data.

### Approving

When a user authenticates with SSO and opts to decrypt their vault with an un-trusted device (i.e. a **Device Symmetric Key** does not exist on that device), they are required to choose a method of approving the device and optionally trusting it for future use without further approval. What happens next depends on the selected option:

- **Approve from another device**:

  1. The process documented [here](https://bitwarden.com/help/log-in-with-device/#how-it-works/) is triggered, resulting in the client having obtained and decrypted the account encryption key.
  2. The user can now decrypt their vault data with the decrypted account encryption key. If they have chosen to trust the device, trust is established with the client as described in the **Onboarding** tab.

- **Request admin approval**:

  1. The initiating client POSTs a request, which includes the account email address and a unique **auth-request public key**ª, to an Authentication Request table in the Bitwarden database.

     ![User requests admin approval (Step 1)](https://bitwarden.com/assets/1CgwXVCrjssDwsz2Aie4mV/aac6c3975c9a8d225074268c093cadc3/2025-04-30_09-33-37.png)
     *User requests admin approval (Step 1)*

  2. Administrators can [approve or deny the request](https://bitwarden.com/help/approve-a-trusted-device/) on the Device approvals page.
  3. When the request is approved by an administrator, the approving client encrypts the user's account encryption key using the **auth-request public key** enclosed in the request.
  4. The approving client then PUTs the encrypted account encryption key to the Authentication Request record and marks the request fulfilled.

     ![Admin approves auth request (Steps 3-4)](https://bitwarden.com/assets/4Y9q6Y3KmLskDaqfF03YmJ/8a99742b2bf8e7394cb0988495dc13b0/2025-04-30_09-34-10.png)
     *Admin approves auth request (Steps 3-4)*

  5. The initiating client GETs the encrypted account encryption key and **locally** decrypts it using the **auth-request private key**.

     ![User receives admin approval (Step 5)](https://bitwarden.com/assets/7LNcFuhupPeR4DJhg2k4po/10ae5da219f1e5338e5cdf6554655e9f/2025-04-30_09-34-28.png)
     *User receives admin approval (Step 5)*

  6. Using the decrypted account encryption key, trust is established with the client as described in the **Onboarding** tab.
  ª - **Auth-request public** and **private keys** are uniquely generated for each passwordless login request and only exist for as long as the request does. Unapproved requests will expire after 1 week.

- **Approve with master password**:

  1. The user's account encryption key is retrieved and decrypted as documented in the [Authentication and decryption](https://bitwarden.com/help/bitwarden-security-white-paper/#authentication-and-decryption/) section of the security whitepaper.
  2. Using the decrypted account encryption key, trust is established with the client as described in the **Onboarding** tab.

### Key rotation

> [!NOTE] Which TDE users can rotate an enc key
> Only users who have a master password can rotate their [account encryption key](https://bitwarden.com/help/account-encryption-key/). [Learn more](https://bitwarden.com/help/about-trusted-devices/#impact-on-master-passwords/).

When a user rotates their [account encryption key](https://bitwarden.com/help/account-encryption-key/), during the normal rotation process:

1. The **User Key-Encrypted Public Key** is sent from the server to the client, and subsequently decrypted with the old account encryption key (a.k.a. **User Key**), resulting in the **Device Public Key**.
2. The user's new account encryption key is encrypted with the unencrypted **Device Public Key** and the resultant value is sent to the server as the new **Public Key-Encrypted User Key**.
3. The **Device Public Key** is encrypted with the user's new account encryption key and the resultant value is sent to the server as the new **User Key-Encrypted Public Key**.
4. The Public Key-Encrypted User Key is then re-shared with each trusted device.

## Sharing data between users

Collaboration is one of the leading benefits of using a password manager. In order to enable sharing, you need to first create an [organization](https://bitwarden.com/help/about-organizations/).
A Bitwarden organization is an entity that relates users together that want to share items. An organization could be a family, team, company, or any other type of group that desires to share data. This section will cover the cryptographic processes that are implemented to ensure a secure, end-to-end, zero knowledge encryption method for sharing data as well as the additional security measures implemented to ensure control of your data: ![Organization key protection and exchange](https://bitwarden.com/assets/1f8B41wwuVVuaJP8NjI8jy/c059ab0fa4a645eb14973571c7669128/whitepaper-orgcloseup.png) ### When you create an organization When you create an organization, a Cryptographically Secure Pseudorandom Number Generator (CSPRNG) is used to generate the **Organization Symmetric Key**. This key is what's used to encrypt vault data owned by the organization, therefore sharing data with organization members requires securely providing access to the **Organization Symmetric Key**. The unprotected **Organization Symmetric Key** is never stored on Bitwarden servers. As soon as the **Organization Symmetric Key** is created, RSA-OAEP is used to encrypt it with the organization creator's **RSA Public Key**. > [!NOTE] RSA Private Key > A **RSA Key Pair** is generated for every user upon account creation, regardless of whether they are an organization member or not, so this key will already exist prior to organization creation. The **RSA Private Key**, the use for which is described below, is stored encrypted with the user's **User Symmetric Key**, so users must be fully logged in to gain access to it. The resultant value of this operation is referred to as the **Protected Organization Symmetric Key** and is sent to Bitwarden servers. When the organization creator, or any organization member, logs in to their account, the client application uses the decrypted **RSA Private Key** to decrypt the **Protected Organization Symmetric Key**, resulting in the **Organization Symmetric Key**. 
Using this, organization-owned vault data is decrypted locally.

### When users join an organization

The process for subsequent users joining an organization is quite similar, however some differences are worth noting.

First, an established member of the organization, specifically someone with permission to onboard other users, confirms the user to the organization. This established member, by virtue of having already logged in to their account and gone through the organization data decryption process described in the previous section, has access to the decrypted **Organization Symmetric Key**.

So, when the new user is confirmed, the established member's client reaches out to Bitwarden servers, retrieves the new user's **RSA Public Key**, which is stored on Bitwarden servers at the time of account creation, and encrypts the decrypted **Organization Symmetric Key** with it. This results in a new **Protected Organization Symmetric Key** that is sent to Bitwarden servers and stored for the new member.

> [!NOTE] Protected org symmetric
> Each **Protected Organization Symmetric Key** is unique to its user, but each will decrypt to the same required **Organization Symmetric Key** when decrypted with its specific user's **RSA Private Key**.

When the new user logs in to their account, the client application uses the decrypted **RSA Private Key** to decrypt the new **Protected Organization Symmetric Key**, resulting in the raw **Organization Symmetric Key**. Using this, organization-owned vault data is decrypted locally.

### Additional security measures

#### Access controls, permissions, and roles

Bitwarden organizations use collections, projects, and groups to logically group together vault data and users:

- **Collections & projects**: Logically organize your vault data into discrete units to help ensure members are getting access to all and only the resources they need.
- **Groups**: Logically organize your members into discrete units to help ensure that everyone is getting access to everything and only what they need.
- **Member roles**: Assign roles to members to provide them access to the appropriate level of tools within the context of your organization.
- **Permissions**: Designate what actions your members are allowed to take on the vault data they've been granted access to.

#### Event logs

Event logs contain time-stamped, detailed information about what actions or changes have occurred within an organization. These logs are helpful with researching changes in credentials or configuration and are very useful for audit trail investigation and troubleshooting purposes. Event logs are available for Teams and Enterprise organizations for both Password Manager and Secrets Manager. Learn more about [event logs](https://bitwarden.com/help/event-logs/).

Teams and Enterprise organizations may also use the [Bitwarden public API](https://bitwarden.com/help/public-api/) to gather more data for their event logs.

#### SIEM integrations

Several Security Information and Event Management (SIEM) integrations are available for Bitwarden:

- [Splunk](https://bitwarden.com/help/splunk-siem/)
- [Panther](https://bitwarden.com/help/panther-siem/)
- [Elastic](https://bitwarden.com/help/elastic-siem/)

For other SIEM systems, a combination of data from the API and CLI may be used to gather data. This process is outlined [here](https://bitwarden.com/help/event-logs/#siem-and-external-systems-integrations/).

## Data protection

This section will cover the measures taken to ensure that data remains secure:

![Multifactor encryption](https://bitwarden.com/assets/5hrNLuFuk9laua0zD0zSL/2f9a008c97f9bf98b969e96a85a0a32a/multifactor_encryption__2_.png)
*Multifactor encryption*

### How vault data is encrypted

All vault data (logins, passkeys, cards, identities, notes, and secrets) are protected with end-to-end encryption.
Data that you choose to store in Bitwarden is first stored as an object called a Cipher. Ciphers are encrypted locally when a vault item is created, edited, or imported, using a unique, random, 64-byte **Cipher Key**. Each **Cipher Key** is encrypted with either the **User Symmetric Key** or the **Organization Symmetric Key**, depending on whether the item is individually- or organizationally-owned, before being sent to Bitwarden servers. These encryption operations are performed entirely on the Bitwarden client application.

When a user logs in to Bitwarden, the client gains access to their **User Symmetric Key** by decrypting their **Protected Symmetric Key** using the **Stretched Master Key**. If they're a member of an organization, the client gains access to the **Organization Symmetric Key** through their **RSA Private Key**. With one of these keys, **Cipher Keys** are locally decrypted and the resultant value is used to decrypt individual or organization vault data.

When a user rotates their account encryption key, here referred to as their **User Symmetric Key**, each existing **Cipher Key** is re-encrypted with the new **User Symmetric Key**.

> [!NOTE] Cipher Keys for Attachments
> In the case of attachments, the **Cipher Key** is used to encrypt the attachment's metadata, specifically the file name and size. The **Cipher Key** is also used to encrypt the **Attachment Key**, which in turn is used to encrypt the attachment data itself.

Passkeys stored in the vault are generated using the ES256 algorithm.

### Vault health reports

Vault health reports can be used to evaluate the security of the data stored in Bitwarden Password Manager. Reports, for example the Reused Passwords and Weak Passwords reports, are run locally on the Bitwarden client application. This allows offending items to be identified without Bitwarden ever having access to unencrypted versions of this data.
Learn more about [the available vault health reports](https://bitwarden.com/help/reports/).

### Data protection in transit

Bitwarden uses TLS/SSL to secure communications between Bitwarden clients and user devices to the Bitwarden cloud. Bitwarden’s TLS implementation uses X.509 certificates for server authentication and key exchange and a strong cipher suite for bulk encryption. Bitwarden servers are configured to reject weak ciphers and protocols.

Bitwarden also implements HTTP Security headers such as HTTP Strict Transport Security (HSTS), which will force all connections to use TLS. This additional layer of protection with HSTS mitigates the risks of downgrade attacks and misconfiguration.

### Data protection at rest

Bitwarden always encrypts and/or hashes your data on your local device before it is sent to the cloud servers for syncing. Bitwarden servers are only used for storing and synchronizing encrypted vault data. It is not possible to get your unencrypted data from the Bitwarden cloud servers.

AES is a standard in cryptography and used by the U.S. government and other government agencies around the world for protecting top-secret data. With proper implementation and a strong encryption key, AES is considered unbreakable.

A password-based key-derivation function is used to derive an intermediate key from your master password. This key is then salted and hashed for authenticating with the Bitwarden servers. The default iteration count used with PBKDF2 is 600,000 iterations on the client (this client-side iteration count is configurable from your account settings).

> [!NOTE] PBKDF by default, but Argon available
> Though user accounts are initiated with PBKDF2, users may elect to change their key derivation function to [Argon2id](https://bitwarden.com/help/what-encryption-is-used/#argon2id/) after the account has been created. Learn how to [change the KDF algorithm](https://bitwarden.com/help/kdf-algorithms/#changing-kdf-algorithm/).
The Bitwarden cloud database stores your encrypted vault and is hosted within the secure Microsoft Azure cloud infrastructure. It is configured with an encryption-at-rest technology provided by Azure called Transparent Data Encryption (TDE). TDE performs real-time encryption and decryption of the entire Bitwarden cloud database, associated backup data, and transaction log files when they’re not in-use. Azure handles the encryption keys for TDE, which only authorized Bitwarden server components are able to access. Read more about Azure’s Transparent Data Encryption [here](https://learn.microsoft.com/en-us/azure/azure-sql/database/transparent-data-encryption-tde-overview?view=azuresql&tabs=azure-portal).

Additionally, Bitwarden server applications perform their own encryption of sensitive database columns related to your user account. Master password hashes and protected user keys are encrypted on the fly as they move in and out of the Bitwarden cloud database. These column-level encryption operations are performed with keys that Bitwarden manages in a strictly controlled key management service (KMS).

Learn more: [How end-to-end encryption paves the way for zero knowledge](https://bitwarden.com/blog/end-to-end-encryption-and-zero-knowledge/) and [What encryption is being used](https://bitwarden.com/help/what-encryption-is-used/)

### Data types and data retention

Bitwarden processes two kinds of user data to deliver the Bitwarden Service: (i) Vault Data and (ii) Administrative Data.

(i) Vault Data

Vault Data includes all information stored within accounts to the Bitwarden Service and may include Personal Information. If we host the Bitwarden Service for you, we will host Vault Data. Vault Data is encrypted using secure cryptographic keys under your control. Bitwarden cannot access Vault Data.

Data Retention of Vault Data: You may add, modify, and delete Vault Data at any time.
(ii) Administrative Data

Bitwarden obtains Personal Information in connection with your account creation, usage of the Bitwarden Service and support, and payments for the Bitwarden Service such as names, email addresses, phone and other contact information for users of the Bitwarden Service and the number of items in your Bitwarden Service account ("Administrative Data"). Bitwarden uses Administrative Data to provide the Bitwarden Service to you. We retain Administrative Data for as long as you are a customer of Bitwarden and as required by law. If you terminate your relationship with Bitwarden, we will delete your Personal Information in accordance with our data retention policies.

When you use the website or communicate with us (e.g., via email) you will provide, and Bitwarden will collect certain Personal Information such as:

- Name
- Business name and address
- Business telephone number
- Email address
- IP-address and other online identifiers
- Any customer testimonial you have given us consent to share.
- Information you provide to the Site's Interactive Areas, such as fillable forms or text boxes, training, webinars or event registration.
- Information about the device you are using, comprising the hardware model, operating system and version, unique device identifiers, network information, IP address, and/or Bitwarden Service information when interacting with the Site.
- If you interact with the Bitwarden Community or training, or registered for an exam or event, we may collect biographical information and the content that you share.
- Information gathered via cookies, pixel tags, logs, or other similar technologies.

Please refer to the [Bitwarden Privacy Policy](https://bitwarden.com/privacy/) for additional information.
## Cloud platform and web application security

### Architecture overview

Bitwarden processes and stores all data securely in the Microsoft Azure cloud using services that are managed by the team at Microsoft, including Azure Kubernetes Services (AKS).

Azure Kubernetes Services is a managed Kubernetes service provided by Microsoft that reduces the complexity of deploying and managing Kubernetes clusters. Microsoft fully manages the control plane. The control plane contains all of the components and services that are used to operate and maintain the Bitwarden Kubernetes clusters. Microsoft and the AKS team deploy, operate, and are responsible for the AKS service availability and functionality.

The team at Bitwarden manages:

- The access management of the AKS service
- The patching and updating to apply the Node OS security patches, Node image version upgrades, and the Kubernetes version (cluster upgrades)
- The container security for the docker images and running containers in AKS
- The network security of the nodes

![Bitwarden architectural overview](https://bitwarden.com/assets/6PDqnG1zfXQLQ54rm0auc0/8b41d77f1451ae0aed8c259fa85ed5a2/Security_White_Paper_Diagrams_August_2023_-GO_BR-.png)

### Security updates and patching

#### Azure Kubernetes Services (AKS)

Microsoft provides patches, new node images, and new Kubernetes versions for their AKS service. The team at Bitwarden manages and monitors the AKS environment and follows the upgrade recommendations from Microsoft and vulnerability reports to ensure that Node OS security patches, Node image version upgrades, and the Kubernetes version (cluster upgrades) are applied. In addition, the Bitwarden team applies updates and patches to maintain the container security for the docker images and running containers in AKS.

### Control of production systems

Bitwarden maintains documented runbooks for all production systems that cover deployment, update, and troubleshooting processes.
Extensive alerts are set up to notify and escalate in case of issues.

#### Baseline configurations

Bitwarden processes and stores all data securely in the Microsoft Azure cloud using services that are managed by the team at Microsoft, including Azure Kubernetes Service (AKS).

##### Azure Kubernetes Services (AKS)

Security baseline configurations are established and monitored using Cloud Security Posture Management and Vulnerability Management services.

#### HTTP security headers

Bitwarden leverages HTTP Security headers as an additional level of protection for the Bitwarden web application and communications. For example, HTTP Strict Transport Security (HSTS) will force all connections to use TLS, which mitigates the risks of downgrade attacks and misconfiguration. Content Security Policy headers provide further protection from injection attacks, such as cross-site scripting (XSS). In addition, Bitwarden implements X-Frame-Options: SAMEORIGIN to defend against clickjacking.

### Key management procedures

Keys and other secrets utilized by the Bitwarden platform itself, including credentials for Bitwarden cloud provider accounts, are generated, securely stored, and rotated as needed in accordance with industry-standard practices. Bitwarden uses internal Bitwarden vaults for secure storage and backup of sensitive keys or other secrets utilized by the Bitwarden platform. Access to these vaults is carefully managed with access controls, permissions, and roles.

### Logging, monitoring, and alert notification

Bitwarden maintains documented runbooks for all production systems that cover deployment, update, and troubleshooting processes. Extensive alerts are set up to notify and escalate in case of issues.

A combination of manual and automated monitoring of Bitwarden cloud infrastructure provides a comprehensive and detailed view of system health as well as proactive alerts on areas of concern.
Issues are surfaced quickly so that the Bitwarden infrastructure team can effectively respond and mitigate problems with minimal disruption.

### Threat prevention and response

Bitwarden performs continuous security monitoring of our networks, assets, data, and services leveraging services and tools including but not limited to Security Information Event Management (SIEM), established Security Operations Center (SOC), Vulnerability Management, Data Loss Prevention (DLP), and Endpoint Detection and Response (EDR).

Bitwarden maintains a Security Incident Response policy and plan which is designed to minimize the overall impact of cyber incidents and includes the following as part of the Incident Response Lifecycle:

- Preparation and Planning
- Detection and Analysis
- Containment
- Eradication
- Recovery
- Post-Incident Activities

Bitwarden uses Content Delivery Network (CDN) services in order to provide Web Application Firewalls (WAF) at the edge, better DDoS protection, distributed availability, and caching. Bitwarden also uses proxies within the CDN provider for better network security and performance of its services and sites.

### Code assessments

Bitwarden is open source software. All of our source code is hosted on GitHub and is free for anyone to review. Bitwarden source code is audited by reputable third-party security auditing firms as well as independent security researchers. In addition, the Bitwarden Vulnerability Disclosure Program enlists the help of the hacker community at HackerOne to make Bitwarden more secure.
### Code scanning

In addition to Bitwarden source code being audited by reputable third-party security auditing firms and independent security researchers, Bitwarden source code is scanned by the following set of tools whenever a push is made to any branch in any Bitwarden repository:

- **Checkmarx One**: Used for static application security testing (SAST), dynamic application security testing (DAST), software composition analysis (SCA), malicious package detection, infrastructure as code (IaC), and container scanning to uncover potential vulnerabilities quickly and surface them to Bitwarden engineers.
- **SonarQube**: Used for code quality analysis to ensure best practices for security, reliability, and maintainability are followed.
- **Codecov**: Used for test coverage analysis to maximize the amount of code that is included in automated testing.
- **Linters**: Several security-focused linters are also used to inspect all code changes.

### Business continuity and disaster recovery

Bitwarden employs a full range of disaster recovery and business continuity practices from Microsoft Azure that are built into the Bitwarden cloud. This includes high availability and backup services for our application and database tiers.

### Software lifecycle and change management

Bitwarden evaluates changes to platform, applications, and production infrastructure to minimize risk and such changes are implemented following the standard operating procedures at Bitwarden.

Change request items are planned based on the roadmap and submitted to engineering. Engineering will review and evaluate their capacity and assess the level of effort for each change request item. After review and evaluation, the product and engineering teams will formulate what they are going to work on for a specific release. The CTO provides details of the release through communication channels and management meetings when the development life cycle begins for that release.
At a high level, the development, release, testing, and approval process includes:

- Develop, build, and iterate using pull requests in GitHub.
- Get features to a point where they are testable.
- Engineering performs functional testing of the feature and/or product as they are developing and building.
- Unit testing build and static application security testing (SAST) are automated as part of Bitwarden Continuous Integration (CI) pipelines.
- Some testing is also performed by the Customer Success team.
- Engineering management assists with review and helps to formalize the process, including documentation updates.
- CTO Provides Final Go / No-Go Approval

**Meeting Attendance**: To ensure successful review, approval, implementation, and closure of change requests, each core Operation and IT service staff should be represented during the meeting to review and discuss the change request.

Emergency deployment and hotfixes get escalated priority, and review and approval of the change is received from a manager or director prior to the change being made and is subsequently reviewed, communicated and closed during the next scheduled change meeting. This is normally in a service outage, system down or in an urgent outage prevention situation.

### Auditability and compliance

The Bitwarden Security and Compliance Program is based on the ISO-27001 Information Security Management System (ISMS). Bitwarden staff have defined policies that govern security and processes, and continually update the security program to be consistent with applicable legal, industry, and regulatory requirements for services that are provided to you under our [Terms of Service Agreement](https://bitwarden.com/terms/).

Bitwarden complies with industry-standard application security guidelines that include a dedicated security engineering team and include regular reviews of application source code and IT infrastructure to detect, validate, and remediate any security vulnerabilities.
#### External security reviews

Third-party security reviews and assessments of applications and/or the platform are performed at a minimum of once per year.

#### Certifications

Bitwarden certifications include:

- SOC2 Type II (renewed annually)
- SOC3 (renewed annually)
- ISO 27001

According to the AICPA, the use of the Systems and Organization Controls (SOC), SOC 2 Type II report is restricted. For SOC 2 report inquiries, please [contact us](https://bitwarden.com/contact/).

Read More: [Bitwarden achieves SOC2 certification](https://bitwarden.com/blog/bitwarden-achieves-soc-2-certification/)

The SOC 3 report provides a summary of the SOC 2 report and is distributed publicly. According to the AICPA, SOC 3 is the SOC for service organizations to report on trust services criteria for general use. Bitwarden makes a copy of the SOC 3 report [available here](https://assets.ctfassets.net/7rncvj1f8mw7/2Sljjp4w5WkruimAllgaks/ec0064fd6e1839185f7dfd2803227e13/Bitwarden_-_2025_SOC_3_Report.pdf) and the summary demonstrates our commitment to security and privacy standards.

These SOC certifications represent one facet of Bitwarden's commitment to safeguarding the security and privacy of customers, and compliance with rigorous standards. Bitwarden also performs a regular cadence of audits on our network security and code integrity.

Read more: [Bitwarden 2020 security audit is complete](https://bitwarden.com/blog/bitwarden-network-security-assessment-2020/) and [Bitwarden completes third-party security audit](https://bitwarden.com/blog/third-party-security-audit/)

### Employee access controls

Bitwarden employees have significant training and expertise for the type of data, systems, and information assets that they design, architect, implement, manage, support, and interact with.

Bitwarden follows an established on-boarding process to ensure that the appropriate level of access is assigned and maintained.
Bitwarden has established levels of access that are appropriate for each role. All requests, including any access change requests, need to be reviewed and approved by the manager. Bitwarden follows a least-privilege policy that grants employees the minimum level of access required to complete their duties. Bitwarden follows an established off-boarding process through Bitwarden Human Resources that revokes all access rights upon an employee's termination.

## Threat model and attack surface analysis overview

Bitwarden follows a risk-based approach to designing secure services and systems which include threat modeling and attack surface analysis to identify threats and develop mitigation for them. The risk and threat modeling analysis extends to all areas of the Bitwarden platform including the core Bitwarden cloud server application and the Bitwarden clients such as mobile, desktop, web application, browser and/or command line interfaces.

#### Bitwarden clients

Users primarily interact with Bitwarden through client applications such as mobile, desktop, web application, browser and/or command line interfaces. The security of these devices, workstations, and web browsers is critical because if one or more of these devices are compromised an attacker may be able to install malware such as a keylogger which would capture all information entered on these devices including any of your passwords and secrets. You, as the end-user and/or device owner, are responsible for ensuring that your devices are secured and protected from non-authorized access.

#### HTTPS TLS and web browser crypto end-to-end encryption

The Bitwarden web client runs in your web browser. The authenticity and integrity of the Bitwarden web client depend on the integrity of the HTTPS TLS connection by which it is delivered. An attacker capable of tampering with the traffic that delivers the web client could deliver a malicious client to the user.
Web browser attacks are one of the most popular ways for attackers and cybercriminals to inject malware or inflict damage. Attack vectors on the web browser might include:

- An element of **social engineering, such as phishing,** to trick and persuade the victim to take any action that compromises the security of their user secrets and account.
- **Web browser attacks and browser extension / add-on exploits:** A malicious extension designed to be able to capture user secrets as they are typed on the keyboard.
- **Attacks on web applications through the browser:** Clickjacking, Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF).

Bitwarden leverages [HTTP Security headers](https://bitwarden.com/help/bitwarden-security-white-paper/#http-security-headers/) as an additional level of protection for the Bitwarden web application and communications.

## Conclusion

This overview of the Bitwarden Security and Compliance program is offered for your review. Bitwarden’s solution, software, infrastructure, and security processes have been designed from the ground up with a multi-layered, defense-in-depth approach. The Bitwarden Security and Compliance Program is based on the ISO-27001 Information Security Management System (ISMS). Bitwarden staff have defined policies that govern security and processes, and continually update the security program to be consistent with applicable legal, industry, and regulatory requirements for services that are provided to you under our [Terms of Service Agreement](https://bitwarden.com/terms/).

If you have any questions, please [contact us](https://bitwarden.com/contact/).

### Document changelog

| Date published | Summary of changes |
|------|------|
| October 9, 2025 | Added information on source code scanning. |
| June 30, 2025 | Various clarifications added regarding encryption process. |
| May 21, 2025 | Corrected a statement about our policy that prohibits disabling users' 2FA. |
| April 30, 2025 | Added diagrams for SSO with trusted devices approvals. |
| March 11, 2025 | Added ISO 27001 certification. |
| December 11, 2024 | Adjusted language around memory management. |
| August 2, 2024 | Restructured the document for easier navigation, improved information architecture, and more consistent style. |
| July 25, 2024 | Added information related to Cipher Keys for vault item encryption. |
| March 23, 2024 | Added new descriptions and diagrams to **Sharing data between users** section. |
| Jan 12, 2024 | Added information related to Log in with Passkeys. |

--- URL: https://bitwarden.com/help/bitwarden-software-release-support/ ---

# Software Release Support

Bitwarden maintains software versions for the Bitwarden server, Bitwarden clients, and other supported integrations and modules. This document describes the software lifecycle policies followed by Bitwarden; this information will help you prepare for updates appropriate for your organization.

As a security company building a globally trusted product, Bitwarden maintains up-to-date and relevant software versions for all of our user base, making them widely available and easy to access. At the same time, we recognize there needs to be a balance between frequent updates and release lifespan. We also recognize there needs to be a balance between pushing forward with new features on newer systems and relinquishing support for older systems. (“Systems” in this case represents devices, operating systems, and software applications and frameworks.)

## Bitwarden software support

> [!NOTE] Definition of "major version"
> A "major version", as described in this document, is indicated by the second number in the version format used for Bitwarden clients and servers (e.g. 2025.**`6`**.0 or 2025.**`7`**.1).

The following sections describe support policies for software developed by Bitwarden:

### Bitwarden cloud server

The Bitwarden cloud servers are operated and maintained directly by Bitwarden.
We update the Bitwarden cloud servers regularly and post updates at [status.bitwarden.com](https://status.bitwarden.com/).

### Bitwarden self-hosted server

For self-hosted implementations with applicable subscription plans, Bitwarden servers receive ongoing updates:

- At a given time, Bitwarden maintains the current major server version and the previous 2 major server versions.
- Each server version is compatible with clients of the same major version, the previous 2 major client versions, and the subsequent 2 major client versions.

> [!NOTE] Client compatibility tip
> Self-hosted users are expected to keep their server up-to-date to stay current on Bitwarden features and support, and remain compatible with the latest released clients. Self-hosted instances that do not update client and server versions in accordance with the Bitwarden version support policy risk introducing a client change that is incompatible with their server.

### Bitwarden clients

For Bitwarden client applications:

- At a given time, Bitwarden maintains the current major client version and the previous 2 major client versions.
- Each client version is compatible with servers of the same major version, the previous 2 major server versions, and the subsequent 2 major server versions.

[Learn how to check your client version](https://bitwarden.com/help/versioning/#client-version/).

### Bitwarden API

The Bitwarden API release cycle and duration aligns with Bitwarden servers. As a practice, we aim to provide backwards compatibility to the API indefinitely through semantic versioning. However, if we add enhancements that make it difficult or impossible to maintain backwards compatibility to all prior versions, we will indicate that by incrementing the major version number.
## Platform software support

The following sections describe support policies for software on which Bitwarden is installed or used:

### Platforms for Bitwarden clients

For all underlying platforms on which Bitwarden client applications are installed or used, for example desktop or mobile operating systems and web browser versions, Bitwarden aims to support those versions which are currently supported by the vendor.

### Platforms for self-hosted Bitwarden servers

Unless otherwise specified in the System Requirements, self-hosted installations should be maintained on up-to-date operating systems and compute platforms under active support from their vendor(s).

--- URL: https://bitwarden.com/help/blocker-access-rule/ ---

# uMatrix and NoScript access rules

By default, the uMatrix and NoScript extensions may block the Bitwarden Firefox extension from accessing the Bitwarden API servers. Without adding proper rules to whitelist the Bitwarden API servers, logging in and other API operations will fail.

## uMatrix

The following [uMatrix rule](https://github.com/gorhill/uMatrix/wiki/Rules-syntax) is required:

```
dc8ef5f6-eb0d-4c87-9e9f-0cf803f619e8.moz-extension-scheme bitwarden.com xhr allow
```

> [!NOTE]
> The UUID included in the above rule (`dc8ef5f6-eb0d-4c87-9e9f-0cf803f619e8`) will be different for your installation.
> Use the `about:debugging#/runtime/this-firefox` page (navigate from Firefox's address bar) to locate your Bitwarden extension UUID.
## NoScript

Whitelisting the following domain in NoScript is required: `bitwarden.com`

--- URL: https://bitwarden.com/help/blocking-uris/ ---

# Block Autofill on Specific Sites

Users of the Bitwarden browser extensions and Android mobile app can explicitly prevent autofill from being allowed on certain domains or URIs:

### Browser extensions

> [!TIP] What blocking autofill does on browser extension
> Domains that are designated for blocking will block autofill, passkey prompts, and prompts to save or update your credentials.

To specify domains to block for browser extensions:

1. In the Bitwarden browser extension, open the ⚙️ **Settings** tab.
2. Select **Autofill**, then scroll to the bottom of the screen and select **Blocked domains**.
3. Select **Add domain** and specify the domain you want to block on.
4. Select **Save**.

### Android

> [!NOTE] Support for URI blacklisting
> Autofill blocking URIs is currently only available for Bitwarden **Android 8.0 (Oreo)** or higher.

To specify URIs to block autofill on for Android:

1. In the Bitwarden Android app, tap ⚙️ **Settings**.
2. Tap **Autofill**.
3. Scroll down and tap **Block autofill**.
4. Tap **New blocked URI** and enter the URIs. Separate multiple URIs with a comma, like:

   ```
   https://instagram.com,androidapp://com.instagram.android,https://facebook.com
   ```
5. Tap **Save**.

#### Getting Android app URIs

For websites accessed via a web browser, a proper URI will be the `https://..` address of the login page, for example `https://instagram.com` or `https://instagram.com/accounts/login`.

**For Android apps**, the [URI scheme](https://bitwarden.com/help/uri-match-detection/#uri-schemes/) always starts with `androidapp://` and is usually a bit different from a typical web browser URI.
For example,

- The Instagram Android app has the URI `androidapp://com.instagram.android`
- The Reddit Android app has the URI `androidapp://com.reddit.frontpage`
- The Bitwarden Android app has the URI `androidapp://com.x8bit.bitwarden`

> [!TIP] Get URI from Mobile
> An easy way to obtain the proper URI for an Android app is to visit the app's page in the Google Play Store, tap the share button, and paste the copied link somewhere you can read it. The link will look like `https://play.google.com/store/apps/details?id=com.instagram.android`. The value after `id=` is your URI, in this case `com.instagram.android`.
>
> For iOS users, an app URI can be obtained by using autofill to open Bitwarden. Once Bitwarden is open, select the + icon on the top right corner of the screen. From here, copy the URI that has been included in the new vault item. Paste the URI into your existing login item for this app.

--- URL: https://bitwarden.com/help/browserext-deploy/ ---

# Deploy Browser Extensions using GPOs, Linux Policies, & .plist Files

When operating Bitwarden in a business setting, administrators may want to automate deployment of Bitwarden browser extensions to users with an endpoint management platform or group policy. This article covers how to use GPOs and other templates to automate that deployment.

## Windows

Deploying Bitwarden browser extensions to browsers on Windows generally requires using Windows Group Policy to target managed computers with an ADMX policy template. The procedure is slightly different for each browser:

### Chrome

To deploy the browser extension on Windows and Google Chrome:

1. Download and unzip the [Chrome Enterprise Bundle](https://chromeenterprise.google/browser/download/#windows-tab) for Windows.
2.
   From the unzipped directory:
   - Copy `\Configuration\admx\chrome.admx` to `C:\Windows\PolicyDefinitions`
   - Copy `\Configuration\admx\en-US\chrome.adml` to `C:\Windows\PolicyDefinitions\en-US`
3. Open the Windows Group Policy Manager and create a new GPO for Bitwarden browser extension installation.
4. Right-click on the new GPO and select **Edit...**, and proceed to navigate to **Computer Configuration** → **Policies** → **Administrative Templates** → **Google Chrome** → **Extensions**.
5. In the right-hand settings area, select **Configure the list of force-installed apps and extensions**. In the dialog, toggle the **Enabled** option.
6. Select the **Show...** button and add the following:

   ```
   nngceckbapebfimnlniiiahkandclblb;https://clients2.google.com/service/update2/crx
   ```

   Click **OK**.
7. Still in **...Administrative Templates** → **Google Chrome**, select **Password manager** from the file tree.
8. In the right-hand settings area, right-click **Enable saving passwords to the password manager** and select **Edit**. In the dialog, toggle the **Disabled** option and select **OK**.
9. Repeat **Step 8** for the **Enable Autofill for addresses** and **Enable Autofill for credit cards** options, found in settings area for **...Administrative Templates** → **Google Chrome**.
10. Apply the newly-configured GPO to your desired scope.

### Firefox

To deploy the browser extension on Windows and Firefox:

1. Download and unzip the [Firefox ADMX Template](https://github.com/mozilla/policy-templates/releases) file.
2. From the unzipped directory:
   - Copy `\policy_templates_\windows\firefox.admx` to `C:\Windows\PolicyDefinitions`
   - Copy `\policy_templates_\windows\en-US\firefox.adml` to `C:\Windows\PolicyDefinitions\en-US`
3. Open the Windows Group Policy Manager and create a new GPO for the Bitwarden browser extension installation.
4.
   Right-click on the new GPO and select **Edit...**, and proceed to navigate to **Computer Configuration** → **Policies** → **Administrative Templates** → **Firefox** → **Extensions**.
5. In the right-hand settings area, select **Extensions to Install**. In the dialog, toggle the **Enabled** option.
6. Select the **Show...** button and add the following:

   ```
   https://addons.mozilla.org/firefox/downloads/latest/bitwarden-password-manager/latest.xpi
   ```

   Click **OK**.
7. Back in the file tree select **Firefox**. In the right-hand settings area, **Edit...** and disable both the **Offer to save logins** and **Offer to save logins (default)** options.
8. Apply the newly-configured GPO to your desired scope.

### Edge

To deploy the browser extension on Windows and Edge:

1. Download and unzip the [Microsoft Edge Policy Files](https://www.microsoft.com/en-us/edge/business/download).
2. From the unzipped directory:
   - Copy `\windows\admx\msedge.admx` to `C:\Windows\PolicyDefinitions`
   - Copy `\windows\admx\en-US\msedge.adml` to `C:\Windows\PolicyDefinitions\en-US`
3. Open the Windows Group Policy Manager and create a new GPO for the Bitwarden browser extension installation.
4. Right-click on the new GPO and select **Edit...**, and proceed to navigate to **Computer Configuration** → **Policies** → **Administrative Templates** → **Microsoft Edge** → **Extensions**.
5. In the right-hand settings area, select **Control which extensions are installed silently**. In the dialog, toggle the **Enabled** option.
6. Select the **Show...** button and add the following:

   ```
   jbkfoedolllekgbhcbcoahefnbanhhlh;https://edge.microsoft.com/extensionwebstorebase/v1/crx
   ```

   Click **OK**.
7. Still in **...Administrative Templates** → **Microsoft Edge**, select **Password manager and protection** from the file tree.
8. In the right-hand settings area, right-click **Enable saving passwords to the password manager** and select **Edit**. In the dialog, toggle the **Disabled** option and select **OK**.
9.
   Repeat **Step 8** for the **Enable Autofill for addresses** and **Enable Autofill for payment instruments** options, found in settings area for **...Administrative Templates** → **Microsoft Edge**.
10. Apply the newly-configured GPO to your desired scope.

## Linux

Deploying Bitwarden browser extensions to browsers on Linux generally involves using a `.json` file to set configuration properties. The procedure is slightly different for each browser:

### Chrome

To deploy the browser extension on Linux and Google Chrome:

1. Download the [Google Chrome .deb or .rpm](https://www.google.com/chrome/?platform=linux) for Linux.
2. Download the [Chrome Enterprise Bundle](https://chromeenterprise.google/browser/download/#windows-tab).
3. Unzip the Enterprise Bundle (`GoogleChromeEnterpriseBundle64.zip` or `GoogleChromeEnterpriseBundle32.zip`) and open the `/Configuration` folder.
4. Make a copy of the `master_preferences.json` (in Chrome 91+, `initial_preferences.json`) and rename it `managed_preferences.json`.
5. Add the following to `managed_preferences.json`:

   ```
   {
     "policies": {
       "ExtensionSettings": {
         "nngceckbapebfimnlniiiahkandclblb": {
           "installation_mode": "force_installed",
           "update_url": "https://clients2.google.com/service/update2/crx"
         }
       }
     }
   }
   ```

   In this JSON object, `"nngceckbapebfimnlniiiahkandclblb"` is the application identifier for the Bitwarden browser extension. Similarly, `"https://clients2.google.com/service/update2/crx"` signals Chrome to use the Chrome Web Store to retrieve the identified application.

   > [!NOTE]
   > You may also configure forced installations using the [ExtensionInstallForcelist](https://chromeenterprise.google/policies/?policy=ExtensionInstallForcelist) policy, however the [ExtensionSettings](https://support.google.com/chrome/a/answer/7517525#getID&zippy=%2Cset-custom-message-for-blocked-apps-and-extensions%2Cprevent-apps-and-extensions-from-altering-webpages) method will supersede ExtensionInstallForceList.

6.
   (**Recommended**) To [disable](https://chromeenterprise.google/policies/#PasswordManagerEnabled) Chrome's built-in password manager, add the following to `managed_preferences.json` inside of `"policies": { }`:

   ```
   { "PasswordManagerEnabled": false }
   ```

7. Create the following directories if they do not already exist:

   ```
   mkdir /etc/opt/chrome/policies
   mkdir /etc/opt/chrome/policies/managed
   ```

8. Move `managed_preferences.json` into `/etc/opt/chrome/policies/managed`.
9. As you will need to deploy these files to users' machines, we recommend making sure only admins can write files in the `/managed` directory:

   ```
   chmod -R 755 /etc/opt/chrome/policies
   ```

10. Using your preferred software distribution or MDM tool, deploy the following to users' machines:
    - Google Chrome Browser
    - `/etc/opt/chrome/policies/managed/managed_preferences.json`

> [!TIP] Linux Managed Chrome Help
> For more help, refer to Google's [Chrome Browser Quick Start for Linux](https://support.google.com/chrome/a/answer/9025926?hl=en&ref_topic=9025817) guide.

### Firefox

To deploy the browser extension on Linux and Firefox:

1. Download [Firefox for Linux](https://www.mozilla.org/en-US/firefox/all/#product-desktop-release).
2. Create a `distribution` directory within the Firefox installation directory.
3. In the `distribution` directory, create a file `policies.json`.
4. Add the following to `policies.json`:

   ```
   {
     "policies": {
       "ExtensionSettings": {
         "446900e4-71c2-419f-a6a7-df9c091e268b": {
           "installation_mode": "force_installed",
           "install_url": "https://addons.mozilla.org/firefox/downloads/latest/bitwarden-password-manager/latest.xpi"
         }
       }
     }
   }
   ```

   In this JSON object, `"446900e4-71c2-419f-a6a7-df9c091e268b"` is the extension ID for the Bitwarden browser extension. Similarly, `"https://addons.mozilla.org/firefox/downloads/latest/bitwarden-password-manager/latest.xpi"` signals Firefox to use the extension store to retrieve the extension.

5.
   (**Recommended**) To [disable](https://github.com/mozilla/policy-templates/blob/master/README.md#passwordmanagerenabled) Firefox's built-in password manager, add the following to `policies.json` inside of `"policies": { }`:

   ```
   { "PasswordManagerEnabled": false }
   ```

6. Using your preferred software distribution or MDM tool, deploy the following to users' machines:
   - Firefox Browser
   - `/distribution/policies.json`

> [!TIP] Linux Managed Firefox Help
> For more help, refer to Firefox's [policies.json Overview](https://support.mozilla.org/en-US/kb/customizing-firefox-macos-using-configuration-prof) or [Policies README](https://github.com/mozilla/policy-templates/blob/master/README.md) on GitHub.

## macOS

Deploying Bitwarden browser extensions to browsers on macOS generally involves using a property list (`.plist`) file. The procedure is slightly different for each browser:

### Chrome

To deploy the browser extension on macOS and Google Chrome:

1. Download the [Google Chrome .dmg or .pkg](https://chromeenterprise.google/browser/download/#mac-tab) for macOS.
2. Download the [Chrome Enterprise Bundle](https://chromeenterprise.google/browser/download/#windows-tab).
3. Unzip the Enterprise Bundle (`GoogleChromeEnterpriseBundle64.zip` or `GoogleChromeEnterpriseBundle32.zip`).
4. Open the `/Configuration/com.Google.Chrome.plist` file with any text editor.
5. Add the following to the `.plist` file:

   ```
   <key>ExtensionSettings</key>
   <dict>
     <key>nngceckbapebfimnlniiiahkandclblb</key>
     <dict>
       <key>installation_mode</key>
       <string>force_installed</string>
       <key>update_url</key>
       <string>https://clients2.google.com/service/update2/crx</string>
     </dict>
   </dict>
   ```

   In this codeblock, `nngceckbapebfimnlniiiahkandclblb` is the application identifier for the Bitwarden browser extension. Similarly, `https://clients2.google.com/service/update2/crx` signals Chrome to use the Chrome Web Store to retrieve the identified application.
   > [!NOTE]
   > You may also configure forced installations using the [ExtensionInstallForcelist](https://chromeenterprise.google/policies/?policy=ExtensionInstallForcelist) policy, however the [ExtensionSettings](https://support.google.com/chrome/a/answer/7517525#getID&zippy=%2Cset-custom-message-for-blocked-apps-and-extensions%2Cprevent-apps-and-extensions-from-altering-webpages) method will supersede ExtensionInstallForceList.

6. (**Recommended**) To [disable](https://chromeenterprise.google/policies/#PasswordManagerEnabled) Chrome's built-in password manager, add the following to `com.Google.Chrome.plist`:

   ```
   <key>PasswordManagerEnabled</key>
   <false />
   ```

7. Convert the `com.Google.Chrome.plist` file to a configuration profile using a conversion tool like [mcxToProfile](https://github.com/timsutton/mcxToProfile).
8. Deploy the Chrome `.dmg` or `.pkg` and the configuration profile using your software distribution or MDM tool to all managed computers.

> [!NOTE]
> For more help, refer to Google's [Chrome Browser Quick Start for Mac](https://support.google.com/chrome/a/answer/9020580?hl=en&ref_topic=7650028) guide.

### Firefox

To deploy the browser extension on macOS and Firefox:

1. Download and install [Firefox for Enterprise](https://www.mozilla.org/en-US/firefox/enterprise/#download) for macOS.
2. Create a `distribution` directory in `Firefox.app/Contents/Resources/`.
3. In the created `/distribution` directory, create a new file `org.mozilla.firefox.plist`.

   > [!NOTE]
   > Use the [Firefox .plist template](https://github.com/mozilla/policy-templates/blob/master/mac/org.mozilla.firefox.plist) and [Policy README](https://github.com/mozilla/policy-templates/blob/master/README.md) for reference.

4.
   Add the following to `org.mozilla.firefox.plist`:

   ```
   <key>ExtensionSettings</key>
   <dict>
     <key>446900e4-71c2-419f-a6a7-df9c091e268b</key>
     <dict>
       <key>installation_mode</key>
       <string>force_installed</string>
       <key>install_url</key>
       <string>https://addons.mozilla.org/firefox/downloads/latest/bitwarden-password-manager/latest.xpi</string>
     </dict>
   </dict>
   ```

   In this codeblock, `446900e4-71c2-419f-a6a7-df9c091e268b` is the extension ID for the Bitwarden browser extension. Similarly, `https://addons.mozilla.org/firefox/downloads/latest/bitwarden-password-manager/latest.xpi` signals Firefox to use the extension store to retrieve the application.

5. (**Recommended**) To [disable](https://github.com/mozilla/policy-templates/blob/master/README.md#passwordmanagerenabled) Firefox's built-in password manager, add the following to `org.mozilla.firefox.plist`:

   ```
   <key>PasswordManagerEnabled</key>
   <false />
   ```

6. Convert the `org.mozilla.firefox.plist` file to a configuration profile using a conversion tool like [mcxToProfile](https://github.com/timsutton/mcxToProfile).
7. Deploy the Firefox `.dmg` and the configuration profile using your software distribution or MDM tool to all managed computers.

### Edge

To deploy the browser extension on macOS and Microsoft Edge:

1. Download the [Microsoft Edge for macOS .pkg](https://www.microsoft.com/en-us/edge) file.
2. In Terminal, use the following command to create a `.plist` file for Microsoft Edge:

   ```
   /usr/bin/defaults write ~/Desktop/com.microsoft.Edge.plist RestoreOnStartup -int 1
   ```

3. Use the following command to convert the `.plist` from binary to plain text:

   ```
   /usr/bin/plutil -convert xml1 ~/Desktop/com.microsoft.Edge.plist
   ```

4. Open `com.microsoft.Edge.plist` and add the following:

   ```
   <key>ExtensionSettings</key>
   <dict>
     <key>jbkfoedolllekgbhcbcoahefnbanhhlh</key>
     <dict>
       <key>installation_mode</key>
       <string>force_installed</string>
       <key>update_url</key>
       <string>https://edge.microsoft.com/extensionwebstorebase/v1/crx</string>
     </dict>
   </dict>
   ```

   In this codeblock, `jbkfoedolllekgbhcbcoahefnbanhhlh` is the application identifier for the Bitwarden browser extension.
   Similarly, `https://edge.microsoft.com/extensionwebstorebase/v1/crx` signals Edge to use the Edge Add-On Store to retrieve the identified application.

   > [!NOTE]
   > You may also configure forced installations using the [ExtensionInstallForceList](https://docs.microsoft.com/en-us/DeployEdge/microsoft-edge-policies#extensioninstallforcelist), however the [ExtensionSettings](https://docs.microsoft.com/en-us/DeployEdge/microsoft-edge-policies#extensionsettings) method will supersede ExtensionInstallForceList.

5. (**Recommended**) To [disable](https://docs.microsoft.com/en-us/deployedge/microsoft-edge-policies#passwordmanagerenabled) Edge's built-in password manager, add the following to `com.microsoft.Edge.plist`:

   ```
   <key>PasswordManagerEnabled</key>
   <false />
   ```

6. Convert the `com.microsoft.Edge.plist` file to a configuration profile using a conversion tool like [mcxToProfile](https://github.com/timsutton/mcxToProfile).
7. Deploy the Edge `.pkg` and the configuration profile using your software distribution or MDM tool to all managed computers.

> [!NOTE]
> **For Jamf-specific** help, refer to Microsoft's documentation on [Configuring Microsoft Edge policy settings on macOS with Jamf](https://docs.microsoft.com/en-us/deployedge/configure-microsoft-edge-on-mac-jamf).

--- URL: https://bitwarden.com/help/business-unit-portal-quick-start/ ---

# Business Unit Portal Quick Start

> [!NOTE] Sign up for Business Unit Portal
> Interested in managing a Business Unit? [Contact us](https://bitwarden.com/contact-sales/) to learn more about the Business Unit Portal. To get started, you must have at least one Enterprise organization.

## Onboard users

As the Business Unit Portal owner, you will be automatically given admin status, allowing you to fully manage all aspects of Business Unit organizations. Bitwarden strongly recommends that you provision additional admins for failover purposes.
Now, begin adding your employees as service users, which will allow them to administer all Business Unit organizations and create new ones, or manage the unit itself.

1. **Invite users**. From the Business Unit Portal 🎚️ **Manage** → **Members** tab, invite users as service users (or invite additional admins):

   ![Invite business unit members](https://bitwarden.com/assets/3pFCcxegChJXePdeG6Qku/407a11969d79ea7c58f0845e3072922a/2025-04-23_08-56-22.png)

2. **Instruct users to accept invites**. Invited users will receive an email from Bitwarden inviting them to join the Business Unit. Inform users that they should expect an invitation and that they will need to **Log In** with an existing Bitwarden account or **Create Account** to proceed.

   ![Business Unit Invite](https://bitwarden.com/assets/4p9XEQjOB8nd1beMrTUo0z/2eef7bcb01b850d8544caea5703f5821/Screenshot_2025-03-27_151609.png)

3. **Confirm accepted invitations**. To complete the secure onboarding of your users, confirm accepted invitations from the Business Unit Portal **Members** tab:

   ![Confirm business unit invites](https://bitwarden.com/assets/40cMs63Aj1g3xrZ8SwHqMX/615ed6f09ba10c9ef3cba9d858742c3f/2025-04-23_09-08-12.png)

With the assembled team of service users, you're ready to start setting up Business Unit organizations.

## Business Unit organizations

A Business Unit organization is any organization that is attached to or administered by the Business Unit Portal. To your users, there's no difference between a "Business Unit" organization and a "regular" organization, except who is conducting the administration.

Organizations relate Bitwarden users and vault items together for secure sharing of logins, cards, notes, and identities.
Organizations have a view, the Admin Console, where service users can manage the organization's collections, manage members and groups, run reporting, import data, and configure organization settings:

![Business Unit Portal](https://bitwarden.com/assets/5nwhryDcaYUXFl72AWBeyO/8a5183b4e34803c173ca0281f641d708/2025-04-24_08-59-33.png)

Members of a Business Unit organization will find shared items in the **Vaults** view alongside individually-owned items, as well as several methods for filtering the item list to only organization items or items in particular collections:

![Organization-enabled vault](https://bitwarden.com/assets/4D2tlh9YKPzDY20SYGVKcG/dff56b66549d29405b1af211860f698e/2024-12-03_14-07-28.png)

## Create a Business Unit organization

To create a new Business Unit organization, you must be a Business Unit admin. Navigate to the **Clients** tab of the Business Unit Portal and select the + **New** button:

![Add business unit](https://bitwarden.com/assets/3Z2OgnsPU5RUx5J05pPYs8/00f61fb7d980105bce9feb56496143a5/2025-04-24_09-02-23.png)

## Add an existing organization

To add an existing organization to the Business Unit, you must be an active Business Unit admin and owner of the organization you wish to add.

1. Navigate to the **Business Unit Portal** using the product switcher and select the + **Add** button → **Existing organization**:

   ![Business Unit add Existing Organization](https://bitwarden.com/assets/7xFhBj38LTp1iWJdOadbU7/7f6b2185de459bef885095d8aef0951d/2025-10-02_15-38-46.png)

2. The Add existing organization dialogue will appear. Select the organization you wish to add:

   ![Add existing organization to Business Unit](https://bitwarden.com/assets/2j9Zja0U0NJ761L0AzJDJv/843f4135b36ab02c01bf2c1a3f7f17c6/2025-10-02_15-54-06.png)

3. You will be prompted to confirm the subscription and billing changes to your provider subscription. Once complete, select **Add organization**.
## Set up the Business Unit organization

With your newly-created Business Unit organization, start building the perfect solution for your users. Exact setup will be different for each Business Unit organization based on your needs, but will typically involve:

1. **Create collections**. A good first step is to [create a set of collections](https://bitwarden.com/help/about-collections/#create-a-collection/), which provide an organizing structure for the vault items you will add to the vault in the next step.

   Common collections patterns include **Collections by Department** (for example, users in the client's Marketing Team are assigned to a **Marketing** collection) or **Collections by Function** (for example, users from the client's Marketing Team are assigned to a **Social Media** collection):

   ![Collections](https://bitwarden.com/assets/6qodHGqBPABEFv3XJxaOUe/780cd4624a5d0a5fe315677968003e2d/collections-graphic-2.png)

2. **Import data**. Once the structure of how you will store vault items is in place, you can begin [importing data to the organization](https://bitwarden.com/help/import-to-org/).

   > [!NOTE] Service user permissions
   > Note that, as a service user, you will not be able to directly view, create, or manage individual items.

3. **Configure enterprise policies**. Before beginning the user management portion of setup, [configure enterprise policies](https://bitwarden.com/help/policies/) in order to set rules-of-use for things such as [master password complexity](https://bitwarden.com/help/policies/#master-password-requirements/), [use of two-step login](https://bitwarden.com/help/policies/#require-two-step-login/), and [admin password reset](https://bitwarden.com/help/account-recovery/#master-password-reset/).

   > [!NOTE] Enterprise policy
   > Enterprise policies are **only available to Enterprise organizations**.

4. **Set up login with SSO**.
   If your business unit uses single sign-on (SSO) to authenticate with other applications, [connect Bitwarden with their IdP](https://bitwarden.com/help/about-sso/) to allow authentication with Bitwarden using end-users' SSO credentials.
5. **Create user groups**. For teams and enterprise organizations, [create a set of groups](https://bitwarden.com/help/about-groups/#create-a-group/) for scalable permissions assignment. When you start adding users, add them to groups to have each user automatically inherit the group's configured permissions (for example, access to which collections).

   One common group-collection pattern is to create **Groups by Department** and **Collections by Function**, for example:

   ![Collections](https://bitwarden.com/assets/6qodHGqBPABEFv3XJxaOUe/780cd4624a5d0a5fe315677968003e2d/collections-graphic-2.png)

## Invite client users

With the infrastructure for secure and scalable sharing of credentials in place, you can begin inviting users to the organization. Onboarding users to Bitwarden can be accomplished in three ways, depending on the size of your Business Unit:

1. **For smaller units**, you can send email invitations to users from the Admin Console 🎚️ **Members** view:

   ![Invite member to an organization](https://bitwarden.com/assets/7AJjR4oqEnCH3A89YYoWpH/a4bd30d71a74ead44e13768dab8c5dff/2024-12-03_14-02-20.png)

2. **For larger units** who leverage an IdP such as Azure AD, Okta, OneLogin, or JumpCloud, use [SCIM](https://bitwarden.com/help/about-scim/) to automatically provision users.
3. **For larger units** who leverage a directory service (Active Directory, LDAP, Okta, and more), use [Directory Connector](https://bitwarden.com/help/directory-sync/) to sync organization users from the source directory and automatically issue invitations.
Regardless of whether you have invited users from the organization vault, using SCIM, or using Directory Connector, the same three-step process (Invite → Accept → Confirm) that you followed when [onboarding service users](https://bitwarden.com/help/getting-started-providers/#onboard-users/) will apply here as well.

## Managing self-hosted organizations

Business Unit Portal access to managed organizations is currently available for cloud-hosted environments only. To provide administrative services for a self-hosted instance, an additional service seat will need to be purchased to manage the self-hosted instance. For more information, see [managing self-hosted organizations](https://bitwarden.com/help/getting-started-providers/#managing-self-hosted-organizations/).

--- URL: https://bitwarden.com/help/business-unit-portal/ ---

# Business Unit Portal

> [!NOTE] Sign up for Business Unit Portal
> Interested in managing a Business Unit? [Contact us](https://bitwarden.com/contact-sales/) to learn more about the Business Unit Portal. To get started, you must have at least one Enterprise organization.

The Business Unit Portal is an administrative center that allows Enterprise administrators to create and manage any number of Enterprise organizations. Once you have requested access and been approved, the portal is accessible by selecting **Business Unit Portal**, available through the product switcher:

![Open the Business Unit Portal](https://bitwarden.com/assets/PdRRyABfSMxDBcAk7fQDb/0e394d3a94eaf85511625c1a15bff384/2025-04-24_08-59-33.png)

## What is the Business Unit Portal?

The Business Unit Portal empowers administrators to manage large Enterprise organizations at scale.
The Business Unit Portal streamlines administration tasks by centralizing a dedicated space to access and support each managed organization, or to create a new one:

![Business Unit Portal](https://bitwarden.com/assets/5nwhryDcaYUXFl72AWBeyO/8a5183b4e34803c173ca0281f641d708/2025-04-24_08-59-33.png)

The Business Unit Portal is built with two distinct user types:

- **Service users** can administer Business Units
- **Unit admins** can administer business unit organizations, including adding new service users to the team.

## Why Business Unit Portal?

The Business Unit Portal is a solution to efficiently create and easily manage multiple Bitwarden organizations in your business. Using the Business Unit Portal, administrators may:

- View all organizations under the company's management, as well as onboard new and existing organizations.
- Manage user onboarding, provisioning, organization policies, settings, and collections.
- View time-stamped actions made by users in the Business Unit Portal, including creating new organizations, inviting new users, and user access to organizations.

The Business Unit Portal is an all-in-one management experience that enables business administrators to manage Bitwarden organizations at scale. The Business Unit Portal streamlines administration tasks by centralizing a dedicated space to access and support each organization, or to create a new one.

## Business Unit organizations

A Business Unit organization is any organization that is attached to or administered by a Business Unit. To your users, there's no difference between a "Business Unit" organization and a "regular" organization except for who is conducting administration.
All Business Unit administrators have access to all unit organizations:

![Structure of a Provider](https://bitwarden.com/assets/28M8mkU03SyVFq70ZgD0Bp/04e3c65eba73892ae3301d366ce97ce1/provider-diagram.png)

> [!NOTE] Business Unit Credentials
> **As denoted in the above diagram**, if Unit administrators want to use an [organization](https://bitwarden.com/help/about-organizations/) to manage their own credentials, they **should not** include it as a Business Unit.
>
> Creating an independent organization for this case will ensure users can be given the appropriate [user types and access controls](https://bitwarden.com/help/user-types-access-control/) over credentials.

Organizations relate Bitwarden users and vault items together for [secure sharing](https://bitwarden.com/help/sharing/) of logins, cards, notes, and identities. Organizations have a unique view, the Admin Console, where service users can manage the organization's collections, manage members and groups, run reporting, import data, and configure organization settings:

![Access business unit collections](https://bitwarden.com/assets/556sezsEi94WR2UMFWaXY0/4e1fb093daf9cf130d44464ea60474b9/2025-04-23_08-52-47.png)

Members of a business unit will find shared items in their **Vaults** view alongside individually-owned items, as well as several methods for filtering the item list to only organization items or items in particular [collections](https://bitwarden.com/help/about-collections/):

![Organization-enabled vault](https://bitwarden.com/assets/4D2tlh9YKPzDY20SYGVKcG/dff56b66549d29405b1af211860f698e/2024-12-03_14-07-28.png)

Once you have [contacted us](https://bitwarden.com/contact-sales/) and been set up with access by a member of the Bitwarden team, [start a Business Unit organization](https://bitwarden.com/help/client-org-setup/).
--- URL: https://bitwarden.com/help/cancel-a-subscription/ ---

# Cancel a Subscription

Canceling a Bitwarden subscription will result in your account or organization losing access to paid features at the end of the billing cycle. If your subscription is less than 30 days old, [contact us](https://bitwarden.com/contact/) to receive a refund.

Canceling a subscription does not automatically delete your account or organization. [Learn more](https://bitwarden.com/help/delete-your-account/).

If you're self-hosting, cancel your subscription from the Bitwarden-hosted web app you created the account on. [Learn more](https://bitwarden.com/help/licensing-on-premise/).

## Cancel a personal subscription

To cancel a personal subscription:

1. In the web app, navigate to **Settings** → **Subscription**:

   ![Subscription page](https://bitwarden.com/assets/3Ru9TSLguhRNYtLe2TLwXk/d601c1c639cf3eccc0860793aae3299e/2024-12-04_10-15-22.png)

2. Take note of the **Next charge** date. This is when you will lose access to paid features once your subscription is cancelled.
3. Select the **Cancel subscription** button.

When you confirm cancellation, your account will move into a **Pending cancellation** status until the noted **Next charge** date is reached. When the **Next charge** date is reached, you will be moved to a free account. [Learn what happens when you lose premium](https://bitwarden.com/help/premium-renewal/).

> [!TIP] Reinstate Sub
> If you change your mind before the end of the billing cycle, you can **Reinstate Subscription** with a single button!

## Cancel an organization subscription

To cancel an organization subscription:

1. In the web app, open the Admin Console using the product switcher:

   ![Product switcher](https://bitwarden.com/assets/2uxBDdQa6lu0IgIEfcwMPP/e3de3361749b6496155e25edcfdcf08b/2024-12-02_11-19-56.png)

2.
   Navigate to **Billing** → **Subscription**:

   ![Organization subscription view](https://bitwarden.com/assets/7MT9lfZZDTOQOBmnrLGceN/1ac8c615153e35250d15ce3921148cfe/2024-12-04_10-33-12.png)

   > [!NOTE] Only org owners may access subscription page
   > Only organization owners are able to access the organization's subscription page.

3. Take note of the **Subscription expiration** date. This is when your organization will lose access to paid features once your subscription is cancelled.
4. Scroll down and select the **Cancel subscription** button.

When you confirm cancellation, your organization will move into a **Pending cancellation** status until the noted **Subscription expiration** date is reached. When the **Subscription expiration** date is reached, your subscription will end. [Learn what happens next](https://bitwarden.com/help/organization-renewal/).

> [!TIP] Reinstate Sub
> If you change your mind before the end of the billing cycle, you can **Reinstate Subscription** with a single button!

--- URL: https://bitwarden.com/help/certificates/ ---

# Certificate Options

This article defines the certificate options available to self-hosted instances of Bitwarden. You will select your certificate option during installation.

**Setting up or changing your certificate configuration will always require** you to run the `./bitwarden.sh rebuild` or `.\bitwarden.ps1 -rebuild` command before starting Bitwarden to apply the changes to your `config.yml` file.

> [!NOTE] Certificate options not applied to Bitwarden Unified
> The information in this article may not apply to Bitwarden Unified self-hosted deployments.

## Generate a certificate with Let's Encrypt

[Let's Encrypt](https://letsencrypt.org/how-it-works/) is a certificate authority (CA) that issues trusted SSL certificates free of charge for any domain. The Bitwarden installation script offers the option to generate a trusted SSL certificate for your domain using Let's Encrypt and [Certbot](https://certbot.eff.org).
Certificate renewal checks occur each time Bitwarden is restarted. Using Let's Encrypt will require you to enter an email address for certificate expiration reminders.

> [!NOTE] Let's Encrypt port requirement
> Let's Encrypt is a third-party certificate authority that requires inbound ports 80 and 443 have access from the internet in order to validate your domain and issue a certificate. If you do not have or want to set up inbound internet access, you may use one of the other certificate options in this document.

### Manually update a Let's Encrypt certificate

If you change the domain name of your Bitwarden server, you will need to manually update your generated certificate. Run the following commands to create a backup, update your certificate, and rebuild Bitwarden:

🐧 🍎 Bash

```
./bitwarden.sh stop
mv ./bwdata/letsencrypt ./bwdata/letsencrypt_backup
mkdir ./bwdata/letsencrypt
chown -R bitwarden:bitwarden ./bwdata/letsencrypt
chmod -R 740 ./bwdata/letsencrypt
docker pull certbot/certbot
# -v takes the absolute host path of bwdata/letsencrypt; <your-email> is a placeholder
docker run -i --rm --name certbot -p 443:443 -p 80:80 -v /bwdata/letsencrypt:/etc/letsencrypt/ certbot/certbot certonly --email <your-email> --logs-dir /etc/letsencrypt/logs
```

Select 1, then follow the instructions:

```
# <your.domain> is a placeholder for the domain the certificate was issued for
openssl dhparam -out ./bwdata/letsencrypt/live/<your.domain>/dhparam.pem 2048
./bitwarden.sh rebuild
./bitwarden.sh start
```

🪟 PowerShell

> [!NOTE]
> You will need to install a build of OpenSSL for Windows.

```
.\bitwarden.ps1 -stop
mv .\bwdata\letsencrypt .\bwdata\letsencrypt_backup
mkdir .\bwdata\letsencrypt
docker pull certbot/certbot
# -v takes the full host path of bwdata\letsencrypt; <your-email> is a placeholder
docker run -i --rm --name certbot -p 443:443 -p 80:80 -v \bwdata\letsencrypt\:/etc/letsencrypt/ certbot/certbot certonly --email <your-email> --logs-dir /etc/letsencrypt/logs
# Select 1, then follow the instructions
# openssl must be on PATH (or use the full path to openssl.exe); <your.domain> is a placeholder
openssl dhparam -out .\bwdata\letsencrypt\live\<your.domain>\dhparam.pem 2048
.\bitwarden.ps1 -rebuild
.\bitwarden.ps1 -start
```

## Use an existing SSL certificate

You may alternatively opt to use an existing SSL certificate, which will require you to have the following files:

- A server certificate (`certificate.crt`)
- A private key (`private.key`)
- A CA certificate (`ca.crt`)

You may need to bundle your primary certificate with intermediate CA certificates to prevent SSL trust errors. All certificates should be included in the server certificate file when using a CA certificate. The first certificate in the file should be your server certificate, followed by any intermediate CA certificate(s), followed by the root CA.

Under the default configuration, place your files in `./bwdata/ssl/your.domain`. You may specify a different location for your certificate files by editing the following values in `./bwdata/config.yml`:

```
ssl_certificate_path:
ssl_key_path:
ssl_ca_path:
```

> [!NOTE]
> The values defined in `config.yml` represent locations inside the NGINX container. Directories on the host are mapped to directories within the NGINX container.
> Under the default configuration, mappings line up as follows:
>
> The following values in `config.yml`:
>
> ```
> ssl_certificate_path: /etc/ssl/your.domain/certificate.crt
> ssl_key_path: /etc/ssl/your.domain/private.key
> ssl_ca_path: /etc/ssl/your.domain/ca.crt
> ```
>
> Map to the following files on the host:
>
> ```
> ./bwdata/ssl/your.domain/certificate.crt
> ./bwdata/ssl/your.domain/private.key
> ./bwdata/ssl/your.domain/ca.crt
> ```
>
> **You should only ever need to work with files in `./bwdata/ssl/`. Working with files directly in the NGINX container is not recommended.**

> [!TIP] IPs for OCSP Checks
> If your server is logging outbound traffic to 1.1.1.1, 1.0.0.1, 9.9.9.9, or 149.112.112.112, your server is making OCSP checks. You can prevent this traffic by configuring an empty value for `ssl_ca_path:` in your `config.yml` file. Changing this value, as with changing anything in `config.yml`, requires a rebuild and restart of your server.

### Using Diffie-Hellman key exchange

Optionally, if using Diffie-Hellman key exchange to generate ephemeral parameters:

- Include a `dhparam.pem` file in the same directory.
- Set the `ssl_diffie_hellman_path:` value in `config.yml`.

> [!NOTE]
> You can create your own `dhparam.pem` file using OpenSSL with `openssl dhparam -out ./dhparam.pem 2048`.

## Using a self-signed Certificate

You may alternatively opt to use a self-signed certificate, however this is only recommended for testing. Self-signed certificates will not be trusted by Bitwarden client applications by default. You will be required to manually install this certificate to the trusted store of each device you plan to use Bitwarden with.

Generate a self-signed certificate:

```
mkdir ./bwdata/ssl/bitwarden.example.com
openssl req -x509 -newkey rsa:4096 -sha256 -nodes -days 365 \
  -keyout ./bwdata/ssl/bitwarden.example.com/private.key \
  -out ./bwdata/ssl/bitwarden.example.com/certificate.crt \
  -reqexts SAN -extensions SAN \
  -config <(cat /usr/lib/ssl/openssl.cnf <(printf '[SAN]\nsubjectAltName=DNS:bitwarden.example.com\nbasicConstraints=CA:true')) \
  -subj "/C=US/ST=New York/L=New York/O=Company Name/OU=Bitwarden/CN=bitwarden.example.com"
```

Your self-signed certificate (`.crt`) and private key (`private.key`) can be placed in the `./bwdata/ssl/self/your.domain` directory and configured in the `./bwdata/config.yml`:

```
ssl_certificate_path: /etc/ssl/bitwarden.example.com/certificate.crt
ssl_key_path: /etc/ssl/bitwarden.example.com/private.key
```

### Trust a self-signed certificate

#### Windows

To trust a self-signed certificate on Windows, run `certmgr.msc` and import your certificate into the Trusted Root Certification Authorities.

#### Linux

To trust a self-signed certificate on Linux, add your certificate to the following directories:

```
/usr/local/share/ca-certificates/
/usr/share/ca-certificates/
```

And run the following commands:

```
sudo dpkg-reconfigure ca-certificates
sudo update-ca-certificates
```

For our Linux desktop app, accessing the web vault using Chromium-based browsers, and the Directory Connector desktop app, you also need to complete [this Linux cert management procedure](https://chromium.googlesource.com/chromium/src/+/refs/heads/master/docs/linux/cert_management.md).

For the [Bitwarden CLI](https://bitwarden.com/help/cli/) and [Directory Connector CLI](https://bitwarden.com/help/directory-sync-cli/), your self-signed certificate must be stored in a local file and referenced by a `NODE_EXTRA_CA_CERTS=` environment variable, for example:

```
export NODE_EXTRA_CA_CERTS=~/.config/Bitwarden/certificate.crt
```

#### Android

To trust a self-signed certificate on an Android device, refer to Google's [Add & remove certificates documentation](https://support.google.com/pixelphone/answer/2844832?hl=en).

> [!NOTE] Selfhosting Android
> If you are **not self-hosting** and encounter the following certificate error on your Android device:
>
> ```
> Exception message: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
> ```
>
> You will need to upload Bitwarden's certificates to your device. Refer to [this community thread](https://community.bitwarden.com/t/android-client-login-bitwarden-https-cert-problem/12132) for help finding the certificates.

## Use no certificate

> [!NOTE]
> If you opt to use no certificate, you **must front your installation with a proxy that serves Bitwarden over SSL**. This is because Bitwarden requires HTTPS; trying to use Bitwarden without the HTTPS protocol will trigger errors.
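
The ordering rule under "Use an existing SSL certificate" (server certificate first, then intermediates, then the root CA) and the pairing of `certificate.crt` with `private.key` can be checked before running a rebuild. The script below is an added example, not part of the Bitwarden documentation or tooling; it assumes the `openssl` CLI is installed, all function names are hypothetical, and `make_demo_chain` builds a constructed throwaway chain as sample input.

```shell
#!/usr/bin/env bash
# Added example (not Bitwarden code): sanity-check a certificate.crt bundle and
# its private.key before copying them into ./bwdata/ssl/your.domain.
# Requires the openssl CLI. All function names here are hypothetical.

# Split the PEM bundle $1 into $2/cert-1.pem, $2/cert-2.pem, ...; prints the count.
split_bundle() {
  awk -v dir="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; on = 1; f = dir "/cert-" n ".pem" }
    on { print > f }
    /-----END CERTIFICATE-----/ { on = 0; close(f) }
    END { print n + 0 }' "$1"
}

# Returns 0 when every certificate is followed by the certificate that issued
# it (server certificate first, root last). Only issuer/subject name hashes are
# compared; signatures and expiry dates are not verified.
check_bundle_order() {
  local bundle="$1" tmp count i issuer subject
  [ -r "$bundle" ] || return 2
  tmp=$(mktemp -d) || return 2
  count=$(split_bundle "$bundle" "$tmp")
  if [ "${count:-0}" -lt 1 ]; then rm -rf "$tmp"; return 2; fi
  i=1
  while [ "$i" -lt "$count" ]; do
    issuer=$(openssl x509 -in "$tmp/cert-$i.pem" -noout -issuer_hash)
    subject=$(openssl x509 -in "$tmp/cert-$((i + 1)).pem" -noout -subject_hash)
    if [ -z "$issuer" ] || [ "$issuer" != "$subject" ]; then
      echo "certificate $i is not issued by certificate $((i + 1))" >&2
      rm -rf "$tmp"
      return 1
    fi
    i=$((i + 1))
  done
  rm -rf "$tmp"
  return 0
}

# Returns 0 when the FIRST certificate in bundle $1 carries the public key of
# private key $2, i.e. the server certificate really is at the top of the file.
key_matches_cert() {
  local cert_pub key_pub
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Constructed sample input: a throwaway root -> intermediate -> leaf chain
# written into directory $1 (root.crt, int.crt, leaf.crt, leaf.key, ...).
make_demo_chain() {
  local d="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo Root CA" \
    -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null || return 1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" \
    -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null || return 1
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
    -CAcreateserial -days 2 -out "$d/int.crt" 2>/dev/null || return 1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=bitwarden.example.com" \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null || return 1
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.crt" -CAkey "$d/int.key" \
    -CAcreateserial -days 2 -out "$d/leaf.crt" 2>/dev/null || return 1
}

# Run as: ./check-bundle.sh certificate.crt private.key
if [ "$#" -eq 2 ]; then
  check_bundle_order "$1" && key_matches_cert "$1" "$2" && echo "bundle looks consistent"
fi
```

To try it without real files, call `make_demo_chain` on an empty directory and concatenate `leaf.crt`, `int.crt` and `root.crt` in that order.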
--- URL: https://bitwarden.com/help/change-at-risk-passwords/ ---

# Change At-Risk Passwords

If you receive an email with the subject line **{Organization} has identified at-risk passwords**, or if you see a **Review and change at-risk passwords** banner in your browser extension, your administrative team has identified and requires that you change a password that is weak, re-used, or has been exposed:

![Change an at-risk password](https://bitwarden.com/assets/2N1WqXBUVvutN9qQR73WbQ/ad56aeac00234010b56e1cc74a4ba542/2025-04-25_13-08-23.png)

In your browser extension, click the banner and use the **Change** button for each at-risk password to replace a weak, re-used, or exposed password with a strong new one. In most cases, the browser extension will guide you directly to that service's "Change password" page. Remember that:

- You must change the password within the website's "Change password" form as well as within Bitwarden.
- You should use the [password generator](https://bitwarden.com/help/generator/#generate-a-password/) to create a strong and unique new password.

--- URL: https://bitwarden.com/help/change-client-environment/ ---

# Connect Individual Clients

By default, Bitwarden clients will connect to Bitwarden-hosted servers, but any client application can be configured to connect to your self-hosted Bitwarden instance instead.

> [!NOTE] If you do not wish to connect to a self-hosted instance
> If you are trying to connect to a Bitwarden-hosted server, but your client is attempting to connect to a self-hosted instance, select **bitwarden.com** or **bitwarden.eu** from the **Logging in on** menu.

### Browser extension

To connect a browser extension to your self-hosted server:

1. On the login or registration screen, select the **Logging in on** dropdown and choose the **Self-hosted** option.

   ![Self-hosted server selection](https://bitwarden.com/assets/1Pq95ZZLLySxwjLr7eul5W/326732e7943499236adf16e6a16378b6/2024-12-04_10-05-14.png)
2. In the **Server URL** field, enter the domain name for your server with `https://` (for example, `https://my.bitwarden.domain.com`).
3. Select **Save**.

> [!TIP] Advanced Client-Server Specification
> Users with unique setups can specify the URL of each service independently in the **Custom Environment** section.

### Mobile app

To connect a mobile app to your self-hosted server:

1. On the login or registration screen, select the **Logging in on** dropdown and choose the **Self-hosted** option.

   ![Server selection on mobile](https://bitwarden.com/assets/0mBtygWpIfx8MLtcPwxwD/0041c5a129a88b9fb5dd021a07a6da4e/2025-01-22_10-17-39.png)
2. In the **Server URL** field, enter the domain name for your server with `https://` (for example, `https://my.bitwarden.domain.com`).
3. Select **Save**.

> [!TIP] Advanced Client-Server Specification
> Users with unique setups can specify the URL of each service independently in the **Custom Environment** section.

### Desktop app

[Each account](https://bitwarden.com/help/account-switching/) that's logged in to your desktop app can be connected to a different server. To connect an account to your self-hosted server:

1. On the login or registration screen, select the **Logging in on** dropdown and choose the **Self-hosted** option.

   ![Server selection desktop](https://bitwarden.com/assets/4KVc44Osl3K38W0dxdCl3M/53ad13b8f456e8d92594c29c54091bd0/desktop.png)
2. In the **Server URL** field, enter the domain name for your server with `https://` (for example, `https://my.bitwarden.domain.com`).
3. Select **Save**.

> [!TIP] Advanced Client-Server Specification
> Users with unique setups can specify the URL of each service independently in the **Custom Environment** section.

### CLI

To connect the CLI to your self-hosted server:

1. Log out using the `bw logout` command.
2. Use the following command to connect the CLI to your self-hosted server:

   ```
   bw config server https://your.bw.domain.com
   ```

Users with unique setups can specify the URL of each service independently using the following commands:

```
# <url> is a placeholder for the URL of that service
bw config server --web-vault <url>
bw config server --api <url>
bw config server --identity <url>
bw config server --icons <url>
bw config server --notifications <url>
bw config server --events <url>
bw config server --key-connector <url>
```

--- URL: https://bitwarden.com/help/change-theme/ ---

# Change App Appearance

The Bitwarden web vault, browser extension, desktop app, and mobile app come packed with stylish themes. Browser extensions also include a few other appearance options:

### Web app

To change the theme of your web app:

1. Navigate to **Settings** → **Preferences**:

   ![Preferences](https://bitwarden.com/assets/7vKmhsOfJqieQbYRxALV75/ce2505a6fa89531d5784ca6afe45cecd/2024-12-02_11-46-04.png)
2. From the **Theme** dropdown, choose your favorite theme and select **Save**!

### Browser extension

To change the theme of your browser extension:

1. Open the browser extension's **Settings** tab.
2. Select **Appearance**.

   ![Select theme browser ext](https://bitwarden.com/assets/6IZpsItvhtnImItOfXJ9HW/5502397e3024f97c473eaf05fc7cb9cd/2024-12-03_10-51-17.png)
3. Use the **Theme** dropdown to select your favorite theme.
4. Use the **Extension width option** to expand the dimensions of the browser extension.
5. Use **Compact mode** to increase the information density of what's shown in the browser extension.

### Desktop

To change the theme of your desktop app:

1. Open the desktop app's **Preferences** panel (on Windows, **File** → **Settings**) (on macOS, **Bitwarden** → **Preferences**).
2. Scroll to the **App Settings** section and use the **Theme** dropdown to select your favorite theme!
   ![Change Theme](https://bitwarden.com/assets/7dOzSglXr4rlM97zKoqptq/c9363541c22ee78b379010c73773e265/Change-app-appearence-1.png)

> [!TIP] Theme + Account Switching
> Theme is set globally for all logged-in accounts in the desktop app. [Learn more](https://bitwarden.com/help/account-switching/).

### Mobile

To change the theme of your mobile app:

1. Open the mobile app's ⚙️ **Settings** tab.
2. Tap **Appearance**.
3. Tap the **Theme** option to select your favorite theme:

   ![Change theme on mobile](https://bitwarden.com/assets/ntCXOl03Oi6zmXx5Z9j5C/1329fb58540811d4b195b638b2628aca/2025-05-20_15-28-44.png)

> [!TIP] Material You for Android
> On Android, you can also use the **Dynamic colors** option to match the color scheme of Bitwarden to your wallpaper.

--- URL: https://bitwarden.com/help/choose-my-server/ ---

# Choose My Server

The Bitwarden cloud is available globally with data storage in both **United States** and **European Union** regions.

> [!TIP] Why server geography is important
> Bitwarden data regions are separate, and your account or organization only exists in the region where it was first created, meaning:
>
> - You can't log in on the EU server if your account was created on a US server, or vice versa. Trying to do so will mimic the experience of entering the wrong master password.
> - Creating accounts on both servers will not cause data to sync between the two. If you use multiple Bitwarden apps and observe mismatched data, check that they're logged in to the same server.
> - Accounts on one server can't join an organization on a different server.
> - Accounts cannot change servers once created. To switch from a US server to an EU server, or vice versa, you must create a new account on the desired server. Once a new account has been created, you may [export your existing vault data](https://bitwarden.com/help/export-your-data/) to the new account.

To choose which server you're logging in to or creating an account on, use the **Server** or **Logging in on:** dropdown on the login or registration screen:

### Web app

![Region selector on web app](https://bitwarden.com/assets/30W3B0aJy0dzO0pKTaBr7h/ed4fa669856dc3b13dbd80a1e0b237b5/2024-12-04_10-09-00.png)

### Browser extension

![Region selector on browser extensions](https://bitwarden.com/assets/4Kas8J6TjKZWMdaTo7pZMX/7d33be1c411bcf7eaf0816842beb824b/2025-02-18_14-09-00.png)

### Mobile app

![Region selector on mobile apps](https://bitwarden.com/assets/753jtQ6dg9u6Rln2A7TF4R/01b3d12d193d8f00432b925c29999d91/2025-02-18_14-18-33.png)

### Desktop app

![Region selector on desktop apps](https://bitwarden.com/assets/3FlU02971dqGGkp86WJJc5/43aeb8ee7de20a3cc0156fbf2c766432/choose-my-service-1.png)

--- URL: https://bitwarden.com/help/claimed-accounts/ ---

# Claimed Accounts

When an Enterprise organization [claims a domain](https://bitwarden.com/help/claimed-domains/), any organization member accounts that have email addresses with a matching domain (e.g. `jdoe@mycompany.com`) will also be claimed by the organization. Claimed member accounts are functionally **owned by the organization**, resulting in a few key changes to the way the account works.

> [!NOTE] Clarifying claimed member prereqs
> A user must have a matching domain **and** be a [confirmed member](https://bitwarden.com/help/managing-users/#confirm/) of your Bitwarden organization to be considered a claimed account. Claiming a domain **does not** automatically invite any users and therefore will not in and of itself add to your subscription seat count.

## Deletion of claimed accounts

Claimed member accounts can be outright deleted by organization administrators, instead of only being able to be removed from the organization. This includes deleting that user's individual vault, if one is available to them.
If you are an organization member with a claimed account, it is especially important that you are not storing any personal credentials in that account.

> [!NOTE] Learn how to delete claimed accounts
> Claimed accounts can be deleted from the Admin Console's **Members** page using the ⋮ options menu:
>
> ![Delete claimed accounts](https://bitwarden.com/assets/6HUnGTfMstF4IasZcKBfdi/0d2dbd328ba4a006611576e7d91c70df/2025-01-14_10-45-56.png)
>
> Members of your organization that do not have claimed accounts can only be **Removed** from the organization instead.

## Restricted access to account actions

If you are an organization member with a claimed account, you are not able to:

- Change your account email address to a domain that is not claimed by your organization. (You can still change the username portion of your email address.)
- Leave the organization.
- Purge your vault.
- Delete your account.

--- URL: https://bitwarden.com/help/claimed-domains/ ---

# Claimed Domains

Enterprise customers can claim domain ownership (e.g. `mycompany.com`) for their organizations. Claiming a domain supports the following features:

- **Claimed member accounts**: When you claim a domain, any organization member accounts that have email addresses with a matching domain (e.g. `jdoe@mycompany.com`) will also be claimed by your organization. Claimed member accounts are functionally owned by the organization, restricting users from taking some account actions and allowing administrators to delete the account, including deleting that user's individual vault, outright instead of only removing them from the organization. [Learn more](https://bitwarden.com/help/claimed-accounts/).
- **Easier SSO for members**: When you claim a domain, any organization member accounts that have email addresses with a matching domain (e.g.
  `jdoe@mycompany.com`) will, during SSO, automatically bypass the step that would require them to enter an [SSO identifier](https://bitwarden.com/help/using-sso/#get-your-organization-identifier/).
- **Automatically verify member emails**: When you claim a domain, any organization member accounts that have email addresses with a matching domain (e.g. `jdoe@mycompany.com`) will have their [email automatically verified](https://bitwarden.com/help/product-faqs/#q-what-features-are-unlocked-when-i-verify-my-email/) when onboarded.

Domains can be claimed with a valid and unique-to-Bitwarden DNS TXT record.

## Claim a domain

In order to claim a domain, Bitwarden must verify that:

- No other organization has verified the domain.
- Your organization has ownership of the domain.

Bitwarden will use a DNS TXT record to validate a domain claim. This DNS TXT record must be kept active and available at all times, as Bitwarden will continually check for it.

To claim a domain, complete the following steps as an [admin or owner](https://bitwarden.com/help/user-types-access-control/#member-roles/):

1. Log in to the Bitwarden [web app](https://bitwarden.com/help/getting-started-webvault/) and open the Admin Console using the product switcher:

   ![Product switcher](https://bitwarden.com/assets/2uxBDdQa6lu0IgIEfcwMPP/e3de3361749b6496155e25edcfdcf08b/2024-12-02_11-19-56.png)
2. Navigate to **Settings** → **Claimed domains**:

   ![Claiming a domain](https://bitwarden.com/assets/6WJAs5AXufz8zSiVjEp5aA/8d9f4576f877ce74d6553430801070a9/2025-01-14_09-56-53.png)
3. On the **Claimed domains** screen you will see a list of active domains, along with status checks and options. If you have no active domains, select **New domain**.

   > [!TIP] Claimed a domain for the first time
   > When you claim a domain, the [single organization policy](https://bitwarden.com/help/policies/#single-organization/) will automatically be activated during the claiming workflow.
   > Domains that were claimed prior to the 2025.3.0 release will not automatically activate this policy, however any subsequent domains claimed by the organization will.
4. In the pop-up window, enter a **Domain name**.

   > [!NOTE] domain format
   > The format of the domain name entry **should not** include `https://` or `www.`.
5. Copy the **DNS TXT record** and add it to your domain.
6. Select **Claim domain**.

### Manage your domains

You can manage and view the status of your domains from the **Claimed domains** page. All domains will have a status of **Claimed** or **Not Claimed**:

![Claimed domain](https://bitwarden.com/assets/1sgIhVJzsRce0VyNIvH1ze/9ebaf423a88815e476bf2d81231fbf8e/2025-04-15_09-52-34.png)

> [!TIP] If you need to edit your domain.
> Before updating your claimed domain in Bitwarden, verify that your TXT record is publicly visible using the `dig` command:
>
> ```bash
> dig your.domain.com TXT
> ```
>
> **If the wrong TXT record is found**, your DNS changes may need more time to propagate. **If the right TXT record is found but claiming still fails**, your Bitwarden server may be configured to use an internal DNS server rather than the public one in which the update was made.

Use the ⋮ menu located on the right side of the domain to:

- Edit or delete a domain.
- **Copy DNS TXT record** to provide it to your DNS provider.
- Manually **verify domain** if automatic claiming was not successful.

> [!NOTE] Domain verification attempts
> Bitwarden will attempt to verify the domain 3 times during the first 72 hours. If the domain has not been verified within 7 days after the 3rd attempt, the domain will be removed from your organization.

Domain claiming activities will be logged in the organization event logs. To view events, navigate to **Reporting** → **Event logs** in the Admin Console.

## Once your domain is claimed

Once your domain is claimed and verified, your organization will gain access to the following:

### Claimed member accounts

When you claim a domain, any organization member accounts that have email addresses with a matching domain (e.g. `jdoe@mycompany.com`) will also be claimed by your organization. Claimed member accounts are functionally owned by the organization, resulting in a few key changes to the way the account works:

> [!NOTE] Clarifying claimed member prereqs
> A user must have a matching domain **and** be a [confirmed member](https://bitwarden.com/help/managing-users/#confirm/) of your Bitwarden organization to be considered a claimed account. Claiming a domain **does not** automatically invite any users and therefore will not in and of itself add to your subscription seat count.

#### Org-managed account deletion

Claimed member accounts can be outright deleted by organization administrators, instead of only being able to be removed from the organization. Owners and admins can delete a claimed account from the Admin Console's **Members** page using the ⋮ menu:

![Delete claimed accounts](https://bitwarden.com/assets/6HUnGTfMstF4IasZcKBfdi/0d2dbd328ba4a006611576e7d91c70df/2025-01-14_10-45-56.png)

Members of your organization that do not have claimed accounts can be **Removed** from the organization instead.

> [!NOTE] Claimed accounts with Directory Connector and SCIM
> Directory Connector and SCIM do not have the ability to delete claimed accounts; this action can only be taken by admins and owners from the web app Admin Console.

#### Restricted access to account actions

Users with member accounts will be restricted from:

- Changing their account email address to a different domain (members can still change the username portion of their email address).
- Leaving the organization.
- Purging their vault.
- Deleting their account.

### Easier SSO for members

When you claim a domain, any organization member accounts that have email addresses with a matching domain (e.g. `jdoe@mycompany.com`) will, during SSO, automatically bypass the step that would require them to enter an [SSO identifier](https://bitwarden.com/help/using-sso/#get-your-organization-identifier/).

--- URL: https://bitwarden.com/help/clear-sync-cache/ ---

# Clear Sync Cache

Directory Connector keeps a local cache while syncing changes to your Bitwarden organization. This cache helps Directory Connector to **only send the deltas between the two directories** (before / after).

If you encounter sync errors, or if a particular directory change is not being synced as expected, you should clear this cache. Clearing the cache will trigger a full sync to occur during the next sync operation.

To clear the local cache:

### Desktop

From the Directory Connector [desktop app](https://bitwarden.com/help/directory-sync-desktop/):

1. Select the **More** tab.
2. In the Other section, select the **Clear Sync Cache** button.

### CLI

Use the following command:

```
bwdc clear-cache
```

--- URL: https://bitwarden.com/help/cli-auth-challenges/ ---

# CLI Authentication Challenges

The August 2021 release of Bitwarden (**2021-09-21**) introduced [Captcha](https://www.hcaptcha.com/about) requirements to increase security against bot traffic. On the CLI, Captcha challenges are substituted with authentication challenges that can be validated using your account's [personal API key](https://bitwarden.com/help/personal-api-key/) `client_secret`.

> [!NOTE] bwlogin api key
> **For automated workflows or for providing access to an external application**, we recommend using the `bw login --apikey` [method](https://bitwarden.com/help/cli/#using-an-api-key/).
> This method follows a more predictable authentication flow and revoking an application or machine's access can be achieved by rotating the [API key](https://bitwarden.com/help/personal-api-key/#rotate-your-api-key/).

## Get your personal API key

To get your personal API key:

1. In the Bitwarden web app, navigate to **Settings** → **Security** → **Keys**:

   ![Keys](https://bitwarden.com/assets/3IHpaOpEB5a13TF3B3RqqB/05511a849898a1d2d46efb2764df0547/2024-12-03_10-47-30.png)
2. Select the **View API key** button and enter your master password to validate access.
3. From the **API key** dialog box, copy the **client_secret:** value, which is a random string like `efrbgT9C6BogEfXi5pZc48XyJjfpR`.

## Answering challenges

Depending on your preferences, you can [save an environment variable](https://bitwarden.com/help/cli-auth-challenges/#answer-challenges-with-an-environment-variable/) to automatically pass authentication challenges or [manually enter](https://bitwarden.com/help/cli-auth-challenges/#using-the-prompt/) your `client_secret` whenever a challenge is made:

### Answer challenges with an environment variable

Authentication challenges will look for a non-empty environment variable `BW_CLIENTSECRET` before prompting you to enter one manually. Saving this variable with the [retrieved client_secret value](https://bitwarden.com/help/cli-auth-challenges/#get-your-personal-api-key/) will allow you to automatically pass authentication challenges. To save this environment variable:

🐧 🍎 Bash

```
export BW_CLIENTSECRET="client_secret"
```

🪟 PowerShell

```
$env:BW_CLIENTSECRET="client_secret"
```

> [!NOTE] Client secret value incorrect
> If your `client_secret` is incorrect, you will receive an error. In most cases, this is because you have [rotated your API key](https://bitwarden.com/help/personal-api-key/#rotate-your-api-key/) since saving the variable.
> [Use the above steps](https://bitwarden.com/help/cli-auth-challenges/#get-your-personal-api-key/) to retrieve the correct value.

### Answer challenges manually

When an authentication challenge is made and no `BW_CLIENTSECRET` value is found, you will be prompted to manually enter your `client_secret` value:

![Login Prompt with Auth Challenge](https://bitwarden.com/assets/6YPFmH0ALYCuKcpOs6yf8X/e12166c2a561203f4605401b716f89e6/cli-captcha-1-markup.png)

> [!NOTE] Client secret value incorrect
> If your `client_secret` is incorrect, you will receive an error. In most cases, this is because you have [rotated your API key](https://bitwarden.com/help/personal-api-key/#rotate-your-api-key/) since saving the variable. [Use the above steps](https://bitwarden.com/help/cli-auth-challenges/#get-your-personal-api-key/) to retrieve the correct value.

--- URL: https://bitwarden.com/help/cli/ ---

# Password Manager CLI

The Bitwarden command-line interface (CLI) is a powerful, fully-featured tool for accessing and managing your vault. Most features that you find in other Bitwarden client applications (desktop, browser extension, etc.) are available from the CLI.

![Bitwarden CLI](https://bitwarden.com/assets/269bjiuC0f18YVu0VYJO9V/e192e552baa3bfe2f2efba30161f4a70/cli.png)

The Bitwarden CLI is self-documented. From the command line, learn about the available commands using:

```
bw --help
```

Or, pass `--help` as an option on any `bw` command to see available options and examples:

```
bw list --help
bw move --help
```

Most information you'll need can be accessed using `--help`, however this article replicates all that information and goes into greater depth on some topics.

## Download and install

The CLI can be used cross-platform on Windows, macOS, and Linux distributions. To download and install the Bitwarden CLI:

> [!NOTE] arm64 required npm
> For arm64 devices, install the CLI using `npm`.

### Native Executable

Natively packaged versions of the CLI are available for each platform and have no dependencies. Download using one of these links:

- [Windows x64](https://bitwarden.com/download/?app=cli&platform=windows/)
- [macOS x64](https://bitwarden.com/download/?app=cli&platform=macos/)
- [Linux x64](https://bitwarden.com/download/?app=cli&platform=linux/)

Note that, when using the downloaded native executable, you'll need to add the executable to your PATH or else run commands from the directory the file is downloaded to.

> [!NOTE]
> In Linux and UNIX systems, you might get a `Permission denied` message. If you do, grant permission by running:
>
> ```
> chmod +x </path/to/executable>
> ```

For each bundle of the Password Manager CLI available on GitHub, there is an OSS (e.g. `bw-oss-windows-2024.12.0.zip`) and non-OSS build (e.g. `bw-windows-2024.12.0.zip`). The non-OSS version is the default package distributed on distribution platforms and includes features under a non-OSS license, such as [device approval](https://bitwarden.com/help/cli/#device-approval/) commands, that the OSS version lacks.

> [!TIP] Checksums for CLI
> The Bitwarden Password Manager CLI build pipeline creates SHA-256 checksum files that are available on GitHub. [Learn how to validate checksums for the CLI](https://bitwarden.com/help/security-faqs/#tab-cli-4iwx6mhPS3Bgu3eLpNthUw/).

### NPM

If you have Node.js installed on your system, you can install the CLI using NPM. Installing with NPM is the simplest way to keep your installation up-to-date and should be the **preferred method for those already comfortable with NPM**:

```
npm install -g @bitwarden/cli
```

View the package on [npmjs.org](https://www.npmjs.com/package/@bitwarden/cli).

> [!NOTE] npm on linux may require build-essential
> Installing the Bitwarden CLI on Linux systems using `npm` may require the build-essential dependency (or distribution equivalent) to be installed first.
> For example:
>
> ```plain text
> apt install build-essential
> ```

### Chocolatey

To install with Chocolatey:

```
choco install bitwarden-cli
```

View the package on [community.chocolatey.org](https://chocolatey.org/packages/bitwarden-cli).

### Snap

To install with snap:

```
sudo snap install bw
```

View the package on [snapcraft.io](https://snapcraft.io/bw).

### Flatpak

The Bitwarden CLI is included with the Flatpak desktop app download. Install the Flatpak:

```bash
flatpak install flathub com.bitwarden.desktop
```

View the package on [Flathub](https://flathub.org/apps/com.bitwarden.desktop).

Run CLI commands using the following:

```bash
flatpak run --command=bw com.bitwarden.desktop

# use a shell alias to authorize a session
alias bw="flatpak run --command=bw com.bitwarden.desktop"
bw
```

## Log in

Before logging in, make sure your CLI is connected to the correct server (for example, [EU cloud](https://bitwarden.com/help/server-geographies/) or self-hosted) using the config command ([learn more](https://bitwarden.com/help/cli/#config/)). There are three methods for logging in to the Bitwarden CLI using the `login` command, each of which is suited to different situations. Please review the following options to determine which method to use:

- [Using email and master password](https://bitwarden.com/help/cli/#using-email-and-password/)
- [Using an API key](https://bitwarden.com/help/cli/#using-an-api-key/)
- [Using SSO](https://bitwarden.com/help/cli/#using-sso/)

> [!NOTE] CLI vs. unlock
> No matter which option you use, a master password will be required to `unlock` the client in order to access data with a [session key](https://bitwarden.com/help/cli/#unlock/).
> The [email and master password](https://bitwarden.com/help/cli/#using-email-and-password/) option will authenticate your identity and generate a session key simultaneously; however, the [API key](https://bitwarden.com/help/cli/#using-an-api-key/) or [SSO](https://bitwarden.com/help/cli/#using-sso/) options will require subsequent use of the `unlock` command to generate a session key if you will be working with data directly.
>
> **Users who don't have master passwords**, for example as a result of [joining an organization using trusted devices](https://bitwarden.com/help/about-trusted-devices/#impact-on-master-passwords/), will not be able to access data using the CLI. There are, however, a few commands that do not require decrypted data and therefore can be used without a master password, including `config`, `encode`, `generate`, `update`, and `status`.

### Using email and password

Logging in with email and password is **recommended for interactive sessions**. To log in with email and password:

```
bw login
```

This will initiate a prompt for your **Email Address**, **Master Password**, and ([if enabled](https://bitwarden.com/help/setup-two-step-login/)) a **Two-step Login code**. The CLI currently supports two-step login via [authenticator](https://bitwarden.com/help/setup-two-step-login-authenticator/), [email](https://bitwarden.com/help/setup-two-step-login-email/), or [Yubikey](https://bitwarden.com/help/setup-two-step-login-yubikey/).

You *can* string these factors together into a single command as in the following example, however this isn't recommended for security reasons:

```
bw login [email] [password] --method --code
```

See [Enums](https://bitwarden.com/help/cli/#enums/) for two-step login `--method` values.

> [!NOTE] Authenticator Request Error
> Getting prompted for additional authentication or getting a `Your authentication request appears to be coming from a bot.` error? Use your API Key `client_secret` to answer the authentication challenge.
> [Learn more](https://bitwarden.com/help/cli-auth-challenges/).

### Using an API key

Logging in with the [personal API key](https://bitwarden.com/help/personal-api-key/) is recommended for automated workflows, for providing access to an external application, or if your account uses a 2FA method not supported by the CLI (FIDO2 or Duo). To log in with the API key:

```
bw login --apikey
```

This will initiate a prompt for your personal `client_id` and `client_secret`. Once your session is authenticated using these values, you can use the `unlock` command. [Learn more](https://bitwarden.com/help/cli/#unlock/).

> [!NOTE] Organization SSO
> If your organization [requires SSO](https://bitwarden.com/help/policies/#single-sign-on-authentication/), you can still use `--apikey` to log in to the CLI.

#### Using API key environment variables

In scenarios where automated work is being done with the Bitwarden CLI, you can save environment variables to prevent the need for manual intervention at authentication.

| **Environment variable name** | **Required value** |
|------|------|
| BW_CLIENTID | `client_id` |
| BW_CLIENTSECRET | `client_secret` |

### Using SSO

Logging in with [SSO](https://bitwarden.com/help/about-sso/) is recommended if an organization requires SSO authentication. To log in with SSO:

```
bw login --sso
```

This will initiate the [SSO authentication flow](https://bitwarden.com/help/using-sso/) in your web browser. Once your session is authenticated, you can use the `unlock` command. [Learn more](https://bitwarden.com/help/cli/#unlock/).

> [!NOTE] Organization SSO API Key
> If your organization [requires SSO](https://bitwarden.com/help/policies/#single-sign-on-authentication/), you may alternatively use `--apikey` to log in to the CLI.
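
The API key environment variables above, combined with the `bw config server`, `unlock --passwordfile`, `--raw` and `bw lock` behavior documented elsewhere on this page, as one unattended job. This is an added example, not Bitwarden's own code; `BW_BIN`, the function names, the return codes and the strict mode-400 check are assumptions of the example.

```shell
#!/usr/bin/env bash
# Added example (not Bitwarden's code): unattended login, unlock and lock.
# BW_BIN and all function names are assumptions made for this example.

BW_BIN="${BW_BIN:-bw}"   # hypothetical override so a stub can stand in for the CLI

# Succeeds only if the master password file is a regular file (not a symlink),
# owned by the current user, with mode 400: read-only for that user alone.
password_file_is_private() {
    local file="$1" mode owner
    [ -f "$file" ] && [ ! -L "$file" ] || return 1
    # GNU stat first, BSD/macOS stat as the fallback.
    mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file") || return 1
    owner=$(stat -c '%u' "$file" 2>/dev/null || stat -f '%u' "$file") || return 1
    [ "$owner" = "$(id -u)" ] && [ "$mode" = "400" ]
}

# Succeeds only if the CLI points at the server the job expects.
# `bw config server` without a value prints the configured server.
server_matches() {
    local expected="$1" actual
    actual=$("$BW_BIN" config server) || return 1
    [ "${actual%/}" = "${expected%/}" ]   # ignore a trailing slash
}

# Prints a session key on stdout. Return codes: 2 API key variables missing,
# 3 password file too open, 4 wrong server, 5 login failed, 6 unlock failed.
open_session() {
    local expected_server="$1" password_file="$2" session
    if [ -z "${BW_CLIENTID:-}" ] || [ -z "${BW_CLIENTSECRET:-}" ]; then
        echo "BW_CLIENTID and BW_CLIENTSECRET must be set" >&2
        return 2
    fi
    if ! password_file_is_private "$password_file"; then
        echo "password file must be owned by this user with mode 400" >&2
        return 3
    fi
    if ! server_matches "$expected_server"; then
        echo "CLI is not configured for $expected_server" >&2
        return 4
    fi
    # Log in only when no account is logged in; `bw status` reports JSON.
    if "$BW_BIN" status | grep -Eq '"status"[[:space:]]*:[[:space:]]*"unauthenticated"'; then
        "$BW_BIN" login --apikey --nointeraction >/dev/null || return 5
    fi
    # --raw returns the bare session key instead of the descriptive message.
    session=$("$BW_BIN" unlock --passwordfile "$password_file" --raw --nointeraction) || return 6
    [ -n "$session" ] || return 6
    printf '%s\n' "$session"
}

# Runs "$@" with BW_SESSION set only in that command's environment, then
# always locks the vault so the session key is invalidated.
with_session() {
    local expected_server="$1" password_file="$2" session rc
    shift 2
    session=$(open_session "$expected_server" "$password_file") || return $?
    BW_SESSION="$session" "$@" && rc=0 || rc=$?
    "$BW_BIN" lock >/dev/null 2>&1 || true
    return "$rc"
}

# Typical call (server URL and path are placeholders):
#   with_session "https://vault.example.test" "$HOME/.bw/mp.txt" bw list items
```
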
### Log in to multiple accounts

Like using [account switching](https://bitwarden.com/help/account-switching/) on other Bitwarden apps, the CLI has the ability to log in to multiple accounts simultaneously using the `BITWARDENCLI_APPDATA_DIR` environment variable pointing to the location of a `bw` configuration file, usually named `data.json`. You can, for example, set aliases in a `.bashrc` profile for two separate configurations:

```
alias bw-personal="BITWARDENCLI_APPDATA_DIR=~/.config/Bitwarden\ CLI\ Personal /path/to/bw $@"
alias bw-work="BITWARDENCLI_APPDATA_DIR=~/.config/Bitwarden\ CLI\ Work /path/to/bw $@"
```

Using this example, you could then log in to two accounts by first running `source /path/to/.bashrc`, followed by `bw-personal login` and `bw-work login`.

## Unlock

Using an [API key](https://bitwarden.com/help/cli/#using-an-api-key/) or [SSO](https://bitwarden.com/help/cli/#using-sso/) to log in will require you to follow up the `login` command with an explicit `bw unlock` if you'll be working with vault data directly.

Unlocking your vault generates a **session key** which acts as a decryption key used to interact with data in your vault. The [session key must be used](https://bitwarden.com/help/cli/#using-a-session-key/) to perform any command that touches vault data (for example, `list`, `get`, `edit`). Session keys are valid until invalidated using `bw lock` or `bw logout`, however they will not persist if you open a new terminal window. Generate a new session key at any time using:

```
bw unlock
```

When you're finished, always end your session using the `bw lock` command.

### Unlock options

You can use the `--passwordenv` or `--passwordfile` options with `bw unlock` to retrieve your master password rather than enter it manually, for example:

1. The following will look for an environment variable `BW_PASSWORD`.
   If `BW_PASSWORD` is non-empty and has correct values, the CLI will successfully unlock and return a session key:

   ```
   bw unlock --passwordenv BW_PASSWORD
   ```

2. The following will look for the file `~/Users/Me/Documents/mp.txt` (which must have your master password as the first line). If the file is non-empty and has a correct value, the CLI will successfully unlock and return a session key:

   ```
   bw unlock --passwordfile ~/Users/Me/Documents/mp.txt
   ```

> [!NOTE]
> If you use the `--passwordfile` option, protect your password file by locking access down to only the user who needs to run `bw unlock` and only providing read access to that user.

### Using a session key

When you unlock your vault using `bw login` with [email and password](https://bitwarden.com/help/cli/#using-email-and-password/) or `bw unlock`, the CLI will return both an `export BW_SESSION` (Bash) and `env:BW_SESSION` (PowerShell) command, including your session key. Copy and paste the relevant entry to save the required environment variable.

With the `BW_SESSION` environment variable set, `bw` commands will reference that variable and can be run cleanly, for example:

```
export BW_SESSION="5PBYGU+5yt3RHcCjoeJKx/wByU34vokGRZjXpSH7Ylo8w=="
bw list items
```

Alternatively, if you don't set the environment variable, you can pass the session key as an option with each `bw` command:

```
bw list items --session "5PBYGU+5yt3RHcCjoeJKx/wByU34vokGRZjXpSH7Ylo8w=="
```

> [!NOTE] Session Environment CLI
> When you're finished, always end your session using the `bw lock` or `bw logout` commands. This will invalidate the active session key.

## Core Commands

### create

The `create` command creates a new object (`item`, `attachment`, and more) in your vault:

```
bw create (item|attachment|folder|org-collection) [options]
```

The `create` command takes encoded JSON. A typical workflow for creating an object might look something like:

1.
Use the `get template` command (see [get core commands](https://bitwarden.com/help/cli/#get/) for details) to output the appropriate JSON template for the object type. 2. Use a [command-line JSON processor like jq](https://stedolan.github.io/jq/) to manipulate the outputted template as required. 3. Use the `encode` command (see [details](https://bitwarden.com/help/cli/#encode/)) to encode the manipulated JSON. 4. Use the `create` command to create an object from the encoded JSON. For example: ``` bw get template folder | jq '.name="My First Folder"' | bw encode | bw create folder ``` or ``` bw get template item | jq ".name=\"My Login Item\" | .login=$(bw get template item.login | jq '.username="jdoe" | .password="myp@ssword123"')" | bw encode | bw create item ``` Upon successful creation, the newly created object will be returned as JSON. #### create other item types The create command defaults to creating a login item, but you can use a[ command-line JSON processor like jq](https://stedolan.github.io/jq/) to change a `.type=` attribute to create other [item types](https://bitwarden.com/help/managing-items/): | **Name** | **Value** | |------|------| | Login | `.type=1` | | Secure note | `.type=2` | | Card | `.type=3` | | Identity | `.type=4` | For example, the following command will create a secure note: ``` bw get template item | jq '.type = 2 | .secureNote.type = 0 | .notes = "Contents of my Secure Note." | .name = "My Secure Note"' | bw encode | bw create item ``` > [!NOTE] > Notice in the above example that Secure Notes require a sub-template (`.secureNote.type`). You can view item type sub-templates using `bw get template` (see [here](https://bitwarden.com/help/cli/#get-template/) for details). #### create attachment The `create attachment` command attaches a file to an **existing** item. Unlike other `create` operations, you don’t need to use a JSON processor or `encode` to create an attachment. 
Instead, use the `--file` option to specify the file to attach and the `--itemid` option to specify the item to attach it to. For example:

```
bw create attachment --file ./path/to/file --itemid 16b15b89-65b3-4639-ad2a-95052a6d8f66
```

> [!NOTE]
> If you don’t know the exact `itemid` you want to use, use `bw get item` to return the item (see [details](https://bitwarden.com/help/cli/#get/)), including its `id`.

### get

The `get` command retrieves a single object (`item`, `username`, `password`, and more) from your vault:

```
bw get (item|username|password|uri|totp|exposed|attachment|folder|collection|organization|org-collection|template|fingerprint) [options]
```

The `get` command takes an item `id` or string for its argument. If you use a string (for example, anything other than an exact `id`), `get` will search your vault objects for one with a value that matches. For example, the following command would return a Github password:

```
bw get password Github
```

> [!NOTE]
> The `get` command can **only return one result**, so you should use specific search terms. If multiple results are found, the CLI will return an error.

#### get attachment

The `get attachment` command downloads a file attachment:

```
bw get attachment --itemid
```

The `get attachment` command takes a `filename` and **exact** `id`. By default, `get attachment` will download the attachment to the current working directory. You can use the `--output` option to specify a different output directory, for example:

```
bw get attachment photo.png --itemid 99ee88d2-6046-4ea7-92c2-acac464b1412 --output /Users/myaccount/Pictures/
```

> [!NOTE]
> When using `--output`, the path **must** end with a forward slash (`/`) to specify a directory, or with a filename (`/Users/myaccount/Pictures/photo.png`).

#### get notes

The `get notes` command retrieves the note for any vault item:

```
bw get notes
```

The `get notes` command takes an exact item `id` or string.
If you use a string (for example, anything other than an exact `id`), `get notes` will search your vault objects for one with a value that matches. For example, the following command would return a Github note: ``` bw get notes Github ``` #### get template The `get template` command returns the expected JSON formatting for an object (`item`, `item.field`, `item.login`, and more): ``` bw get template (item|item.field|item.login|item.login.uri|item.card|item.identity|item.securenote|folder|collection|item-collections|org-collection) ``` While you can use `get template` to output the format to your screen, the most common use-case is to pipe the output into a `bw create` operation, using a [command-line JSON processor like jq](https://stedolan.github.io/jq/) and `bw encode` to manipulate the values retrieved from the template, for example: ``` bw get template folder | jq '.name="My First Folder"' | bw encode | bw create folder ``` > [!NOTE] > Any `item.xxx` template should be used as a sub-object to an `item` template, for example: > > > ``` > bw get template item | jq ".name=\"My Login Item\" | .login=$(bw get template item.login | jq '.username="jdoe" | .password="myp@ssword123"')" | bw encode | bw create item > ``` #### get fingerprint Retrieve the `fingerprint` phrase of a user. You may specify `userId` directly, or use the shortcut `me` to get your own fingerprint phrase: ```plain text bw get fingerprint ``` ```plain text bw get fingerprint me ``` ### edit The `edit` command edits an object (`item`, `item-collections`, etc.) in your vault: ``` bw edit (item|item-collections|folder|org-collection) [encodedJson] [options] ``` The `edit` command takes an **exact** `id` (the object to edit) and encoded JSON (edits to be made). A typical workflow might look something like: 1. Use the `get` command (see [details](https://bitwarden.com/help/cli/#get/)) to output the object to edit. 2. 
Use a [command-line JSON processor like jq](https://stedolan.github.io/jq/) to manipulate the outputted object as required. 3. Use the `encode` command (see [details](https://bitwarden.com/help/cli/#encode/)) to encode the manipulated JSON. 4. Use the `edit` command (including the object `id`) to edit the object. For example, to edit the password of a login item: ``` bw get item 7ac9cae8-5067-4faf-b6ab-acfd00e2c328 | jq '.login.password="newp@ssw0rd"' | bw encode | bw edit item 7ac9cae8-5067-4faf-b6ab-acfd00e2c328 ``` Or, to edit the collection(s) an item is in: ``` echo '["5c926f4f-de9c-449b-8d5f-aec1011c48f6"]' | bw encode | bw edit item-collections 28399a57-73a0-45a3-80f8-aec1011c48f6 --organizationid 4016326f-98b6-42ff-b9fc-ac63014988f5 ``` Or, to edit a collection: ``` bw get org-collection ee9f9dc2-ec29-4b7f-9afb-aac8010631a1 --organizationid 4016326f-98b6-42ff-b9fc-ac63014988f5 | jq '.name="My Collection"' | bw encode | bw edit org-collection ee9f9dc2-ec29-4b7f-9afb-aac8010631a1 --organizationid 4016326f-98b6-42ff-b9fc-ac63014988f5 ``` The `edit` command will perform a **replace** operation on the object. Once completed, the updated object will be returned as JSON. ### list The `list` command retrieves an array of objects (`items`, `folders`, `collections`, and more) from your vault: ``` bw list (items|folders|collections|organizations|org-collections|org-members) [options] ``` Options for the `list` command are **filters** used to dictate what will be returned, including `--url `, `--folderid `, `--collectionid `, `--organizationid ` and `--trash`. Any filter will accept `null` or `notnull`. Combining multiple filters in one command will perform an OR operation, for example: ``` bw list items --folderid null --collectionid null ``` This command will return items that aren't in a folder or collection. Additionally, you can **search** for specific objects using `--search `. 
Combining filter and search in one command will perform an AND operation, for example: ``` bw list items --search github --folderid 9742101e-68b8-4a07-b5b1-9578b5f88e6f ``` This command will search for items with the string `github` in the specified folder. ### delete The `delete` command deletes an object from your vault. `delete` takes **only an exact** `id` for its argument. ``` bw delete (item|attachment|folder|org-collection) [options] ``` By default, `delete` will send an item to the [Trash](https://bitwarden.com/help/managing-items/#items-in-the-trash/), where it will remain for 30 days. You can permanently delete an item using the `-p, --permanent` option. ``` bw delete item 7063feab-4b10-472e-b64c-785e2b870b92 --permanent ``` To delete an `org-collection`, you'll also need to specify `--organizationid `. See [Organization IDs](https://bitwarden.com/help/cli/#organization-ids/). > [!NOTE] Delete function > While items that are deleted using `delete` can be recovered using the `restore` command for up to 30 days (see [details](https://bitwarden.com/help/cli/#restore/)), items that are deleted using `delete --permanent` **are completely removed and irrecoverable.** ### restore The `restore` command restores a deleted object from your trash. `restore` takes **only an exact** `id` for its argument. ``` bw restore (item) [options] ``` For example: ``` bw restore item 7063feab-4b10-472e-b64c-785e2b870b92 ``` ### send The `send` command creates a [Bitwarden Send](https://bitwarden.com/help/about-send/) object for ephemeral sharing. This section will detail simple `send` operations, however send is a highly flexible tool and we recommend referring to the dedicated article on [Send from CLI](https://bitwarden.com/help/send-cli/). To create a simple text Send: ``` bw send -n "My First Send" -d 7 --hidden "The contents of my first text Send." 
``` To create a simple file Send: ``` bw send -n "A Sensitive File" -d 14 -f /Users/my_account/Documents/sensitive_file.pdf ``` ### receive The `receive` command accesses a [Bitwarden Send](https://bitwarden.com/help/about-send/) object. To receive a Send object: ``` bw receive --password passwordforaccess https://vault.bitwarden.com/#/send/yawoill8rk6VM6zCATXv2A/9WN8wD-hzsDJjfnXLeNc2Q ``` ## Organizations commands ### Organization IDs Accessing an organization from the CLI requires knowledge of an ID for your organization, as well as IDs for individual [members](https://bitwarden.com/help/managing-users/) and [collections](https://bitwarden.com/help/about-collections/). Retrieve this information directly from the CLI using `bw list`, for example: ``` bw list organizations bw list org-members --organizationid 4016326f-98b6-42ff-b9fc-ac63014988f5 bw list org-collections --organizationid 4016326f-98b6-42ff-b9fc-ac63014988f5 ``` > [!NOTE] bw list > You can `bw list` both `collections` and `org-collections`. The `bw list collections` command will list all collections, agnostic of which organization they belong to. `bw list org-collections` will list only collections that belong to the organization specified using `--organizationid`. ### move > [!NOTE] > **August 2021**: The `share` command has been changed to `move`. [Find out more](https://bitwarden.com/help/releasenotes/). The `move` command transfers a vault item [to an organization](https://bitwarden.com/help/sharing/): ``` bw move [encodedJson] ``` The `move` command requires you to `encode` a collection ID, and takes an **exact** `id` (the object to share) and an **exact** `organizationid` (the organization to share the object to). For example: ``` echo '["bq209461-4129-4b8d-b760-acd401474va2"]' | bw encode | bw move ed42f44c-f81f-48de-a123-ad01013132ca dfghbc921-04eb-43a7-84b1-ac74013bqb2e ``` Once completed, the updated item will be returned. 
### confirm The `confirm` command confirms [invited members](https://bitwarden.com/help/managing-users/#confirm-invited-users/) to your organization who have accepted their invitation: > [!WARNING] Confirm via CLI > Before administering the `confirm` command, it is strongly advised that administrators validate the legitimacy of a request by ensuring that the fingerprint phrase self-reported by the user matches the fingerprint phrase associated with the user you expect to be confirmed: > > - From the Admin Console, you can view a user's associated fingerprint phrase [during the confirm step](https://bitwarden.com/help/managing-users/#confirm/). > - From the CLI, you can view a user's associated fingerprint phrase with the command `bw get fingerprint `, where `` is that member's user identifier. User identifiers can be retrieved [with the Public API](https://bitwarden.com/help/api/). > > Once a user is confirmed, they have the ability to decrypt organization data, so ensuring users' self-reported fingerprint phrases match expected values is an important step prior to confirming. ``` bw confirm org-member --organizationid ``` The `confirm` command takes an **exact** member `id` and an **exact** `organizationID`, for example: ``` bw confirm org-member 7063feab-4b10-472e-b64c-785e2b870b92 --organizationid 310d5ffd-e9a2-4451-af87-ea054dce0f78 ``` ### Device approval Allows admins and owners to manage device approval requests where a user has requested admin approval. > [!NOTE] Bulk Device approval only available via Bitwarden.com download > At this time, bulk device approval is only available for the Bitwarden CLI client downloaded from [Bitwarden.com](https://bitwarden.com/download/#downloads-command-line-interface/). > [!NOTE] Bulk device approval warning > In most scenarios, users are able to approve their own login requests, and admin device approval is not necessary. See [Add a trusted device](https://bitwarden.com/help/add-a-trusted-device/). 
> Automatic or bulk approval of admin device approval requests neglects verification steps that administrators can perform in order to ensure a request is legitimate, such as checking the user's reported Fingerprint Phrase.
>
> Bitwarden recommends that significant security controls such as IdP credential standards, IdP MFA, and IdP device registration and trust be reviewed before enabling and using bulk device approval.

The `list` command will show all pending device approval requests for an organization:

```plain text
bw device-approval list --organizationid
```

The `approve` command is used to approve pending device authorization requests for an organization:

```plain text
bw device-approval approve --organizationid
```

Similarly, the `approve-all` command can be used to approve all current pending requests:

```plain text
bw device-approval approve-all --organization
```

To `deny` a pending authorization request:

```plain text
bw device-approval deny --organizationid
```

To `deny-all` pending authorization requests:

```plain text
bw device-approval deny-all --organizationid
```

## Other commands

### config

The `config` command specifies settings for the Bitwarden CLI to use:

```
bw config server [value]
```

A primary use of `bw config` is to [connect your CLI to a self-hosted](https://bitwarden.com/help/change-client-environment/#cli/) Bitwarden server:

```
bw config server https://your.bw.domain.com
```

> [!NOTE]
> Connect to the Bitwarden [EU server](https://bitwarden.com/help/server-geographies/) by running the following command:
>
> ```
> bw config server https://vault.bitwarden.eu
> ```
>
> Pass `bw config server` without a value to read the server you're connected to.

Users with unique setups may elect to specify the URL of each service independently.
Note that any subsequent use of the config command will overwrite all previous specifications, so this must be run as a single command each time you make a change: ``` bw config server --web-vault \ --api \ --identity \ --icons \ --notifications \ --events \ --key-connector ``` > [!NOTE] bw config server --key-connector > The `bw config server --key-connector ` command is required if your organization uses [Key Connector](https://bitwarden.com/help/about-key-connector/) and you’re using the `--apikey` option to login after having [removed your master password](https://bitwarden.com/help/using-sso/#login-using-sso/). > > Contact an organization owner to get the required URL. ### sync The `sync` command downloads your encrypted vault from the Bitwarden server. This command is most useful when you have changed something in your Bitwarden vault on another client application (for example web vault, browser extension, mobile app) since [logging in](https://bitwarden.com/help/cli/#log-in/) on the CLI. ``` bw sync ``` You can pass the `--last` option to return only the timestamp ([ISO 8601](https://en.wikipedia.org/wiki/ISO_8601)) of the last time a sync was performed. > [!NOTE] sync Pull from server > It’s important to know that `sync` **only performs a pull** from the server. Data is automatically pushed to the server any time you make a change to your vault (for example, `create`, `edit`, `delete`). ### encode The `encode` command Base 64 encodes stdin. 
This command is typically used in combination with a [command-line JSON processor like jq](https://stedolan.github.io/jq/) when performing `create` and `edit` operations, for example: ``` bw get template folder | jq '.name="My First Folder"' | bw encode | bw create folder bw get item 7ac9cae8-5067-4faf-b6ab-acfd00e2c328 | jq '.login.password="newp@ssw0rd"' | bw encode | bw edit item 7ac9cae8-5067-4faf-b6ab-acfd00e2c328 ``` ### import The `import` command imports data from a Bitwarden export or other [supported password management application](https://bitwarden.com/help/import-data/). The command must be pointed to a file and include the following arguments: ``` bw import ``` For example: ``` bw import lastpasscsv /Users/myaccount/Documents/mydata.csv ``` > [!NOTE] bw import -- formats > Bitwarden supports lots of formats for import, too many to list here! Use `bw import --formats` to return the list in your CLI, or [see here](https://bitwarden.com/help/import-faqs/#q-what-file-formats-does-bitwarden-support-for-import/). > > If you are importing an [encrypted .json file that you've created with a password](https://bitwarden.com/help/cli/#export/), you will be prompted to enter the password before import completes. 
#### import to an organization vault Using the import command with the --organizationid option, you can import data to an organization vault: ```plain text bw import --organizationid cf14adc3-aca5-4573-890a-f6fa231436d9 bitwardencsv ./from/source.csv ``` ### export The `export` command exports vault data as a `.json` or `.csv`, [encrypted .json](https://bitwarden.com/help/encrypted-export/), or as a `.zip` with [attachments](https://bitwarden.com/help/attachments/): ``` bw export [--output ] [--format ] [--password ] [--organizationid ] ``` By default, the `export` command will generate a `.csv` (equivalent to specifying `--format csv`) to the current working directory, however you can specify: - `--format json` to export a `.json` file - `--format encrypted_json` to export an [encrypted .json](https://bitwarden.com/help/encrypted-export/) file - `--password ` to specify a password to use to encrypt `encrypted_json` exports instead of your [account encryption key](https://bitwarden.com/help/account-encryption-key/) - `--format zip` to export a `.zip` that includes your [attachments](https://bitwarden.com/help/attachments/) - `--output ` to export to a specific location - `--raw` to return the export to stdout instead of to a file #### export from an organization vault Using the `export` command with the `--organizationid` option, you can export an organization vault: ``` bw export --organizationid 7063feab-4b10-472e-b64c-785e2b870b92 --format json --output /Users/myaccount/Downloads/ ``` ### generate The `generate` command generates a strong password or [passphrase](https://bitwarden.com/help/cli/#generate-a-passphrase/): ``` bw generate [--lowercase --uppercase --number --special --length --passphrase --separator --words ] ``` By default, the `generate` command will generate a 14-character password with uppercase characters, lowercase characters, and numbers. 
This is the equivalent of passing: ``` bw generate -uln --length 14 ``` You can generate more complex passwords using the options available to the command, including: - `--uppercase`, `-u` (include uppercase) - `--lowercase`, `-l` (include lowercase) - `--number`, `-n` (include numbers) - `--special`, `-s` (include special characters) - `--length ` (length of the password, min of 5) #### generate a passphrase Using the `generate` command with the `--passphrase` option, you can generate a passphrase instead of a password: ``` bw generate --passphrase --words --separator ``` By default, `bw generate --passphrase` will generate a three-word passphrase separated by a dash (`-`). This is the equivalent of passing: ``` bw generate --passphrase --words 3 --separator - ``` You can generate a complex passphrase using the options available to the command, including: - `--words ` (number of words) - `--separator ` (separator character) - `--capitalize`, `-c` (include to title-case the passphrase) - `--includeNumber` (Include a single numerical character in your passphrase) ### update The `update` command checks whether your Bitwarden CLI is running the most recent version. `update` **doesn't automatically update the CLI for you.** ``` bw update ``` If a new version is detected, you'll need to download the new version of the CLI using the printed URL for the executable, or using the tools available for the package manager you used to [download the CLI](https://bitwarden.com/help/cli/#download-and-install/) (for example, `npm install -g @bitwarden/cli`). ### status The `status` command returns status information about the Bitwarden CLI, including [configured](https://bitwarden.com/help/cli/#config/) server URL, timestamp for the last sync ([ISO 8601](https://en.wikipedia.org/wiki/ISO_8601)), user email and ID, and the vault status. 
```
bw status
```

Status will return information as a JSON object, for example:

```
{
  "serverUrl": "https://bitwarden.example.com",
  "lastSync": "2020-06-16T06:33:51.419Z",
  "userEmail": "user@example.com",
  "userId": "00000000-0000-0000-0000-000000000000",
  "status": "unlocked"
}
```

`status` may be one of the following:

- `"unlocked"`, indicating you are logged in and your vault is unlocked (a `BW_SESSION` key environment variable is saved with an [active session key](https://bitwarden.com/help/cli/#using-a-session-key/))
- `"locked"`, indicating you are logged in but your vault is locked (**no** `BW_SESSION` key environment variable is saved with an [active session key](https://bitwarden.com/help/cli/#using-a-session-key/))
- `"unauthenticated"`, indicating you aren't logged in

> [!NOTE]
> When `"status": "unauthenticated"`, `lastSync`, `userEmail`, and `userId` will always return `null`.

### serve

The `serve` command starts a local express web server that can be used to take all actions accessible from the CLI in the form of RESTful API calls from an HTTP interface.

```
bw serve --port --hostname
```

By default, `serve` will start the web server at port 8087, however you can specify an alternate port with the `--port` option.

By default, `serve` will bind your API web server to `localhost`, however you can specify an alternate hostname with the `--hostname` option. API requests can only be made from the bound hostname.

By default, `serve` will block any request with an `Origin` header. You can circumvent this protection using the `--disable-origin-protection` option, however **this is not recommended**.

> [!NOTE] Serve --hostname all warning
> You can specify `--hostname all` for no hostname binding, however this will allow any machine on the network to make API requests.

[View the API spec](https://bitwarden.com/help/vault-management-api/) for help making calls with `serve`.
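
A launcher that vets `bw serve` options against the defaults described above before the server starts, for use in a service wrapper or startup script. This is an added example, not part of the Bitwarden CLI; `BW_BIN`, the function names, and the policy of allowing only loopback hostnames are assumptions of the example.

```shell
#!/usr/bin/env bash
# Added example (not Bitwarden's code): refuse `bw serve` options that weaken
# the documented defaults (localhost binding, Origin-header blocking).
# BW_BIN and the function names are assumptions made for this example.

BW_BIN="${BW_BIN:-bw}"   # hypothetical override so a stub can stand in for the CLI

# Returns 0 if the options keep the API on a loopback address with origin
# protection enabled; otherwise prints the reason on stdout and returns 1.
serve_args_are_safe() {
    local hostname="localhost" port="8087"   # defaults stated in the docs
    while [ "$#" -gt 0 ]; do
        case "$1" in
            --hostname)
                [ "$#" -ge 2 ] || { echo "--hostname needs a value"; return 1; }
                hostname="$2"; shift 2 ;;
            --hostname=*)
                hostname="${1#--hostname=}"; shift ;;
            --port)
                [ "$#" -ge 2 ] || { echo "--port needs a value"; return 1; }
                port="$2"; shift 2 ;;
            --port=*)
                port="${1#--port=}"; shift ;;
            --disable-origin-protection)
                echo "origin protection must stay enabled"; return 1 ;;
            *)
                echo "unexpected option: $1"; return 1 ;;
        esac
    done

    case "$hostname" in
        localhost|127.0.0.1|::1) ;;
        all)
            echo "--hostname all lets any machine on the network make API requests"
            return 1 ;;
        *)
            # Policy of this example: only loopback names are accepted.
            echo "hostname $hostname is not a loopback address"
            return 1 ;;
    esac

    case "$port" in
        ''|*[!0-9]*) echo "port must be numeric"; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "port out of range"
        return 1
    fi
    return 0
}

# Starts the server only when the options pass the check above.
start_serve() {
    local reason
    reason=$(serve_args_are_safe "$@") || {
        echo "refusing to start bw serve: $reason" >&2
        return 1
    }
    "$BW_BIN" serve "$@"
}
```
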
### Debug

The debug environment variable can be added for additional troubleshooting information.

```plain text
export BITWARDENCLI_DEBUG=true
```

## Appendices

### Global options

The following options are available globally:

| **Option** | **Description** |
|------|------|
| `--pretty` | Format output. JSON is tabbed with two spaces. |
| `--raw` | Return raw output instead of a descriptive message. |
| `--response` | Return a JSON formatted version of response output. |
| `--quiet` | Don't return anything to stdout. You might use this option, for example, when piping a credential value to a file or application. |
| `--nointeraction` | Do not prompt for interactive user input. |
| `--session ` | Pass session key instead of reading from an environment variable. |
| `-v, --version` | Output the Bitwarden CLI version number. |
| `-h, --help` | Display help text for the command. |

### ZSH shell completion

The Bitwarden CLI includes support for ZSH shell completion. To set up shell completion, use one of the following methods:

1. **Vanilla ZSH:** Add the following line to your `.zshrc` file:

   ```
   eval "$(bw completion --shell zsh); compdef _bw bw;"
   ```

2. **Vanilla (vendor-completions):** Run the following command:

   ```
   bw completion --shell zsh | sudo tee /usr/share/zsh/vendor-completions/_bw
   ```

3.
[zinit:](https://github.com/zdharma/zinit) Run the following commands: ``` bw completion --shell zsh > ~/.local/share/zsh/completions/_bw zinit creinstall ~/.local/share/zsh/completions ``` ### Using self-signed certificates If your self-hosted Bitwarden server exposes a self-signed TLS certificate, specify the Node.js environment variable [NODE_EXTRA_CA_CERTS](https://nodejs.org/api/cli.html#cli_node_extra_ca_certs_file): 🐧 🍎 Bash ``` export NODE_EXTRA_CA_CERTS="absolute/path/to/your/certificates.pem" ``` 🪟 PowerShell ``` $env:NODE_EXTRA_CA_CERTS="absolute/path/to/your/certificates.pem" ``` ### Enums The following tables enumerate values required in documented scenarios: #### Two-step login methods Used to specify which [two-step login method](https://bitwarden.com/help/setup-two-step-login/) to use when [logging in](https://bitwarden.com/help/cli/#log-in/): | **Name** | **Value** | |------|------| | Authenticator | 0 | | Email | 1 | | YubiKey | 3 | > [!NOTE] > FIDO2 and Duo are not supported by the CLI. 
#### Item types

Used with the `create` command to specify a [vault item type](https://bitwarden.com/help/managing-items/):

| **Name** | **Value** |
|------|------|
| Login | 1 |
| Secure Note | 2 |
| Card | 3 |
| Identity | 4 |

#### Login URI match types

Used with the `create` and `edit` commands to specify [URI match detection](https://bitwarden.com/help/uri-match-detection/) behavior for a login item:

| **Name** | **Value** |
|------|------|
| Domain | 0 |
| Host | 1 |
| Starts With | 2 |
| Exact | 3 |
| Regular Expression | 4 |
| Never | 5 |

#### Field types

Used with the `create` and `edit` commands to configure [custom fields](https://bitwarden.com/help/custom-fields/):

| **Name** | **Value** |
|------|------|
| Text | 0 |
| Hidden | 1 |
| Boolean | 2 |

#### Organization user types

Indicates a [user's type](https://bitwarden.com/help/user-types-access-control/):

| **Name** | **Value** |
|------|------|
| Owner | 0 |
| Admin | 1 |
| User | 2 |
| Manager | 3 |
| Custom | 4 |

#### Organization user statuses

Indicates a user's [status within the organization](https://bitwarden.com/help/managing-users/):

| **Name** | **Value** |
|------|------|
| Invited | 0 |
| Accepted | 1 |
| Confirmed | 2 |
| Revoked | -1 |

--- URL: https://bitwarden.com/help/client-org-removal/ ---

# Unlink Client Organization

As a Provider, you may need to remove your Provider-client relationship with an organization if you are no longer providing services to them. In order for a client organization to be eligible for removal:

- You must be a [Provider admin](https://bitwarden.com/help/provider-users/#provider-user-types/).
- The client organization must have at least one [confirmed owner](https://bitwarden.com/help/managing-users/#onboard-users/).

Once these criteria are met:

1. Open the Provider Portal using the product switcher:

   ![Product switcher - Provider Portal](https://bitwarden.com/assets/4xn04Sj9u8n73TPxZUWi5f/dac0d56f47a05e2d8b28754e997a1391/2025-02-25_15-16-00.png)

2. In the Clients view, use the ⚙️ gear dropdown for the desired client organization to select the **Unlink organization** option:

   ![Unlink client organization](https://bitwarden.com/assets/5U9GTBeSblIONdtg4q1duw/3579f9c80ca8f188d24a7910d8506643/2024-12-05_09-39-10.png)

> [!TIP] Once a client org is removed
> Once a client organization is unlinked, they will need to set up their own billing in order to retain access to Bitwarden services.

--- URL: https://bitwarden.com/help/client-org-setup/ ---

# Start a Client Organization

This article will walk you through the [creation of a client organization](https://bitwarden.com/help/client-org-setup/#create-a-client-organization/) and outline a typical [setup procedure](https://bitwarden.com/help/client-org-setup/#initial-setup-procedure/) for getting started administering a customer's organization.

## Create a client organization

To create a client organization you must be a [Provider admin](https://bitwarden.com/help/provider-users/#provider-user-types/):

1. Open the Provider Portal using the product switcher:

   ![Product switcher - Provider Portal](https://bitwarden.com/assets/4xn04Sj9u8n73TPxZUWi5f/dac0d56f47a05e2d8b28754e997a1391/2025-02-25_15-16-00.png)

2. Navigate to the **Clients** tab of the Provider Portal and select + **Add** → **New client**:

   ![New client organization](https://bitwarden.com/assets/5WjBETB0YFm7TS1zpIHeSC/a22563b9172036b1c90bfb61d9ab310b/new_client_org_1.png)

3. On the New client organization screen:

   - Select whether to create a **Teams** or **Enterprise** organization.
   - Enter an **Organization name**, **Client owner email**, and **Seats**. The number of available unassigned seats (seats that you have paid for but aren't using) will be shown on this screen. If you go above this number, the number of additional seats purchased will be shown. [Learn more](https://bitwarden.com/help/provider-billing/).
   > [!NOTE] Owner invitation
   > An invitation will automatically be sent to the **Client owner email** to join the organization as an [owner](https://bitwarden.com/help/user-types-access-control/).

4. Once you are happy with the organization, select **Add organization**.

Once created, navigating to the client organization from the Provider Portal will bring you to the organization vault, from which you can fully complete [initial setup](https://bitwarden.com/help/client-org-setup/#initial-setup-procedure/) and engage in [ongoing administration](https://bitwarden.com/help/manage-client-orgs/):

![Client organization vault ](https://bitwarden.com/assets/5fXREt9aHmnVgLLRPBs8yg/dbecd580231e8ea2f4eec2be224a1e64/2025-02-25_15-20-08.png)

## Initial setup procedure

With your newly-created client organization, you are ready to start building the perfect solution for your customer. Exact setup will be different for each client organization depending on your customers' needs, but typically will involve the following steps:

1. **Create collections**. A good first step is to [create a set of collections](https://bitwarden.com/help/about-collections/#create-a-collection/), which provide an organizing structure for the vault items you will add to the vault in the next step.

   Common collection patterns include **Collections by Department** (for example, users in the client's Marketing Team are assigned to a **Marketing** collection) or **Collections by Function** (for example, users from the client's Marketing Team are assigned to a **Social Media** collection):

   ![Collections](https://bitwarden.com/assets/6kJ7wMESirqmkfZ8KlfK09/9210ef5cf3cd2442b429760edb98001f/collections-graphic-1.png)

2. **Import data**. Once the structure of how you will store vault items is in place, you can begin [importing data to the organization](https://bitwarden.com/help/import-to-org/).

   > [!NOTE] Provider restricted access
   > Note that, as a provider user, you will not be able to directly view, create, or manage individual items.

3. **Configure enterprise policies**. Before beginning the user management portion of setup, [configure enterprise policies](https://bitwarden.com/help/policies/) in order to set rules-of-use for things such as [master password complexity](https://bitwarden.com/help/policies/#master-password-requirements/), [use of two-step login](https://bitwarden.com/help/policies/#require-two-step-login/), and [admin password reset](https://bitwarden.com/help/account-recovery/#master-password-reset/).

   > [!NOTE] Enterprise policies availability
   > Enterprise Policies are **only available to Enterprise organizations**.

4. **Set up login with SSO**. If your customer uses single sign-on (SSO) to authenticate with other applications, [connect Bitwarden with their IdP](https://bitwarden.com/help/about-sso/) to allow authentication with Bitwarden using end-users' SSO credentials.

5. **Create user groups**. For Teams and Enterprise organizations, [create a set of groups](https://bitwarden.com/help/about-groups/#create-a-group/) for scalable permissions assignment. When you start adding users, add them to groups to have each user automatically inherit the group's configured permissions (such as access to specific collections).

   One common group-collection pattern is to create **Groups by Department** and **Collections by Function**, for example:

   ![Collections](https://bitwarden.com/assets/6qodHGqBPABEFv3XJxaOUe/780cd4624a5d0a5fe315677968003e2d/collections-graphic-2.png)

6. **Start inviting users**. Now that the infrastructure for the secure and scalable sharing of credentials is in place for your client, you can begin [inviting users to the organization](https://bitwarden.com/help/managing-users/#onboard-users/).
   To ensure the security of the organization, Bitwarden applies a three-step process for onboarding new users, **Invite** → **Accept** → **Confirm**.

> [!TIP] SCIM & BWDC for Providers.
> **If your customer uses directory service** or IdP (active directory, an LDAP, Okta, and more), use [SCIM](https://bitwarden.com/help/about-scim/) or [Directory Connector](https://bitwarden.com/help/directory-sync/) to automatically sync organization users from the source directory and automatically issue invitations.

--- URL: https://bitwarden.com/help/cloud-setup-checklist/ ---

# Cloud setup checklist

With cloud hosting, Bitwarden manages the infrastructure, security, and operational responsibilities. Use this checklist to understand the organizational and user management requirements for cloud deployments.

## Pre-deployment planning

- Determine cloud server region (US, EU)
- Choose authentication strategy (Email or SSO via identity provider)
- Select encryption type (Master Password or Trusted Device)
- Define user provisioning approach (Manual, Directory Connector, SCIM, Just-in-Time SSO)
- Define vault ownership strategy (Individual vaults vs. Organization-only)
- Identify user groups for rollout phases

**Support links:**

- [Server geographies](https://bitwarden.com/help/server-geographies/)
- [Bitwarden authentication guide](https://bitwarden.com/resources/reference-guide-bitwarden-authentication/)
- [Bitwarden implementation guide](https://bitwarden.com/resources/bitwarden-enterprise-password-manager-implementation-guide/)

## Stakeholder selections

Select key roles:

- Project lead
- Identity provider admin
- Executive sponsor
- Security and compliance admin
- Support/help desk admin
- Device management admin (for client deployment)
- Business continuity admin
- Directory/user management admin

## Security and compliance decisions

- Determine cloud server region (US, EU)
- Choose authentication strategy (Email or SSO via identity provider)
- Select encryption type (Master Password or Trusted Device)
- Define user provisioning approach (Manual, Directory Connector, SCIM, Just-in-Time SSO)
- Define vault ownership strategy (Individual vaults vs. Organization-only)
- Identify user groups for rollout phases

**Support links:**

- [SSO integration](https://bitwarden.com/help/about-sso/)
- [SCIM](https://bitwarden.com/help/about-scim/)
- [Directory Connector](https://bitwarden.com/help/directory-sync-cli/)

## Organizational build-out and configuration

- Identify Organization Owner(s) (recommend two for redundancy)
- Add additional administrators to the organization
- Configure enterprise policies (before user invitation)
- Select collection management settings
- Create collections for administrators and users to share
- Create groups for managing users
- Assign collections to groups
- Test 'Read Only' and 'Hide Password' options
- Add test items to collections

**Support links:**

- [Bitwarden implementation guide](https://bitwarden.com/resources/bitwarden-enterprise-password-manager-implementation-guide/)
- [Least privilege access](https://bitwarden.com/blog/additional-enterprise-options-for-least-privileged-access-control/#flexible-collections-options-for-your-organization/)

## User provisioning and directory integration

- Enable SCIM provisioning in admin console
- Configure identity provider
- Map user attributes and group memberships
- Test SCIM synchronization
- Download and install directory connector
- Configure sync filters, user/group mappings

**Support links:**

- [Enable SCIM provisioning](https://bitwarden.com/help/about-scim/)
- [Microsoft Entra ID SCIM Integration](https://bitwarden.com/help/microsoft-entra-id-scim-integration/)
- [JumpCloud SCIM Integration](https://bitwarden.com/help/jumpcloud-scim-integration/)
- [OneLogin SCIM Integration](https://bitwarden.com/help/onelogin-scim-integration/)
- [Ping Identity SCIM Integration](https://bitwarden.com/help/ping-identity-scim-integration/)

## Deployment and go-live preparation

- Complete final security review and sign off from stakeholders
- Set up production monitoring and alerting systems
- Coordinate with network and security teams for go-live
## Monitoring

- Monitor system performance and adoption metrics
- Conduct post-implementation review with stakeholders
- Plan ongoing maintenance and update procedures
- Document lessons learned and process improvements
- Schedule regular security audits and policy reviews

**Support links:**

- [Vault health reports](https://bitwarden.com/help/reports/)

## Change management and training

- Develop communication plan for organization
- Create timeline for rollout announcements and milestones
- Prepare exec updates on security benefits and ROI
- Schedule admin and end-user training
- Plan ongoing communication and feedback channels
- Set up support processes and escalation procedures

--- URL: https://bitwarden.com/help/cloudflare-zero-trust-sso-implementation/ ---

# Cloudflare Zero Trust SSO

This article contains **Cloudflare Zero Trust-specific** help for configuring login with SSO. Cloudflare Zero Trust is a cloud-based identity and access management platform that can integrate with multiple identity providers (IdPs). You can also configure gateways and tunneling for secure access to the platform.

> [!NOTE] CFZT prerequisite information
> Cloudflare Zero Trust can be configured with any IdP that operates using SAML 2.0 or OIDC SSO configurations. If you are not familiar with these configurations, refer to these articles:
>
> - [SAML 2.0 Configuration](https://bitwarden.com/help/configure-sso-saml/)
> - [OIDC Configuration](https://bitwarden.com/help/configure-sso-oidc/)

## Why use Cloudflare Zero Trust with SSO?

Cloudflare Zero Trust is a cloud-based proxy identity and access management platform that can integrate with multiple identity providers (IdPs). The benefit of using Cloudflare Zero Trust in addition to your standard IdP is its ability to configure multiple IdPs for login. Cloudflare Zero Trust can provide SSO access to Bitwarden from multiple separate directories, or sets of users within a directory.
## Open SSO in the web app

> [!NOTE] Bitwarden requires SAML 2.0
> Cloudflare will only support SAML via the Access Application Gateway. This means that **SAML 2.0** must be selected in the Bitwarden configuration. OIDC authentication can still be configured from the IdP and Cloudflare.

Log in to the Bitwarden web app and open the Admin Console using the product switcher:

![Product switcher](https://bitwarden.com/assets/2uxBDdQa6lu0IgIEfcwMPP/e3de3361749b6496155e25edcfdcf08b/2024-12-02_11-19-56.png)

Open your organization's **Settings** → **Single sign-on** screen:

![SAML 2.0 configuration ](https://bitwarden.com/assets/20720mRAluo6crSdTiYJrn/1175889d7f6ab42fe7614f34cdd1dcdd/2024-12-04_09-41-15.png)

If you haven't already, create a unique **SSO identifier** for your organization and select **SAML** from the **Type** dropdown. Keep this screen open for easy reference.

You can turn off the **Set a unique SP entity ID** option at this stage if you wish. Doing so will remove your organization ID from your SP entity ID value; however, in almost all cases it is recommended to leave this option on.

> [!TIP] Self-hosting, use alternative Member Decryption Options.
> There are alternative **Member decryption options**. Learn how to get started using [SSO with trusted devices](https://bitwarden.com/help/about-trusted-devices/) or [Key Connector](https://bitwarden.com/help/about-key-connector/).

## Create a Cloudflare Zero Trust login method

Create a Cloudflare Zero Trust login method:

1. Navigate to [Cloudflare Zero Trust](https://dash.cloudflare.com/login) and log in or create an account.

2. Configure a domain, which will act as the URL used by your users to access your applications or **App Launcher**, for example `https://my-business.cloudflareaccess.com/`. From the Cloudflare Zero Trust menu, select **Settings** → **Custom Pages**:

   ![Team domain setting](https://bitwarden.com/assets/4lN2NFw46RAynArFfiW3kD/6dfd8ef5b844347a60f9e230b9736450/2024-12-16_15-43-43.png)

3. Begin configuring the first login method by navigating to **Settings** → **Authentication** → **Add new**.

4. Select the login method to connect to Cloudflare Zero Trust. If the IdP you are using is not present on the IdP list, use the SAML or OIDC generic options. In this article, Okta will be used as an example:

   ![Cloudflare Zero Trust IdP list ](https://bitwarden.com/assets/5Zk3txh2X9fhcPVpMZVJPC/18ad36aaf277af50df063c96f89804e8/Screen_Shot_2022-10-11_at_4.17.21_PM.png)

   > [!NOTE] Google Workspace app cannot be used for login methods
   > Google Workspace users should select the generic **SAML** setup during this step. The Google Workspace login method may result in errors.

5. After selecting your chosen IdP login method, follow the in-product guide provided by Cloudflare for integrating your IdP.

   > [!NOTE] Disable support groups cfzt
   > If the IdP you are using has a **support groups** feature, this option must be **disabled**. Bitwarden does not support group-based claims; enabling this option will result in an XML element error on the Bitwarden end.

## Create a Cloudflare Zero Trust application

After an IdP has been configured, you'll have to create a Cloudflare Zero Trust application for Bitwarden. **In this example we'll create a SAML application**:

1. Navigate to **Access** → **Applications** → **Add an application** and then select **SaaS**.

   ![CFZT add an application](https://bitwarden.com/assets/70oK8FUQYXpKEvX00NZ9ai/a065258c17b5b01360a6aed574ce2192/2024-07-08_10-46-37.png)

2. On the following screen, add an Application name such as **Bitwarden**. Then, select the authentication protocol, **SAML**. Once complete, select **Add application**.

   ![Add an application Cloudflare Zero Trust](https://bitwarden.com/assets/1zm03fKF8Nqu30YbH7duoo/58e66188a1437c3339daee414d7f9bb3/2024-07-08_10-43-34.png)

3. In the Bitwarden web vault, open your organization and navigate to the **Settings** → **Single Sign-On** screen.
   Use information from the web vault to fill in information on the **Configure app** screen:

   | **Key** | **Description** |
   |------|------|
   | **Application** | Enter `Bitwarden`. |
   | **Entity ID** | Copy the **SP entity ID** from the Bitwarden Single Sign-On page into this field. |
   | **Assertion Consumer Service URL** | Copy the **Assertion consumer service (ACS) URL** from the Bitwarden Single Sign-On page into this field. |
   | **Name ID Format** | Select **Email** from the dropdown menu. |

   > [!NOTE] CFZT OIDC
   > For the generic OIDC configuration, the Auth URL, Token URL, and Certificate URL can be located with the well-known URL.

4. Scroll down to the **Identity providers** menu. Select the IdP(s) that you configured in the previous section, scroll back to the top, and select **Next**.

5. Next, create access policies for user access to the application. Complete the **Policy name**, **Action**, and **Session duration** fields for each policy.

6. You can choose to assign a group policy (**Access** → **Groups**) or explicit user policy rules (such as emails, "emails ending in", "country", or "everyone"). In the following example, the group "Anon Users" has been included in the policy. An additional rule has been added as well to include emails ending in the chosen domain:

   ![CFZT app policy](https://bitwarden.com/assets/2VCZsMzbeUtuO9jx1oh6g7/a1fbe343872934b796ce486cf46835fb/Screen_Shot_2022-10-12_at_10.55.31_AM.png)

   > [!NOTE] User access to the app launcher
   > You can also apply user access through the **App Launcher** for access to the Bitwarden login with SSO shortcut. This can be managed by navigating to **Authentication** → **App Launcher** → **Manage**. The application policies in the above example can be duplicated or generated here.

7. Once access policies have been configured, scroll to the top and select **Next**.

8. While on the **Setup** screen, copy the following values and input them into their respective fields on the Bitwarden **Single Sign-On** page:

   | **Key** | **Description** |
   |------|------|
   | **SSO endpoint** | The SSO endpoint directs where your SaaS application will send login requests. This value will be entered into the **Single Sign On Service URL** field in Bitwarden. |
   | **Access Entity ID or Issuer** | The Access Entity ID or Issuer is the unique identifier of your SaaS application. This value will be entered into the **Entity ID** field on Bitwarden. |
   | **Public key** | The Public key is the access public certificate that will be used to verify your identity. This value will be entered into the **X509 Public Certificate** field on Bitwarden. |

9. After the values have been entered into Bitwarden, select **Save** on the Bitwarden Single Sign-On screen and select **Done** on the Cloudflare page to save the application.

10. To create a bookmark to the Bitwarden login with SSO screen, select **Add an application** → **Bookmark**. Check that the Bookmark is visible in the **App launcher**.

## Test the configuration

Once your configuration is complete, test it by navigating to [https://vault.bitwarden.com](http://www.vault.bitwarden.com/) or [https://vault.bitwarden.eu](https://vault.bitwarden.eu/), entering your email address and selecting the **Use single sign-on** button:

![Log in options screen](https://bitwarden.com/assets/3BdlHeogd42LEoG06qROyQ/c68021df4bf45d72e9d37b1fbf5a6040/login.png)

Enter the configured organization identifier and select **Log In**. If your implementation is successfully configured, you will be redirected to a Cloudflare Access screen, where you can select the IdP to log in with:

![Cloudflare IdP selection](https://bitwarden.com/assets/5SyHu8lc0ZJqjpL4hF53ie/b0d661e6772b58f681c47b7b01ebbaa0/Screen_Shot_2022-10-12_at_5.15.39_PM__2_.png)

After selecting your IdP, you will be directed to your IdP login page.
Enter the information used to log in via your IdP:

![CFZT IdP login](https://bitwarden.com/assets/7Avc5GWZaeGSk59v3rZ531/3be901d4f137012ef6d1e3cb13d9a4eb/Screen_Shot_2022-10-13_at_4.45.02_PM.png)

After you authenticate with your IdP credentials, enter your Bitwarden credentials to decrypt your vault!

--- URL: https://bitwarden.com/help/collection-management/ ---

# Collection Settings

[Collection](https://bitwarden.com/help/about-collections/) management settings are a set of organization-wide rules that interact directly with [member roles](https://bitwarden.com/help/user-types-access-control/) and [collection permissions](https://bitwarden.com/help/collection-permissions/) to allow or limit certain actions for certain user populations. These settings can only be set by an organization owner from the Admin Console's **Settings** → **Organization info** view.

## List of settings

### Allow owners and admins to manage all collections and items from the Admin Console

This option interacts with the [owner and admin member roles](https://bitwarden.com/help/user-types-access-control/) to determine whether that user population has automatic access to all collections, and therefore all items, in your organization.

| **On** | When on, owners and admins gain the equivalent of the [Manage collection permission](https://bitwarden.com/help/collection-permissions/) for all collections in your organization. Functionally, this means that owners and admins can alter or remove any collection, alter or remove the items in any collection, alter or remove the groups and members assigned to any collection, and alter the collection permissions assigned to any group or member for any collection. |
|------|------|
| **Off** | When off, collections can only be managed in the above manner by members with the [Manage collection permission](https://bitwarden.com/help/collection-permissions/) specifically assigned to them. Owners and admins will only have access to collections to which they have permissions directly assigned. This does not prevent owners and admins from exporting all organization owned data. To prevent the possibility of orphaned collections, an **Add Access** badge will be displayed in the Collections view for any collection that does not have a member with [Manage collection](https://bitwarden.com/help/user-types-access-control/) permission. Owners and admins will **temporarily** gain access to these collections until they assign a member that permission. |

> [!TIP] Using flexible collections option 2
> This option is suited for you if, for example, your IT team requires access to all vault items associated with your organization for regular auditing.

### Restrict collection creation to owners and admins

This option interacts with the [owner and admin member roles](https://bitwarden.com/help/user-types-access-control/) to determine whether **only** that user population has the ability to create collections.

| **On** | When on, only owners and admins can create collections. This user population will be required to create your organization's collection structure on behalf of your users, but can assign individual users to manage the items and people in those collections once created. |
|------|------|
| **Off** | When off, members with any role can create collections for themselves and their team. Members who create a collection will automatically have [Manage collection](https://bitwarden.com/help/user-types-access-control/) permission over that collection. |

> [!TIP] Manage collection permission
> Even if turned **on**, any user can still be granted [Manage collection permission](https://bitwarden.com/help/collection-permissions/) for a collection so that they can manage its members and contents once created.
### Restrict collection deletion to owners and admins

This option interacts with the [owner and admin member roles](https://bitwarden.com/help/user-types-access-control/) to determine whether **only** that user population has the ability to delete collections. When on, this option also has downstream impact on the [Manage collection](https://bitwarden.com/help/user-types-access-control/) permission.

| **On** | When on, only owners and admins can delete collections. Functionally, this option supersedes the ability to delete a collection that would have been granted to members with the [Manage collection](https://bitwarden.com/help/user-types-access-control/) permission. |
|------|------|
| **Off** | When off, members with any role can delete collections provided they have [Manage collection](https://bitwarden.com/help/user-types-access-control/) permission over the collection they'd like to delete. |

### Restrict item deletion to members with the Manage collection permissions

This option interacts with the [Manage collection permission](https://bitwarden.com/help/collection-permissions/) to determine whether **only** that user population has the ability to delete items. When off, this option also has downstream impact on the [Can edit permissions](https://bitwarden.com/help/collection-permissions/).

| **On** | When on, only users with the [Manage collection](https://bitwarden.com/help/user-types-access-control/) permission will be able to delete collection items. |
|------|------|
| **Off** | When off, users with [Can edit and Can edit, hidden passwords](https://bitwarden.com/help/collection-permissions/) permissions will also have the ability to delete collection items. |

--- URL: https://bitwarden.com/help/collection-permissions/ ---

# Collection Permissions

Collection permissions determine what actions a [group](https://bitwarden.com/help/about-groups/) or member can take with the items in a particular collection, including whether they can directly modify items in a collection or whether they can change who has access to the collection. Refer to the table on this page for more information on what actions each permission grants.

Collection permissions can, depending on your [organization's settings](https://bitwarden.com/help/collection-management/), be altered by up to three types of user:

- Members with the **Manage collection** permission for a collection can alter the permissions assigned to groups and members for that specific collection.
- Custom role members with the **Edit any collection** permission can alter the permissions assigned to groups and members for any collection.
- If the **Owners and admins can manage all collections and items** setting is on, all owners and admins can alter the permissions assigned to groups and members for any collection.

> [!TIP] Check collection access via Member access report
> The [Member access report](https://bitwarden.com/help/reports/#member-access/) can be used by Enterprise organizations to download a comprehensive `.csv` detailing what groups a member is in, what collections they have access to, their level of permission within each assigned collection, and more.

## Permissions table

> [!TIP] Breadth of assigning permissions vs. roles
> While [member role](https://bitwarden.com/help/user-types-access-control/#member-role/) can only be set at an individual-member level, [permissions](https://bitwarden.com/help/collection-permissions/) can either be set for an individual member or for a group as a whole.
> **Permissions set at a member level will supersede permissions set at a group level.**

| **Permission** | **Description** |
|------|------|
| View items | Can view all items in the collection, including hidden fields like passwords. |
| View items, hidden passwords | Can view all items in the collection, except hidden fields like passwords (please see the note following this table). |
| Edit items | Can view and edit all items in the collection, + Can add new items or assign existing items to the collection. + Can change the collections an included item is shared in, including removing it. + Can delete items from the collection, [if permitted by the organization](https://bitwarden.com/help/collection-management/). |
| Edit items, hidden passwords | Can view and edit all items in the collection, except hidden fields like passwords (please see the note following this table), + Can add new items or assign existing items to the collection. - Cannot change the collections an included item is shared in. - Cannot delete items from the collection. |
| Manage collection | Can view and edit all items in the collection, + Can assign members and groups to the collection, including adding others with the Manage collection permission. + Can remove items from the collection. + Can delete items from the collection. + Can delete the collection. |

> [!WARNING] Hidden Passwords
> **Hidden passwords permissions**: Hiding passwords prevents easy copy-and-paste; however, it does not completely prevent user access to this information. Treat hidden passwords as you would any shared credential.

## Next steps

- [Learn about collections](https://bitwarden.com/help/about-collections/) at a conceptual level.
- [Create a collection](https://bitwarden.com/help/create-collections/) that you can add shared items to.
- [Share items with organization members](https://bitwarden.com/help/sharing/) through your new collection.
- [Assign groups and members](https://bitwarden.com/help/assign-users-to-collections/) access to your new collection.
- [Configure collection management settings](https://bitwarden.com/help/collection-management/) for your organization.

--- URL: https://bitwarden.com/help/condition-bitwarden-import/ ---

# Import from a Custom File

This article describes how to format `.csv` and `.json` files for importing into Bitwarden. The formats are identical to [Bitwarden vault exports](https://bitwarden.com/help/export-your-data/).

To select a file type and format, determine the destination vault and which item types you need to import:

- Format your file based on whether you're importing to an [individual](https://bitwarden.com/help/import-data/#import-to-your-individual-vault/) or [organization vault](https://bitwarden.com/help/import-to-org/#import-to-an-organization-vault/).
- Bitwarden `.csv` files only include logins and secure notes. If you need to also handle identities and cards, use a `.json` file.

> [!NOTE] Items not imported
> While some item types cannot be imported, you can still add them to a vault:
>
> - Upload [file attachments](https://bitwarden.com/help/attachments/) to the new vault individually.
> - Re-create [Sends](https://bitwarden.com/help/about-send/) in the new vault.
## Condition a .csv

### .csv for individual vault

⬇️ [Download sample csv](https://bitwarden.com/assets/4j3wYIYVQYW2MZUBogVxM3/2299910bb8fc93f6a8916d870be0458c/bitwarden_export.csv)

Create a UTF-8 encoded plaintext file with the following header as the first line in the file:

```
folder,favorite,type,name,notes,fields,reprompt,login_uri,login_username,login_password,login_totp
```

For example:

```
folder,favorite,type,name,notes,fields,reprompt,login_uri,login_username,login_password,login_totp
Social,1,login,Twitter,,,0,twitter.com,me@example.com,password123,
,,login,EVGA,,,,https://www.evga.com/support/login.asp,hello@bitwarden.com,fakepassword,TOTPSEED123
,,login,My Bank,Bank PIN is 1234,"PIN: 1234",,https://www.wellsfargo.com/home.jhtml,john.smith,password123456,
,,note,My Note,"This is a secure note.",,,,,
```

When importing this file, select **Bitwarden (csv)** as your file format.

### .csv for organization

⬇️ [Download sample csv](https://bitwarden.com/assets/YYnGrBJO8O5Xv2O0dFW9Z/6de667ded7567da41dcdf4af5186311a/bitwarden_export_org.csv)

Create a UTF-8 encoded plaintext file with the following header as the first line in the file:

```
collections,type,name,notes,fields,reprompt,login_uri,login_username,login_password,login_totp
```

For example:

```
collections,type,name,notes,fields,reprompt,login_uri,login_username,login_password,login_totp
"Social,Marketing",login,Twitter,,,0,twitter.com,me@example.com,password123,
"Finance",login,My Bank,"Bank PIN is 1234","PIN: 1234",0,https://www.wellsfargo.com/home.jhtml,john.smith,password123456,
"Finance",login,EVGA,,,0,https://www.evga.com/support/login.asp,hello@bitwarden.com,fakepassword,TOTPSEED123
"Finance",note,My Note,"This is a secure note.",,0,,,
```

> [!TIP] Conditioning nested collections into a .csv
> If you're conditioning a `.csv` with nested collections, create dedicated entries for **each collection that does not have an item in it**, for example:
>
> ```bash
> collections,type,name,notes,fields,reprompt,login_uri,login_username,login_password,login_totp
> Parent Collection,,,,,,,,,,
> Parent Collection/First Child Collection,,,,,,,,,,
> Parent Collection/First Child Collection/Second Child Collection,login,Shared Credential,,,,https://website.com,username,password,,
> ```

When importing this file, select **Bitwarden (csv)** as your file format.

### Minimum required values

You may not have data for all the values shown in the above formats, however most are optional. In order for the Bitwarden `.csv` importer to function properly, you are only required to have the following values for any given object:

```
folder,favorite,type,name,notes,fields,reprompt,login_uri,login_username,login_password,login_totp
,,login,Login Name,,,,,,
,,note,Secure Note Name,,,,,,
```

## Condition a .json

⬇️ [Download sample json](https://bitwarden.com/assets/2iwtn9YFqooYJmw1JWwCXa/8b03a95f1c27240c22a7578aa703f7b1/individual.json)

### .json for individual vault

Create a UTF-8 encoded plaintext file in the following format:

```
{
  "folders": [
    {
      "id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
      "name": "Folder Name"
    }
  ],
  "items": [
    {
      "passwordHistory": [
        {
          "lastUsedDate": "YYYY-MM-00T00:00:00.000Z",
          "password": "passwordValue"
        }
      ],
      "id": "yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy",
      "organizationId": null,
      "folderId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
      "type": 1,
      "reprompt": 0,
      "name": "My Gmail Login",
      "notes": "This is my gmail login for import.",
      "favorite": false,
      "fields": [
        {
          "name": "custom-field-1",
          "value": "custom-field-value",
          "type": 0
        }
      ],
      "login": {
        "uris": [
          {
            "match": null,
            "uri": "https://mail.google.com"
          }
        ],
        "username": "myaccount@gmail.com",
        "password": "myaccountpassword",
        "totp": "otpauth://totp/my-secret-key"
      },
      "collectionIds": null
    }
  ]
}
```

When importing this file, select **Bitwarden (json)** as your file format.
### .json for organization

⬇️ [Download sample json](https://bitwarden.com/assets/2Pui1E5uLs2FSw6GhO6pdU/141c68c6ad63ea8f395067c02592ddbc/organization.json)

Create a UTF-8 encoded plaintext file in the following format:

```
{
  "collections": [
    {
      "id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
      "organizationId": "yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy",
      "name": "My Collection",
      "externalId": null
    }
  ],
  "items": [
    {
      "passwordHistory": [
        {
          "lastUsedDate": "YYYY-MM-00T00:00:00.000Z",
          "password": "passwordValue"
        }
      ],
      "id": "vvvvvvvv-vvvv-vvvv-vvvv-vvvvvvvvvvvv",
      "organizationId": "yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy",
      "folderId": "zzzzzzzz-zzzz-zzzz-zzzz-zzzzzzzzzzzz",
      "type": 1,
      "reprompt": 1,
      "name": "Our Shared Login",
      "notes": "A login for sharing",
      "favorite": false,
      "fields": [
        {
          "name": "custom-field-1",
          "value": "custom-field-value",
          "type": 0
        }
      ],
      "login": {
        "uris": [
          {
            "match": null,
            "uri": "https://mail.google.com"
          }
        ],
        "username": "myaccount@gmail.com",
        "password": "myaccountpassword",
        "totp": "otpauth://totp/my-secret-key"
      },
      "collectionIds": ["xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"]
    }
  ]
}
```

When importing this file, select **Bitwarden (json)** as your file format.

### Import to existing collections

By conditioning your organization `.json` file appropriately, you can import new login items to pre-existing [collections](https://bitwarden.com/help/about-collections/).

The following example demonstrates the proper format for importing a single item into a pre-existing collection. Note that you will need to:

- Obtain organization and collection IDs. These can be obtained by navigating to the collection in your web app and pulling them from the address bar (e.g. `https://vault.bitwarden.com/#/organizations//vault?collectionId=`).
- Define a `"collections": []` array that contains data for the pre-existing collection, including organization and collection IDs (see above) as well as its name.
As long as these 3 data points match, a new collection will not be created on import and instead items in the file will be imported to the pre-existing collection.

```
{
  "encrypted": false,
  "collections": [
    {
      "id": "b8e6df17-5143-495e-92b2-aff700f48ecd",
      "organizationId": "55d8fa8c-32bb-47d7-a789-af8710f5eb99",
      "name": "My Existing Collection",
      "externalId": null
    }
  ],
  "folders": [],
  "items": [
    {
      "id": "2f27f8f8-c980-47f4-829a-aff801415845",
      "organizationId": "55d8fa8c-32bb-47d7-a789-af8710f5eb99",
      "folderId": null,
      "type": 1,
      "reprompt": 0,
      "name": "Item to Import",
      "notes": "A login item for sharing.",
      "favorite": false,
      "login": {
        "uris": [
          {
            "match": null,
            "uri": "https://mail.google.com"
          }
        ],
        "username": "my_username",
        "password": "my_password",
        "totp": null
      },
      "collectionIds": ["b8e6df17-5143-495e-92b2-aff700f48ecd"]
    }
  ]
}
```

### Minimum required key-value pairs

You may not have data for all the key-value pairs shown in the above formats, however most are optional. In order for the Bitwarden `.json` importer to function properly, you are only required to have the following key-value pairs for each object:

```
{
  "items": [
    {
      "type": 1,
      "name": "Login Item's Name",
      "login": {}
    },
    {
      "type": 2,
      "name": "Secure Note Item's Name",
      "secureNote": {}
    },
    {
      "type": 3,
      "name": "Card Item's Name",
      "card": {}
    },
    {
      "type": 4,
      "name": "Identity Item's Name",
      "identity": {}
    }
  ]
}
```

The `"login":`, `"secureNote":`, `"card":`, and `"identity":` objects can be imported as empty objects, however we recommend conditioning files with as much data as you are able.

## Import into Bitwarden

Once your `.csv` or `.json` file is ready, import it to an [individual vault](https://bitwarden.com/help/import-data/#import-to-your-individual-vault/) or [organization vault](https://bitwarden.com/help/import-to-org/#import-to-an-organization-vault/). Select **Bitwarden (csv)** or **Bitwarden (json)** from the **File format** list.
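
The two rules above (the three matching data points for a pre-existing collection, and the minimum key-value pairs per item type) can be checked before a file is uploaded. The following Python check is an added example, not Bitwarden's own code; `check_org_import` and its `existing` argument (collection ID to name, copied by the administrator from the web app) are assumptions, and the `BAD` document is a constructed variant of the example on this page.

```python
import copy

# Item "type" values and the object each one requires (minimum key-value pairs above).
TYPE_OBJECTS = {1: "login", 2: "secureNote", 3: "card", 4: "identity"}


def check_org_import(document, org_id, existing):
    """Return a list of problems found in a parsed organization .json file.

    org_id   -- organization ID taken from the web app address bar
    existing -- {collection id: collection name} for pre-existing collections
    """
    problems = []
    declared = set()
    for coll in document.get("collections") or []:
        cid = coll.get("id")
        declared.add(cid)
        if coll.get("organizationId") != org_id:
            problems.append(f"collection {cid}: organizationId is not {org_id}")
        elif existing.get(cid) != coll.get("name"):
            problems.append(f"collection {cid}: id and name do not match a pre-existing collection")

    for index, item in enumerate(document.get("items") or []):
        label = f"item {index} ({item.get('name')!r})"
        required = TYPE_OBJECTS.get(item.get("type"))
        if required is None:
            problems.append(f"{label}: type must be one of {sorted(TYPE_OBJECTS)}")
        elif not isinstance(item.get(required), dict):
            problems.append(f"{label}: missing '{required}' object")
        if not item.get("name"):
            problems.append(f"{label}: missing name")
        if item.get("organizationId") not in (None, org_id):
            problems.append(f"{label}: organizationId is not {org_id}")
        ids = item.get("collectionIds") or []
        if isinstance(ids, str):  # tolerate a single ID given as a string
            ids = [ids]
        for cid in ids:
            if cid not in declared:
                problems.append(f"{label}: collectionId {cid} is not defined under 'collections'")
    return problems


# IDs and names below are the ones used in the example on this page.
ORG_ID = "55d8fa8c-32bb-47d7-a789-af8710f5eb99"
COLLECTION_ID = "b8e6df17-5143-495e-92b2-aff700f48ecd"
EXISTING = {COLLECTION_ID: "My Existing Collection"}

GOOD = {
    "encrypted": False,
    "collections": [{"id": COLLECTION_ID, "organizationId": ORG_ID,
                     "name": "My Existing Collection", "externalId": None}],
    "folders": [],
    "items": [{"organizationId": ORG_ID, "type": 1, "name": "Item to Import",
               "login": {"username": "my_username", "password": "my_password"},
               "collectionIds": [COLLECTION_ID]}],
}

# Constructed variant with three mistakes: collection name differs in case,
# the item points at an undeclared collection, and a note lacks "secureNote".
BAD = copy.deepcopy(GOOD)
BAD["collections"][0]["name"] = "my existing collection"
BAD["items"][0]["collectionIds"] = ["00000000-0000-0000-0000-000000000000"]
BAD["items"].append({"type": 2, "name": "Note without body"})

if __name__ == "__main__":
    for name, doc in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_org_import(doc, ORG_ID, EXISTING) or "ok")
```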

--- URL: https://bitwarden.com/help/configure-clients-selfhost/ ---

# Connect Managed Devices

When operating a self-hosted Bitwarden server in a business setting, administrators may want to centrally configure client application settings (particularly, Server URL) before deploying to users with an endpoint management platform. Settings are applied upon installation of the client application. These processes may also be helpful if you're using a [Bitwarden Cloud EU server](https://bitwarden.com/help/server-geographies/).

> [!NOTE] Server connections require https
> While configuring your self-host server URL, `https://` must be included in the URL. Addresses that do **not** include `https://` such as `my.server.com` or `http://my.server.com` will result in an error message.

The process for doing so will be different for each client application:

## Browser extensions

### Chrome and Chromium

The following steps assume that users do not yet have the Bitwarden browser extension installed on their machines. If they do, they will need to reset to pre-configured settings, which they will be prompted to do when following [this workflow](https://bitwarden.com/help/change-client-environment/#tab-browser-extension-4dQ4hW1QAwVBuReXk2Txx0/):

### Linux

To pre-configure environment URLs for Linux:

1. Create one of the following directory structures if they do not already exist on your system:
   - For Chrome, `/etc/opt/chrome/policies/managed/`
   - For Chromium, `/etc/opt/chromium/policies/managed/`
2. In the `managed` folder, create a `bitwarden.json` file with the following contents:

   ```
   {
     "3rdparty": {
       "extensions": {
         "nngceckbapebfimnlniiiahkandclblb": {
           "environment": {
             "base": "https://my.bitwarden.server.com"
           }
         }
       }
     }
   }
   ```

   The extension ID (`nngceckbapebfimnlniiiahkandclblb`) will vary depending on your installation method. You can find your extension ID by navigating to your browser's extension menu (for example, `chrome://extensions`).
   Most installations will only require the `"base":` URL, however some unique setups may require you to enter URLs for each service independently:

   ```
   {
     "3rdparty": {
       "extensions": {
         "nngceckbapebfimnlniiiahkandclblb": {
           "environment": {
             "base": "https://my.bitwarden.server.com",
             "webVault": "https://my.bitwarden.server.com",
             "api": "https://my.bitwarden.server.com",
             "identity": "https://my.bitwarden.server.com",
             "icons": "https://my.bitwarden.server.com",
             "notifications": "https://my.bitwarden.server.com",
             "events": "https://my.bitwarden.server.com"
           }
         }
       }
     }
   }
   ```

   > [!NOTE] Link Configure Clients Centrally to Deploy via MDM (Linux)
   > If you'll be using the Chrome or Chromium Web Store version of Bitwarden, you can follow [these instructions](https://bitwarden.com/help/browserext-deploy/#linux/) to force install Bitwarden on end-user machines when you distribute managed policies. You can skip overlapping steps, like creating required directories.

3. As you will need to deploy these files to users' machines, we recommend making sure only admins can write files in the `/policies` directory.
4. Using your preferred software distribution or MDM tool, deploy the following to users' machines:
   - The Chrome or Chromium-based browser
   - `/etc/opt/{chrome or chromium}/policies/managed/bitwarden.json`

> [!TIP] Linux Managed Chrome Help
> For more help, refer to Google's [Chrome Browser Quick Start for Linux](https://support.google.com/chrome/a/answer/9025926?hl=en&ref_topic=9025817) guide.

### Windows

To pre-configure environment URLs for Windows:

1. Open the Windows Group Policy Manager and create a new Group Policy Object (GPO) or use an existing GPO scoped for your end-users.
2. Edit the GPO and navigate to **User Configuration -> Preferences -> Windows Settings -> Registry.**
3. Right-click **Registry** in the file tree and select **New > Registry Item.**
4.
   Create a new Registry Item with the following properties:

   - **Action**: Update
   - **Hive**: `HKEY_LOCAL_MACHINE`
   - **Key Path**: `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\3rdparty\extensions\\policy\environment`

     The `` will vary depending on your installation method. You can find your extension ID by navigating to your browser's extension menu (for example, `chrome://extensions`).

     > [!NOTE] Microsoft Edge keypath
     > While Microsoft Edge is a Chromium-based browser, the **Key Path** location is different than the input for Google Chrome. For Microsoft Edge, use the following key path:
     >
     > - `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge\3rdparty\extensions\\policy\environment`
   - **Value name**: `base`
   - **Value type**: `REG_SZ`
   - **Value data**: Your server's configured domain

   > [!NOTE] HKLM Registry Keys
   > Registry key management systems may omit `HKEY_LOCAL_MACHINE\` from the Full Key Path. `HKEY_LOCAL_MACHINE` is a Hive and is omitted from the Key Path if the system has a separate Hive setting.

5. Select **OK** once the item is configured.

Most installations will only require the `base` URL, however some unique setups may require you to enter URLs for each service independently. If your setup requires this, repeat **Step 4** to create a new Registry Item for each of the following:

- Value name: `webVault`
- Value name: `api`
- Value name: `identity`
- Value name: `icons`
- Value name: `notifications`
- Value name: `events`

> [!NOTE] Link Configure Clients Centrally to Deploy via MDM (macOS)
> You can also use a GPO to force-install the browser extension. [Learn more](https://bitwarden.com/help/browserext-deploy/#windows/).

### macOS

To pre-configure environment URLs for macOS:

1. Create a new file `com.google.chrome.extensions..plist`.

   The `` will vary depending on your installation method. You can find your extension ID by navigating to your browser's extension menu (for example, `chrome://extensions`).
2.
   In the created `.plist` file, add the following contents:

   ```
   <?xml version="1.0" encoding="UTF-8"?>
   <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
   <plist version="1.0">
   <dict>
     <key>environment</key>
     <dict>
       <key>base</key>
       <string>https://my.bitwarden.server.com</string>
     </dict>
   </dict>
   </plist>
   ```

   Most installations will only require the `base` `<key>` and `<string>` pair, however some unique setups may require you to enter URLs for each service independently:

   ```
   <?xml version="1.0" encoding="UTF-8"?>
   <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
   <plist version="1.0">
   <dict>
     <key>environment</key>
     <dict>
       <key>base</key>
       <string>https://my.bitwarden.server.com</string>
       <key>webVault</key>
       <string>https://my.bitwarden.server.com</string>
       <key>api</key>
       <string>https://my.bitwarden.server.com</string>
       <key>identity</key>
       <string>https://my.bitwarden.server.com</string>
       <key>icons</key>
       <string>https://my.bitwarden.server.com</string>
       <key>notifications</key>
       <string>https://my.bitwarden.server.com</string>
       <key>events</key>
       <string>https://my.bitwarden.server.com</string>
     </dict>
   </dict>
   </plist>
   ```

3. Convert the `.plist` file to a `.mobileconfig` configuration profile.

   > [!NOTE] Link Configure Clients Centrally to Deploy via MDM (macOS)
   > If you'll be using the Chrome or Chromium Web Store version of Bitwarden, you can follow [these instructions](https://bitwarden.com/help/browserext-deploy/#macos/) to force install Bitwarden on end-user machines by creating another configuration profile that can be distributed in the next step.

4. Using your preferred software distribution or MDM tool, install the following on users' machines:
   - The Chrome or Chromium-based browser
   - The `.mobileconfig` configuration profile

### Firefox

### Linux

To pre-configure environment URLs for Linux:

1. Create a directory `/etc/firefox/policies`:

   ```
   mkdir -p /etc/firefox/policies
   ```

2. As you will need to deploy this directory and the files in it to users' machines, we recommend making sure only admins can write files in the `/policies` directory:

   ```
   chmod -R 755 /etc/firefox/policies
   ```

3.
   Create a `policies.json` file in `/etc/firefox/policies` and add the following contents:

   ```
   {
     "policies": {
       "3rdparty": {
         "Extensions": {
           "{446900e4-71c2-419f-a6a7-df9c091e268b}": {
             "environment": {
               "base": "https://my.bitwarden.server.com"
             }
           }
         }
       }
     }
   }
   ```

   Most installations will only require the `"base":` URL, however some unique setups may require you to enter URLs for each service independently:

   ```
   {
     "policies": {
       "3rdparty": {
         "Extensions": {
           "{446900e4-71c2-419f-a6a7-df9c091e268b}": {
             "environment": {
               "base": "https://my.bitwarden.server.com",
               "webVault": "https://my.bitwarden.server.com",
               "api": "https://my.bitwarden.server.com",
               "identity": "https://my.bitwarden.server.com",
               "icons": "https://my.bitwarden.server.com",
               "notifications": "https://my.bitwarden.server.com",
               "events": "https://my.bitwarden.server.com"
             }
           }
         }
       }
     }
   }
   ```

4. Using your preferred software distribution or MDM tool, deploy `/etc/firefox/policies/policies.json` to users' machines.

### Windows

To pre-configure environment URLs for Windows:

1. Open the Windows Group Policy Manager and create a new Group Policy Object (GPO) or use an existing GPO scoped for your end-users.
2. Edit the GPO and navigate to **User Configuration > Preferences > Windows Settings > Registry**.
3. Right-click **Registry** in the file tree and select **New > Registry Item**.
4. Create a new Registry item with the following properties:
   - **Action**: Update
   - **Hive**: `HKEY_LOCAL_MACHINE`
   - **Key Path**: `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mozilla\Firefox\3rdparty\Extensions\{446900e4-71c2-419f-a6a7-df9c091e268b}\environment`
   - **Value name**: `base`
   - **Value type**: `REG_SZ`
   - **Value data**: Your server's configured domain

   > [!NOTE] HKLM Registry Keys
   > Registry key management systems may omit `HKEY_LOCAL_MACHINE\` from the Full Key Path. `HKEY_LOCAL_MACHINE` is a Hive and is omitted from the Key Path if the system has a separate Hive setting.

5. Select **OK** once the item is configured.

Most installations will only require the base URL, however some unique setups may require you to enter URLs for each service independently. If your setup requires this, repeat **Step 4** to create a new Registry item for each of the following:

- Value name: `webVault`
- Value name: `api`
- Value name: `identity`
- Value name: `icons`
- Value name: `notifications`
- Value name: `events`

### macOS

To pre-configure environment URLs for macOS:

1. Remove the quarantining attribute automatically applied to Firefox by running the following command:

   ```
   xattr -r -d com.apple.quarantine /Applications/Firefox.app
   ```

2. Create a directory `/Applications/Firefox.app/Contents/Resources/distribution`.
3. Create a file `policies.json` in the `distribution` folder and add the following contents:

   ```
   {
     "policies": {
       "3rdparty": {
         "Extensions": {
           "{446900e4-71c2-419f-a6a7-df9c091e268b}": {
             "environment": {
               "base": "https://my.bitwarden.server.com"
             }
           }
         }
       }
     }
   }
   ```

   Most installations will only require the `"base":` URL, however some unique setups may require you to enter URLs for each service independently:

   ```
   {
     "policies": {
       "3rdparty": {
         "Extensions": {
           "{446900e4-71c2-419f-a6a7-df9c091e268b}": {
             "environment": {
               "base": "https://my.bitwarden.server.com",
               "webVault": "https://my.bitwarden.server.com",
               "api": "https://my.bitwarden.server.com",
               "identity": "https://my.bitwarden.server.com",
               "icons": "https://my.bitwarden.server.com",
               "notifications": "https://my.bitwarden.server.com",
               "events": "https://my.bitwarden.server.com"
             }
           }
         }
       }
     }
   }
   ```

4. Using your preferred software distribution or MDM tool, deploy `/etc/firefox/policies/policies.json` to users' machines.

> [!NOTE] Central deployment to EU servers
> In order to centrally deploy the Bitwarden browser extension to EU servers, `base` and `notifications` must be set to the EU cloud.
For example:
>
> ```plain text
> "base": "https://vault.bitwarden.eu"
> "notifications": "https://notifications.bitwarden.eu"
> ```
>
> If enabled correctly, users' browser extensions will display **Logging in on: self-hosted** but will still connect to bitwarden.eu.

## Desktop apps

To centrally configure the Desktop app for deployment, first complete the following steps on a single workstation:

1. Install the Desktop app. If you're using Windows, silently install Bitwarden as an administrator using `installer.exe /allusers /S` (see [NSIS documentation](https://nsis.sourceforge.io/Docs/Chapter4.html#silent)).
2. Navigate to the Desktop app's locally stored settings. This directory is different depending on your OS (e.g. `%AppData%\Bitwarden` on Windows, `~/Library/Application Support/Bitwarden` on macOS). [Find your directory.](https://bitwarden.com/help/data-storage/)
3. In the directory, open the `data.json` file.
4. Edit `data.json` to configure the Desktop app as desired. In particular, create the following object to configure the app with your self-hosted Server URL:

   ```
   "global_environment_environment": {
     "region": "Self-hosted",
     "urls": {
       "base": "self-host.com"
     }
   }
   ```

   > [!TIP] EU instead of self-host desktop config
   > Customers using Bitwarden cloud servers may instead set `"region":` to `"US"` or `"EU"` to connect to those servers.

5. Once configured the way you want it, use your endpoint management solution of choice (like [Jamf](https://www.jamf.com/)) to deploy the pre-configured Desktop app as a template.

> [!NOTE] Copy data.json after configuring in GUI
> As an alternative to manually configuring the `data.json` file, you can assign `environmentUrls` using the Bitwarden desktop app. Select your desired region using the desktop app GUI, then close the app and [locate your data.json file](https://bitwarden.com/help/data-storage/#on-your-local-machine/) in order to copy the environment variable information.
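
A pre-deployment check for the managed policy files from the browser extension sections above (Chrome's `bitwarden.json` and Firefox's `policies.json`): it flags environment URLs that are not `https://` and policy files or directories that someone other than the owner can write to. This is an added example, not Bitwarden's code; the function names and the `expected_uid` default of 0 (root ownership) are assumptions, and the sample policy in the demo is constructed.

```python
import json
import os
import stat
import tempfile
from urllib.parse import urlsplit

# Environment keys listed on this page.
ENV_KEYS = {"base", "webVault", "api", "identity", "icons", "notifications", "events"}


def find_environments(policy):
    """Return {extension_id: environment} for Chrome- or Firefox-style policy JSON."""
    root = policy.get("policies", policy)  # Firefox wraps everything in "policies"
    third_party = root.get("3rdparty", {})
    # Chrome uses "extensions", Firefox uses "Extensions".
    extensions = third_party.get("extensions") or third_party.get("Extensions") or {}
    return {ext_id: cfg["environment"] for ext_id, cfg in extensions.items()
            if isinstance(cfg, dict) and isinstance(cfg.get("environment"), dict)}


def audit_urls(environment):
    """Flag keys this page does not list and values that are not https:// URLs."""
    findings = []
    for key, value in environment.items():
        if key not in ENV_KEYS:
            findings.append(f"{key}: not an environment key listed on this page")
            continue
        try:
            parts = urlsplit(value if isinstance(value, str) else "")
            ok = parts.scheme == "https" and bool(parts.hostname)
        except ValueError:  # malformed URL, e.g. unbalanced IPv6 brackets
            ok = False
        if not ok:
            findings.append(f"{key}: {value!r} is not an https:// URL")
    return findings


def audit_permissions(path, expected_uid=0):
    """Flag the policy file or its directory if group/others can write to it."""
    findings = []
    for target in (path, os.path.dirname(os.path.abspath(path))):
        info = os.stat(target)
        if info.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            mode = stat.S_IMODE(info.st_mode)
            findings.append(f"{target}: writable by group or others (mode {mode:o})")
        if info.st_uid != expected_uid:  # assumption: admins deploy as this uid
            findings.append(f"{target}: owned by uid {info.st_uid}, expected {expected_uid}")
    return findings


def audit_policy_file(path, expected_uid=0):
    """Run both checks on one policy file and return all findings."""
    with open(path, encoding="utf-8") as handle:
        policy = json.load(handle)
    findings = audit_permissions(path, expected_uid)
    environments = find_environments(policy)
    if not environments:
        findings.append("no extension 'environment' block found")
    for ext_id, environment in environments.items():
        findings += [f"{ext_id}: {finding}" for finding in audit_urls(environment)]
    return findings


if __name__ == "__main__":
    # Constructed sample: plain-http base URL in a world-writable file.
    sample = {"3rdparty": {"extensions": {"nngceckbapebfimnlniiiahkandclblb": {
        "environment": {"base": "http://my.server.com"}}}}}
    workdir = tempfile.mkdtemp()
    os.chmod(workdir, 0o755)
    target = os.path.join(workdir, "bitwarden.json")
    with open(target, "w", encoding="utf-8") as handle:
        json.dump(sample, handle)
    os.chmod(target, 0o666)
    for line in audit_policy_file(target, expected_uid=os.stat(workdir).st_uid):
        print(line)
```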

If users are experiencing graphics or performance issues, Bitwarden includes settings that can be adjusted to improve performance. [See Password Manager FAQs](https://bitwarden.com/help/product-faqs/#q-does-bitwarden-have-any-settings-that-can-be-adjusted-for-graphics-or-performance/).

## Mobile apps

Most Mobile Device Management (MDM) or Enterprise Mobility Management (EMM) solutions allow administrators to pre-configure applications before deployment in a standard fashion. To pre-configure Bitwarden Mobile apps to use your self-hosted Server URL, construct the following Application Configuration:

| **Configuration Key** | **Value Type** | **Configuration Value** |
|------|------|------|
| `baseEnvironmentUrl` | string | Your self-hosted Server URL, for example `https://my.bitwarden.server.com`. |

## Web app

For users of the web app, Bitwarden recommends using your endpoint, group policy, or mobile device management tool to set up a bookmark or desktop shortcut pointing to the appropriate web app URL (for example, `https://vault.bitwarden.eu` or your self-hosted server). Learn how to [deploy managed bookmarks using Google Admin Console](https://support.google.com/chrome/a/answer/10265060?hl=en#zippy=%2Cadd-a-bookmark).

--- URL: https://bitwarden.com/help/configure-push-relay/ ---

# Configure Push Relay

By default, your self-hosted Bitwarden server is configured to communicate with Bitwarden's push relay service (`https://push.bitwarden.com`). You can configure the server with your own push relay service, connect to the EU push relay service (`https://push.bitwarden.eu`) if you're using the [EU cloud](https://bitwarden.com/help/server-geographies/), or disable push relay entirely.

> [!WARNING] Disable Push Relay
> Disabling push relay will prevent **mobile apps** from receiving push notifications, which may impact:
>
> - The ability for the app to [automatically sync](https://bitwarden.com/help/vault-sync/#automatic-sync/).
Users will still be able to [manually sync](https://bitwarden.com/help/vault-sync/#manual-sync/).
> - The ability for the app to automatically log users out, which may be relevant when rotating an encryption key or during offboarding.
> - The ability for the app to automatically register that the user is revoked or removed from an organization, which may cause access to organization items to persist longer than intended.

For each self-hosted server that uses the Bitwarden push relay service, Bitwarden collects a record including a timestamp for the most recent connection to the service and the initiating server's installation ID.

## Disable push relay

To disable push relay for standard server installations:

1. Open `./bwdata/config.yml`.
2. Change the `push_notifications: true` attribute to `false`.
3. Run `./bitwarden.sh rebuild` to apply your changes.

To disable push relay for offline and manual server installations:

1. Open `./bwdata/env/global.override.env`.
2. Add the line `globalSettings__pushRelayBaseUri=` (the variable should be **blank**).
3. Restart Bitwarden to apply the changes.

--- URL: https://bitwarden.com/help/configure-sso-oidc/ ---

# Generic OIDC

## Step 1: Set an SSO identifier

Users who [authenticate their identity using SSO](https://bitwarden.com/help/using-sso/#login-using-sso/) will be required to enter an **SSO identifier** that indicates the organization (and therefore, the SSO integration) to authenticate against. To set a unique SSO Identifier:

1. Log in to the Bitwarden [web app](https://bitwarden.com/help/getting-started-webvault/) and open the Admin Console using the product switcher:

   ![Product switcher](https://bitwarden.com/assets/2uxBDdQa6lu0IgIEfcwMPP/e3de3361749b6496155e25edcfdcf08b/2024-12-02_11-19-56.png)
2.
   Navigate to **Settings** → **Single sign-on**, and enter a unique **SSO Identifier** for your organization:

   ![Enter an identifier ](https://bitwarden.com/assets/6pr4tqMnrLCvwDBMlba5x7/7ef7563f7017f58adffff5d15ac68512/2024-12-04_09-39-25.png)
3. Proceed to **Step 2: Enable login with SSO**.

> [!NOTE] Sharing organization identifier
> You will need to share this value with users once the configuration is ready to be used.

## Step 2: Enable login with SSO

Once you have your SSO identifier, you can proceed to enabling and configuring your integration. To enable login with SSO:

1. On the **Settings** → **Single sign-on** view, check the **Allow SSO authentication** checkbox:

   ![OIDC configuration](https://bitwarden.com/assets/51wSToXTHHVmBCrLrE8T0E/85aa432ea19eadf0195317f4f233e973/2024-12-04_09-41-46.png)
2. From the **Type** dropdown menu, select the **OpenID Connect** option. If you intend to use SAML instead, switch over to the [SAML Configuration guide](https://bitwarden.com/help/configure-sso-saml/).

> [!TIP] Self-hosting, use alternative Member Decryption Options.
> There are alternative **Member decryption options**. Learn how to get started using [SSO with trusted devices](https://bitwarden.com/help/about-trusted-devices/) or [Key Connector](https://bitwarden.com/help/about-key-connector/).

## Step 3: Configuration

From this point on, implementation will vary provider-to-provider. Jump to one of our specific **implementation guides** for help completing the configuration process:

| Provider | Guide |
|------|------|
| Azure | [Azure Implementation Guide](https://bitwarden.com/help/oidc-azure/) |
| Okta | [Okta Implementation Guide](https://bitwarden.com/help/oidc-okta/) |

### Configuration reference materials

The following sections will define fields available during single sign-on configuration, agnostic of which IdP you are integrating with. Fields that must be configured will be marked (**required**).

> [!NOTE] OpenID proficiency
> **Unless you are comfortable with OpenID Connect**, we recommend using one of the [above implementation guides](https://bitwarden.com/help/configure-sso-oidc/#step-3-configuration/) instead of the following generic material.

| **Field** | **Description** |
|------|------|
| Callback Path | (**Automatically generated**) The URL for authentication automatic redirect. For cloud-hosted customers, this is `https://sso.bitwarden.com/oidc-signin` or `https://sso.bitwarden.eu/oidc-signin`. For self-hosted instances, this is determined by your [configured server URL](https://bitwarden.com/help/install-on-premise/#configure-your-domain/), for example `https://your.domain.com/sso/oidc-signin`. |
| Signed Out Callback Path | (**Automatically generated**) The URL for sign-out automatic redirect. For cloud-hosted customers, this is `https://sso.bitwarden.com/oidc-signedout` or `https://sso.bitwarden.eu/oidc-signedout`. For self-hosted instances, this is determined by your [configured server URL](https://bitwarden.com/help/install-on-premise/#configure-your-domain/), for example `https://your.domain.com/sso/oidc-signedout`. |
| Authority | (**Required**) The URL of your authorization server ("Authority"), which Bitwarden will perform authentication against. For example, `https://your.domain.okta.com/oauth2/default` or `https://login.microsoft.com//v2.0`. |
| Client ID | (**Required**) An identifier for the OIDC client. This value is typically specific to a constructed IdP app integration, for example an [Azure app registration](https://bitwarden.com/help/oidc-azure/) or [Okta web app](https://bitwarden.com/help/oidc-okta/). |
| Client Secret | (**Required**) The client secret used in conjunction with the client ID to exchange for an access token. This value is typically specific to a constructed IdP app integration, for example an [Azure app registration](https://bitwarden.com/help/oidc-azure/) or [Okta Web App](https://bitwarden.com/help/oidc-okta/). |
| Metadata Address | (**Required if Authority is not valid**) A Metadata URL where Bitwarden can access authorization server metadata as a JSON object. For example, `https://your.domain.okta.com/oauth2/default/.well-known/oauth-authorization-server` |
| OIDC Redirect Behavior | (**Required**) Method used by the IdP to respond to authentication requests from Bitwarden. Options include **Form POST** and **Redirect GET**. |
| Get claims from user info endpoint | Enable this option if you receive URL too long errors (HTTP 414), truncated URLs, and/or failures during SSO. |
| Additional/custom scopes | Define custom scopes to be added to the request (comma-delimited). |
| Additional/custom user id claim types | Define custom claim type keys for user identification (comma-delimited). When defined, custom claim types are searched for before falling back on standard types. |
| Additional/custom email claim types | Define custom claim type keys for users' email addresses (comma-delimited). When defined, custom claim types are searched for before falling back on standard types. |
| Additional/custom name claim types | Define custom claim type keys for users' full names or display names (comma-delimited). When defined, custom claim types are searched for before falling back on standard types. |
| Requested authentication context class reference values | Define authentication context class reference identifiers (`acr_values`) (space-delimited). List `acr_values` in preference-order. |
| Expected "acr" Claim Value in Response | Define the `acr` claim value for Bitwarden to expect and validate in the response. |

### OIDC attributes & claims

An **email address is required for account provisioning**, which can be passed as any of the attributes or claims in the below table.
A unique user identifier is also highly recommended. If absent, email will be used in its place to link the user. Attributes/claims are listed in order of preference for matching, including fallbacks where applicable: | **Value** | **Claim/Attribute** | **Fallback claim/attribute** | |------|------|------| | Unique ID | Configured Custom User ID Claims NameID (when not transient) urn:oid:0.9.2342.19200300.100.1.1 Sub UID UPN EPPN | | | Email | Configured Custom Email Claims Email http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress urn:oid:0.9.2342.19200300.100.1.3 Mail EmailAddress | Preferred_Username Urn:oid:0.9.2342.19200300.100.1.1 UID | | Name | Configured Custom Name Claims Name http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name urn:oid:2.16.840.1.113730.3.1.241 urn:oid:2.5.4.3 DisplayName CN | First Name + “ “ + Last Name (see below) | | First Name | urn:oid:2.5.4.42 GivenName FirstName FN FName Nickname | | | Last Name | urn:oid:2.5.4.4 SN Surname LastName | | --- URL: https://bitwarden.com/help/configure-sso-saml/ --- # Generic SAML ## Step 1: Set an SSO identifier Users who [authenticate their identity using SSO](https://bitwarden.com/help/using-sso/#login-using-sso/) will be required to enter an **SSO identifier** that indicates the organization (and therefore, the SSO integration) to authenticate against. To set a unique SSO Identifier: 1. Log in to the Bitwarden [web app](https://bitwarden.com/help/getting-started-webvault/) and open the Admin Console using the product switcher: ![Product switcher](https://bitwarden.com/assets/2uxBDdQa6lu0IgIEfcwMPP/e3de3361749b6496155e25edcfdcf08b/2024-12-02_11-19-56.png) 2. Navigate to **Settings** → **Single sign-on**, and enter a unique **SSO Identifier** for your organization: ![Enter an identifier ](https://bitwarden.com/assets/6pr4tqMnrLCvwDBMlba5x7/7ef7563f7017f58adffff5d15ac68512/2024-12-04_09-39-25.png) 3. Proceed to **Step 2: Enable login with SSO**. 

> [!NOTE] Sharing organization identifier
> You will need to share this value with users once the configuration is ready to be used.

## Step 2: Enable login with SSO

Once you have your SSO identifier, you can proceed to enabling and configuring your integration. To enable login with SSO:

1. On the **Settings** → **Single sign-on** view, check the **Allow SSO authentication** checkbox:

   ![SAML 2.0 configuration ](https://bitwarden.com/assets/20720mRAluo6crSdTiYJrn/1175889d7f6ab42fe7614f34cdd1dcdd/2024-12-04_09-41-15.png)
2. From the **Type** dropdown menu, select the **SAML 2.0** option. If you intend to use OIDC instead, switch over to the [OIDC Configuration Guide](https://bitwarden.com/help/configure-sso-oidc/).

You can turn off the **Set a unique SP entity ID** option at this stage if you wish. Doing so will remove your organization ID from your SP entity ID value; however, in almost all cases it is recommended to leave this option on.

> [!TIP] Self-hosting, use alternative Member Decryption Options.
> There are alternative **Member decryption options**. Learn how to get started using [SSO with trusted devices](https://bitwarden.com/help/about-trusted-devices/) or [Key Connector](https://bitwarden.com/help/about-key-connector/).

## Step 3: Configuration

From this point on, implementation will vary provider-to-provider.
Jump to one of our specific **implementation guides** for help completing the configuration process:

| **Provider** | **Guide** |
|------|------|
| AD FS | [AD FS Implementation Guide](https://bitwarden.com/help/saml-adfs/) |
| Auth0 | [Auth0 Implementation Guide](https://bitwarden.com/help/saml-auth0/) |
| AWS | [AWS Implementation Guide](https://bitwarden.com/help/saml-aws/) |
| Azure | [Azure Implementation Guide](https://bitwarden.com/help/saml-azure/) |
| Duo | [Duo Implementation Guide](https://bitwarden.com/help/saml-duo/) |
| Google | [Google Implementation Guide](https://bitwarden.com/help/saml-google/) |
| JumpCloud | [JumpCloud Implementation Guide](https://bitwarden.com/help/saml-jumpcloud/) |
| Keycloak | [Keycloak Implementation Guide](https://bitwarden.com/help/saml-keycloak/) |
| Okta | [Okta Implementation Guide](https://bitwarden.com/help/saml-okta/) |
| OneLogin | [OneLogin Implementation Guide](https://bitwarden.com/help/saml-onelogin/) |
| PingFederate | [PingFederate Implementation Guide](https://bitwarden.com/help/saml-pingfederate/) |

The following sections will define fields available during single sign-on configuration, agnostic of which IdP you are integrating with. Fields that must be configured will be marked (**required**).

> [!NOTE] SAML confidence
> **Unless you are comfortable with SAML 2.0**, we recommend using one of the [above implementation guides](https://bitwarden.com/help/configure-sso-saml/#step-3-configuration/) instead of the following generic material.

The single sign-on screen separates configuration into two sections:

- **SAML Service Provider Configuration** will determine the format of SAML requests.
- **SAML Identity Provider Configuration** will determine the format to expect for SAML responses.

### Service Provider Configuration

| **Field** | **Description** |
|------|------|
| SP Entity ID | (**Automatically generated**) The Bitwarden endpoint for authentication requests. This automatically-generated value can be copied from the organization's **Settings** → **Single sign-on** screen and will vary based on your setup. |
| SAML 2.0 Metadata URL | (**Automatically generated**) Metadata URL for the Bitwarden endpoint. This automatically-generated value can be copied from the organization's **Settings** → **Single sign-on** screen and will vary based on your setup. |
| Assertion Consumer Service (ACS) URL | (**Automatically generated**) Location where the SAML assertion is sent from the IdP. This automatically-generated value can be copied from the organization's **Settings** → **Single sign-on** screen and will vary based on your setup. |
| Name ID Format | Format Bitwarden will request of the SAML assertion. Must be cast as a string. Options include:<br>- Unspecified (default)<br>- Email address<br>- X.509 Subject name<br>- Windows Domain Qualified Name<br>- Kerberos Principal Name<br>- Entity identifier<br>- Persistent<br>- Transient |
| Outbound Signing Algorithm | The algorithm Bitwarden will use to sign SAML requests. Options include:<br>- `http://www.w3.org/2001/04/xmldsig-more#rsa-sha256` (default)<br>- `http://www.w3.org/2000/09/xmldsig#rsa-sha384`<br>- `http://www.w3.org/2000/09/xmldsig#rsa-sha512` |
| Signing Behavior | Whether/when SAML requests will be signed. Options include:<br>- If IdP wants authn requests signed (default)<br>- Always<br>- Never |
| Minimum Incoming Signing Algorithm | Minimum strength of the algorithm that Bitwarden will accept in SAML responses. |
| Expect signed assertions | Check this checkbox if Bitwarden should expect responses from the IdP to be signed. |
| Validate certificates | Check this box when using trusted and valid certificates from your IdP through a trusted CA. Self-signed certificates may fail unless proper trust chains are configured within the Bitwarden login with SSO docker image. |

### Identity Provider Configuration

| **Field** | **Description** |
|------|------|
| Entity ID | (**Required**) Address or URL of your identity server or the IdP Entity ID. This field is case sensitive and must match the IdP value exactly. |
| Binding Type | Method used by the IdP to respond to Bitwarden SAML requests. Options include:<br>- Redirect (recommended)<br>- HTTP POST |
| Single Sign On Service URL | (**Required if Entity ID is not a URL**) SSO URL issued by your IdP. |
| Single log out service URL | Login with SSO currently **does not** support SLO. This option is planned for future use, however we strongly recommend pre-configuring this field. |
| X509 Public Certificate | (**Required**) The X.509 Base-64 encoded certificate body. Do not include the `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----` lines or portions of the CER/PEM formatted certificate. The certificate value is case sensitive; extra spaces, carriage returns, and other extraneous characters inside this field will cause certificate validation failure. Copy **only** the certificate data into this field. |
| Outbound Signing Algorithm | The algorithm your IdP will use to sign SAML responses/assertions. Options include:<br>- `http://www.w3.org/2001/04/xmldsig-more#rsa-sha256` (default)<br>- `http://www.w3.org/2000/09/xmldsig#rsa-sha384`<br>- `http://www.w3.org/2000/09/xmldsig#rsa-sha512` |
| Allow outbound logout requests | Login with SSO currently **does not** support SLO. This option is planned for future use, however we strongly recommend pre-configuring this field. |
| Sign authentication requests | Check this checkbox if your IdP should expect SAML requests from Bitwarden to be signed. |

> [!NOTE] X509 cert expiration
> When completing the X509 certificate, take note of the expiration date. Certificates will have to be renewed in order to prevent any disruptions in service to SSO end users.
If a certificate has expired, Admin and Owner accounts will always be able to log in with email address and master password.

### SAML attributes & claims

An **email address is required for account provisioning**, which can be passed as any of the attributes or claims in the following table.

A unique user identifier is also highly recommended. If absent, email will be used in its place to link the user.

Attributes/claims are listed in order of preference for matching, including fallbacks where applicable:

| **Value** | **Claim/Attribute** | **Fallback claim/attribute** |
|------|------|------|
| Unique ID | NameID (when not transient)<br>urn:oid:0.9.2342.19200300.100.1.1<br>Sub<br>UID<br>UPN<br>EPPN | |
| Email | Email<br>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress<br>urn:oid:0.9.2342.19200300.100.1.3<br>Mail<br>EmailAddress | Preferred_Username<br>Urn:oid:0.9.2342.19200300.100.1.1<br>UID |
| Name | Name<br>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name<br>urn:oid:2.16.840.1.113730.3.1.241<br>urn:oid:2.5.4.3<br>DisplayName<br>CN | First Name + “ “ + Last Name (see below) |
| First Name | urn:oid:2.5.4.42<br>GivenName<br>FirstName<br>FN<br>FName<br>Nickname | |
| Last Name | urn:oid:2.5.4.4<br>SN<br>Surname<br>LastName | |

--- URL: https://bitwarden.com/help/courses/ ---

# Courses

Get started with Bitwarden through bite-sized courses. Whether you're deploying Bitwarden to your entire organization, setting it up for your family, or just getting started as an individual, these courses have you covered.
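
Returning to the attributes & claims tables in the OIDC and SAML configuration guides above: the following is an added example, not Bitwarden's code, that models the documented preference order so an admin can predict which IdP value ends up as unique ID, email, and name, and can spot logins that would be linked by email only. The `resolve` function, the assertion dict layout, case-insensitive claim-name matching, and joining whichever of first/last name is present are assumptions; the sample assertions are constructed.

```python
"""Model of the documented attribute/claim preference order (added example)."""

TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"

# Preference order as listed in the attributes & claims tables.
UNIQUE_ID = ["NameID", "urn:oid:0.9.2342.19200300.100.1.1", "Sub", "UID", "UPN", "EPPN"]
EMAIL = [
    "Email",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "urn:oid:0.9.2342.19200300.100.1.3",
    "Mail",
    "EmailAddress",
]
EMAIL_FALLBACK = ["Preferred_Username", "urn:oid:0.9.2342.19200300.100.1.1", "UID"]
NAME = [
    "Name",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
    "urn:oid:2.16.840.1.113730.3.1.241",
    "urn:oid:2.5.4.3",
    "DisplayName",
    "CN",
]
FIRST_NAME = ["urn:oid:2.5.4.42", "GivenName", "FirstName", "FN", "FName", "Nickname"]
LAST_NAME = ["urn:oid:2.5.4.4", "SN", "Surname", "LastName"]


def _pick(attrs, names):
    """Return (claim name, value) for the first listed claim with a non-empty value."""
    for name in names:
        value = (attrs.get(name.lower()) or "").strip()
        if value:
            return name, value
    return None, None


def resolve(assertion, custom_id=(), custom_email=(), custom_name=()):
    """Predict the values matched for one login.

    `assertion` is a hypothetical dict with optional "name_id" and
    "name_id_format" keys (SAML) and an "attributes" dict of claim -> string.
    The custom_* lists model the "Additional/custom ... claim types" fields,
    which are searched before the standard types.
    """
    # Assumption: claim names are compared case-insensitively.
    attrs = {k.lower(): v for k, v in assertion.get("attributes", {}).items()}
    # "NameID (when not transient)": a transient NameID is skipped.
    if assertion.get("name_id") and assertion.get("name_id_format") != TRANSIENT:
        attrs["nameid"] = assertion["name_id"]
    warnings = []

    email_src, email = _pick(attrs, list(custom_email) + EMAIL)
    if email is None:
        email_src, email = _pick(attrs, EMAIL_FALLBACK)
        if email is not None:
            warnings.append(f"email taken from fallback claim {email_src}")
    if email is None:
        raise ValueError("no email claim released: account provisioning needs one")

    id_src, unique_id = _pick(attrs, list(custom_id) + UNIQUE_ID)
    if unique_id is None:
        # Documented behaviour: email is used in place of a unique ID.
        id_src, unique_id = "email", email
        warnings.append("no unique ID claim: user is linked by email address")

    _, name = _pick(attrs, list(custom_name) + NAME)
    if name is None:
        parts = [_pick(attrs, FIRST_NAME)[1], _pick(attrs, LAST_NAME)[1]]
        name = " ".join(p for p in parts if p) or None

    return {
        "unique_id": unique_id,
        "unique_id_source": id_src,
        "email": email,
        "email_source": email_src,
        "name": name,
        "warnings": warnings,
    }


# Constructed sample: SAML assertion with a transient NameID and no other ID claim.
SAMPLE_TRANSIENT = {
    "name_id": "_f3a9c1d2",
    "name_id_format": TRANSIENT,
    "attributes": {"mail": "ada@example.com", "givenName": "Ada", "sn": "Lovelace"},
}
# Constructed sample: SAML assertion with a persistent NameID.
SAMPLE_PERSISTENT = {
    "name_id": "a1b2c3d4",
    "name_id_format": "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
    "attributes": {"Email": "ada@example.com", "uid": "ada", "displayName": "Ada L."},
}
# Constructed sample: OIDC claims; "employee_id" is a made-up custom claim.
SAMPLE_OIDC = {
    "attributes": {
        "sub": "00u1example",
        "preferred_username": "ada@example.com",
        "employee_id": "E-42",
    },
}

if __name__ == "__main__":
    for sample in (SAMPLE_TRANSIENT, SAMPLE_PERSISTENT, SAMPLE_OIDC):
        print(resolve(sample))
```

Run it against the attributes your IdP actually releases (for example, copied from a test assertion) before enabling SSO; a "linked by email" warning means the IdP is not sending any of the unique ID claims the tables list.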

### Password Manager

- [Personal User](https://bitwarden.com/help/courses/password-manager-personal)
- [Admin](https://bitwarden.com/help/courses/password-manager-admin)
- [Team Member](https://bitwarden.com/help/courses/password-manager-team-member)
- [Reseller or MSP](https://bitwarden.com/help/courses/password-manager-partner)

### Beyond password management

- [Secrets Manager](https://bitwarden.com/help/courses/secrets-manager)
- [Passwordless.dev](https://bitwarden.com/help/courses/passwordless-dev)

--- URL: https://bitwarden.com/help/courses/bitwarden-for-business-admins/ ---

# Bitwarden for Business Admins

This article is designed to introduce Bitwarden administrators to all the features and functionality available with Teams and Enterprise business plans. Follow these video guides and discover key steps for security success. Learn what is available with your plan, how to import passwords from an existing solution, share items across the organization, recover a user’s account, and other topics important to your implementation.

## Bitwarden Teams & Enterprise demo

[![Vimeo Video](https://vumbnail.com/734127077.jpg)](https://vimeo.com/734127077)

*[Watch on Vimeo](https://vimeo.com/734127077)*

**Video Chapters:**

Learn more about available Bitwarden plans [here](https://bitwarden.com/help/password-manager-plans/), or jump to the following points in the video to learn more about specific topics:

- **0:19**: Why Bitwarden?
- **0:49**: Zero-knowledge encryption at Bitwarden.
- **2:14**: Bitwarden server hosting and client app options.
- **3:20**: End-user experience.
- **3:22**: Sign in to Bitwarden.
- **3:52**: Autofill from Bitwarden
- **4:18**: Types of vault items.
- **5:16**: Individual and organization vaults.
- **6:01**: Customize your vaults.
- **6:56**: Import data to Bitwarden.
- **7:21**: Create a new login.
- **8:30**: Use Bitwarden Send.
- **9:26**: Sponsored Bitwarden Families plans.
- **10:27**: Administrator experience.
- **10:42**: Onboard users.
- **14:02**: Use groups to assign permissions.
- **14:38**: Share items using collections.
- **15:18**: User succession.
- **15:52**: Import data as an admin.
- **16:09**: Configure enterprise policies.
- **17:17**: Analyze vault health reports.
- **17:41**: Analyze event logs.

## How to verify your domain for enterprise SSO

> [!TIP] Only available for Enterprise
> This feature is only available for [Enterprise organizations](https://bitwarden.com/help/password-manager-plans/).

[![Vimeo Video](https://vumbnail.com/808093301.jpg)](https://vimeo.com/808093301)

*[Watch on Vimeo](https://vimeo.com/808093301)*

Learn more about domain verification [here](https://bitwarden.com/help/claimed-domains/), or jump to the following points in the video to learn more about specific topics:

- **0:20**: Activate domain verification.
- **1:00**: How Bitwarden verifies a domain.

## Single Sign-on with Trusted Devices

> [!TIP] Only available for Enterprise
> This feature is only available for [Enterprise organizations](https://bitwarden.com/help/password-manager-plans/).

[![Vimeo Video](https://vumbnail.com/1075687841.jpg)](https://vimeo.com/1075687841)

*[Watch on Vimeo](https://vimeo.com/1075687841)*

**Video Chapters:**

Learn more about how users will experience the SSO Login workflow when the Enterprise Organization is configured for [SSO with Trusted Device Encryption](https://bitwarden.com/help/about-trusted-devices/) or jump to the following topics:

- **0:10**: Introduction to SSO Login with Trusted Devices
- **0:40**: Start the SSO login process
- **1:10**: Approve login from another device

## Redeeming your free Families plan

> [!TIP] Only available for Enterprise
> This feature is only available for [Enterprise organizations](https://bitwarden.com/help/password-manager-plans/).

[![Vimeo Video](https://vumbnail.com/828094070.jpg)](https://vimeo.com/828094070)

*[Watch on Vimeo](https://vimeo.com/828094070)*

**Video Chapters:**

Learn more about Enterprise-sponsored Families organizations [here](https://bitwarden.com/help/families-for-enterprise/), or jump to the following points in the video to learn more about specific topics:

- **0:14**: About sponsored Families plans.
- **0:35**: Redeem a sponsored Families plan.

--- URL: https://bitwarden.com/help/courses/password-manager-admin/ ---

# Admin

Your biggest impact as an admin comes from making Bitwarden easy for others to adopt. This course covers setup, smart policies, and onboarding strategies that turn password security into a daily habit, whether you're managing an enterprise, a small team, or just sharing with family.

### Enterprise

> [!NOTE] Enterprise Admin course callout
> You can also [watch a demo](https://bitwarden.com/help/courses/password-manager-admin/#enterprise-admin-demo/), join a public [training session](https://bitwarden.com/events/tag/demo/) or check out helpful [onboarding resources](https://bitwarden.com/help/courses/password-manager-admin/#enterprise-admin-resources/).
>
> The first few steps in the document assume you're going to create an organization.
If you're joining an existing organization, skip down to **Or join an existing organization**.

## Get started

### Sign up for Bitwarden (2 min)

Bitwarden offers free accounts with no limits to the number of devices or number of logins you can use. [Get started today](https://bitwarden.com/go/start-free/).

### Your master password

During sign-up, you'll create a master password for logging in to Bitwarden. It's important that your master password is:

- **Memorable**: Bitwarden employees and systems have **no** knowledge of, way to retrieve, or way to reset your master password. **Do not forget your master password!**
- **Strong**: A longer, more complex, and less common password is the best way to protect your account. Bitwarden provides a free [password strength testing tool](https://bitwarden.com/password-strength/) to test the strength of some memorable passwords you are considering.

![Set a master password](https://bitwarden.com/assets/2pST1WXY0Xk7GQ4GpwzELn/59b88f130a5d65b51c75bbe3a742a702/2024-12-02_10-20-39.png)

### Create an organization (2 min)

[Create your organization](https://bitwarden.com/help/about-organizations/#create-an-organization/) today by selecting the **New organization** button in the Bitwarden web app:

![New organization](https://bitwarden.com/assets/3eSqWiTIuPSFxXdo5AAjT9/248b0fa7bb381add0d71682acd244a63/2024-12-03_13-57-58.png)

### Or join an existing organization (1 min)

If your organization has already been created, ask the IT team at your company or your manager for information on how you're expected to join Bitwarden. Some organizations send email invitations to your work inbox, others will allow you to enroll by simply logging in with your single sign-on (SSO) account.

### Get to know the Admin Console (2 min)

Once created, you'll land in the Admin Console, which is the central hub for all things sharing and organization administration.
As the organization owner, you'll be able to see your **Vault** items and [collections](https://bitwarden.com/help/getting-started-organizations/#get-to-know-collections/), to manage **Members**, run **Reports**, change **Billing** settings, and configure other organization **Settings**:

![Free organization Admin Console](https://bitwarden.com/assets/hzBuypc5ISzqC3jUmYbea/edcb03ce3d3071cea4f9afb6c7f8eca9/2024-12-03_13-46-09.png)

### Managing vault items and collections (3 min)

As an owner or admin, you might be responsible for managing access to **vault items**, like shared credentials, for your company or team. You can create items directly from the web app and assign them to collections in order to share them with your team:

![Assign to collections in bulk](https://bitwarden.com/assets/1u6EPNgAlCnvC9DcmUIosQ/327c0c24e09dce687540499a8eaa5aac/2024-12-02_15-47-21.png)

Speaking of [**collections**](https://bitwarden.com/help/about-collections/), they're an important construct for grouping together related logins, notes, cards, and identities for secure sharing with your organization:

- Organizations can define access to collections, allowing users or groups to access only the items they need.
- Items stored in an organization's collection(s) do not belong to any individual user, but rather to the organization.
- Organization-owned items **must** be included in at least one collection.

> [!TIP] Items can also be imported
> Data can also be imported directly to your organization! Learn how [here](https://bitwarden.com/help/import-to-org/#import-to-your-organization/).

### Managing members and groups (2 min)

As an owner or admin, you might be responsible for managing members of your team or your company more broadly. Members can be added to your organization:

- Directly from the Admin Console's **Members** page ([learn more](https://bitwarden.com/help/managing-users/#invite/)).
- By integrating Bitwarden with your IdP using SCIM ([learn more](https://bitwarden.com/help/about-scim/)).
- By integrating Bitwarden with your directory service using Directory Connector ([learn more](https://bitwarden.com/help/directory-sync/)).

Members can be assigned directly to collections in order to regulate what vault data they have access to, but so can [**groups**](https://bitwarden.com/help/about-groups/). Groups relate together individual members and provide a scalable way to assign access to and permissions for specific collections:

![New group ](https://bitwarden.com/assets/FefJG4qBRiWkTzsxBKfm6/53093b4dd48e534cdde9f3e249d3c382/2024-12-03_14-22-27.png)

### Policies, integrations, and more (2 min)

Enterprise Bitwarden organizations provide powerful tools for improving your online security and integrating with existing workflows and tools. Some other things you might manage as an administrator of your organization include:

- Setting up [policies](https://bitwarden.com/help/policies/) to enforce security rules for users, for example mandating use of two-step login.
- Auditing what credentials [organization members have access to](https://bitwarden.com/help/reports/#member-access/).
- Integrating Bitwarden with your existing [SSO](https://bitwarden.com/help/about-sso/) workflow.
- [Verifying your organization's domain](https://bitwarden.com/help/claimed-domains/) for a seamless login experience.
- [Setting up](https://bitwarden.com/help/setup-sso-with-trusted-devices/) a system for, or [approving](https://bitwarden.com/help/approve-a-trusted-device/), device trust requirements for members.
- Integrating Bitwarden with your existing SIEM tool, like [Microsoft Sentinel](https://bitwarden.com/help/microsoft-sentinel-siem/).

### SSO with Trusted Devices workflow (2 min)

[![Vimeo Video](https://vumbnail.com/1075687841.jpg)](https://vimeo.com/1075687841)

*[Watch on Vimeo](https://vimeo.com/1075687841)*

**Video Chapters:**

Learn more about how users will experience the SSO Login workflow when the Enterprise Organization is configured for [SSO with Trusted Device Encryption](https://learning-center-update.bw-web.dev/help/about-trusted-devices/).

### Claim your domain (2 min)

[![Vimeo Video](https://vumbnail.com/808093301.jpg)](https://vimeo.com/808093301)

*[Watch on Vimeo](https://vimeo.com/808093301)*

Learn more about domain verification [here](https://learning-center-update.bw-web.dev/help/claimed-domains/).

### Redeeming your free Families plan (2 min)

[![Vimeo Video](https://vumbnail.com/828094070.jpg)](https://vimeo.com/828094070)

*[Watch on Vimeo](https://vimeo.com/828094070)*

**Video Chapters:**

Learn more about Enterprise-sponsored Families organizations [here](https://learning-center-update.bw-web.dev/help/families-for-enterprise/).

## Watch a demo

### Enterprise Demo (20 min)

[![Vimeo Video](https://vumbnail.com/734127077.jpg)](https://vimeo.com/734127077)

*[Watch on Vimeo](https://vimeo.com/734127077)*

**Video Chapters:**

Learn more about available Bitwarden plans [here](https://learning-center-update.bw-web.dev/help/password-manager-plans/).

## Onboarding Resources

### Customer Success Hub

This resource hub provides IT and security leaders with a proven path to password security success, offering a curated set of guides, checklists, resources, and milestones.

### Onboarding Playbook

This playbook provides IT administrators with a flexible roadmap for onboarding users to Bitwarden Password Manager across five key phases. While the phases are presented in sequence, they're not strictly linear. Many steps can happen in parallel based on your team's needs and timeline.

### Customer Activation Kit

This comprehensive toolkit provides everything admins and IT teams need to build excitement, communicate password security benefits, and turn your end users into security champions. Whether you're rolling out to a small team or enterprise-wide deployment, these resources support successful adoption at any scale.

### Member Signup Workflows

This document should be used to provide instructions to your users for signing up for the organization. There are a number of different factors that will impact the exact steps your users will need to take. Use this decision tree to help pick the correct option for your organization's users.

### Teams

> [!TIP] Teams course
> You can also [watch a demo](https://bitwarden.com/help/courses/password-manager-admin/#teams-admin-demo/), join a public [training session](https://bitwarden.com/events/tag/demo/) or check out helpful [onboarding resources](https://bitwarden.com/help/courses/password-manager-admin/#teams-admin-resources/).
>
> The first few steps in the document assume you're going to create an organization. If you're joining an existing organization, skip down to **Or join an existing organization**.

## Get started

### Sign up for Bitwarden (2 min)

Bitwarden offers free accounts with no limits to the number of devices or number of logins you can use. [Get started today](https://bitwarden.com/go/start-free/).

### Your master password

During sign-up, you'll create a master password for logging in to Bitwarden. It's important that your master password is:

- **Memorable**: Bitwarden employees and systems have **no** knowledge of, way to retrieve, or way to reset your master password. **Do not forget your master password!**
- **Strong**: A longer, more complex, and less common password is the best way to protect your account.
Bitwarden provides a free [password strength testing tool](https://bitwarden.com/password-strength/) to test the strength of some memorable passwords you are considering.

![Set a master password](https://bitwarden.com/assets/2pST1WXY0Xk7GQ4GpwzELn/59b88f130a5d65b51c75bbe3a742a702/2024-12-02_10-20-39.png)

### Create an organization (2 min)

[Create your organization](https://bitwarden.com/help/about-organizations/#create-an-organization/) today by selecting the **New organization** button in the Bitwarden web app:

![New organization](https://bitwarden.com/assets/3eSqWiTIuPSFxXdo5AAjT9/248b0fa7bb381add0d71682acd244a63/2024-12-03_13-57-58.png)

### Or join an existing organization (1 min)

If your organization has already been created, ask the other member of your organization to send you an invite.

### Get to know the Admin Console (2 min)

Once created, you'll land in the Admin Console, which is the central hub for all things sharing and organization administration. As the organization owner, you'll be able to see your **Vault** items and [collections](https://bitwarden.com/help/getting-started-organizations/#get-to-know-collections/), to manage **Members**, run **Reports**, change **Billing** settings, and configure other organization **Settings**:

![Free organization Admin Console](https://bitwarden.com/assets/hzBuypc5ISzqC3jUmYbea/edcb03ce3d3071cea4f9afb6c7f8eca9/2024-12-03_13-46-09.png)

### Managing vault items and collections (3 min)

As an owner or admin, you might be responsible for managing access to **vault items**, like shared credentials, for your company or team.
You can create items directly from the web app and assign them to collections in order to share them with your team:

![Assign to collections in bulk](https://bitwarden.com/assets/1u6EPNgAlCnvC9DcmUIosQ/327c0c24e09dce687540499a8eaa5aac/2024-12-02_15-47-21.png)

Speaking of [**collections**](https://bitwarden.com/help/about-collections/), they're an important construct for grouping together related logins, notes, cards, and identities for secure sharing with your organization:

- Organizations can define access to collections, allowing users or groups to access only the items they need.
- Items stored in an organization's collection(s) do not belong to any individual user, but rather to the organization.
- Organization-owned items **must** be included in at least one collection.

> [!TIP] Items can also be imported
> Data can also be imported directly to your organization! Learn how [here](https://bitwarden.com/help/import-to-org/#import-to-your-organization/).

### Managing members and groups (2 min)

As an owner or admin, you might be responsible for managing members of your team or your company more broadly. Members can be added to your organization:

- Directly from the Admin Console's **Members** page ([learn more](https://bitwarden.com/help/managing-users/#invite/)).
- By integrating Bitwarden with your IdP using SCIM ([learn more](https://bitwarden.com/help/about-scim/)).
- By integrating Bitwarden with your directory service using Directory Connector ([learn more](https://bitwarden.com/help/directory-sync/)).

Members can be assigned directly to collections in order to regulate what vault data they have access to, but so can [**groups**](https://bitwarden.com/help/about-groups/).
Groups relate together individual members and provide a scalable way to assign access to and permissions for specific collections:

![New group ](https://bitwarden.com/assets/FefJG4qBRiWkTzsxBKfm6/53093b4dd48e534cdde9f3e249d3c382/2024-12-03_14-22-27.png)

### Integrations and more (1 min)

Teams Bitwarden organizations provide powerful tools for improving your online security and integrating with existing workflows and tools. Some other things you might manage as an administrator of your organization include:

- Auditing what credentials [organization members have access to](https://bitwarden.com/help/reports/#member-access/).
- Integrating Bitwarden with your existing SIEM tool, like [Microsoft Sentinel](https://bitwarden.com/help/microsoft-sentinel-siem/).

## Watch a demo

### Teams & Enterprise Demo (20 min)

> [!NOTE] Teams Demo - Warning
> Please note, some features require the Enterprise plan. For more information, [compare business features and plans](https://bitwarden.com/pricing/business/).

[![Vimeo Video](https://vumbnail.com/734127077.jpg)](https://vimeo.com/734127077)

*[Watch on Vimeo](https://vimeo.com/734127077)*

**Video Chapters:**

Learn more about available Bitwarden plans [here](https://learning-center-update.bw-web.dev/help/password-manager-plans/).

## Onboarding Resources

### Customer Success Hub

This resource hub provides IT and security leaders with a proven path to password security success, offering a curated set of guides, checklists, resources, and milestones.

### Onboarding Playbook

This playbook provides IT administrators with a flexible roadmap for onboarding users to Bitwarden Password Manager across five key phases. While the phases are presented in sequence, they're not strictly linear. Many steps can happen in parallel based on your team's needs and timeline.

### Customer Activation Kit

This comprehensive toolkit provides everything admins and IT teams need to build excitement, communicate password security benefits, and turn your end users into security champions. Whether you're rolling out to a small team or enterprise-wide deployment, these resources support successful adoption at any scale.

### Member Signup Workflows

This document should be used to provide instructions to your users for signing up for the organization. There are a number of different factors that will impact the exact steps your users will need to take. Use this decision tree to help pick the correct option for your organization's users.

### Families

## Get started

### Sign up for Bitwarden (2 min)

Bitwarden offers free accounts with no limits to the number of devices or number of logins you can use. [Get started today](https://bitwarden.com/go/start-free/).

### Your master password

During sign-up, you'll create a master password for logging in to Bitwarden. It's important that your master password is:

- **Memorable**: Bitwarden employees and systems have **no** knowledge of, way to retrieve, or way to reset your master password. **Do not forget your master password!**
- **Strong**: A longer, more complex, and less common password is the best way to protect your account. Bitwarden provides a free [password strength testing tool](https://bitwarden.com/password-strength/) to test the strength of some memorable passwords you are considering.

![Set a master password](https://bitwarden.com/assets/2pST1WXY0Xk7GQ4GpwzELn/59b88f130a5d65b51c75bbe3a742a702/2024-12-02_10-20-39.png)

### Create an organization (2 min)

[Create your organization](https://bitwarden.com/help/about-organizations/#create-an-organization/) today by selecting the **New organization** button in the Bitwarden web app:

![New organization](https://bitwarden.com/assets/3eSqWiTIuPSFxXdo5AAjT9/248b0fa7bb381add0d71682acd244a63/2024-12-03_13-57-58.png)

### Or join an existing organization (1 min)

If your organization has already been created, ask the other member of your organization to send you an invite.

### Get to know the Admin Console (2 min)

Once created, you'll land in the Admin Console, which is the central hub for all things sharing and organization administration. As the organization owner, you'll be able to see your **Vault** items and [collections](https://bitwarden.com/help/getting-started-organizations/#get-to-know-collections/), to manage **Members**, run **Reports**, change **Billing** settings, and configure other organization **Settings**:

![Free organization Admin Console](https://bitwarden.com/assets/hzBuypc5ISzqC3jUmYbea/edcb03ce3d3071cea4f9afb6c7f8eca9/2024-12-03_13-46-09.png)

### Managing vault items and collections (3 min)

As an owner or admin, you might be responsible for managing access to **vault items**, like shared credentials, for your family. You can create items directly from the web app and assign them to collections in order to share them with your family:

![Assign to collections in bulk](https://bitwarden.com/assets/1u6EPNgAlCnvC9DcmUIosQ/327c0c24e09dce687540499a8eaa5aac/2024-12-02_15-47-21.png)

Speaking of [**collections**](https://bitwarden.com/help/about-collections/), they're an important construct for grouping together related logins, notes, cards, and identities for secure sharing with your organization:

- Organizations can define access to collections, allowing users to access only the items they need.
- Items stored in an organization's collection(s) do not belong to any individual user, but rather to the organization.
- Organization-owned items **must** be included in at least one collection.

> [!TIP] Items can also be imported
> Data can also be imported directly to your organization! Learn how [here](https://bitwarden.com/help/import-to-org/#import-to-your-organization/).

### Managing members and groups (2 min)

As an owner or admin, you might be responsible for managing members of your family more broadly. Members can be added to your organization directly from the Admin Console's **Members** page ([learn more](https://bitwarden.com/help/managing-users/#invite/)):

![Invite member to an organization](https://bitwarden.com/assets/7AJjR4oqEnCH3A89YYoWpH/a4bd30d71a74ead44e13768dab8c5dff/2024-12-03_14-02-20.png)

### Help your family stay protected (3 min)

Now that you're set up to securely share data with your family through Bitwarden, consider some other ways of making sure your loved ones stay safe online:

- Help your family set up [two-step login](https://bitwarden.com/help/setup-two-step-login/) to protect their Bitwarden accounts.
- Help your family set up [emergency access](https://bitwarden.com/help/emergency-access/) so important data can be accessed in cases of emergency.

### Free

## Get started

### Sign up for Bitwarden (2 min)

Bitwarden offers free accounts with no limits to the number of devices or number of logins you can use. [Get started today](https://bitwarden.com/go/start-free/).

### Your master password

During sign-up, you'll create a master password for logging in to Bitwarden. It's important that your master password is:

- **Memorable**: Bitwarden employees and systems have **no** knowledge of, way to retrieve, or way to reset your master password. **Do not forget your master password!**
- **Strong**: A longer, more complex, and less common password is the best way to protect your account.
Bitwarden provides a free [password strength testing tool](https://bitwarden.com/password-strength/) to test the strength of some memorable passwords you are considering.

![Set a master password](https://bitwarden.com/assets/2pST1WXY0Xk7GQ4GpwzELn/59b88f130a5d65b51c75bbe3a742a702/2024-12-02_10-20-39.png)

### Create an organization (2 min)

[Create your organization](https://bitwarden.com/help/about-organizations/#create-an-organization/) today by selecting the **New organization** button in the Bitwarden web app:

![New organization](https://bitwarden.com/assets/3eSqWiTIuPSFxXdo5AAjT9/248b0fa7bb381add0d71682acd244a63/2024-12-03_13-57-58.png)

### Or join an existing organization (1 min)

If your organization has already been created, ask the other member of your organization to send you an invite.

### Get to know the Admin Console (2 min)

Once created, you'll land in the Admin Console, which is the central hub for all things sharing and organization administration. As the organization owner, you'll be able to see your **Vault** items and [collections](https://bitwarden.com/help/getting-started-organizations/#get-to-know-collections/), to manage **Members**, and configure other organization **Settings**:

![Free organization Admin Console](https://bitwarden.com/assets/hzBuypc5ISzqC3jUmYbea/edcb03ce3d3071cea4f9afb6c7f8eca9/2024-12-03_13-46-09.png)

### Managing vault items and collections (3 min)

As an owner or admin, you might be responsible for managing access to **vault items**, like shared credentials, for your organization.
You can create items directly from the web app and assign them to collections in order to share them:

![Assign to collections in bulk](https://bitwarden.com/assets/1u6EPNgAlCnvC9DcmUIosQ/327c0c24e09dce687540499a8eaa5aac/2024-12-02_15-47-21.png)

Speaking of [**collections**](https://bitwarden.com/help/about-collections/), they're an important construct for grouping together related logins, notes, cards, and identities for secure sharing with your organization:

- Organizations can define access to collections, allowing users to access only the items they need.
- Items stored in an organization's collection(s) do not belong to any individual user, but rather to the organization.
- Organization-owned items **must** be included in at least one collection.
- As a free organization, you can have up to two collections.

> [!TIP] Items can also be imported
> Data can also be imported directly to your organization! Learn how [here](https://bitwarden.com/help/import-to-org/#import-to-your-organization/).

### Managing members and groups (2 min)

As an owner, you'll be responsible for inviting the other member to your organization directly from the Admin Console's **Members** page ([learn more](https://bitwarden.com/help/managing-users/#invite/)):

![Invite member to an organization](https://bitwarden.com/assets/7AJjR4oqEnCH3A89YYoWpH/a4bd30d71a74ead44e13768dab8c5dff/2024-12-03_14-02-20.png)

--- URL: https://bitwarden.com/help/courses/password-manager-partner/ ---

# MSP or Reseller

Whether you're a managed service provider (MSP) or reselling Bitwarden to your customers, these partner courses teach you how to leverage the Provider Portal, market to clients, and train clients effectively.

### Provider admin

> [!NOTE] MSP or Reseller Course call out
> You can also view a [demo](https://bitwarden.com/help/courses/password-manager-partner/#msp-demo/), browse [deployment instructions](https://bitwarden.com/help/courses/password-manager-partner/#customer-deployment-guide/), or join a public [MSP training session](https://bitwarden.com/events/tag/msp/).

## Get started

### Become a partner (2 min)

Becoming a member of the Bitwarden Partner Program is quick and easy. Our partnership program has been designed to maximize your success across a wide range of shared priorities, strategic requirements, and customer benefits. [Get started today](https://bitwarden.com/partners/).

> [!NOTE] If you're an admin joining an existing provider
> Manage your organization separately—do not include it in your Provider Portal client list.
>
> If you're an admin joining an existing provider, use the provider invitation in your email inbox to log in or create a new Bitwarden account.

### Your master password (2 min)

During sign-up, you'll create a master password for logging in to Bitwarden. It's important that your master password is:

- **Memorable**: Bitwarden employees and systems have **no** knowledge of, way to retrieve, or way to reset your master password. **Do not forget your master password!**
- **Strong**: A longer, more complex, and less common password is the best way to protect your account. Bitwarden provides a free [password strength testing tool](https://bitwarden.com/password-strength/) to test the strength of some memorable passwords you are considering.

### Get to know the provider portal (5 min)

The [Provider Portal](https://bitwarden.com/help/providers/) is an all-in-one management experience that enables providers to manage customers' Bitwarden organizations at scale.
It streamlines administration tasks by centralizing access and support for each client, as well as allowing you to create new ones as your business grows:

![Provider Portal](https://bitwarden.com/assets/7AoSHeZgJJTBXQmpZ13UBr/56ca464fe6987c8c5fc8e7099235d640/2025-02-25_15-17-46.png)

### Invite your provider team (2 min)

Every all-star Provider needs an all-star team. Start inviting your employees from the **Manage** → **Members** view to [round out your client management team](https://bitwarden.com/help/provider-users/#onboard-provider-users/):

![Add a provider user](https://bitwarden.com/assets/6E5GA111xdiHHkA0gb5LtG/5e5b5fddb5911e1b2ed468c1d49134ad/2024-12-05_09-27-45.png)

**Services users** can fully manage any client organizations, while **Provider admins** can do the same and additionally manage your Provider setup and billing. For protective redundancy, we recommend including at least one other Provider admin on your team.

### Onboard clients (5 min)

As a Provider admin, you'll have the ability to fully manage all aspects of a client organization on behalf of your customers, including setting up their [collection](https://bitwarden.com/help/about-collections/) and [group](https://bitwarden.com/help/about-groups/) structure, [importing data](https://bitwarden.com/help/import-to-org/), and setting up [policies](https://bitwarden.com/help/policies/) and [SSO](https://bitwarden.com/help/about-sso/). Learn how to [create new Client Organizations](https://bitwarden.com/help/client-org-setup/) and take a look at the [first steps toward configuring a successful Client Organization](https://bitwarden.com/help/client-org-setup/#initial-setup-procedure/).

### Manage client subscriptions (3 min)

As a Provider admin, one of your key roles will be to manage the subscriptions and seat counts of your client organizations. Learn more [here](https://bitwarden.com/help/provider-billing/).

### Learn about client administration (5 min)

Client organizations allow your customers to securely share passwords, credit cards, and more, and give you the tools to manage these things on their behalf. There's a lot you can do, but here are some [key day-to-day tasks you'll tackle as a Provider](https://bitwarden.com/help/manage-client-orgs/).

## Watch a demo

### Provider Portal Demo (35 min)

[![Vimeo Video](https://vumbnail.com/668382756.jpg)](https://vimeo.com/668382756) *[Watch on Vimeo](https://vimeo.com/668382756)*

Learn more about becoming a Bitwarden MSP or reseller [here](https://bitwarden.com/partners/).

- **1:36**: Overview of Bitwarden Password Manager.
- **1:46**: Bitwarden client apps.
- **2:15**: How Bitwarden integrates with your tech stack.
- **4:53**: Overview of terminology and concepts.
- **8:34**: MSP architecture deep dive.
- **10:05**: Your organization.
- **16:19**: The Provider Portal.
- **23:13**: Client organizations.
- **25:49**: Manage your clients.
- **26:50**: Manage policies.
- **27:43**: Import data.
- **28:18**: Set up SSO and SCIM.
- **29:00**: Q&A.

## Customer deployment guide

Use the following steps and best practices to deploy Bitwarden to your customers.

### Phase 1 - Pre-onboarding

Define technical requirements and onboarding strategy for your customer's Bitwarden organization and environment.

| Step | Topic | Action | Resources | Duration (hours) |
|------|------|------|------|------|
| 1 | Environment decision | Determine Cloud or Self-Hosted environment | [Hosting FAQs](https://bitwarden.com/help/hosting-faqs/) | 0.5 |
| 2 | Authentication strategy | Determine if the customer will use Single Sign-On (SSO) | [About SSO](https://bitwarden.com/help/about-sso/) | 0.25 |
| 3 | Decryption method | If using Login with SSO, select Master Password or trusted devices for decryption | [About trusted devices](https://bitwarden.com/help/about-trusted-devices/) | 0.25 |
| 4 | Provisioning strategy | Select provisioning strategy like SCIM, directory connector, or manual provisioning. | [Managing users](https://bitwarden.com/help/managing-users/#onboard-users/) | 0.25 |
| 5 | User identification | Identify users, teams, or departments for rollout groups | | 0.25 |
| 6 | Training strategy | Identify groups and internal advocates who will attend training. Example: end users, service desk, admins | | 0.5 |
| 7 | Document collection (sharing) strategy | Determine how collections will be configured. Considerations include: Will users be allowed to create collections? Will collections be configured by department, project, function? Will data be imported from another application, which often defines structure? Do Admin and Owner users get access to all shared items, or only the Managers of delegated Collections? | [About collections](https://bitwarden.com/help/about-collections/) | 1 |
| 8 | Policy planning | Select policies to be configured at launch | [Policies](https://bitwarden.com/help/policies/) | 0.5 |
| 9 | Rollout timeline | Determine invitation and onboarding mechanisms and timing | | 0.5 |
| 10 | Internal communication | Create internal messaging or memo about Bitwarden rollout. Review Bitwarden templates to get a sense of the communications | [Welcome email templates](https://bitwarden.com/help/welcome-email-templates/) | 1 |
| 11 | Leadership communication | Communicate to internal leaders about Password Management Rollout Strategy | | 0.25 |

### Phase 2 - Organization set up

Set up the technical foundation and configure Bitwarden settings for your customer.

| Step | Topic | Action | Resources | Duration (hours) |
|------|------|------|------|------|
| 12 | Organization owner | Identify the organization owner. The owner is the super-user that can control all aspects of your organization. Decide if you want the email to be associated with a specific user or a team inbox. Additionally, the best practice is two owner accounts for redundancy | [Member roles](https://bitwarden.com/help/user-types-access-control/#member-roles/) | 0.25 |
| 13 | Enterprise policies | Configure Enterprise policies. Any policies should be enabled prior to user invitation. Be sure to check out the following policies: Account recovery administration; Enforce organization data ownership; Activate autofill | [Policies](https://bitwarden.com/help/policies/) | 1 |
| 14 | Collection management settings | Choose how collections will behave in the organization. These settings allow for a spectrum of full admin control to completely self-serve where users can create their own collections. These settings can be used to establish a policy of least privilege | [Managing users](https://bitwarden.com/help/managing-users/) | 0.25 |
| 15 | Co-managed environment | Add administrators or owners to the client organization to co-manage. Best practice is to configure a second owner for redundancy | [Managing users](https://bitwarden.com/help/managing-users/) | 0.5 |
| 16 | Create collections | Collections are where secure items are located and shared with groups of users | [Collections](https://bitwarden.com/help/collections/) | 0.5 |
| 17 | Create user groups | Creating user groups allows easy assignment of collections. If you decide to sync groups and users from your Identity Provider or Directory Service, you may need to reconfigure user and group assignments later | [Groups](https://bitwarden.com/help/groups/) | 0.5 |
| 18 | Collection assignment | Assign groups to collections, making sure to test and demonstrate 'Read Only' and 'Hide Password' options | [User types access control](https://bitwarden.com/help/user-types-access-control/) | 0.5 |
| 19 | Add items | Add items manually to test collections or import via CSV or JSON from another password management application | [Collections](https://bitwarden.com/help/collections/) | 0.25 |
| 20 | Login with SSO | If applicable, configure Login with SSO and organization identifier. Configure to work with SAML 2.0 or OpenID Connect | [Get started with SSO](https://bitwarden.com/help/getting-started-with-sso/) | 1.5 |
| 21 | Domain verification | If applicable, verify company and/or other email domains to allow your users to skip entering the Organization identifier during the Enterprise SSO process. Not necessary for non-SSO organizations | [Domain verification](https://bitwarden.com/help/domain-verification/) | 0.5 |

### Phase 3 - Organization roll out

Deploy Bitwarden across your customer's teams and functions.

| Step | Topic | Action | Resources | Duration (hours) |
|------|------|------|------|------|
| 22 | Technical cadence meeting | Plan implementation phase 3 with client | | 0.5 |
| 23 | Add items to collections | Add items manually to production collections or import data from another password management application | [About collections](https://bitwarden.com/help/about-collections/) | 0.25 |
| 24 | Enterprise policies | Enterprise Policies can be used to tailor your Bitwarden Organization to fit your security needs. Enable and configure desired policies before user onboarding begins | [Policies](https://bitwarden.com/help/policies/) | 0.1 |
| 25 | Login with SSO | If applicable, configure Bitwarden to authenticate using your SAML 2.0 or OIDC Identity Provider | [About SSO](https://bitwarden.com/help/about-sso/) | 1.5 |
| 26 | Early users | Add a set of users to the client organization manually and assign them to different groups. With these users, you'll broadly test all pre-configured functionality in the next step, before moving on to advanced functions like Directory Connector. Share the attached onboarding workflow instructions with the users | [Managing users - Invite](https://bitwarden.com/help/managing-users/#invite/) [Onboarding Workflows](https://bitwarden.com/help/onboarding-workflows/) | 0.5 |
| 27 | SIEM integration | If applicable, connect Bitwarden to customer's SIEM tool | [SIEM](https://bitwarden.com/help/event-logs/#siem-and-external-systems-integrations/) | 0.5 |
| 28 | Bitwarden clients | All Organization members added for the pilot group should download Bitwarden on an assortment of devices, login, and test access to shared items via collections. They should test the proper implementation of policies. | [Download](https://bitwarden.com/download/) | 0.5 |
| 29 | Deploy client applications | Configure your application management or MDM tooling to prepare for mass deployment of Bitwarden applications | [Deploy client applications](https://bitwarden.com/help/browserext-deploy/) | 0.5 |
| 30 | Disable built-in password manager | Make Bitwarden Password Manager the default password manager and turn off built-in browser solutions. Educate users how to do the same when onboarded | [Disable built-in password manager](https://bitwarden.com/help/getting-started-browserext/#disable-a-built-in-password-manager/) | 0.25 |
| 31 | Test user onboarding | Configure and test Bitwarden SCIM or Directory Connector integrations to automatically sync users and groups | [About SCIM](https://bitwarden.com/help/about-scim/) [About Directory Connector](https://bitwarden.com/help/directory-sync/) | 1.5 |
| 32 | User onboarding | Execute on SCIM or Directory Connector syncing to invite additional users in groups to the organization. Share the attached onboarding workflow instructions with the users | [About SCIM](https://bitwarden.com/help/about-scim/) [About Directory Connector](https://bitwarden.com/help/directory-sync/) [Onboarding Workflows](https://bitwarden.com/help/onboarding-workflows/) | 1 |

### Phase 4 - User training

Train all users and stakeholders on how to use Bitwarden and provide continuing education.

| Step | Topic | Action | Resources | Duration (hours) |
|------|------|------|------|------|
| 33 | Admin training | Provide essential day-to-day task training for administrative users with the addition of any special topics requested. Example special topics include, but are not limited to: Demonstrating the configured SSO login flow; User onboarding and offboarding; Custom roles | [Get to know the Admin Console](https://bitwarden.com/help/get-started-administrator/#get-to-know-the-admin-console/) [Bitwarden for business admins](https://bitwarden.com/help/courses/bitwarden-for-business-admins/) | 0.75 |
| 34 | Service desk training | Advise service desk users on their role/operations. Review what tasks can be done with the custom role and what require admin intervention | | 0.75 |
| 35 | Team member training | A general training session for end users will cover: Bitwarden for all devices; Setting up the Bitwarden Browser Extension; Creating your account; Getting to know the Bitwarden vault; How to use the Bitwarden Password Manager; Bitwarden Send | [Get to know your vault](https://bitwarden.com/help/get-started-team-member/#get-to-know-your-vault/) [Get to know Password Manager](https://bitwarden.com/help/get-to-know-password-manager/) | 0.75 |
| 36 | Ongoing education | All users can take advantage of monthly new and updated learning content in the Bitwarden Learning Center | [Learning](https://bitwarden.com/learning/) | 0.75 |

### Service user

## Get started

### Join your provider (2 min)

Check your inbox for an invitation to your new organization! If you already have an existing account, great! All you need to do is accept the invitation. If you don’t, you will be prompted to create an account after you accept the invitation.

### Your master password

During sign-up, you'll create a master password for logging in to Bitwarden.
It's important that your master password is:

- **Memorable**: Bitwarden employees and systems have **no** knowledge of, way to retrieve, or way to reset your master password. **Do not forget your master password!**
- **Strong**: A longer, more complex, and less common password is the best way to protect your account. Bitwarden provides a free [password strength testing tool](https://bitwarden.com/password-strength/) to test the strength of some memorable passwords you are considering.

### Get to know the provider portal (5 min)

The Provider Portal is an all-in-one management experience that enables providers to manage customers' Bitwarden organizations at scale. It streamlines administration tasks by centralizing access and support for each client, as well as allowing you to create new ones as your business grows:

![Provider Portal](https://bitwarden.com/assets/7AoSHeZgJJTBXQmpZ13UBr/56ca464fe6987c8c5fc8e7099235d640/2025-02-25_15-17-46.png)

### Onboard clients (5 min)

As a service user, you'll have the ability to set up your customer’s [collection](https://bitwarden.com/help/about-collections/) and [group](https://bitwarden.com/help/about-groups/) structure, [import data](https://bitwarden.com/help/import-to-org/), and set up [policies](https://bitwarden.com/help/policies/) and SSO. Learn how to take the first steps toward configuring a [successful Client Organization](https://bitwarden.com/help/client-org-setup/#initial-setup-procedure/).

### Learn about client administration (5 min)

Client organizations allow your customers to securely share passwords, credit cards, and more, and give you the tools to manage these things on their behalf. There's a lot you can do, but here are some [key day-to-day tasks you'll tackle as a Provider](https://bitwarden.com/help/manage-client-orgs/).

### Reseller

## Reseller

### Become a partner (2 min)

Becoming a member of the Bitwarden Partner Program is quick and easy.
Our partnership program has been designed to maximize your success across a wide range of shared priorities, strategic requirements, and customer benefits. [Get started today](https://bitwarden.com/partners/).

### Learn about organization types (2 min)

As a reseller, most of your customers will pursue either Teams or Enterprise Organizations. Learn more about the unique features of each plan using our [comparison chart](https://bitwarden.com/help/password-manager-plans/#compare-business-plans/).

### Learn about Bitwarden (5 min)

Trusted by millions, Bitwarden can help your customers drive collaboration, boost productivity, and share data securely, whether within the same organization or externally.

For your clients, some of the most popular features that Bitwarden Password Manager offers are:

- **Easy import**: [Import](https://bitwarden.com/help/import-to-org/) your company's shared credentials from almost any password management solution.
- **User management integrations**: Sync end-users to your Bitwarden organization using one of many [system for cross-domain identity management (SCIM)](https://bitwarden.com/help/about-scim/) or [direct-to-directory](https://bitwarden.com/help/directory-sync/) integrations.
- **Login with SSO**: [Authenticate your end-users with your existing single sign-on (SSO)](https://bitwarden.com/help/about-sso/) setup through any SAML 2.0 or OIDC identity provider.
- **Robust policies**: Enforce security practices for your end-users, like setting up the ability for admins to [recover lost accounts](https://bitwarden.com/help/account-recovery/), using [enterprise policies](https://bitwarden.com/help/policies/).

Bitwarden is committed to building security-first products. Password Manager is:

- **Open source**: All source code is hosted on GitHub and is free for anyone to review and audit. Third-party auditing firms and security researchers are paid to do so regularly.
- **End-to-end encrypted**: All encryption and decryption of vault data is done client-side, meaning no sensitive data ever hits our servers unencrypted.
- **Zero-knowledge encrypted**: Bitwarden team members can't see your vault data, including data like URLs that other password managers don't encrypt, or your master password.

--- URL: https://bitwarden.com/help/courses/password-manager-personal/ ---

# Personal User

Ready to finally get your passwords under control? This course walks you through setting up your personal Bitwarden account, securing your most important logins, and making password management feel effortless instead of overwhelming.

> [!NOTE] Personal Account - other courses
> See other personal courses: [Free sharing for two](https://bitwarden.com/help/courses/password-manager-admin/#tab-free-1brEDAEI7F0yUV0OW5WlV8/), [Family Member](https://bitwarden.com/help/courses/password-manager-team-member/#tab-families-6DNMd9cYeG6aig4l63wA0S/), and [Family Admin](https://bitwarden.com/help/courses/password-manager-admin/#tab-families-1brEDAEI7F0yUV0OW5WlV8/).

## Get started

### Sign up for Bitwarden (3 min)

[![Vimeo Video](https://vumbnail.com/1086379394.jpg)](https://vimeo.com/1086379394) *[Watch on Vimeo](https://vimeo.com/1086379394)*

Bitwarden offers free accounts with no limits to the number of devices or number of logins you can use. [Why wait?](https://bitwarden.com/go/start-free/) Learn more about creating your Bitwarden account [here](https://bitwarden.com/help/create-bitwarden-account/).

### Your master password

During sign-up, you'll create a master password for logging in to Bitwarden. It's important that your master password is:

- **Memorable**: Bitwarden employees and systems have **no** knowledge of, way to retrieve, or way to reset your master password. **Do not forget your master password!**
- **Strong**: A longer, more complex, and less common password is the best way to protect your account.
Bitwarden provides a free [password strength testing tool](https://bitwarden.com/password-strength/) to test the strength of some memorable passwords you are considering.

![Set a master password](https://bitwarden.com/assets/2pST1WXY0Xk7GQ4GpwzELn/59b88f130a5d65b51c75bbe3a742a702/2024-12-02_10-20-39.png)

### Two-step login

Using two-step login, also called 2-factor authentication or 2FA, is the most important thing you can do to protect your data other than using a strong master password. It's so important that we offer a few options for free, including [Bitwarden Authenticator](https://bitwarden.com/help/bitwarden-authenticator/), a standalone mobile authenticator.

### Get to know your vault (1 min)

The Bitwarden Password Manager web app will list all your vault items, including [logins, cards, identities, and secure notes](https://bitwarden.com/help/managing-items/):

![Password Manager web app](https://bitwarden.com/assets/2xTpSA11EOCzx8VIuVffcF/d3bc18e7fc3c3cb0bf1779fad9262cd3/2024-12-02_13-42-14.png)

From the web app, you can fill your vault with information to keep secure, organize your credentials for easy access, and more. Items that you add in any Bitwarden app will sync to other Bitwarden apps you log in to so you can log into accounts from anywhere.

### Import your data (2 min)

Do you have passwords saved in a browser, like Chrome? Or are you coming to Bitwarden from another password manager? You can import logins directly to Bitwarden to [avoid a painful day of copy-and-pasting](https://bitwarden.com/help/import-data/). Or, if you store passwords on paper or in your brain, let's get you started [adding more items to your vault](https://bitwarden.com/help/getting-started-webvault/#first-steps/).

### Use Bitwarden while browsing (4 min)

[![Vimeo Video](https://vumbnail.com/1084695614.jpg)](https://vimeo.com/1084695614) *[Watch on Vimeo](https://vimeo.com/1084695614)*

Learn more about getting started with the browser extension [here](https://bitwarden.com/help/getting-started-browserext/).

Bitwarden browser extensions make it easy to quickly log in to your accounts with saved passwords with the magic of autofill. [Download](https://bitwarden.com/download/) the browser extension and [learn how to autofill passwords](https://bitwarden.com/help/auto-fill-browser/) while browsing the web:

![Autofill via browser extension](https://bitwarden.com/assets/1pamjhdWn7obh8UBxXcIPF/1841242fa5299a780d53f3ae70e546b3/screenshot_5.png)

It's best to [disable your browser's built-in password manager](https://bitwarden.com/help/getting-started-browserext/#disable-a-built-in-password-manager/) to ensure that Bitwarden is always your go-to password manager.

### Chrome

[![Vimeo Video](https://vumbnail.com/1077612510.jpg)](https://vimeo.com/1077612510) *[Watch on Vimeo](https://vimeo.com/1077612510)*

### Microsoft Edge

[![Vimeo Video](https://vumbnail.com/1077612658.jpg)](https://vimeo.com/1077612658) *[Watch on Vimeo](https://vimeo.com/1077612658)*

### Take Bitwarden on-the-go (1 min)

Security anywhere is security everywhere! Get the Bitwarden mobile app so you can safely use your passwords while you're on-the-go.
[Download](https://bitwarden.com/download/) the mobile app and learn how to autofill passwords on [iOS](https://bitwarden.com/help/auto-fill-ios/) or [Android](https://bitwarden.com/help/auto-fill-android/):

![Bitwarden on iOS and Android](https://bitwarden.com/assets/53OzJZ4klYWemxUepHMtq4/5ab47331f033259bd2e82817a99e992f/2025-01-21_15-22-10.png)

## Learn More

### Change the default language (2 min)

[![Vimeo Video](https://vumbnail.com/795737043.jpg)](https://vimeo.com/795737043) *[Watch on Vimeo](https://vimeo.com/795737043)*

Learn more about changing the app's language [here](https://bitwarden.com/help/localization/).

### Get Bitwarden for all your devices (1 min)

[![Vimeo Video](https://vumbnail.com/796410440.jpg)](https://vimeo.com/796410440) *[Watch on Vimeo](https://vimeo.com/796410440)*

Download Bitwarden apps for all your devices [here](https://bitwarden.com/download/).

### Sharing secure links with Bitwarden Send (2 min)

[![Vimeo Video](https://vumbnail.com/797850224.jpg)](https://vimeo.com/797850224) *[Watch on Vimeo](https://vimeo.com/797850224)*

Learn more about Bitwarden Send [here](https://bitwarden.com/help/about-send/).

### Using Custom Fields (2 min)

[![Vimeo Video](https://vumbnail.com/821402921.jpg)](https://vimeo.com/821402921) *[Watch on Vimeo](https://vimeo.com/821402921)*

Learn more about using custom fields [here](https://bitwarden.com/help/custom-fields/).

## Advanced

### Self-host on a Raspberry Pi (4 min)

[![YouTube Video](https://img.youtube.com/vi/4GjjfkMYqqs/maxresdefault.jpg)](https://www.youtube.com/watch?v=4GjjfkMYqqs) *[Watch on YouTube](https://www.youtube.com/watch?v=4GjjfkMYqqs)*

Learn more about self-hosting with Bitwarden Unified [here](https://bitwarden.com/help/install-and-deploy-unified-beta/).

--- URL: https://bitwarden.com/help/courses/password-manager-team-member/ ---

# Team Member

Your admin has set up Bitwarden for your organization or family—now it's time to make it work for you. This course shows you how to save passwords automatically, share credentials securely, and integrate Bitwarden into your daily workflow so staying secure becomes effortless.

### Enterprise

> [!NOTE] Enterprise User Callout
> You can also join a [public training session](https://bitwarden.com/events/tag/demo/).

## Get started

### Join your organization (3 min)

There are a few different ways to join a Bitwarden organization; the one you'll need to use depends on your company's unique setup. Some organizations allow you to enroll by simply logging in with your single sign-on (SSO) account, and others will send email invitations to your work inbox:

![Organization invitation](https://bitwarden.com/assets/4Fe96NuWb7yRe6muKf7UbZ/bcb1a8df0bc2ffdecbcd86b82d16c9a3/2025-09-03_10-41-25.png)

If you're not sure, ask the IT team at your company or your manager for information on how you're expected to join Bitwarden.

[![Vimeo Video](https://vumbnail.com/1086379394.jpg)](https://vimeo.com/1086379394) *[Watch on Vimeo](https://vimeo.com/1086379394)*

### Master password vs trusted devices (2 min)

### Your master password

In most cases, but not all, you'll create a master password for logging in to Bitwarden. If you do create a master password, it's important that it is:

- **Memorable**: Bitwarden employees and systems have **no** knowledge of, way to retrieve, or way to reset your master password. **Do not forget your master password!**
- **Strong**: A longer, more complex, and less common password is the best way to protect your account. Bitwarden provides a free [password strength testing tool](https://bitwarden.com/password-strength/) to test the strength of some memorable passwords you are considering.

![Set a master password](https://bitwarden.com/assets/2pST1WXY0Xk7GQ4GpwzELn/59b88f130a5d65b51c75bbe3a742a702/2024-12-02_10-20-39.png) ### Trusted devices In other cases, logging in to Bitwarden will require that the device you're logging in from be registered as a trusted one. When you join the organization, the device you use to join will automatically be registered as trusted, but you should [acquaint yourself with the process for adding more trusted devices](https://bitwarden.com/help/add-a-trusted-device/) so you can securely access company credentials on-the-go. [![Vimeo Video](https://vumbnail.com/1075687841.jpg)](https://vimeo.com/1075687841) *[Watch on Vimeo](https://vimeo.com/1075687841)* **Video Chapters:** Learn more about how users will experience the SSO Login workflow when the Enterprise Organization is configured for [SSO with Trusted Device Encryption](https://learning-center-update.bw-web.dev/help/about-trusted-devices/). ### Get to know your vault (2 min) The Bitwarden Password Manager web app will list all your vault items, including [logins, cards, identities, and secure notes](https://bitwarden.com/help/managing-items/): ![Password Manager web app](https://bitwarden.com/assets/2xTpSA11EOCzx8VIuVffcF/d3bc18e7fc3c3cb0bf1779fad9262cd3/2024-12-02_13-42-14.png) From the web app, you can fill your vault with information to keep secure, organize your credentials for easy access, and more. Items that you add in any Bitwarden app will sync to other Bitwarden apps you log in to so you can log into accounts from anywhere. ### Use Bitwarden while browsing (4 min) Bitwarden browser extensions make it easy to quickly log in to your accounts with saved passwords with the magic of autofill. 
[Download](https://bitwarden.com/download/) the browser extension and [learn how to autofill passwords](https://bitwarden.com/help/auto-fill-browser/) while browsing the web: ![Autofill via browser extension](https://bitwarden.com/assets/1pamjhdWn7obh8UBxXcIPF/1841242fa5299a780d53f3ae70e546b3/screenshot_5.png) [![Vimeo Video](https://vumbnail.com/1084695614.jpg)](https://vimeo.com/1084695614) *[Watch on Vimeo](https://vimeo.com/1084695614)* **Video Chapters:** Learn more about getting started with the browser extension [here](https://bitwarden.com/help/getting-started-browserext/). It's best to [disable your browser's built-in password manager](https://bitwarden.com/help/getting-started-browserext/#disable-a-built-in-password-manager/) to ensure that Bitwarden is always your go-to password manager. ### Chrome [![Vimeo Video](https://vumbnail.com/1077612510.jpg)](https://vimeo.com/1077612510) *[Watch on Vimeo](https://vimeo.com/1077612510)* ### Microsoft Edge [![Vimeo Video](https://vumbnail.com/1077612658.jpg)](https://vimeo.com/1077612658) *[Watch on Vimeo](https://vimeo.com/1077612658)* ### Import your data (2 min) Do you have passwords saved in a browser, like Chrome? Or are you coming to Bitwarden from another password manager? You can import logins directly to Bitwarden to [avoid a painful day of copy-and-pasting](https://bitwarden.com/help/import-data/). Or, if you store passwords on paper or in your brain, let's get you started [adding more items to your vault](https://bitwarden.com/help/getting-started-webvault/#first-steps/). ### Share with your team (2 min) As a member of your organization, you can securely share information like company credit cards and login credentials with members of your team. 
Shared items can be accessed through a separate vault that is added to your Bitwarden apps when you join the organization: ![Organization-enabled vault](https://bitwarden.com/assets/4D2tlh9YKPzDY20SYGVKcG/dff56b66549d29405b1af211860f698e/2024-12-03_14-07-28.png) Shared items are grouped-together into [collections](https://bitwarden.com/help/about-collections/), which your team can organize based on things like business unit (e.g. "Sales Team"), business function (e.g. "Social Media Logins"), system (e.g. "AWS Credentials"), and more. Learn [how to share credentials with your team](https://bitwarden.com/help/sharing/). ### Take Bitwarden on-the-go (1 min) Security anywhere is security everywhere! Get the Bitwarden mobile app so you can safely use your passwords while you're on-the-go. [Download](https://bitwarden.com/download/) the mobile app and learn how to autofill passwords on [iOS](https://bitwarden.com/help/auto-fill-ios/) or [Android](https://bitwarden.com/help/auto-fill-android/). ### Bring secure browsing home (1 min) Some Enterprise organizations offer members a free sponsored Families organization so that employees can securely share personal vault items with up to five friends or family members. Learn [how to redeem your sponsorship](https://bitwarden.com/help/families-for-enterprise/#redeem-a-sponsorship/) and make sure your family is practicing safe browsing. ## Learn More ### Change the default language (2 min) [![Vimeo Video](https://vumbnail.com/795737043.jpg)](https://vimeo.com/795737043) *[Watch on Vimeo](https://vimeo.com/795737043)* **Video Chapters:** Learn more about changing the app's language [here](https://bitwarden.com/help/localization/). ### Get Bitwarden for all your devices (1 min) [![Vimeo Video](https://vumbnail.com/796410440.jpg)](https://vimeo.com/796410440) *[Watch on Vimeo](https://vimeo.com/796410440)* Download Bitwarden apps for all your devices [here](https://bitwarden.com/download/). 
### Sharing secure links with Bitwarden Send (2 min) [![Vimeo Video](https://vumbnail.com/797850224.jpg)](https://vimeo.com/797850224) *[Watch on Vimeo](https://vimeo.com/797850224)* **Video Chapters:** Learn more about Bitwarden Send [here](https://bitwarden.com/help/about-send/). ### Using Custom Fields (2 min) [![Vimeo Video](https://vumbnail.com/821402921.jpg)](https://vimeo.com/821402921) *[Watch on Vimeo](https://vimeo.com/821402921)* **Video Chapters:** Learn more about using custom fields [here](https://bitwarden.com/help/custom-fields/). ### Teams > [!NOTE] Teams User Callout > You can also join a [public training session](https://bitwarden.com/events/tag/demo/). ## Get started ### Join your team (3 min) Check your inbox for an invitation to your new organization! If you already have an existing account, great! All you need to do is accept the invitation. If you don’t, you will be prompted to create an account after you accept the invitation: ![Organization invitation](https://bitwarden.com/assets/4Fe96NuWb7yRe6muKf7UbZ/bcb1a8df0bc2ffdecbcd86b82d16c9a3/2025-09-03_10-41-25.png) [![Vimeo Video](https://vumbnail.com/1086379394.jpg)](https://vimeo.com/1086379394) *[Watch on Vimeo](https://vimeo.com/1086379394)* ### Your master password (1 min) During sign-up, you'll create a master password for logging in to Bitwarden. It's important that your master password is: - **Memorable**: Bitwarden employees and systems have **no** knowledge of, way to retrieve, or way to reset your master password. **Do not forget your master password!** - **Strong**: A longer, more complex, and less common password is the best way to protect your account. Bitwarden provides a free [password strength testing tool](https://bitwarden.com/password-strength/) to test the strength of some memorable passwords you are considering. 
![Set a master password](https://bitwarden.com/assets/2pST1WXY0Xk7GQ4GpwzELn/59b88f130a5d65b51c75bbe3a742a702/2024-12-02_10-20-39.png) ### Get to know your vault (2 min) The Bitwarden Password Manager web app will list all your vault items, including [logins, cards, identities, and secure notes](https://bitwarden.com/help/managing-items/): ![Password Manager web app](https://bitwarden.com/assets/2xTpSA11EOCzx8VIuVffcF/d3bc18e7fc3c3cb0bf1779fad9262cd3/2024-12-02_13-42-14.png) From the web app, you can fill your vault with information to keep secure, organize your credentials for easy access, and more. Items that you add in any Bitwarden app will sync to other Bitwarden apps you log in to so you can log into accounts from anywhere. ### Import your data (2 min) Do you have passwords saved in a browser, like Chrome? Or are you coming to Bitwarden from another password manager? You can import logins directly to Bitwarden to [avoid a painful day of copy-and-pasting](https://bitwarden.com/help/import-data/). Or, if you store passwords on paper or in your brain, let's get you started [adding more items to your vault](https://bitwarden.com/help/getting-started-webvault/#first-steps/). ### Share with your team (2 min) As a member of your organization, you can securely share information like company credit cards and login credentials with members of your team. Shared items can be accessed through a separate vault that is added to your Bitwarden apps when you join the organization: ![Organization-enabled vault](https://bitwarden.com/assets/4D2tlh9YKPzDY20SYGVKcG/dff56b66549d29405b1af211860f698e/2024-12-03_14-07-28.png) Shared items are grouped-together into [collections](https://bitwarden.com/help/about-collections/), which your team can organize based on things like business unit (e.g. "Sales Team"), business function (e.g. "Social Media Logins"), system (e.g. "AWS Credentials"), and more. Learn [how to share credentials with your team](https://bitwarden.com/help/sharing/). 
### Use Bitwarden while browsing (4 min) Bitwarden browser extensions make it easy to quickly log in to your accounts with saved passwords with the magic of autofill. [Download](https://bitwarden.com/download/) the browser extension and [learn how to autofill passwords](https://bitwarden.com/help/auto-fill-browser/) while browsing the web: ![Autofill via browser extension](https://bitwarden.com/assets/1pamjhdWn7obh8UBxXcIPF/1841242fa5299a780d53f3ae70e546b3/screenshot_5.png) [![Vimeo Video](https://vumbnail.com/1084695614.jpg)](https://vimeo.com/1084695614) *[Watch on Vimeo](https://vimeo.com/1084695614)* **Video Chapters:** Learn more about getting started with the browser extension [here](https://bitwarden.com/help/getting-started-browserext/). It's best to [disable your browser's built-in password manager](https://bitwarden.com/help/getting-started-browserext/#disable-a-built-in-password-manager/) to ensure that Bitwarden is always your go-to password manager. ### Chrome [![Vimeo Video](https://vumbnail.com/1077612510.jpg)](https://vimeo.com/1077612510) *[Watch on Vimeo](https://vimeo.com/1077612510)* ### Microsoft Edge [![Vimeo Video](https://vumbnail.com/1077612658.jpg)](https://vimeo.com/1077612658) *[Watch on Vimeo](https://vimeo.com/1077612658)* ### Take Bitwarden on-the-go (1 min) Security anywhere is security everywhere! Get the Bitwarden mobile app so you can safely use your passwords while you're on-the-go. 
[Download](https://bitwarden.com/download/) the mobile app and learn how to autofill passwords on [iOS](https://bitwarden.com/help/auto-fill-ios/) or [Android](https://bitwarden.com/help/auto-fill-android/): ![Bitwarden on iOS and Android](https://bitwarden.com/assets/53OzJZ4klYWemxUepHMtq4/5ab47331f033259bd2e82817a99e992f/2025-01-21_15-22-10.png) ## Learn More ### Change the default language (2 min) [![Vimeo Video](https://vumbnail.com/795737043.jpg)](https://vimeo.com/795737043) *[Watch on Vimeo](https://vimeo.com/795737043)* **Video Chapters:** Learn more about changing the app's language [here](https://bitwarden.com/help/localization/). ### Get Bitwarden for all your devices (1 min) [![Vimeo Video](https://vumbnail.com/796410440.jpg)](https://vimeo.com/796410440) *[Watch on Vimeo](https://vimeo.com/796410440)* Download Bitwarden apps for all your devices [here](https://bitwarden.com/download/). ### Sharing secure links with Bitwarden Send (2 min) [![Vimeo Video](https://vumbnail.com/797850224.jpg)](https://vimeo.com/797850224) *[Watch on Vimeo](https://vimeo.com/797850224)* **Video Chapters:** Learn more about Bitwarden Send [here](https://bitwarden.com/help/about-send/). ### Using Custom Fields (2 min) [![Vimeo Video](https://vumbnail.com/821402921.jpg)](https://vimeo.com/821402921) *[Watch on Vimeo](https://vimeo.com/821402921)* **Video Chapters:** Learn more about using custom fields [here](https://bitwarden.com/help/custom-fields/). ### Families ## Get started ### Join your family (2 min) Check your inbox for an invitation to your new organization! If you already have an existing account, great! All you need to do is accept the invitation. 
If you don’t, you will be prompted to create an account after you accept the invitation: ![Organization invitation](https://bitwarden.com/assets/4Fe96NuWb7yRe6muKf7UbZ/bcb1a8df0bc2ffdecbcd86b82d16c9a3/2025-09-03_10-41-25.png) ### Your master password (2 min) During sign-up, you'll create a master password for logging in to Bitwarden. It's important that your master password is: - **Memorable**: Bitwarden employees and systems have **no** knowledge of, way to retrieve, or way to reset your master password. **Do not forget your master password!** - **Strong**: A longer, more complex, and less common password is the best way to protect your account. Bitwarden provides a free [password strength testing tool](https://bitwarden.com/password-strength/) to test the strength of some memorable passwords you are considering. ![Set a master password](https://bitwarden.com/assets/2pST1WXY0Xk7GQ4GpwzELn/59b88f130a5d65b51c75bbe3a742a702/2024-12-02_10-20-39.png) ### Get to know your vault (2 min) The Bitwarden Password Manager web app will list all your vault items, including [logins, cards, identities, and secure notes](https://bitwarden.com/help/managing-items/): ![Password Manager web app](https://bitwarden.com/assets/2xTpSA11EOCzx8VIuVffcF/d3bc18e7fc3c3cb0bf1779fad9262cd3/2024-12-02_13-42-14.png) From the web app, you can fill your vault with information to keep secure, organize your credentials for easy access, and more. Items that you add in any Bitwarden app will sync to other Bitwarden apps you log in to so you can log into accounts from anywhere. ### Import your data (2 min) Do you have passwords saved in a browser, like Chrome? Or are you coming to Bitwarden from another password manager? You can import logins directly to Bitwarden to [avoid a painful day of copy-and-pasting](https://bitwarden.com/help/import-data/). 
Or, if you store passwords on paper or in your brain, let's get you started [adding more items to your vault](https://bitwarden.com/help/getting-started-webvault/#first-steps/).

### Share with your family (2 min)

As a member of your organization, you can securely share information like credit cards and streaming logins with members of your family. Shared items can be accessed through a separate vault that is added to your Bitwarden apps when you join the organization:

![Organization-enabled vault](https://bitwarden.com/assets/4D2tlh9YKPzDY20SYGVKcG/dff56b66549d29405b1af211860f698e/2024-12-03_14-07-28.png)

Shared items are grouped together into [collections](https://bitwarden.com/help/about-collections/), which your family can organize based on things like who can have access (e.g. "Parents Only"), the type of logins they contain (e.g. "Streaming Logins"), and more. Learn [how to share credentials with your team](https://bitwarden.com/help/sharing/).

### Use Bitwarden while browsing (4 min)

Bitwarden browser extensions make it easy to quickly log in to your accounts with saved passwords with the magic of autofill. [Download](https://bitwarden.com/download/) the browser extension and [learn how to autofill passwords](https://bitwarden.com/help/auto-fill-browser/) while browsing the web:

![Autofill via browser extension](https://bitwarden.com/assets/1pamjhdWn7obh8UBxXcIPF/1841242fa5299a780d53f3ae70e546b3/screenshot_5.png)

It's best to [disable your browser's built-in password manager](https://bitwarden.com/help/getting-started-browserext/#disable-a-built-in-password-manager/) to ensure that Bitwarden is always your go-to password manager.

[![Vimeo Video](https://vumbnail.com/1084695614.jpg)](https://vimeo.com/1084695614) *[Watch on Vimeo](https://vimeo.com/1084695614)*

Learn more about getting started with the browser extension [here](https://bitwarden.com/help/getting-started-browserext/).
### Take Bitwarden on-the-go (1 min) Security anywhere is security everywhere! Get the Bitwarden mobile app so you can safely use your passwords while you're on-the-go. [Download](https://bitwarden.com/download/) the mobile app and learn how to autofill passwords on [iOS](https://bitwarden.com/help/auto-fill-ios/) or [Android](https://bitwarden.com/help/auto-fill-android/): ![Bitwarden on iOS and Android](https://bitwarden.com/assets/53OzJZ4klYWemxUepHMtq4/5ab47331f033259bd2e82817a99e992f/2025-01-21_15-22-10.png) --- URL: https://bitwarden.com/help/courses/passwordless-dev/ --- # Passwordless.dev Learn how Bitwarden Passwordless.dev can help you establish smooth passwordless authentication for your workforce or application users. ### Passkeys with Passwordless.dev (4 min) [![Vimeo Video](https://vumbnail.com/840978573.jpg)](https://vimeo.com/840978573) *[Watch on Vimeo](https://vimeo.com/840978573)* Learn more about Passwordless.dev [here](https://bitwarden.com/products/passwordless/). 0:05: Using passkeys on a mobile device. 1:59: Using passkeys in a web browser. --- URL: https://bitwarden.com/help/courses/secrets-manager/ --- # Secrets Manager Get started with Bitwarden Secrets Manager and begin securely storing, sharing, and injecting infrastructure secrets into your development pipelines. Learn how to switch between Bitwarden products, add secrets, and grant machine access. ### How to switch between Bitwarden products (1 min) [![Vimeo Video](https://vumbnail.com/840459200.jpg)](https://vimeo.com/840459200) *[Watch on Vimeo](https://vimeo.com/840459200)* Learn more about all the products available from Bitwarden [here](https://bitwarden.com/products/). ### How to add a project (1 min) [![Vimeo Video](https://vumbnail.com/846445432.jpg)](https://vimeo.com/846445432) *[Watch on Vimeo](https://vimeo.com/846445432)* **Video Chapters:** Learn more about projects [here](https://bitwarden.com/help/projects/). 
### How to add secrets (3 min) [![Vimeo Video](https://vumbnail.com/854758635.jpg)](https://vimeo.com/854758635) *[Watch on Vimeo](https://vimeo.com/854758635)* **Video Chapters:** Learn more about secrets [here](https://bitwarden.com/help/secrets/). ### How to create a machine account (1 min) [![Vimeo Video](https://vumbnail.com/845933062.jpg)](https://vimeo.com/845933062) *[Watch on Vimeo](https://vimeo.com/845933062)* **Video Chapters:** Learn more about machine accounts [here](https://bitwarden.com/help/machine-accounts/). ### How to create and use an access token (3 min) [![Vimeo Video](https://vumbnail.com/854806168.jpg)](https://vimeo.com/854806168) *[Watch on Vimeo](https://vimeo.com/854806168)* **Video Chapters:** Learn more about access tokens [here](https://bitwarden.com/help/access-tokens/). ### How to export projects and secrets (1 min) [![Vimeo Video](https://vumbnail.com/846444688.jpg)](https://vimeo.com/846444688) *[Watch on Vimeo](https://vimeo.com/846444688)* **Video Chapters:** Learn more about exporting Secrets Manager data [here](https://bitwarden.com/help/export-secrets-data/). --- URL: https://bitwarden.com/help/create-bitwarden-account/ --- # Create a Bitwarden Account We are thrilled to be a part of your secure information management journey. To create a Bitwarden account, select the **Get Started** button on our homepage, or click [**here**](https://bitwarden.com/go/start-free/). Whether you're starting from that linked page, or directly from the Bitwarden web app, enter your **Email address** and choose a domain from the **Creating account on** dropdown: > [!TIP] Bitwarden offers 2 server regions. > Your Bitwarden account can be created on our cloud servers in the **United States** or **European Union,** or on a self-hosted server. 
To [choose which server to create your account on](https://bitwarden.com/help/choose-my-server/), scroll to the bottom of the page and use the **Server** or **Logging in on** dropdown to make a selection before submitting the form.

![Create your account](https://bitwarden.com/assets/32lwhyZi7zd0OvjvXZqAnB/291dd7d800b59d95f14655d9ab966d80/2024-12-02_10-18-15.png)

Select **Continue** to proceed. Bitwarden will send a verification email to your email inbox. When you receive that email, select the **Verify email** button to finish creating your account by setting and confirming a **Master password**:

![Set a master password](https://bitwarden.com/assets/2pST1WXY0Xk7GQ4GpwzELn/59b88f130a5d65b51c75bbe3a742a702/2024-12-02_10-20-39.png)
*Set a master password*

When you're happy with your master password, select **Create account**. You'll also have the option to **check known data breaches for the password** ([learn more](https://bitwarden.com/help/reports/#data-breach-report-individual-vaults-only/)) before submitting a master password.

> [!NOTE] Older accounts may need to verify an email
> Older accounts may not yet have their email verified, as described above! If you weren't required to do so when you created your account, log in to your [web app](https://vault.bitwarden.com/) and select the **Verify Email** button.

## Create an account from an organization invite

Organizations, like an employer or family member, can invite users to sign up for Bitwarden. If you have been invited to an organization, check your email for an invitation from Bitwarden to join the organization. Open the email before it expires and select **Join Organization Now**.
![After clicking an emailed link, the invited user is prompted to accept the invitation to the organization](https://bitwarden.com/assets/3rZSnNkT3NPYThquuWqpeb/95516ccdedbb99931be5ee4d207fe2d8/image5.png)

## Next steps

Now that you have created your account, we recommend:

- [Getting started using the web app](https://bitwarden.com/help/getting-started-webvault/)
- [Installing Bitwarden on other devices](https://bitwarden.com/download/)

--- URL: https://bitwarden.com/help/create-collections/ ---

# Create Collections

> [!NOTE] Collection Creation ONLY in Web Vault
> Collections can only be created from the Password Manager web app by users who are permitted by your organization's [collection management settings](https://bitwarden.com/help/collection-management/).

To create a collection:

1. Log in to the Bitwarden web app, select the + **New** button, and choose **Collection** from the dropdown:

   ![Create new collection](https://bitwarden.com/assets/3rq5lVSQlvNT9gu2M2bCbk/8741dc155e8f2fa83d2caeb69218ce64/2024-12-02_15-35-48.png)

   > [!TIP] Can also be done from Admin Console
   > Organization [owners, admins, and some custom users](https://bitwarden.com/help/user-types-access-control/) can also take this step directly from the **Admin Console** to skip some of the steps in this process.

2. In the **New collection** panel, give your collection a **Name**, choose the **Organization** it should belong to, and, optionally, select a collection to nest this collection under.

   > [!NOTE] Nested collections
   > Collections can be nested in order to logically organize them within your vault:
   >
   > ![Nested collection in filter column](https://bitwarden.com/assets/7EXnVptHEKQkSfKY1FsOmI/7ffee8ed6f5712cc9fa4419c4eb88b11/Nested_collections_in_filter_column.png)
   >
   > Nested collections are **for display-purposes only**. They will not inherit items, access, or permissions from their "parent" collection.

3. In the **Access** tab, [assign access to any existing members or groups](https://bitwarden.com/help/assign-users-to-collections/). For each selection, assign the appropriate level of [permission](https://bitwarden.com/help/collection-permissions/). As the creator of the collection, you will have **Manage collection** permission.

4. Select **Save** to finish creating your collection.

> [!TIP] External ID (Org Entities)
> The **External Id** field is only relevant if you are using [Directory Connector](https://bitwarden.com/help/directory-sync/) and will be visible in the dialogue when configured using [SCIM](https://bitwarden.com/help/about-scim/), Directory Connector, or the API.

## Next steps

- [Learn about collections](https://bitwarden.com/help/about-collections/) at a conceptual level.
- [Share items with organization members](https://bitwarden.com/help/sharing/) through your new collection.
- [Assign groups and members](https://bitwarden.com/help/assign-users-to-collections/) access to your new collection.
- [Configure the permissions](https://bitwarden.com/help/collection-permissions/) your groups and members have to the collection.
- [Configure collection management settings](https://bitwarden.com/help/collection-management/) for your organization.

--- URL: https://bitwarden.com/help/create-send/ ---

# Create a Send

Anyone can create text Sends, but file Sends can only be created by [premium users](https://bitwarden.com/help/password-manager-plans/) or members of a paid organization (families, teams, or enterprise). Choose the Bitwarden app you want to Send from to get started:

### Web app

To create a new Send from the web app:

1. Select **Send** from the navigation.

   > [!NOTE] About the Send View
   > This view will list Sends that have not reached their [deletion date](https://bitwarden.com/help/send-lifespan/#deletion-date/). Like the **Vaults** view, you can filter your Sends by selecting one of the available **Types**.

2. Select the + **New Send** button:

   ![New Send](https://bitwarden.com/assets/63ReMUtu41rk0xNrxr6aHF/76e84697397cad9915a24d0f37f58374/2024-12-03_10-06-39.png)

3. On the **New Send** dialog, specify the following:

   - **What type of Send is this?**: Choose whether this Send will be **Text** or a **File**:

     | **Type** | **Steps** |
     |------|------|
     | **Text** | Type or paste the desired text into the input box. Toggle the **When accessing the Send, hide the text by default** option to require recipients to [toggle visibility](https://bitwarden.com/help/send-privacy/#hide-text/) when they open a Send. Sends may not exceed 1000 characters encrypted. When saved, the character count of a Send's text is increased due to encryption, meaning that a 700-character Send will scale to ~1,000 characters when it comes into contact with Bitwarden, triggering this error. As a rule of thumb, character counts will grow between 30-50% when encrypted. |
     | **File** | Select the **Choose File** button and browse for the file to Send. The maximum file size per Send is 500 MB (100 MB on Mobile). (**Requires Premium** & Verified Email) |

   - **Name**: Choose an identifiable, meaningful name for this Send.
   - By default, a Send is scheduled for deletion seven days from its creation. You can change this and other options using the [angle-down] **Options** menu (see Step 4), otherwise select **Save** to finish creating your Send.

4. Select the [angle-down] **Options** menu to configure the following options as needed:

   | **Option** | **Description** |
   |------|------|
   | **Deletion date** | The Send will be permanently [deleted](https://bitwarden.com/help/send-lifespan/#deletion-behavior/) on the specified date and time. By default, seven days from creation. The **maximum allowed value** is 30 days from creation. |
   | **Maximum access count** | The Send will be [disabled](https://bitwarden.com/help/send-lifespan/#maximum-access-count-behavior/) after the specified access count is reached. By default, unspecified. |
   | **Password** | [Require a password](https://bitwarden.com/help/send-privacy/#send-passwords/) to be entered by recipients of this Send in order to gain access. |
   | **Notes** | Enter private notes for this Send, which will only be visible to you. |
   | **Hide my email address from recipients** | [Hide your email](https://bitwarden.com/help/send-privacy/#hide-email/) from Send recipients. |
   | **Deactivate this Send so that no one can access it** | Check this box to prevent this Send from being accessible to any recipients. You will still be able to interact with this Send from your Send view. |

   > [!TIP] Create Send (Rest of this section)
   > The rest of this section covers copying a send link to your clipboard, but you can do that automatically by checking the **Copy the link to share this Send to my clipboard upon save** option before you click **Save**.

   Once you are happy with your Send, select **Save** to finish.

Once your Send is created, use the ⋮ **Options** menu and select the [clone] **Copy Send link** button to copy the generated link to your clipboard:

![Send options](https://bitwarden.com/assets/6y6TJ0P7YbMza7p90kxu6X/929e10a4eac5d842b4cf283d46a41824/2024-12-03_10-09-52.png)

Once copied, share your Send link with intended recipients however you prefer. Sends are end-to-end encrypted, so you don't need to worry about exposing any data to whatever intermediary communications services you use.

### Browser extension

To create a new Send from a browser extension:

1. Select the [send-f] **Send** tab.

   > [!NOTE] About the Send View
   > This view will list Sends that have not reached their [deletion date](https://bitwarden.com/help/send-lifespan/#deletion-date/). Like the **Vaults** view, you can filter your Sends by selecting one of the available **Types**.

2. Select the + **New** button and choose **Text** or **File**:

   ![Send view in a browser extension](https://bitwarden.com/assets/2qOv6DJYX1is2zurmeVBOd/b7a99ad66a86a39cec32f4136209e49c/2024-12-03_10-14-26.png)

3. On the **Add Send** view, specify the following:

   - **Name**: Choose an identifiable, meaningful name for this Send.
   - Some options will depend on whether you selected **Text** or **File**:

     | **Type** | **Steps** |
     |------|------|
     | **Text** | Type or paste the desired text into the input box. Toggle the **When accessing the Send, hide the text by default** option to require recipients to [toggle visibility](https://bitwarden.com/help/send-privacy/#hide-text/) when they open a Send. Sends may not exceed 1000 characters encrypted. When saved, the character count of a Send's text is increased due to encryption, meaning that a 700-character Send will scale to ~1,000 characters when it comes into contact with Bitwarden, triggering this error. As a rule of thumb, character counts will grow between 30-50% when encrypted. |
     | **File** | Select the **Choose File** button and browse for the file to Send. The maximum file size per Send is 500 MB (100 MB on Mobile). (**Requires Premium** & Verified Email). |

   By default, a Send is scheduled for deletion seven days from its creation. You can change this and other options using the [angle-down] **Options** menu (see Step 4), otherwise select **Save** to finish creating your Send.

   > [!NOTE] Firefox and Safari browser send
   > To create a send while using the Firefox or Safari browser extension, you must open the extension in the side bar or select the popout button:
   >
   > ![Browser extension pop-out](https://bitwarden.com/assets/1cbJy0jLBmSQmRumvYzVwp/a9e43f4c154686249056924eb3e56323/pop_out_screenshot.png)

4. Select the [angle-down] **Options** menu to configure the following options as needed:

   | **Option** | **Description** |
   |------|------|
   | **Deletion date** | The Send will be permanently [deleted](https://bitwarden.com/help/send-lifespan/#deletion-behavior/) after the specified period of time. By default, seven days from creation. The **maximum allowed value** is 31 days from creation. |
   | **Limit views** | The Send will be [disabled](https://bitwarden.com/help/send-lifespan/#maximum-access-count-behavior/) after the specified access count is reached. By default, unspecified. |
   | **Password** | [Require a password](https://bitwarden.com/help/send-privacy/#send-passwords/) to be entered by recipients of this Send in order to gain access. |
   | **Notes** | Enter private notes for this Send, which will only be visible to you. |
   | **Hide your email address from recipients** | [Hide your email](https://bitwarden.com/help/send-privacy/#hide-email/) from Send recipients. |

   Once you are happy with your Send, select **Save** to finish.

You can copy the Send link immediately from the next screen, or copy it later from the Send view:

![Copy a Send link](https://bitwarden.com/assets/1lLksK7QbomKPRueO41c4d/577dd2fa3ded7726096291dc4a217cd2/2024-12-03_10-19-23.png)

Once copied, share your Send link with intended recipients however you prefer. Sends are end-to-end encrypted, so you don't need to worry about exposing any data to whatever intermediary communications services you use.

### Desktop

To create a new Send from a desktop app:

1. Select the [send-f] **Send** tab.

   > [!NOTE] About the Send View
   > This view will list Sends that have not reached their [deletion date](https://bitwarden.com/help/send-lifespan/#deletion-date/). Like the **Vaults** view, you can filter your Sends by selecting one of the available **Types**.

2. Select the + **Add** icon at the bottom of the center column:

   ![Send view in a Desktop App](https://bitwarden.com/assets/2O01p5FyMpUhlhi5bAq7mH/81a2ada22c9f66ed98ef9bda299e40fa/Create-Send_1.png)

3. In the right-most column, specify the following:

   - **Name**: Choose an identifiable, meaningful name for this Send.
   - **Type**: Choose whether this Send will be **Text** or a **File**:

     | **Type** | **Steps** |
     |------|------|
     | **Text** | Type or paste the desired text into the input box. Toggle the **When accessing the Send, hide the text by default** option to require recipients to [toggle visibility](https://bitwarden.com/help/send-privacy/#hide-text/) when they open a Send. Sends may not exceed 1000 characters encrypted. When saved, the character count of a Send's text is increased due to encryption, meaning that a 700-character Send will scale to ~1,000 characters when it comes into contact with Bitwarden, triggering this error. As a rule of thumb, character counts will grow between 30-50% when encrypted. |
     | **File** | Select the **Choose File** button and browse for the file to Send. The maximum file size per Send is 500 MB (100 MB on Mobile). (**Requires Premium** & Verified Email). |

   By default, a Send is scheduled for deletion seven days from its creation. You may change this and other options using the [angle-down] **Options** menu (see Step 4), otherwise select **Save** to finish creating your Send.

4. Select the [angle-down] **Options** menu to configure the following options as needed:

   | **Option** | **Description** |
   |------|------|
   | **Deletion date** | The Send will be permanently [deleted](https://bitwarden.com/help/send-lifespan/#deletion-behavior/) on the specified date and time. By default, seven days from creation. The **maximum allowed value** is 31 days from creation. |
   | **Expiration date** | The Send will [expire](https://bitwarden.com/help/send-lifespan/#expiration-behavior/) on the specified date and time. |
   | **Maximum access count** | The Send will be [disabled](https://bitwarden.com/help/send-lifespan/#maximum-access-count-behavior/) after the specified access count is reached. By default, unspecified. |
   | **Password** | [Require a password](https://bitwarden.com/help/send-privacy/#send-passwords/) to be entered by recipients of this Send in order to gain access. |
   | **Notes** | Enter private notes for this Send, which will only be visible to you. |
   | **Hide my email address from recipients** | [Hide your email](https://bitwarden.com/help/send-privacy/#hide-email/) from Send recipients. |
   | **Disable this Send so that no one can access it** | Check this box to prevent this Send from being accessible to any recipients. You will still be able to interact with this Send from your Send view. |

   > [!TIP] Create Send (Rest of this section)
   > The rest of this section covers copying a send link to your clipboard, but you can do that automatically by checking the **Copy the link to share this Send to my clipboard upon save** option before you click **Save**.

   Once you are happy with your Send, select **Save** to finish.

Once your Send is created, select the [clone] **Copy Link** button to copy the generated link to your clipboard:

![Copy a Send link](https://bitwarden.com/assets/2PKATwmgbJ62JneH274vho/6728cd78ae7100aa314141ec97d658a1/create-send-2.png)

Once copied, share your Send link with intended recipients however you prefer. Sends are end-to-end encrypted, so you don't need to worry about exposing any data to whatever intermediary communications services you use.

### Mobile

To create a new Send from a mobile app:

1. Tap the [send-f] **Send** tab.

   > [!NOTE] About the Send View
   > This view will list Sends that have not reached their [deletion date](https://bitwarden.com/help/send-lifespan/#deletion-date/). Like the **Vaults** view, you can filter your Sends by selecting one of the available **Types**.

2.
Tap the + **Add** icon: ![Send on mobile](https://bitwarden.com/assets/5vHsSA3o9O735MitlnOPVr/9d05ea07a2f1106cb84fc398304ffeb8/2025-01-22_09-57-19.png) 3. On the **Add Send** view, specify the following: - **Type**: Choose whether this Send will be **Text** or a **File**: | **Type** | **Steps** | |------|------| | **Text** | Type or paste the desired text into the input box. Toggle the **When accessing the Send, hide the text by default**option to require recipients to [toggle visibility](https://bitwarden.com/help/send-privacy/#hide-text/) when they open a Send. Sends may not exceed 1000 characters encrypted. When saved, the character count of a Send's text is increased due to encryption, meaning that an 700-character Send will scale to ~1,000 characters when it comes into contact with Bitwarden, triggering this error. As a rule of thumb, character counts will grow between 30-50% when encrypted. | | **File** | Select the **Choose File**button and browse for the file to Send. The maximum file size per Send is 500 MB (100 MB on Mobile). (**Requires Premium**& Verified Email). | - **Name**: Choose an identifiable, meaningful name for this Send. - By default, a Send is scheduled for deletion seven days from its creation. You may change this and other options using the [angle-down] **Additional options** menu (see Step 4), otherwise tap **Save** to finish creating your Send. 4. Tap the [angle-down] **Additional options** menu to configure the following options as needed: | **Option** | **Description** | |------|------| | **Deletion date** | The Send will be permanently [deleted](https://bitwarden.com/help/send-lifespan/#deletion-behavior/) on the specified date and time. By default, seven days from creation. The **maximum allowed value**is 31 days from creation. | | **Maximum access count** | The Send will be [disabled](https://bitwarden.com/help/send-lifespan/#maximum-access-count-behavior/) after the specified access count is reached. By default, unspecified. 
| | **Password** | [Require a password](https://bitwarden.com/help/send-privacy/#send-passwords/) to be entered by recipients of this Send in order to gain access. | | **Notes** | Enter private notes for this Send, which will only be visible to you. | | **Hide my email address from recipients** | [Hide your email](https://bitwarden.com/help/send-privacy/#hide-email/) from Send recipients. | Once you are happy with your Send, tap **Save** to finish. Once your Send is created, your device's share menu will slide up for easy sharing of your send. You can also share a send at any time using the ⋯ options by choosing the **Share link** option: ![Share a send on mobile](https://bitwarden.com/assets/6WZTQUop3KXnQKoGqgVzgu/235fe28ba18dcbef097ab7141d477cdc/2025-01-22_10-00-14.png) > [!TIP] Send via iOS Share Menu > If you are using iOS, you can also share your send directly from the iOS [Share Menu](https://developer.apple.com/design/human-interface-guidelines/ios/extensions/sharing-and-actions/). Share your Send link with intended recipients however you prefer. Sends are end-to-end encrypted, so you don't need to worry about exposing any data to whatever intermediary communications services you use. ### CLI The following are sample commands to help you get started using Send from the CLI. For more examples and help writing your own send command, we recommend reading [Send from CLI](https://bitwarden.com/help/send-cli/). To create a simple text Send with a [deletion date](https://bitwarden.com/help/send-lifespan/#deletion-date/) set to 14 days from creation: ``` bw send -n "My Text Send" -d 14 "My first secret message." 
``` To create a simple file Send with a [deletion date](https://bitwarden.com/help/send-lifespan/#deletion-date/) set to 14 days from creation: ``` bw send -n "My File Send" - d 14 -f /Users/myaccount/Documents/my_file.pdf ``` --- URL: https://bitwarden.com/help/custom-fields/ --- # Custom Fields Custom fields, available for any [vault item type](https://bitwarden.com/help/managing-items/), allow you to store additional well-structured data fields for a vault item. Custom fields are saved as `Name:Value` pairs, and can be one of four types: - **Text**: Field value stores a freeform input (text, numbers, and more). - **Hidden**: Field value stores freeform input that is hidden from view (particularly useful for organizations using the [Hide Password access control](https://bitwarden.com/help/user-types-access-control/#granular-access-control/)). - **Checkbox**: (**Boolean** on some clients) Field value stores a boolean value (true/false). - **Linked**: Field value is linked to the item's username or password. Given the [right field name](https://bitwarden.com/help/custom-fields/#custom-field-names/), linked custom fields can be used to solve issues where your browser extension can't autofill usernames and passwords for a particular site ([learn more](https://bitwarden.com/help/auto-fill-custom-fields/#using-linked-custom-fields/)). > [!NOTE] custom fields for keys > **Custom fields for keys** > > In addition to common web service inputs like PINs and security questions, custom fields can be used to store values up to 5000 characters in length, for example RSA 4096-bit SSH keys. > > Character limits for custom field values are imposed on the **post-encryption character count**. For example, a 3383-character RSA-4096 Private SSH key would grow to about 4400-characters when it's encrypted and stored in your Vault. 
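
Both post-encryption limits on this page (1000 characters for Send text, 5000 for a custom field value) can be estimated before saving. The sketch below is an added example, not Bitwarden's code: it assumes the stored value has the `2.<iv>|<ciphertext>|<mac>` base64 layout of AES-256-CBC with an HMAC-SHA256 tag, its function names are illustrative, and its results are estimates.

```python
"""Estimate the stored (post-encryption) length of a Bitwarden text value.

Added example, not Bitwarden's code. Assumption: the value is stored as
"2.<iv>|<ciphertext>|<mac>", each part base64-encoded, produced by
AES-256-CBC (PKCS#7 padding) with an HMAC-SHA256 tag.
"""
import base64

SEND_TEXT_LIMIT = 1000      # from the page: Send text, encrypted characters
CUSTOM_FIELD_LIMIT = 5000   # from the page: custom field value, encrypted characters

AES_BLOCK = 16   # bytes per AES block
IV_BYTES = 16    # CBC initialization vector
MAC_BYTES = 32   # HMAC-SHA256 tag


def padded_size(n_bytes: int) -> int:
    """PKCS#7 always appends 1..16 bytes, so an exact multiple gains a full block."""
    return (n_bytes // AES_BLOCK + 1) * AES_BLOCK


def placeholder_encstring(n_bytes: int) -> str:
    """Zero-filled string with the same shape as the stored value (no real crypto)."""
    def part(size: int) -> str:
        return base64.b64encode(bytes(size)).decode("ascii")
    return f"2.{part(IV_BYTES)}|{part(padded_size(n_bytes))}|{part(MAC_BYTES)}"


def encrypted_length(plaintext: str) -> int:
    """Stored character count; it depends on UTF-8 bytes, not on typed characters."""
    return len(placeholder_encstring(len(plaintext.encode("utf-8"))))


def fits(plaintext: str, limit: int) -> bool:
    """True if the estimated stored form stays within `limit` characters."""
    return encrypted_length(plaintext) <= limit


def max_plaintext_bytes(limit: int) -> int:
    """Largest UTF-8 byte count whose stored form fits in `limit` (-1 if none)."""
    n = limit
    while n >= 0 and len(placeholder_encstring(n)) > limit:
        n -= 1
    return n


if __name__ == "__main__":
    samples = {  # constructed inputs
        "700 ASCII characters": "A" * 700,
        "400 accented characters": "\u00e9" * 400,   # 2 bytes each in UTF-8
        "3383 ASCII characters": "A" * 3383,
    }
    for label, text in samples.items():
        stored = encrypted_length(text)
        print(f"{label}: {stored} stored characters, "
              f"Send text ok={stored <= SEND_TEXT_LIMIT}, "
              f"custom field ok={stored <= CUSTOM_FIELD_LIMIT}")
    print("largest Send text, in bytes:", max_plaintext_bytes(SEND_TEXT_LIMIT))
    print("largest custom field value, in bytes:", max_plaintext_bytes(CUSTOM_FIELD_LIMIT))
```

Because the estimate works on UTF-8 bytes, text with accented or non-Latin characters reaches a limit at a lower character count than plain ASCII does.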
## Creating custom fields

Custom fields can be added to a vault item from any Bitwarden client using the **Custom Fields** section of the **Edit Item** panel:

![Custom fields in web app](https://bitwarden.com/assets/NoGCwyAZcnzss1EeYXKD1/23a7e619dfdcb4baa023f54923335050/2024-12-02_14-52-43.png)

### Custom field names

The specified **Name** is important to get right in order to successfully [autofill a custom field](https://bitwarden.com/help/auto-fill-custom-fields/). Using the Bitwarden browser extension, you can quickly get the correct field name using the **Copy custom field name** option in the context menu (in most cases, by right-clicking on the form element):

![Copy custom field name](https://bitwarden.com/assets/5nnPLqyzgAhDCinQNB0uUC/a721194f39f0a8fa919066d73ff9e2c8/2024-10-29_10-50-34.png)

Selecting this context menu option will copy the form element's `id`, `name`, `aria-label`, or `placeholder` value (in that order of preference).

Once you have saved a custom field, you can [autofill it from the browser extension](https://bitwarden.com/help/auto-fill-custom-fields/).

#### Find custom field names manually

If you don't use the browser extension, the best way to find a field name is to use your web browser's developer tools, as in the following example:

[![Vimeo Video](https://vumbnail.com/1139125687.jpg)](https://vimeo.com/1139125687)

*[Watch on Vimeo](https://vimeo.com/1139125687)*

To locate a custom field name:

1. On the webpage with the custom field, right-click the field you want to autofill and select **Inspect**. The HTML element will open and be highlighted in the developer console.
2. Find and copy the element `id` (find `id="xxx"`, where `xxx` is the element's `id` value).
3. In the relevant vault item's **Custom fields** section, choose the appropriate field type and select the + **New custom field** button.
4. Paste the copied element `id` in the **Name** field.
5. Specify the desired information to be autofilled (in the above example, a telephone number) in the **Value** field.
6. Save the vault item.

Once you have saved a custom field, you can [autofill it from the browser extension](https://bitwarden.com/help/auto-fill-custom-fields/).

### More about custom field names

#### Order of preference

If you are naming a custom field manually, you should use one of the following HTML form element attributes/values **in order of preference**:

1. HTML form element's `id` attribute.
2. HTML form element's `name` attribute.
3. HTML form element's `aria-label` attribute.
4. HTML form element's `placeholder` attribute.

#### Matching

Field name matching is an **exact** and **case-insensitive** comparison. For example, if your custom field has the name `PIN`:

- **Autofill is offered** for `pin`, `PiN`, `PIN`, etc.
- **Autofill is not offered** for `pin2` or `mypin`.

#### Prefixing

There are two cases in which you can exercise more control over [matching](https://bitwarden.com/help/custom-fields/#matching/) by using prefixes:

- **csv**: Prefixing your custom field's name with `csv=` allows you to specify multiple names to search for and compare against for autofill, for example `csv=pin,mypin,pincode`.
- **regex**: Prefixing your custom field's name with `regex=` allows you to perform [regular expression comparisons](https://regexone.com) when autofill is performed. For example, `regex=^first.*name` will offer autofill for `firstName`, `First_name`, and `First Name`.

--- URL: https://bitwarden.com/help/customer-activation-kit/ ---

# Customer Activation Kit

Welcome to the Bitwarden Customer Activation Kit. This comprehensive toolkit provides everything admins and IT teams need to build excitement, communicate password security benefits, and turn your end users into security champions. Whether you're rolling out to a small team or enterprise-wide deployment, these resources support successful adoption at any scale.
## One-pagers

Introduce Bitwarden to your teams with comprehensive one-page explainer documents:

- [One-page explainer for end users](https://start.bitwarden.com/hubfs/PUBLIC_bitwarden-intro.pdf): a concise, user-friendly overview
- [One-page explainer for admins and IT teams](https://start.bitwarden.com/hubfs/PUBLIC_bitwarden-1page.pdf): covers deployment tips and core product benefits
- [Posters for internal promotion](https://bitwarden.com/resources/bitwarden-posters/): eye-catching, on-brand printables to keep Bitwarden top of mind

![one-pagers](https://bitwarden.com/assets/2lOqXRI2qegaZGm0OfxBtx/0a9c2ba06794fa18627f2d7790201a7e/one-pagers.png)

## Videos

Understand Bitwarden quickly, or explore comprehensive training with these videos:

- [Bitwarden in 30 Seconds](https://vimeo.com/799946080): high-level introduction
- [Overview of individual vs. organization vault](https://vimeo.com/823390347): ensuring proper separation of individual and organizational credentials
- [Bitwarden 101 admin walkthrough](https://youtube.com/playlist?list=PL-IZTwAxWO4XtrO78m2GrHRGS_YKzNmYW&si=R5ihNY1HMIonViMY): comprehensive training videos covering organization setup, organizational reporting capabilities, and user management best practices
- Additional [b-roll](https://vimeo.com/showcase/11841052) and [educational clips](https://drive.google.com/drive/folders/1nZiUlOA5b5ljjnG29R_mqhKVn8uTIEts?usp=drive_link): suitable for internal presentations or onboarding decks

![videos](https://bitwarden.com/assets/3u8EFXlixwuVXCsvh5eJJZ/e74695e3d4d70527195556580860f924/videos.png)

## Documentation and templates

Step-by-step documentation, templates, and resources to help teams embrace credential management:

- [Admin and owner onboarding templates](https://bitwarden.com/help/customer-success-hub/): pre-written email templates for effective team communication throughout deployment, including welcome emails, admin onboarding sequences, and end user engagement campaigns
- End user training resources: user-friendly tutorials providing step-by-step instruction on core Bitwarden features, [understanding vault item types](https://bitwarden.com/learning/individual-and-organizational-vaults/).
- Importing passwords from [Chrome](https://bitwarden.com/help/import-from-chrome/#export-from-chrome/), [macOS and Safari](https://bitwarden.com/help/import-from-safari/), [Firefox](https://bitwarden.com/help/import-from-firefox/).
- [Disabling browser autofill and password storage](https://bitwarden.com/help/disable-browser-autofill/): instructions to replace browser-based password storage with Bitwarden's secure autofill capabilities

![documentation](https://bitwarden.com/assets/6fQemeZ7Iqy11zxI7bjua7/0507c44e665cbb6796406b985c0c6a7a/documentation.png)

## Bitwarden merch

Spread Bitwarden awareness with physical and digital merch:

- [Magic Background Maker](https://bitwarden.com/magic-background/): Enhance your team's virtual meetings with branded backgrounds when using the new Magic Background Maker
- [Password Security Animations](https://bitwarden.com/blog/password-security-gifs/): Fun animated digital swag featuring boy bands and judgmental squirrels to make your security communications actually entertaining
- [The Bitwarden Shop](https://bitwarden.com/shop/): Encourage adoption by delivering Bitwarden-exclusive swag directly to your team

![store](https://bitwarden.com/assets/37t7bjm21Y8wVkbFvKtJ5p/b9bf3d9b6dc6ffce833c046e54d5803b/store.png)

## Brand and design resources

Stay on-brand when creating your own assets:

- [Bitwarden brand guidelines and downloads](https://bitwarden.com/brand/)
- Product mockups and imagery:
  - [Bitwarden Password Manager](https://drive.google.com/drive/folders/10LNjuihl6PBWRef-CenXrJNNi1fu-N0P?usp=sharing)
  - [Bitwarden Secrets Manager](https://drive.google.com/drive/folders/1_NWWPeecq5FRZwXimAhOw2g6gazaT6Mn?usp=sharing)

--- URL: https://bitwarden.com/help/customer-success-hub/ ---

# Customer Success Hub

This resource hub provides IT and security leaders with a proven path to password security success, offering a curated set of guides, checklists, resources, and milestones.

![customer success hub image](https://bitwarden.com/assets/7M9VtPT5qIOVXVYGRfnoPw/3fcb1643e0ab11fec200dd90b0d0754a/Screenshot_2025-07-23_at_6.24.51â__PM.png)

## Awareness: Discovery and validation

You’re new to enterprise password management and recognize the need for better password security within your organization. These materials will help you understand your options and make an informed decision.

- [Why enterprises need password management:](https://bitwarden.com/resources/why-enterprises-need-a-password-manager/#because-a-password-manager-is-critical-to-staying-safe-online/) This resource outlines why securing credentials is foundational to every other security investment you make.
- [Credential management in the enterprise:](https://bitwarden.com/blog/credential-management-in-the-enterprise/) Besides passwords, your enterprise needs to protect secrets, passkeys, and more. Learn how Bitwarden offers centralized control and governance across all types of credentials, not just passwords.
- [Password management maturity model:](https://bitwarden.com/resources/password-management-maturity-model/) This model helps you benchmark progress, identify gaps, and chart a path toward a mature, secure, and scalable approach to password management.

## Evaluation: Requirements, assessment, decision

For teams that are actively comparing, evaluating, and trialing solutions, the resources below will help you see how Bitwarden fits your needs.

**Set requirements**

- [Critical capabilities for enterprise password management:](https://bitwarden.com/resources/critical-capabilities-for-enterprise-password-management/) Explore the must-have features that set enterprise-grade password managers apart, from secure credential sharing and role-based access control to integration with SSO, SCIM provisioning, and audit logs.
- [Password management for global organizations:](https://bitwarden.com/resources/password-management-for-global-organizations/) Learn how Bitwarden supports distributed workforces with multilingual interfaces, compliance, and secure access for users in every location, ideal for multinational teams operating at scale.
- [The credential lifecycle starts with central ownership:](https://bitwarden.com/resources/credential-lifecycle-management-security-perspective/#how-bitwarden-supports-credential-lifecycle-management/) Understand why centralized control over credentials is foundational to security. See how Bitwarden enables IT and security teams to manage credential creation, storage, access, rotation, and revocation across the full lifecycle.

**Make an assessment**

- [Prepare your trial for production:](https://bitwarden.com/help/prepare-your-org-for-prod/) Get the most from your Bitwarden trial. This resource walks you through key setup steps and considerations to ensure your trial mirrors a production-ready environment.
- [Enterprise trial guide:](https://bitwarden.com/resources/enterprise-trial-guide/) A step-by-step guide to planning, configuring, and evaluating a successful enterprise trial of Bitwarden.

**Leadership alignment**

- [InfoTech Data Quadrant Report](https://bitwarden.com/go/password-management-data-quadrant-report/): See how Bitwarden ranks across key satisfaction and feature categories in a third-party comparison of password management vendors, based on real user feedback from IT leaders.
- [G2 Grid Report:](https://bitwarden.com/blog/bitwarden-g2-enterprise-grid/) Bitwarden's top rankings in the G2 Grid Report reflect high satisfaction, ease of use, and market presence. Compare peer reviews and ratings to see how Bitwarden stacks up against competitors.
- [Convince your leadership team:](https://bitwarden.com/resources/bitwarden-business-insights-report/) Arm your executive stakeholders with data on password-related risks, user behavior, and IT priorities, based on enterprise customer findings from security and IT professionals across industries.
- [Build company-wide alignment:](https://bitwarden.com/resources/successful-top-down-approach-with-your-password-manager/) Learn how security-conscious organizations secure buy-in from executives and champion a security-first culture, starting at the top.

## **Onboarding: Training, setup, and rollout**

Congratulations! You’ve selected Bitwarden as your password manager. Now it’s time to implement Bitwarden into your current systems, train your teams, prepare for a successful deployment, and introduce password management to users across your company.

**Technical foundation setup**

- [Enterprise Password Manager implementation guide:](https://bitwarden.com/resources/bitwarden-enterprise-password-manager-implementation-guide/) Step-by-step instructions on how to successfully launch Bitwarden Password Manager across your teams.
- [Cloud setup checklist](https://bitwarden.com/help/cloud-setup-checklist/): A checklist to guide your team through setting up Bitwarden in the cloud. Covers key steps from account creation to policy configuration.
- [Self host setup checklist](https://bitwarden.com/help/self-host-setup-checklist/): A checklist for a successful self-hosted deployment, including infrastructure requirements and installation steps.

**Prepare for rollout**

- [Bitwarden onboarding playbook](https://bitwarden.com/help/bitwarden-onboarding-playbook/): A comprehensive 5-phase implementation roadmap for IT administrators, complete with actionable checklists and step-by-step recommendations to ensure successful user adoption across your organization.
- [Announcement slide deck template](https://docs.google.com/presentation/d/1zK8NDB6E8ID_ok_yxn5x5qjO7mzeI5CZ-kqcOsfcQcU/edit?slide=id.g37260cb3e91_1_0#slide=id.g37260cb3e91_1_0): Slide deck template to announce the Bitwarden Password Manager to your whole organization.
- [Welcome email templates:](https://bitwarden.com/help/welcome-email-templates/) Email templates to announce the Bitwarden Password Manager rollout to your end users, administrative users, and IT teams.
- [Admin team onboarding emails:](https://bitwarden.com/help/admin-team-onboarding-emails/) Onboarding emails automatically sent to new business admins and owners. Read them all at once or grab them and adapt them to your team's needs.
- [Onboarding workflows:](https://bitwarden.com/help/onboarding-workflows/) Guidance for onboarding users across different organizational setups, whether you’re using SSO, SCIM, manual provisioning, or directory sync.
- [Onboarding checklist](https://bitwarden.com/help/onboarding-checklist/): A practical, ready-to-use checklist to help IT and security teams confidently onboard users to Bitwarden.

## **Adoption: Training, engagement, and building momentum**

How do you ensure your investment pays off, with everyone using Bitwarden and embracing new password security habits? These materials will help you boost engagement and usage, while preparing your team to adopt advanced features.

**Drive strong usage and behavior change**

- [End-user adoption emails:](https://bitwarden.com/help/end-user-adoption-emails/) Emails automatically sent to Bitwarden Enterprise and Teams admins and owners to help increase overall team adoption of their new password manager. Read them all at once or grab them and adapt them to your team's needs.
- [Change management success story:](https://bitwarden.com/resources/90-adoption-across-220-employees-in-4-months-one-agencys-success-story/) These change strategies helped this customer achieve 90% adoption in under 4 months.
- [Adoption checklist](https://bitwarden.com/help/adoption-checklist/): This checklist helps ensure Bitwarden becomes an everyday part of your team’s security habits.

**Get the most out of Bitwarden**

- [Bitwarden newsletter:](https://bitwarden.com/newsletter-subscribe/) Stay informed and knowledgeable on the latest from Bitwarden.
- [Product updates:](https://bitwarden.com/help/releasenotes/) Get release news for product enhancements and capabilities.
- [Bitwarden community:](https://community.bitwarden.com) Where security enthusiasts gather for feature requests, best practices, and tips.
- **Custom training:** Dig deeper into advanced functionalities with dedicated training sessions for select customers. Reach out to your account representative for details.

## **Success: Impact, leadership, and innovation**

You’ve built a team of password security champions, and you’re achieving security improvements by minimizing password risks. Now, it’s time to showcase your security success internally and externally.

**Prove Bitwarden is paying off**

- [Security impact report:](https://bitwarden.com/resources/bitwarden-security-impact-report/) Use these insights to build a strong, data-backed business case for investing in enterprise password management.

**Share your success, contribute to the security community**

- [Open Source Security Summit:](https://bitwarden.com/open-source-security-summit/) Share your expertise, spotlight your team's innovation, and contribute to thought leadership shaping the future of secure open source software.
- [Customer reference and success story program:](https://bitwarden.com/case-studies/#case-studies/) Highlight your achievements through case studies, speaking engagements, and press features, while building your brand as a security-forward leader.
- [Influence product roadmap:](https://community.bitwarden.com) As a valued customer, your feedback helps guide development priorities.
- [Bitwarden on GitHub:](https://github.com/bitwarden/) Explore the Bitwarden codebase, contribute to the community, and stay informed on active development.

--- URL: https://bitwarden.com/help/data-storage/ ---

# Data Storage

This article describes where Bitwarden stores your vault data and administrative data.

Bitwarden **always** encrypts and/or hashes your data on your local device before anything is sent to cloud servers for storage. **Bitwarden servers are only used for storing encrypted data.** For more information, see [Encryption](https://bitwarden.com/help/what-encryption-is-used/).

Some encrypted data, including a user's protected symmetric key and master password hash, are also transparently encrypted at rest by the application, meaning they're encrypted and decrypted again as they flow in and out of the Bitwarden database.

Bitwarden additionally uses Azure transparent data encryption (TDE) to protect against the threat of malicious offline activity by performing real-time encryption and decryption of the database, associated backups, and transaction log files at rest.

## On Bitwarden servers

Bitwarden processes and stores all vault data securely in the [Microsoft Azure Cloud](https://en.wikipedia.org/wiki/Microsoft_Azure) in the [US or EU](https://bitwarden.com/help/server-geographies/) using services that are managed by the team at Microsoft. Since Bitwarden only uses service offerings provided by Azure, there is no server infrastructure to manage and maintain. All uptime, scalability, security updates, and guarantees are backed by Microsoft and their cloud infrastructure. Review the [Microsoft Azure Compliance Offerings](https://learn.microsoft.com/en-us/azure/compliance/) documentation for more detail.

Bitwarden maintains point-in-time restore (PITR) policies for disaster recovery. The functionality leveraged by Bitwarden for this purpose **does not** involve creating or storing a BACPAC or otherwise moveable backup file, but instead allows for disaster recovery by reverse-processing transactional logs to make the database consistent with a selected point-in-time (see [Microsoft’s documentation](https://learn.microsoft.com/en-us/azure/azure-sql/database/hyperscale-automated-backups-overview?view=azuresql)). Bitwarden has configured a strict 7-day retention policy for PITR and a policy of no long-term retention.

This functionality is for **disaster recovery purposes only**; users and organizations are responsible for creating and securely storing backups of their own vault data. Blob-stored data, specifically attachments and Send files, are not subject to PITR functionality and are irrecoverable once deleted from Bitwarden.

Don't trust Bitwarden servers? You don't have to. Open source is beautiful. You can easily host the entire Bitwarden stack yourself. You control your data. Learn more [here](https://bitwarden.com/help/install-on-premise-linux/).

## On your local machine

Data that is stored on your computer/device is encrypted and only decrypted when you unlock your vault. Decrypted data is stored **in memory** only and is **never written to persistent storage**.
Encrypted data is stored in the following locations at rest:

#### Desktop app

- Windows
  - Standard installation: `%AppData%\Bitwarden`
  - Microsoft Store installation:

    ```
    %LocalAppData%\Packages\8bitSolutionsLLC.bitwardendesktop_h4e712dmw3xyy\LocalCache\Roaming\Bitwarden
    ```
  - Portable: `.\bitwarden-appdata`
- macOS
  - Standard installations: `~/Library/Application Support/Bitwarden`
  - Mac App Store: `~/Library/Containers/com.bitwarden.desktop/Data/Library/Application Support/Bitwarden`
- Linux
  - Standard installations: `~/.config/Bitwarden`
  - Flatpak: `~/.var/app/com.bitwarden.desktop/`
  - Snap: `~/snap/bitwarden/current/.config/Bitwarden`

> [!NOTE] desktop app storage location
> You can override the storage location for your Bitwarden desktop app data by setting the `BITWARDEN_APPDATA_DIR` environment variable to an absolute path.

#### Browser extension

- Windows
  - Chrome: `%LocalAppData%\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb`
  - Edge: `%LocalAppData%\Microsoft\Edge\User Data\Default\Local Extension Settings\jbkfoedolllekgbhcbcoahefnbanhhlh`
  - Brave: `%LocalAppData%\BraveSoftware\Brave-browser\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb`
  - Vivaldi: `%LocalAppData%\Vivaldi\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb`

  > [!TIP] Default profile in storage location
  > In Chromium browsers, `Default` represents the name of a browser profile. If you've installed Bitwarden under a different profile, substitute that profile's name in the path.

  - Firefox: `%AppData%\Mozilla\Firefox\Profiles\your_profile\storage\default\moz-extension+++[UUID]^userContextId=[integer]`
  - Opera: `%AppData%\Opera Software\Opera Stable\Local Extension Settings\ccnckbpmaceehanjmeomladnmlffdjgn`
- macOS
  - Chrome: `~/Library/Application Support/Google/Chrome/Default/Local Extension Settings/nngceckbapebfimnlniiiahkandclblb`
  - Edge: `~/Library/Application Support/Microsoft Edge/Default/Local Extension Settings/jbkfoedolllekgbhcbcoahefnbanhhlh`

  > [!TIP] Default profile in storage location
  > In Chromium browsers, `Default` represents the name of a browser profile. If you've installed Bitwarden under a different profile, substitute that profile's name in the path.

  - Firefox: `~/Library/Application Support/Firefox/Profiles/your_profile/storage/default/moz-extension+++[UUID]^userContextID=[integer]`
  - Safari: `~/Library/Safari/Databases`
- Linux
  - Chrome: `~/.config/google-chrome/Default/Local Extension Settings/nngceckbapebfimnlniiiahkandclblb`
  - Edge: `~/.config/microsoft-edge/Default/Local Extension Settings/jbkfoedolllekgbhcbcoahefnbanhhlh`

  > [!TIP] Default profile in storage location
  > In Chromium browsers, `Default` represents the name of a browser profile. If you've installed Bitwarden under a different profile, substitute that profile's name in the path.

  - Firefox: `~/.mozilla/firefox/your_profile/storage/default/moz-extension+++[UUID]^userContextID=[integer]`

> [!NOTE] Firefox UUID
> To enhance security, Firefox uses universally unique identifiers (UUIDs) within extension storage folder names. In the address bar, navigate to `about:debugging#/runtime/this-firefox` to locate your Bitwarden extension UUID. Replace `[UUID]` with that value.
>
> Firefox also allows users to customize where to store their profiles (and thus local Bitwarden extension data). The location specified above is the default.

#### Mobile

- iOS: app group for `group.com.8bit.bitwarden`
- Android: `/data/data/com.x8bit.bitwarden/`

#### Web

- Chrome: ⋮ **Menu → More Tools → Developer Tools**, then select **Application → Local storage**.
- Safari: **Develop → Show Web Inspector → Storage → Local Storage**.
- Firefox: ☰ **Menu → More tools → Web Developer Tools → Storage → Local Storage**.
- Edge: ⋯ **Menu → More tools → Developer tools → Application → Local storage**.
- Opera:
  - Windows: **Menu → Developer → Developer Tools → Application → Local storage**.
  - macOS: **Developer → Developer Tools → Application → Local storage**.

#### CLI

- Windows: `%AppData%\Bitwarden CLI`
- macOS: `~/Library/Application Support/Bitwarden CLI`
- Linux: `~/.config/Bitwarden CLI`

> [!NOTE] Bitwarden CLI Location
> You can override the storage location for your Bitwarden CLI app data by setting the `BITWARDENCLI_APPDATA_DIR` environment variable to an absolute path.

--- URL: https://bitwarden.com/help/database-options/ ---

# Database Options

## Default database for server deployments

All Bitwarden self-hosted server deployments, except for [unified](https://bitwarden.com/help/install-and-deploy-lite/), ship with an MSSQL Express image by default. This colocates your encrypted vault data with the application containers and simplifies deployments by ensuring that updates, maintenance, and backups are delivered concurrently with the rest of the code.

This default database does not require additional licensing and is pre-configured to Bitwarden standards to securely store and automatically back up vault data ([learn more](https://bitwarden.com/help/backup-on-premise/)).

### Using an external database for server deployments

In those self-hosted server deployments that are shipped with an MSSQL Express image, use of that container is optional.
For high availability or to leverage existing infrastructure, customers may connect to an external MSSQL server or cluster of version 2022 ([learn more](https://bitwarden.com/help/external-db/)).

Regardless of whether you use the included MSSQL Express image or your own external MSSQL server or cluster, standard Bitwarden deployments must currently use MSSQL.

## Databases for Unified deployments

Bitwarden unified self-host deployments do not ship with a built-in database, but can connect to an existing MySQL/MariaDB, MSSQL, SQLite, or PostgreSQL database ([learn more](https://bitwarden.com/help/install-and-deploy-lite/)). As this database is not colocated with the application container, database maintenance from an infrastructural perspective, including updates, maintenance, and backups, must be managed separately.

Only Unified deployments support these database options; standard deployments require MSSQL.

## Optional database jobs

### Database preparation

In non-unified self-host deployments, Bitwarden will check for the existence of the database specified in the constructed connection string and, if it doesn't exist, create it. This job requires the configured SQL user to have administrative privileges within the database server. Insufficient privileges will cause this job to fail.

If you are deploying your own external database, deactivate this deployment step by setting the following environment variable in `global.override.env`:

```plain text
globalSettings__sqlServer__skipDatabasePreparation=true
```

### Database maintenance

In all self-hosted deployments, including unified, Bitwarden runs scheduled jobs on the database to perform routine maintenance, such as computing database statistics and building indices. These jobs require the configured SQL user to have administrative privileges within the database server. Insufficient privileges will cause these jobs to fail, and the failure will be logged to the `admin` container logs.

If you prefer to run these maintenance jobs as a separate user, deactivate this behavior by setting the following environment variable in `global.override.env`:

```plain text
globalSettings__sqlServer__disableDatabaseMaintenanceJobs=true
```

> [!NOTE] Skipping database maintenance jobs
> If you deactivate database maintenance jobs, manually review database clean-up and index creations regularly.

--- URL: https://bitwarden.com/help/deactivate-browser-password-managers/ ---

# Deactivate Browser Password Managers Using Device Management

This article explains how to disable the built-in password managers of various web browsers using group policy. These steps will help prevent corporate logins from being saved and synchronized to personal accounts. You may also consider deploying the [Bitwarden browser extension to all browsers](https://bitwarden.com/help/browserext-deploy/) as part of this same policy.

## Disable with Windows GPO

### Disable Edge

1. Open Group Policy Management Editor on your managing Windows server.
2. [Download the appropriate Edge Policy Template](https://www.microsoft.com/en-us/edge/business/download?form=MA13FJ).
3. In Group Policy Editor, create a new GPO for Edge and provide an appropriate name.
4. Choose your desired scope.
5. Right-click the new Group Policy **Object** → **Edit**.
6. On the Group Policy Management Editor, go to **User Configuration** → **Policies** → **Administrative Templates** → **Microsoft Edge**.
7. Set the following policies:
   - Open "Password manager and protection" and disable the policy **Enable saving passwords to the password manager**.
   - Disable the policy **Enable AutoFill for addresses**.
   - Disable the policy **Enable AutoFill for payment instruments**.
   - Optionally, you can enable the policy **Disable synchronization of data using Microsoft sync services**.

   Once complete, the GPO **settings** should show the following:

   ![Edge Settings](https://bitwarden.com/assets/7JYNg4j0ETWUYqxvC1aA35/b2330512b7ccfd0c2371d14349f6f91d/image.png)
8. Ensure the GPO link is enabled.

### Disable Chrome

1. Open Group Policy Management Editor on your managing Windows server.
2. [Download the Google Chrome Administrative Templates.](https://support.google.com/chrome/a/answer/187202?hl)
3. Copy the following `ADMX` files: `policy_templates\windows\admx\chrome.admx` and `policy_templates\windows\admx\google.admx` **TO** `C:\Windows\PolicyDefinitions`
4. Copy the following `ADML` files: `policy_templates\windows\admx\en-us\chrome.adml` and `policy_templates\windows\admx\en-us\google.adml` **TO** `C:\Windows\PolicyDefinitions\en-us`
5. In Group Policy Editor, create a new GPO for Chrome and provide an appropriate name.
6. Choose your desired scope.
7. Right-click the **Group Policy Object** → **Edit**.
8. Go to **User Configuration** → **Policies** → **Administrative Templates** → **Google** → **Google Chrome**.
9. Edit the following settings:
   - Under "Password Manager," disable the policy **Enable saving passwords to the password manager**.
   - Disable the policy **Enable AutoFill for Addresses**.
   - Disable the policy **Enable AutoFill for credit cards**.
10. Once complete, the GPO **settings** should show the following:

    ![Chrome Settings](https://bitwarden.com/assets/4g4UFkO53OhzFhZlnSPoKY/000e4a638d423783c6e1c94c10b13395/chrome_gpo.png)
11. Ensure the GPO link is enabled.

### Disable Firefox

1. Open Group Policy Editor on your managing Windows server.
2. [Download the latest Firefox Policy Templates .zip file.](https://github.com/mozilla/policy-templates/releases)
3. Copy the **ADMX** file: **FROM** the downloaded folder `policy_templates_v1.##\windows\firefox.admx & mozilla.admx` **TO** `C:\Windows\PolicyDefinitions`
4.
Copy the **ADML** file **FROM** `policy_templates\windows\en-us\firefox.adml & mozilla.adml` **TO** `C:\Windows\PolicyDefinitions\en-us`
5. In Group Policy Editor, create a new GPO for Firefox and provide an appropriate name.
6. Choose your desired scope.
7. Right-click the **new group policy** → **Edit**.
8. Open **User Configuration** → **Policies** → **Administrative Templates** → **Mozilla** → **Firefox**.
9. Locate and edit the following policies:
   - Enable the policy **Disable Firefox Accounts**.
   - Disable the policy **Offer to save logins**.
   - Disable the policy **Offer to save logins (default)**.
   - Disable the policy **Password Manager**.
10. Once complete, the GPO **settings** should show the following:

    ![Firefox Settings](https://bitwarden.com/assets/75Do1uQgOThyyIfdXU3ti7/5ab03c79118217b0fdd6485ad8c71527/image.png)
11. Ensure the GPO link is enabled.

### How to check if it worked?

Check that the previous steps worked correctly for your setup:

### Edge

1. On a user's computer, open the command line and run: `gpupdate /force`.
2. Open Edge, then click the three dots for settings **...** → **Settings** → **Passwords**.
3. Ensure "Offer to save passwords" is turned off and managed by the organization.

> [!NOTE] Disable Edge GPO
> **Sign-in automatically** is still checked because there is no policy setting to turn this off.
>
> Any logins previously saved in Edge will not be removed and will continue to be displayed to the user, despite autofill being disabled. Be sure to instruct the user to [import any saved logins](https://bitwarden.com/help/import-from-chrome/) into Bitwarden before deleting them from Edge.

### Chrome

1. On a user's computer, open the command line and run: `gpupdate /force`.
2. Open Chrome and click the **profile icon** on the top right. See that the user is not signed in.
3. Open Chrome, then click the three dots **...** → **Settings** → **Passwords**.
   See that **Offer to save passwords** is unchecked and managed by the organization.

### Firefox

1. On a user's computer, open the command line and run: `gpupdate /force`.
2. Open Firefox and select **Logins and Passwords** from the menu bar.
3. Ensure that a "Blocked Page" message is displayed.

## Disable on Linux

### Chrome

To disable the Chrome Password Manager via group policy:

1. Download the [Google Chrome .deb or .rpm](https://www.google.com/chrome/?platform=linux) for Linux.
2. Download the [Chrome Enterprise Bundle](https://chromeenterprise.google/browser/download/#windows-tab).
3. Unzip the Enterprise Bundle (`GoogleChromeEnterpriseBundle64.zip` or `GoogleChromeEnterpriseBundle32.zip`) and open the `/Configuration` folder.
4. Make a copy of the `master_preferences.json` (in Chrome 91+, `initial_preferences.json`) and rename it `managed_preferences.json`.
5. To [disable](https://chromeenterprise.google/policies/#PasswordManagerEnabled) Chrome's built-in password manager, add the following to `managed_preferences.json` inside of `"policies": { }`:

   ```plain text
   { "PasswordManagerEnabled": false }
   ```
6. Create the following directories if they do not already exist:

   ```plain text
   mkdir /etc/opt/chrome/policies
   mkdir /etc/opt/chrome/policies/managed
   ```
7. Move `managed_preferences.json` into `/etc/opt/chrome/policies/managed`.
8. As you will need to deploy these files to users' machines, we recommend making sure only admins can write files in the `/managed` directory.

   ```plain text
   chmod -R 755 /etc/opt/chrome/policies
   ```
9. Additionally, we recommend that admins apply the following to the file to prevent modifications to the file itself:

   ```plain text
   chmod 644 /etc/opt/chrome/policies/managed/managed_preferences.json
   ```
10. Using your preferred software distribution or MDM tool, deploy the following to users' machines:
    1. Google Chrome Browser
    2.
`/etc/opt/chrome/policies/managed/managed_preferences.json`

> [!NOTE] Refer to Google's guide to Chrome for Linux
> For more help, refer to Google's [Chrome Browser Quick Start for Linux](https://support.google.com/chrome/a/answer/9025926?hl=en&ref_topic=9025817) guide.

### Firefox

To disable the Firefox Password Manager via group policy:

1. Download [Firefox for Linux](https://www.mozilla.org/en-US/firefox/linux/).
2. Open a terminal and navigate to the directory your download has been saved to. For example: `cd ~/Downloads`
3. Extract the contents of the downloaded file:

   ```plain text
   tar xjf firefox-*.tar.bz2
   ```

   The following commands must be executed as root, or preceded by `sudo`.
4. Move the uncompressed Firefox folder to `/opt`:

   ```plain text
   mv firefox /opt
   ```
5. Create a symlink to the Firefox executable:

   ```plain text
   ln -s /opt/firefox/firefox /usr/local/bin/firefox
   ```
6. Download a copy of the desktop file:

   ```plain text
   wget https://raw.githubusercontent.com/mozilla/sumo-kb/main/install-firefox-linux/firefox.desktop -P /usr/local/share/applications
   ```
7. To disable Firefox's built-in password manager, add the following to `policies.json` inside of `"policies": {}`:

   ```plain text
   { "PasswordManagerEnabled": false }
   ```
8. Create the following directory if it does not already exist:

   ```plain text
   mkdir /opt/firefox/distribution
   ```
9. Modify the directory with the following:

   ```plain text
   chmod 755 /opt/firefox/distribution
   ```
10. Additionally, we recommend that admins apply the following to the file to prevent modifications to the file itself:

    ```plain text
    chmod 644 /opt/firefox/distribution/policies.json
    ```
11. Using your preferred software distribution or MDM tool, deploy the following to users' machines:
    1. Firefox Browser
    2.
`/distribution/policies.json`

> [!NOTE] disable firefox group policy
> For more help, refer to Firefox's [policies.json Overview](https://support.mozilla.org/en-US/kb/customizing-firefox-macos-using-configuration-prof) or [Policies README](https://github.com/mozilla/policy-templates/blob/master/README.md) on GitHub.

## Disable on MacOS

### Chrome

1. Download the [Google Chrome .dmg or .pkg](https://chromeenterprise.google/browser/download/#mac-tab) for macOS.
2. Download the [Chrome Enterprise Bundle](https://support.google.com/chrome/a/answer/7650032?hl=en&sjid=15647115866896992845-NA).
3. Unzip the Enterprise Bundle (`GoogleChromeEnterpriseBundle64.zip` or `GoogleChromeEnterpriseBundle32.zip`).
4. Open the `/Configuration/com.Google.Chrome.plist` file with any text editor.
5. To [disable](https://chromeenterprise.google/policies/#PasswordManagerEnabled) Chrome's built-in password manager, add the following to `com.Google.Chrome.plist`:

   ```plain text
   <key>PasswordManagerEnabled</key>
   <false />
   ```
6. Convert the `com.Google.Chrome.plist` file to a configuration profile using a conversion tool of your choice.
7. Deploy the Chrome `.dmg` or `.pkg` and the configuration profile using your software distribution or MDM tool to all managed computers.

> [!NOTE] disable google chrome mac
> For more help, refer to Google's [Chrome Browser Quick Start for Mac](https://support.google.com/chrome/a/answer/9020580?hl=en&ref_topic=7650028) guide.

For additional information, see [Chrome's documentation](https://support.google.com/chrome/a/answer/7550274?hl=en) for setting up Chrome browser on Mac.

### Firefox

1. Download and install [Firefox for Enterprise](https://www.mozilla.org/en-US/firefox/enterprise/#download) for macOS.
2. Create a `distribution` directory in `Firefox.app/Contents/Resources/`.
3. In the created `/distribution` directory, create a new file `org.mozilla.firefox.plist`.

   > [!NOTE]
   > Use the [Firefox .plist template](https://github.com/mozilla/policy-templates/blob/master/mac/org.mozilla.firefox.plist) and [Policy README](https://github.com/mozilla/policy-templates/blob/master/README.md) for reference.
4. To [disable](https://github.com/mozilla/policy-templates/blob/master/README.md#passwordmanagerenabled) Firefox's built-in password manager, add the following to `org.mozilla.firefox.plist`:

   ```plain text
   <key>PasswordManagerEnabled</key>
   <false />
   ```
5. Convert the `org.mozilla.firefox.plist` file to a configuration profile using a conversion tool of your choice.
6. Deploy the Firefox `.dmg` and the configuration profile using your software distribution or MDM tool to all managed computers.

For additional information, see [Firefox's documentation](https://support.mozilla.org/en-US/kb/customizing-firefox-macos-using-configuration-prof) for macOS configuration profiles.

### Edge

1. Download the [Microsoft Edge for macOS .pkg](https://www.microsoft.com/en-us/edge) file.
2. In Terminal, use the following command to create a `.plist` file for Microsoft Edge:

   ```plain text
   /usr/bin/defaults write ~/Desktop/com.microsoft.Edge.plist RestoreOnStartup -int 1
   ```
3. Use the following command to convert the `.plist` from binary to plain text:

   ```plain text
   /usr/bin/plutil -convert xml1 ~/Desktop/com.microsoft.Edge.plist
   ```
4. To [disable](https://docs.microsoft.com/en-us/deployedge/microsoft-edge-policies#passwordmanagerenabled) Edge's built-in password manager, add the following to `com.microsoft.Edge.plist`:

   ```plain text
   <key>PasswordManagerEnabled</key>
   <false />
   ```
5. Deploy the Edge `.pkg` and the configuration profile using your software distribution or MDM tool to all managed computers.

> [!NOTE]
> **For Jamf-specific** help, refer to Microsoft's documentation on [Configuring Microsoft Edge policy settings on macOS with Jamf](https://docs.microsoft.com/en-us/deployedge/configure-microsoft-edge-on-mac-jamf).
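
As an added check for the Linux and macOS procedures above (this script is not part of the original article and is not Bitwarden's code), the following Python sketch parses a policy file before or after deployment, confirms that `PasswordManagerEnabled` is the boolean `false`, and flags a file or parent directory that is group- or world-writable, mirroring the `chmod 755` / `chmod 644` steps. It assumes the key sits either at the top level or inside a `"policies"` object; the sample files are constructed for the demonstration.

```python
import json
import os
import plistlib
import stat
import tempfile
from xml.parsers.expat import ExpatError

POLICY_KEY = "PasswordManagerEnabled"  # policy name used on this page


def load_policies(path):
    """Parse a .json or .plist policy file and return the mapping that holds policies."""
    with open(path, "rb") as fh:
        raw = fh.read()
    if path.endswith(".plist"):
        data = plistlib.loads(raw)  # accepts XML and binary plists
    else:
        data = json.loads(raw.decode("utf-8"))
    if not isinstance(data, dict):
        raise ValueError("top level is not a dictionary")
    # Assumption: the key is either top-level or inside a "policies" object.
    nested = data.get("policies")
    return nested if isinstance(nested, dict) else data


def check_policy_file(path):
    """Return a list of findings; an empty list means the file passes."""
    try:
        policies = load_policies(path)
    except (OSError, ValueError, ExpatError) as exc:
        return [f"unreadable or malformed: {exc}"]

    findings = []
    if POLICY_KEY not in policies:
        findings.append(f"{POLICY_KEY} is not set")
    elif policies[POLICY_KEY] is not False:
        # A quoted "false" is a string, not a boolean, and must not pass.
        findings.append(
            f"{POLICY_KEY} is {policies[POLICY_KEY]!r}, expected boolean false"
        )

    # Only admins should be able to modify the policy file or its directory.
    for target in (path, os.path.dirname(os.path.abspath(path))):
        mode = stat.S_IMODE(os.stat(target).st_mode)
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append(f"{target} is group/world-writable (mode {mode:o})")
    return findings


def demo():
    """Write constructed sample policy files to a temp directory and check each."""
    samples = {
        "good.json": (b'{"policies": {"PasswordManagerEnabled": false}}', 0o644),
        "string.json": (b'{"PasswordManagerEnabled": "false"}', 0o666),
        "empty.json": (b'{"policies": {}}', 0o644),
        "broken.json": (b'{"policies": ', 0o644),
        "good.plist": (plistlib.dumps({POLICY_KEY: False}), 0o644),
        "enabled.plist": (plistlib.dumps({POLICY_KEY: True}), 0o644),
    }
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, (content, mode) in samples.items():
            path = os.path.join(tmp, name)
            with open(path, "wb") as fh:
                fh.write(content)
            os.chmod(path, mode)
            results[name] = check_policy_file(path)
    return results


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, "OK" if not findings else findings)
```

To check a real deployment, call `check_policy_file()` with the path of the deployed file, for example the `managed_preferences.json` or `policies.json` paths given in the Linux steps.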

For additional information, see [Edge's documentation](https://learn.microsoft.com/en-us/deployedge/configure-microsoft-edge-on-mac#configure-microsoft-edge-policies-on-macos) for configuration profiles.

--- URL: https://bitwarden.com/help/delete-member-accounts/ ---

# Delete Organization Member Accounts

> [!WARNING] Danger Zone
> Deleting an account is permanent and cannot be undone or restored. To create a backup of your vault data to store in a safe location, [export your vault data](https://bitwarden.com/help/export-your-data/).

Depending on your organization's setup, you may be able to delete member accounts. Deleting an account is different than removing a user.

## Delete an account

You may be able to delete a member's account using one of the following methods:

- If you have a [claimed domain](https://bitwarden.com/help/claimed-domains/), any users with account email addresses that have a matching domain (e.g. `jdoe@mycompany.com`) can be outright deleted by organization administrators:

  ![Delete claimed accounts](https://bitwarden.com/assets/6HUnGTfMstF4IasZcKBfdi/0d2dbd328ba4a006611576e7d91c70df/2025-01-14_10-45-56.png)
- If you are self-hosting Bitwarden, an authorized administrator can delete the account from the [System Administrator Portal](https://bitwarden.com/help/system-administrator-portal/).
- If the account has an `@yourcompany.com` email address that your company controls, you can use [this procedure](https://bitwarden.com/help/delete-your-account/#tab-without-logging-in-4KcOdFa6zVp6H7xo9Ui9vc/) to initiate and confirm deletion within the `@yourcompany.com` inbox.

If none of these methods fit your organization's Bitwarden configuration, [remove the member](https://bitwarden.com/help/remove-users/) from your organization. They can then [delete their personal account](https://bitwarden.com/help/delete-your-account/#delete-a-personal-account/).

## Remove an account

If you don't want to permanently delete account data, consider [removing the member](https://bitwarden.com/help/remove-users/) from the organization. **Removing a user does not delete their Bitwarden account.** Instead, they lose all access to the organization and its data. If they know their master password, they can still log in to the account and access any personally-owned items.

--- URL: https://bitwarden.com/help/delete-your-account/ ---

# Delete an Account or Organization

> [!WARNING] Danger Zone
> Deleting an account is permanent and cannot be undone or restored. To create a backup of your vault data to store in a safe location, [export your vault data](https://bitwarden.com/help/export-your-data/).

Deleting a Bitwarden account or organization permanently deletes the account or organization and **all data that is associated with it**. Bitwarden does not "soft delete" any data.

Deleting an account or organization does not automatically cancel a subscription. [Learn how to cancel a subscription](https://bitwarden.com/help/cancel-a-subscription/) before deleting an account. If you are locked out of your vault and deleting your account so that you can create a new one, [contact us](https://bitwarden.com/contact/) and we can help transfer your subscription to the new account.

## Delete a personal account

To delete your individual account:

### Without logging in

To delete your account without needing to log in (for example, if you have lost your master password):

1. Open [https://vault.bitwarden.com/#/recover-delete](https://vault.bitwarden.com/#/recover-delete) (or [https://vault.bitwarden.eu/#/recover-delete](https://vault.bitwarden.eu/#/recover-delete)) in a web browser.
2. Enter the **Email Address** associated with the account to issue a deletion confirmation email.
3. In your inbox, open the email and verify you want to delete this Bitwarden account.

If you are deleting your account to start a new one, here are a few next steps:

- If you delete a Bitwarden account that has a premium subscription associated with it, [contact us](https://bitwarden.com/contact/) and we will reapply your existing subscription to the new account.
- If you were able to successfully export your vault data prior to deletion, you can easily [import it into the new account](https://bitwarden.com/help/import-data/).

The email address associated with your deleted account should be immediately available to re-register with Bitwarden, should you wish to do so.

### Web app

To delete your Bitwarden account using the web app:

1. Navigate to **Settings** → **My account**:

   ![My account](https://bitwarden.com/assets/74BqYDU6qE9evz6wEz8K7Y/739550589956c63e6916a41907f43a77/2024-12-04_10-31-23.png)
2. Scroll down to **Danger Zone** and select **Delete account**. You will be prompted to enter your master password to confirm you have the authority to take this action.

### Mobile

To delete your Bitwarden account using the mobile app:

1. Select the **Settings** tab.
2. Select **Account security**.
3. Scroll to the bottom and select **Delete account**.
4. Confirm that you want to **Delete account**. You will be prompted to enter your master password to confirm you have the authority to take this action.

### Desktop

To delete your Bitwarden account using the desktop app:

1. From the menu bar select **Account** → **Delete account**.
2. Enter your master password and select **Delete account**.

Organization owners, admins, and some custom role members may be able to [delete member accounts](https://bitwarden.com/help/delete-member-accounts/).

## Delete an organization

Only [organization owners](https://bitwarden.com/help/user-types-access-control/) can delete an organization. (If you are an organization member, you can instead [leave the organization](https://bitwarden.com/help/org-faqs/#q-how-do-i-leave-an-organization/).)

To delete an organization:

1.
Open the Admin Console:

   ![Product switcher](https://bitwarden.com/assets/2uxBDdQa6lu0IgIEfcwMPP/e3de3361749b6496155e25edcfdcf08b/2024-12-02_11-19-56.png)
2. Go to **Settings** → **Organization info**.
3. Scroll down to the **Danger Zone** and select **Delete Organization**.
4. When prompted, enter your master password to confirm you have the authority to take this action.

--- URL: https://bitwarden.com/help/deploy-browser-extensions-with-intune/ ---

# Deploy Browser Extensions with Intune

When operating Bitwarden in a business setting, administrators may want to automate deployment of Bitwarden browser extensions to users with **Microsoft Intune**. This article will cover how to use Intune to deploy Bitwarden Password Manager browser extensions to your endpoints.

## Get extension ID & update URL

In order to deploy Bitwarden browser extensions using Intune, you'll need an extension ID and update URL. This identifier will be different for each browser:

### Chrome

- Extension ID: `nngceckbapebfimnlniiiahkandclblb`
- Update URL: `https://clients2.google.com/service/update2/crx`

### Edge

- Extension ID: `jbkfoedolllekgbhcbcoahefnbanhhlh`
- Update URL: `https://edge.microsoft.com/extensionwebstorebase/v1/crx`

## Create configuration profile

Next, open the Microsoft Intune portal and complete the following steps:

1. In the Intune Portal, navigate to **Devices** → **Configuration** and select **Create** → **New Policy**.
2. In the Create a profile window:
   - Select a **Platform** (for example, **Windows 10 and later**).
   - From the **Profile type** dropdown, select **Settings catalog**.
3. Select **Create**.
4. On the next screen, give your configuration profile a **Name** and **Description** and select **Next**.
5. On the Configuration settings screen, select **Add settings**.
6.
In the Settings picker:
   - For Google Chrome, search for **Configure the list of force-installed apps and extensions**, select the **Google Google Chrome Extensions** category, and toggle that option on.
   - For Microsoft Edge, search for **Control which extensions are installed silently**, select the **Microsoft Edge\Extensions** category, and toggle that option on.

   > [!TIP] Disable built-in with Intune
   > From the Settings picker, you can also deactivate the built-in password manager that comes available on many web browsers. Typically, for Chrome or a Chromium browser like Microsoft Edge, this setting will be labelled **Enable saving passwords to the password manager** or something similar.
7. Close the Settings picker.
8. Still on the Configuration settings screen, enable whichever option(s) you chose and enter the retrieved extension ID and update URL in the format `<extension ID>;<update URL>`.
9. Select **Next**.
10. On the Scope tags screen, enter any scope you wish to apply to the configuration and select **Next**.
11. On the Assignments screen, add any groups or users to the configuration and select **Next**.
12. On the **Review + create** screen, select **Create**.

--- URL: https://bitwarden.com/help/deploy-desktop-apps-with-intune/ ---

# Deploy Desktop Apps with Intune

When operating Bitwarden in a business setting, administrators may want to automate deployment of Bitwarden desktop apps to users with **Microsoft Intune**. This article will cover how to use Intune to deploy Bitwarden Password Manager desktop apps to your endpoints.

Bitwarden desktop apps can be deployed to endpoints using either a Win32 application (*recommended*) or via the Microsoft App Store:

### Win32 App

To deploy Bitwarden Password Manager as a Win32 app, complete the following steps:

1. Download the latest Bitwarden Windows desktop app installer from [bitwarden.com/download/](https://bitwarden.com/download/).
2.
Use the [Microsoft Win32 Content Prep Tool](https://github.com/Microsoft/Microsoft-Win32-Content-Prep-Tool) to convert the installer into the required `.intunewin` format ([learn more](https://learn.microsoft.com/en-us/mem/intune/apps/apps-win32-prepare)).
3. Open the Intune Portal, navigate to **Apps** → **Windows** and select + **Add**.
4. In the Select app type window, use the **App type** dropdown to select **Windows app (Win32)**.
5. Hit **Select**.
6. On the App information screen, select **Select app package file**.
7. On the App package file window, use the file explorer to select your converted `.intunewin` installer and select **OK**.
8. Take note of the **Name** of your app before proceeding, particularly the version number in the executable.
9. Select **Next**.
10. On the Program screen:
    - Specify the following **Install command**: `Bitwarden-installer-{version}.exe /allusers /S`. Make sure to replace `{version}` with the correct version of the application, for example `2024.8.0`, as seen in the App name (Step 8).
    - Specify the following **Uninstall command**: `C:\Program Files\Bitwarden\Uninstall Bitwarden.exe /allusers /S`.
    - Choose an **Install behavior**. More information can be found by hovering over the ℹ️ icon on that page.
11. Select **Next**.
12. On the Requirements screen:
    - Specify an **Operating system architecture** of **64-bit / 32-bit**.
    - Specify a **Minimum operating system** of **Windows 10 1607**.
13. Select **Next**.
14. On the Detection rules screen:
    - From the **Rules** dropdown, select **Manually configure detection rules**.
    - Select **Add**.
    - From the **Rule type** dropdown, select **File**.
    - Specify a **Path** of `C:\Program Files\Bitwarden`.
    - Specify a **File or folder** of `Bitwarden.exe`.
    - From the **Detection method** dropdown, select **File or folder exists**.
    - For **Associated with a 32-bit app on 64-bit clients**, choose **No**.
15. Select **Next**.
16. On the Dependencies screen, select **Next**.
17.
On the Assignments screen, add any groups or users to the configuration and select **Next**.
18. On the **Review + create** screen, select **Create**.

### App Store

> [!TIP] Endpoints must qualify for app store method
> In order for this method to work, endpoint devices must have access to the Microsoft App Store and must support the Intune Management Extension (IME).
>
> Please note that Bitwarden desktop apps from the Microsoft App Store do not currently support biometric integration with browser extensions ([learn more](https://bitwarden.com/help/biometrics/)).

To deploy the Microsoft App Store version of Bitwarden Password Manager, open the Microsoft Intune portal and complete the following steps:

1. In the Intune Portal, navigate to **Apps** → **Windows** and select + **Add**.
2. In the Select app type window, use the **App type** dropdown to select **Microsoft Store app (new)**.
3. Hit **Select**.
4. On the App information screen, select **Search the Microsoft Store app (new)**.
5. Search for Bitwarden and hit **Select** once you've found and highlighted it.
6. Choose an **Install behavior**. More information can be found by hovering over the ℹ️ icon on that page.
7. Select **Next**.
8. On the Assignments screen, add any groups or users to the configuration and select **Next**.
9. On the **Review + create** screen, select **Create**.

--- URL: https://bitwarden.com/help/deploy-key-connector/ ---

# Deploy Key Connector

> [!NOTE] TDE is a good alternative to KC.
> Bitwarden recommends [trusted device decryption](https://bitwarden.com/help/about-trusted-devices/) as an alternative option to Key Connector that facilitates member login without a master password and does not require deploying or managing a key server.

This article will walk you through the procedure for enabling and configuring Key Connector in an existing self-hosted environment.
**Before proceeding**, please thoroughly review the [about Key Connector](https://bitwarden.com/help/about-key-connector/) article to ensure a full understanding of what Key Connector is, how it works, and the impacts of implementation.

Bitwarden supports deployment of one Key Connector for use by one organization for a self-hosted instance.

## Requirements

> [!NOTE]
> Management of cryptographic keys is incredibly sensitive and is **only recommended for enterprises with a team and infrastructure** that can securely support deploying and managing a key server.

In order to use Key Connector you must:

- [Have an Enterprise organization](https://bitwarden.com/help/password-manager-plans/#enterprise-organizations/).
- [Have a self-hosted Bitwarden server](https://bitwarden.com/help/install-on-premise-linux/).
- [Have an active SSO implementation](https://bitwarden.com/help/about-sso/).
- [Activate the Single organization and Require single sign-on policies](https://bitwarden.com/help/policies/).

If your organization meets or can meet these requirements, including a team and infrastructure that can support management of a key server, [contact us](https://bitwarden.com/contact/) and we'll activate Key Connector.

## Setup & deploy Key Connector

**Once you have contacted us regarding Key Connector**, we'll reach out to kick off a Key Connector discussion. The steps that follow in this article must be completed in collaboration with Bitwarden customer success & implementation specialists.

### Obtain new license file

Once you have contacted us regarding Key Connector, a member of the customer success & implementation team will generate a Key Connector-enabled license file for your organization. When your Bitwarden collaborator instructs you it is ready, complete the following steps to obtain the new license:

1. Open the Bitwarden cloud web app and navigate to your organization's **Billing** → **Subscription** screen in the Admin Console.
2.
Scroll down and select the **Download License** button.
3. When prompted, enter the installation ID that was used to install your self-hosted server and select **Submit**. If you don't know your installation ID off-hand, you can retrieve it from `./bwdata/env/global.override.env`.

You won't need your license file immediately, but you will be required to upload it to your self-hosted server [in a later step](https://bitwarden.com/help/deploy-key-connector/#activate-key-connector/).

### Initialize Key Connector

To prepare your Bitwarden server for Key Connector:

1. Save a [backup](https://bitwarden.com/help/backup-on-premise/) of, at a minimum, `./bwdata/mssql`. Once Key Connector is in use, it's recommended that you have access to a pre-Key Connector backup image in case of an issue.

   > [!NOTE] Using external MSSQL
   > If you are using an [external MSSQL database](https://bitwarden.com/help/external-db/), take a backup of your database in whatever way fits your implementation.

2. Update your self-hosted Bitwarden installation in order to retrieve the latest changes:

   ```
   ./bitwarden.sh update
   ```

3. Edit the `./bwdata/config.yml` file and enable Key Connector by toggling `enable_key_connector` to `true`.

   ```
   nano bwdata/config.yml
   ```

4. Rebuild your self-hosted Bitwarden installation:

   ```
   ./bitwarden.sh rebuild
   ```

5. Update your self-hosted Bitwarden installation again in order to apply the changes:

   ```
   ./bitwarden.sh update
   ```

### Configure Key Connector

To configure Key Connector:

1. Edit the `./bwdata/env/key-connector.override.env` file that will have been downloaded with the `./bitwarden.sh update`.

   ```
   nano bwdata/env/key-connector.override.env
   ```

   > [!NOTE]
   > This file will be pre-populated with default values that will spin up a functional local Key Connector setup, however the **default values are not recommended for production environments**.

2.
In `key-connector.override.env`, you will need to specify values for the following:

   - [Endpoints](https://bitwarden.com/help/deploy-key-connector/#endpoints/): What Bitwarden endpoints Key Connector can communicate with.
   - [Database](https://bitwarden.com/help/deploy-key-connector/#database/): Where Key Connector will store and retrieve user keys.
   - [RSA key pair](https://bitwarden.com/help/deploy-key-connector/#rsa-key/): How Key Connector will access an RSA key pair to protect user keys at rest.

#### Endpoints

Automated setup will populate endpoint values based on your installation configuration, however it's recommended that you confirm the following values in `key-connector.override.env` are accurate for your setup:

```
keyConnectorSettings__webVaultUri=https://your.bitwarden.domain.com
keyConnectorSettings__identityServerUri=http://identity:5000
```

#### Database

Key Connector must access a database which stores encrypted user keys for your organization members. Create a secure database to store encrypted user keys and replace the default `keyConnectorSettings__database__` values in `key-connector.override.env` with the values designated in the **Required Values** column for the chosen database:

> [!NOTE]
> Migration from one database to another is **not supported** at this time. Regardless of which provider you choose, **implement a frequent automated backup schedule** for the database.

| **Database** | **Required values** | |------|------| | Local JSON (**default**) | **Not recommended outside of testing.** `keyConnectorSettings__database__provider=json` `keyConnectorSettings__database__jsonFilePath={File_Path}` | | Microsoft SQL Server | `keyConnectorSettings__database__provider=sqlserver` `keyConnectorSettings__database__sqlServerConnectionString={Connection_String}` [Learn how to format MSSQL connection strings](https://docs.microsoft.com/en-us/sql/connect/ado-net/connection-string-syntax?view=sql-server-ver15) | | PostgreSQL | `keyConnectorSettings__database__provider=postgresql` `keyConnectorSettings__database__postgreSqlConnectionString={Connection_String}` [Learn how to format PostgreSQL connection strings](https://www.npgsql.org/doc/connection-string-parameters.html) | | MySQL/MariaDB | `keyConnectorSettings__database__provider=mysql` `keyConnectorSettings__database__mySqlConnectionString={Connection_String}` [Learn how to format MySQL connection strings](https://dev.mysql.com/doc/connector-net/en/connector-net-connections-string.html) | | MongoDB | `keyConnectorSettings__database__provider=mongo` `keyConnectorSettings__database__mongoConnectionString={Connection_String}` `keyConnectorSettings__database__mongoDatabaseName={DatabaseName}` [Learn how to format MongoDB connection strings](https://docs.mongodb.com/manual/reference/connection-string/) | #### RSA key pair Key Connector uses an RSA key pair to protect user keys at rest. Create a key pair and replace the default `keyConnectorSettings__rsaKey__` and `keyConnectorSettings__certificate__` values in `key-connector.override.env` with the values required for your chosen implementation. > [!NOTE] > The RSA key pair must be **at a minimum** 2048 bits in length. Generally, your options include granting Key Connector access to an X509 **Certificate** that contains the key pair or granting Key Connector access directly to the **Key Pair**. 
Key Connector does not support rotation of certificates or RSA key pairs.

### Certificate

To use an X509 certificate that contains an RSA key pair, specify the values required depending on the location where your certificate is stored (see **Filesystem**, **OS Certificate Store**, and so on):

> [!NOTE]
> The certificate **must** be made available as a PKCS12 `.pfx` file, for example:
>
> ```
> openssl req -x509 -newkey rsa:4096 -sha256 -nodes -keyout bwkc.key -out bwkc.crt -subj "/CN=Bitwarden Key Connector" -days 36500
>
> openssl pkcs12 -export -out ./bwkc.pfx -inkey bwkc.key -in bwkc.crt -passout pass:{Password}
> ```
>
> In all certificate implementations, you'll need the `CN` value shown in this example.

#### Filesystem (default)

If the certificate is stored on the filesystem of the machine running Key Connector, specify the following values:

> [!NOTE]
> By default, Key Connector will be configured to create a `.pfx` file located at `/etc/bitwarden/key-connector/bwkc.pfx` with a generated password. **It is not recommended** for enterprise implementations to use these defaults.

```
keyConnectorSettings__rsaKey__provider=certificate
keyConnectorSettings__certificate__provider=filesystem
keyConnectorSettings__certificate__filesystemPath={Certificate_Path}
keyConnectorSettings__certificate__filesystemPassword={Certificate_Password}
```

#### Azure Blob Storage

If the certificate is uploaded to Azure Blob Storage, specify the following values:

```
keyConnectorSettings__rsaKey__provider=certificate
keyConnectorSettings__certificate__provider=azurestorage
keyConnectorSettings__certificate__azureStorageConnectionString={Connection_String}
keyConnectorSettings__certificate__azureStorageContainer={Container_Name}
keyConnectorSettings__certificate__azureStorageFileName={File_Name}
keyConnectorSettings__certificate__azureStorageFilePassword={File_Password}
```

Set `azureStorageConnectionString` to a **Connection string** you can generate in your Azure portal from the **Shared access signature** (SAS) page of your storage account. The SAS must have:

- Allowed services: Blob and File
- Allowed resource types: Service, Container, and Object
- Allowed permissions: Read, Write, and List
- Allowed blob index permissions: Read/Write and Filter

#### Azure Key Vault

If the certificate is stored in Azure Key Vault, specify the following values:

> [!NOTE]
> To use Azure Key Vault to store your `.pfx` certificate, you'll need to create an Active Directory **App Registration**.
This App Registration must: > > - Give delegated API permissions to access Azure Key Vault > - Have a client secret generated to allow access by Key Connector ``` keyConnectorSettings__certificate__provider=azurekv keyConnectorSettings__certificate__azureKeyvaultUri={Vault_URI} keyConnectorSettings__certificate__azureKeyvaultCertificateName={Certificate_Name} keyConnectorSettings__certificate__azureKeyvaultAdTenantId={ActiveDirectory_TenantId} keyConnectorSettings__certificate__azureKeyvaultAdAppId={AppRegistration_ApplicationId} keyConnectorSettings__certificate__azureKeyvaultAdSecret={AppRegistration_ClientSecretValue} ``` #### Hashicorp Vault If the certificate is stored in Hashicorp Vault, specify the following values: > [!NOTE] > Key Connector integrates with the Hashicorp Vault KV2 Storage Engine. As per the top of this tab, the certificate file should be in PKCS12 format and stored base64-encoded as the value to a named key in your Vault. If following a Vault tutorial for the KV2 Storage Engine, the key name may be `file` unless otherwise specified. 
```
keyConnectorSettings__rsaKey__provider=certificate
keyConnectorSettings__certificate__provider=vault
keyConnectorSettings__certificate__vaultServerUri={Server_URI}
keyConnectorSettings__certificate__vaultToken={Token}
keyConnectorSettings__certificate__vaultSecretMountPoint={Secret_MountPoint}
keyConnectorSettings__certificate__vaultSecretPath={Secret_Path}
keyConnectorSettings__certificate__vaultSecretDataKey={Secret_DataKey}
keyConnectorSettings__certificate__vaultSecretFilePassword={Secret_FilePassword}
```

### Cloud key pair

To use a cloud provider or physical device to store an RSA 2048 key pair, specify the values required depending on your chosen implementation (see **Azure Key Vault**, **Google Cloud Key Management**, and so on):

#### Azure Key Vault

If you are using Azure Key Vault to store an RSA 2048 key pair, specify the following values:

> [!NOTE]
> To use Azure Key Vault to store your RSA 2048 key, you'll need to create an Active Directory **App Registration**. This App Registration must:
>
> - Give delegated API permissions to access Azure Key Vault
> - Have a client secret generated to allow access by Key Connector

```
keyConnectorSettings__rsaKey__provider=azurekv
keyConnectorSettings__rsaKey__azureKeyvaultUri={Vault_URI}
keyConnectorSettings__rsaKey__azureKeyvaultKeyName={Key_Name}
keyConnectorSettings__rsaKey__azureKeyvaultAdTenantId={ActiveDirectory_TenantId}
keyConnectorSettings__rsaKey__azureKeyvaultAdAppId={AppRegistration_ApplicationId}
keyConnectorSettings__rsaKey__azureKeyvaultAdSecret={AppRegistration_ClientSecretValue}
```

[Learn how to use Azure Key Vault to create a key pair](https://docs.microsoft.com/en-us/azure/key-vault/keys/quick-create-portal)

#### Google Cloud Key Management

If you are using Google Cloud Key Management to store an RSA 2048 key pair, specify the following values:

```
keyConnectorSettings__rsaKey__provider=gcpkms
keyConnectorSettings__rsaKey__googleCloudProjectId={Project_Id}
keyConnectorSettings__rsaKey__googleCloudLocationId={Location_Id}
keyConnectorSettings__rsaKey__googleCloudKeyringId={Keyring_Id}
keyConnectorSettings__rsaKey__googleCloudKeyId={Key_Id}
keyConnectorSettings__rsaKey__googleCloudKeyVersionId={KeyVersionId}
```

[Learn how to use Google Cloud Key Management Service to create key rings and asymmetric keys](https://cloud.google.com/kms/docs/creating-asymmetric-keys)

#### AWS Key Management Service

If you are using AWS Key Management Service (KMS) to store an RSA 2048 key pair, specify the following values:

```
keyConnectorSettings__rsaKey__provider=awskms
keyConnectorSettings__rsaKey__awsAccessKeyId={AccessKey_Id}
keyConnectorSettings__rsaKey__awsAccessKeySecret={AccessKey_Secret}
keyConnectorSettings__rsaKey__awsRegion={Region_Name}
keyConnectorSettings__rsaKey__awsKeyId={Key_Id}
```

[Learn how to use AWS KMS to create asymmetric keys](https://docs.aws.amazon.com/kms/latest/developerguide/asymm-create-key.html)

### PKCS#11 HSM

If you are using a physical HSM device with the PKCS#11 provider to store a private key, you will need to:

1. Upload the corresponding public key, configured as a PEM-encoded certificate, to a location which can be accessed by the Key Connector container (see **Certificates** tab).
2. Configure Key Connector with the following values, which include *both* PKCS#11-specific values (e.g. `keyConnectorSettings__rsaKey__pkcs11...`) and values specific to the location you've chosen to store your public key (e.g. `keyConnectorSettings__certificate__...`):

```
keyConnectorSettings__rsaKey__provider=pkcs11
keyConnectorSettings__rsaKey__pkcs11Provider={Provider}
keyConnectorSettings__rsaKey__pkcs11SlotTokenSerialNumber={Token_SerialNumber}
keyConnectorSettings__rsaKey__pkcs11LoginUserType={Login_UserType}
keyConnectorSettings__rsaKey__pkcs11LoginPin={Login_PIN}

ONE OF THE FOLLOWING TWO:
keyConnectorSettings__rsaKey__pkcs11PrivateKeyLabel={PrivateKeyLabel}
keyConnectorSettings__rsaKey__pkcs11PrivateKeyId={PrivateKeyId}

OPTIONALLY:
keyConnectorSettings__rsaKey__pkcs11LibraryPath={path/to/library/file}
```

> [!TIP] Referencing local files for PKCS#11 Configuration
> Key Connector may need to access specific files, such as a local PEM certificate or PKCS#11 driver files. By default, the directory `./bwdata/key-connector` is mounted into the container at `/etc/bitwarden/key-connector`, meaning that a certificate file stored in the host OS at `/opt/bitwarden/bwdata/key-connector/certificate.pem` is available to the container at `/etc/bitwarden/key-connector/certificate.pem`. Key Connector configurations **must** reference files in their mounted locations, as in the following example:
>
> ```plain text
> keyConnectorSettings__certificate__filesystemPath=/etc/bitwarden/key-connector/certificate.pem
> ```

**Required in all circumstances:**

- `keyConnectorSettings__rsaKey__provider=`: Must be `pkcs11`.
- `keyConnectorSettings__rsaKey__pkcs11Provider=`: Must be `yubihsm` or `opensc`.
- `keyConnectorSettings__rsaKey__pkcs11SlotTokenSerialNumber=`: Serial number used to identify the token to be used.
- `keyConnectorSettings__rsaKey__pkcs11LoginUserType=`: Can be `user`, `so`, or `context_specific`.
- `keyConnectorSettings__rsaKey__pkcs11LoginPin=`: PIN code used to access the token.
- `keyConnectorSettings__certificate__provider=`: Can be `filesystem`, `azurestorage`, `azurekv`, or `vault`.

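A pre-deployment check for the values this article describes, written here as an added Python example (not Bitwarden's code): it parses `key-connector.override.env`, confirms that each chosen provider has the values listed for it, and flags unreplaced `{...}` placeholders, the testing-only defaults, and a certificate path outside the default container mount. The sample file and its values, including the unsupported `softhsm` provider, are constructed for illustration.

```python
"""Lint key-connector.override.env against the values listed in this article.
Added example, not Bitwarden code; every rule is taken from the article text."""

PREFIX = "keyConnectorSettings__"
DEFAULT_MOUNT = "/etc/bitwarden/key-connector/"  # default in-container mount point

# provider -> space-separated settings the article lists for it, per settings group
REQUIRED = {
    "database": {
        "json": "jsonFilePath",
        "sqlserver": "sqlServerConnectionString",
        "postgresql": "postgreSqlConnectionString",
        "mysql": "mySqlConnectionString",
        "mongo": "mongoConnectionString mongoDatabaseName",
    },
    "rsaKey": {
        "certificate": "",
        "azurekv": "azureKeyvaultUri azureKeyvaultKeyName azureKeyvaultAdTenantId "
                   "azureKeyvaultAdAppId azureKeyvaultAdSecret",
        "gcpkms": "googleCloudProjectId googleCloudLocationId googleCloudKeyringId "
                  "googleCloudKeyId googleCloudKeyVersionId",
        "awskms": "awsAccessKeyId awsAccessKeySecret awsRegion awsKeyId",
        "pkcs11": "pkcs11Provider pkcs11SlotTokenSerialNumber pkcs11LoginUserType pkcs11LoginPin",
    },
    "certificate": {
        "filesystem": "filesystemPath filesystemPassword",
        "azurestorage": "azureStorageConnectionString azureStorageContainer "
                        "azureStorageFileName azureStorageFilePassword",
        "azurekv": "azureKeyvaultUri azureKeyvaultCertificateName azureKeyvaultAdTenantId "
                   "azureKeyvaultAdAppId azureKeyvaultAdSecret",
        "vault": "vaultServerUri vaultToken vaultSecretMountPoint vaultSecretPath "
                 "vaultSecretDataKey vaultSecretFilePassword",
    },
}

def parse_env(text):
    """Return {setting: value} for keyConnectorSettings__ lines, prefix stripped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        if key.startswith(PREFIX):
            settings[key[len(PREFIX):]] = value.strip()
    return settings

def lint(text):
    """Return a list of (level, message) findings; level is 'error' or 'warn'."""
    s, out = parse_env(text), []

    def provider(group):
        # Validate <group>__provider and the settings that provider requires.
        name = s.get(f"{group}__provider", "")
        if name not in REQUIRED[group]:
            out.append(("error", f"{group}__provider={name!r} not in {sorted(REQUIRED[group])}"))
            return None
        for n in REQUIRED[group][name].split():
            v = s.get(f"{group}__{n}", "")
            if not v:
                out.append(("error", f"{group}__{n} is missing or empty"))
            elif v.startswith("{") and v.endswith("}"):
                out.append(("error", f"{group}__{n} still holds the placeholder {v}"))
        return name

    if provider("database") == "json":
        out.append(("warn", "json database is the default; not recommended outside of testing"))
    rsa = provider("rsaKey")
    if rsa == "pkcs11":
        if (s.get("rsaKey__pkcs11Provider") or "yubihsm") not in ("yubihsm", "opensc"):
            out.append(("error", "rsaKey__pkcs11Provider must be yubihsm or opensc"))
        if (s.get("rsaKey__pkcs11LoginUserType") or "user") not in ("user", "so", "context_specific"):
            out.append(("error", "rsaKey__pkcs11LoginUserType must be user, so or context_specific"))
        if not (s.get("rsaKey__pkcs11PrivateKeyLabel") or s.get("rsaKey__pkcs11PrivateKeyId")):
            out.append(("error", "set rsaKey__pkcs11PrivateKeyLabel or rsaKey__pkcs11PrivateKeyId"))
    if rsa in ("certificate", "pkcs11") and provider("certificate") == "filesystem":
        path = s.get("certificate__filesystemPath", "")
        if path and not path.startswith(DEFAULT_MOUNT):
            out.append(("warn", f"{path} is outside the default mount {DEFAULT_MOUNT}"))
        elif path == DEFAULT_MOUNT + "bwkc.pfx" and rsa == "certificate":
            out.append(("warn", "default generated bwkc.pfx in use; not recommended for enterprise"))
    return out

# Constructed sample: placeholder left in place, unsupported PKCS#11 provider,
# no private key label or ID, and a host path instead of the mounted path.
SAMPLE = """\
keyConnectorSettings__database__provider=postgresql
keyConnectorSettings__database__postgreSqlConnectionString={Connection_String}
keyConnectorSettings__rsaKey__provider=pkcs11
keyConnectorSettings__rsaKey__pkcs11Provider=softhsm
keyConnectorSettings__rsaKey__pkcs11SlotTokenSerialNumber=0000000000
keyConnectorSettings__rsaKey__pkcs11LoginUserType=user
keyConnectorSettings__rsaKey__pkcs11LoginPin=constructed-pin
keyConnectorSettings__certificate__provider=filesystem
keyConnectorSettings__certificate__filesystemPath=/opt/bitwarden/bwdata/key-connector/certificate.pem
keyConnectorSettings__certificate__filesystemPassword=constructed-password
"""

if __name__ == "__main__":
    print(*lint(SAMPLE), sep="\n")
```

The mount check only knows the default mount described above, so a deployment that mounts a different directory should change `DEFAULT_MOUNT` to match.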
**Required in some circumstances**:

- `keyConnectorSettings__rsaKey__pkcs11PrivateKeyLabel=`: (Required if not using `...__pkcs11PrivateKeyId=`, see below) Label, or "alias", of your private key.
- `keyConnectorSettings__rsaKey__pkcs11PrivateKeyId=`: (Required if not using `...__pkcs11PrivateKeyLabel=`) Unique identifier of your private key.
- `keyConnectorSettings__certificate__filesystem...=`: Set both `...__certificate__filesystem...` values if you store your public key on a file system (see **Certificates** tab).
- `keyConnectorSettings__certificate__azure...=`: Set all `...__certificate__azure...` values if you store your public key in Azure Blob Storage (see **Certificates** tab).
- `keyConnectorSettings__certificate__azureKeyvault...=`: Set all `...__certificate__azureKeyvault...` values if you store your public key in Azure Key Vault (see **Certificates** tab).
- `keyConnectorSettings__certificate__vault...=`: Set all `...__certificate__vault...` values if you store your public key in Hashicorp Vault (see **Certificates** tab).

**Optional**:

- `keyConnectorSettings__rsaKey__pkcs11LibraryPath=`: Optionally, point Key Connector to a library file, for example `=/etc/bitwarden/libfxpkcs11.so`. Doing so will supersede the value `keyConnectorSettings__rsaKey__pkcs11Provider=`.

### Securing Key Connector

Additional security measures for Key Connector users are recommended to maintain zero-knowledge encryption for databases and data transfers.

- Organizations who use a TLS intercepting proxy will be required to take additional steps in order to maintain zero-knowledge encryption. To ensure security, add the Bitwarden URL to your proxy's exclusion list. This ensures that the data transfer with Key Connector remains encrypted and un-logged throughout the entire data transfer process.
- It is not always possible to migrate between encryption mechanisms.
- Migration from one database to another is **not supported** at this time.
  Be sure to implement a frequent automated backup schedule for the database.

> [!NOTE]
> Management of cryptographic keys is incredibly sensitive and is **only recommended for enterprises with a team and infrastructure** that can securely support deploying and managing a key server.

### Activate Key Connector

Now that Key Connector is [fully configured](https://bitwarden.com/help/deploy-key-connector/#configure-key-connector/) and you have a [Key Connector-enabled license](https://bitwarden.com/help/deploy-key-connector/#obtain-a-new-license/), complete the following steps:

1. Restart your self-hosted Bitwarden installation in order to apply the configuration changes:

   ```
   ./bitwarden.sh restart
   ```

2. Log in to your self-hosted Bitwarden as an organization **owner** and navigate to the Admin Console's **Billing** → **Subscription** screen.
3. Select the **Update license** button and upload the Key Connector-enabled license [retrieved in an earlier step](https://bitwarden.com/help/deploy-key-connector/#obtain-new-license-file/).
4. If you haven't already, navigate to the **Settings** → **Policies** screen and enable the [Single organization](https://bitwarden.com/help/policies/#single-organization/) and [Require single sign-on authentication](https://bitwarden.com/help/policies/#require-single-sign-on-authentication/) policies. **Both are required to use Key Connector**.
5. Navigate to the **Settings** → **Single sign-on** screen.

   > [!NOTE]
   > The next few steps assume that you already have an active [login with SSO](https://bitwarden.com/help/about-sso/) implementation using [SAML 2.0](https://bitwarden.com/help/configure-sso-saml/) or [OIDC](https://bitwarden.com/help/configure-sso-oidc/). **If you don't**, please implement and test login with SSO before proceeding.

6. In the **Member decryption options** section, select **Key Connector**.
7.
In the **Key Connector URL** input, enter the address Key Connector is running at (by default, `https://your.domain/key-connector`) and select the **Test** button to ensure you can reach Key Connector.
8. Scroll to the bottom of the screen and select **Save**.

--- URL: https://bitwarden.com/help/deploy-mobile-apps-with-intune/ ---

# Deploy Mobile Apps with Intune

When operating Bitwarden in a business setting, administrators may want to automate deployment of Bitwarden mobile apps to users with **Microsoft Intune**.

Bitwarden mobile apps can be deployed to managed devices with Intune. On **Android**, use the Google Play store, and on **iOS**, use the Apple App Store. Follow Microsoft's official documentation for instructions on how to do this:

- **Android**: See Microsoft's documentation [here](https://learn.microsoft.com/en-us/mem/intune-service/apps/store-apps-android).
- **iOS**: See Microsoft's documentation [here](https://learn.microsoft.com/en-us/mem/intune-service/apps/store-apps-ios).

--- URL: https://bitwarden.com/help/developer-quick-start/ ---

# Developer Quick Start

Bitwarden Secrets Manager enables developers, DevOps, and cybersecurity teams to centrally store, manage, and deploy secrets at scale. The [Secrets Manager CLI](https://bitwarden.com/help/secrets-manager-cli/) is your primary vehicle for injecting [secrets](https://bitwarden.com/help/secrets/) into your applications and infrastructure through an authenticated [machine account](https://bitwarden.com/help/machine-accounts/).

In this article, we'll demonstrate use of the Secrets Manager CLI by looking at a few ways to retrieve database credentials stored in your vault to be injected at container runtime for a [Bitwarden Unified](https://bitwarden.com/help/install-and-deploy-lite/) Docker image.

> [!TIP] Look for SDK
> If you're looking for SDK information and language wrappers for Secrets Manager functionality, refer to [this article](https://bitwarden.com/help/secrets-manager-sdk/).

If you haven't already gone through the [Secrets Manager Quick Start](https://bitwarden.com/help/secrets-manager-quick-start/) article, we recommend doing so before reading on.

## Basic tutorial

In this simplest example, you'll retrieve database credentials stored in your vault and store them as temporary environment variables on a Linux system. Once stored, you'll inject them at runtime inside a `docker run` command. To do this, you'll need to have installed:

- Bitwarden [Secrets Manager CLI](https://bitwarden.com/help/secrets-manager-cli/)
- [Docker](https://docs.docker.com/get-docker/)
- A [command-line JSON processor like jq](https://stedolan.github.io/jq/)

### Authenticate

The Secrets Manager CLI can be logged in to using an [access token](https://bitwarden.com/help/access-tokens/) generated for a particular [machine account](https://bitwarden.com/help/machine-accounts/). This means that **only secrets and projects which the machine account has access to** may be interacted with using the CLI (learn more about [machine account permissions](https://bitwarden.com/help/service-accounts/#create-a-service-account/)). There are a number of ways to authenticate a CLI session, but for the simplest option do so by saving an environment variable `BWS_ACCESS_TOKEN` with the value of your access token, for example:

```
export BWS_ACCESS_TOKEN=0.48c78342-1635-48a6-accd-afbe01336365.C0tMmQqHnAp1h0gL8bngprlPOYutt0:B3h5D+YgLvFiQhWkIq6Bow==
```

### Retrieve the secret

Next, use the following command to retrieve your database username and store it as a temporary environment variable. In this example, `fc3a93f4-2a16-445b-b0c4-aeaf0102f0ff` represents the specific identifier for the database username secret:

```
export SECRET_1=$(bws secret get fc3a93f4-2a16-445b-b0c4-aeaf0102f0ff | jq -r '.value')
```

This command will save the `value` of your secret to a temporary environment variable, which will be cleared on system reboot, user logout, or in any new shell. The `-r` flag makes `jq` print the raw string rather than a JSON-quoted one, so the variable does not contain literal quotation marks.
Now, run the same command for the database password:

```
export SECRET_2=$(bws secret get 80b55c29-5cc8-42eb-a898-acfd01232bbb | jq -r '.value')
```

### Inject the secret

Now that your database credentials are saved as temporary environment variables, they can be injected inside a `docker run` command. In this example, we've omitted many of the variables required by [Bitwarden Unified](https://bitwarden.com/help/install-and-deploy-lite/) to emphasize the injected secrets:

```
docker run -d --name bitwarden .... -e BW_DB_USERNAME="$SECRET_1" -e BW_DB_PASSWORD="$SECRET_2" .... bitwarden/self-host:beta
```

When this command is run, your Docker container will start up and inject your database credentials from the temporarily stored environment variables, allowing you to securely spin up Bitwarden Unified without passing sensitive values as plaintext.

## Advanced tutorial

In this example, you'll use the Secrets Manager CLI in your Docker image to inject database credentials stored in your vault at runtime. You'll accomplish this by manipulating your Dockerfile to install the CLI on the image, instead of on the host, and to retrieve the database credentials at container runtime. You'll then prepare your environment variables file for injection and string it all together by running a container.
### Setup your Dockerfile

To install the Secrets Manager CLI in your Docker image, you'll need to add the following to your Dockerfile:

```plain text
# Install dependencies
ENV DEBIAN_FRONTEND=noninteractive
RUN apt-get update && \
    apt-get install -y \
    ca-certificates \
    curl \
    jq \
    unzip && \
    rm -rf /var/lib/apt/lists/*

# Download bws (pinned to release 1.0.0; consider verifying the archive's checksum before unzipping)
RUN curl -LO https://github.com/bitwarden/sdk/releases/download/bws-v1.0.0/bws-x86_64-unknown-linux-gnu-1.0.0.zip && \
    unzip bws-x86_64-unknown-linux-gnu-1.0.0.zip -d /usr/local/bin/ && \
    rm -f bws-x86_64-unknown-linux-gnu-1.0.0.zip

# Add anything else you will need to your image

# Entrypoint script will retrieve secrets at runtime
COPY ./entrypoint.sh /
ENTRYPOINT ["/entrypoint.sh"]
```

Next, use an `entrypoint.sh` file in order to inject secrets at run time. One method is to add commands to your `entrypoint.sh` file that will retrieve each credential. This, however, is not the only method you'd be able to implement:

```plain text
#!/usr/bin/env bash

# One way to retrieve individual secrets is to use the `get` command and extract the value
# (`jq -r` prints the raw string rather than a JSON-quoted one):
SECRET_1=$(bws secret get fc3a93f4-2a16-445b-b0c4-aeaf0102f0ff | jq -r '.value')

# Another option. This method is sensitive to spaces in the secret name. See the `run` command documentation for more options
bws run -- 'echo $SECRET_NAME'

# Run your project
```

These commands retrieve the indicated secrets when the container starts, where `fc3a93f4-2a16-445b-b0c4-aeaf0102f0ff` represents the secret's specific identifier. The other option included in the code example, `bws run -- 'echo $SECRET_NAME'`, references the secret by its name.
### Build the image

To build the Docker image, first make `entrypoint.sh` executable:

```plain text
chmod +x ./entrypoint.sh
```

Build the image from the directory that contains your Dockerfile:

```plain text
docker build -t image-name .
```

### Run the container

Now that your database credentials are primed and ready for injection, start up your container:

```
docker run --rm -it -e BWS_ACCESS_TOKEN= image-name
```

When this command is run, your Docker container will start up and inject your database credentials from the values retrieved by the container, allowing you to securely spin up Bitwarden Unified without passing sensitive values as plaintext.

--- URL: https://bitwarden.com/help/directory-sync-cli/ ---

# Directory Connector CLI

The Directory Connector CLI is suited toward work in environments where a desktop GUI is unavailable, or if you want to programmatically script directory sync operations using tools provided by the operating system (cron job, scheduled task, and more). The Directory Connector CLI can be used cross-platform on Windows, macOS, and Linux distributions.

## Getting started

> [!TIP] Using BWDC GUI to Get Started
> The desktop app and CLI [share a database and configurations](https://bitwarden.com/help/directory-sync-shared/), so **simultaneous** use on a single machine is not recommended. The recommended path is to complete configuration and testing using the [desktop app](https://bitwarden.com/help/directory-sync-desktop/), and subsequently using the [CLI](https://bitwarden.com/help/directory-sync-cli/) to [schedule automatic syncing](https://bitwarden.com/help/schedule-directory-sync/) to your production organization.

To get started using the Bitwarden Directory Connector CLI:

1.
Download the CLI from one of the following links:

   - 🪟 [Windows CLI](https://bitwarden.com/download/?app=connector&platform=windows&variant=cli-zip/)
   - 🍎 [macOS CLI](https://bitwarden.com/download/?app=connector&platform=macos&variant=cli-zip/)
   - 🐧 [Linux CLI](https://bitwarden.com/download/?app=connector&platform=linux&variant=cli-zip/)

2. Extract the `.zip` and move the contents (`bwdc` and `keytar.node`) to `/usr/local/bin` or another directory in your `$PATH`. Please note, `keytar.node` **must** be in the same directory as the primary `bwdc` executable.

   **Linux only:** If not already installed, install `libsecret` with your package manager of choice. Note that the package is titled `libsecret-1-0` for Ubuntu and Debian specifically. Users should find the equivalent title for their particular distribution:

   ```
   apt-get install libsecret-1-0
   brew install libsecret
   ```

   **Windows only:** Windows users can [add `bwdc.exe` to the current user's `PATH`](https://www.howtogeek.com/118594/how-to-edit-your-system-path-for-easy-command-line-access/).

3. Verify that the `bwdc` command works in your terminal by running the following:

   ```
   bwdc --help
   ```

4. Connect Directory Connector to your directory using the `bwdc config ` command (see [here](https://bitwarden.com/help/directory-sync-cli/#config/)).
5. Configure sync options by editing your `data.json` file (to learn more, see [Directory Connector File Storage](https://bitwarden.com/help/directory-sync-shared/)). Use the `bwdc data-file` command to obtain the absolute path of your `data.json` file.
   Available **sync options** depend on the directory type in use, so refer to one of the following articles for a list of options available to you:

   - [Sync with Active Directory or LDAP](https://bitwarden.com/help/ldap-directory/)
   - [Sync with Azure Active Directory](https://bitwarden.com/help/microsoft-entra-id/)
   - [Sync with G Suite (Google)](https://bitwarden.com/help/workspace-directory/)
   - [Sync with Okta](https://bitwarden.com/help/okta-directory/)
   - [Sync with OneLogin](https://bitwarden.com/help/onelogin-directory/)

6. Run the `bwdc test` command to check whether your configuration would sync the expected results.
7. Once your directory and sync options are properly configured, and `bwdc test` yields the expected results, run the `bwdc sync` command to start a live sync operation.

> [!NOTE] --pretty in bwdc
> The `--pretty` flag can be included in `bwdc` commands to modify the output for readability.

## Commands reference

### login

Use the `login` command to log in to Directory Connector with your [organization API key](https://bitwarden.com/help/public-api/#authentication/). If you don't have the API key, reach out to an [organization owner](https://bitwarden.com/help/user-types-access-control/). There are a few ways to use the `login` command:

- By itself:

  ```
  bwdc login
  ```

  Passing `bwdc login` by itself will prompt you to subsequently enter `client_id` and `client_secret`.

- With parameters:

  ```
  bwdc login organization.b5351047-89b6-820f-ad21016b6222 yUMB4trbqV1bavhEHGqbuGpz4AlHm9
  ```

- With saved environment variables:

  ```
  BW_CLIENTID="organization.b5351047-89b6-820f-ad21016b6222" BW_CLIENTSECRET="yUMB4trbqV1bavhEHGqbuGpz4AlHm9" bwdc login
  ```

  Saving the environment variables `BW_CLIENTID` and `BW_CLIENTSECRET` allows you to log in to Directory Connector using only `bwdc login`, which will check for those variables and use them if present. If these environment variables aren't present, you will be prompted to enter your `client_id` and `client_secret`.
### logout

Use the `logout` command to log out of the Directory Connector CLI.

```
bwdc logout
```

### help

The Bitwarden Directory Connector CLI is self-documented with `--help` content and examples for every command. List all available commands using the global `--help` option:

```
bwdc --help
```

Use the `--help` option on any specific command to learn more about that command:

```
bwdc test --help
bwdc config --help
```

### test

The `test` command queries your directory and prints a JSON formatted array of groups and users that would be synced to your Bitwarden organization whenever you run a real sync operation.

```
bwdc test
```

Use the `--last` option to test only the changes since the last successful sync.

```
bwdc test --last
```

### sync

The `sync` command runs a live sync operation and pushes data to your Bitwarden organization.

```
bwdc sync
```

Synced users and groups will be immediately available in your Bitwarden organization. Newly added users will receive an email invite to your organization.

> [!NOTE] Teams Starter + BWDC
> If you're on the [Teams Starter](https://bitwarden.com/help/password-manager-plans/#teams-starter-organizations/) plan, you are limited to 10 members. Directory Connector will display an error and stop syncing if you try to sync more than 10 members.
>
> **This plan is no longer available for purchase**. This error does not apply to Teams plans.

### last-sync

The `last-sync` command returns an [ISO 8601](https://en.wikipedia.org/wiki/ISO_8601) timestamp for the last sync operation that was performed for users or groups. You must specify either `users` or `groups` as an `` to run the command against:

```
bwdc last-sync
```

Returns an empty response if no sync has been performed for the given object.

### config

The `config` command allows you to specify your directory settings:

```
bwdc config
```

Available options are:

| **Option** | **Description** |
|------|------|
| `server ` | URL of your self-hosted installation (e.g. `https://business.bitwarden.com`) or EU server (`https://vault.bitwarden.eu`). |
| `directory ` | Type of directory to use. See the following table for enumerated values. |
| `ldap.password ` | Password for connection to the LDAP server. |
| `azure.key ` | Azure AD secret key. |
| `gsuite.key ` | Google Workspace/GSuite private key. |
| `okta.token ` | Okta token. |
| `onelogin.secret ` | OneLogin client secret. |

#### `directory-type` values

| **Source directory** | **Value** |
|------|------|
| Active Directory/LDAP | 0 |
| Azure Active Directory | 1 |
| Google Workspace/GSuite | 2 |
| Okta | 3 |
| OneLogin | 4 |

### data-file

The `data-file` command returns an absolute path to the `data.json` configuration file used by the Directory Connector CLI:

```
bwdc data-file
```

Some configuration settings can be modified for the Directory Connector CLI by editing the `data.json` configuration file directly in your favorite text editor; however, `ldap.password`, `azure.key`, `gsuite.key`, `okta.token`, and `onelogin.secret` can **only** be modified from the CLI using [`config`](https://bitwarden.com/help/directory-sync-cli/#config/), or from the [desktop app](https://bitwarden.com/help/directory-sync-desktop/).

### clear-cache

The `clear-cache` command allows you to clear cached data that the application stores while performing sync operations. For more information, see [Clear Sync Cache](https://bitwarden.com/help/clear-sync-cache/).

```
bwdc clear-cache
```

### update

The `update` command allows you to check if your Directory Connector CLI is up-to-date:

```
bwdc update
```

If a newer version is found, the command will return a URL to download a new version. **The Directory Connector CLI will not automatically update.** You will need to use this URL to download the new version manually.

> [!NOTE] BWDC desktop and CLI
> If you are using the CLI and desktop app together, it is important to ensure their versions match whenever in use.
> Running two different versions may cause unexpected issues.
>
> Check the version of the Directory Connector CLI using the `--version` global option.

## Troubleshooting

### libsecret missing

If you receive an error message referring to the libsecret shared object, `Error: libsecret-1.so.0: cannot open shared object file: No such file or directory`, you may need to install libsecret, which is required to store sensitive data securely on the host.

### dbus Errors

If you receive an error message referring to dbus when using `bwdc config`, for example `Failed to execute child process "dbus-launch" (No such file or directory)` or `Cannot autolaunch D-Bus without X11`, assign the following environment variable to allow plaintext storage of secrets in `data.json`:

```
export BITWARDENCLI_CONNECTOR_PLAINTEXT_SECRETS=true
```

Secrets are then stored unencrypted in `data.json`, so limit read access to that file to the account that runs `bwdc`.

### Debug

The debug environment variable can be added for troubleshooting information.

```
export BITWARDENCLI_CONNECTOR_DEBUG=true
```

### Unable to get local issuer certificate

If you receive an error message that states `unable to get local issuer certificate`, set the `NODE_EXTRA_CA_CERTS` variable to your `root.pem`, for example:

```
export NODE_EXTRA_CA_CERTS="absolute/path/to/your/certificates.pem"
```

If you're using the desktop app, this may also manifest as the following error: `Warning: Setting the NODE_TLS_REJECT_UNAUTHORIZED environment variable to '0' makes TLS connections and HTTPS requests insecure by disabling certificate verification.`

### Failing to set private key

If you receive the error `Object does not exist at path "/org/freedesktop/secrets/collection/login"` while configuring your private key, see the following steps to correct the issue.
The Bitwarden Directory Connector uses the Linux keyring. Check that the following dependencies have been installed:

```bash
sudo apt install dbus-x11 gnome-keyring
```

Next, run the following commands to start the daemon:

```bash
export $(dbus-launch)
dbus-launch
gnome-keyring-daemon --start --daemonize --components=secrets
echo '' | gnome-keyring-daemon -r -d --unlock
```

Following these commands, try to set the key again, for example:

```bash
bwdc config gsuite.key /path/to/key/
```

--- URL: https://bitwarden.com/help/directory-sync-desktop/ ---

# Directory Connector Desktop App

The Directory Connector desktop app is a standalone desktop application that can be used to sync users, groups, and group associations from a selection of directory services.

![Directory Connector Desktop App ](https://bitwarden.com/assets/7r6eylncijFasEUrKXe2Hk/b6eec60c8a6452a300eeba5272c46ea4/app.png)

Directory Connector is also available as a [CLI tool](https://bitwarden.com/help/directory-sync-cli/). The desktop app and CLI [share a database and configurations](https://bitwarden.com/help/directory-sync-shared/), so **simultaneous** use on a single machine is not recommended. The recommended path is to complete configuration and testing using the [desktop app](https://bitwarden.com/help/directory-sync-desktop/), and subsequently using the [CLI](https://bitwarden.com/help/directory-sync-cli/) to [schedule automatic syncing](https://bitwarden.com/help/schedule-directory-sync/) to your production organization.

## Getting started

To get started using the Directory Connector desktop app:

1. Download the latest version of the app from our [GitHub releases page](https://github.com/bitwarden/directory-connector/releases) or by using one of the following official links:

   - 🪟 [Windows Installer (.exe)](https://bitwarden.com/download/?app=connector&platform=windows/)
   - 🪟 [Windows Portable (.exe)](https://bitwarden.com/download/?app=connector&platform=windows&variant=portable/)
   - 🍎 [macOS (.dmg)](https://bitwarden.com/download/?app=connector&platform=macos/)
   - 🐧 [Linux (.AppImage)](https://bitwarden.com/download/?app=connector&platform=linux/)

2. Set the server URL used by Directory Connector before logging in. This is required if you are self-hosting Bitwarden or using the [EU server](https://bitwarden.com/help/server-geographies/):

   1. On the Login screen, select **Settings**.
   2. In the **Server URL** field, enter the domain name for your Bitwarden instance, including `https://`. For example, `https://vault.bitwarden.eu` or `https://your.domain.bitwarden.com`.
   3. Select **Save**.

3. Log in to Directory Connector using your [organization API key](https://bitwarden.com/help/public-api/#authentication/). If you don't have the API key, reach out to an [organization owner](https://bitwarden.com/help/user-types-access-control/).
4. On the ⚙️ **Settings** tab, connect to your directory and configure [sync options](https://bitwarden.com/help/user-group-filters/).
   This procedure will vary based on the directory in use, so refer to one of the following articles for instruction:

   - [Sync with Active Directory or LDAP](https://bitwarden.com/help/ldap-directory/)
   - [Sync with Azure Active Directory](https://bitwarden.com/help/microsoft-entra-id/)
   - [Sync with G Suite (Google)](https://bitwarden.com/help/workspace-directory/)
   - [Sync with Okta](https://bitwarden.com/help/okta-directory/)
   - [Sync with OneLogin](https://bitwarden.com/help/onelogin-directory/)

   > [!NOTE] Clear sync cache
   > If you are re-configuring sync options, rather than setting them for the first time, navigate to the **More** tab and select the **Clear Sync Cache** button to prevent potential conflicts with prior sync operations ([learn more](https://bitwarden.com/help/clear-sync-cache/)).

5. On the ⚙️ **Settings** tab, select your organization from the organization dropdown.
6. **Perform a Test Sync**. To check that your directory connection and sync options are successfully configured and working as expected:

   1. Open the **Dashboard** tab.
   2. Select the **Test Now** button.

   Sync testing will query the directory server and print the results to the dashboard. Results will include:

   - A list of users that will be synced from the directory.
   - A list of groups that will be synced from the directory.
   - A list of users that will be disabled based on their status in the directory.
   - A list of users that will be deleted from your organization based on their status in the directory.

   ![Directory Connector test sync](https://bitwarden.com/assets/6HK5d7qPL22HYTHbgRS1tp/42127d0fde4fea4f645ea7ce807ebadc/Screenshot_2024-08-19_at_1.44.23_PM.png)
   *Directory Connector test sync*

If the printed results match your expectations, you're ready to [start syncing](https://bitwarden.com/help/directory-sync-desktop/#sync-with-directory-connector/).
## Sync with Directory Connector

Directory Connector can be used to run a one-time [manual sync](https://bitwarden.com/help/directory-sync-desktop/#manual-sync/) or [automatic sync polling](https://bitwarden.com/help/directory-sync-desktop/#automatic-sync/):

### Manual sync

To run a one-time manual sync from your directory to your Bitwarden organization, open the **Dashboard** tab and select the **Sync Now** button. Synced users will be invited to your organization, and groups will be immediately created.

### Automatic sync

Automatic syncing will poll your directory based on the **Interval** specified in your [sync options](https://bitwarden.com/help/user-group-filters/) as long as the application is open. If you exit or close the application, automatic sync polling will stop.

To start automatic sync polling with Directory Connector, open the **Dashboard** tab and select the **Start Sync** button.

> [!NOTE] Teams Starter + BWDC
> If you're on the [Teams Starter](https://bitwarden.com/help/password-manager-plans/#teams-starter-organizations/) plan, you are limited to 10 members. Directory Connector will display an error and stop syncing if you try to sync more than 10 members.
>
> **This plan is no longer available for purchase**. This error does not apply to Teams plans.

--- URL: https://bitwarden.com/help/directory-sync-shared/ ---

# Directory Connector File Storage

The desktop app and CLI [share a database and configurations](https://bitwarden.com/help/directory-sync-shared/), so **simultaneous** use on a single machine is not recommended. The recommended path is to complete configuration and testing using the [desktop app](https://bitwarden.com/help/directory-sync-desktop/), and subsequently using the [CLI](https://bitwarden.com/help/directory-sync-cli/) to [schedule automatic syncing](https://bitwarden.com/help/schedule-directory-sync/) to your production organization.
> [!NOTE] Desktop and CLI configuration
> We recommend using the desktop app or CLI before editing the Directory Connector configuration file directly, as **it is not possible to set up the entirety of Directory Connector from this file**. Authentication values, like keys or secrets, must be set from either the [desktop app](https://bitwarden.com/help/directory-sync-desktop/) or [CLI](https://bitwarden.com/help/directory-sync-cli/).

## Config file

The Directory Connector configuration file (`data.json`) contains objects you may directly edit in order to:

- Set the connection to your directory
- Configure sync options

It is not possible to set up the entirety of Directory Connector from `data.json`. Authentication values, like keys or secrets, must be set from either the [desktop app](https://bitwarden.com/help/directory-sync-desktop/) or [CLI](https://bitwarden.com/help/directory-sync-cli/).

⬇️ [Download a sample configuration file](https://bitwarden.com/assets/1Bkzdf50jZRPq0MRJ85FPi/68b92adf2f5399dc50df1b897a0c0729/data.json)

> [!NOTE] Modifying BWDC data.json
> Avoid opening or modifying `data.json` while the Directory Connector desktop app or CLI executable is running.

### Location

The location of `data.json` depends on which platform is in use:

- Windows: `%AppData%\Bitwarden Directory Connector`
- Portable: `.\bitwarden-connector-appdata`
- macOS: `~/Library/Application Support/Bitwarden Directory Connector`
- Linux: `~/.config/Bitwarden Directory Connector`

> [!NOTE]
> Using the Directory Connector [CLI](https://bitwarden.com/help/directory-sync-cli/), run the `data-file` command to discover the absolute path to the `data.json`.

## Secret storage

By default, the Directory Connector [desktop app](https://bitwarden.com/help/directory-sync-desktop/) and [CLI](https://bitwarden.com/help/directory-sync-desktop/) both use a secure method for persisting sensitive data (such as your directory account password, API keys, and so on).
On Linux systems this requires [GNOME Keyring](https://wiki.archlinux.org/index.php/GNOME/Keyring) and [X11](https://en.wikipedia.org/wiki/X_Window_System), which are usually reserved for desktop environments. If you are using a headless Linux environment you may encounter errors such as: ``` Cannot autolaunch D-Bus without X11 $DISPLAY ``` ### Secret storage in headless environments If a secure storage environment is not available, you can configure the Directory Connector CLI to use plaintext storage of secrets. To do so, set the following environment variable to override secure storage, for example by running `sudo -H gedit /etc/environment`: ``` BITWARDENCLI_CONNECTOR_PLAINTEXT_SECRETS=true ``` With plaintext storage enabled, you can then configure all settings directly, in plaintext, from the `data.json` configuration file. > [!NOTE] Plaintext storage not compatible with BWDC desktop app > Plaintext storage of secrets is not compatible with the Directory Connector desktop app. You should only use the Directory Connector CLI with plaintext storage of secrets. --- URL: https://bitwarden.com/help/directory-sync/ --- # About Directory Connector The Bitwarden Directory Connector app automatically provisions users, groups, and group associations in your Bitwarden organization by pulling from a selection of source directory services. Provisioned users will be issued invitations to join the organization, and can subsequently complete the normal [onboarding procedure](https://bitwarden.com/help/managing-users/#onboard-users/). Directory Connector can be configured to remove users from your Bitwarden organization when they are disabled from the source directory. This won't delete their Bitwarden accounts, but they will lose all access to your organization. > [!NOTE] Directory connector teams and enterprises > Directory Connector functionality is available to **Teams** and **Enterprise** organizations. 
To use Directory Connector, you must have access to your [organization API key](https://bitwarden.com/help/public-api/#authentication/) which can only be retrieved by an [organization owner](https://bitwarden.com/help/user-types-access-control/) and securely shared using [Bitwarden Send](https://bitwarden.com/help/about-send/). ![Directory Connector Diagram](https://bitwarden.com/assets/6RFsU5sJGDLMPawg64sBqM/85c9e9f6e7758944d76c8ecb79ca4af9/Marketing_Diagram_2024__1_.png) A Directory Connector sync operation can be run on-demand or automatically on a configured interval. Directory Connector applications can be installed as an agent on the server that hosts your directory, an administrator's workstation, or any other desktop device that can access the source directory. Directory Connector supports sync from the following sources: - [Active Directory](https://bitwarden.com/help/ldap-directory/) - [Any LDAP-based directory](https://bitwarden.com/help/ldap-directory/) - [Microsoft Entra ID](https://bitwarden.com/help/microsoft-entra-id/) - [Google Workspace](https://bitwarden.com/help/workspace-directory/) - [Okta](https://bitwarden.com/help/okta-directory/) - [OneLogin](https://bitwarden.com/help/onelogin-directory/) ## Directory Connector applications Directory Connector is available as a cross-platform [desktop app](https://bitwarden.com/help/directory-sync-desktop/) and as a [command line interface (CLI)](https://bitwarden.com/help/directory-sync-cli/). The desktop app and CLI [share a database and configurations](https://bitwarden.com/help/directory-sync-shared/), so **simultaneous** use on a single machine is not recommended. The recommended path is to complete configuration and testing using the [desktop app](https://bitwarden.com/help/directory-sync-desktop/), and subsequently using the [CLI](https://bitwarden.com/help/directory-sync-cli/) to [schedule automatic syncing](https://bitwarden.com/help/schedule-directory-sync/) to your production organization. 
![Directory Connector Desktop App ](https://bitwarden.com/assets/7r6eylncijFasEUrKXe2Hk/b6eec60c8a6452a300eeba5272c46ea4/app.png) ### Download Directory Connector Use the following links to download Directory Connector: ### Desktop app Download the latest version of the Directory Connector desktop app from our [GitHub releases page](https://github.com/bitwarden/directory-connector/releases) or by using one of the following official links: - 🪟 [Windows Installer (.exe)](https://bitwarden.com/download/?app=connector&platform=windows/) - 🪟 [Windows Portable (.exe)](https://bitwarden.com/download/?app=connector&platform=windows&variant=portable/) - 🍎 [macOS (.dmg)](https://bitwarden.com/download/?app=connector&platform=macos/) - 🐧 [Linux (.AppImage)](https://bitwarden.com/download/?app=connector&platform=linux/) ### CLI Download the latest version of the Directory Connector CLI from one of the following links: - 🪟 [Windows CLI (.exe)](https://bitwarden.com/download/?app=connector&platform=windows&variant=cli-zip/) - 🍎 [macOS CLI](https://bitwarden.com/download/?app=connector&platform=macos&variant=cli-zip/) - 🐧 [Linux CLI](https://bitwarden.com/download/?app=connector&platform=linux&variant=cli-zip/) ## Source code As with everything at Bitwarden, Directory Connector is open source and hosted on GitHub at [github.com/bitwarden/directory-connector](https://github.com/bitwarden/directory-connector). --- URL: https://bitwarden.com/help/disable-browser-autofill/ --- # Deactivate My Browser's Built-in Password Manager If you're new to Bitwarden, your web browser likely saves and autofills your passwords. Most web browsers enable this by default, even though experts generally agree that [built-in password managers are more vulnerable](https://www.wired.com/2016/08/browser-password-manager-probably-isnt-enough/) than dedicated solutions like Bitwarden. 
We recommend turning off your browser's built-in password manager to improve your security and prevent interference with Bitwarden.

> [!NOTE] Deploying Browser across organization
> The Bitwarden browser extension can be deployed across managed endpoints. Learn more about [deploying the Bitwarden browser extension to managed devices](https://bitwarden.com/help/browserext-deploy/).

## Manually disable a browser's built-in password manager

Learn how to disable the built-in password manager for major browsers.

> [!NOTE] Chromium instructions
> Several modern browsers, including Edge, Opera, and Brave, use a Google Chrome framework called "Chromium". If you are using one of those browsers, use the **Chrome/Chromium** instructions.

### Chrome/Chromium

In Chrome or any Chromium-based browser (Edge, Opera, and Brave), navigate to the **Passwords** page by entering `chrome://password-manager/settings` in the address bar, substituting your browser name for `chrome` (for example, `brave://password-manager/settings`). For Edge users, navigate to `edge://wallet/settings`.

On this page, toggle off both the **Offer to save passwords** option and the **Auto Sign-in** option:

![Chrome Password Options ](https://bitwarden.com/assets/6bpi4fkyZhnkhW5RBtugDW/d8e2de4536d6a34f092fd9d5975fd04a/chrome-disable-autofill.png)

This page will also list any **Saved Passwords** that are being stored by the browser:

![Chrome Saved Passwords ](https://bitwarden.com/assets/4P5alfndwwNgCpTYrSCg61/b3545839a8429f28ee7b6ac66559c3ce/chrome-delete-passwords.png)

If you haven't already saved these passwords in Bitwarden, [export them](https://bitwarden.com/help/import-from-chrome/#export-from-chrome/) to prepare for future import to Bitwarden. Once exported, you should delete these passwords from the browser's storage.

### Firefox

In Firefox, navigate to **Settings** → **Privacy & Security** and scroll down to the **Passwords** and **Autofill** sections.
In this section, uncheck all the pre-checked options: ![Firefox Password Options ](https://bitwarden.com/assets/72yK5CCMKa9pcfCcdvUZqL/459febc76765636f28465ae4875998bd/2025-08-06_16-51-03.png) > [!TIP] Bitwarden has more reporting than Firefox, duh. > Bitwarden Password Manager offers a variety of [reports](https://bitwarden.com/help/reports/) for premium users, like the Exposed Passwords and Reused Passwords reports, and a **free Data Breach report for all users**. You may also review any logins Firefox has already saved by selecting the **Saved Passwords** button: ![Firefox Saved Logins ](https://bitwarden.com/assets/5UrQ6bGCjV0VdHvy6rzece/a2148eaa8dcaaf4f7158e8d806dcb97b/2025-08-06_16-53-15.png) If you haven't already saved these passwords in Bitwarden, [export them](https://bitwarden.com/help/import-from-firefox/) for future import to Bitwarden. Once exported, you should 🗑️ **Remove** these passwords from Firefox. ### Safari In Safari, open **Settings** from the menu bar and navigate to the **AutoFill** tab. On this tab, uncheck all the pre-checked options: ![Safari Password Options ](https://bitwarden.com/assets/4nuEz911vsIAUegHVL0Zec/7d663935c4f9e65297c14598f1037b72/safari-disable.png) You should also find out which passwords Safari has already saved by navigating to the **Passwords** tab. If you have passwords saved, this tab will lead you to the Apple Passwords app. ![Safari Saved Passwords ](https://bitwarden.com/assets/6eZMZC98Grc7sbdHbBfXtK/4c72d19c26e56ad7dfb3267f466bd119/safari-delete.png) If you haven't already saved these passwords in Bitwarden, create login items in Bitwarden for these passwords. Once all saved passwords are in Bitwarden, **Remove** these passwords from Safari. ### Vivaldi In Vivaldi, open the ⚙️ **Vivaldi Settings** window and select [eye] **Privacy** from the left-hand navigation. 
Scroll down to the Passwords section and uncheck the **Save Webpage Passwords** option: ![Vivaldi Password Options ](https://bitwarden.com/assets/6nk9FVDeg8XaUz22Xahr8T/ee0f597cc264da5a30853588d541f074/vivaldi-disable.png) You should also find out which passwords Vivaldi has already saved by selecting the **Show Saved Passwords** button: ![Vivaldi Saved Passwords ](https://bitwarden.com/assets/1j5qvcTAVsXficByKFewec/fd6f86731a9e15d38e0cbc39f4f64197/vivaldi-delete.png) If you haven't already saved these passwords in Bitwarden, create login items in Bitwarden for these passwords. Once all saved passwords are in Bitwarden, remove these passwords from Vivaldi. [Learn how](https://help.vivaldi.com/desktop/privacy/password-management/#Deleting_passwords). ### Tor Despite sharing roots with Firefox, Tor is unique in that it doesn't save your logins by default. If you haven't manually configured Tor to save and autofill logins, you are already all set. If you did, navigate to the **Passwords** page by entering `about:preferences#privacy` in the address bar, and scroll down to the Logins and Passwords section. Toggle off all the options that you had checked: ![Tor Password Option ](https://bitwarden.com/assets/4FcJnbhCUhDNITJjiy9ciD/d0f83af69188afaf619788c7e60c9a1b/tor-disable.png) You should also find out which logins Tor has already saved by selecting the **Saved Logins...** button: ![Tor Saved Passwords ](https://bitwarden.com/assets/3NHOIo5RIwTjVecqRPeT5Y/6c1e26dc5385006a498b77c48e1048c2/tor-delete.png) If you haven't already saved these passwords in Bitwarden, create login items in Bitwarden for these passwords. Once all saved passwords are in Bitwarden, 🗑️ **Remove** these passwords from Tor. ### DuckDuckGo In DuckDuckGo, navigate to **Settings → Autofill**. From this screen, uncheck the box for **Usernames and passwords**. 
![Disable DuckDuckGo Password Manager](https://bitwarden.com/assets/6kAbV4w8EiJX20O9VZOQyl/c6df545c4bc464122b250527b80494d3/Screenshot_2023-11-03_at_11.06.54_AM.png)

You can create a backup of your existing data by selecting **Export Passwords**. Once you have created a backup file, select **View Autofill Content...** and delete the stored autofill data to remove previously saved suggestions.

In the Password Manager section, macOS users can choose to use Bitwarden. Learn more about the Bitwarden DuckDuckGo macOS browser integration [here](https://bitwarden.com/help/duckduckgo-macos-browser-integration/).

## Make Bitwarden your default password manager in Chrome

> [!NOTE] Make Bitwarden default is exclusive to chrome
> The **Make Bitwarden your default password manager** option is only available for the Chrome browser extension. For other browsers, [manually disable their built-in password manager](https://bitwarden.com/help/disable-browser-autofill/#manually-disable-a-browsers-built-in-password-manager/).

The Bitwarden browser extension on Chrome has a built-in setting to disable your browser's default password manager. To use this setting:

1. Navigate to the ⚙️ **settings** tab in the Bitwarden browser extension and then select **Autofill**.
2. Click to enable the **Make Bitwarden your default password manager** option.

   ![Make Bitwarden default password manager](https://bitwarden.com/assets/5fyBdu5X6JCLu2UsaqYUO0/abfb44cb460314112805bfd0312c1f8f/2025-10-14_12-44-35.png)

3. A dialogue will appear on screen. Select **allow** to give Bitwarden permission to make changes to your browser settings.

--- URL: https://bitwarden.com/help/duckduckgo-macos-browser-integration/ ---

# DuckDuckGo macOS Browser Integration

> [!TIP] Use DDG download, not app store
> In order to use the DuckDuckGo macOS app integration with Bitwarden, you'll need to download the DuckDuckGo macOS browser from [https://duckduckgo.com/mac](https://duckduckgo.com/mac) instead of from the macOS App Store.

Bitwarden and DuckDuckGo have partnered to offer Bitwarden functionality inside the DuckDuckGo macOS browser! The integration allows for seamless autofilling, creating, and updating of credentials in your Bitwarden vault while using login forms in DuckDuckGo:

![Bitwarden in DuckDuckGo](https://bitwarden.com/assets/4bfRWX1qSH0NK9HG2bBDTb/bfe35d198efed114e64ef1b97d6f9508/ddg_macos.png)

The integration requires the Bitwarden [desktop app](https://bitwarden.com/help/getting-started-desktop/) to be installed on your machine and unlocked in order to access vault items from DuckDuckGo.

## Set up the integration

To set up the integration between the DuckDuckGo macOS browser and Bitwarden:

1. Open DuckDuckGo's **Settings** screen and select **Passwords & Autofill** from the menu.
2. In the Password Manager section, select **Bitwarden**. A wizard will help you through integration setup, but we'll outline the remaining steps here as well.
3. Install the Bitwarden desktop app if it isn't already on your machine.
4. Open the Bitwarden desktop app and log in or unlock your vault.
5. Select **Bitwarden > Settings** from the macOS menu bar.
6. Scroll to find the **App Settings (All Accounts)** section.
7. Check **Allow DuckDuckGo browser integration**.
8. In DuckDuckGo select **Connect** when the browser detects Bitwarden is ready.
9. In Bitwarden, select **Yes** to approve DuckDuckGo's request to connect.

> [!TIP] DDG Integration Vault Status
> Once Bitwarden is connected, you can return to the **Settings** > **Autofill** page in DuckDuckGo to see the current status of the integration (for example, whether you need to unlock Bitwarden to autofill, create, or update credentials).

## Use the integration

### Autofill credentials

To autofill credentials from Bitwarden, select login form input boxes.
If credentials are detected, they'll be offered for autofill:

![DuckDuckGo Auto-fill](https://bitwarden.com/assets/34RVEdeI6m5IiMXxEBmYJb/5fa66cccef09aed7ef03011a522ad3a3/Screen_Shot_2022-11-14_at_9.25.24_AM.png)

### Add or update credentials

If a set of credentials you use is not detected in or different from what's stored in Bitwarden, you'll be prompted to add or update:

![DuckDuckGo Add or Update](https://bitwarden.com/assets/4YmcbgoaQ92Lhj2wBS8g0R/f74b7ead6f4711cf6a3dac46d73b3f71/ddg_macos_copy.png)

--- URL: https://bitwarden.com/help/elastic-siem/ ---

# Elastic SIEM

Elastic is a solution that can provide search and observability options for monitoring your Bitwarden organization. Elastic Agent provides the capability to monitor `collection`, `event`, `group`, and `policy` information with the [Elastic Bitwarden integration](https://www.elastic.co/docs/reference/integrations/bitwarden).

## Setup

### Create an Elastic account

To begin, start by [creating an Elastic account](https://www.elastic.co/). This step is required in order to set up a dashboard to monitor data with Elastic's cloud hosted service (recommended), or on-premise service.

### Add Bitwarden integration

Monitoring data will require the use of Elasticsearch as well as Kibana to visualize data.

1. On the Elastic home screen, scroll down and locate **Add Integrations**.

   ![Add Elastic Integration](https://bitwarden.com/assets/3Ka8ZepztzAq9YiGJO7pSM/879c6c6719eac019f4eb53f5383b3e92/2023-09-08_10-15-52.png)

2. Once you are on the integrations catalogue, enter **Bitwarden** into the search field and select Bitwarden.

   ![Bitwarden Elastic Integration](https://bitwarden.com/assets/5mlMtswqip5Fbc9Z3u6zFX/1d202883452499e85a852fb9ac01e70a/2023-09-08_10-21-12.png)

3. Select the **Add Bitwarden** button to install the integration.
4. If this is your first Elastic integration, you will be required to install Elastic Agent.
   On the following screen, select **Install Elastic Agent** and follow the installation instructions.

   ![Install Elastic Agent](https://bitwarden.com/assets/2v3y1bfqiFdk2H9aLElJ26/f86ba44de90afcc37e38c06233ad0f70/2023-09-08_10-24-05.png)

5. In order to run the Bitwarden integration, Elastic Agent is required to maintain the integration data. Once the installation is complete, Elastic will detect the successful installation. After the agent has been successfully set up, select **Add the integration**.

   ![Elastic setup](https://bitwarden.com/assets/25pXseQDpZp8jly8kFKIub/22257e4116e67f12647a2e33071ba37f/2023-11-07_11-55-35.png)

### Connect Integration to Bitwarden

Once you have added the Bitwarden integration, you will be brought to the setup screen to configure the integration. Keep this screen open and, in another tab, log in to the Bitwarden web app and open the Admin Console using the product switcher:

![Product switcher](https://bitwarden.com/assets/2uxBDdQa6lu0IgIEfcwMPP/e3de3361749b6496155e25edcfdcf08b/2024-12-02_11-19-56.png)

Navigate to your organization's **Settings** → **Organization info** screen and select the **View API key** button. You will be asked to re-enter your master password in order to access your API key information.

![Organization api info](https://bitwarden.com/assets/6gHjAyqgeqDj6UPT6agsBK/3a614e043cb3836a41bd68f226835e53/2024-12-04_09-51-07.png)

Input the following information into the corresponding fields:

| Elastic Field | Value |
|------|------|
| URL | For Bitwarden cloud users, the default URL will be `https://api.bitwarden.com`. For self-hosted Bitwarden users, input your self-hosted URL. Be sure that the URL does not end with a trailing forward slash (`/`). |
| Client ID | Input the value for `client_id` from the Bitwarden organization API key window. |
| Client Secret | Input the value for `client_secret` from the Bitwarden organization API key window. |

> [!NOTE] Org API information sensitive
> Your organization API key information is sensitive data. Do not share these values in nonsecure locations.

Once you have completed the required fields, continue scrolling down the page to apply desired data collection settings. Select **Confirm incoming data** once you are finished.

> [!NOTE] Elastic integration advanced settings
> Additional **Advanced options** are available for configuration at this point. The minimum required fields are highlighted above to add the Bitwarden integration. To access the integration at a later point to edit the setup, go to the menu and select **Integrations** → **Installed integrations** → **Bitwarden** → **Integration policies**.

If all the data was entered correctly, Elastic will confirm incoming data and provide a preview of incoming data. Select **View assets** to monitor your data.

### Start monitoring data

Once setup is completed you can begin reviewing your Bitwarden Organization data. Select any of the Bitwarden Dashboards to monitor data relative to the dashboard. Here is a brief overview of each dashboard's monitored data:

| Log | Description |
|------|------|
| [Logs Bitwarden] Policy | Review policy changes for an organization such as enabling, disabling, or updating organizational policies. |
| [Logs Bitwarden] Group and Collection | Monitor recorded events for groups and collections related to the organization. |
| [Logs Bitwarden] Event | Monitor organizational event logs. Learn more about event logs [here](https://bitwarden.com/help/event-logs/). |

### Understanding the dashboards

#### Queries

Elastic data monitoring uses the Kibana Query Language (KQL) for filtering data. To learn more about queries and searches, see the [Elastic query documentation](https://www.elastic.co/guide/en/kibana/current/kuery-query.html).
--- URL: https://bitwarden.com/help/emails-from-bitwarden/ ---

# Identify Legitimate Emails from Bitwarden

Like using strong passwords, avoiding suspicious emails is an important tool in your online security toolkit. We recommend familiarizing yourself with these [FTC Guidelines](https://www.consumer.ftc.gov/articles/how-recognize-and-avoid-phishing-scams) for spotting and avoiding phishing. Here are some guidelines to help you determine whether an email that looks like it's from Bitwarden is legitimate:

## Automated emails

### Product interaction emails

Emails such as new device alerts, invitations to [join an organization](https://bitwarden.com/help/managing-users/), [request access to Secrets Manager](https://bitwarden.com/help/secrets-manager-quick-start/#getting-to-secrets-manager/), and [two-step login codes](https://bitwarden.com/help/setup-two-step-login-email/) will come from `no-reply@bitwarden.com` or `.eu` or, if you are self-hosting, a [configured domain](https://bitwarden.com/help/install-on-premise-linux/#install-bitwarden/) like `no-reply@my.domain.com`.

> [!NOTE] Email Verification Email
> Email verification requests, which as of 2024.9.2 are sent to cloud users during account creation, are also issued from `no-reply@bitwarden.com`:
>
> ![Email verification](https://bitwarden.com/assets/2QR4MYirRuYyMJnkx5ce6e/858d2d1fc23440e31ce87a8ff6efa4f5/2024-09-26_10-01-00.png)
> *Email verification*

These emails will **never contain attachments**. If you are prompted to download a file, please report the email to us.

Some of these emails, such as organization invites, will contain buttons. Always check the validity of the hyperlink **before clicking on it** by confirming that it leads to `https://vault.bitwarden.com` or your organization's self-hosted domain. If you don't know your organization's domain, ask a member of your IT team or an administrator.

![Organization invitation](https://bitwarden.com/assets/4Fe96NuWb7yRe6muKf7UbZ/bcb1a8df0bc2ffdecbcd86b82d16c9a3/2025-09-03_10-41-25.png)

### Payments emails

Automated payments emails for individual premium and paid organization subscriptions will come from an `invoice+statements@bitwarden.com` address. These emails **will contain** attachments, specifically PDF invoices and receipts.

### Renewals emails

Paid users will be reminded of upcoming renewals via emails for each Bitwarden subscription that is approaching its renewal date. These emails will come from `no-reply@bitwarden.com` or `.eu` and `upcoming-invoice@bitwarden.com` addresses.

## Opt-in emails

While you will receive [automated emails](https://bitwarden.com/help/emails-from-bitwarden/#automated-emails/) as part of everyday use of Bitwarden, you might also receive emails from the following addresses if you have interacted with various parts of the Bitwarden ecosystem:

- Support requests will be received from `support@bitwarden.com`.
- Product announcements will be received from `productupdates@bitwarden.com`.
- Trial information will be received from `trial@bitwarden.com`.
- Marketing campaigns will be received from `marketing@bitwarden.com` and `care@bitwarden.com`.
- Emails from members of the Bitwarden team will be received from `@bitwarden.com` email addresses.

## Alert emails

Bitwarden will send an email alert for suspicious activities such as logging in from an unknown device, and failed login attempts from an unknown device. These emails will **never contain attachments**. If you are prompted to download a file or click an unknown link, please contact us.

### New device verification

The first time you log in from a device you have not logged in to previously, if your account does not use two-step login, you will receive an email containing a verification code. Learn more [here](https://bitwarden.com/help/new-device-verification/).

### New device logged in

If your account successfully logs in from an unknown device, you will receive an email containing information about the login.

![Login from unknown device email](https://bitwarden.com/assets/3BPGGp6Wvm3NzDopPbkkj2/b8ff436931e2791d366dda3ea8ed078e/Screenshot_2023-03-29_at_4.05.28_PM.png)

The email will contain:

- Date
- IP Address
- Device type

If you do not recognize this login, see [here](https://bitwarden.com/help/security-faqs/#q-what-do-i-do-if-i-dont-recognize-a-new-device-logging-into-bitwarden/) and take immediate steps to protect your account.

### Trusted device request approved

When a request to an organization administrator to [add a trusted device](https://bitwarden.com/help/add-a-trusted-device/) is approved, the requesting user is sent an email informing them they can continue logging in on that device. **The user must take action by logging in to the new device within 12 hours, or the approval will expire.**

The email will contain:

- Date
- IP address
- Device type

### Failed login attempts detected

If an incorrect two-step login attempt is detected, for example the entry of an incorrect TOTP code, you will receive an email informing you of this:

![Failed login attempt email](https://bitwarden.com/assets/7oGzZ6B0WTuRKeKu7DBmAE/8a7b4517cab6b76fd474e05171be5fba/2025-08-28_11-07-13.png)

If the attempt was you, you can safely ignore the message. If the attempt **was not you**, you should [change your master password](https://bitwarden.com/help/master-password/#change-master-password/) immediately.

## Announcement emails

### Subject: Upcoming login changes (Dec. 2024)

This email was sent in December 2024 from `no-reply@bitwarden.com` to inform users of upcoming changes to new device verification.
--- URL: https://bitwarden.com/help/emergency-access/ ---

# Log In With Emergency Access

Emergency access allows users to designate and manage [trusted emergency contacts](https://bitwarden.com/help/emergency-access/#trusted-emergency-contacts/), who can request access to their vault in cases of emergency.

> [!NOTE] Who is emergency access available to.
> Only premium users, including members of paid organizations (Families, Teams, or Enterprise), can designate trusted emergency contacts; however, anyone with a Bitwarden account can be designated as a trusted emergency contact.
>
> **If your premium features are cancelled or lapse due to failed payment method**, your trusted emergency contacts will still be able to request and obtain access to your vault. You will, however, not be able to add new or edit existing trusted emergency contacts.

## Set up emergency access

Setting up emergency access is a 3-step process in which you must **Invite** a user to become a trusted emergency contact, they must **Accept** the invitation, and finally you must **Confirm** their acceptance:

### Invite

As someone who wants to grant emergency access to your vault, invite a trusted emergency contact:

1. In the Bitwarden web app, navigate to **Settings** → **Emergency access**:

   ![Emergency access page](https://bitwarden.com/assets/3gb0Zm4K935RUmzjd62eJq/d5ba9e65a6f5905fa39c8a601f207a0a/2024-12-02_11-29-43.png)

2. Select the + **Add emergency contact** button:

   ![Add emergency contact](https://bitwarden.com/assets/7vRyx6gsjm4H9ej6mw4mTv/6750adcecb6c00d740b61b85e7b20baf/2024-12-02_11-35-11.png)

3. Enter the **Email** of your trusted emergency contact. Trusted emergency contacts must have Bitwarden accounts of their own, but don't need to have premium.

   ![Emergency access dialogue](https://bitwarden.com/assets/2IEldGj87MY2IMDQpty6Vr/1a8841c005dfc0a6baddcde9bf9e0476/Emergency_access.png)

4. Set a **User Access** level for the trusted emergency contact ([View-only or Takeover](https://bitwarden.com/help/emergency-access/#user-access/)).
5. Set a **Wait time** for vault access. Wait time dictates how long your trusted emergency contact must wait to access your vault after initiating an emergency access request if the access is not manually approved.
6. Select the **Save** button to send the invitation. Your trusted emergency contact **must now accept the invitation**.

> [!NOTE] Emergency contact invite time
> Invitations to become a trusted emergency contact are only valid for five days.

### Accept

As someone who wants to receive emergency access to another vault, accept the issued email invitation:

1. In the received email invitation, select the **Become emergency contact** button in the email to open an emergency access page in your browser:

   ![Emergency access invitation](https://bitwarden.com/assets/1S7YBbeECgEdl1v9r4E5BU/37c6c4207cb8c6df7f69a63ea12751fd/Screenshot_2024-02-27_at_9.23.46_AM.png)

2. Log in to your Bitwarden account to accept the invitation. If you don't already have a Bitwarden account, you will need to create one.

Once you have accepted the invitation, the inviting user **must confirm your acceptance** before you can [initiate access requests](https://bitwarden.com/help/emergency-access/#use-emergency-access/).

### Confirm

As someone who wants to grant emergency access to your vault, confirm your new trusted emergency contact:

1. In the Bitwarden web app, navigate to **Settings** → **Emergency access**:

   ![Emergency access page](https://bitwarden.com/assets/3gb0Zm4K935RUmzjd62eJq/d5ba9e65a6f5905fa39c8a601f207a0a/2024-12-02_11-29-43.png)

2. In the **Trusted emergency contacts** section, the invited user should appear with a `Needs Confirmation` status card. Using the ⋮ menu, select **Confirm** from the dropdown menu:

   ![Confirm emergency contact](https://bitwarden.com/assets/jEvLxG2nmFJRnlTbcpwRO/8b564a834758b744b5a2f86114393302/2024-12-02_11-38-53.png)

To ensure the integrity of your encryption keys, verify the displayed fingerprint phrase with the grantee before completing confirmation.

## Use emergency access

Once [set up](https://bitwarden.com/help/emergency-access/#set-up-emergency-access/), the following sections will help you **Initiate access** as a trusted emergency contact or **Manage access** as someone who has designated a trusted emergency contact:

> [!TIP] Revoking emergency access
> The following **Manage access** tab also contains information about what to do when you no longer want your trusted emergency contacts to have View or Takeover access to your vault.

### Initiate access

#### Initiate emergency access

Complete the following steps to initiate an emergency access request:

1. In the Bitwarden web app, navigate to **Settings** → **Emergency access**:

   ![Emergency access page](https://bitwarden.com/assets/3gb0Zm4K935RUmzjd62eJq/d5ba9e65a6f5905fa39c8a601f207a0a/2024-12-02_11-29-43.png)

2. In the **Designated as emergency contact** section, select the ⋮ menu icon and choose **Request Access**:

   ![Request emergency access](https://bitwarden.com/assets/6x38VldDaEOAqpuCQ4htRJ/25f126a7ae7cc932562fe62e7aac7bc2/2024-12-02_11-40-35.png)

3. In the confirmation window, select the **Request Access** button.

An email is sent to the user telling them that access was requested. You will be provided access to the grantor's vault after the configured wait time, or when the grantor manually approves (see **Manage access** tab) the emergency access request.

#### Access the vault

Complete the following steps to access the vault once your request has been approved:

1. In the Bitwarden web app, navigate to **Settings** → **Emergency access**:

   ![Emergency access page](https://bitwarden.com/assets/3gb0Zm4K935RUmzjd62eJq/d5ba9e65a6f5905fa39c8a601f207a0a/2024-12-02_11-29-43.png)

2. In the **Designated as emergency contact** section, select the ⋮ menu icon and choose the option from the dropdown that corresponds with your [assigned access](https://bitwarden.com/help/emergency-access/#user-access/):

   - **View** - Selecting this option will display the grantor's vault items on this screen.
   - **Takeover** - Selecting this option will allow you to enter and confirm a new master password for the grantor's account. Once saved, log in to Bitwarden as normal, entering the grantor's email address and the new master password.

### Manage access

#### Approve or reject emergency access

You can manually approve or reject an emergency access request before the configured wait time lapses. Complete the following steps to approve or reject emergency access:

1. In the Bitwarden web app, navigate to **Settings** → **Emergency access**:

   ![Emergency access page](https://bitwarden.com/assets/3gb0Zm4K935RUmzjd62eJq/d5ba9e65a6f5905fa39c8a601f207a0a/2024-12-02_11-29-43.png)

2. In the **Trusted emergency contacts** section, use the ⋮ menu icon to select **Approve** or **Reject**:

   ![Approve or reject emergency access](https://bitwarden.com/assets/7iPFwb2NfsjeVywrwlZxSx/e7986fffd8b304d4bf8ae6734caba206/2024-12-02_11-42-09.png)

#### Revoking access

The steps to take to regain exclusive access to your vault after using emergency access depend on which [access level](https://bitwarden.com/help/emergency-access/#user-access/) was granted:

##### Revoke view access

Trusted emergency contacts who are given **View** access will be able to view your vault items once they are approved and until their access is manually revoked. To manually revoke access, use the ⋮ menu to **Reject** access:

![Revoke Emergency Access](https://bitwarden.com/assets/7dhQEDLZNKCwwspstJnhj0/148c5963b9b0e81c0e5e1e0803c45812/2024-12-02_11-44-01.png)

##### Revoke a takeover

Trusted emergency contacts who are given **Takeover** access will, once used, have created a new master password for your account. As a result, the only way to revoke access involves:

1. Obtaining the new master password they created for your account and using it to log in to the [web vault](https://bitwarden.com/help/getting-started-webvault/).
2. [Changing your master password](https://bitwarden.com/help/master-password/#change-your-master-password/) to one that they do not know.

## More information

### Trusted emergency contacts

Trusted emergency contacts must be existing Bitwarden users, or must create a Bitwarden account before they can accept an invitation. Accounts must be on the same [Bitwarden server](https://bitwarden.com/help/server-geographies/). Trusted emergency contacts do not need to have premium to be designated as such.

A user's status as a trusted emergency contact is tied to a unique Bitwarden account ID, meaning that if a trusted emergency contact [changes their email address](https://bitwarden.com/help/product-faqs/) there is no reconfiguration required to maintain their emergency access. Likewise, if the emergency access grantor changes their email address, no reconfiguration is required.

If a trusted emergency contact creates a new Bitwarden account and [deletes](https://bitwarden.com/help/delete-your-account/) the old account, they will automatically be removed as a trusted emergency contact and must be [re-invited](https://bitwarden.com/help/emergency-access/#set-up-emergency-access/).

There is no limit to the number of trusted emergency contacts a user can have.

> [!NOTE]
> You can [reject](https://bitwarden.com/help/emergency-access/#use-emergency-access/) an emergency access request by your trusted emergency contact at any time before the configured wait time lapses.

### User access

Trusted emergency contacts can be granted one of the following user access levels:

- **View**: When an emergency access request is granted, this user is granted view/read access to all items in your individual vault, including passwords of login items and attachments.

  > [!NOTE] Revoke view access
  > You may [revoke access](https://bitwarden.com/help/emergency-access/#use-emergency-access/) to a trusted emergency contact with view access at any time.

- **Takeover**: When an emergency access request is granted, this user must create a master password for permanent read/write access to your vault (this will **replace** your previous master password). Takeover disables any [two-step login methods](https://bitwarden.com/help/setup-two-step-login/) enabled for the account.

  **If the grantor is a member of an organization**, the grantor will be automatically removed from any organization(s) for which they are not an [owner](https://bitwarden.com/help/user-types-access-control/) on takeover. Owners will not be removed from or lose permissions to their organization(s); however, the [master password requirements](https://bitwarden.com/help/policies/#master-password-requirements/) policy will be enforced on takeover if enabled. Policies that are not usually enforced on owners will not be enforced on takeover.

### How it works

> [!NOTE] WP: See encryption section
> The following information references encryption key names and processes that are covered in the [Hashing, key derivation, and encryption](https://bitwarden.com/help/bitwarden-security-white-paper/#hashing-key-derivation-and-encryption/) section. Consider reading that section first.
Emergency access uses public key exchange and encryption/decryption to allow users to give a [trusted emergency contact](https://bitwarden.com/help/emergency-access/#trusted-emergency-contacts/) permission to [access vault data](https://bitwarden.com/help/emergency-access/#user-access/) in a zero knowledge encryption environment:

1. A Bitwarden user (the grantor) invites another Bitwarden user to become a trusted emergency contact (the grantee). The invitation (valid for only five days) specifies a user access level and includes a request for the grantee's **RSA Public Key**.
2. Grantee is notified of the invitation via email and accepts the invitation to become a trusted emergency contact. On acceptance, the grantee's **RSA Public Key** is stored with the user record.
3. Grantor is notified of the invitation's acceptance via email and confirms the grantee as their trusted emergency contact. On confirmation, the grantor's **User Symmetric Key** is encrypted using the grantee's **RSA Public Key** and stored with the invitation. Grantee is notified of confirmation.
4. An emergency occurs, resulting in grantee requiring access to grantor's vault. Grantee submits a request for emergency access.
5. Grantor is notified of the request via email. The grantor may manually approve the request at any time, otherwise the request is bound by a grantor-specified wait time. When the request is approved or the wait time lapses, the **Public Key-encrypted User Symmetric Key** is delivered to the grantee for decryption with the grantee's **RSA Private Key**. Alternatively, the grantor may reject the request, which will prevent the grantee gaining access as described in the next step. Rejecting a request will not remove the grantee from being a trusted emergency contact or prevent them from making access requests in the future.
6. Depending on the specified user access level, the grantee will either:
   - Obtain view/read access to items in the grantor's vault.
   - Be asked to create a new master password for the grantor's vault.

--- URL: https://bitwarden.com/help/encrypted-export/ ---

# Encrypted Exports

Vault data can be exported in an encrypted `.json` file [for individuals](https://bitwarden.com/help/export-your-data/) and [for organizations](https://bitwarden.com/help/export-organization-items/). Two encrypted export types are available:

- **Account restricted:** Export an encrypted file that can only be re-imported to the Bitwarden account or organization that generated the encrypted export file. This process utilizes the relative [account](https://bitwarden.com/help/account-encryption-key/) or organization encryption key specific to the restricted export.
- **Password protected:** Export an encrypted file protected with a password of your choosing. This file can be decrypted with the password and can be imported to any Bitwarden account. The specified password is salted, used to derive an encryption key using [your configured KDF settings](https://bitwarden.com/help/kdf-algorithms/#changing-kdf-algorithms/), and finally stretched with HKDF into a new encryption key, which encrypts your data, and a message authentication code (MAC).

> [!WARNING] Encryption Key Impact on Encrypted Exports
> **Account restricted** exports cannot be imported to a different account. Additionally, [rotating your account's encryption key](https://bitwarden.com/help/account-encryption-key/) will render an account restricted export impossible to decrypt. **If you rotate your account encryption key, replace any old files with new ones that use the new encryption key.**
>
> If you wish to import an encrypted `.json` file onto a different Bitwarden account, select the **Password protected** export type when creating an export.

Encrypted exports will include items like logins, cards, secure notes, and identities. An encrypted export of the following plaintext login item:

```
{
  ...
  "login": {
    "username": "mylogin",
    "password": "mypassword",
    "totp": "otpauth://totp/my-secret-key"
  },
  ...
}
```

will look something like:

```
{
  ...
  "login": {
    "username": "9.dZwQ+b9Zasp98dnfp[g|dHZZ1p19783bn1KzkEsA=l52bcWB/w9unvCt2zE/kCwdpiubAOf104os}",
    "password": "1o8y3oqsp8n8986HmW7qA=oiCZo872b3dbp0nzT/Pw=|A2lgso87bfDBCys049ano278ebdmTe4:",
    "totp": "2CIUxtpo870B)*^GW2ta/xb0IYyepO(*&G(&BB84LZ5ByZxu0E9hTTs6PHg0=8q5DHEPU&bp9&*bns3EYgETXpiu9898sxO78l"
  },
  ...
}
```

## Next steps

- Create an encrypted export [as an individual user](https://bitwarden.com/help/export-your-data/).
- Create an encrypted export [of your organization data](https://bitwarden.com/help/export-organization-items/).
- Re-import an encrypted export [as an individual user](https://bitwarden.com/help/import-data/).
- Re-import an encrypted export [as an organization](https://bitwarden.com/help/import-to-org/).

--- URL: https://bitwarden.com/help/end-user-adoption-emails/ ---

# End-user Adoption Emails

This page includes a series of emails that we send to Bitwarden Enterprise and Teams admins and owners in order to help them increase adoption of their new password manager within their team. Feel free to read them all at once below, or grab them and adapt them to your team's needs.

### Enterprise

### Program intro

> [!NOTE] Email - Program 2, Email 1, Enterprise
> **Subject**: Tips to get your team to use Bitwarden
>
> **Body**:
>
> Hi *[name]*,
>
> Getting the right start with password management can lead to a successful deployment for employees.
>
> You'll soon receive a six-day plan to help increase user adoption of your new password manager among your colleagues.
>
> These brief, actionable emails will cover essential strategies including:
>
> 1. Appoint an implementation champion
> 2. Communicate your rollout plan
> 3. Explain the top benefits of a password manager
> 4. Use email templates for easy sharing
> 5.
Share get-started guides
>
> Also, remember that Bitwarden Enterprise plans include complimentary Families plans for personal use. Let your team know they can [redeem their free Bitwarden Families plan](https://bitwarden.com/learning/free-families-plan-for-enterprise/) to keep their data safe both at work and at home.
>
> You can use [this example email](https://bitwarden.com/resources/email-for-admin-to-users/) to share the free Families plan with your team.

### Appoint an implementation champion

> [!NOTE] Email - Program 2, Email 2, Enterprise & Teams
> **Subject**: Appoint an implementation champion
>
> **Body**:
>
> Hi *[name]*,
>
> A designated cybersecurity champion can accelerate password management adoption across your organization. This person will rally feedback, suggestions, and overall excitement for your new tool! By appointing an implementation champion, or even a bench of experts, you can ensure someone is always available to answer questions or provide guidance.
>
> Your implementation champion should be empowered to:
>
> - Host workshops or open office hours to review [Bitwarden Courses](https://bitwarden.com/help/courses/) material with users.
> - Help teams [set up collections](https://bitwarden.com/help/about-collections/#create-a-collection/) through use of a [member role](https://bitwarden.com/help/user-types-access-control/#member-roles/) such as manager or the custom role.
> - Assist users in downloading [Bitwarden clients](https://bitwarden.com/download/) to all their devices.
>
> An implementation champion can significantly increase user adoption, and will have your organization on the road to password security in no time!

### Communicate your rollout plan

> [!NOTE] Email - Program 2, Email 3, Enterprise & Teams
> **Subject**: Communicate your rollout plan
>
> **Body**:
>
> Hi *[name]*,
>
> Put end-users at ease by communicating the implementation plan for your new password manager far in advance.
>
> - Let employees know exactly what to expect.
> - Communicate specific action items they will need to complete, and the due date. This will help ensure a smooth rollout for your employees.
>
> Here's a [sample implementation plan](https://bitwarden.com/help/prepare-your-org-for-prod/) you can use as a guide - just download it and customize it to work for your organization.

### Tout the benefits of a password manager

> [!NOTE] Email - Program 2, Email 4, Enterprise & Teams
> **Subject**: Promote the top benefits
>
> **Body**:
>
> Hi *[name]*,
>
> Make sure the end-users understand the value and benefits a password manager will bring to their work.
>
> To get your team excited about Bitwarden, here are three primary benefits to share with everyone:
>
> 1. Easily access all your passwords anytime, anywhere, on any device.
> 2. Securely share credentials with others.
> 3. Streamline logging into your accounts with auto-fill.
>
> **Here are a few resources on the benefits of a password manager that you can send to employees**:
>
> - Share this [password strength testing tool](https://bitwarden.com/password-strength/) - let the gamification begin!
> - [Blog] [How a password manager adds productivity at the office](https://bitwarden.com/blog/how-a-password-manager-adds-to-productivity-at-the-office/)
> - [Blog] [A better password workflow with Bitwarden](https://bitwarden.com/blog/a-better-password-workflow-with-bitwarden/)
> - [Blog] [How to better manage your financial information in Bitwarden](https://bitwarden.com/blog/how-to-better-manage-your-financial-information-in-bitwarden/)
> - [Blog] [7 steps to create a secure (and private) profile online](https://bitwarden.com/blog/7-steps-to-create-a-secure-and-private-profile-online/)

### Templates to share on internal messaging systems

> [!NOTE] Email - Program 2, Email 5, Enterprise
> **Subject**: Use these templates for easy sharing
>
> **Body**:
>
> Hi *[name]*,
>
> Here are a few pre-written posts to share on your organization's internal messaging systems. These can help boost enthusiasm and adoption of your new password manager.
>
> ***Template 1: Get started with Bitwarden***
>
> ***Subject***: *Introducing Bitwarden password manager for company-wide deployment*
>
> ***Body***:
>
> *Hi team, we are happy to announce the company-wide deployment of Bitwarden Password Manager. Bitwarden is a respected, industry-leading company with a strong security record.*
>
> *You will find Bitwarden to be simple and easy to use.*
>
> *Here are three reasons we're excited to get you on Bitwarden:*
>
> 1. *Easily access all your passwords anytime, anywhere, on any device.*
> 2. *Securely share credentials with others.*
> 3. *Streamline logging into your accounts with auto-fill.*
>
> *You will receive an invite via email to join Bitwarden.*
>
> ***Template 2: Complimentary Bitwarden Families plan for all users***
>
> ***Subject***: *Your Bitwarden account comes with a free Families plan*
>
> ***Body***:
>
> *Dear [company] employees,*
>
> *We use Bitwarden for secure password management and sharing secure information across teams and the organization. Proper password management is an important part of our security strategy and we're happy that together we can practice secure password habits.*
>
> *We can now share password management with you and your family. Through our Bitwarden Enterprise subscription, every employee connected to our Bitwarden instance can redeem a complimentary Bitwarden Families plan using a personal email address and invite five additional family members to join. Every user on the Families plan will have access to secure password sharing and premium features, such as advanced two-step login, emergency access, encrypted file attachments, and more.*
>
> *We hope that every employee will take advantage of this opportunity to protect themselves and their families. Internet and password security is important both in the office and at home, and staying secure across our personal and work lives is a shared responsibility.*
>
> *A walkthrough from Bitwarden is available* [*here*](https://bitwarden.com/learning/free-families-plan-for-enterprise/)*.*
>
> *Thank you,*
>
> *[IT admin name, title]*

### Share detailed guides on how to get started

> [!NOTE] Email - Program 2, Email 6, Enterprise & Teams
> **Subject**: Make it easy to get started with these guides
>
> **Body**:
>
> Hi *[name]*,
>
> Put together an email, internal message, or document with a list of useful resources about Bitwarden onboarding.
Here's a quick template you can use:
>
> *Hi there,*
>
> *Here are three resources that will help you get started with your new password manager:*
>
> - *[Guide]* [*Get started with Bitwarden Password Manager*](https://bitwarden.com/learning/getting-started-password-manager/)
> - *[Guide]* [*Get started with Bitwarden as an individual user*](https://bitwarden.com/learning/getting-started-as-an-individual-user/)
> - *[Video series]* [*Password Manager 101*](https://bitwarden.com/learning/pm-101-getting-started-as-a-user/)
>
> *[Name] is the Bitwarden implementation champion, so feel free to reach out directly with any questions.*

### Teams

### Program intro

> [!NOTE] Email - Program 2, Email 1, Teams
> **Subject**: Tips to get your team to use Bitwarden
>
> **Body**:
>
> Hi *[name]*,
>
> Getting the right start with password management can lead to a successful deployment for employees.
>
> You'll soon receive a six-day plan to help increase user adoption of your new password manager among your colleagues.
>
> These brief, actionable emails will cover essential strategies including:
>
> 1. Appoint an implementation champion
> 2. Communicate your rollout plan
> 3. Explain the top benefits of a password manager
> 4. Share get-started guides
> 5. Use email templates for easy sharing
>
> Be on the lookout for the adoption program coming your way shortly.

### Appoint an implementation champion

> [!NOTE] Email - Program 2, Email 2, Enterprise & Teams
> **Subject**: Appoint an implementation champion
>
> **Body**:
>
> Hi *[name]*,
>
> A designated cybersecurity champion can accelerate password management adoption across your organization. This person will rally feedback, suggestions, and overall excitement for your new tool! By appointing an implementation champion, or even a bench of experts, you can ensure someone is always available to answer questions or provide guidance.
>
> Your implementation champion should be empowered to:
>
> - Host workshops or open office hours to review [Bitwarden Courses](https://bitwarden.com/help/courses/) material with users.
> - Help teams [set up collections](https://bitwarden.com/help/about-collections/#create-a-collection/) through use of a [member role](https://bitwarden.com/help/user-types-access-control/#member-roles/) such as manager or the custom role.
> - Assist users in downloading [Bitwarden clients](https://bitwarden.com/download/) to all their devices.
>
> An implementation champion can significantly increase user adoption, and will have your organization on the road to password security in no time!

### Communicate your rollout plan

> [!NOTE] Email - Program 2, Email 3, Enterprise & Teams
> **Subject**: Communicate your rollout plan
>
> **Body**:
>
> Hi *[name]*,
>
> Put end-users at ease by communicating the implementation plan for your new password manager far in advance.
>
> - Let employees know exactly what to expect.
> - Communicate specific action items they will need to complete, and the due date. This will help ensure a smooth rollout for your employees.
>
> Here's a [sample implementation plan](https://bitwarden.com/help/prepare-your-org-for-prod/) you can use as a guide - just download it and customize it to work for your organization.

### Tout the benefits of a password manager

> [!NOTE] Email - Program 2, Email 4, Enterprise & Teams
> **Subject**: Promote the top benefits
>
> **Body**:
>
> Hi *[name]*,
>
> Make sure the end-users understand the value and benefits a password manager will bring to their work.
>
> To get your team excited about Bitwarden, here are three primary benefits to share with everyone:
>
> 1. Easily access all your passwords anytime, anywhere, on any device.
> 2. Securely share credentials with others.
> 3. Streamline logging into your accounts with auto-fill.
>
> **Here are a few resources on the benefits of a password manager that you can send to employees**:
>
> - Share this [password strength testing tool](https://bitwarden.com/password-strength/) - let the gamification begin!
> - [Blog] [How a password manager adds productivity at the office](https://bitwarden.com/blog/how-a-password-manager-adds-to-productivity-at-the-office/)
> - [Blog] [A better password workflow with Bitwarden](https://bitwarden.com/blog/a-better-password-workflow-with-bitwarden/)
> - [Blog] [How to better manage your financial information in Bitwarden](https://bitwarden.com/blog/how-to-better-manage-your-financial-information-in-bitwarden/)
> - [Blog] [7 steps to create a secure (and private) profile online](https://bitwarden.com/blog/7-steps-to-create-a-secure-and-private-profile-online/)

### Templates to share on internal messaging systems

> [!NOTE] Email - Program 2, Email 5, Teams
> **Subject**: Use this template for easy sharing
>
> **Body**:
>
> Hi *[name]*,
>
> Here is a pre-written post to share on your organization’s internal messaging systems and let employees know that you’re moving to Bitwarden. This post can help boost enthusiasm and adoption of your new password manager.
>
> ***Template: Get started with Bitwarden***
>
> ***Subject***: *Introducing Bitwarden password manager for company-wide deployment*
>
> ***Body***:
>
> *Hi team, we are happy to announce the company-wide deployment of Bitwarden Password Manager. Bitwarden is a respected, industry-leading company with a strong security record.*
>
> *You will find Bitwarden to be simple and easy to use.*
>
> *Here are three reasons we're excited to get you on Bitwarden:*
>
> 1. *Easily access all your passwords anytime, anywhere, on any device.*
> 2. *Securely share credentials with others.*
> 3. *Streamline logging into your accounts with auto-fill.*
>
> *You will receive an invite via email to join Bitwarden.*

### Share detailed guides on how to get started

> [!NOTE] Email - Program 2, Email 6, Enterprise & Teams
> **Subject**: Make it easy to get started with these guides
>
> **Body**:
>
> Hi *[name]*,
>
> Put together an email, internal message, or document with a list of useful resources about Bitwarden onboarding. Here's a quick template you can use:
>
> *Hi there,*
>
> *Here are three resources that will help you get started with your new password manager:*
>
> - *[Guide]* [*Get started with Bitwarden Password Manager*](https://bitwarden.com/learning/getting-started-password-manager/)
> - *[Guide]* [*Get started with Bitwarden as an individual user*](https://bitwarden.com/learning/getting-started-as-an-individual-user/)
> - *[Video series]* [*Password Manager 101*](https://bitwarden.com/learning/pm-101-getting-started-as-a-user/)
>
> *[Name] is the Bitwarden implementation champion, so feel free to reach out directly with any questions.*

--- URL: https://bitwarden.com/help/end-user-onboarding-emails/ ---

# End User Onboarding Emails

This article includes the onboarding emails sent to new Bitwarden Enterprise and Teams users from **care@bitwarden.com**. Read them all at once below, or copy/paste and adapt them to your team's needs.

## Get started: Install the Bitwarden browser extension (1/5)

> [!NOTE] Example: User email 1
> **Subject**: Get started: Install the Bitwarden browser extension (1/5)
>
> **Body**:
>
> Hi there,
>
> Your organization is using Bitwarden to secure passwords and other sensitive data. You will receive five emails with tips on how to get started.
>
> Today's stop is to head over to the [download page](https://bitwarden.com/download/#downloads-web-browser/) and install the Bitwarden extension on your favorite browser.
> > ![Download the browser extension](https://bitwarden.com/assets/7kZTVY6b76BSZqzPp8Cl3o/a486ba616fef768f0835d1d779d2f2b9/email1.png) > > The rest of your onboarding checklist: > > - [**Download the browser extension**](https://bitwarden.com/download/#downloads-web-browser/) > - [Add logins and passwords to your account](https://bitwarden.com/help/getting-started-webvault/#add-a-login/) > - [Learn how to autofill](https://bitwarden.com/help/auto-fill-browser/) > - [Learn how to share items with collections](https://bitwarden.com/learning/individual-and-organizational-vaults/) > > Stay secure, > > Team Bitwarden ## Add passwords and usernames to Bitwarden (2/5) > [!NOTE] Example: User email 2 > **Subject**: Add passwords and usernames to Bitwarden (2/5) > > **Body**: > > Hi there, > > Do you have passwords saved in a browser, like Chrome? Or are you coming to Bitwarden from another password manager? You can [import logins directly to Bitwarden](https://bitwarden.com/help/import-data/) to avoid copy-and-pasting. > > Another way is to directly [add items into your vault](https://bitwarden.com/help/getting-started-webvault/#first-steps/). 
> > ![Add an item](https://bitwarden.com/assets/2SLEEUhriP0KyLlGssGlC4/3aca88e134bf79dc4c55e8df5f249ec6/email2.gif) > > The rest of your onboarding checklist: > > - ✓ [Download the browser extension](https://bitwarden.com/download/#downloads-web-browser/) > - [**Add logins and passwords to your account**](https://bitwarden.com/help/getting-started-webvault/#add-a-login/) > - [Learn how to autofill](https://bitwarden.com/help/auto-fill-browser/) > - [Learn how to share items with collections](https://bitwarden.com/learning/individual-and-organizational-vaults/) > > Stay secure, > > Team Bitwarden ## Autofill is auto-AMAZING (3/5) > [!NOTE] Example: User email 3 > **Subject**: Autofill is auto-AMAZING (3/5) > > **Body**: > > Hi there, > > Now that you've [installed the browser extension](https://bitwarden.com/download/#downloads-web-browser/) and added a few items to your vault, learn how to autofill for one-click logins! > > Today's task is to get acquainted with the [autofill feature](https://bitwarden.com/help/auto-fill-browser/). Here's what it looks like: > > ![Autofill](https://bitwarden.com/assets/6ZkegsfKZ2OhVizNrXQ4zA/475d853b525c096ed33ac326cc7b2b64/email3.png) > > Head over to Help for [instructions](https://bitwarden.com/help/auto-fill-browser/). 
> > The rest of your onboarding checklist: > > - ✓ [Download the browser extension](https://bitwarden.com/download/#downloads-web-browser/) > - ✓ [Add logins and passwords to your account](https://bitwarden.com/help/getting-started-webvault/#add-a-login/) > - [**Learn how to autofill**](https://bitwarden.com/help/auto-fill-browser/) > - [Learn how to share items with collections](https://bitwarden.com/learning/individual-and-organizational-vaults/) > > Stay secure, > > Team Bitwarden ## Understand the power of collections (4/5) > [!NOTE] Example: User email 4 > **Subject**: Understand the power of collections (4/5) > > **Body**: > > Hi there, > > Share items and logins with team members using collections, which are like shared folders to which you can assign access for other members or groups - they allow you to share items between yourself and your team members. Today, [share a login](https://bitwarden.com/help/sharing/) with your team by adding it to a [shared collection](https://bitwarden.com/help/about-collections/). > > ![Share](https://bitwarden.com/assets/4LhwocsJ5hpLsU4lPguSUV/b84e87bdbc1b3b9c85ffd2ff2fc81e35/email4.gif) > > The rest of your onboarding checklist: > > - ✓ [Download the browser extension](https://bitwarden.com/download/#downloads-web-browser/) > - ✓ [Add logins and passwords to your account](https://bitwarden.com/help/getting-started-webvault/#add-a-login/) > - ✓ [Learn how to autofill](https://bitwarden.com/help/auto-fill-browser/) > - [**Learn how to share items with collections**](https://bitwarden.com/learning/individual-and-organizational-vaults/) > > Stay secure, > > Team Bitwarden ## More security goodness to come! (5/5) > [!NOTE] Example: User email 5 > **Subject**: More security goodness to come! 
(5/5) > > **Body**: > > Hi there, > > Here's a review of your onboarding accomplishments: > > - ✓ [Download the browser extension](https://bitwarden.com/download/#downloads-web-browser/) > - ✓ [Add logins and passwords to your account](https://bitwarden.com/help/getting-started-webvault/#add-a-login/) > - ✓ [Learn how to autofill](https://bitwarden.com/help/auto-fill-browser/) > - ✓ [Learn how to share items with collections](https://bitwarden.com/learning/individual-and-organizational-vaults/) > > What's next? > > - Check in with your colleagues and see if they completed onboarding. If not, will you lend a hand? > - Expect product updates, newsletters, and security tips to land in your email soon. > - Become your team's Bitwarden expert - the [Learning Center](https://bitwarden.com/help/learning-center/) has everything you need. > - Stay in touch with Bitwarden on social media (links to find Bitwarden below). > > Stay secure, > > Team Bitwarden > > [X](https://twitter.com/Bitwarden), [Reddit](https://www.reddit.com/r/Bitwarden/), [Community](https://community.bitwarden.com/), [GitHub](https://github.com/bitwarden/), [YouTube](https://www.youtube.com/bitwarden), [LinkedIn](https://www.linkedin.com/company/bitwarden1/) --- URL: https://bitwarden.com/help/enterprise-feature-list/ --- # Bitwarden for Enterprise Features Datasheet This document describes and references the features available to [Bitwarden Enterprise Organizations](https://bitwarden.com/products/business/) in several categories: #### Application Range and Ease-of-use | Enterprise Features | Description | |------|------| | Deployment Options | Cloud, Private Cloud, and Self-hosted. | | Web Application | Fully encrypted cloud web app at [https://vault.bitwarden.com](https://vault.bitwarden.com/), or on your self-hosted server | | Mobile Apps (with Mobile Login Controls) | Available for iOS and Android. [Learn more](https://bitwarden.com/help/getting-started-mobile/). 
| | Browser Extensions | Available for Chrome, Firefox, Opera, Edge, Vivaldi, Brave, Tor, and Safari. [Learn more](https://bitwarden.com/help/getting-started-browserext/). | | Desktop Applications | Available for Windows, Mac, and Linux. [Learn more](https://bitwarden.com/help/directory-sync-desktop/). | | Command-line Interface | Available for Windows, Mac, and Linux. [Learn More](https://bitwarden.com/help/cli/). | #### Administrative Features and Capabilities | Enterprise Features | Description | |------|------| | Simple user management | Add or remove seats and onboard or offboard users directly from the Web Vault. [Learn more](https://bitwarden.com/help/managing-users/). | | Role based access control | Assign role-based access for Organization users, including a custom role and granular permissions (e.g. Hide Passwords, Read-Only). [Learn more](https://bitwarden.com/help/user-types-access-control/). | | Directory sync | Synchronize your Bitwarden Organization with your existing user directory. Provision and deprovision users, groups, and group associations. [Learn more](https://bitwarden.com/help/directory-sync/). | | SCIM support | Use the SCIM protocol to manage and provision Bitwarden users, groups, and group associations from your Identity Provider or directory service for easy onboarding and employee succession. [Learn more](https://bitwarden.com/help/about-scim/). | | Account recovery administration | Designated administrators can reset Master Password of end-user accounts if an employee loses or forgets their Master Password. [Learn more](https://bitwarden.com/help/admin-reset/). | | Collections with curated access | Create an unlimited amount of password collections containing an unlimited amount of passwords. Collections can be assigned to groups or individual users. [Learn more](https://bitwarden.com/help/about-collections/). | | Enterprise policies | Enforce security rules for all users, for example mandating use of Two-step Login. 
[Learn more](https://bitwarden.com/help/policies/). | | Temporary password sharing and generation | Create and share ephemeral data using Bitwarden Send. [Learn more](https://bitwarden.com/help/about-send/). | | Complimentary Families plan for users | All enterprise users receive a complimentary family plan for personal use to practice good security habits outside of the workplace. [Learn more](https://bitwarden.com/help/families-for-enterprise/). | #### Reporting | Enterprise Features | Description | |------|------| | Vault health reports | Run reports for Exposed Passwords, Reused Passwords, Weak Passwords, and more. [Learn more](https://bitwarden.com/help/reports/). | | Data breach reports | Run reports for data compromised in known breaches (e.g. Email Addresses, Passwords, Credit Cards, DoB, etc.). [Learn more](https://bitwarden.com/help/reports/). | | Event logs | Get time stamped records of events that occur within your Organization Vault for easy use in the Web Vault or ingestion by other systems. [Learn more](https://bitwarden.com/help/event-logs/). | #### Authentication | Enterprise Features | Description | |------|------| | 2FA for individuals | A robust set of 2FA options for any Bitwarden user. [Learn more](https://bitwarden.com/help/setup-two-step-login/). | | 2FA at organization-level | Enable 2FA via Duo for your entire Organization. [Learn more](https://bitwarden.com/help/setup-two-step-login-duo/). | | Biometric authentication | Available for: -Android (fingerprint unlock or face unlock) and iOS (Touch ID and Face ID) -Windows Desktop Apps (Windows Hello using PIN, Facial Recognition, and more) and macOS Desktop Apps (Touch ID) -Chromium-based browsers, Firefox 87+, and Safari Browser Extensions [Learn more](https://bitwarden.com/help/biometrics/). 
| | SSO with trusted devices | SSO with trusted devices allows users to authenticate using SSO and decrypt their vault using a device-stored encryption key, eliminating the need to enter a master password. [Learn more.](https://bitwarden.com/help/about-trusted-devices/) | | Login with SSO | Leverage your existing Identity Provider to authenticate your Bitwarden Organization users via SAML 2.0 or OpenID Connect (OIDC). [Learn more](https://bitwarden.com/help/about-sso/). Using Login with SSO, you can use one of two decryption options to determine how users decrypt Vault data once authenticated. [Learn more](https://bitwarden.com/help/sso-decryption-options/). | | SSO with customer managed encryption | Employees use their SSO credentials to authenticate and decrypt all in a single step. This option shifts retention of the users master passwords to companies requiring the business to deploy a key connector to store the user keys. [Learn more. ](https://bitwarden.com/help/about-key-connector/) | #### Security | Enterprise Features | Description | |------|------| | Secure storage for Logins, Notes, Cards, and Identities | Bitwarden [Vault items](https://bitwarden.com/help/managing-items/) are encrypted before being stored anywhere. [Learn more](https://bitwarden.com/help/what-encryption-is-used/). | | Zero knowledge encryption | All Vault data is end-to-end encrypted. [Learn more](https://bitwarden.com/blog/bitwarden-network-security-assessment-2020/). | | Secure username and password Generator | Generate secure, random, and unique credentials for every Vault item. Available on web and in-app. [Learn more](https://bitwarden.com/help/generator/). | | Encrypted export | Download encrypted exports for secure storage of Vault data backups. [Learn more](https://bitwarden.com/help/encrypted-export/). 
| | Biometric authentication | Available for: -Android (fingerprint unlock or face unlock) and iOS (Touch ID and Face ID) -Windows Desktop Apps (Windows Hello using PIN, Facial Recognition, and more) and macOS Desktop Apps (Touch ID) -Chromium-based browsers, Firefox 87+, and Safari Browser Extensions [Learn more](https://bitwarden.com/help/biometrics/). | | Emergency access | Users can designate and manage trusted emergency contacts, who may request access to their Vault in case of emergency. [Learn more](https://bitwarden.com/help/emergency-access/). | | Account fingerprint phrase | Security measure that uniquely and securely identifies a Bitwarden user account when encryption-related or onboarding operations are performed. [Learn more](https://bitwarden.com/help/fingerprint-phrase/). | | Subprocessors | See our full list of subprocessors: [Bitwarden Subprocessors](https://bitwarden.com/help/subprocessors/). | #### Compliance, Audits, Certifications | Enterprise Features | Description | |------|------| | SOC 2 Type II and SOC 3 | [Read about our SOC Certifications](https://bitwarden.com/blog/bitwarden-achieves-soc-2-certification/). | | Security and compliance assessments | Bitwarden invests in annual third party audits, security assessments, and other compliance standards. All reports are available on the [Bitwarden compliance page](https://bitwarden.com/compliance/). | | GDPR, CCPA, & HIPAA | [Read about our compliance with various privacy frameworks](https://bitwarden.com/compliance/). | | White-box testing | Performed by unit tests and QA engineers. | | Black-box testing | Performed via automation and manual testing. | | Bug Bounty Program | Conducted through HackerOne. [Learn more](https://hackerone.com/bitwarden/?type=team). | #### APIs and Extensibility | Enterprise Features | Description | |------|------| | Programmatically accessible | Public and Private APIs for Organizations. [Learn more](https://bitwarden.com/help/public-api/). 
|
| Command line interface | Fully featured and self-documented command-line tool. [Learn more](https://bitwarden.com/help/cli/). |
| Extensibility support | Automate workflows by combining API and CLI. |

#### Resiliency

| Enterprise Features | Description |
|------|------|
| Local cache & offline access | [Learn more](https://bitwarden.com/help/security-faqs/). |

--- URL: https://bitwarden.com/help/enterprise-free-trial/ ---

# Start an Enterprise Trial

## New to Bitwarden?

If you are new to Bitwarden, we would love to help you through the process of setting up an account and starting your 7-day free trial Enterprise organization with our dedicated signup page.

[Start your Enterprise free trial](https://bitwarden.com/go/start-enterprise-trial/).

Or, to learn more about the [Bitwarden enterprise offering](https://bitwarden.com/products/business/), see [Bitwarden Plans and Pricing](https://bitwarden.com/pricing/business/) or [Password Manager Plans](https://bitwarden.com/help/password-manager-plans/#enterprise-organizations/) and [Secrets Manager Plans](https://bitwarden.com/help/secrets-manager-plans/).

## Already a user?

If you already have a Bitwarden account, complete the following steps to start your 7-day free trial of Bitwarden Enterprise:

1. Log in to the Bitwarden web app and select the **New organization** button:

   ![New organization](https://bitwarden.com/assets/3eSqWiTIuPSFxXdo5AAjT9/248b0fa7bb381add0d71682acd244a63/2024-12-03_13-57-58.png)
2. On the **New organization** screen, enter an **Organization name** for your new organization and the **Billing email** we can reach you at.

   > [!NOTE] Seven day trial charge
   > We won't charge you until your 7 day free trial of the Enterprise plan is over. You can cancel your subscription at any time in the **Settings** tab of your organization.
3. If you are trialing the Enterprise plan on behalf of a business:
   - Check the **This account is owned by a business** checkbox.
   - Provide your **Business name**.
4. Select the **Enterprise** plan option. Doing so will trigger additional enterprise-oriented fields to be displayed.
5. In the **Users** section, enter the number of **User seats** you need. Seats will be added if you exceed this number, unless you [specify a limit](https://bitwarden.com/help/managing-users/#set-a-seat-limit/).
6. In the **Addons** section, enter the amount of **Additional storage (GB)** you need. Your plan comes with 1 GB of shared encrypted file attachments, and you can add additional storage later if required.
7. In the **Summary** section, select whether you'd like to be billed **Annually** or **Monthly**.

   > [!TIP] Activate SM during org creation
   > If you want to use [Secrets Manager](https://bitwarden.com/help/secrets-manager-overview/), complete the following steps to add it to your plan:
   >
   > 1. In the More from Bitwarden section, select the **Add Secrets Manager** checkbox.
   > 2. In the **User seats** field, specify the number of seats to purchase for Secrets Manager. This must be lower than or equal to the number of seats specified for your Password Manager subscription.
   > 3. In the **Additional service accounts** field, specify the number of service accounts to add to Secrets Manager. Teams and Enterprise plans come pre-packaged with 50 and 200 service accounts, respectively.
8. Enter your **Payment information** and select **Submit**.

### Next steps

Now that you have created your trial Enterprise organization, we recommend that you:

- [Add users to your organization](https://bitwarden.com/help/managing-users/)
- [Create a collection](https://bitwarden.com/help/about-collections/)
- Set up [login with SSO](https://bitwarden.com/help/about-sso/)
- See [self-hosting an organization](https://bitwarden.com/help/self-host-an-organization/)

--- URL: https://bitwarden.com/help/environment-variables/ ---

# Environment Variables

Some features of Bitwarden are not configured by the `bitwarden.sh` installer.
Configure these settings by editing the environment file, located at `./bwdata/env/global.override.env`. This `.env` file comes pre-baked with configurable variables (see [Included variables](https://bitwarden.com/help/environment-variables/#included-variables/)), however there are additional variables which can be manually added (see [Optional variables](https://bitwarden.com/help/environment-variables/#optional-variables/)).

**Whenever you make changes to** `global.override.env`**, perform a** `./bitwarden.sh restart` **to apply your changes.**

> [!NOTE]
> This article will not define every environment variable, instead focusing on those used or configured by most installations.

## Included variables

The following variables are among those that already exist in `global.override.env`:

| **Variable** | **Description** |
|------|------|
| `globalSettings__baseServiceUri__vault=` | Enter the domain of your Bitwarden instance. If not configured, domain will default to localhost. Must not include a trailing slash. |
| `globalSettings__sqlServer__connectionString=` | Use this field to [connect to an external MSSQL database](https://bitwarden.com/help/external-db/). |
| `globalSettings__oidcIdentityClientKey=` | A randomly generated OpenID Connect client key. For more information, see [OpenID Documentation](https://openid.net/specs/openid-connect-registration-1_0.html#RegistrationResponse). |
| `globalSettings__duo__aKey=` | A randomly generated Duo akey. For more information, see [Duo's Documentation](https://duo.com/docs/duoweb-v2#1.-generate-an-akey). |
| `globalSettings__yubico__clientId=` | Client ID for YubiCloud Validation Service or self-hosted Yubico Validation Server. If YubiCloud, get your client ID and secret key [here](https://upgrade.yubico.com/getapikey/). If self-hosted, see optional variable `globalSettings__yubico__validationUrls`. |
| `globalSettings__yubico__key=` | Secret Key for YubiCloud Validation Service or self-hosted Yubico Validation Server. If YubiCloud, get your client ID and secret key [here](https://upgrade.yubico.com/getapikey/). If self-hosted, see optional variable `globalSettings__yubico__validationUrls`. |
| `globalSettings__mail__replyToEmail=` | Email address used for invitations, typically `no_reply@smtp__host`. |
| `globalSettings__mail__smtp__host=` | Your SMTP server hostname (recommended) or IP address. |
| `globalSettings__mail__smtp__port=` | The SMTP port used by the SMTP server. |
| `globalSettings__mail__smtp__ssl=` | (Boolean) Whether your SMTP server uses an encryption protocol: `true` = SSL, `false` = TLS |
| `globalSettings__mail__smtp__username=` | A valid username for the `smtp__host`. |
| `globalSettings__mail__smtp__password=` | A valid password for the `smtp__host`. Dollar sign `$` characters are not supported in SMTP passwords. |
| `globalSettings__disableUserRegistration=` | Specify `true` to disable new users signing up for an account on this instance via the registration page. |
| `globalSettings__hibpApiKey=` | Your HaveIBeenPwned (HIBP) API Key, available [here](https://haveibeenpwned.com/API/Key). This key allows users to run the [Data Breach report](https://bitwarden.com/help/reports/#data-breach-report-individual-vaults-only/) and to check their master password for presence in breaches when they create an account. |
| `adminSettings__admins=` | Email addresses which may access the [System Administrator Portal](https://bitwarden.com/help/system-administrator-portal/). |

## Optional variables

The following variables do not already exist in `global.override.env`, and can be manually added:

| Variable | Description |
|------|------|
| `globalSettings__logDirectory=` | Specifies the directory to save container log file output to. By default, `globalSettings__logDirectory=bwdata/logs`. |
| `globalSettings__logRollBySizeLimit=` | Specify the size limit in bytes to use for container log files (for example, `globalSettings__logRollBySizeLimit=1073741824`). |
| `globalSettings__syslog__destination=` | Specify a syslog server or endpoint to send container log output to (for example, `globalSettings__syslog__destination=udp://example.com:514`). |
| `globalSettings__mail__smtp__trustServer=` | Specify `true` to explicitly trust the certificate presented by the SMTP server (**not recommended for production**). |
| `globalSettings__mail__smtp__sslOverride=` | Specify `true` to use SSL (not TLS) on port 25. |
| `globalSettings__mail__smtp__startTls=` | Specify `true` to force STARTTLS (Opportunistic TLS). |
| `globalSettings__organizationInviteExpirationHours=` | Specify the number of hours after which an organization invite will expire (`120` by default). |
| `globalSettings__yubico__validationUrls__0=` | Primary URL for self-hosted Yubico Validation Server. For example: `=https://your.url.com/wsapi/2.0/verify` Add additional validation server URLs by creating incremented environment variables, for example `globalSettings__yubico__validationUrls__1=`, `globalSettings__yubico__validationUrls__2=` |
| `globalSettings__enableCloudCommunication=` | Set to `true` to allow communication between your server and our cloud system. Doing so [enables billing and license sync](https://bitwarden.com/help/self-host-an-organization/#step-4-setup-billing-and-license-sync/). |
| `adminSettings__deleteTrashDaysAgo=` | Specify the number of days after which to permanently delete items from the trash. By default, `adminSettings__deleteTrashDaysAgo=30`. |
| `globalSettings__sso__enforceSsoPolicyForAllUsers=` | Specify `true` to enforce the [Require SSO authentication](https://bitwarden.com/help/policies/#require-single-sign-on-authentication/) policy for owner and admin roles. |
| `globalSettings__baseServiceUri__cloudRegion=` | Specify `US` or `EU` to designate [which cloud server](https://bitwarden.com/help/server-geographies/) your self-hosted server should hyperlink to. If you're using EU, you'll also need to set up a few other variables as documented [here](https://bitwarden.com/help/server-geographies/#connect-your-self-hosted-server/). |
| `globalSettings__sqlServer__DisableDatabaseMaintenanceJobs=` | Specify `true` to skip application-side maintenance of the statistics and index rebuild tasks in the database. These tasks require elevated MSSQL privileges and should be reconfigured to run as a database user if this value is set to `true`. [Learn more](https://bitwarden.com/help/database-options/). |
| `globalSettings__sqlServer__SkipDatabasePreparation=` | Specify `true` to skip application-side database preparation. If not specified, database preparation checks on installation whether a database with the name specified in `globalSettings__sqlServer__connectionString=` exists and, if not, creates one. This task requires elevated MSSQL privileges and, if this value is set to `true`, the named database must exist before initiating installation. [Learn more](https://bitwarden.com/help/database-options/). |

### Refresh token variables

Refresh token variables allow you to change the timeout of tokens. Administrators can use these values, for example, to require users to log in every day. Use the following variables to configure the handling of refresh tokens by your server:

| Variable | Description |
|------|------|
| `globalSettings__IdentityServer__ApplyAbsoluteExpirationOnRefreshToken=` | Specify `true` to use **only** a specified absolute lifetime for refresh tokens and ignore expiration sliding based on usage. When true, only `__AbsoluteRefreshTokenLifetimeSeconds=` will be considered to determine behavior. Specify `false` to allow refresh token expiration to slide (i.e. extend validity for a specified period of time) when they're used. When `false`, both of the following options will be considered to determine behavior. |
| `globalSettings__IdentityServer__AbsoluteRefreshTokenLifetimeSeconds=` | Specify an integer. Refresh tokens will expire after the absolute lifetime of that integer in seconds, regardless of whether sliding is allowed or not. This variable may only be `0` if `__ApplyAbsoluteExpirationOnRefreshToken=true`, in which case refresh tokens are always rejected. |
| `globalSettings__IdentityServer__SlidingRefreshTokenLifetimeSeconds=` | Specify an integer greater than `0`. Refresh tokens will extend their validity upon use by that integer, in seconds. Refresh tokens will always expire after their configured absolute lifetime, regardless of what's set here. |

--- URL: https://bitwarden.com/help/event-logs/ ---

# Event Logs

Event logs are timestamped records of events that occur within your Teams or Enterprise organization. To access event logs:

1. Log in to the Bitwarden web app and open the Admin Console using the product switcher:

   ![Product switcher](https://bitwarden.com/assets/2uxBDdQa6lu0IgIEfcwMPP/e3de3361749b6496155e25edcfdcf08b/2024-12-02_11-19-56.png)
2. Select **Reporting** → **Event logs** from the navigation:

   ![Event logs](https://bitwarden.com/assets/2s5YQ3tIUHHI0UpTVXmUsJ/f0dfaf1d5b4f2cafa070238f435cdd8e/2024-12-04_09-48-02.png)

Event logs are exportable, accessible from the `/events` endpoint of the [Bitwarden Public API](https://bitwarden.com/help/public-api/), and are retained indefinitely, however only 367 days worth of data may be viewed at a time (as dictated by the range selectors).

Events are captured at both the Bitwarden client and server, with most events occurring at the client. While server event capture is instantaneous and quickly processed, clients push event data to the server every 60 seconds, so you may observe small delays in the reporting of recent events.

Furthermore, client event data is communicated via an API call, and this is retried until success. As a result, if the client cannot communicate with the API or is somehow modified to not send events, they will not be received and therefore will not be processed.
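A detection pass over event records exported or pulled from the `/events` endpoint, keyed on the type codes in the events list on this page. This is an added example, not Bitwarden's code: the record field names (`type`, `date`, `actingUserId`, `itemId`, `ipAddress`), the thresholds, and the choice of which codes count as high-risk are assumptions, and the sample records are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Type codes as listed under "Events list" on this page.
LOGGED_IN = 1000
FAILED_LOGIN = {1005, 1006}  # incorrect password / incorrect two-step login
SECRET_READ = {1108, 1109, 1110, 1111, 1112, 1113, 1117}  # viewed or copied secrets
# Treating these codes as high-risk is this example's assumption, not Bitwarden guidance.
HIGH_RISK = {
    1003: "Disabled two-step login",
    1007: "User exported their individual vault items",
    1508: "Master Password reset",
    1601: "Purged organization vault",
    1602: "Exported organization vault",
    1605: "Organization disabled SSO",
    1700: "Modified policy",
}


def parse_ts(value):
    """Parse an ISO 8601 timestamp, tolerating a trailing 'Z' on Python < 3.11."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def triage(events, fail_threshold=5, fail_window=timedelta(minutes=10),
           read_threshold=10, read_window=timedelta(minutes=5)):
    """Return (kind, user, type_code, detail) findings in event-time order."""
    findings = []
    fails = defaultdict(deque)   # user -> timestamps of recent failed logins
    reads = defaultdict(deque)   # user -> (timestamp, itemId) of recent secret reads
    burst_last = {}              # user -> time of latest failure in a reported burst
    read_reported = set()        # users already reported for bulk reads
    # Clients batch events, so arrival order is not event order: sort by date.
    for ev in sorted(events, key=lambda e: parse_ts(e["date"])):
        ts, code, user = parse_ts(ev["date"]), ev["type"], ev.get("actingUserId")
        if code in HIGH_RISK:
            findings.append(("high-risk", user, code, HIGH_RISK[code]))
        elif code in FAILED_LOGIN:
            q = fails[user]
            q.append(ts)
            while ts - q[0] > fail_window:
                q.popleft()
            if len(q) >= fail_threshold:
                if user not in burst_last:
                    findings.append(("failed-login-burst", user, code,
                                     f"{len(q)} failures within {fail_window}"))
                burst_last[user] = ts
        elif code == LOGGED_IN and user in burst_last:
            # A success shortly after a burst deserves a closer look.
            if ts - burst_last.pop(user) <= fail_window:
                findings.append(("login-after-burst", user, code,
                                 f"from {ev.get('ipAddress')}"))
        elif code in SECRET_READ:
            q = reads[user]
            q.append((ts, ev.get("itemId")))
            while ts - q[0][0] > read_window:
                q.popleft()
            items = {item for _, item in q}
            if len(items) >= read_threshold and user not in read_reported:
                read_reported.add(user)
                findings.append(("bulk-secret-read", user, code,
                                 f"{len(items)} items within {read_window}"))
    return findings


def sample_events():
    """Constructed records for the example; identifiers and IPs are made up."""
    base = datetime(2024, 1, 1, 9, 0, 0)

    def ev(offset_s, code, user, item=None, ip="198.51.100.10"):
        stamp = (base + timedelta(seconds=offset_s)).isoformat() + "Z"
        return {"type": code, "date": stamp, "actingUserId": user,
                "itemId": item, "ipAddress": ip}

    bad_ip = "203.0.113.7"
    events = [ev(1800, 1605, "u-carol")]              # deliberately out of order
    events += [ev(420, 1007, "u-alice", ip=bad_ip)]
    events += [ev(20 * i, 1005, "u-alice", ip=bad_ip) for i in range(4)]
    events += [ev(80, 1006, "u-alice", ip=bad_ip)]
    events += [ev(180, LOGGED_IN, "u-alice", ip=bad_ip)]
    events += [ev(240 + 10 * i, 1108 if i % 2 == 0 else 1111, "u-alice",
                  f"item-{i:02d}", bad_ip) for i in range(12)]
    events += [ev(-600, LOGGED_IN, "u-bob"), ev(-540, 1107, "u-bob", "item-90"),
               ev(-510, 1108, "u-bob", "item-90")]    # ordinary use, not flagged
    return events


if __name__ == "__main__":
    for finding in triage(sample_events()):
        print(finding)
```

Because client events arrive in batches and may never arrive at all, the absence of item events for a user is not evidence that no items were accessed.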
## Inspect events

On the **Event logs** view in the web app, selecting a pink resource identifier (e.g. `1e685004`) will do two things:

1. Open a dialog box with a list of events associated with that resource. For example, selecting an item's identifier will open a list of times the item has been edited, viewed, etc., including which member took each action.
2. Navigate to a view where you can access the resource. For example, selecting a member's identifier from **Event logs** will take you to the **Members** view and automatically filter the list down to that member.

## Events list

Event logs record over 60 different types of events. The event logs screen captures a **Timestamp** for the event, client app information including application type and IP (accessed by hovering over the **Client** column's value or the client icon), the **User** connected to the event, and an **Event** description.

> [!NOTE] Event capture
> Each **Event** is associated with a type code (`1000`, `1001`, etc.) that identifies the action captured by the event. Type codes are used by the [Bitwarden Public API](https://bitwarden.com/help/public-api/) to identify the action documented by an event.

All event types are listed below, with their corresponding type codes:

### User events

- Logged In. (`1000`)
- Changed account password. (`1001`)
- Enabled/updated two-step login. (`1002`)
- Disabled two-step login. (`1003`)
- Recovered account from two-step login. (`1004`)
- Login attempt failed with incorrect password. (`1005`)
- Login attempt failed with incorrect two-step login. (`1006`)
- User exported their individual vault items. (`1007`)
- User updated a password issued through [account recovery](https://bitwarden.com/help/account-recovery/). (`1008`)
- User migrated their decryption key with [Key Connector](https://bitwarden.com/help/about-key-connector/). (`1009`)
- User requested [device approval](https://bitwarden.com/help/approve-a-trusted-device/). (`1010`)

### Item events

- Created item `item-identifier`. (`1100`)
- Edited item `item-identifier`. (`1101`)
- Permanently Deleted item `item-identifier`. (`1102`)
- Created attachment for item `item-identifier`. (`1103`)
- Deleted attachment for item `item-identifier`. (`1104`)
- Moved item `item-identifier` to an organization. (`1105`)
- Edited collections for item `item-identifier`. (`1106`)
- Viewed item `item-identifier`. (`1107`)
- Viewed password for item `item-identifier`. (`1108`)
- Viewed hidden field for item `item-identifier`. (`1109`)
- Viewed security code for item `item-identifier`. (`1110`)
- Copied password for item `item-identifier`. (`1111`)
- Copied hidden field for item `item-identifier`. (`1112`)
- Copied security code for item `item-identifier`. (`1113`)
- Autofilled item `item-identifier`. (`1114`)
- Sent item `item-identifier` to trash. (`1115`)
- Restored item `item-identifier`. (`1116`)
- Viewed Card Number for item `item-identifier`. (`1117`)

### Collection events

- Created collection `collection-identifier`. (`1300`)
- Edited collection `collection-identifier`. (`1301`)
- Deleted collection `collection-identifier`. (`1302`)

### Group events

- Created group `group-identifier`. (`1400`)
- Edited group `group-identifier`. (`1401`)
- Deleted group `group-identifier`. (`1402`)

### Organization events

- Invited user `user-identifier`. (`1500`)
- Confirmed user `user-identifier`. (`1501`)
- Edited user `user-identifier`. (`1502`)
- Removed user `user-identifier`. (`1503`)
- Edited groups for user `user-identifier`. (`1504`)
- Unlinked SSO for user `user-identifier`. (`1505`)
- `user-identifier` enrolled in account recovery. (`1506`)
- `user-identifier` withdrew from account recovery. (`1507`)
- Master Password reset for `user-identifier`. (`1508`)
- Reset SSO link for user `user-identifier`. (`1509`)
- `user-identifier` logged in using SSO for the first time. (`1510`)
- Revoked organization access for `user-identifier`. (`1511`)
- Restored organization access for `user-identifier`. (`1512`)
- Approved device for `user-identifier`. (`1513`)
- Denied device for `user-identifier`. (`1514`)
- Deleted user `user-identifier`. (`1515`)
- User `user-identifier` left organization. (`1516`)
- Edited organization settings. (`1600`)
- Purged organization vault. (`1601`)
- Exported organization vault. (`1602`)
- Organization Vault access by a managing [Provider](https://bitwarden.com/help/providers/). (`1603`)
- Organization enabled SSO. (`1604`)
- Organization disabled SSO. (`1605`)
- Organization enabled Key Connector. (`1606`)
- Organization disabled Key Connector. (`1607`)
- Families Sponsorships synced. (`1608`)
- Modified collection management setting. (`1609`)
- Turned on Restrict collection creation [setting](https://bitwarden.com/help/collection-management/) (`1610`)
- Turned off Restrict collection creation [setting](https://bitwarden.com/help/collection-management/) (`1611`)
- Turned on Restrict collection deletion [setting](https://bitwarden.com/help/collection-management/) (`1612`)
- Turned off Restrict collection deletion [setting](https://bitwarden.com/help/collection-management/) (`1613`)
- Turned on Restrict item deletion [setting](https://bitwarden.com/help/collection-management/) (`1614`)
- Turned off Restrict item deletion [setting](https://bitwarden.com/help/collection-management/) (`1615`)
- Turned on Allow owners and admins to manage all collections and items [setting](https://bitwarden.com/help/collection-management/) (`1616`)
- Turned off Allow owners and admins to manage all collections and items [setting](https://bitwarden.com/help/collection-management/) (`1617`)
- Modified policy `policy-identifier`. (`1700`)
- Added domain `domain-name`. (`2000`)
- Removed domain `domain-name`. (`2001`)
- `domain-name` verified. (`2002`)
- `domain-name` not verified. (`2003`)

### Secrets Manager events

Secrets Manager events are available both from the **Reporting** tab of your organization vault and from the [machine account Event logs page](https://bitwarden.com/help/service-accounts/#service-account-events/). The following Secrets Manager events are captured:

- Accessed a secret with identifier: `secret-identifier` (`2100`)
- Created a new secret with identifier: `secret-identifier` (`2101`)
- Edited a secret with identifier: `secret-identifier` (`2102`)
- Deleted a secret with identifier: `secret-identifier` (`2103`)
- Accessed a project with identifier: `project-identifier` (`2200`)
- Created a new project with identifier: `project-identifier` (`2201`)
- Edited a project with identifier: `project-identifier` (`2202`)
- Deleted a project with identifier: `project-identifier` (`2203`)
- Added user: `user-identifier` to machine account with identifier: `machine-account-identifier` (`2300`)
- Removed user: `user-identifier` from machine account with identifier: `machine-account-identifier` (`2301`)
- Added group: `group-identifier` to machine account with identifier: `machine-account-identifier` (`2302`)
- Removed group: `group-identifier` from machine account with identifier: `machine-account-identifier` (`2303`)
- Created machine account with identifier: `machine-account-identifier` (`2304`)
- Deleted machine account with identifier: `machine-account-identifier` (`2305`)

### Provider events

When any of the above events is executed by a member of an [administering provider](https://bitwarden.com/help/providers/), the **User** column will record the name of the provider.
Additionally, a provider-specific event will record whenever a member of an administering provider accesses your organization vault:

![Provider accessing events](https://bitwarden.com/assets/4e95ZWDt6ZBPfina42MZhP/d4653c6aebb2bcff6186e6d49415da61/2024-12-05_09-47-18.png)

## Export events

Exporting event logs will create a `.csv` of all events within the specified date range:

![Export Event Logs](https://bitwarden.com/assets/QL3nTOsAOsCPQtQTONOEw/53652d49e4bf8eaa67c972c1b55c12fc/2024-12-04_09-48-02.png)

For example:

```
message,appIcon,appName,userId,userName,userEmail,date,ip,type
Logged in.,fa-globe,Web Vault - Chrome,1234abcd-56de-78ef-91gh-abcdef123456,Alice,alice@bitwarden.com,2021-06-14T14:22:23.331751Z,111.11.111.111,User_LoggedIn
Invited user zyxw9876.,fa-globe,Unknown,1234abcd-56de-78ef-91gh-abcdef123456,Alice,alice@bitwarden.com,2021-06-14T14:14:44.7566667Z,111.11.111.111,OrganizationUser_Invited
Edited organization settings.,fa-globe,Web Vault - Chrome,9876dcba-65ed-87fe-19hg-654321fedcba,Bob,bob@bitwarden.com,2021-06-07T17:57:08.1866667Z,222.22.222.222,Organization_Updated
```

## API responses

Accessing event logs from the `/events` endpoint of the [Bitwarden Public API](https://bitwarden.com/help/public-api/) will return a JSON response such as the following:

```
{
  "object": "list",
  "data": [
    {
      "object": "event",
      "type": 1000,
      "itemId": "string",
      "collectionId": "string",
      "groupId": "string",
      "policyId": "string",
      "memberId": "string",
      "actingUserId": "string",
      "date": "2020-11-04T15:01:21.698Z",
      "device": 0,
      "ipAddress": "xxx.xx.xxx.x"
    }
  ],
  "continuationToken": "string"
}
```

## SIEM and external systems integrations

Bitwarden provides a comprehensive set of integrations with Security Information and Event Management (SIEM) platforms that leverage event logs:

- [Elastic SIEM](https://bitwarden.com/help/elastic-siem/)
- [Microsoft Sentinel SIEM](https://bitwarden.com/help/microsoft-sentinel-siem/)
- [Panther SIEM](https://bitwarden.com/help/panther-siem/)
- [Rapid7 SIEM](https://bitwarden.com/help/rapid7-siem/)
- [Splunk SIEM](https://bitwarden.com/help/splunk-siem/)

Bitwarden also provides multiple methods for accessing data that may be relevant to SIEM platforms for which there is not currently a specific integration. For help configuring a SIEM that isn't listed above, refer to [Non-native SIEM](https://bitwarden.com/help/non-native-siem/).

--- URL: https://bitwarden.com/help/exclude-domains/ ---

# Block Autosave on Specific Sites

Bitwarden browser extensions can be configured to exclude specific sites from triggering [autosave notifications](https://bitwarden.com/help/autosave-from-browser-extensions/). When a domain is in the **Excluded domains** list, Bitwarden won't issue any of the available notifications, including to save a new login, update an existing login, or to save or use a passkey:

![Ask to add login](https://bitwarden.com/assets/4vsurEuH5deik26BWn4n1p/82757186b081890fbe92b4d73baeae53/screenshot_7.png)

To configure excluded domains, navigate to **Settings** → **Notification** → **Excluded domains**:

![Excluded Domains Configuration](https://bitwarden.com/assets/qUGIVQR379ac3R2dXdoy8/06b4dec0b9e02911903052789c44723c/2024-12-03_11-00-24.png)

Domain exclusion does not register "full" URLs, only the domain component. For example, `https://github.com/bitwarden/browser` would resolve to `github.com` when saved, meaning that the browser extension would explicitly not offer to save credentials for GitHub.

--- URL: https://bitwarden.com/help/export-organization-items/ ---

# Export Organization Items

For organizations, exporting data and storing it in a secure location is a great way of ensuring access to a backup. Organizations can export data from the web app and CLI. Vault data is decrypted locally by the client before export, meaning no unencrypted data is transported over the internet when you create an export.
There are two ways to export organization data:

- Organization members with the [Manage collection permission](https://bitwarden.com/help/collection-permissions/) can export item data from collections for which they have that permission by following [this process](https://bitwarden.com/help/export-your-data/).
- Organization [admins, owners, and custom users with the correct permissions](https://bitwarden.com/help/user-types-access-control/) can export all organization item data by using the instructions in this article.

Exports can be made in a few different formats; however, Bitwarden recommends using an [encrypted .json option](https://bitwarden.com/help/encrypted-export/) for best security and a more complete export, as `.csv` files won't currently export cards or identities, and only `.json` exports include [stored passkeys](https://bitwarden.com/help/storing-passkeys/) and [SSH keys](https://bitwarden.com/help/ssh-agent/). For a complete list of all the items and fields included in an organization's vault export, see this ⬇️ [JSON sample](https://bitwarden.com/assets/2oQPd5ZsY1N0hph4N6pBrY/b5fc7c05ac238d71d9a1902a58559cc6/Organization_vault_export.json).

### Web app

To export your organization data from the web app:

1. Open the **Admin Console** using the product switcher:

   ![Product switcher](https://bitwarden.com/assets/2uxBDdQa6lu0IgIEfcwMPP/e3de3361749b6496155e25edcfdcf08b/2024-12-02_11-19-56.png)
2. Select **Export** → **Export vault** from the navigation:

   ![Export organization vault](https://bitwarden.com/assets/2UQyeVwsMcc1f7vcJOnnUO/4949e1a6b8422222865fdd7a6275aea5/2024-12-03_09-01-45.png)
3. On the vault export page, choose a **File format** (`.json`, `.csv`, or `.json (Encrypted)`) and select the **Confirm format** button.

   > [!WARNING] Careful w/ Exports
   > Unless you are using an [encrypted export](https://bitwarden.com/help/encrypted-export/), do not store or send the exported file over insecure channels, like email, and delete the file immediately after use.
4. Enter your master password and select the **Export vault** button.

> [!NOTE] Exported Org data event
> Exporting an organization's vault data will be captured by event logs. [Learn more](https://bitwarden.com/help/event-logs/).

### CLI

> [!TIP] Sync before export on CLI
> Sync your vault with `bw sync` before exporting to ensure the most up-to-date information is included.

To export your organization data from the CLI, use the `export` command with the `--organizationid` option. By default, `export` will export your vault as a `.csv` and save the file to the working directory; however, this behavior can be altered using options:

```
bw export my-master-password --organizationid 7063feab-4b10-472e-b64c-785e2b870b92 --output /users/me/documents/ --format json --session my-session-key
```

> [!TIP] Getting organizationid with bw list
> If you don't know your `organizationid` value off-hand, you can access it at the command-line using `bw list organizations`.

For more detail, see our [CLI documentation](https://bitwarden.com/help/cli/).

> [!NOTE] Exported Org data event
> Exporting an organization's vault data will be captured by event logs. [Learn more](https://bitwarden.com/help/event-logs/).

--- URL: https://bitwarden.com/help/export-secrets-data/ ---

# Export Data

You can export your secrets data from the web app as a `.json` file. Exports will include [projects](https://bitwarden.com/help/projects/) and [secrets](https://bitwarden.com/help/secrets/), but not [machine accounts](https://bitwarden.com/help/machine-accounts/) or [access tokens](https://bitwarden.com/help/access-tokens/). Only the Secrets Manager data associated with the organization currently selected from the organization selector will be exported.
Items in other products or from other organizations will not be included.

To export your data:

[![Vimeo Video](https://vumbnail.com/846444688.jpg)](https://vimeo.com/846444688)

*[Watch on Vimeo](https://vimeo.com/846444688)*

Learn more about exporting Secrets Manager data [here](https://bitwarden.com/help/export-secrets-data/).

> [!NOTE] Secrets export role
> To export Secrets Manager data, your user account must be an owner or admin within the organization.

1. Select **Settings** → **Export data** from the left-hand navigation:

   ![Export data](https://bitwarden.com/assets/4UTBBbo0rrqRtsYSBmiCLy/0af1a1818c660f8baf24c46999a8a81d/2024-12-03_13-41-37.png)
2. Select the **Export data** button. When prompted, enter your master password.

--- URL: https://bitwarden.com/help/export-your-data/ ---

# Export Vault Data

Export your vault data, including logins and notes, to back up important information or [transfer to a new Bitwarden vault](https://bitwarden.com/help/import-data/). No unencrypted data is transferred over the internet, because data is decrypted locally by the client before exporting.

> [!TIP] Cloud-stored, no need for export
> If you’re adding Bitwarden to a new device and your account is hosted on our cloud servers, you don’t need to create an export. Instead, [download Bitwarden](https://bitwarden.com/download/) on your new device and log in with your existing account.

> [!WARNING] Careful w/ Exports
> Unless you are using an [encrypted export](https://bitwarden.com/help/encrypted-export/), do not store or send the exported file over insecure channels, like email, and delete the file immediately after use.
## Export file types

Exports can be downloaded in a few formats:

- `.json` (plaintext)
- `.csv` (plaintext)
- [.json (Encrypted)](https://bitwarden.com/help/encrypted-export/)
- `.zip (with attachments)` (includes a `.json` file and your attachments)

  > [!NOTE] .zip exports
  > `.zip` exports are currently only available for individual vault data.
- (**iOS 26 only**) export directly to another app

  > [!NOTE] What is CXP
  > Exporting directly to another app requires that the target app supports the [FIDO Credential Exchange Protocol (CXP)](https://fidoalliance.org/specifications-credential-exchange-specifications).

Review [example .csv and .json files](https://bitwarden.com/help/condition-bitwarden-import/) to decide which format is best for you. We recommend the encrypted `.json` option for best security and most complete export. Only `.json` exports include:

- Cards
- Identities
- [Stored passkeys](https://bitwarden.com/help/storing-passkeys/)
- [SSH keys](https://bitwarden.com/help/ssh-agent/)

No export formats include trash items or [Sends](https://bitwarden.com/help/about-send/). For a complete list of all items and fields included in an individual vault export, check out this ⬇️ [.json sample](https://bitwarden.com/assets/3klSoZBBd57skEvwFkcMJc/9dfe5d696c102cd32da88dc325706738/Individual_vault_export.json).

## Export an individual vault

> [!NOTE] Exporting personal data; no org data
> Individual vault exports do not include organization-owned data. Only admins, owners, and some custom roles can [export organization items](https://bitwarden.com/help/export-organization-items/) via the web app or CLI. Members with **Manage collection** [permission](https://bitwarden.com/help/collection-permissions/) can, however, export data from collections they can access.

### Web app

To export vault data:

1. Select **Tools**.
2. Select **Export vault**:

   ![Export individual vault](https://bitwarden.com/assets/5PUGzasNsQnABG9gtso4o3/9be00b37afafd779c20fd9624dd9512d/2024-12-03_08-59-25.png)
3. From the **Export from** dropdown menu, select which data to download:
   - Select **My vault** for your individual vault’s items.
   - Select an organization vault’s name, which will include data from collections where you have [**Manage collection**](https://bitwarden.com/help/about-collections/#collections-permissions/) permission.
4. Select a **File Format**: `.json`, `.csv`, `.json (Encrypted)`, or `.zip (with attachments)`.
5. (Optional) If you choose `.json (Encrypted)`, select an **Export type** for the [encrypted file](https://bitwarden.com/help/encrypted-export/):
   - **Account restricted:** This file can only be imported to the current Bitwarden account that generated the encrypted export file.

     > [!WARNING] Encryption Key Impact on Encrypted Exports
     > **Account restricted** exports can not be imported to a different account. Additionally, [rotating your account's encryption key](https://bitwarden.com/help/account-encryption-key/) will render an account restricted export impossible to decrypt. **If you rotate your account encryption key, replace any old files with new ones that use the new encryption key.**
     >
     > If you wish to import an encrypted `.json` file onto a different Bitwarden account, select the **Password protected** export type when creating an export.
   - **Password protected:** This file can be imported to any Bitwarden account by utilizing the password set during the encrypted export process.

     > [!TIP] Password generator for export
     > Select [generate] to securely generate a unique password for the export. If you do, be sure to save that password in a safe place.
6. Select **Confirm format**.
7. Enter your master password or an email verification code to confirm.
8. Select **Export vault**.

Export files will be saved **to the location set by your browser**.
By default this is typically a Downloads folder, but you can change it within the web browser.

### Browser extension

To export vault data:

1. Select the ⚙️ **Settings** icon.
2. Select **Vault options**.
3. Select **Export vault**.
4. From the **Export from** dropdown menu, select which data to download:
   - Select **My vault** for your individual vault’s items.
   - Select an organization vault’s name, which will include data from collections where you have [**Manage collection**](https://bitwarden.com/help/about-collections/#collections-permissions/) permission.
5. Select a **File Format**: `.json`, `.csv`, `.json (Encrypted)`, or `.zip (with attachments)`.
6. (Optional) If you choose `.json (Encrypted)`, select an **Export type** for the [encrypted file](https://bitwarden.com/help/encrypted-export/):
   - **Account restricted:** This file can only be imported to the current Bitwarden account that generated the encrypted export file.

     > [!WARNING] Encryption Key Impact on Encrypted Exports
     > **Account restricted** exports can not be imported to a different account. Additionally, [rotating your account's encryption key](https://bitwarden.com/help/account-encryption-key/) will render an account restricted export impossible to decrypt. **If you rotate your account encryption key, replace any old files with new ones that use the new encryption key.**
     >
     > If you wish to import an encrypted `.json` file onto a different Bitwarden account, select the **Password protected** export type when creating an export.
   - **Password protected:** This file can be imported to any Bitwarden account by utilizing the password set during the encrypted export process.

     > [!TIP] Password generator for export
     > Select [generate] to securely generate a unique password for the export. If you do, be sure to save that password in a safe place.
7. Select **Export vault**.
8. Enter your master password or an email verification code to confirm.
9. Select **Export vault**.

Export files will be saved **to the location set by your browser**. By default this is typically a Downloads folder, but you can change it within the web browser.

### Desktop

To export vault data:

1. Select **File**.
2. Select **Export vault**.
3. From the **Export from** dropdown menu, select which data to download:
   - Select **My vault** for your individual vault’s items.
   - Select an organization vault’s name, which will include data from collections where you have [**Manage collection**](https://bitwarden.com/help/about-collections/#collections-permissions/) permission.
4. Select a **File Format**: `.json`, `.csv`, `.json (Encrypted)`, or `.zip (with attachments)`.
5. (Optional) If you choose `.json (Encrypted)`, select an **Export type** for the [encrypted file](https://bitwarden.com/help/encrypted-export/):
   - **Account restricted:** This file can only be imported to the current Bitwarden account that generated the encrypted export file.

     > [!WARNING] Encryption Key Impact on Encrypted Exports
     > **Account restricted** exports can not be imported to a different account. Additionally, [rotating your account's encryption key](https://bitwarden.com/help/account-encryption-key/) will render an account restricted export impossible to decrypt. **If you rotate your account encryption key, replace any old files with new ones that use the new encryption key.**
     >
     > If you wish to import an encrypted `.json` file onto a different Bitwarden account, select the **Password protected** export type when creating an export.
   - **Password protected:** This file can be imported to any Bitwarden account by utilizing the password set during the encrypted export process.

     > [!TIP] Password generator for export
     > Select [generate] to securely generate a unique password for the export. If you do, be sure to save that password in a safe place.
6. Select **Export vault**.
7. Enter your master password or an email verification code to confirm.
8. Select **Export vault**.

Export files will be saved **to the location set by your device**. By default this is typically a Downloads folder, but you can change it within the device settings.

### Mobile

To export vault data:

1. Tap the ⚙️ **Settings** icon.
2. Tap **Vault**.
3. Tap **Export vault**.

   > [!NOTE] CXP on iOS
   > On iOS 26, you can choose between **Export vault to a file** and **Export vault to another app**.
   >
   > If you choose **Export vault to a file**, continue with these instructions. If you choose **Export vault to another app**, follow the simple on-screen process to export data directly to any other app that supports the [FIDO Credential Exchange Protocol](https://fidoalliance.org/specifications-credential-exchange-specifications).
4. Select a **File Format**: `.json`, `.csv`, or `.json (Password protected)`.

   ![Export vault on mobile](https://bitwarden.com/assets/6IvRA9oYfTvO9GxylX2MMh/528b65ca6d83f0f28c469b62078570d5/2025-01-22_09-51-29.png)
5. (Optional) If you choose `.json (Password protected)`, enter a new password. If you import this file back into Bitwarden, you'll need to enter that password.
6. Enter your master password.
7. Select **Export**.

Export files will be saved **to the location set by your device**. By default this is typically a Downloads folder, but you can change it within the device settings.

### CLI

> [!TIP] Sync before export on CLI
> Sync your vault with `bw sync` before exporting to ensure the most up-to-date information is included.

To export your individual vault data from the [CLI](https://bitwarden.com/help/cli/), use the `export` command. By default, `export` will export your vault as a `.csv` and save the file to the working directory.
This behavior can be altered using options:

```
bw export --output /users/me/documents/ --format json --password mYP@ssw0rd
```

The `--password` option can be used to specify a password to use to encrypt `encrypted_json` exports instead of your [account encryption key](https://bitwarden.com/help/account-encryption-key/).

--- URL: https://bitwarden.com/help/external-db/ ---

# Connect to an External MSSQL Database

By default, self-hosted instances of Bitwarden will use a Microsoft SQL Server (MSSQL) database image created as a normal part of [installation setup](https://bitwarden.com/help/install-on-premise-linux/); however, you can configure Bitwarden to use an external MSSQL database.

> [!NOTE]
> Bitwarden only **supports and recommends SQL Server 2022**. Learn about the system requirements for SQL Server on [Windows](https://learn.microsoft.com/en-us/sql/sql-server/install/hardware-and-software-requirements-for-installing-sql-server-2022?view=sql-server-ver17#pmosr) and [Linux](https://learn.microsoft.com/en-us/sql/linux/sql-server-linux-setup?view=sql-server-ver16#supported-platforms).
>
> At this time, Bitwarden does not support SQL Server 2025, and mainstream support ended for Server 2017 and Server 2019. Deprecation of support for a specific SQL server version will be noted here and in the [release notes](https://bitwarden.com/help/releasenotes/) for a given release if Bitwarden implements features that are not available on a specific version of SQL Server.

## Setup external database

To set up your self-hosted instance with an external database:

### Docker

1. Create a new MSSQL database.
2. (**Recommended**) Create a dedicated DBO for your database.
3. In the `global.override.env` file for your server, edit the `globalSettings__sqlServer__connectionString=` value for the following information:
   - Replace `"Data Source=tcp:mssql,1433";` with your MSSQL server name, for example `"Data Source=protocol:server_url,port"`.
   - Replace the `vault` in `Initial Catalog=vault;` with your database name.
   - Replace the `sa` in `User ID=sa;` with your DBO User ID.
   - Replace the `` in `Password=;` with your DBO password.
4. Save your changes to `global.override.env`.
5. Start Bitwarden (`./bitwarden.sh start`).

Once the above steps are complete, you can test the connection by creating a new user through the web vault and querying the external `vault` database for creation of the new user.

### Helm

1. Create a new MSSQL database.
2. (**Recommended**) Create a dedicated DBO for your database.
3. In your `my-values.yaml` configuration file, set the value `database.enabled: false` to stop the included SQL pod from being deployed.
4. In the Kubernetes secrets object used for deployment, set a `globalSettings__sqlServer__connectionString=` value with the following information:

   > [!NOTE] Different methods for K8S secret object
   > The method you use to configure your secrets object may depend on your deployment, for example [AWS deployments](https://bitwarden.com/help/aws-eks-deployment/) and [Azure deployments](https://bitwarden.com/help/azure-aks-deployment/) may use a CSI SecretProviderClass to do so.

   - `Data Source=tcp:,1433` where `` is your MSSQL server's name.
   - `Initial Catalog=` where `` is your database name.
   - `Persist Security Info=False`.
   - `User ID=` where `` is your DBO user ID.
   - `Password=` where `` is your DBO password.
   - `Multiple Active Result Sets=False`.
   - `Connect Timeout=30`.
   - `Encrypt=True`.
   - `Trust Server Certificate=true`. This value can be set to `false` if you require that the Bitwarden server validates your MSSQL server's certificate.

## Validate a server certificate

To configure Bitwarden to validate your MSSQL database server's certificate:

### Docker

1. Copy your root CA certificate into `./bwdata/ca-certificates`.
2. Run the `./bitwarden.sh restart` command to apply the certificate to your containers and restart your server.

### Helm

1. In your `my-values.yaml` configuration file, set the value `caCertificate.enabled: true`.
2. Create a ConfigMap object that contains your certificate file. The simplest way to do this would be to add a `preInstall` [RawManifest](https://bitwarden.com/help/add-rawmanifest-files/) to your `my-values.yaml` file, as in the following example:

   ```yaml
   rawManifests:
     preInstall:
       - kind: ConfigMap
         apiVersion: v1
         metadata:
           name: cacert
         data:
           rootca.crt: |
             -----BEGIN CERTIFICATE-----
             ...
             -----END CERTIFICATE-----
     postInstall:
   ```

--- URL: https://bitwarden.com/help/families-for-enterprise-self-hosted/ ---

# Self-hosting Families Sponsorships

Members of [enterprise organizations](https://bitwarden.com/help/about-organizations/#types-of-organizations/) are offered a **free Families organization** sponsorship that can be applied to a new or pre-existing Families organization and redeemed directly from the web vault.

> [!NOTE] Families License
> If you're looking for information on updating a license for a non-sponsored self-hosted Families organization, see [here](https://bitwarden.com/help/licensing-on-premise/#update-organization-license/).

You will need to enable automatic billing sync to allow your self-hosted enterprise organization to issue sponsorships for cloud Families organizations. To set up automatic sync:

## Step 1: Enable cloud communication

First, you'll need to configure your server to allow communication with our cloud systems.

> [!TIP] Who can Enable Cloud Comms
> This step must be completed by someone with access to your self-hosted instance's configuration files.

In order to enable cloud communication, set the following line in `bwdata/env/global.override.env` to `true`:

```
globalSettings__enableCloudCommunication=true
```

If your cloud organization was created on EU servers, you'll also need to set the following values:

```
globalSettings__baseServiceUri__cloudRegion=EU
globalSettings__installation__identityUri=https://identity.bitwarden.eu
globalSettings__installation__apiUri=https://api.bitwarden.eu
globalSettings__pushRelayBaseUri=https://push.bitwarden.eu
```

> [!NOTE] Installation id region
> The value for `globalSettings__baseServiceUri__cloudRegion` must match the data region that was selected when retrieving your [Installation ID & Key](https://bitwarden.com/host/).

Once you have set these values, apply your changes by running the `./bitwarden.sh restart` command.

> [!NOTE] Self-hosting communication fire walls
> Enabling automatic sync requires communication with Bitwarden's cloud systems. If your environment uses a firewall to block outbound traffic, you will need to allow `https://api.bitwarden.com` or `.eu` and `https://identity.bitwarden.com` or `.eu`.

## Step 2: Retrieve billing sync token

Once cloud communication is enabled at the server-level, a sync token needs to be passed from the cloud organization you use for billing to your self-hosted organization. To retrieve your sync token from the cloud web vault you must be an organization owner. To retrieve the token:

1. Open the cloud web app and open the Admin Console using the product switcher:

   ![Product switcher](https://bitwarden.com/assets/2uxBDdQa6lu0IgIEfcwMPP/e3de3361749b6496155e25edcfdcf08b/2024-12-02_11-19-56.png)
2. Navigate to **Billing** → **Subscription**.
3. Scroll down to the Self-hosting section and select the **Set up billing sync** button.
4. Enter your master password and select **Generate token**.
5. Copy the generated token.
## Step 3: Apply billing sync token To apply the billing sync token to your self-hosted organization: > [!WARNING] F4E on Old Server Version > At this stage, if you're upgrading your self-hosted deployment from an earlier version, you may need to [manually update your license file](https://bitwarden.com/help/licensing-on-premise/#organization-license/) before proceeding. 1. Open the self-hosted Admin Console and navigate to **Billing** → **Subscription**. 2. In the License and billing management section, choose the **Automatic sync** option. 3. Select the **Manage billing sync** button. 4. Paste your generated **Billing sync token** and select **Save**. > [!NOTE] Sync Status `Never` > Sync for [Families for Enterprise](https://bitwarden.com/help/families-for-enterprise-self-hosted/) will occur once daily once you've triggered your first sync. The **Last sync** field in this section will report **Never** until you trigger your first sync. > > Sync for license updates must always be done manually by selecting the **Sync license** button (see the next section for details). ## Step 4: Trigger sync Trigger a sync once you've completed setup. Billing sync will occur **once daily**, however you can manually trigger a sync at any time. To trigger a sync: 1. Open the self-hosted [System Administrator Portal](https://bitwarden.com/help/system-administrator-portal/) and navigate to **Organization** and select the enterprise organization. 2. Locate the Connections section and select the **Manually Sync**button. > [!NOTE] organization license error > If you receive a `version not supported` error message, update your server and try uploading your license file again. To update your server, make a backup of the `bwdata` directory and follow [these instructions](https://bitwarden.com/help/updating-on-premise/). In between syncs, users may see the status `Awaiting Sync` after redeeming or changing a sponsorship. 
This indicates your self-hosted Bitwarden server is waiting to sync with the Bitwarden cloud before a sponsorship can be fully redeemed or changed.

--- URL: https://bitwarden.com/help/families-for-enterprise/ ---

# Sponsored Families for Members

[![Vimeo Video](https://vumbnail.com/828094070.jpg)](https://vimeo.com/828094070) *[Watch on Vimeo](https://vimeo.com/828094070)*

Learn more about Enterprise-sponsored Families organizations [here](https://learning-center-update.bw-web.dev/help/families-for-enterprise/).

Members of [Enterprise organizations](https://bitwarden.com/help/about-organizations/#types-of-organizations/) are offered a **free Families organization** sponsorship that can be applied to a new or pre-existing Families organization and redeemed directly from the web vault.

> [!TIP] Can be turned off with a policy
> This feature can be turned off by Enterprise organizations with a [policy](https://bitwarden.com/help/policies/).

Using a **Families organization**, securely share vault data between yourself and up to five friends or family members. Families organizations include premium Bitwarden features for all six users, including [advanced two-step login methods](https://bitwarden.com/help/setup-two-step-login/), [encrypted file attachments](https://bitwarden.com/help/attachments/), [emergency access](https://bitwarden.com/help/emergency-access/), and [more](https://bitwarden.com/help/password-manager-plans/).

This article will help organization members redeem their sponsorship, however if you are an admin of a self-hosted Bitwarden Enterprise organization, you'll need to [complete these steps](https://bitwarden.com/help/families-for-enterprise-self-hosted/) to enable Families sponsorships for your members.

> [!NOTE] F4E ignore renewal emails
> Users who have already redeemed a free Families organization sponsorship may still receive renewal reminder emails from Bitwarden.
> As long as you are an active member of the sponsoring Enterprise organization, you may ignore these emails. If you are no longer a member of the sponsoring Enterprise organization, navigate to **Billing** → **Payment method**, and check that the payment method is valid.

## Redeem your sponsorship

> [!NOTE] F4E/EU
> Families sponsorships must be based in the same region as the sponsoring Enterprise organization. Make sure you [select the correct region](https://bitwarden.com/help/server-geographies/#choose-your-cloud-server/) before logging in and redeeming a sponsorship.

To redeem your sponsorship:

1. Log in to the Bitwarden web app as the account attached to the sponsoring organization.
2. Using the navigation, select **Settings** → **Free Bitwarden Families**:

   ![Free Bitwarden Families](https://bitwarden.com/assets/4N84OPFobJYDw7pr05Ls1W/caf30220fd12b3635f6c3e420645b9bf/2024-12-04_10-20-37.png)
3. On this screen, provide a **personal email** you want to redeem the sponsorship with and select **Redeem.**

   > [!TIP] F4E account redemption.
   > If you already have a separate personal Bitwarden account, use the email address attached to that account. If you don't already have a separate personal Bitwarden account, you will need to create one with the personal email you enter here. **Do not** use the email address or Bitwarden account attached to the sponsoring organization.
4. In your inbox, you will receive an email from Bitwarden inviting you to accept the sponsorship offer. Select **Accept Offer** to continue:

   ![Accept Families for Enterprise Offer](https://bitwarden.com/assets/1G0VmQSY0lCTEgsetHc2cy/81347ce663fcfc717b6dd21295ada1a1/Screen_Shot_2022-05-23_at_9.38.42_AM.png)
5. If there is a Bitwarden account associated with the provided **personal email**, log in. If there is not an account associated with the personal email, you will be directed to the Create Account screen.
   > [!TIP] F4E Self-host as an end-user
   > Sponsored Families organizations must always be accessed from `https://vault.bitwarden.com` or `https://vault.bitwarden.eu`. Your work account might use a different URL, for example `https://company.bitwarden.com`, so you will need to remember to use the right URL to log in to the right account.
   >
   > **Tip**: Bitwarden mobile and desktop apps can [quickly swap between accounts](https://bitwarden.com/help/account-switching/) that use different URLs.
6. Once you have logged in, you will be directed to a screen where you can finish redeeming your sponsorship for a **New Families Organization** or an **Existing Families Organization**:

### New Families organization

Select **New Families organization** from the dropdown:

![New Free Bitwarden Families](https://bitwarden.com/assets/3NnhjGPkYir4aMCLzvmJf1/db51c17a40db8d7a399ed49ec65d98f5/2024-12-04_10-24-32.png)

Fill in the following information:

- An **Organization name**
- A **Billing email**
- Whether you want to add **Additional storage (GB)**. Your sponsorship covers 1 GB free.
- **Payment information**

You won't have to make any payments for the Families organization as long as you are an active member of the sponsoring organization, unless you add **Additional storage**.

When you are done filling in your information, select **Submit.**

### Existing Families organization

Select the organization from the dropdown and select **Accept Offer:**

![Existing Free Bitwarden Families](https://bitwarden.com/assets/5HIpHzcAzTsBjE4UZhjCV0/1f3ce019f188b2a1be20cc1587534864/2024-12-04_10-24-53.png)

When you accept the offer, your old subscription will be replaced by the Enterprise sponsorship. You won't have to make any payments for the Families organization, unless you add **Additional storage**, for as long as you are an active member of the sponsoring organization.
> [!NOTE] F4E for 2019 Families
> If you are on the [2019 Families plan](https://bitwarden.com/help/updates-to-plans/), you can still redeem a sponsorship but your organization will not automatically include all features released after 2020. To upgrade your current plan, navigate to the **Subscriptions** → **Billing** page and select **Upgrade plan**.

> [!NOTE] Completing Bitwarden organizations enrollment
> **Congratulations!** If you are new to using Bitwarden Families organizations, we recommend checking out [this article](https://bitwarden.com/help/getting-started-organizations/#get-to-know-your-organization/) to learn the basics.

## Frequently asked questions

#### Q: Can I redeem with the account that's a member of the sponsoring Enterprise?

**A:** No. Upon redemption, you will be asked to enter a **personal email address** that you own. If you already have a personal Bitwarden account, enter that account's email address. If you don't, enter a personal email address for which you want to create a personal Bitwarden account.

#### Q: Can I redeem for my existing Families organization?

**A:** Yes! Redeeming a sponsorship for an active Families organization will immediately switch you to a sponsored subscription and add prorated account credit for the time remaining on the subscription you have paid for.

#### Q: Can I add additional storage?

**A:** Yes, however only 1 GB is included in your sponsorship. More storage can be added at any time and doing so will charge your payment method on file.

#### Q: What happens if I leave the organization sponsoring me?

**A:** If you leave or are removed from the sponsoring organization, or if you manually end your sponsorship, your payment method on file will be charged at the next billing interval.

#### Q: What do I do if I received a renewal reminder in my email?
**A**: If you're still a member of the Enterprise organization, typically an employer, that's sponsoring your free Families organization, you can safely ignore this email. If you're no longer a member of that Enterprise organization, ensure your organization will renew without interruption by opening your Families organization Admin Console, navigating to **Billing** → **Payment method**, and checking that the payment method is valid.

#### Q: What does `Awaiting Sync` mean?

**A:** The status `Awaiting Sync` indicates your self-hosted Bitwarden server is waiting to sync with the Bitwarden cloud before your sponsorship can be fully redeemed or changed. Sync happens once a day. If you try to redeem your sponsorship before the sync is complete, you will get an error message in the cloud web vault that reads `Cannot find an outstanding sponsorship offer for this organization.`

#### Q: Can self-hosted Enterprise organizations issue sponsorships?

**A:** Yes. There's a short setup procedure that must be completed by an administrator which you can learn more about [here](https://bitwarden.com/help/families-for-enterprise-self-hosted/). Please remind your users that their sponsored Families organization can be redeemed through our public cloud (`https://vault.bitwarden.com`).

#### Q: Can a sponsored Families organization be on a self-hosted server?

**A:** Yes, however there are a few steps to go through:

1. Redeem your sponsorship at `https://vault.bitwarden.com` [as described above](https://bitwarden.com/help/families-for-enterprise/#redeem-a-sponsorship/).
2. Still on `https://vault.bitwarden.com`, retrieve your Families organization's license file [as described here](https://bitwarden.com/help/licensing-on-premise/#organization-license/).
3. Log in to your self-hosted server and apply the license file to an organization [as described here](https://bitwarden.com/help/licensing-on-premise/#organization-license/).
Please note, your self-hosted server will need to be connected to an SMTP mail server in order for invitations to your families organization to be sent to other members.

#### Q: If my organization is on a US server, can I redeem a Families organization on the EU server?

**A:** No, the Families plan sponsorship can only be redeemed on the same cloud server as the sponsoring Enterprise organization. If your Enterprise organization has migrated from one cloud server to another, a new Families organization will have to be sponsored on the correct cloud server. For more information on migrating organizations, see the Bitwarden [migration guide](https://bitwarden.com/help/teams-enterprise-migration-guide/).

#### Q: How do I remove a Families organization?

**A:** To remove a Families organization, log in to the account that is a member of the Enterprise organization and navigate to **Settings** → **Free Bitwarden Families**. Select the ⚙️ cog icon associated with the sponsored Families organization and select **Remove**.

--- URL: https://bitwarden.com/help/favorites/ ---

# Favorites

Any item can be designated as a **Favorite** to allow quick access to your most used items. Even items [shared with you from an organization](https://bitwarden.com/help/sharing/) can be designated a favorite, but this will only impact how they appear in your individual vault (i.e. you won't make that item a favorite for other users with access to the organization or collection).

> [!NOTE]
> Items marked as a favorite will appear at the top of your 🔒 **Vault** view in browser extensions and mobile apps, and in the ⭐ **Favorites** filter in your web vault and desktop apps.
## Designating favorites

Designate any vault item as a favorite when you initially create it, or at any time by editing the item:

### Web app

On the Add or Edit screen, select the ⭐ **Star** icon in the top-right corner and **Save** the item:

![Favorite an item](https://bitwarden.com/assets/4XpFH5NFI6Lso21BpGNKsu/e90cd1d0d6c3e4e7296d2e0300ab3ab2/2024-12-02_16-26-17.png)

### Browser extension

Select an item and open the Edit screen. Select the **Favorite** checkbox and **Save** the item:

![Favorite an item](https://bitwarden.com/assets/36QXVM3xcSN7vALkOWQPYr/fd82e56cb60b38e4ff6a96bfb7b5d54d/2024-10-29_11-53-27.png)

### Desktop

On the Add Item or Edit Item screen, check the **Favorite** checkbox and **Save** the item:

![Favorite an Item](https://bitwarden.com/assets/2BtbpzNSnydUYBu92j1bCH/0021d6daf3e437a86d3236deb36d70e2/desktopfavorite.gif)

### Mobile

On the Add Item or Edit Item screen, select the **Favorite** ⭐ and **Save** the item:

![Favorite an item on mobile](https://bitwarden.com/assets/1rvKA8zNjd1RktotXjBEUg/f25cc45f33b29b901ec8e1f3ddc96d7c/2025-01-22_09-46-54.png)

--- URL: https://bitwarden.com/help/filter-your-vault/ ---

# Filter your Vault

Filtering your vault will control which items will be listed in the Vault or Vaults views. To control vault filtering:

### Web app

Either:

- Select a characteristic from the **Filter** column (in the following screenshot, **Login**).
- Select one of the colored cards next to an item (in the following screenshot, either **Me** or **My Organization**).

![Web app filtering](https://bitwarden.com/assets/1UhfLlwmahJgbi0bcBtPLT/b4b1875602b0ea555626c98a388779b8/2024-12-02_14-23-39.png)

### Browser extension

Use the **Vault**, **Collection**, **Folder**, or **Type** selectors at the top of the 🔒 **Vault** tab.
You toggle the visibility of the filter dropdown menus with the 🎚️ button:

![Browser extension filters and suggestions](https://bitwarden.com/assets/12UsFuA2sxbUCBMIczJsxv/689221013fac56ddb555ed9dabddbdc9/screenshot_6.png)

### Mobile

Choose a vault by selecting the **Vault** menu button (⋯) on the **Vaults** tab:

![Filter vaults on mobile](https://bitwarden.com/assets/44WqYfqzP9JOJPSZ4Yrzjb/9167f19bc2e27a158be5ed3fc29a5689/2025-01-21_15-38-59.png)

### Desktop

Select a vault from the left-most column (in the following screenshot, **My Vault** or **My Organization**):

![Desktop Filtering](https://bitwarden.com/assets/2Lng0L2TRQ177CaU8EUQ1m/a2aecda54d121331c9933509474433cf/2025-08-13_14-23-17.png)

### CLI

Use the `bw list` command with the `--organizationid` option, which can take either an organization identifier or `null`, to list items by vault. [Learn more](https://bitwarden.com/help/cli/#list/).

--- URL: https://bitwarden.com/help/fingerprint-phrase/ ---

# Account Fingerprint Phrase

> [!NOTE] Fingerprints aren't fingerprints
> Are you looking to unlock your vault with a fingerprint reader? If so, check out [this article](https://bitwarden.com/help/biometrics/) instead.

Each Bitwarden account has a "fingerprint phrase" associated with it. Your account's fingerprint phrase is permanent and composed of five random English words that appear in a specific order, for example:

```
alligator-transfer-laziness-macaroni-blue
```

## What is my fingerprint phrase used for?

Your fingerprint phrase is an important security feature that helps securely identify a Bitwarden user when encryption-related operations, like sharing credentials, are performed. Some Bitwarden procedures, like adding a new user to an organization or confirming a [login with device request](https://bitwarden.com/help/log-in-with-device/), will ask you to verify that the fingerprint phrase matches your own or another user's.
Verify your fingerprint during relevant operations by coordinating with the Bitwarden user using a secondary form of communication, such as phone or messaging. Validating fingerprint phrases ensures that end-to-end encryption is securely initiated and that the Bitwarden server you are communicating with has not been maliciously tampered with.

## Where can I find my fingerprint phrase?

You can find your account's fingerprint phrase from any Bitwarden client application:

- **Web app**: Settings → My account
- **Desktop apps**: Account → Fingerprint Phrase
- **Browser extensions**: Settings → Account Security → Fingerprint Phrase
- **Mobile apps**: Settings → Account security → Account fingerprint Phrase
- **CLI**: Using the command `bw get fingerprint me`

## Do I need to write down my fingerprint phrase?

Not knowing your fingerprint phrase will never result in you being locked out of your vault, so it's not critical to write down or store your fingerprint phrase in a secure location, however some users may choose to do so.

> [!NOTE] Recovery codes
> [Recovery codes](https://bitwarden.com/help/two-step-recovery-code/), on the other hand, are used for two-step login and should **always** be stored outside of Bitwarden in a way that makes sense for you. This will ensure that you are not locked out of your account in the event that you [lose your two-step login secondary device](https://bitwarden.com/help/lost-two-step-device/).

## Can I change my fingerprint phrase?

While you can't change your current account's fingerprint phrase, you can [delete the account](https://bitwarden.com/help/delete-your-account/) and start a new one to generate a new phrase. Our fingerprint phrases are generated from the [Electronic Frontier Foundation's long word list](https://www.eff.org/deeplinks/2016/07/new-wordlists-random-passphrases), which has been "manually checked and [the EFF has] attempted to remove as many profane, insulting, sensitive, or emotionally-charged words as possible".
--- URL: https://bitwarden.com/help/first-steps-with-bitwarden/ ---

# First Steps with Bitwarden

Follow these video guides to quickly set up your Bitwarden account and prepare your devices for easy storage of passwords and sensitive information.

## Creating a Bitwarden account

[![Vimeo Video](https://vumbnail.com/1086379394.jpg)](https://vimeo.com/1086379394) *[Watch on Vimeo](https://vimeo.com/1086379394)*

Learn more about creating your Bitwarden account [here](https://bitwarden.com/help/create-bitwarden-account/), or jump to the following points in the video to learn about specific topics:

- 0:06 Overview
- 0:29 From the Bitwarden homepage
- 1:26 From any Bitwarden client
- 1:36 From an invitation / SSO

## Bitwarden for all devices

[![Vimeo Video](https://vumbnail.com/796410440.jpg)](https://vimeo.com/796410440) *[Watch on Vimeo](https://vimeo.com/796410440)*

Download Bitwarden apps for all your devices [here](https://bitwarden.com/download/).

## Setting up the Bitwarden browser extension

[![Vimeo Video](https://vumbnail.com/1084695614.jpg)](https://vimeo.com/1084695614) *[Watch on Vimeo](https://vimeo.com/1084695614)*

Learn more about getting started with the browser extension [here](https://bitwarden.com/help/getting-started-browserext/), or jump to the following points in the video to learn about specific topics:

- 0:11 Install Bitwarden
- 0:23 Pin the extension
- 0:32 Log in or create an account
- 0:37 Disable your browser's built-in password manager
- 0:5 Import items
- 1:11 Create a new item
- 1:42 Adding additional fields
- 1:52 Using folders
- 2:11 Favorite an item
- 2:17 Autofill
- 2:39 Auto-save pop-up
- 2:45 PIN and biometrics
- 2:58 Account switching
- 3:07 Customize Bitwarden

## Disabling Built-in Browser Password Managers

Learn more about disabling built-in browser password managers.
Enable a smooth user experience by not having conflicting prompts and ensure all data is being saved in Bitwarden and not inadvertently within the browser.

### Chrome

[![Vimeo Video](https://vumbnail.com/1077612510.jpg)](https://vimeo.com/1077612510) *[Watch on Vimeo](https://vimeo.com/1077612510)*

### Microsoft Edge

[![Vimeo Video](https://vumbnail.com/1077612658.jpg)](https://vimeo.com/1077612658) *[Watch on Vimeo](https://vimeo.com/1077612658)*

## Activating two-step login for your Bitwarden account

[![Vimeo Video](https://vumbnail.com/1060246387.jpg)](https://vimeo.com/1060246387) *[Watch on Vimeo](https://vimeo.com/1060246387)*

Learn more about your two-step login options [here](https://bitwarden.com/help/setup-two-step-login/), or jump to the following points in the video to learn about specific topics:

- [**0:40**](https://bitwarden.com/help/first-steps-with-bitwarden/#vimeo_chapter_1060246387=17142651/): Setup two-step login using email.
- [**0:57**](https://bitwarden.com/help/first-steps-with-bitwarden/#vimeo_chapter_1060246387=17175281/): Setup two-step login using an authenticator app.
- [**1:25**](https://bitwarden.com/help/first-steps-with-bitwarden/#vimeo_chapter_1060246387=17142654/): Setup two-step login using a passkey.
- [**1:54**](https://bitwarden.com/help/first-steps-with-bitwarden/#vimeo_chapter_1060246387=17175355/): Setup two-step login using Yubico OTP.
- [**2:14**](https://bitwarden.com/help/first-steps-with-bitwarden/#vimeo_chapter_1060246387=17142655/): Setup two-step login using Duo.
- [**2:27**](https://bitwarden.com/help/first-steps-with-bitwarden/#vimeo_chapter_1060246387=17175282/): Get your recovery code.
- [**3:00**](https://bitwarden.com/help/first-steps-with-bitwarden/#vimeo_chapter_1060246387=17175280/): Using multiple methods.
--- URL: https://bitwarden.com/help/flight-recorder/ ---

# Troubleshoot Mobile with Bitwarden Support

On Bitwarden mobile apps, you can activate **Flight Recorder** to capture additional log activity for troubleshooting unexpected behaviors. This can be particularly useful when you're working with Bitwarden Support.

Flight Recorder is a lightweight, temporary event logger that captures recent app activity like user interactions and key system events. You're in control of this information: it is only ever stored on your device and can be exported to share with the Bitwarden Support team if you wish. Flight Recorder **does not** log sensitive information like your master password or vault data.

## Using Flight Recorder

> [!TIP] When to use Flight Recorder
> You may be asked to activate Flight Recorder when working with Bitwarden Support if you're experiencing an issue that's difficult to reproduce or if you've encountered a crash or unexpected behavior.

Flight Recorder is deactivated by default. To activate Flight Recorder:

1. In the Bitwarden mobile app, tap **Settings** → **About**.
2. Scroll down and tap **Flight Recorder**.
3. Go through the tasks or workflow that caused the issue you want to report to Support.

> [!NOTE] Flight Recorder limited time
> Flight Recorder only stores a short window of recent activity, so Bitwarden recommends trying to reproduce the issue you're experiencing immediately after activating Flight Recorder.

Once Flight Recorder has captured the issue you're experiencing:

1. Deactivate logging by toggling **Flight Recorder** off from the same menu.
2. Tap **Settings** → **About** → **View recorded logs** to download your log file. Each log will be available to you until you delete it or until it expires 30 days after creation.
3. Include your log file in future communications with Bitwarden Support on the topic of your unexpected app behavior, issue, or potential bug.

## Data captured by Flight Recorder

Bitwarden prioritizes your security.
Flight Recorder is designed such that:

- Logs are only stored on your device and never transmitted automatically.
- Logs can only be started, stopped, or shared by you.
- Logs do not include sensitive user data like master passwords or vault data.

The following data may be captured while Flight Recorder is active:

| Category | Data |
|------|------|
| User events | Screen navigations and navigation timestamps, key button taps and user interactions, transitions into and out of modals, sheets or overlaps. |
| App & build information | Bitwarden app version, build type, device platform, device model, OS version |
| Crash & exception reporting | Exception messages, exception types, exception-specific metadata, stack traces |
| Flight Recorder metadata | Start time of logging session, logging session duration, log file size |

--- URL: https://bitwarden.com/help/folders/ ---

# Folders

Folders are structures used to organize your individual vault by gathering together logins, cards, identities, and secure notes. Using folders is a great way to make your vault items easy to find, and folders are listed in alphabetical order in Bitwarden apps. Any vault item can be added to a folder, including [items shared with you from an organization](https://bitwarden.com/help/sharing/).

> [!NOTE] Folders deleted items
> Items added to a folder will still appear in your vault when **All vaults** is selected from the filter menu, and deleting a folder **will not** delete the items in that folder. Deleting a folder is permanent, and the folder cannot be recovered once deleted.
## Create a folder

Folders can be created, renamed, and deleted from any Bitwarden client application:

### Web vault

To create a folder, select the **New** [angle-down] button and choose **Folder** from the dropdown:

![New folder](https://bitwarden.com/assets/3BvTWidqL4xWQvFqBSiJIR/d68bc851d44df1b571eed16366159e0c/2024-12-02_13-50-55.png)

Once created, you can rename or delete a folder at any time by selecting the folder and clicking the [pencil] **Pencil** icon:

![Edit or Delete a Folder](https://bitwarden.com/assets/1aG4313JkmkBvot45gZvEr/a7dc45d314407131948216acc2b2444d/2024-12-02_16-15-07.png)

### Browser extension

To create a folder, select the **New** [angle-down] button and choose **Folder** from the dropdown:

![Browser extension new folder](https://bitwarden.com/assets/1aPQBd9bT7uUf20Y1fZwSB/506e7010284c1e0d83b75204bac22eaa/2024-12-02_16-13-10.png)

Once created, you can rename or delete a folder at any time from the **Settings** → **Vault** → **Folders** menu.

### Desktop

To create a folder, select the + **Add** icon in the folders list:

![Add a folder ](https://bitwarden.com/assets/5aN4a0qkKkJDJSVAzTy3Ix/46feed3969c6c684f3e5855db28692e7/folders.png)

Once created, you can rename or delete a folder at any time using the hover-over [pencil] **Pencil** icon:

![Edit or Delete a Folder](https://bitwarden.com/assets/6t2aoywIMdBPMuJktnhEqA/442a316b41ff9eab213a2bbb13a6cff4/edit_folder.png)

### Mobile

To create a folder, tap the ⚙️ **Settings** menu, tap the **Vault** option, and tap the **Folders** option. Tap the + **Add** icon to add a folder.

Once created, you can rename a folder from the same menu by tapping the folder, or delete the folder using the ⋮ menu:

![Folders on mobile](https://bitwarden.com/assets/6IwzXSJHGmSeU7oIy4z8kZ/95620b58758e50fa0e8e22a65f2bfa15/2025-01-21_15-26-07.png)

### CLI

To create a folder, use the command:

```
bw create folder
```

You can edit an existing folder using `bw edit ` and delete one using `bw delete folder `.
For more information, please refer to the Bitwarden [CLI documentation](https://bitwarden.com/help/cli/).

Deleting a folder will not delete any vault items included in it and will not delete other folders that are nested into it or their contents.

> [!NOTE] Collections and folders difference
> If you are a member of an organization, collections will be shown below your folders in the **Filters** menu.
>
> There are similarities between folders and collections. **Folders organize your individual vault** (but can include [shared items](https://bitwarden.com/help/sharing/)) and are unique to you, where collections are shared between members of organizations.

### Nested folders

Folders can be "nested" in order to logically organize them within your vault. There is no limit to the depth with which you can nest folders, but creating too many levels may interfere with your vault's interface.

> [!NOTE] Searching inside folders
> Searching inside a "parent" folder will not include items in folders nested inside it as potential search results. For more information, see [search your vault](https://bitwarden.com/help/searching-vault/).

![Nested folders ](https://bitwarden.com/assets/5blNMg0hJ9XW3Ts2qPRzF5/7a2bdfb7672c04a1a1fbae1068b8b422/2024-12-02_16-18-48.png)

To create a nested folder, give a new folder a name that includes the "parent" folder followed by a forward slash (`/`) delimiter, for example `Socials/Forums`. You can also rename existing folders in the same way to nest them under other existing folders.

If there is no folder with the corresponding "parent" name, the folder won't nest and its title will be displayed in-full.
## Move items to a folder

Once you have created a folder in your vault, there are a few ways to move items to it:

### Web vault

From the web vault, you can either:

- Navigate to the **Add** item or **Edit** item screen, select your new folder from the **Folder** dropdown and **Save** your item:

  ![Move item to a Folder](https://bitwarden.com/assets/4VfciDIbEZZFAG1AXbRf3S/275100f866612da15b4714adea8f1944/2024-12-02_16-20-15.png)
- Navigate to the **Vaults** view, select the items you want to move and use the top-level ⋮ options menu to select the 📁 **Add to folder** button. On the move selected dialog box, choose the folder you want to move the item(s) to:

  ![Move items to a folder ](https://bitwarden.com/assets/7zQPzdrcVIbPeX5E8LqTq/ce8e8bf7188626093a675eb844d5002a/2024-12-02_16-22-24.png)

### Browser extension

Open the vault item you want to move, select the **Edit** button, use the **Folder** dropdown to choose a folder, and select **Save** when you're done:

![Move item to a folder ](https://bitwarden.com/assets/6b8EOCtuuHmulnNQNJmWWk/f24c97777972b15ee5000e575f2b242c/2024-10-29_11-48-18.png)

### Desktop

Open the vault item you want to move, select the **Folders** dropdown, and choose the folder to move the item to:

![Move item to a folder ](https://bitwarden.com/assets/63jzyM75IRzhAbw5nNzMHx/4b96693883100a971a9df20618f7e86a/select_folder.png)

### Mobile

Open the vault item you want to move, tap the **Folders** dropdown, and choose the folder to move the item to:

![Move item to a folder on mobile](https://bitwarden.com/assets/169hAtd0PhW3BcYlSPy6vn/2618596e36941b06dabcb766327b664b/2025-01-22_09-44-03.png)

### CLI

Use the `bw edit` command to manipulate the `folderId` attribute of the vault item JSON object, as in the following example:

```
# <FOLDER_ID> is a placeholder for the exact folderId of the destination folder
bw get item 7ac9cae8-5067-4faf-b6ab-acfd00e2c328 | jq '.folderId="<FOLDER_ID>"' | bw encode | bw edit item 7ac9cae8-5067-4faf-b6ab-acfd00e2c328
```

> [!NOTE] Cli folders tip
> Using `edit` will require you to:
>
> - Use the `get` command with the exact `id` of the item you want to edit.
> - Know the exact `folderId` of the folder you want to move it to.
> - Manipulate the JSON object (specifically, the `folderId` attribute) with a [command-line JSON processor like jq](https://stedolan.github.io/jq/).
> - Use the `encode` command to encode changes to the JSON object.
>
> If you are unfamiliar with using any of these parts, please refer to the Bitwarden [CLI documentation](https://bitwarden.com/help/cli/).

> [!NOTE] Organization sharing and folders
> Items [shared with you from an organization](https://bitwarden.com/help/sharing/) can be added to your folders, and doing so will only impact how the item appears in your individual vault (for example adding an item to a folder won't give anyone access to that folder, or change whether it's in a folder in their individual vaults).

--- URL: https://bitwarden.com/help/forgot-master-password/ ---

# Forgot My Master Password

Bitwarden operates with zero-knowledge encryption. This means that Bitwarden has no knowledge of, no way to retrieve, and no way to reset your master password. There are, however, a few steps you can take to try to regain access to your account:

1. Check that you have the [right server selected](https://bitwarden.com/help/server-geographies/#choose-your-cloud-server/) when you try to log in. Bitwarden data regions are separate, and your account only exists in the region where it was first created. Selecting your server is necessary before trying the following steps.
2. Try logging in on another device.
3. Get a master password hint by visiting [https://vault.bitwarden.com/#/hint](https://vault.bitwarden.com/#/hint) or [https://vault.bitwarden.eu/#/hint](https://vault.bitwarden.eu/#/hint). If you have one set up, a hint will be emailed to your inbox. If you don't have a hint set up, you'll get an email reporting this.
4. If you have [emergency access](https://bitwarden.com/help/emergency-access/) enabled, contact your trusted emergency contact to regain read or takeover access to your account.
5. If your organization uses [account recovery](https://bitwarden.com/help/account-recovery/), reach out to your administrator to reset your master password.
6. If the browser you are using to access the web app is a known device (has been registered with [Log in with Device](https://bitwarden.com/help/log-in-with-device/)), the account can be accessed on the web app.
7. If an encryption-enabled (PRF) [Log in Passkey](https://bitwarden.com/help/login-with-passkeys/) has been registered with your Bitwarden account, you can log in with that.

If none of these options get you access to your account, you will need to delete your account and start a new one:

> [!WARNING] Check whether client apps are logged in.
> Deleting your account will delete all individually-owned items stored in it, including any saved attachments.
>
> Before deleting your account, check to see if you are actively logged in to any Bitwarden mobile apps, browser extensions, or desktop apps. If you are, you should manually catalogue your data so that you can add it back in to the new account.

1. Navigate to [vault.bitwarden.com/#/recover-delete](https://vault.bitwarden.com/#/recover-delete) or [vault.bitwarden.eu/#/recover-delete](https://vault.bitwarden.eu/#/recover-delete).
2. Enter the email address associated with your account and select **Submit**.
3. In your inbox, open the email from Bitwarden and verify that you would like to delete the account.

> [!NOTE] Contact support if owner of org
> If you are the sole owner of an organization, attempting to delete your account will result in an error message. Please contact [support](https://bitwarden.com/contact/) for assistance to delete the organization.
## Next steps - If you start a new account, Bitwarden recommends using the [security readiness kit](https://bitwarden.com/resources/bitwarden-security-readiness-kit/) to prepare for events like the forgetting of a master password. - If you had to delete a Bitwarden account with a premium subscription, please [contact us](https://bitwarden.com/contact/) in order to reapply your existing subscription to the new account. --- URL: https://bitwarden.com/help/generator/ --- # Username & Password Generator Use the Bitwarden generator tool to easily create strong passwords and unique usernames. The password generator is available in all Bitwarden apps and the username generator is available in the web vault, browser extension, desktop app, and mobile app. If you are not a current Bitwarden user, you can also test our free password generator at [https://bitwarden.com/password-generator/](https://bitwarden.com/password-generator/). ## Generate a password To generate a strong password: ### Web app Select **Tools** → **Generator**from the navigation: ![Web app password generator](https://bitwarden.com/assets/70bx0hWvxAvkz5RJdIj04n/63febc4043e13292461c768d910cd450/2025-02-14_11-00-10.png) The [options you specify](https://bitwarden.com/help/generator/#password-types/) on this page will be saved until you log out of the web app. You can also quickly generate a strong password using those same options directly from the Add or Edit Item screens using the [generate] **Generate**button: ![In-item password generator](https://bitwarden.com/assets/5ZVBOSK13MaXJ2S8iJTOMX/1324db87fd867667cbb6e8c1c1f4539a/2024-12-02_14-44-30.png) > [!NOTE] Generator history > Select [**Generator history**](https://bitwarden.com/help/password-and-generator-history/#generator-history/) to access passwords and usernames created in either location with that specific client—even if you don't save them to an item. This history is cleared when you log out. 
### Browser extension Select the [generate] **Generator** tab: ![Browser extension password generator](https://bitwarden.com/assets/6eOmI3kZOdnfw9i5JinfUD/f1a7129244f49c7d904664632e329076/2024-10-29_10-34-01.png) You can also generate a strong password from the Edit screen using the [generate] **Generate**button: ![Browser extension password generator](https://bitwarden.com/assets/2Cbja6OBxW2S6GVxLOqlYh/b71de03b37f5a4f4960e344a5b17cc01/2024-10-29_10-35-25.png) If you're creating an account that isn't stored in Bitwarden, you can also use the inline autofill menu to generate and autofill a password using the **Fill generated password** prompt: ![Fill generated password](https://bitwarden.com/assets/2JcceqWgFbk4ViLCMe6qm5/ce116e8ff337f90fbbd57b52aa15fdcd/2024-11-05_10-07-08.png) When using inline, use the [generate] generate button to generate a new password until you're satisfied with it. Inline password generation uses the settings from the browser extension's **Generator** tab. Make sure you select **New login** when prompted to save the login to Bitwarden. [Learn more](https://bitwarden.com/help/auto-fill-browser/#use-the-inline-autofill-menu/). > [!NOTE] Generator history > Select [**Generator history**](https://bitwarden.com/help/password-and-generator-history/#generator-history/) to access passwords and usernames created in either location with that specific client—even if you don't save them to an item. This history is cleared when you log out. 
### Desktop Select **View** → **Generator** from the menu bar: ![Desktop App Password Generator](https://bitwarden.com/assets/6cFQ3iojZXLy1ZIdIXp6Zr/f69517b01aa7f370f91dc823e7a403b5/2025-01-13_16-26-13.png) You can also generate a strong password from the Add/Edit Item screen using the [generate] **Generate**button: ![Desktop App Password Generator](https://bitwarden.com/assets/6VInVRr9tZBOndfe4VrpXf/4e08f8a8bc6227ddc8e2fcb7a008434b/Desktop_app_password_generator_2.png) > [!NOTE] Generator history > Select [**Generator history**](https://bitwarden.com/help/password-and-generator-history/#generator-history/) to access passwords and usernames created in either location with that specific client—even if you don't save them to an item. This history is cleared when you log out. ### Mobile Select the [generate] **Generator** tab: ![Password generator on mobile](https://bitwarden.com/assets/Cqrt6OGquQLRJvZDuqtCk/5b42dad11498bc5c62a749c4fc096fc9/2025-01-21_15-49-19.png) You can also generate a strong password from the Add/Edit Item screen, as well as from the iOS app extension accessible by tapping the Share icon, using the [generate] **Generate**button: ![Password generator on mobile](https://bitwarden.com/assets/4NeVmiRcKfedg6Fzwp0N1Y/f91ad1097dcd379925cedee724dc7592/2025-01-21_15-51-01.png) > [!NOTE] Generator history > Select [**Generator history**](https://bitwarden.com/help/password-and-generator-history/#generator-history/) to access passwords and usernames created in either location with that specific client—even if you don't save them to an item. This history is cleared when you log out. ### CLI Use the generate command to generate a password: ``` bw generate -uln --length 14 ``` Additional options flags for generated passwords include: - `--minNumber` - `--minSpecial` - `--ambiguous` For more information, please refer to the Bitwarden [CLI documentation](https://bitwarden.com/help/cli/). 
### Password types #### Password Passwords are randomly generated strings of a customizable set of character types. Options for passwords include: - **Length**: Number of characters in your password. - **Minimum numbers**: Minimum number of numbers in your password if **0-9** is enabled. - **Minimum special**: Minimum number of special characters in your password if **!@#$%^&*** is enabled. - **A-Z**: Include uppercase letters in your password. - **a-z**: Include lowercase letters in your password. - **0-9**: Include numbers in your password. - **!@#$%^&***: Include special characters in your password. - **Avoid ambiguous characters**: Prevent your passwords from having both a `1` and `l` or both a `0` and `o`. > [!WARNING] PW Generator Options & Entropy > Unless you need to satisfy a site's specific password requirements, we recommend keeping **Minimum Numbers** and **Minimum Special** as low as possible (0-1), because over-constraining limits the strength of generated passwords. #### Passphrase Passphrases are randomly generated groups of words, for example `panda-lunchroom-uplifting-resisting`. Options for passphrases include: - **Number of words**: Number of words in your passphrase. - **Word separator**: Character to use to separate words in your passphrase (`-` in the above example). - **Capitalize**: Capitalize the first letter of each word in your passphrase. - **Include number**: Include a single numerical character in your passphrase.
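The warning about **Minimum numbers** and **Minimum special** under Password types can be quantified by counting how many passwords still satisfy a given set of options. The following is an added example, not Bitwarden's code: the function names are hypothetical, the special set is assumed to be the 8 characters listed above, and **Avoid ambiguous characters** is not modelled. The result is an upper bound that holds for any generator, whatever algorithm it uses.

```python
"""Upper bound on generated-password entropy under "minimum" options.

No generator can deliver more than log2(N) bits, where N is the number of
distinct passwords that satisfy the chosen options. Raising the minimums
shrinks N, which is why over-constraining weakens the output.
"""
from math import comb, log2

# Alphabet sizes (assumption: special set is exactly "!@#$%^&*", 8 chars).
UPPER, LOWER, DIGITS, SPECIAL = 26, 26, 10, 8


def compliant_count(length, min_numbers=0, min_special=0,
                    upper=True, lower=True, numbers=True, special=True):
    """Count the distinct passwords of `length` that satisfy the options."""
    if length < 1 or min_numbers < 0 or min_special < 0:
        raise ValueError("length must be >= 1 and minimums must be >= 0")
    letters = (UPPER if upper else 0) + (LOWER if lower else 0)
    digits = DIGITS if numbers else 0
    specials = SPECIAL if special else 0
    # A minimum only applies while its character class is enabled.
    need_n = min_numbers if numbers else 0
    need_s = min_special if special else 0

    total = 0
    for n in range(need_n, length + 1):            # exact number of digits
        for s in range(need_s, length - n + 1):    # exact number of specials
            rest = length - n - s                  # remaining letter slots
            positions = comb(length, n) * comb(length - n, s)
            total += positions * digits**n * specials**s * letters**rest
    return total


def max_entropy_bits(length, **options):
    """log2 of the compliant set: the most entropy these options allow."""
    count = compliant_count(length, **options)
    if count == 0:
        raise ValueError("no password can satisfy these options")
    return log2(count)


def report(length=14):
    """Rows of (min_numbers, min_special, max bits, bits lost vs. no minimums)."""
    baseline = max_entropy_bits(length)
    rows = []
    for mn, ms in [(0, 0), (1, 1), (3, 3), (5, 5), (7, 7)]:
        bits = max_entropy_bits(length, min_numbers=mn, min_special=ms)
        rows.append((mn, ms, round(bits, 2), round(baseline - bits, 2)))
    return rows


if __name__ == "__main__":
    print("min_numbers  min_special  max_bits  bits_lost")
    for mn, ms, bits, lost in report():
        print(f"{mn:11d}  {ms:11d}  {bits:8.2f}  {lost:9.2f}")
```

With a 14-character password, minimums of 0-1 cost less than one bit, while forcing 7 numbers and 7 special characters leaves only one letter-free layout and removes roughly 30 bits.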
## Generate a username To generate a username: ### Web app Select **Tools** → **Generator**from the navigation: ![Web app username generator](https://bitwarden.com/assets/2862v5xPV5qQM7XfdUvNlI/0f8fe47b6d9efb0a6d77b245a1f63cdf/2025-02-14_11-02-02.png) You can also generate a username from the Edit screen using the [generate] **Generate**button: ![Web app username generator](https://bitwarden.com/assets/1zpNFR8fu9DBo2krqln5hr/e893f1f3e8d85d58d20c8e316f247666/2024-12-02_14-44-30.png) > [!NOTE] Generator history > Select [**Generator history**](https://bitwarden.com/help/password-and-generator-history/#generator-history/) to access passwords and usernames created in either location with that specific client—even if you don't save them to an item. This history is cleared when you log out. ### Browser extension Select the [generate] **Generator** tab and choose **Username**: ![Browser extension username generator](https://bitwarden.com/assets/3WEaJYUplgEdjgoSxlQ842/40d3eed8347cb6b0a600d06f42cc1941/2024-10-29_10-39-00.png) You can also generate a username from the Edit screen using the [generate] **Generate**button: ![Browser extension username generator](https://bitwarden.com/assets/23CDvd3ErFQIZNYwgh000F/c19c373ecb6ca2d6aad2587a1b16dd12/2024-10-29_10-39-56.png) > [!NOTE] Generator history > Select [**Generator history**](https://bitwarden.com/help/password-and-generator-history/#generator-history/) to access passwords and usernames created in either location with that specific client—even if you don't save them to an item. This history is cleared when you log out. 
### Desktop Select **View** → **Generator** from the menu bar: ![Desktop App Username Generator](https://bitwarden.com/assets/2VGPd4WOwydbovDJdyVT51/7978eb9934404198e94c030e2633dc3f/2025-01-13_16-28-11.png) You can also generate a username from the Add/Edit Item screen using the [generate] **Generate**button: ![Desktop App Username Generator](https://bitwarden.com/assets/7xTg7VVE7CgTZhBl5LlYui/b614960692c19725bbd69bc86e01c1c3/Desktop_app_username_generator_2.png) > [!NOTE] Generator history > Select [**Generator history**](https://bitwarden.com/help/password-and-generator-history/#generator-history/) to access passwords and usernames created in either location with that specific client—even if you don't save them to an item. This history is cleared when you log out. ### Mobile Select the [generate]**Generator** tab: ![Username generator on mobile](https://bitwarden.com/assets/6nfsTiHypQvXrfz7qI7AKI/6e41b1fedea81895497268b0fd825215/2025-01-21_15-56-24.png) You can also generate a username from the Add/Edit item screen, as well as from the iOS app extension accessible by tapping the Share icon, using the [generate]**Generate**button: ![Username generator on mobile](https://bitwarden.com/assets/2Obfpm7UdBizkwASepMS6j/998c1448556484b867160f7412aa984c/2025-01-21_15-51-01.png) ### Username types #### Plus Addressed Email Select this type to use your email provider's sub-addressing (aka "plus addressing" or "aliasing") capabilities. This will generate a plus addressed (named for the `+` and random string of characters) username based on your specified email address. On the Add/Edit Item screen of browser extensions and desktop apps, you can select between generating username with a **Random**(for example, `alice+gsd4aqqe@bitwarden.com`) string or one based on the item's **email address** (for example, `alice+github.com@bitwarden.com`). 
**Email address** is limited to browser and desktop as it requires knowledge of the login's [URI](https://bitwarden.com/help/uri-match-detection/); in other locations the username generator will default to **Random**. > [!NOTE] Why use plus addressing? > **Why use plus addressed email?** > > Plus addressed emails allow you to filter your email for all the junk mail you get when signing up for a new service. Signing up for a service with the username `alice+rnok6xsh@bitwarden.com` will still send emails to `alice@bitwarden.com`, but you can easily filter emails that include `+rnok6xsh` to prevent them from clogging up your inbox. #### Catch-all email Select this type to use your domain's configured catch-all inbox. This will generate a random email address at your specified **Domain**. On the Add/Edit Item screen of browser extensions and desktop apps, you can select between generating a username with a **Random** (for example, `bqzjlero@gardenllc.com`) string or one based on the item's **Domain Name** (for example, `Instagram.com@gardenllc.com`). **Domain Name** is limited to browser and desktop as it requires knowledge of the login's [URI](https://bitwarden.com/help/uri-match-detection/); in other locations the username generator will default to **Random**. > [!NOTE] Why use catch-all email > **Why use catch-all email?** > > In some cases, catch-all inboxes are used by companies with their own domain (for example, `@bitwarden.com`) to prevent emails from going to your personal inbox and instead route them to a shared (and sometimes unchecked) company inbox in case a record of them is needed in the future. > > In other cases, individuals with their own domain (for example, `@gardenllc.com`) use catch-all setups to route email from accounts with privacy-oriented usernames (for example, `Instagram.com@gardenllc.com`) to their actual inbox. #### Forwarded email alias Select this type to integrate the username generator with your external aliasing service.
Most Bitwarden apps support integration with SimpleLogin, AnonAddy, Firefox Relay, Fastmail, Forward Email, and DuckDuckGo. The mobile app currently supports integration with SimpleLogin, AnonAddy, Forward Email, and Firefox Relay. > [!NOTE] Why use Forwarded Email Alias? > **Why use forwarded email alias?** > > Using email aliasing services such as [SimpleLogin](https://simplelogin.io/) and [Addy.io](https://addy.io/), you can sign up for web accounts using an anonymous address (for example, `nobody-knows-its-me.d0p0r@slmail.me`) that will forward mail to your actual inbox (for example, `alice@bitwarden.com`). This will prevent the website or service from collecting personal information (in this example, the name Alice and the fact that she works at Bitwarden) when you sign up. To set up your email alias integration: ### SimpleLogin 1. Log in to your SimpleLogin account. 2. Select the profile icon and choose **API Keys**from the dropdown. SimpleLogin may require you to enter your password to create an API key. 3. In the New API Key section, enter a name that indicates the new key will be used by Bitwarden and select **Create**. ![SimpleLogin API Keys](https://bitwarden.com/assets/6ie1Qpk8LYapG6JRX3X1dD/06c1083c6e146c2822f0e4a47b507785/Screen_Shot_2022-06-30_at_3.17.59_PM.png) 4. **Copy**the API key and paste it in the **API Key**field in the Bitwarden username generator. 5. Password Manager browser extensions, mobile apps, and desktop apps can connect to a self-hosted SimpleLogin server. If you're self-hosting SimpleLogin, enter a **Server URL**. 6. Select **Regenerate Username **to generate a username and automatically create the corresponding alias in SimpleLogin. ### Addy.io 1. Log in to your Addy.io account. 2. In Addy.io, select **Settings**from the navigation menu. ![AnonAddy Settings](https://bitwarden.com/assets/18PUguJXkABllufHgtNEJi/564febbfe28d3f0cd491c3216d62db9e/addy_settings.png) 3. 
On the **General** tab of the settings screen, scroll down to **Update Default Alias Domain**. Select the default domain you wish to use for your alias. > [!NOTE] addy.io domain > The default domain selected here must match the Domain name used in the Bitwarden Username generator. 4. Select the **API Keys** tab and click the **Create New API Key** button. 5. In the Create New API Key dialog, enter a **Name** that indicates the new token will be used by Bitwarden, an **Expiration**, and confirm your Addy.io account password. Once you have completed the required fields, select **Create API Key**. ![AnonAddy Generate Token](https://bitwarden.com/assets/6o8021KYChu6jzEGvUbXDH/b56977c26a44b431486796cb4965f23d/create_new_api_key.png) 6. Copy the Personal Access Key and paste it in the **API Access Token** field in the Bitwarden username generator. > [!NOTE] Addy.io Save Credential > We also recommend adding this Personal Access Token to your Addy.io vault item in Bitwarden, since this is the only time the token will be displayed in Addy.io. 7. In the **Domain Name** field, enter the Addy.io domain name you selected in **Step 3**. As a free user of Addy.io, your options are `anonaddy.me`, `.anonaddy.me` or `.anonaddy.com`. 8. Password Manager browser extensions, mobile apps, and desktop apps can connect to a self-hosted Addy.io server. If you're self-hosting Addy.io, enter a **Server URL**. 9. Select **Regenerate Username** to generate a username and automatically create the corresponding alias in Addy.io. ### Firefox Relay 1. Log in to your Firefox Relay account. 2. Select the profile icon and choose **Settings** from the dropdown: ![Firefox Relay Settings Menu](https://bitwarden.com/assets/3jK0OhlASgzDZo1Xu2c97O/f24ae0b64e7fe7736e757b33a89510c6/Screen_Shot_2022-06-01_at_3.38.56_PM.png) 3. Copy **API Key** into the **API Access Token** field of the Bitwarden username generator. 4.
Select **Regenerate Username** to generate a username and automatically create the corresponding mask in Firefox Relay. ### Fastmail 1. Log in to your Fastmail account. 2. Select the profile icon and choose **Settings** from the dropdown. 3. From the navigation menu, select **Privacy & Security** and then **Manage API tokens**: ![Fastmail API token](https://bitwarden.com/assets/J1fPSFIIO7FgPyAyBgpbh/d4dd85f7f7201731936de872ff4a5134/2024-12-23_15-17-17.png) 4. Select **New API token** to generate an API token. ![New API token](https://bitwarden.com/assets/1FieLCzKTItKNqDIhWBrbH/2816de1ec7580e2e90cf80e38d311993/2024-12-23_15-18-50.png) Include the following settings: - **Read-only access** **disabled**. - **Masked Email** **enabled**. 5. Copy **API Key** into the **API Access Token** field of the Bitwarden username generator. 6. Select **Regenerate Username** to generate a username and automatically create the corresponding alias in Fastmail. ### Forward Email 1. Log in to your [Forward Email](https://forwardemail.net/) account. 2. Forward Email uses the default domain `hideaddress.net`; however, if you have a registered domain you can connect it to the service. For more information, refer to the [Forward Email setup guides](https://forwardemail.net/en/guides). 3. In Forward Email, navigate to the **My Account** → **Security** page and copy the Developer Access API token: ![Copy Forward Email API token](https://bitwarden.com/assets/0bYzljpbdqH7AdFqDh7sr/f43a225e5614a00b1dd391f17fbd916d/Screen_Shot_2023-06-30_at_1.06.04_PM.png) 4. In the Bitwarden username generator, paste the copied token in the **API access token** field and enter `hideaddress.net` or your registered **Domain name**. 5. Select **Regenerate Username** to generate a username and automatically create the corresponding alias in Forward Email. ### DuckDuckGo 1. Follow the [DuckDuckGo instructions](https://duckduckgo.com/email/) to set up your Duck Address. 2.
Once your Duck Address has been setup, select the **Autofill** tab on the DuckDuckGo email protection page, and open your web browser's developer tools. 3. Click the **Generate Private Duck Address**button and view the **Network** tab on your developer tools window. Select the "Addresses" call for the API POST request, and locate the API authorization item. The item will look like this: `authorization: Bearer .`   ![Generate DuckDuckGo email alias](https://bitwarden.com/assets/5Rj9xrPrgp13Pl9KGuap7Z/855fa2f0defc41a68b512b92027bf540/DDG_generate_private_address.png) 4. Copy the API authorization token value and paste it into the API key field on the Bitwarden generator feature. 5. Select **Regenerate Username**to generate a username and automatically create the corresponding alias in DuckDuckGo. #### Random word Select this type to generate a random word for your username. Options for random words include: - **Capitalize**: Capitalize your username. - **Include Number**: Include a 4-digit number in your username. --- URL: https://bitwarden.com/help/get-to-know-password-manager/ --- # Get to know Password Manager This article and video guides are designed to help you get up and running with your Bitwarden vault. Learn how to navigate the vault, personalize your view, import and create new items, and autofill. ## Getting to know the Bitwarden vault [![Vimeo Video](https://vumbnail.com/797787072.jpg)](https://vimeo.com/797787072) *[Watch on Vimeo](https://vimeo.com/797787072)* Learn more about your vault [here](https://bitwarden.com/help/managing-items/), or jump to the following points in the video to learn about specific topics: - **0:09**: Vault items. - **0:50**: Individual and organization vaults. - **2:09**: Favorites and folders. 
## How to use the Bitwarden Password Manager [![Vimeo Video](https://vumbnail.com/797837257.jpg)](https://vimeo.com/797837257) *[Watch on Vimeo](https://vimeo.com/797837257)* Learn more about getting started with Bitwarden Password Manager [here](https://bitwarden.com/help/getting-started-webvault/), or jump to the following points in the video to learn about specific topics: - 0:09 Importing to My Vault - 1:08 Creating new items - 7:19 Using Autofill - 9:03 Unlock with biometrics --- URL: https://bitwarden.com/help/getting-started-browserext/ --- # Password Manager Browser Extensions Bitwarden browser extensions integrate password management directly into your favorite browser. Download a Bitwarden browser extension from your browser's marketplace or app store, or from the [Bitwarden Downloads](https://bitwarden.com/download/) page. The Browser extension is supported for the two most recent versions of: - Google Chrome - Mozilla Firefox - Opera - Microsoft Edge - Safari And the most recent versions of: - Vivaldi - Brave - Tor > [!TIP] Safari Extension > The Safari browser extension is packaged with the desktop app, available for download from the macOS App Store. [Learn more](https://bitwarden.com/help/install-safari-app-extension/). ## First steps Let's start your Bitwarden browser extension journey by adding a new login item to your vault: ### Add a login To create a new login item: 1. Navigate to the 🔒 **Vault**tab and select the + **New**icon. 2. Choose which type of item to create (in this case, select **Login**). 3. Enter the basic information for this login. For now, give the item: - An **Item name**to help you easily recognize it (for example, Instagram `Account`). - Your **Username**. - Your current **Password**(we will replace this with a stronger password soon). 4. You may select a folder from the [Folders](https://bitwarden.com/help/folders/) dropdown. > [!TIP] Selecting Owner if creating an item for an org (browser extension). 
> If you're using Bitwarden in your workplace, you can use the **Owner** dropdown to create this item within your [organization](https://bitwarden.com/help/about-organizations/) instead of in your individual vault. 5. In the **Website (URI)** field, enter the URL where you log in to the account (for example, `https://instagram.com/login`). 6. Nice work! Select **Save** to continue. ### Generate a strong password Now that you have saved a new login, let's improve its security by replacing your password with a stronger one: 1. In your web browser, log in to the account with your existing username and password. We're going to be replacing your existing password with a stronger one, but this is a great opportunity to practice autofill! To autofill, open the Bitwarden browser extension while you're on the website's login page and, in the 🔒 **Vault** tab, select the **Fill** button for the suggested item: ![Autofill via browser extension](https://bitwarden.com/assets/1pamjhdWn7obh8UBxXcIPF/1841242fa5299a780d53f3ae70e546b3/screenshot_5.png) *Autofill via browser extension* 2. Once logged in, find where you can change your password. 3. On the website's change password form, enter your **Current Password**, which you can copy and paste from Bitwarden using the [clone] **Copy** icon: ![Copy a password](https://bitwarden.com/assets/40l7cU1a0jzaTNUJXd5jPD/97b9ed67c0b255384ce84fa53fad2015/screenshot_2.png) *Copy a password* 4. Once your old password is filled in, open the login item in Bitwarden and select **Edit**. 5. In the **Password** box, select [generate] **Generate** and tweak your password settings to your liking. You can use the [generate] icon until you get a password you like and, once you do, select **Use this password**. Moving from `Fido1234` to `X@Ln@x9J@&u@5n##B` can stop a hacker in their tracks. 6. Select **Save**. 7. Copy your new password and paste it into the New Password and Confirm Password fields back on the website. Congratulations!
Your login is now saved in Bitwarden for secure and easy use! ### Pin the extension Pinning the browser extension will ensure that it's easily accessible each time you open your browser. The procedure differs based on which browser you are using: ### Chrome Select the [puzzle] **Extensions**icon next to the address bar and select the **Pin**icon next to Bitwarden: ![Pin in Chrome](https://bitwarden.com/assets/4cwP0QDHWh01v1K8nMV0ma/88b4b36c5b3e9d1fccffe7552880c485/chrome_pin.png) *Pin in Chrome* ### Firefox Select the [puzzle] **Extensions**icon next to the address bar , right-click the Bitwarden browser extension, and choose **Pin to Toolbar:** ![Pin on Firefox](https://bitwarden.com/assets/2O0RQxs4fr6tTKBAMOQcGy/a54ea16b59f933a209db9458c92358e6/firefox_pin.png) *Pin on Firefox* You can also activate a persistent Bitwarden sidebar by selecting **View** → **Sidebar** → **Bitwarden** from the Firefox menu. > [!NOTE] Disable Bitwarden sidebar > If you do not want the Bitwarden sidebar to open on browser startup, select **Close Sidebar** from the Bitwarden tab on the Firefox sidebar. Users may be required to select **Close Sidebar** on each active Firefox tab and restart Firefox. ### Safari Right-click anywhere in the tool bar and select **Customize Toolbar**to open a drag-and-drop interface that lets you move or remove icons in your toolbar: ![Pin in Safari](https://bitwarden.com/assets/3mD3G3rNMEUu24XBh6a3Kt/5217730380fe6ee6cd49f7c3820574ee/safari_pin.png) *Pin in Safari* ## Add a second account Do you have multiple Bitwarden accounts, perhaps one for personal use and one for work? The browser extension can be logged in to five accounts at once! 
To login to an additional account, select the currently logged-in account from the top-right corner of the browser extension: ![Browser extension account switching](https://bitwarden.com/assets/7xbbMZ89zcTHz6ee0cA1MK/8d8972a6b995b3fd7367f248c9c60d69/screenshot_3.png) *Browser extension account switching* Once you have opened the account switching menu, select + **Add account**: ![Browser extension Add account](https://bitwarden.com/assets/343trVk3zLCF7Z12uA5wjO/ac2f56fc907372335f30d1dbf68116a1/screenshot_4.png) *Browser extension Add account* Once you log in to your second account, you can quickly swap between them from the same menu, which will also show the current status of each account's vault (*locked or unlocked*). If you log out of one of these accounts, it will be removed from this list. > [!NOTE] Account switching not available on Safari > Account switching on the browser extension is not available on Safari at this time. ## Next steps Now that you have mastered the basics let's dig into one more action that you will take regularly, **Autofill** and **Auto-save**, and three recommended setup steps; easier vault **unlocking**, **pinning** the extension to your browser, and **disabling the browser's built-in** password manager: ### Disable a built-in password manager Most web browsers will automatically save your passwords by default, but experts generally agree that [built-in password managers are more vulnerable](https://www.wired.com/2016/08/browser-password-manager-probably-isnt-enough/) than dedicated solutions such as Bitwarden. Learn more about [manually disabling a browser's built-in password manager](https://bitwarden.com/help/disable-browser-autofill/#manually-disable-a-browsers-built-in-password-manager/). ### Autofill a login There are lots of ways to autofill credentials with Bitwarden browser extensions! 
The basic method is to open the Bitwarden browser extension while you're on the website's login page and, in the 🔒 **Vault**tab, select the **Fill** button for the suggested item: ![Autofill via browser extension](https://bitwarden.com/assets/1pamjhdWn7obh8UBxXcIPF/1841242fa5299a780d53f3ae70e546b3/screenshot_5.png) *Autofill via browser extension* Note that, when you have logins saved for a website you're trying to log in to, Bitwarden browser extensions will overlay a notification bubble reporting the number of logins you have for that website. Those items will appear at the top of your **Autofill suggestions.** You can filter what will appear in the suggestions and what's displayed in the **All items** list using the filter dropdown menus, which can be shown or hidden using the 🎚️ button: ![Browser extension filters and suggestions](https://bitwarden.com/assets/12UsFuA2sxbUCBMIczJsxv/689221013fac56ddb555ed9dabddbdc9/screenshot_6.png) *Browser extension filters and suggestions* There are plenty of other methods and ways of customizing autofill from your browser extension, including [context menus and keyboard shortcuts](https://bitwarden.com/help/auto-fill-browser/). Learn more. ### Autosave a login Bitwarden browser extensions offer an array of [in-browser notifications](https://bitwarden.com/help/autosave-from-browser-extensions/) that compare your decrypted data with data that you enter into login, registration, and similar web forms. When you see this banner, select **Save** to add a new or updated login item with the username, password, and URI. You can also choose to **Select folder...** for the item if it's new, or **Edit** the item before saving: ![Ask to add login](https://bitwarden.com/assets/4vsurEuH5deik26BWn4n1p/82757186b081890fbe92b4d73baeae53/screenshot_7.png) *Ask to add login* Learn more about [Autosave with the browser extension](https://bitwarden.com/help/autosave-from-browser-extensions/). 
> [!NOTE] Passkeys on browser ext > Did you know that you can save and autofill passkeys with the Bitwarden browser extension? Learn more about passkeys [here](https://bitwarden.com/help/storing-passkeys/). ### Unlock with PIN or biometrics For fast access to your credentials, set up a [PIN](https://bitwarden.com/help/unlock-with-pin/) or [biometrics](https://bitwarden.com/help/biometrics/) to unlock your vault. To set up a PIN, for example: 1. Open the ⚙️ **Settings** tab. 2. In the **Account security** section, check the **Unlock with PIN** checkbox. 3. Enter the desired PIN code in the input box. PIN codes can be any combination of characters (a-z, 0-9, $, #, etc.). > [!TIP] Ask for biometrics on launch > **Optional:** The pre-checked option **Ask for biometrics on launch** will require you to enter your master password instead of a PIN when your browser restarts. If you want to be able to unlock with a PIN when your browser restarts, uncheck this option. ### Browser Pop-out The Bitwarden browser extension has a pop-out feature that will allow you to reposition the client while using your internet browser. To pop out the browser extension, select the icon shown in the following screenshot: ![Browser extension pop-out](https://bitwarden.com/assets/1cbJy0jLBmSQmRumvYzVwp/a9e43f4c154686249056924eb3e56323/pop_out_screenshot.png) *Browser extension pop-out* The browser extension will not observe your chosen [vault timeout](https://bitwarden.com/help/vault-timeout/) settings when popped out. #### Make Bitwarden your default password manager The Bitwarden browser extension has a built-in setting to disable your browser's default password manager. To use this setting: 1. Navigate to the ⚙️ **Settings** tab in the Bitwarden browser extension and then select **Autofill**. 2. Click to enable the **Make Bitwarden your default password manager** option.
![Make Bitwarden default password manager](https://bitwarden.com/assets/5fyBdu5X6JCLu2UsaqYUO0/abfb44cb460314112805bfd0312c1f8f/2025-10-14_12-44-35.png) *Make Bitwarden default password manager* 3. A dialogue will appear on screen; select **allow** to give Bitwarden permission to make changes to your browser settings. --- URL: https://bitwarden.com/help/getting-started-desktop/ --- # Password Manager Desktop Apps The Bitwarden desktop app brings a full vault experience straight out of your browser and into your desktop. The desktop app supports up to five logged-in accounts at a time, making it easy to switch between personal and work accounts at any moment ([learn more](https://bitwarden.com/help/account-switching/)). In the 🔒 **My Vault** view, you can browse all your items, including items owned by an organization that you are a member of. Use the Vaults dropdown to filter for items in **All Vaults**, **My Vault**, and any organization vaults. ![Bitwarden Desktop App](https://bitwarden.com/assets/79qrrbQ4Oi7ZGUnSrE3VpZ/f8875d8251750c257f32043c091d1116/geting-started-desktop_1.png) ## First steps Let's start your desktop app journey by adding a new login item to your vault and making sure it's secure and easy to find: ### Create a folder [Folders](https://bitwarden.com/help/folders/) are a great way to make sure you can always find vault items when you need to use them. To create a folder: 1. In the first column of the desktop app, select + **Add** next to **Folders**. 2. Give your folder a name (for example `Social Media`) and select [save] **Save**. ### Add a login Now, let's add a login to your new folder. To create a new login item: 1. In the middle column, select + **Add**. An Add Item panel will be displayed in the third column. 2. Choose which type of item to create (in this case, select **Login**). 3. Enter the basic information for this login. For now, give the item: 1. A **Name** to help you easily recognize it (for example, `X.com Account`). 2.
Your **Username**. 3. Your current **Password** (we'll replace this with a strong one soon). 4. Select the + **New URI**button and enter the URL where you login to the account (for example, `https://x.com/i/flow/login`). ![X.com Login URI](https://bitwarden.com/assets/5jf74Y0xH5LXouxuBLfER0/02aca3fb33feb85d0a05ecbd06e00ba5/x.comlogin_close_up.png) 5. Select a folder from the Folder dropdown. If you are following our example, choose the Social Media folder we just created! 6. Nice work! Select [save] **Save**to finish. > [!TIP] Import from desktop app > You can also import data directly to Bitwarden from your desktop app. [Learn how](https://bitwarden.com/help/import-data/#tab-desktop-app-5ALQx9afSqWXX9jfXsY5sb/). ### Generate a strong password Now that you have saved a new login, let's improve its security by replacing your password with a strong one: 1. Open a web browser and login to the account with your existing username and password. In that account, find where you can **Change your password**. 2. On the **Change your password** form, enter your **Current password**, which you can copy and paste from Bitwarden using the [clone] **Copy** icon. 3. In Bitwarden, select [pencil] **Edit**on your item. 4. In the Password box, select [generate] **Generate** and confirm **Yes**to overwrite your old password. This will replace your password with a randomly-generated strong password. Moving from `Fido1234` to `X@Ln@x9J@&u@5n##B` can stop a would-be hacker in their tracks. 5. Select [save] **Save.** 6. Copy your new password with the [clone] **Copy** icon you used earlier, and paste your new password in the **New Password**and **Confirm New Password**fields back in your web browser. 7. Once you are done, select **Save**in the web browser. Congratulations! Your login is now saved in Bitwarden for secure and easy use! ### Add a second account Do you have multiple Bitwarden accounts, perhaps one for personal use and one for work? 
The desktop app can be logged in to five accounts at once! To log in to an additional account, select the currently logged-in account from the top-right of the desktop app and select + **Add Account**:

![Desktop App Account Switching](https://bitwarden.com/assets/7fpUmakpNIByzoWQa1cU8L/3673552e2fcc77ea3c0a8cae7fbd2b83/Screen_Shot_2022-05-18_at_3.33.08_PM.png)

Once you log in to your second account, you can quickly swap between them from the same menu, which will also show the current status of each account's vault (*locked* or *unlocked*). If you log out of one of these accounts, it will be removed from this list.

## Next steps

Now that you have mastered the basics, you can customize your desktop app to work exactly the way you want it to:

### 🪟 Windows

### Set your preferences

To set your preferences, select **File** → **Settings** from the menu bar. You'll notice three sections: **Security**, **Preferences**, and **App Settings**.

> [!TIP] Desktop Preferences
> **Security** and **Preferences** apply to the [active account](https://bitwarden.com/help/getting-started-desktop/#add-a-second-account/) and should be set separately for each account, but **App Settings** apply to all accounts.

#### Unlock with biometrics

One of the most popular desktop app settings is [unlock with biometrics](https://bitwarden.com/help/biometrics/), which allows for seamless access using [Windows Hello](https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/windows-hello) with PIN, facial recognition, or [other hardware that meets Windows Hello biometric requirements](https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/windows-hello-biometric-requirements).
To set up biometric unlock:

> [!TIP] Biometrics C++ Redistributable
> Windows users may need to install the [Microsoft Visual C++ Redistributable](https://learn.microsoft.com/en-us/cpp/windows/latest-supported-vc-redist?view=msvc-170) before Windows Hello can be turned on in desktop preferences.

1. Enable Windows Hello on your computer.
2. In the Security section, an **Unlock with Windows Hello** option will appear if Windows Hello is supported and enabled on your computer:

   ![Windows unlock options](https://bitwarden.com/assets/HQYTF4l5WyPbeTMHhhDnN/fe4ddb713557443e7836f3737534ca1e/windows.png)

   Check the **Unlock with Windows Hello** option to proceed. Your computer will prompt you to input your biometric.
3. Once enabled, use the **Unlock with Windows Hello** button on the unlock screen to unlock your vault.

   ![Unlock desktop with biometric](https://bitwarden.com/assets/JSmueUxWjUGxQK0bA716O/f6bcfa6ec4523b8080a77e418e1eae8e/2025-08-13_11-20-59.png)

**Security** settings are set per-account, so if you want to enable biometric unlock for another account you'll need to go through these steps again!

#### Start Bitwarden automatically

Another helpful feature is to always start Bitwarden when you boot up your computer. To enable this, navigate to the **App Settings** section and check the **Start automatically on login** checkbox. Unlike biometrics, this setting applies globally to all logged-in accounts!

### 🍎 macOS

### Set your preferences

To set your preferences, select **Bitwarden** → **Settings** from the menu bar. You'll notice three sections: **Security**, **Preferences**, and **App Settings**.

> [!TIP] Desktop Preferences
> **Security** and **Preferences** apply to the [active account](https://bitwarden.com/help/getting-started-desktop/#add-a-second-account/) and should be set separately for each account, but **App Settings** apply to all accounts.
#### Unlock with biometrics

One of the most popular desktop app settings is [unlock with biometrics](https://bitwarden.com/help/biometrics/), which allows seamless access to your desktop app using [Touch ID](https://support.apple.com/en-us/HT207054) technology. To set up biometric unlock:

1. Enable Touch ID on your computer. See Apple's [Touch ID Documentation](https://support.apple.com/en-us/HT207054) for help.
2. In the Security section, an **Unlock with Touch ID** option will appear if Touch ID is supported and enabled on your computer:

   ![macOS unlock options](https://bitwarden.com/assets/3O1If6IchE83Qb8ee0mYqx/9c61afb380d8479eb4e55e97c2e628c6/macos-bio1.png)

   Check the **Unlock with Touch ID** checkbox to proceed. Your computer will prompt you to input your fingerprint to confirm.
3. Once enabled, use the **Unlock with Touch ID** button on the Unlock screen to unlock your vault.

   ![Unlock with Touch ID](https://bitwarden.com/assets/MPQwBfgcoTZJvan99sZCZ/e7a2305ffdc24af1fc08adf466463841/mac_unlock_with_touch_id.png)

**Security** settings are set per-account, so if you want to enable biometric unlock for another account you'll need to go through these steps again!

#### Start Bitwarden Automatically

Another helpful feature is to always start Bitwarden when you boot up your computer. To enable this, navigate to the **App Settings** section and check the **Start automatically on login** checkbox. Unlike biometrics, this setting applies globally to all logged-in accounts!

### 🐧 Linux

### Snap post-installation instructions

The Bitwarden Password Manager desktop app uses secure storage for persisting authentication tokens while you are logged in to the application. **If you use Snap to install the desktop app**, you will need to allow the app to access secure storage:

1. On all distributions, run the command `sudo snap connect bitwarden:password-manager-service`.
2. If you've already logged in to the Password Manager desktop app, log out of all accounts and log back in.

### Set your preferences

To set your preferences, select File → Settings from the menu bar. You'll notice three sections: **Security**, **Preferences**, and **App Settings**.

> [!TIP] Desktop Preferences
> **Security** and **Preferences** apply to the [active account](https://bitwarden.com/help/getting-started-desktop/#add-a-second-account/) and should be set separately for each account, but **App Settings** apply to all accounts.

#### Unlock with biometrics

One of the most popular desktop app settings is [unlock with biometrics](https://bitwarden.com/help/biometrics/), which allows seamless access to your desktop app. Bitwarden desktop apps from `AppImage`, `Deb`, and `.rpm` package types are supported. Additionally, confirm that your system has a polkit agent and secret service (such as GNOME-Keyring). To enable biometric unlock:

1. Enable System Authentication on your machine.
2. In the Security section of your Bitwarden desktop app, an **Unlock with system authentication** option will appear if system authentication is supported and enabled on your machine:

   ![Unlock with system authentication](https://bitwarden.com/assets/2AMdLd9zqVZwkDMfS1ZW00/bfe0b4bd4b93541fed04563e55722358/Aug_15_Screenshot_from_Bitwarden.png)

   Check the **Unlock with system authentication** checkbox to proceed. Your machine will prompt you to input your verification to confirm.
3. Once enabled, use the **Unlock with system authentication** button on the unlock screen to unlock your vault.

   ![Unlock vault system authentication](https://bitwarden.com/assets/6UIFh90LrxZzgrbacuMw3o/ef9b39a24775d098f1ad9825094206f0/Aug_15_Screenshot_from_Bitwarden__1_.png)

Security settings are set per-account, so if you want to enable biometric unlock for another account you'll need to go through these steps again!
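
For the Snap post-installation step above, a check an administrator might run afterwards, added here as an example and not part of Bitwarden's documentation: it parses the output of `snap connections bitwarden` to confirm the `password-manager-service` plug is actually connected to a slot. The function name and both sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Reads the output of `snap connections bitwarden` on stdin and reports
# whether the secure-storage plug from the Snap post-installation step
# is connected.
#
# Exit status:
#   0  plug is connected to a slot
#   1  plug is listed but disconnected (Slot column is "-")
#   2  plug is not listed at all (snap missing or unexpected output)
check_secret_storage_plug() {
    awk '
        $1 == "password-manager-service" &&
        $2 == "bitwarden:password-manager-service" {
            seen = 1
            if ($3 != "-") connected = 1
        }
        END {
            if (connected) exit 0
            if (seen) exit 1
            exit 2
        }
    '
}

# Constructed sample: state right after `snap install bitwarden`,
# before the connect command has been run.
sample_disconnected() {
    cat <<'EOF'
Interface                 Plug                                Slot      Notes
desktop                   bitwarden:desktop                   :desktop  -
password-manager-service  bitwarden:password-manager-service  -         -
EOF
}

# Constructed sample: state after
# `sudo snap connect bitwarden:password-manager-service`.
sample_connected() {
    cat <<'EOF'
Interface                 Plug                                Slot                       Notes
desktop                   bitwarden:desktop                   :desktop                   -
password-manager-service  bitwarden:password-manager-service  :password-manager-service  manual
EOF
}

# Run the check over both constructed samples. On a real host, replace the
# sample function with:  snap connections bitwarden | check_secret_storage_plug
for sample in sample_disconnected sample_connected; do
    rc=0
    "$sample" | check_secret_storage_plug || rc=$?
    case "$rc" in
        0) echo "$sample: secure storage plug connected" ;;
        1) echo "$sample: plug present but NOT connected; run the snap connect command" ;;
        *) echo "$sample: plug not listed; is the bitwarden snap installed?" ;;
    esac
done
```

A non-zero status on a managed workstation means the app cannot reach the secret service for token storage, so the connect step (and the log out and log back in that follows it) still needs to be done.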
### Start Bitwarden automatically

One helpful feature is to always start Bitwarden when you boot up your computer. To enable this, navigate to the **App Settings** section and check the **Start automatically on login** checkbox. Remember that this setting applies globally to all logged-in accounts!

--- URL: https://bitwarden.com/help/getting-started-mobile/ ---

# Password Manager Mobile Apps

Bitwarden mobile apps let you take your password manager on the go. Download Bitwarden from the [iOS App](https://bitwarden.com/download/apple-iphone-password-manager/) Store or Google Play Store, or by navigating to [get.bitwarden.com](https://get.bitwarden.com) on any device.

![Bitwarden on iOS and Android](https://bitwarden.com/assets/53OzJZ4klYWemxUepHMtq4/5ab47331f033259bd2e82817a99e992f/2025-01-21_15-22-10.png)

## First steps

Let's start your Bitwarden mobile journey by adding a new login item to your vault and making sure it's secure and easy to find:

### Create a folder

Folders are a great way to make sure you can always find vault items when you need to use them. To create a folder:

1. Select the ⚙️ **Settings** tab.
2. Select **Vault** and, in the settings list, tap **Folders**:

   ![Folders on mobile](https://bitwarden.com/assets/6IwzXSJHGmSeU7oIy4z8kZ/95620b58758e50fa0e8e22a65f2bfa15/2025-01-21_15-26-07.png)
3. Select the + **Add** icon.
4. Give your folder a name (for example, `Social Media`) and select **Save**.

### Add a login

Now, let's add a login to your new folder. To create a new login item:

1. Navigate to the 🔒 **My Vault** tab and select the + **Add** icon.
2. Choose which type of item to create (in this case, select **Login**):

   ![Add a login on mobile](https://bitwarden.com/assets/4QMufMJAsQn5qN9XY3syyL/decdef6cfc89e8af57c30e17ddeae864/2025-01-21_15-27-28.png)
3. Enter the basic information for this login. For now, give the item:
   1. A **Name** to help you easily recognize it (for example, `Instagram Account`).
   2. Your **Username**.
   3. Your current **Password** (we'll replace this with a strong one soon).
4. Select the + **New URI** button and enter the URL where you log in to the account (for example, `https://www.instagram.com/accounts/login/`).
5. Select a folder from the **Folder** dropdown. If you are following our example, choose the Social Media folder you just created.
6. Nice work! Select **Save** to continue.

### Generate a strong password

Now that you have saved a new login, let's improve its security by replacing your password with a stronger one:

1. Open a web browser or the mobile app for your account and log in with your existing username and password. Once you are logged in, find the **Change your password** page.
2. On the **Change your password** page, enter your current password. You can copy and paste this from Bitwarden!
3. Back in Bitwarden, select the login item and tap **Edit** on iOS or the [pencil] on Android.
4. In the Password box, select [generate] **Generate** and confirm **Yes** to overwrite your old password. This will replace your password with a randomly-generated strong password. Moving from `Fido1234` to `X@Ln@x9J@&u@5n##B` can stop a hacker.
5. Select **Save**.
6. Copy your new password and paste it into the **New Password** and **Confirm Password** fields back in the other app.

Congratulations! Your login is now saved in Bitwarden for secure and easy use!

### Add a second account

Do you have multiple Bitwarden accounts, like one for personal use and one for work? The mobile app can be logged in to five accounts at once! To log in to a second account, select the currently logged-in account from the top menu bar of the app and select + **Add Account**:

![Account switching on mobile](https://bitwarden.com/assets/56xAZhiS6wZqKktMlFwbVn/9af5d0ce782af44fc48ebfd8057ddc4c/2025-01-21_14-58-15.png)

Once you log in to your second account, you can quickly switch between them from the same menu, which will also show the current status of each account's vault (locked or unlocked).
If you log out of one of these accounts, it will be removed from this list.

## Next steps

Now that you have mastered the basics, let's dig into some of the more powerful features of Bitwarden mobile apps:

### 🤖 Android

### Setup autofill

Set up autofill to automatically enter logins from your Android device to a web browser (such as Chrome) or other app. To enable autofill:

1. Open your Bitwarden Android app and tap the ⚙️ **Settings** tab.
2. Tap the **Autofill** option:

   ![Android autofill options](https://bitwarden.com/assets/5Othw4YuSWmQbV1pmkvVxd/1d8fcf282bee1d729abe88570e7e650f/2025-01-21_15-29-52.png)
3. Toggle the **Autofill Services** option. You'll be automatically redirected to an Android Settings screen.
4. From the Autofill Services list, tap **Bitwarden**. You'll be prompted to confirm you trust Bitwarden. Tapping **OK** will let Bitwarden read content on the screen to know when to offer autofill.

For more information, see [Autofill logins on Android](https://bitwarden.com/help/auto-fill-android/).

### Launch from mobile apps

You can launch a website directly from Bitwarden by selecting the [share-square] **Launch** button in any vault item with a valid URI. If you are unfamiliar with using URIs, see [Using URIs](https://bitwarden.com/help/uri-match-detection/).

![Launch from mobile](https://bitwarden.com/assets/2PsCaLjOAe6WEfnwMkYG0P/be1fde317404835cba1e600244922d98/2025-01-21_15-32-37.png)

### Unlock with biometrics

Unlocking Bitwarden with biometrics allows for seamless access to your vault. If you haven't set up [fingerprint unlock](https://support.google.com/nexus/answer/6285273?hl=en) or [face unlock](https://support.google.com/pixelphone/answer/9517039?hl=en) on your Android device, you will need to do that first from the Android ⚙️ **Settings** app.

1. In Bitwarden, tap the ⚙️ **Settings** tab located at the bottom of your screen.
2. Tap **Account security**.
3. Tap **Unlock with biometrics**:

   ![Biometric unlock on mobile](https://bitwarden.com/assets/7FDRtrf7LkC22dzf3ErsR4/3c176fd1ddb2a3d188817d7e1f795adf/2025-01-21_15-16-44.png)
4. You will be asked to verify with your fingerprint or face depending on your selection.

Once enabled, you will be able to open Bitwarden or autofill logins using just your biometric method of choice.

### Login using autofill

Once you have set up [autofill](https://bitwarden.com/help/getting-started-mobile/#setup-auto-fill/) and [biometrics](https://bitwarden.com/help/getting-started-mobile/#unlock-with-biometrics/), logging into an app or website using Bitwarden is simple.

1. Tap the email/username or password input box in the app or website.
2. Depending on which autofill option your device uses, tap the available overlay:

   ![Android Auto-fill varieties](https://bitwarden.com/assets/3xbRUA76m4qpEyQ1b7msLo/b294ddfaae21f0e24d5e923266092df0/autofill-android-2.png)
3. You will be prompted for your face authentication or fingerprint. If you aren't using [biometrics](https://bitwarden.com/help/getting-started-mobile/#unlock-with-biometrics/), enter your master password.
4. If you have connected a login to this website or app using the [URI field](https://bitwarden.com/help/getting-started-mobile/#create-items/), that login will appear in this window. If you haven't, tap 🔍 **Search** to find it. Tap the login to automatically enter your email/username and password into the boxes, and sign in.

### 🍎 iOS

### Setup AutoFill

Set up AutoFill to automatically enter logins from your iOS device to a web browser (like Safari) or other app.

1. On the iOS home screen, tap the ⚙️ **Settings** app.
2. From the Settings menu, tap **General** and then **AutoFill & Passwords**.
3. Tap the **AutoFill Passwords and Passkeys** toggle. Green indicates that AutoFill is active.
4. In the **AutoFill From:** list, select the **Bitwarden** toggle. Green indicates that AutoFill is active.

When you create new logins, make sure you enter a website in the [URI field](https://bitwarden.com/help/getting-started-mobile/#add-a-login/) to surface them for AutoFill. For more information, see [Autofill Logins on iOS](https://bitwarden.com/help/auto-fill-ios/).

### Launch from mobile apps

You can launch a website directly from Bitwarden by selecting the [share-square] **Launch** button in any vault item with a valid URI. If you're unfamiliar with using URIs, see [Using URIs](https://bitwarden.com/help/uri-match-detection/).

![Launch from mobile](https://bitwarden.com/assets/2PsCaLjOAe6WEfnwMkYG0P/be1fde317404835cba1e600244922d98/2025-01-21_15-32-37.png)

### Unlock with biometrics

Unlocking Bitwarden with biometrics allows for seamless access to your vault. If you haven't set up Touch ID or Face ID on your iOS device, you'll need to do that first from the iOS ⚙️ **Settings** app.

1. In your Bitwarden iOS app, tap the ⚙️ **Settings** tab located at the bottom of your screen.
2. Tap **Account security**:

   ![Biometric unlock on mobile](https://bitwarden.com/assets/7FDRtrf7LkC22dzf3ErsR4/3c176fd1ddb2a3d188817d7e1f795adf/2025-01-21_15-16-44.png)
3. Depending on what your device has available, tap:
   - **Unlock with Touch ID**
   - **Unlock with Face ID**
4. You will be asked to verify with your fingerprint or face depending on your selection. The toggle will fill to indicate that an option is active.

Once enabled, you will be able to open Bitwarden or AutoFill logins using just your biometric method of choice.

### Login using AutoFill

Once you've set up [AutoFill](https://bitwarden.com/help/getting-started-mobile/#setup-auto-fill/) and [biometrics](https://bitwarden.com/help/getting-started-mobile/#unlock-with-biometrics/), logging into an app or website using Bitwarden is simple.

1. Tap the email/username or password input box in the app or website.
2. Above your keyboard, tap **Passwords**.
   ![Tap Passwords in iOS](https://bitwarden.com/assets/4DNAawWIUOKKVUN0cMdqLI/6fd8e01e004fdefcb72b60380ff8ee64/autofill-ios.png)
3. You will be prompted for your Face ID or Touch ID. If you aren't using [biometrics](https://bitwarden.com/help/getting-started-mobile/#unlock-with-biometrics/), enter your master password.
4. If you have connected a login to this website or app using the [URI field](https://bitwarden.com/help/getting-started-mobile/#create-items/), that login will appear in this window. If you haven't, tap 🔍 **Search** to find it. Tap the login to automatically enter your email/username and password into the boxes, and sign in.

--- URL: https://bitwarden.com/help/getting-started-organizations/ ---

# Organizations Quick Start

Password managers such as Bitwarden make it easy to store and access unique and secure passwords across all of your devices, keeping your online accounts safer than ever! Using Bitwarden, you won't need to dangerously repeat simple passwords or leave them exposed in unencrypted formats such as spreadsheets, documents, or sticky notes.

Bitwarden organizations will add a layer of collaboration and sharing to password management for your family, team, or enterprise, allowing you to securely share common information such as office wifi passwords, online credentials, or shared company credit cards. Secure sharing of organization-owned credentials is **safe** and **easy**.

This article will help you get started with a **free two-person organization** so you can experience secure sharing in no time.

## What are organizations?

Bitwarden organizations relate users and vault items together for [secure sharing](https://bitwarden.com/help/sharing/) of logins, notes, cards, and identities owned by the organization. Organizations could be a family, team, company or any group of people that requires secure shared data.
Organizations have a unique view, the Admin Console, where [administrators](https://bitwarden.com/help/user-types-access-control/) can manage the organization's items and users, run reports, and configure organization settings:

![Free organization Admin Console](https://bitwarden.com/assets/hzBuypc5ISzqC3jUmYbea/edcb03ce3d3071cea4f9afb6c7f8eca9/2024-12-03_13-46-09.png)

Unless an organization you're a member of uses [policies](https://bitwarden.com/help/policies/#single-organization/) to restrict you to membership in a single organization, you can be a member of as many as you'd like.

#### Comparing organizations with premium

The key feature to know is that organizations enable **secure sharing from organizations to users**.

[Premium individual](https://bitwarden.com/help/password-manager-plans/#premium-individual/) accounts unlock premium password security and management features, including advanced two-factor authentication (2FA) options, the Bitwarden Authenticator (TOTP), encrypted file attachments, and more, but Premium **doesn't include secure data sharing** itself. However, every Bitwarden account comes with the option to launch a free two-person organization for secure sharing.

Paid organizations (Families, Teams, or Enterprise) automatically include these premium features (advanced 2FA options, Bitwarden Authenticator (TOTP), and more) for **every** user enrolled in the organization.

## Setup Bitwarden accounts

Free Bitwarden organizations allow for two users to securely share organization-owned credentials. You might use a free organization to share with a friend or partner, or to test organizations before [upgrading to a different plan](https://bitwarden.com/help/password-manager-plans/).

Bitwarden provides applications on a variety of devices, including browser extensions, mobile apps, desktop apps, and a CLI, but for the purposes of this guide we'll focus on the [web app](https://bitwarden.com/help/getting-started-webvault/).
The web app provides the richest Bitwarden experience for administering your organization.

### Sign up for Bitwarden

[Create a Bitwarden account](https://bitwarden.com/go/start-free/), and make sure that you pick a strong and memorable [master password](https://bitwarden.com/help/master-password/). We even recommend writing down your master password and storing it in a safe location.

> [!NOTE] Master password reminder
> **Don't forget your Master Password!** Bitwarden is a zero-knowledge encryption solution, meaning that the team at Bitwarden, as well as Bitwarden systems themselves, have no knowledge of, way to retrieve, or way to reset your master password.

Once your account is created, log in to the [web app](https://bitwarden.com/help/getting-started-webvault/) and verify your account's email address to unlock access to all features:

![Send verification email](https://bitwarden.com/assets/7bJkgn3Qjoon9c1h68WmgW/035a83d213860b7c5b92a29502fc315f/2024-12-03_13-54-17.png)

### Sign up for Bitwarden again

In order to use your free two-person organization for secure sharing, you'll need to have two Bitwarden accounts. Once your first Bitwarden account is set up, follow the same procedure (or help your friend or partner to do so) to set up the other account.

> [!NOTE] Organization owner setup
> Bitwarden organizations have a deep level of [member-level permissions customization](https://bitwarden.com/help/user-types-access-control/). Whichever member you proceed to [set up your organization](https://bitwarden.com/help/getting-started-organizations/#setup-your-organization/) with will be the **Owner**.

## Setup your organization

To set up your organization:

1. In the Bitwarden [web app](https://bitwarden.com/help/getting-started-webvault/), select the + **New organization** button:

   ![New organization](https://bitwarden.com/assets/3eSqWiTIuPSFxXdo5AAjT9/248b0fa7bb381add0d71682acd244a63/2024-12-03_13-57-58.png)
2. Enter an **Organization name** and a **Billing email** we can reach you at. In this guide we are setting up a free organization, so you won't be billed for anything!
3. **Choose your plan**. Bitwarden offers organizations suited to any need, but in this case select **Free**.
4. Scroll down and select **Submit** to finish creating your organization.

### Get to know your organization

Once created, you'll land in the Admin Console, which is the central hub for all things sharing and organization administration. As the [organization owner](https://bitwarden.com/help/user-types-access-control/), you'll be able to see your **Vault** items and [collections](https://bitwarden.com/help/getting-started-organizations/#get-to-know-collections/), manage **Members**, run **Reports**, change **Billing** settings, and configure other organization **Settings**:

![Free organization Admin Console](https://bitwarden.com/assets/hzBuypc5ISzqC3jUmYbea/edcb03ce3d3071cea4f9afb6c7f8eca9/2024-12-03_13-46-09.png)

Users with access to the Admin Console can get to it at any time in the web app using the left-hand navigation:

![Product switcher](https://bitwarden.com/assets/2uxBDdQa6lu0IgIEfcwMPP/e3de3361749b6496155e25edcfdcf08b/2024-12-02_11-19-56.png)

### Get to know collections

Collections are an important part of a Bitwarden organization: they represent the logical grouping of organization-owned vault items that [belong to your organization](https://bitwarden.com/help/getting-started-organizations/#shared-items/). Your organization comes pre-loaded with a **Default Collection** and an **Unassigned** tag.
With a free organization, you can create up to two collections from the Vaults view or from the Admin Console:

![Create new collection](https://bitwarden.com/assets/3rq5lVSQlvNT9gu2M2bCbk/8741dc155e8f2fa83d2caeb69218ce64/2024-12-02_15-35-48.png)

> [!NOTE] Organizations require collections
> In a lot of ways, collections are like the [folders](https://bitwarden.com/help/folders/) you might use to organize your individual vault. A key difference is that items that [belong to your organization](https://bitwarden.com/help/getting-started-organizations/#shared-items/) **must be included in at least one collection**.

## Add a user to your organization

Now that you are familiar with your organization, it's a good time to add the other organization member you'll be sharing with. To ensure the security of your organization, Bitwarden applies a three-step process for onboarding a new member: [Invite](https://bitwarden.com/help/getting-started-organizations/#invite/) → [Accept](https://bitwarden.com/help/getting-started-organizations/#accept/) → [Confirm](https://bitwarden.com/help/getting-started-organizations/#confirm/).

> [!NOTE] invite accept confirm workflow req
> Completing the full [Invite](https://bitwarden.com/help/getting-started-organizations/#invite/) → [Accept](https://bitwarden.com/help/getting-started-organizations/#accept/) → [Confirm](https://bitwarden.com/help/getting-started-organizations/#confirm/) process is required to ensure that members receive full access to shared organization items.

### Invite

As the organization owner, invite a new member:

1. In the Admin Console, select **Members** from the navigation and use the + **Invite member** button:

   ![Invite member to an organization](https://bitwarden.com/assets/7AJjR4oqEnCH3A89YYoWpH/a4bd30d71a74ead44e13768dab8c5dff/2024-12-03_14-02-20.png)
2. In the **Role** tab, enter the **Email** of your second member, which should match the email they [signed up for Bitwarden](https://bitwarden.com/help/getting-started-organizations/#sign-up-for-bitwarden-again/) with. Then, select a [Member role](https://bitwarden.com/help/user-types-access-control/#user-types/). In many cases, it's a good idea to add a second user with the **Owner** role to the organization.
3. In the **Collections** tab, select which collections to allow this user access to, as well as what level of [permission](https://bitwarden.com/help/user-types-access-control/#access-control/) to give them for each.
4. Select **Save** to send the invitation to the designated email address.

Once your invitation is sent, inform your new member and help them [accept the invitation](https://bitwarden.com/help/getting-started-organizations/#accept/).

### Accept

As the newly invited member, open your email inbox and look for an email from Bitwarden inviting you to join an organization. Clicking the link in the email will open an invitation window:

![Bitwarden Invitation](https://bitwarden.com/assets/6ZzHPswxQoqTbjkSWodwxw/9381e27fdee50d5cfe062473633ef7ed/Screen_Shot_2023-04-28_at_10.40.35_AM.png)

Since you have already [signed up for Bitwarden](https://bitwarden.com/help/getting-started-organizations/#sign-up-for-bitwarden-again/), simply log in. Fully logging in to Bitwarden will accept the invitation.

> [!NOTE] Invitations expiration
> Invitations expire after five days. Make sure you accept the invitation within that window, otherwise the organization Owner will have to [re-invite you](https://bitwarden.com/help/getting-started-organizations/#invite/).

### Confirm

Confirming accepted members to your organization is the last step to grant members access to shared items. To complete the loop:

1. In the Admin Console, select **Members** from the navigation.
2. Select any `Accepted` users and use the ⋮ Options menu to ✓ **Confirm selected**:

   ![Confirm member to an organization](https://bitwarden.com/assets/5eRDRAooRSGqRWJYZB5fgz/95422412e2a27069ca903f4a6ec1a8a7/2024-12-03_14-04-59.png)
3. Verify that the [fingerprint phrase](https://bitwarden.com/help/fingerprint-phrase/) on your screen matches the one your new member can find in **Settings** → **My account**:

   ![Sample Fingerprint Phrase](https://bitwarden.com/assets/6sWPBv5GFAyMcULNxfCCJG/b3115a77e0d8d8d48fcc1f9e24e42d70/fingerprint-phrase.png)

   Each fingerprint phrase is unique to its account, and ensures a final layer of oversight in securely adding users. If they match, select **Submit**.

## Get to know your vault

Part of the magic of Bitwarden organizations is that items that belong to you and items that [belong to the organization](https://bitwarden.com/help/getting-started-organizations/#shared-items/) are accessible side-by-side from your **Vaults** view. You can filter between your individual items (**My vault**) and organization items (**My Organization**):

![Organization-enabled vault](https://bitwarden.com/assets/4D2tlh9YKPzDY20SYGVKcG/dff56b66549d29405b1af211860f698e/2024-12-03_14-07-28.png)

### Items shared from an organization

You might not have an [item shared from an organization](https://bitwarden.com/help/getting-started-organizations/#share-a-login/) yet, but when you do it will be displayed in your vault with a card indicating where the item is from:

![Shared item badge](https://bitwarden.com/assets/6tnBV4hUxUNtWvGNAp8eua/215f54e0a26f5a1b2d41e18119fdcd71/2024-12-02_15-31-38.png)

Shared items are **owned** by the organization. This means that anyone with permission can alter the item or delete it, which would remove it from your vault as well.

## Move an item to the organization

The last step on the road to secure sharing is to create an item and move it to the organization so it can be shared.
An existing [vault item](https://bitwarden.com/help/managing-items/#add-a-vault-item/) can be moved to the organization after it's created, but for this guide, we'll focus on creating a new login from your individual vault:

1. On the **Vaults** page, select the + **New** button and select **Login**.
2. Fill in all the relevant information for your new login item (for example, username and password). The item can be anything you want both yourself and the other organization user to have access to, for example a family streaming account.
3. In the **Ownership** section at the top of the **Add item** panel, select your organization to designate the item for sharing.
4. Select one or more collections to put this item into. Generally, users of two-person organizations set up access for both users for all collections. In larger or more complex organizations, which collection you put the item into will determine who can access it.
5. Select the **Save** button to finish creating the organization-owned item.

This new item will be accessible to both yourself and the other organization user! As long as both users can access the collection it's in, it will appear for both in the organization vault and in the **All vaults** view alongside other vault items.

## Unshare an item from an organization

If you have shared an item with an organization, there are two options to unshare the item with the organization.

1. Clone the item back to your individual vault by using the product switcher to open the Admin Console and selecting **Clone** from the Options menu for the item you want to clone. Only users with user type admin or higher can clone items into their individual vault by changing the **Ownership** setting.
2. Delete the item from the organization vault by selecting **Delete** from the same menu.

Alternatively, you can unshare items by moving them to a different collection with higher access control restrictions.

## Congratulations!
You have set up your new Bitwarden accounts, created an organization, learned a bit about your vaults, and shared an item! Nice work!

If you want to upgrade to a paid organization to unlock [lots of additional features](https://bitwarden.com/help/password-manager-plans/), navigate to your organization's **Billing** → **Subscription** view and select the **Upgrade plan** button:

![Upgrade a free org](https://bitwarden.com/assets/c7MRk3qA3cxcVZHC2gBBs/4128a414a194af6e446ac39d9c250990/2024-12-03_14-09-22.png)

--- URL: https://bitwarden.com/help/getting-started-providers/ ---

# Provider Portal Quick Start

> [!TIP] Provider Requirements
> Interested in becoming a Provider? To get started, we ask that:
>
> - Your business has an active Enterprise organization.
> - Your business has a client ready to be onboarded under your Provider.
>
> [Become a partner](https://bitwarden.com/partners/)

## Why Bitwarden Providers?

Managed service providers (MSPs) often need a way to quickly create and easily administer Bitwarden organizations on behalf of business customers. **Providers** are administration entities that allow those businesses to create and manage [client organizations](https://bitwarden.com/help/getting-started-providers/#client-organization/) through the **Provider Portal**.

With the Provider Portal:

- View all clients under MSP management, onboard new and existing clients, access client organizations' collections, and administer services for teams and enterprise organizations.
- Add internal staff as members, assign proper user roles, and delegate administrative duties.
- View time-stamped actions made by users in the Provider Portal, including creation of new client organizations, invitation of new provider users, and when provider users access client organizations.

The Provider Portal is an all-in-one management experience that enables Providers to manage customers’ Bitwarden organizations at scale.
The Provider Portal streamlines administration tasks by centralizing a dedicated space to access and support each client, or to create a new one:

![Provider Portal](https://bitwarden.com/assets/7AoSHeZgJJTBXQmpZ13UBr/56ca464fe6987c8c5fc8e7099235d640/2025-02-25_15-17-46.png)

### Start a Provider

[Contact us](https://bitwarden.com/contact/) to sign up for the Provider program. After you register, a member of the Bitwarden team will contact you and issue an invitation to start a Provider:

![Provider Invitation](https://bitwarden.com/assets/3zxOwQqwIYO3hte6htfbiv/7e55c649273467fadb6d87bbd229a209/provider-invitation.png)

Selecting the **Setup Provider Now** button will prompt you to log in to Bitwarden and fill out some Provider details.

### Onboard users

As the creator of the Provider, you will be automatically given [Provider admin](https://bitwarden.com/help/provider-users/#provider-user-types/) status, allowing you to fully manage all aspects of the Provider and all [client organizations](https://bitwarden.com/help/getting-started-providers/#client-organizations/). Bitwarden strongly recommends that you provision a second Provider admin for failover purposes.

Now, begin adding your employees as [service users](https://bitwarden.com/help/provider-users/#provider-user-types/), which will allow them to administer all client organizations and create new ones or manage the Provider itself:

1. **Invite Users**. From the Provider Portal 🎚️ **Manage** → **Members** tab, invite users as service users (or invite additional Provider admins):

   ![Add a provider user](https://bitwarden.com/assets/6E5GA111xdiHHkA0gb5LtG/5e5b5fddb5911e1b2ed468c1d49134ad/2024-12-05_09-27-45.png)
2. **Instruct users to accept invites**. Invited users will receive an email from Bitwarden inviting them to join the provider. Inform users that they should expect an invitation and that they will need to **Log In** with an existing Bitwarden account or **Create Account** to proceed:

   ![Provider Invitation](https://bitwarden.com/assets/0FRQnrWufrfnbc8Q2GymX/ffcb260e1d90ff1a25d0f67ac9bc6c7a/provider-accept-invite.png)
3. **Confirm accepted invitations**. To complete the secure onboarding of your provider users, confirm accepted invitations from the Provider Portal **People** tab:

   ![Confirm invited provider user](https://bitwarden.com/assets/IxUeScxNYYmI4y8jceC5v/ebdf3fa89abbd69fbb028e0cff8c99aa/2024-12-05_09-29-04.png)

With an assembled team of service users, you're ready to start setting up [client organizations](https://bitwarden.com/help/getting-started-providers/#client-organizations/).

## Client organizations

Client organizations are any [organization](https://bitwarden.com/help/about-organizations/) that is attached to or administered by a Provider. To your customers, there's no difference between a "client" organization and a "regular" organization except for who is conducting administration.

Organizations relate Bitwarden users and vault items together for [secure sharing](https://bitwarden.com/help/sharing/) of logins, cards, notes, and identities.
Organizations have a view, the Admin Console, where Provider service users can manage the organization's collections, manage members and groups, run reporting, import data, and configure organization settings:

![Client organization vault](https://bitwarden.com/assets/5fXREt9aHmnVgLLRPBs8yg/dbecd580231e8ea2f4eec2be224a1e64/2025-02-25_15-20-08.png)

Members of a client organization (your customer's end-users) will find shared items in their **Vaults** view alongside individually-owned items, as well as several methods for filtering the item list to only organization items or items in particular [collections](https://bitwarden.com/help/about-collections/):

![Organization-enabled vault](https://bitwarden.com/assets/4D2tlh9YKPzDY20SYGVKcG/dff56b66549d29405b1af211860f698e/2024-12-03_14-07-28.png)

### Create a client organization

To create a new client organization, you must be a [Provider Admin](https://bitwarden.com/help/provider-users/#provider-user-types/). Navigate to the **Clients** tab of the Provider Portal and select the + **Add** button → **New Client**:

![New client organization](https://bitwarden.com/assets/5WjBETB0YFm7TS1zpIHeSC/a22563b9172036b1c90bfb61d9ab310b/new_client_org_1.png)

### Add an existing organization

To add an existing organization, you must be an active provider user and the owner of the organization you wish to add.

> [!NOTE] Add existing org subscription seat limit
> A service user can add members to client organizations, or add client organizations to the provider, as long as the number of users added is within the provider's seat minimum. Only provider admins can increase the seat minimum.

1. Navigate to the **Clients** tab of the Provider Portal and select the + **New** button → **Existing organization**:

   ![Admin Console add Existing Organization](https://bitwarden.com/assets/mA88mJFGTc9w6MEcisaME/af9d5d7d413cb01d9d18df783fd934fc/Existing_client_org.png)
2. The Add existing organization dialogue will appear. Select the organization you wish to add:

   ![Select Existing Organization](https://bitwarden.com/assets/19Ugi6eUIMQgcliZvxwuf3/9992b070d0dab4defa04639bef8baf01/2025-02-25_15-45-02.png)
3. You will be prompted to confirm the subscription and billing changes to your provider subscription. Once complete, select **Add organization**.

### Setup the client organization

With your newly-created client organization, start building the perfect solution for your customer. Exact setup will be different for each client organization based on your customers' needs, but will typically involve:

1. **Create collections**. A good first step is to [create a set of collections](https://bitwarden.com/help/about-collections/#create-a-collection/), which provide an organizing structure for the vault items you will add to the vault in the next step.

   Common collections patterns include **Collections by Department** (for example, users in the client's Marketing Team are assigned to a **Marketing** collection) or **Collections by Function** (for example, users from the client's Marketing Team are assigned to a **Social Media** collection):

   ![Collections](https://bitwarden.com/assets/6kJ7wMESirqmkfZ8KlfK09/9210ef5cf3cd2442b429760edb98001f/collections-graphic-1.png)
2. **Import data**. Once the structure of how you will store vault items is in place, you can begin [importing data to the organization](https://bitwarden.com/help/import-to-org/).

   > [!NOTE] Provider restricted access
   > Note that, as a provider user, you will not be able to directly view, create, or manage individual items.
3. **Configure enterprise policies**. Before beginning the user management portion of setup, [configure enterprise policies](https://bitwarden.com/help/policies/) in order to set rules-of-use for things such as [master password complexity](https://bitwarden.com/help/policies/#master-password-requirements/), [use of two-step login](https://bitwarden.com/help/policies/#require-two-step-login/), and [admin password reset](https://bitwarden.com/help/account-recovery/#master-password-reset/).

   > [!NOTE] Enterprise policy
   > Enterprise policies are **only available to Enterprise organizations**.
4. **Setup login with SSO**. If your customer uses single sign-on (SSO) to authenticate with other applications, [connect Bitwarden with their IdP](https://bitwarden.com/help/about-sso/) to allow authentication with Bitwarden using end-users' SSO credentials.
5. **Create user groups**. For teams and enterprise organizations, [create a set of groups](https://bitwarden.com/help/about-groups/#create-a-group/) for scalable permissions assignment. When you start adding users, add them to groups to have each user automatically inherit the group's configured permissions (for example, access to which collections).

   One common group-collection pattern is to create **Groups by Department** and **Collections by Function**, for example:

   ![Collections](https://bitwarden.com/assets/6qodHGqBPABEFv3XJxaOUe/780cd4624a5d0a5fe315677968003e2d/collections-graphic-2.png)

### Invite client users

With the infrastructure for secure and scalable sharing of credentials in place, you can begin inviting users to the organization. Onboarding users to Bitwarden can be accomplished in three ways, depending on the size of your customer:

1. **For smaller customers**, you can send email invitations to users from the Admin Console 🎚️ **Members** view:

   ![Invite members as a provider](https://bitwarden.com/assets/4wUO7i6w8y4sqAvwuMVZyd/070a5b36b242b1e4871cc0f58e0b8f83/2024-12-05_09-31-35.png)
2. **For larger customers** who leverage an IdP such as Azure AD, Okta, OneLogin, or JumpCloud, use [SCIM](https://bitwarden.com/help/about-scim/) to automatically provision users.
3. **For larger customers** who leverage a directory service (Active Directory, LDAP, Okta, and more), use [Directory Connector](https://bitwarden.com/help/directory-sync/) to sync organization users from the source directory and automatically issue invitations.

Regardless of whether you have invited users from the organization vault, using SCIM, or using Directory Connector, the same three-step process (Invite → Accept → Confirm) that you followed when [onboarding provider users](https://bitwarden.com/help/getting-started-providers/#onboard-users/) will apply here as well.

## Managing self-hosted organizations

MSPs can provide admin support for Bitwarden self-hosted instances as well. Provider Portal access to managed customers is currently available for cloud-hosted environments only. To provide administrative services for a self-hosted instance, an additional service seat will need to be purchased to manage the self-hosted instance.

### Enabling the self-hosted instances

1. Create a new Bitwarden user as a service account. This user will be granted access to manage a customer as an owner during the initial installation.

   > [!NOTE] New Bitwarden user service account
   > If your client organizations are hosted on the same server, this service account could be a single user that is granted access to all organizations. Otherwise, create a separate service account for each customer or server.
2. Save the newly created user's credentials in your internal Bitwarden vault. Next, access the **Provider Portal** located on the main navigation bar. [Create a new enterprise organization](https://bitwarden.com/help/getting-started-providers/#create-a-client-organization/) from the Provider Portal.
   > [!NOTE] New credential account
   > The purpose of this step is to save the credentials; you are not required to invite the user to your organization.
3. During the creation of the enterprise organization, add the service user account that was created in **step 1**.
4. Access the client via the Provider Portal to download the organization license.
5. Deploy the Bitwarden self-hosted instance and [apply the organization license](https://bitwarden.com/help/licensing-on-premise/#apply-organization-license/).
6. Promote a user as the new owner at your managed customer.

   > [!NOTE] provider portal custom user
   > Optionally, once the new user has been promoted to manager of the customer organization, your service account user can be downgraded to a custom admin role.

--- URL: https://bitwarden.com/help/getting-started-webvault/ ---

# Password Manager Web App

The Bitwarden web app provides the richest Bitwarden experience for personal users and organizations. Many important functions such as setting up [two-step login](https://bitwarden.com/help/setup-two-step-login/) or administering an [organization](https://bitwarden.com/help/about-organizations/) must be done from the web app.

> [!TIP] vault.bitwarden.com vs. configured domain
> The web app is accessible from any modern web browser at [vault.bitwarden.com](https://vault.bitwarden.com) and [vault.bitwarden.eu](https://vault.bitwarden.eu). If you are **self-hosting** Bitwarden, access to the web app will be located at your [configured domain](https://bitwarden.com/help/install-on-premise-linux/), for example `https://my.bitwarden.server.com`.

![Password Manager web app](https://bitwarden.com/assets/2xTpSA11EOCzx8VIuVffcF/d3bc18e7fc3c3cb0bf1779fad9262cd3/2024-12-02_13-42-14.png)

When you first log in to your web app, you'll land on the **All vaults** view. This space will list all vault items, including [logins, cards, identities, and secure notes](https://bitwarden.com/help/managing-items/).
## First steps

In the previous screenshot, the **All vaults** view is displaying **All Items** in all vaults. Members of [organizations](https://bitwarden.com/help/about-organizations/) will have other vaults listed here. Using the **Filters** column, you can organize your vault into **Favorites** and **Folders**.

Let's start by setting up a new folder and adding a new login to it:

### Create a folder

To create a folder:

1. Select the + **New** button and choose **Folder** from the dropdown:

   ![New folder](https://bitwarden.com/assets/3BvTWidqL4xWQvFqBSiJIR/d68bc851d44df1b571eed16366159e0c/2024-12-02_13-50-55.png)
2. Enter a name (for example, `Important Logins`) for your folder and select **Save**.

   > [!TIP] nesting folders
   > For a cleaner vault, you can [nest folders inside other folders](https://bitwarden.com/help/folders/#nested-folders/).

### Add a login

To add a new login item:

1. Select the + **New** button and choose **Login** from the dropdown.
2. Enter an **Item name**. Names will help you easily identify items in your vault, so give this item a recognizable one (for example, `My Gmail Account`).
3. From the **Folder** dropdown, select the name of the folder you want to add this item to (for example, the `Important Logins` folder we created earlier).
4. Enter your **Username** and **Password**. For now, enter your existing password. We will help you [replace it with a stronger password](https://bitwarden.com/help/getting-started-webvault/#generate-a-strong-password/) later.
5. In the **Website (URI)** field, enter the URL of the website (for example, `https://accounts.google.com`). If you don't know what URL to use, navigate to the website's login screen and copy it from your address bar.

   ![Locating URLs](https://bitwarden.com/assets/62IycEwbVrumSyPjB9n5XS/0df14e819c0881be3d813e235271acaf/2025-06-02_14-31-28.png)
6. Select the ⭐ **Favorite** icon to add this item to your favorites. The icon will fill in (⭐ → ⭐) when it is a favorite.
7. Nice work! Select the **Save** button to finish adding this item.

### Generate a strong password

Now that a new login is saved in your vault, improve its security by replacing the existing password with a stronger one:

1. In your vault, select the item you want to secure to open it and select the **Edit** button.
2. In a new tab or window, open the corresponding website and log in to your account.

   > [!TIP] launch from web vault
   > If you entered something in the **URI 1** field, click the **Launch** icon to open it directly from your vault.
3. On that website, navigate to the area where you can **Change your password**. Typically, you can find this in a **Your Account**, **Security**, **Sign in Settings**, or **Login Settings** section.
4. Most websites require you to enter your **Current password** first. Return to your vault and select the **Copy** icon next to the **Password** field. Then, return to the website and paste it into the **Current password** field.

   You might have the old password memorized, but it's a good idea to get in the habit of copying and pasting your password. This is how you will be logging in once your password is replaced with a stronger one.
5. Return to your vault and click the **Generate** icon next to the **Password** field. You will be asked whether you want to overwrite the current password, so select **Yes** to proceed.

   This will replace your **Password** with a randomly generated strong password. Moving from a password like `Fido1234` to `X@Ln@x9J@&u@5n##B` can stop a hacker.
6. Copy your new password with the same **Copy** icon you used earlier, and select the **Save** button.

   > [!TIP] password history
   > Don't worry about overwriting your existing password! If something goes wrong, Bitwarden stores a [**Password history**](https://bitwarden.com/help/password-and-generator-history/#password-history/) of the last five passwords for every login.
7. Return to the other website and paste your strong password in the **New Password** and **Confirm new password** fields.
8. Once you **Save** the password change, you are finished!

### Import your data

Good news! You don't need to repeat this process for every login if you have usernames and passwords saved in a web browser or other password manager. Use one of our specialized import guides for help transferring your data from:

- [LastPass](https://bitwarden.com/help/import-from-lastpass/)
- [1Password](https://bitwarden.com/help/import-from-1password/)
- [Dashlane](https://bitwarden.com/help/import-from-dashlane/)
- [macOS & Safari](https://bitwarden.com/help/import-from-safari/)
- [Google Chrome](https://bitwarden.com/help/import-from-chrome/)
- [Firefox](https://bitwarden.com/help/import-from-firefox/)

## Secure your vault

Now that your vault is full of data, let's take some steps to protect it by setting up two-step login. Two-step login requires you to verify your identity when logging in using an additional token, usually retrieved from a different device.

There are many [available methods](https://bitwarden.com/help/setup-two-step-login/) for two-step login, but the recommended method for a free Bitwarden account is using a mobile device authenticator app such as [Bitwarden Authenticator](https://bitwarden.com/help/bitwarden-authenticator/):

1. Download Bitwarden Authenticator on your mobile device.
2. In the Bitwarden web app, select **Settings** → **Security** → **Two-step login** from the navigation:

   ![Two-step login](https://bitwarden.com/assets/2BsKs83g4cmiCUwxf2ad83/b2a90e85355f3d937aeb46139203737e/2024-12-02_10-54-31.png)
3. Locate the **Authenticator App** option and select **Manage**:

   ![Two-step login providers](https://bitwarden.com/assets/5GqQynIX94PhzJQ0tVW1aE/5dcea8d04c8a543daa7f96989f220756/2024-12-02_10-55-22.png)

   You'll be prompted to enter your master password to continue.
4. On your mobile device, open Bitwarden Authenticator and tap the + button.
5. Scan the QR code located in your web app using Bitwarden Authenticator. Once scanned, Bitwarden Authenticator will display a six-digit verification code.
6. Enter the six-digit verification code into the dialog box in your web app, and select the **Enable** button.
7. Select the **Close** button to return to the Two-step login screen, and select the **View Recovery Code** button.

   Your recovery code can be used in the event that you lose your mobile device. **This is a critical step to ensure you don't ever get locked out of your vault**, so don't skip it!
8. Enter your master password and select the **Continue** button to get your recovery code.

   ![Sample Recovery Code](https://bitwarden.com/assets/64piqJsX7vN25To16iRFIp/09e977fae9485c0764f832c6bb4b4b04/2024-12-02_11-24-35.png)

Save your recovery code in the way that makes the most sense for you. Believe it or not, printing your recovery code and keeping it somewhere safe is one of the best ways to make sure that the code is not vulnerable to theft or inadvertent deletion.

## Next steps

Congratulations on mastering the basics of Bitwarden! We want everyone to be safe online, so we are proud to offer everything you have learned about here for free.
### Signup for premium

For personal users, we offer a premium subscription for $10 / year that unlocks advanced capabilities including:

- Advanced two-step login options, like [Duo](https://bitwarden.com/help/setup-two-step-login-duo/) and [YubiKey security keys](https://bitwarden.com/help/setup-two-step-login-yubikey/)
- Storage space for [encrypted file attachments](https://bitwarden.com/help/attachments/)
- An integrated [temporary one-time password (TOTP) authenticator](https://bitwarden.com/help/integrated-authenticator/)
- [Emergency access](https://bitwarden.com/help/emergency-access/) to your vault by trusted emergency contacts
- [Vault health reports](https://bitwarden.com/help/reports/) that report on password and security hygiene

To start a premium subscription, select the **Go Premium** button from your **Vaults** view!

### Start an organization

Do you need to share passwords or other vault items with your friends, family, team, or entire business? Bitwarden organizations let you do just that. We recommend trying out the functionality of password-sharing from organizations by [starting a free two-person organization](https://bitwarden.com/help/getting-started-organizations/).

Once you have tested an organization, check out our [Bitwarden pricing](https://bitwarden.com/pricing/business/) page to learn about the different organization types you might consider.

--- URL: https://bitwarden.com/help/github-actions-integration/ ---

# GitHub Actions

Bitwarden provides an integration with [GitHub Actions](https://docs.github.com/en/actions) to retrieve secrets from Secrets Manager and inject them into GitHub Actions workflows. The integration will inject retrieved secrets as masked environment variables inside an action. To set up the integration:

## Save an access token

In this step, we're going to save an [access token](https://bitwarden.com/help/access-tokens/) as a [GitHub encrypted secret](https://docs.github.com/en/actions/security-guides/encrypted-secrets).
Encrypted secrets can be created for an organization, repository, or repository environment and are made available for use in GitHub Actions workflows:

1. In GitHub, navigate to your repository and select the **Settings** tab.
2. In the Security section of the left navigation, select **Secrets and variables** → **Actions**.
3. Open the **Secrets** tab and select the **New repository secret** button.
4. In another tab, open the Secrets Manager web vault and [create an access token](https://bitwarden.com/help/machine-accounts/).
5. Back in GitHub, give your secret a **Name** like `BW_ACCESS_TOKEN` and paste the access token value from step 4 into the **Secret** input.
6. Select the **Add secret** button.

## Add to your workflow file

Next, we're going to add a few steps to your GitHub Actions workflow file.

### Get secrets

To get secrets in your workflow, add a step with the following information to your workflow YAML file:

```yaml
- name: Get Secrets
  uses: bitwarden/sm-action@v2
  with:
    access_token: ${{ secrets.BW_ACCESS_TOKEN }}
    base_url: https://vault.bitwarden.com
    secrets: |
      fc3a93f4-2a16-445b-b0c4-aeaf0102f0ff > SECRET_NAME_1
      bdbb16bc-0b9b-472e-99fa-af4101309076 > SECRET_NAME_2
```

Where:

- `${{ secrets.BW_ACCESS_TOKEN }}` references your previously saved repository secret. Change accordingly if you didn't name the secret `BW_ACCESS_TOKEN`.
- `base_url`: For self-hosted instances, provide your `https://your.domain.com`. If this optional parameter is provided, the parameters `identity_url` and `api_url` are not required. The GitHub action will use `BASE_URL/identity` and `BASE_URL/api` for the identity and API endpoints.
- `fc3a93f4-2a16-445b-b0c4-aeaf0102f0ff` and `bdbb16bc-0b9b-472e-99fa-af4101309076` reference identifiers for secrets stored in Secrets Manager. The [machine account](https://bitwarden.com/help/machine-accounts/) that your access token belongs to **must be able to access these specific secrets**.
- `SECRET_NAME_1` and `SECRET_NAME_2` are the names you'll use to reference the injected secret values in the next step.

### Use secrets

Finally, you can complete the pathway by referencing the specified secret names (`SECRET_NAME_1` and `SECRET_NAME_2`) as parameters in a subsequent action, for example:

```yaml
- name: Use Secret
  run: SQLCMD -S MYSQLSERVER -U "$SECRET_NAME_1" -P "$SECRET_NAME_2"
```

## Example workflow

The following example is a GitHub Actions workflow file using `get secrets`:

```yaml
- name: Get Secrets
  uses: bitwarden/sm-action@v2
  with:
    access_token: ${{ secrets.BW_ACCESS_TOKEN }}
    secrets: |
      fc3a93f4-2a16-445b-b0c4-aeaf0102f0ff > GITHUB_GPG_PRIVATE_KEY
      bdbb16bc-0b9b-472e-99fa-af4101309076 > GITHUB_GPG_PRIVATE_KEY_PASSPHRASE
- name: Import GPG key
  uses: crazy-max/ghaction-import-gpg@v6
  with:
    gpg_private_key: ${{ env.GITHUB_GPG_PRIVATE_KEY }}
    passphrase: ${{ env.GITHUB_GPG_PRIVATE_KEY_PASSPHRASE }}
    git_user_signingkey: true
    git_commit_gpgsign: true
```

--- URL: https://bitwarden.com/help/gitlab-integration/ ---

# GitLab CI/CD

Bitwarden provides a way to inject secrets into your [GitLab CI/CD](https://docs.gitlab.com/ee/ci/) pipelines using the Bitwarden [Secrets Manager CLI](https://bitwarden.com/help/secrets-manager-cli/). This allows you to securely store and use secrets in your CI/CD workflows. To get started:

## Save an access token

In this step, we're going to save an [access token](https://bitwarden.com/help/access-tokens/) as a GitLab CI/CD variable. This token will be used to authenticate with the Bitwarden Secrets Manager API and retrieve [secrets](https://bitwarden.com/help/secrets/).

1. In GitLab, navigate to your project's **Settings** > **CI/CD** page.
2. Select **Expand** in the **Variables** section.
3. Select **Add variable**.
4. Check the **Mask variable** flag.
5. Name the key `BWS_ACCESS_TOKEN`. This is the variable that the Secrets Manager CLI looks for to [authenticate](https://bitwarden.com/help/secrets-manager-cli/#authentication/). Alternatively, if you need to name the key something else, specify `--access-token NAME_OF_VAR` on the `bws secret get` line later.
6. In another tab, open the Secrets Manager web app and [create an access token](https://bitwarden.com/help/access-tokens/).
7. Back in GitLab, paste the newly-created access token into the **Value** field.
8. Select **Add variable** to save.

![Add a variable in GitLab](https://bitwarden.com/assets/5oaev7YcHn7ndLaofLb8Uw/2c653506fca3ca2300ce93e226e163e8/gitlab_variables.png)

## Add to your workflow file

Next, we're going to write a rudimentary GitLab CI/CD workflow. Create a file called `.gitlab-ci.yml` in the root of your repository with the following contents:

```yaml
stages:
  - default_runner

image: ubuntu

build:
  stage: default_runner
  script:
    - |
      # install bws
      apt-get update && apt-get install -y curl git jq unzip
      export BWS_VER="1.0.0"
      curl -LO \
        "https://github.com/bitwarden/sdk/releases/download/bws-v$BWS_VER/bws-x86_64-unknown-linux-gnu-$BWS_VER.zip"
      unzip -o bws-x86_64-unknown-linux-gnu-$BWS_VER.zip -d /usr/local/bin

    # use the `bws run` command to inject secrets into your commands
    - bws run -- 'npm run start'
```

Where:

- `BWS_VER` is the version of the Bitwarden Secrets Manager CLI to install. You can pin the version being installed by changing this to a specific version, for example `BWS_VER="0.3.1"`.

> [!WARNING] Don't use commands that output to logs.
> Secrets are stored as environment variables. It is important to [avoid running commands that would output these secrets to the logs](https://docs.gitlab.com/ee/ci/variables/#cicd-variable-security).

## Run the CI/CD pipeline

On the left, select **Build** > **Pipelines** and select **Run pipeline** at the top-right of the page. Select **Run pipeline** on the page to run the newly-created pipeline.
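The install step in the `.gitlab-ci.yml` above unpacks a downloaded archive straight into `/usr/local/bin`, and pinning `BWS_VER` fixes the version but not the bytes. One way to gate the unpack on a pinned SHA-256 digest, as an added example that is not part of the Bitwarden documentation; the function names are hypothetical, and the digest is a placeholder because the page does not list one:

```shell
#!/bin/sh
# Added example, not Bitwarden code: refuse to install a downloaded archive
# unless its SHA-256 matches a digest pinned in the pipeline definition.
# Function names are hypothetical.

# sha256_of FILE: print the lowercase hex SHA-256 of FILE.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'   # macOS/BSD fallback
    fi
}

# verify_sha256 FILE EXPECTED_HEX
# Returns 0 on match, 1 on mismatch, 2 if EXPECTED_HEX is not a 64-character
# hex digest (empty variable, leftover placeholder), 3 if FILE is missing.
verify_sha256() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    case $expected in
        ''|*[!0-9a-f]*) echo "pinned digest is not hex" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "pinned digest has wrong length" >&2; return 2; }
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 3; }
    actual=$(sha256_of "$file")
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $file" >&2
        echo "  expected $expected" >&2
        echo "  actual   $actual" >&2
        return 1
    fi
    return 0
}

# install_verified ARCHIVE EXPECTED_HEX DEST_DIR
# Unpacks ARCHIVE into DEST_DIR only after the digest check has passed.
install_verified() {
    verify_sha256 "$1" "$2" || return $?
    unzip -o -q "$1" -d "$3"
}

# In the job script, the bare `unzip` line would become (digest is a
# placeholder; take it from the release you pin and commit it with BWS_VER):
#   BWS_ZIP="bws-x86_64-unknown-linux-gnu-$BWS_VER.zip"
#   BWS_SHA256="REPLACE_WITH_PINNED_SHA256"
#   install_verified "$BWS_ZIP" "$BWS_SHA256" /usr/local/bin || exit 1

# Constructed demo: a stand-in file plays the archive, then gets tampered with.
demo_verify() {
    tmp=$(mktemp -d) || return 1
    printf 'constructed stand-in for the bws archive\n' > "$tmp/bws.zip"
    good=$(sha256_of "$tmp/bws.zip")
    verify_sha256 "$tmp/bws.zip" "$good" && ok=0 || ok=$?
    printf 'tampered\n' >> "$tmp/bws.zip"
    verify_sha256 "$tmp/bws.zip" "$good" 2>/dev/null && bad=0 || bad=$?
    rm -rf "$tmp"
    echo "untouched=$ok tampered=$bad"
}
demo_verify
```

Because a non-hex value is rejected with its own exit code, a job that still carries the placeholder fails closed instead of installing an unchecked binary.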
--- URL: https://bitwarden.com/help/hosting-faqs/ ---

# Self-host FAQs

This article contains Frequently Asked Questions (FAQs) regarding self-hosting.

## General

### Q: What platforms can I host on?

**A:** Bitwarden is a cross-platform application that is deployed using Docker Linux containers. This means that Bitwarden can be hosted on Linux, macOS, and Windows machines. Docker Desktop on Windows may require a license depending on whether your company meets [Docker's requirements for licenses](https://www.docker.com/pricing/); however, Docker on Linux is free.

You can read more about Docker and container technologies at the [Docker website](https://www.docker.com/why-docker).

### Q: Do Bitwarden client apps support non-official servers?

**A:** While we expect most client functionality to work with non-official servers, such as Vaultwarden, Bitwarden cannot guarantee that official clients will work perfectly with non-official servers. If you're using a non-official server, we recommend that you keep it as up-to-date as possible to take advantage of compatibility updates written by its maintainers. Bitwarden Customer Support may be limited in their ability to assist you with client issues if you're using a non-official server.

As an example, Vaultwarden introduced support for native mobile apps in version 1.31.0. If you’re using native mobile apps and a version of Vaultwarden prior to 1.31.0, you will receive an error and should upgrade your server.

### Q: How do I deploy Bitwarden on AWS, Azure, GCP, or VMware vCenter?

**A:** Bitwarden is generally deployed as either a single Windows or Linux VM, or a cluster of machines. At this time, Bitwarden does not publish pre-built images for these platforms, but you can find instructions on how to configure a VM on all of the above platforms and more [here](https://bitwarden.com/help/self-host-an-organization/).

### Q: How should I achieve high availability?
**A:** Deploying with Helm is currently the recommended option for achieving high availability. However, increasing replicas for Bitwarden containers may result in unexpected behavior. Learn more about Bitwarden self-hosting with Helm [here](https://bitwarden.com/help/self-host-with-helm/).

### Q: Do I need to allow any URLs?

**A:** When installing a standard self-hosted Bitwarden server deployment, your server will make outbound connections for functionality such as updates, pushing notifications to clients, and syncing Families for Enterprise sponsorships. If you do not wish to use these features, deploy with one of the offline guides so that the server does not make any outbound connections outside your infrastructure.

To allow the standard outbound functionality, you will need to allow the following URLs through your firewall:

- The **Bitwarden server install/update** URLs listed [here](https://bitwarden.com/help/bitwarden-addresses/#bitwarden-applications/).
- The **Application endpoints** listed [here](https://bitwarden.com/help/bitwarden-addresses/#application-endpoints/).

### Q: How do I backup and restore my self-hosted instance?

**A:** Bitwarden takes automated nightly backups of the `bitwarden-mssql` database container in order to protect your stored credentials. For help with manual backups, or help restoring a backup, see [Backup your Hosted Data](https://bitwarden.com/help/backup-on-premise/).

### Q: What are my installation id and installation key used for?

**A:** Installation ids and keys are used when installing Bitwarden on-premises in order to:

- Register your installation and contact email so that we can contact you for important security updates.
- Authenticate to push relay servers for push notifications to Bitwarden client applications.
- Validate licensing of paid features.

Retrieve an installation id and key from [https://bitwarden.com/host](https://bitwarden.com/host/).
> [!NOTE] Installation key and id specific to server region
> While retrieving your installation id and key, be sure to select the server region that corresponds to your Bitwarden client. Learn how to apply the proper self-hosted server region [here](https://bitwarden.com/help/server-geographies/#connect-your-self-hosted-server/).

**You should not share your installation id or installation key across multiple Bitwarden installations.** They should be treated as secrets.

### Q: How do I change the name of my server?

**A:** Configure the `url:` in `./bwdata/config.yml` with your new server name and then run the `./bitwarden.sh rebuild` command to rebuild `bwdata` assets.

Check that your server name or FQDN has been propagated to all `globalSettings_baseServiceUri__*` variables in `./bwdata/env/global.override.env`, and that your certificate contains a Subject Alternative Name (SAN) with the new server FQDN. If you are using a Let's Encrypt certificate, you will need to [manually update your certificate](https://bitwarden.com/help/certificates/#manually-update-a-lets-encrypt-certificate/).

### Q: How do I change the name of my self-hosted organization?

**A:** First, change the name of the organization in the cloud using the web app. Once the cloud organization has been changed, you can re-download the license file and upload the new license file to your self-hosted organization as seen [here](https://bitwarden.com/help/licensing-on-premise/#organization-license/).

### Q: Why does the System Administrator Portal show an update available when update commands show I'm on the latest version?

**A:** The System Administrator Portal will show an available update as soon as we release our cloud server; however, as mentioned in the [release notes](https://bitwarden.com/help/releasenotes/), self-hosted server updates typically are made available a few days following cloud.
Please wait a few days and try [updating your instance](https://bitwarden.com/help/updating-on-premise/) again.

### Q: Can I run Bitwarden under a domain subfolder?

**A:** Running Bitwarden under a domain subfolder (for example, `https://mydomain.com/bitwarden` instead of `https://mydomain.com`) is not supported. It must run under a host, as a subdomain, or with an additional port.

## SMTP configuration

### Q: How do I set up an SMTP mail server?

**A:** Connect your self-hosted instance to an existing SMTP mail server by editing all `globalSettings__mail__smtp__*` values in `./bwdata/env/global.override.env`. For more information, see [Configure Environment Variables](https://bitwarden.com/help/environment-variables/).

If you don't yet have an existing SMTP mail server from which you can relay emails, consider services like [Mailgun](https://www.mailgun.com/) or [SparkPost](https://www.sparkpost.com).

### Q: How do I use Gmail as an SMTP mail server?

> [!WARNING] Gmail SMTP
> Starting in autumn of 2024, apps like Bitwarden using Gmail for SMTP will be required to use [app passwords](https://support.google.com/mail/answer/185833?hl=en&sjid=9696547978374724481-NA#zippy=) for authentication as basic authentication (username and password) support will be deprecated.
>
> We recommend migrating your SMTP configuration to an app password as soon as possible. [Learn more about the change](https://support.google.com/a/answer/14114704).

**A:** Configure the following variables in `./bwdata/env/global.override.env`:

```
globalSettings__mail__replyToEmail=no-reply@your.domain
globalSettings__mail__smtp__host=smtp.gmail.com
globalSettings__mail__smtp__port=587
globalSettings__mail__smtp__ssl=false
globalSettings__mail__smtp__username=
globalSettings__mail__smtp__password=
```

You will also need to enable SMTP relay from within Google. For more information, see [Google's documentation](https://support.google.com/a/answer/176600?hl=en).
## Advanced configuration

### Q: How do I use custom server ports?

**A:** To use custom ports, instead of 80 and 443, edit the `http_port=` and `https_port=` values in `./bwdata/config.yml` and run `./bitwarden.sh rebuild` to rebuild your server assets.

Check that the custom port values have been propagated to `./bwdata/env/global.override.env`.

### Q: How do I enable logging to syslog?

**A:** Docker's `syslog` logging [drivers](https://docs.docker.com/engine/logging/drivers/syslog/#usage) work with Bitwarden's containers. In order to log to `syslog`, users may set up the `syslog` logging driver system-wide with Docker's `daemon.json` file (located [here](https://docs.docker.com/engine/logging/drivers/syslog/#usage)). Alternatively, you may configure it just for Bitwarden containers by configuring it in our `bwdata/docker/docker-compose.override.yml` file like so:

```yaml
services:
  admin:
    logging:
      driver: syslog
      options:
        syslog-address: tcp://192.168.0.42:123
  sso:
    logging:
      driver: syslog
      options:
        syslog-address: tcp://192.168.0.42:123
  identity:
    logging:
      driver: syslog
      options:
        syslog-address: tcp://192.168.0.42:123
  api:
    logging:
      driver: syslog
      options:
        syslog-address: tcp://192.168.0.42:123
  events:
    logging:
      driver: syslog
      options:
        syslog-address: tcp://192.168.0.42:123
```

--- URL: https://bitwarden.com/help/import-data-from-myki/ ---

# Import Data from Myki

Use this article for help exporting data from Myki and importing into Bitwarden. Myki data exports are available as `.csv` files.

## Export from Myki

The process for exporting data from Myki is different depending on which platform you are using. Whenever possible, we recommend exporting from the Myki web app for the smoothest experience importing to Bitwarden. For help exporting from Myki, refer to [these Myki articles](https://support.myki.com/en/articles/6007957-how-to-export-my-myki-vault).
### Condition your CSVs

**If you exported from a Myki mobile app**, you will be required to condition your `.csv` files for import into Bitwarden. This will primarily involve renaming column headers and, in some cases, re-ordering columns in the `.csv`. Each of the following sections will document first the format exported by Myki and second the format expected by Bitwarden.

#### UserAccount.csv

Exported:

```
Nickname,Url,Username,Password,Additional Info,Two Factor Secret,Status
```

Expected:

```
nickname,url,username,password,additionalInfo,twofaSecret,status,tags
```

#### CreditCard.csv

Exported:

```
Nickname,Card Number,CardName,Exp Month,Exp Year,CVV,Additional Info,Status
```

Expected:

```
nickname,status,tags,cardNumber,cardName,exp_month,exp_year,cvv,additionalInfo
```

#### IdCard.csv

Exported:

```
Nickname,Id Type,Id Number,Id Name,Id Issuance Date,Id Expiration Date,Id Country,Additional Info,Status
```

Expected:

```
nickname,status,tags,idType,idNumber,idName,idIssuanceDate,idExpirationDate,idCountry,additionalInfo
```

#### Address.csv

Exported:

```
Nickname,First Name,Middle Name,Last Name,Email,First Address Line,Second Address Line,Title,Gender,Number,City,Country,Zip Code,Additional Info,Status
```

Expected:

```
nickname,status,tags,firstName,middleName,lastName,email,firstAddressLine,secondAddressLine,title,gender,number,city,country,zipCode,additionalInfo
```

#### Note.csv

Exported:

```
Title,Content,Status
```

Expected:

```
nickname,status,content
```

#### User2FA.csv

Exported:

```
Nickname,Additional Info,Two Factor Secret,Status
```

Expected:

```
nickname,status,tags,authToken,additionalInfo
```

## Import to Bitwarden

Data can be imported to Bitwarden from the web app, browser extension, desktop app, and CLI. Data is [encrypted](https://bitwarden.com/help/what-encryption-is-used/) locally before being sent to the server for storage.
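The header conditioning described under **Condition your CSVs** above can be scripted. This is an added example, not Bitwarden or Myki code: it renames and re-orders the columns of each Myki mobile export into the expected layout. The pairing of exported to expected columns is inferred from the header lists (for instance `Two Factor Secret` to `twofaSecret` or `authToken`), `tags` is left empty, and the sample row is constructed.

```python
import csv
import io

# Target headers, copied from the "Expected" lines above.
EXPECTED = {
    "UserAccount.csv": "nickname,url,username,password,additionalInfo,twofaSecret,status,tags",
    "CreditCard.csv": "nickname,status,tags,cardNumber,cardName,exp_month,exp_year,cvv,additionalInfo",
    "IdCard.csv": "nickname,status,tags,idType,idNumber,idName,idIssuanceDate,"
                  "idExpirationDate,idCountry,additionalInfo",
    "Address.csv": "nickname,status,tags,firstName,middleName,lastName,email,"
                   "firstAddressLine,secondAddressLine,title,gender,number,city,"
                   "country,zipCode,additionalInfo",
    "Note.csv": "nickname,status,content",
    "User2FA.csv": "nickname,status,tags,authToken,additionalInfo",
}

# Exported columns whose target is not just the camelCase form of the name.
# Assumption: these pairings are inferred from the header lists, not documented.
OVERRIDES = {
    "UserAccount.csv": {"Two Factor Secret": "twofaSecret"},
    "CreditCard.csv": {"Exp Month": "exp_month", "Exp Year": "exp_year"},
    "Note.csv": {"Title": "nickname"},
    "User2FA.csv": {"Two Factor Secret": "authToken"},
}

# Constructed sample in the exported CreditCard.csv layout (all values are fake).
SAMPLE = (
    "Nickname,Card Number,CardName,Exp Month,Exp Year,CVV,Additional Info,Status\n"
    'Travel card,4111111111111111,A. Example,04,2031,123,"corp card, do not share",active\n'
)


def camel(header):
    """'Additional Info' -> 'additionalInfo', 'CVV' -> 'cvv', 'CardName' -> 'cardName'."""
    first, *rest = header.split()
    first = first.lower() if first.isupper() else first[0].lower() + first[1:]
    return first + "".join(word[0].upper() + word[1:] for word in rest)


def condition(kind, exported_text):
    """Rewrite a Myki mobile export with the header names and column order Bitwarden expects."""
    expected = EXPECTED[kind].split(",")
    overrides = OVERRIDES.get(kind, {})
    # newline="" keeps line breaks inside quoted cells intact; drop a leading BOM if present.
    reader = csv.DictReader(io.StringIO(exported_text.lstrip("\ufeff"), newline=""))
    rename = {h: overrides.get(h, camel(h)) for h in reader.fieldnames or []}
    unknown = sorted(set(rename.values()) - set(expected))
    if unknown:
        # Wrong file type or a changed export layout: stop rather than drop data silently.
        raise ValueError(f"{kind}: no target column for {unknown}")
    out = io.StringIO(newline="")
    # restval="" leaves columns with no exported counterpart (tags) empty.
    writer = csv.DictWriter(out, fieldnames=expected, restval="", lineterminator="\n")
    writer.writeheader()
    for row in reader:
        writer.writerow({rename[k]: v for k, v in row.items() if k is not None})
    return out.getvalue()


if __name__ == "__main__":
    print(condition("CreditCard.csv", SAMPLE), end="")
```

The conditioned output is still a plaintext copy of your credentials, so delete it together with the original export once the import succeeds.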
> [!NOTE] Items not imported
> While some item types cannot be imported, you can still add them to a vault:
>
> - Upload [file attachments](https://bitwarden.com/help/attachments/) to the new vault individually.
> - Re-create [Sends](https://bitwarden.com/help/about-send/) in the new vault.

### Web app

To import data to your vault:

1. Select **Tools**.
2. Select **Import data**:

   ![Import data](https://bitwarden.com/assets/1NbyPb9dN545ZqKGRZYB3x/7ed2e5650e9988bf7595bccebe8a5114/2024-12-03_08-52-08.png)
3. From the **Vault** dropdown menu, select where to save the data:
   - **Individual vault**: Select **My vault** and (optional) choose a **Folder** to put the items in.

     > [!TIP] Choosing a folder with a folder defined in the import.
     > If you select a **Folder** here, any folders defined in your import file will be nested inside it when they're created.
   - **Organization vault**: Select the organization vault’s name and choose a **Collection**. (The [**Manage collection**](https://bitwarden.com/help/about-collections/#collections-permissions/) permission is required.)
4. From the **File format** dropdown menu, select the [import file format](https://bitwarden.com/help/import-faqs/#q-what-file-formats-does-bitwarden-support-for-import/).
5. Select **Choose File** and pick the file or copy and paste your file’s contents into the text box.

   > [!WARNING] Duplicative Imports
   > Importing does not check for duplicates. If you import the same file more than once or import items already in your vault, duplicate items will be created.
6. Select **Import data**. If you are importing a password-protected `.json` file, enter the password into the **Confirm vault import** window that appears.
7. After your data is imported, delete the import source file from your computer. This will protect you in the event your computer is compromised.

### Browser extension

To import data to your vault:

1. Select **Settings**.
2. Select **Vault options**.
3. Select **Import items**.
A new window will appear.
4. From the **Vault** dropdown menu, select where to save the data:
   - **Individual vault**: Select **My vault** and (optional) choose a **Folder** to put the items in.

     > [!TIP] Choosing a folder with a folder defined in the import.
     > If you select a **Folder** here, any folders defined in your import file will be nested inside it when they're created.
   - **Organization vault**: Select the organization vault’s name and choose a **Collection**. (You need the [**Manage collection**](https://bitwarden.com/help/about-collections/#collections-permissions/) permission.)
5. From the **File format** dropdown menu, select the [import file format](https://bitwarden.com/help/import-faqs/#q-what-file-formats-does-bitwarden-support-for-import/).
6. Select **Choose File** and pick the file or copy and paste your file’s contents into the text box.

   > [!WARNING] Duplicative Imports
   > Importing does not check for duplicates. If you import the same file more than once or import items already in your vault, duplicate items will be created.
7. Select **Import data**. If you are importing a password-protected `.json` file, enter the password into the **Confirm vault import** window that appears.
8. After your data is imported, delete the import source file from your device. This will protect you in the event your device is compromised.

### Mobile app

In most cases, importing data on a mobile device requires that you do so via the web app opened in a mobile browser. You can reach this location quickly from Password Manager by navigating to **Settings** → **Vault** → **Import items**.

On iOS 26, Bitwarden supports import using the [FIDO Credential Exchange Protocol (CXP)](https://fidoalliance.org/specifications-credential-exchange-specifications) for direct and easy migration of credentials into your vault. The app you're importing from must also support CXP and steps will vary by application.
For example, on the iOS Passwords app, use the ⋯ options menu to select **Export Data to Another App** and choose Bitwarden.

### Desktop app

To import data to your vault:

1. Select **File**.
2. Select **Import data**.
3. From the **Vault** dropdown menu, select where to save the data:
   1. **Individual vault**: Select **My vault** and (optional) choose a **Folder** to put the items in.

      > [!TIP] Choosing a folder with a folder defined in the import.
      > If you select a **Folder** here, any folders defined in your import file will be nested inside it when they're created.
   2. **Organization vault**: Select the organization vault’s name and choose a **Collection**. (You need the [**can manage**](https://bitwarden.com/help/about-collections/#collections-permissions/) permission.)
4. From the **File format** dropdown menu, select the [import file format](https://bitwarden.com/help/import-faqs/#q-what-file-formats-does-bitwarden-support-for-import/).
5. Select **Choose File** and pick the file or copy and paste your file’s contents into the text box.

   > [!WARNING] Duplicative Imports
   > Importing does not check for duplicates. If you import the same file more than once or import items already in your vault, duplicate items will be created.
6. Select **Import data**. If you are importing a password-protected `.json` file, enter the password into the **Confirm vault import** window that appears.
7. After your data is imported, delete the import source file from your computer. This will protect you in the event your computer is compromised.

### CLI

To import data to your vault, use the following [CLI](https://bitwarden.com/help/cli/) command:

```
bw import <format> <path>
```

`bw import` requires a format (use `bw import --formats` to retrieve a list of formats) and a path, for example:

```
bw import <format> /Users/myaccount/Documents/mydata.csv
```

After your data is imported, delete the import source file from your computer. This will protect you in the event your computer is compromised.
If an “Import error” message appears, no data was added to your vault. [Fix the import file issue](https://bitwarden.com/help/import-data/#troubleshoot-import-errors/) and try again.

--- URL: https://bitwarden.com/help/import-data/ ---

# Import Data to Individual Vaults & Collections

Import logins and data from different password managers, other Bitwarden vaults, or [encrypted exports](https://bitwarden.com/help/encrypted-export/) to instantly transfer your information and skip manual entry. You can import data from any password management solution that allows exports.

## Common password manager & file type imports

Bitwarden supports data imports from many common password management solutions, including:

- [Import from LastPass](https://bitwarden.com/help/import-from-lastpass/)
- [Import from 1Password](https://bitwarden.com/help/import-from-1password/)
- [Import from Firefox](https://bitwarden.com/help/import-from-firefox/)
- [Import from Google Chrome, Edge, or Chromium](https://bitwarden.com/help/import-from-chrome/)
- [Import from Password Safe](https://bitwarden.com/help/import-from-passwordsafe/)
- [Import from another Bitwarden vault](https://bitwarden.com/help/export-your-data/)

[Additional file types](https://bitwarden.com/help/import-faqs/#q-what-file-formats-does-bitwarden-support-for-import/) from other password managers are compatible with Bitwarden. If your solution isn’t listed but can export data, edit the file to match a [supported format](https://bitwarden.com/help/condition-bitwarden-import/).

> [!TIP] Import to org instead of individual
> [Import data to an organization](https://bitwarden.com/help/import-to-org/) for large team sharing. For smaller teams, [import to a collection](https://bitwarden.com/help/import-data/#import-to-a-collection/).

## Import to your individual vault

Data can be imported to Bitwarden from the web app, browser extension, desktop app, and CLI.
Data is [encrypted](https://bitwarden.com/help/what-encryption-is-used/) locally before being sent to the server for storage.

> [!NOTE] Items not imported
> While some item types cannot be imported, you can still add them to a vault:
>
> - Upload [file attachments](https://bitwarden.com/help/attachments/) to the new vault individually.
> - Re-create [Sends](https://bitwarden.com/help/about-send/) in the new vault.

### Web app

To import data to your vault:

1. Select **Tools**.
2. Select **Import data**:

   ![Import data](https://bitwarden.com/assets/1NbyPb9dN545ZqKGRZYB3x/7ed2e5650e9988bf7595bccebe8a5114/2024-12-03_08-52-08.png)
3. From the **Vault** dropdown menu, select where to save the data:
   - **Individual vault**: Select **My vault** and (optional) choose a **Folder** to put the items in.

     > [!TIP] Choosing a folder with a folder defined in the import.
     > If you select a **Folder** here, any folders defined in your import file will be nested inside it when they're created.
   - **Organization vault**: Select the organization vault’s name and choose a **Collection**. (The [**Manage collection**](https://bitwarden.com/help/about-collections/#collections-permissions/) permission is required.)
4. From the **File format** dropdown menu, select the [import file format](https://bitwarden.com/help/import-faqs/#q-what-file-formats-does-bitwarden-support-for-import/).
5. Select **Choose File** and pick the file or copy and paste your file’s contents into the text box.

   > [!WARNING] Duplicative Imports
   > Importing does not check for duplicates. If you import the same file more than once or import items already in your vault, duplicate items will be created.
6. Select **Import data**. If you are importing a password-protected `.json` file, enter the password into the **Confirm vault import** window that appears.
7. After your data is imported, delete the import source file from your computer. This will protect you in the event your computer is compromised.
### Browser extension

To import data to your vault:

1. Select **Settings**.
2. Select **Vault options**.
3. Select **Import items**. A new window will appear.
4. From the **Vault** dropdown menu, select where to save the data:
   - **Individual vault**: Select **My vault** and (optional) choose a **Folder** to put the items in.

     > [!TIP] Choosing a folder with a folder defined in the import.
     > If you select a **Folder** here, any folders defined in your import file will be nested inside it when they're created.
   - **Organization vault**: Select the organization vault’s name and choose a **Collection**. (You need the [**Manage collection**](https://bitwarden.com/help/about-collections/#collections-permissions/) permission.)
5. From the **File format** dropdown menu, select the [import file format](https://bitwarden.com/help/import-faqs/#q-what-file-formats-does-bitwarden-support-for-import/).
6. Select **Choose File** and pick the file or copy and paste your file’s contents into the text box.

   > [!WARNING] Duplicative Imports
   > Importing does not check for duplicates. If you import the same file more than once or import items already in your vault, duplicate items will be created.
7. Select **Import data**. If you are importing a password-protected `.json` file, enter the password into the **Confirm vault import** window that appears.
8. After your data is imported, delete the import source file from your device. This will protect you in the event your device is compromised.

### Mobile app

In most cases, importing data on a mobile device requires that you do so via the web app opened in a mobile browser. You can reach this location quickly from Password Manager by navigating to **Settings** → **Vault** → **Import items**.

On iOS 26, Bitwarden supports import using the [FIDO Credential Exchange Protocol (CXP)](https://fidoalliance.org/specifications-credential-exchange-specifications) for direct and easy migration of credentials into your vault.
The app you're importing from must also support CXP and steps will vary by application. For example, on the iOS Passwords app, use the ⋯ options menu to select **Export Data to Another App** and choose Bitwarden.

### Desktop app

To import data to your vault:

1. Select **File**.
2. Select **Import data**.
3. From the **Vault** dropdown menu, select where to save the data:
   1. **Individual vault**: Select **My vault** and (optional) choose a **Folder** to put the items in.

      > [!TIP] Choosing a folder with a folder defined in the import.
      > If you select a **Folder** here, any folders defined in your import file will be nested inside it when they're created.
   2. **Organization vault**: Select the organization vault’s name and choose a **Collection**. (You need the [**can manage**](https://bitwarden.com/help/about-collections/#collections-permissions/) permission.)
4. From the **File format** dropdown menu, select the [import file format](https://bitwarden.com/help/import-faqs/#q-what-file-formats-does-bitwarden-support-for-import/).
5. Select **Choose File** and pick the file or copy and paste your file’s contents into the text box.

   > [!WARNING] Duplicative Imports
   > Importing does not check for duplicates. If you import the same file more than once or import items already in your vault, duplicate items will be created.
6. Select **Import data**. If you are importing a password-protected `.json` file, enter the password into the **Confirm vault import** window that appears.
7. After your data is imported, delete the import source file from your computer. This will protect you in the event your computer is compromised.
### CLI

To import data to your vault, use the following [CLI](https://bitwarden.com/help/cli/) command:

```
bw import <format> <path>
```

`bw import` requires a format (use `bw import --formats` to retrieve a list of formats) and a path, for example:

```
bw import <format> /Users/myaccount/Documents/mydata.csv
```

After your data is imported, delete the import source file from your computer. This will protect you in the event your computer is compromised.

## Import to a collection

Import data to a [collection](https://bitwarden.com/help/create-collections/) to organize and share items with small teams, like your family or immediate teammates. (For larger teams, [import data to an organization](https://bitwarden.com/help/import-to-org/).)

Individual collections are a great option when your organization's [data ownership policy](https://bitwarden.com/help/policies/#enforce-organization-data-ownership/) restricts individual vaults.

When on the **Import data** page, select your organization’s **Vault** and the **Collection**:

![Import to individual vault](https://bitwarden.com/assets/5i5K8TyWXdbpJLNlsfyd3v/2856adec442a941dfb67f58afb262da9/2025-05-07_13-14-59.png)

## Troubleshoot import errors

If a limit is exceeded or the file contains unassigned items, you will see an “Import error” message. No data is added to your vault when an import is rejected.

### File limits

Imported files can contain up to:

- 40,000 items
- 2,000 folders
- 2,000 collections
- 7,000 item-folder relationships (For example, a single item in three folders is counted as three item-folder relationships.)
- 80,000 item-collection relationships (For example, a single item in three collections is counted as three item-collection relationships.)

If your file is too large, split it into smaller ones and import each separately.

### Field length limits

If an item in your file (typically a `.csv`) exceeds a field’s **encrypted** character limit, Bitwarden will not import any of its contents.
The “Import error” message will appear with details identifying the specific issue(s).

> [!TIP] Character counts when encrypted
> Bitwarden's encryption process expands text 30-50% during import, which may push your field(s) beyond the character limit. For example, a `Notes` field—the most common offender—can increase from 8,000 to over 10,000 characters, exceeding the limit and triggering the error.

To fix this error and upload your data:

1. Open your `.csv` file in a text editor or spreadsheet program.
2. Review the error message details to find the item(s) causing the issue. For example, here’s how to interpret the following error:

   `[2] [Login] “My New Item”: The field Notes exceeds the maximum encrypted value length of 10000 characters.`

   - `[2]` is the index number where the offending item is located, adjusted to match row numbering in most spreadsheet programs.
   - `[Login]` is the vault item `type` of the offending item.
   - `"My New Item"` is the name of the offending item.
   - `Notes` is the specific field that exceeds the character limit.
   - `10000` is the character limit allowed for that field.
3. Reduce the character count or delete the offending item(s).
4. Save the file.
5. Go back to Bitwarden and [import the updated file](https://bitwarden.com/help/import-data/#import-to-your-individual-vault/).

### File contains unassigned items

Organization users (not [admins or owners](https://bitwarden.com/help/user-types-access-control/#member-roles/)) must assign all imported credentials to at least one collection. There are two ways to fix this import error:

- Assign an existing collection where you have the **Manage collection** permission.
- Create a new collection for the unassigned items. [Customize your import file](https://bitwarden.com/help/condition-bitwarden-import/) by entering a new collection name. This will automatically create that collection and add the items to it.
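For the error described under **Field length limits** above, this added example (not Bitwarden code) parses the error detail lines and looks up each offending cell by spreadsheet row, reading the file as CSV records so that notes containing line breaks do not shift the row count. It assumes the field name in the message matches a column header case-insensitively; the plaintext budget uses the upper end of the 30-50% expansion quoted above as an estimate, and the sample data is constructed.

```python
import csv
import io
import re

# Format of one detail line in the "Import error" message, as quoted under
# "Field length limits". The item name may be in straight or curly quotes.
ERROR_RE = re.compile(
    r"\[(?P<row>\d+)\]\s+\[(?P<type>[^\]]+)\]\s+[\"“](?P<item>.*?)[\"”]:\s+"
    r"The field (?P<field>.+?) exceeds the maximum encrypted value length "
    r"of (?P<limit>\d+) characters\."
)

# Upper end of the 30-50% growth quoted in the tip; used only as an estimate.
WORST_CASE_GROWTH = 1.5

# Constructed sample: a two-item file whose first note spans two text lines,
# so text-editor line numbers and spreadsheet row numbers disagree.
SAMPLE_CSV = 'name,notes\nMy New Item,"line one\n' + "x" * 7991 + '"\nOther,short\n'
SAMPLE_ERROR = (
    "[2] [Login] “My New Item”: The field Notes exceeds the maximum "
    "encrypted value length of 10000 characters."
)


def review(csv_text, error_text):
    """Return one finding per error line, with the current length of the offending cell."""
    # csv.reader yields one record per spreadsheet row, even for multi-line cells.
    rows = list(csv.reader(io.StringIO(csv_text, newline="")))
    header = [h.strip().lower() for h in rows[0]] if rows else []
    findings = []
    for m in ERROR_RE.finditer(error_text):
        row_no, limit = int(m["row"]), int(m["limit"])
        field = m["field"].strip().lower()
        finding = {
            "row": row_no,
            "type": m["type"],
            "item": m["item"],
            "field": m["field"],
            "limit": limit,
            # Plaintext size that should still fit after worst-case expansion.
            "budget": int(limit / WORST_CASE_GROWTH),
            "length": None,       # stays None if the row or column cannot be found
            "item_found": False,  # True when the item name appears in that row
        }
        # Row 1 is the header, so spreadsheet row N is rows[N - 1].
        if 2 <= row_no <= len(rows) and field in header:
            record = rows[row_no - 1]
            col = header.index(field)
            finding["item_found"] = m["item"] in record
            finding["length"] = len(record[col]) if col < len(record) else 0
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in review(SAMPLE_CSV, SAMPLE_ERROR):
        print(f"row {f['row']} {f['item']!r}: {f['field']} is {f['length']} chars, "
              f"aim for at most about {f['budget']}")
```

If `item_found` is false, the file has probably been edited since the failed import and the row numbers in the message no longer line up.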
> [!NOTE] File contains unassigned items error
> To minimize this error, turn on the [Restrict collection creation to owners and admins setting](https://bitwarden.com/help/collection-management/#collection-management-settings/) to prevent users from creating collections.

### Organization can only have a maximum of two collections

Free organizations can have up to two [collections](https://bitwarden.com/help/about-collections/). If you try importing a file that specifies more than two collections, an import error will appear. There are a few options to correct this:

- If you are trying to import a `.csv` or `.json`, [edit the file](https://bitwarden.com/help/condition-bitwarden-import/) to remove the additional collections.
- Upgrade your plan so you can create more collections and import your file as-is.

--- URL: https://bitwarden.com/help/import-faqs/ ---

# Import & Export FAQs

This article contains frequently asked questions (FAQs) regarding import & export.

### Q: How do I import my data if I don’t see my service on the import options list?

**A:** If we don't have official support for the service you are using, manually condition a `.csv` or `.json` for import into Bitwarden. For more information about how to do this, see [Condition a Bitwarden .csv or .json](https://bitwarden.com/help/condition-bitwarden-import/).

### Q: How do I import items directly to collections?

**A:** You can import items into existing collections by appropriately conditioning a `.json` before importing, or you can define new collections within your import file in order to create new collections when you upload the file. [Learn how](https://bitwarden.com/help/condition-bitwarden-import/).

### Q: Why did importing create duplicate vault items?

**A:** Every import operation creates every new record as an item in your vault, regardless of whether matching vault items already exist in your vault.
Prior to import, we recommend either:

- Editing your import file to only include net-new vault items.
- Purging your vault before an import operation. Individual vaults can be purged from the **Settings** → **My account** page. Organization vaults can be purged from the Organization **Settings** → **Organization info** page.

### Q: What file formats does Bitwarden support for import?

**A:** The following formats are supported out-of-the-box:

> [!TIP] If import format isn't listed.
> If your format is not listed below, manually [create a Bitwarden .csv or .json](https://bitwarden.com/help/condition-bitwarden-import/).

- [1Password (1pif)](https://bitwarden.com/help/import-from-1password/)
- [1Password 6 & 7 Windows (csv)](https://bitwarden.com/help/import-from-1password/)
- [1Password 6 & 7 Mac (csv)](https://bitwarden.com/help/import-from-1password/)
- 1Password (1pux)
- Ascendo DataVault (csv)
- Avast Passwords (csv)
- Avast Passwords (json)
- Avira (json)
- BlackBerry Password Keeper (csv)
- Blur (csv)
- [Brave (csv)](https://bitwarden.com/help/import-from-chrome/) (select **Chrome**)
- Buttercup (csv)
- [Chrome (csv)](https://bitwarden.com/help/import-from-chrome/)
- Clipperz (html)
- Codebook (csv)
- Dashlane (json)
- Dashlane (csv)
- Edge (csv)
- Encryptr (csv)
- Enpass (csv)
- Enpass (json)
- [Firefox (csv)](https://bitwarden.com/help/import-from-firefox/)
- F-Secure KEY (fsk)
- GNOME Passwords and Keys/Seahorse (json)
- Kaspersky Password Manager (txt)
- KeePass 2 (xml)
- KeePassX (csv)
- Keeper (csv)
- [LastPass (csv)](https://bitwarden.com/help/import-from-lastpass/)
- LogMeOnce (csv)
- Meldium (csv)
- mSecure (csv)
- Myki (csv)
- [Microsoft Edge (csv)](https://bitwarden.com/help/import-from-chrome/) (select **Chrome**)
- Netwrix Password Secure (csv)
- Nordpass (csv)
- [Opera (csv)](https://bitwarden.com/help/import-from-chrome/) (select **Chrome**)
- Padlock (csv)
- Passbolt (csv)
- PassKeep (csv)
- Passky (json)
- Passman (json)
- Passpack (csv)
- Password
Agent (csv)
- Password Boss (json)
- Password Dragon (xml)
- Password Depot 17 (xml)
- Password Safe (xml)
- PasswordWallet (txt)
- PasswordXP (csv)
- ProtonPass (json)
- Psono (json)
- RememBear (csv)
- RoboForm (csv)
- Safari and macOS (csv)
- SafeInCloud (xml)
- SaferPass (csv)
- SecureSafe (csv)
- SplashID (csv)
- Sticky Password (xml)
- True Key (csv)
- Universal Password Manager (csv)
- [Vivaldi (csv)](https://bitwarden.com/help/import-from-chrome/)
- Yoti (csv)
- Zoho Vault (csv)

--- URL: https://bitwarden.com/help/import-from-1password/ ---

# Import Data from 1Password

Use this article for help exporting data from 1Password and importing into Bitwarden. 1Password data exports are available as `.1pux` (requires 1Password v8.5+), `.1pif`, and `.csv` files depending on which client version and operating system you are using. Learn [what data 1Password exports include](https://support.1password.com/export/?mac#get-help).

## Export from 1Password

Complete the following steps to export data from the 1Password desktop app:

> [!TIP] 1Password Export Version Differences
> Currently, only 1Password 8 allows you to export multiple vaults at once. If you are using 1Password 8, skip to **Step 3**.

1. Navigate to the vault you'd like to export.
2. In your vault, select the items you would like to export. Hold Ctrl/Cmd to select multiple vault items, or select everything by pressing Ctrl/Cmd + A.
3. Depending on your device:
   - On Windows, select **File** → **Export** or right-click and select **Export**.
   - On macOS, select **File** → **Export** → **All Items...**.

   > [!NOTE] 1password csv export
   > When exporting a `.csv` from macOS, you must also select **All Fields** and check **Include Column Labels**.
4. In the export window, specify a location and file format.

## Import to Bitwarden

Data can be imported to Bitwarden from the web app, browser extension, desktop app, and CLI.
Data is [encrypted](https://bitwarden.com/help/what-encryption-is-used/) locally before being sent to the server for storage.

> [!NOTE] Items not imported
> While some item types cannot be imported, you can still add them to a vault:
>
> - Upload [file attachments](https://bitwarden.com/help/attachments/) to the new vault individually.
> - Re-create [Sends](https://bitwarden.com/help/about-send/) in the new vault.

### Web app

To import data to your vault:

1. Select **Tools**.
2. Select **Import data**:

   ![Import data](https://bitwarden.com/assets/1NbyPb9dN545ZqKGRZYB3x/7ed2e5650e9988bf7595bccebe8a5114/2024-12-03_08-52-08.png)
3. From the **Vault** dropdown menu, select where to save the data:
   - **Individual vault**: Select **My vault** and (optional) choose a **Folder** to put the items in.

     > [!TIP] Choosing a folder with a folder defined in the import.
     > If you select a **Folder** here, any folders defined in your import file will be nested inside it when they're created.
   - **Organization vault**: Select the organization vault’s name and choose a **Collection**. (The [**Manage collection**](https://bitwarden.com/help/about-collections/#collections-permissions/) permission is required.)
4. From the **File format** dropdown menu, select the [import file format](https://bitwarden.com/help/import-faqs/#q-what-file-formats-does-bitwarden-support-for-import/).
5. Select **Choose File** and pick the file or copy and paste your file’s contents into the text box.

   > [!WARNING] Duplicative Imports
   > Importing does not check for duplicates. If you import the same file more than once or import items already in your vault, duplicate items will be created.
6. Select **Import data**. If you are importing a password protected `.json` file, enter the password into the **Confirm vault import** window that appears.
7. After your data is imported, delete the import source file from your computer. This will protect you in the event your computer is compromised.
### Browser extension

To import data to your vault:

1. Select **Settings**.
2. Select **Vault options**.
3. Select **Import items**. A new window will appear.
4. From the **Vault** dropdown menu, select where to save the data:
   - **Individual vault**: Select **My vault** and (optional) choose a **Folder** to put the items in.

     > [!TIP] Choosing a folder with a folder defined in the import.
     > If you select a **Folder** here, any folders defined in your import file will be nested inside it when they're created.
   - **Organization vault**: Select the organization vault’s name and choose a **Collection**. (You need the [**Manage collection**](https://bitwarden.com/help/about-collections/#collections-permissions/) permission.)
5. From the **File format** dropdown menu, select the [import file format](https://bitwarden.com/help/import-faqs/#q-what-file-formats-does-bitwarden-support-for-import/).
6. Select **Choose File** and pick the file or copy and paste your file’s contents into the text box.

   > [!WARNING] Duplicative Imports
   > Importing does not check for duplicates. If you import the same file more than once or import items already in your vault, duplicate items will be created.
7. Select **Import data**. If you are importing a password protected `.json` file, enter the password into the **Confirm vault import** window that appears.
8. After your data is imported, delete the import source file from your device. This will protect you in the event your device is compromised.

### Mobile app

In most cases, importing data on a mobile device requires that you do so via the web app opened in a mobile browser. You can reach this location quickly from Password Manager by navigating to **Settings** → **Vault** → **Import items**.

On iOS 26, Bitwarden supports import using the [FIDO Credential Exchange Protocol (CXP)](https://fidoalliance.org/specifications-credential-exchange-specifications) for direct and easy migration of credentials into your vault.
The app you're importing from must also support CXP and steps will vary by application. For example, on the iOS Passwords app, use the ⋯ options menu to select **Export Data to Another App** and choose Bitwarden.

### Desktop app

To import data to your vault:

1. Select **File**.
2. Select **Import data**.
3. From the **Vault** dropdown menu, select where to save the data:
   1. **Individual vault**: Select **My vault** and (optional) choose a **Folder** to put the items in.

      > [!TIP] Choosing a folder with a folder defined in the import.
      > If you select a **Folder** here, any folders defined in your import file will be nested inside it when they're created.
   2. **Organization vault**: Select the organization vault’s name and choose a **Collection**. (You need the [**can manage**](https://bitwarden.com/help/about-collections/#collections-permissions/) permission.)
4. From the **File format** dropdown menu, select the [import file format](https://bitwarden.com/help/import-faqs/#q-what-file-formats-does-bitwarden-support-for-import/).
5. Select **Choose File** and pick the file or copy and paste your file’s contents into the text box.

   > [!WARNING] Duplicative Imports
   > Importing does not check for duplicates. If you import the same file more than once or import items already in your vault, duplicate items will be created.
6. Select **Import data**. If you are importing a password protected `.json` file, enter the password into the **Confirm vault import** window that appears.
7. After your data is imported, delete the import source file from your computer. This will protect you in the event your computer is compromised.
### CLI

To import data to your vault, use the following [CLI](https://bitwarden.com/help/cli/) command:

```
bw import
```

`bw import` requires a format (use `bw import --formats` to retrieve a list of formats) and a path, for example:

```
bw import <format> /Users/myaccount/Documents/mydata.csv
```

After your data is imported, delete the import source file from your computer. This will protect you in the event your computer is compromised.

If an “Import error” message appears, no data was added to your vault. [Fix the import file issue](https://bitwarden.com/help/import-data/#troubleshoot-import-errors/) and try again.

--- URL: https://bitwarden.com/help/import-from-chrome/ ---

# Import from Chrome, Edge, & Chromium Browsers

Quickly transfer your saved passwords in Chromium-based browsers, like Google Chrome, Microsoft Edge, and Opera, to your Bitwarden vault. There are two methods:

- [Export your browser data](https://bitwarden.com/help/import-from-chrome/#export-from-your-browser/) and import it into Bitwarden
- [Import directly from your browser](https://bitwarden.com/help/import-from-chrome/#import-directly-from-browser/) (desktop app only)

## Export & import a file from your browser

### Export from your browser

Export your data from a desktop or mobile browser.

### Desktop browser

To export passwords from Chrome or Edge on your desktop:

1. Open your browser's settings and navigate to the password settings, for example `chrome://password-manager/settings` or `edge://wallet/passwords`.
2. Locate **Export Passwords** and click **Download file**. You may be prompted to enter your computer's password for authorization. For Microsoft Edge, this may be hidden behind a ⋯ menu in the Saved passwords section.
3. Specify a location to save your export to, and verify that the format is **comma-separated values** (**CSV**).
4. Select **Save** to finish exporting.

### Mobile browser

To export passwords from Chrome or Edge on your mobile device:

1.
Tap the ⋯ menu button and tap **Password Manager**.
2. Tap **Settings**.
3. Tap **Export Passwords...**. You may be prompted to enter your device PIN or a biometric for authorization.
4. Specify a location to save your export to.

### Import to Bitwarden

Data can be imported to Bitwarden from the web app, browser extension, desktop app, and CLI. Data is [encrypted](https://bitwarden.com/help/what-encryption-is-used/) locally before being sent to the server for storage.

> [!NOTE] Items not imported
> While some item types cannot be imported, you can still add them to a vault:
>
> - Upload [file attachments](https://bitwarden.com/help/attachments/) to the new vault individually.
> - Re-create [Sends](https://bitwarden.com/help/about-send/) in the new vault.

### Web app

To import data to your vault:

1. Select **Tools**.
2. Select **Import data**:

   ![Import data](https://bitwarden.com/assets/1NbyPb9dN545ZqKGRZYB3x/7ed2e5650e9988bf7595bccebe8a5114/2024-12-03_08-52-08.png)
3. From the **Vault** dropdown menu, select where to save the data:
   - **Individual vault**: Select **My vault** and (optional) choose a **Folder** to put the items in.

     > [!TIP] Choosing a folder with a folder defined in the import.
     > If you select a **Folder** here, any folders defined in your import file will be nested inside it when they're created.
   - **Organization vault**: Select the organization vault’s name and choose a **Collection**. (The [**Manage collection**](https://bitwarden.com/help/about-collections/#collections-permissions/) permission is required.)
4. From the **File format** dropdown menu, select the [import file format](https://bitwarden.com/help/import-faqs/#q-what-file-formats-does-bitwarden-support-for-import/).
5. Select **Choose File** and pick the file or copy and paste your file’s contents into the text box.

   > [!WARNING] Duplicative Imports
   > Importing does not check for duplicates.
If you import the same file more than once or import items already in your vault, duplicate items will be created.
6. Select **Import data**. If you are importing a password protected `.json` file, enter the password into the **Confirm vault import** window that appears.
7. After your data is imported, delete the import source file from your computer. This will protect you in the event your computer is compromised.

### Browser extension

To import data to your vault:

1. Select **Settings**.
2. Select **Vault options**.
3. Select **Import items**. A new window will appear.
4. From the **Vault** dropdown menu, select where to save the data:
   - **Individual vault**: Select **My vault** and (optional) choose a **Folder** to put the items in.

     > [!TIP] Choosing a folder with a folder defined in the import.
     > If you select a **Folder** here, any folders defined in your import file will be nested inside it when they're created.
   - **Organization vault**: Select the organization vault’s name and choose a **Collection**. (You need the [**Manage collection**](https://bitwarden.com/help/about-collections/#collections-permissions/) permission.)
5. From the **File format** dropdown menu, select the [import file format](https://bitwarden.com/help/import-faqs/#q-what-file-formats-does-bitwarden-support-for-import/).
6. Select **Choose File** and pick the file or copy and paste your file’s contents into the text box.

   > [!WARNING] Duplicative Imports
   > Importing does not check for duplicates. If you import the same file more than once or import items already in your vault, duplicate items will be created.
7. Select **Import data**. If you are importing a password protected `.json` file, enter the password into the **Confirm vault import** window that appears.
8. After your data is imported, delete the import source file from your device. This will protect you in the event your device is compromised.
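
Because importing does not check for duplicates, the export has to be cut down to net-new logins before it is imported. The following is an added example, not Bitwarden's code: it compares a Chrome-style CSV export against a Bitwarden `.csv` export of the target vault. The column names, helper names and sample rows are assumptions constructed for illustration.

```python
"""Added example: trim a browser CSV export to net-new logins before import."""
import csv
import io
import os
from urllib.parse import urlsplit

# Column names are assumptions (not stated on this page): a Chrome-style export
# and a Bitwarden .csv export of the vault you are importing into.
CHROME_COLS = ("url", "username", "password")
VAULT_COLS = ("login_uri", "login_username", "login_password")


def login_key(url, username):
    """Reduce a login to (host, username) so path or 'www.' noise still matches."""
    parts = urlsplit(url.strip())
    # Bare hosts such as 'example.com/login' have no scheme and land in .path.
    host = parts.hostname or parts.path.split("/")[0].lower()
    if host.startswith("www."):
        host = host[4:]
    return host, username.strip()


def net_new(import_csv, vault_csv, import_cols=CHROME_COLS, vault_cols=VAULT_COLS):
    """Split import rows into (keep, conflicts, skipped_count).

    keep      rows whose login is not in the vault and not repeated in the file
    conflicts (host, username) keys that exist with a different password
    skipped   number of rows dropped as exact duplicates
    """
    known = {}
    for row in csv.DictReader(io.StringIO(vault_csv)):
        url, user, pw = (row.get(c) or "" for c in vault_cols)
        if url or user:  # notes, cards and identities have empty login columns
            known[login_key(url, user)] = pw
    keep, conflicts, skipped = [], [], 0
    for row in csv.DictReader(io.StringIO(import_csv)):
        url, user, pw = (row.get(c) or "" for c in import_cols)
        key = login_key(url, user)
        if key not in known:
            known[key] = pw  # remember it, so a repeat later in the file is dropped
            keep.append(row)
        elif known[key] == pw:
            skipped += 1
        else:
            conflicts.append(key)  # report for manual review, without the secret
    return keep, conflicts, skipped


def to_csv(rows, fieldnames):
    """Serialise the kept rows back to CSV text with the original header."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fieldnames, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def write_private(path, text):
    """Create the filtered file owner-only (0600); refuse to overwrite a file."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w", newline="") as handle:
        handle.write(text)


# Constructed sample data; no real credentials.
SAMPLE_IMPORT = """name,url,username,password,note
example.com,https://www.example.com/login,alice,pw-one,
example.com,https://example.com/,alice,pw-one,
shop.test,https://shop.test/account,bob,pw-two,
mail.test,https://mail.test/,carol,pw-new,
mail.test,https://mail.test/inbox,carol,pw-new,
"""
SAMPLE_VAULT = """folder,favorite,type,name,notes,fields,reprompt,login_uri,login_username,login_password,login_totp
,,login,Shop,,,0,https://shop.test/,bob,pw-old,
,,login,Example,,,0,https://example.com,alice,pw-one,
,,note,Wifi,constructed note,,0,,,,
"""

if __name__ == "__main__":
    keep, conflicts, skipped = net_new(SAMPLE_IMPORT, SAMPLE_VAULT)
    print(f"import {len(keep)} row(s), skipped {skipped} duplicate(s)")
    for host, user in conflicts:
        print(f"review by hand: {user} @ {host} (password differs from vault)")
```

The filtered file and the vault export used for comparison are both plaintext credentials, so delete them after the import along with the original export.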
### Mobile app

In most cases, importing data on a mobile device requires that you do so via the web app opened in a mobile browser. You can reach this location quickly from Password Manager by navigating to **Settings** → **Vault** → **Import items**.

On iOS 26, Bitwarden supports import using the [FIDO Credential Exchange Protocol (CXP)](https://fidoalliance.org/specifications-credential-exchange-specifications) for direct and easy migration of credentials into your vault. The app you're importing from must also support CXP and steps will vary by application. For example, on the iOS Passwords app, use the ⋯ options menu to select **Export Data to Another App** and choose Bitwarden.

### Desktop app

To import data to your vault:

1. Select **File**.
2. Select **Import data**.
3. From the **Vault** dropdown menu, select where to save the data:
   1. **Individual vault**: Select **My vault** and (optional) choose a **Folder** to put the items in.

      > [!TIP] Choosing a folder with a folder defined in the import.
      > If you select a **Folder** here, any folders defined in your import file will be nested inside it when they're created.
   2. **Organization vault**: Select the organization vault’s name and choose a **Collection**. (You need the [**can manage**](https://bitwarden.com/help/about-collections/#collections-permissions/) permission.)
4. From the **File format** dropdown menu, select the [import file format](https://bitwarden.com/help/import-faqs/#q-what-file-formats-does-bitwarden-support-for-import/).
5. Select **Choose File** and pick the file or copy and paste your file’s contents into the text box.

   > [!WARNING] Duplicative Imports
   > Importing does not check for duplicates. If you import the same file more than once or import items already in your vault, duplicate items will be created.
6. Select **Import data**. If you are importing a password protected `.json` file, enter the password into the **Confirm vault import** window that appears.
7.
After your data is imported, delete the import source file from your computer. This will protect you in the event your computer is compromised.

### CLI

To import data to your vault, use the following [CLI](https://bitwarden.com/help/cli/) command:

```
bw import
```

`bw import` requires a format (use `bw import --formats` to retrieve a list of formats) and a path, for example:

```
bw import <format> /Users/myaccount/Documents/mydata.csv
```

After your data is imported, delete the import source file from your computer. This will protect you in the event your computer is compromised.

If an “Import error” message appears, no data was added to your vault. Fix the import file issue and try again.

## Import directly from browser

You can import passwords from Microsoft Edge, Opera, and Vivaldi into Bitwarden without manually exporting a file. This method is not available for Google Chrome at this time. All Bitwarden desktop apps are compatible, except those installed from the Mac App Store.

> [!NOTE] Antivirus may pop-up.
> The **Import directly from browser** option in versions `2025.11.0` and higher is known to be flagged by some EDR software when it pulls credentials from Chromium browser storage. If you're prompted during this process to allow the app to make changes to your device, select **Yes** to proceed with the import. Learn more about the [direct importer implementation](https://github.com/bitwarden/clients/blob/main/apps/desktop/desktop_native/chromium_importer/README.md).

To import your data:

1. Log into the Bitwarden desktop app.
2. Select **File**.
3. Select **Import data**.
4. From the **Vault** dropdown menu, select where to save the data:
   - **Individual vault**: Select **My vault** and (optional) choose a **Folder** to move the items.
   - **Organization vault**: Select the organization vault’s name and choose a **Collection**. (The [**Manage collection**](https://bitwarden.com/help/about-collections/#collections-permissions/) permission is required.)
5.
From the **File format** dropdown menu, select your browser. Two options will appear below.
6. Select **Import directly from browser**:

   ![Import directly from browser](https://bitwarden.com/assets/1dZKYVPQpd1TVDcmUuwLq2/23e9b222768964108ade8c02e52134ee/Directly_import_with_Chromium.png)
7. Select the **Browser Profile** that contains your passwords.
8. Select **Import data**.
9. Enter your computer's password to confirm.

> [!WARNING] Duplicative Imports
> Importing does not check for duplicates. If you import the same file more than once or import items already in your vault, duplicate items will be created.

--- URL: https://bitwarden.com/help/import-from-dashlane/ ---

# Import Data from Dashlane

Use this article for help exporting data from Dashlane and importing into Bitwarden. Dashlane data exports are primarily available as `.csv` files available for download from the web app that can be imported directly to Bitwarden. If you have a `.json` export from a legacy Dashlane application, that can be imported to Bitwarden as well.

## Export from Dashlane web app

To export data from the Dashlane web app:

1. Select the **My account** dropdown and choose **Settings**.

   ![Export from Dashlane](https://bitwarden.com/assets/5JMQiiNRcMkyPjzC3lsvBp/ef2a9492c16bbeaa7f9eedecf9a11764/Screen_Shot_2022-03-10_at_2.57.56_PM.png)
2. From the settings list, select **Export Data**.

   ![Export from Dashlane](https://bitwarden.com/assets/wOZOD6rm3nmVJf3xy4DKY/3ed0a6daaf4a518ebe48906c644f7211/Screen_Shot_2022-03-10_at_2.58.08_PM.png)
3. Select the **Export to CSV** button and save the file.

Dashlane exports data as a `.zip` that unpacks to multiple `.csv` files. For each `.csv` (`credentials.csv`, `ids.csv`, and so on) follow the import process separately.

## Import to Bitwarden

Data can be imported to Bitwarden from the web app, browser extension, desktop app, and CLI.
Data is [encrypted](https://bitwarden.com/help/what-encryption-is-used/) locally before being sent to the server for storage.

> [!NOTE] Items not imported
> While some item types cannot be imported, you can still add them to a vault:
>
> - Upload [file attachments](https://bitwarden.com/help/attachments/) to the new vault individually.
> - Re-create [Sends](https://bitwarden.com/help/about-send/) in the new vault.

### Web app

To import data to your vault:

1. Select **Tools**.
2. Select **Import data**:

   ![Import data](https://bitwarden.com/assets/1NbyPb9dN545ZqKGRZYB3x/7ed2e5650e9988bf7595bccebe8a5114/2024-12-03_08-52-08.png)
3. From the **Vault** dropdown menu, select where to save the data:
   - **Individual vault**: Select **My vault** and (optional) choose a **Folder** to put the items in.

     > [!TIP] Choosing a folder with a folder defined in the import.
     > If you select a **Folder** here, any folders defined in your import file will be nested inside it when they're created.
   - **Organization vault**: Select the organization vault’s name and choose a **Collection**. (The [**Manage collection**](https://bitwarden.com/help/about-collections/#collections-permissions/) permission is required.)
4. From the **File format** dropdown menu, select the [import file format](https://bitwarden.com/help/import-faqs/#q-what-file-formats-does-bitwarden-support-for-import/).
5. Select **Choose File** and pick the file or copy and paste your file’s contents into the text box.

   > [!WARNING] Duplicative Imports
   > Importing does not check for duplicates. If you import the same file more than once or import items already in your vault, duplicate items will be created.
6. Select **Import data**. If you are importing a password protected `.json` file, enter the password into the **Confirm vault import** window that appears.
7. After your data is imported, delete the import source file from your computer. This will protect you in the event your computer is compromised.
### Browser extension

To import data to your vault:

1. Select **Settings**.
2. Select **Vault options**.
3. Select **Import items**. A new window will appear.
4. From the **Vault** dropdown menu, select where to save the data:
   - **Individual vault**: Select **My vault** and (optional) choose a **Folder** to put the items in.

     > [!TIP] Choosing a folder with a folder defined in the import.
     > If you select a **Folder** here, any folders defined in your import file will be nested inside it when they're created.
   - **Organization vault**: Select the organization vault’s name and choose a **Collection**. (You need the [**Manage collection**](https://bitwarden.com/help/about-collections/#collections-permissions/) permission.)
5. From the **File format** dropdown menu, select the [import file format](https://bitwarden.com/help/import-faqs/#q-what-file-formats-does-bitwarden-support-for-import/).
6. Select **Choose File** and pick the file or copy and paste your file’s contents into the text box.

   > [!WARNING] Duplicative Imports
   > Importing does not check for duplicates. If you import the same file more than once or import items already in your vault, duplicate items will be created.
7. Select **Import data**. If you are importing a password protected `.json` file, enter the password into the **Confirm vault import** window that appears.
8. After your data is imported, delete the import source file from your device. This will protect you in the event your device is compromised.

### Mobile app

In most cases, importing data on a mobile device requires that you do so via the web app opened in a mobile browser. You can reach this location quickly from Password Manager by navigating to **Settings** → **Vault** → **Import items**.

On iOS 26, Bitwarden supports import using the [FIDO Credential Exchange Protocol (CXP)](https://fidoalliance.org/specifications-credential-exchange-specifications) for direct and easy migration of credentials into your vault.
The app you're importing from must also support CXP and steps will vary by application. For example, on the iOS Passwords app, use the ⋯ options menu to select **Export Data to Another App** and choose Bitwarden.

### Desktop app

To import data to your vault:

1. Select **File**.
2. Select **Import data**.
3. From the **Vault** dropdown menu, select where to save the data:
   1. **Individual vault**: Select **My vault** and (optional) choose a **Folder** to put the items in.

      > [!TIP] Choosing a folder with a folder defined in the import.
      > If you select a **Folder** here, any folders defined in your import file will be nested inside it when they're created.
   2. **Organization vault**: Select the organization vault’s name and choose a **Collection**. (You need the [**can manage**](https://bitwarden.com/help/about-collections/#collections-permissions/) permission.)
4. From the **File format** dropdown menu, select the [import file format](https://bitwarden.com/help/import-faqs/#q-what-file-formats-does-bitwarden-support-for-import/).
5. Select **Choose File** and pick the file or copy and paste your file’s contents into the text box.

   > [!WARNING] Duplicative Imports
   > Importing does not check for duplicates. If you import the same file more than once or import items already in your vault, duplicate items will be created.
6. Select **Import data**. If you are importing a password protected `.json` file, enter the password into the **Confirm vault import** window that appears.
7. After your data is imported, delete the import source file from your computer. This will protect you in the event your computer is compromised.
### CLI

To import data to your vault, use the following [CLI](https://bitwarden.com/help/cli/) command:

```
bw import
```

`bw import` requires a format (use `bw import --formats` to retrieve a list of formats) and a path, for example:

```
bw import <format> /Users/myaccount/Documents/mydata.csv
```

After your data is imported, delete the import source file from your computer. This will protect you in the event your computer is compromised.

If an “Import error” message appears, no data was added to your vault. [Fix the import file issue](https://bitwarden.com/help/import-data/#troubleshoot-import-errors/) and try again.

--- URL: https://bitwarden.com/help/import-from-firefox/ ---

# Import Data from Firefox

Use this article for help exporting data from Firefox and importing into Bitwarden.

## Export from Firefox

Exporting from Firefox can look a little different depending on which version you are using, or if you are using a Firefox-based browser like Tor Browser or Waterfox:

### Latest version

To export logins from the latest version of Firefox:

1. Using the address bar, navigate to `about:logins`.
2. Select the ⋯ menu button from the top right and select **Export Passwords...** from the dropdown menu.

You will be prompted to specify a location to save your password export to. Firefox will export your credentials as a `.csv`.

### Older versions

Some older versions of Firefox do not support native export. Complete the following steps to export using FF Password Exporter.

1. [Download](https://github.com/kspearrin/ff-password-exporter), install, and open the FF Password Exporter.
2. Select a user profile from the Detected Firefox User Profiles, or from a specified custom profile directory. If you have set a master password for the user profile, enter it:

   ![Firefox Exporter](https://bitwarden.com/assets/7roVmndD8pbSSBawXTrl1r/ecbf9ac6492e7c77109c76216490780a/ff-password-exporter.png)
3. Select the **Export Passwords** button.
4.
Choose `.csv` for the file format, and save the file to your device.

### Firefox-based

Some Firefox-based browsers offer login export in a different location than vanilla Firefox. If the steps to import from the **Latest Version** don't work, try the following:

1. Using the address bar, navigate to `about:preferences#privacy`.
2. Click the **Saved Logins** button.
3. Click the ⋯ menu button from the top right and select **Export Logins** from the dropdown.

You will be prompted to specify a location to save your login export. Most Firefox-based browsers will export your logins as a `.csv`.

## Import to Bitwarden

Data can be imported to Bitwarden from the web app, browser extension, desktop app, and CLI. Data is [encrypted](https://bitwarden.com/help/what-encryption-is-used/) locally before being sent to the server for storage.

> [!NOTE] Items not imported
> While some item types cannot be imported, you can still add them to a vault:
>
> - Upload [file attachments](https://bitwarden.com/help/attachments/) to the new vault individually.
> - Re-create [Sends](https://bitwarden.com/help/about-send/) in the new vault.

### Web app

To import data to your vault:

1. Select **Tools**.
2. Select **Import data**:

   ![Import data](https://bitwarden.com/assets/1NbyPb9dN545ZqKGRZYB3x/7ed2e5650e9988bf7595bccebe8a5114/2024-12-03_08-52-08.png)
3. From the **Vault** dropdown menu, select where to save the data:
   - **Individual vault**: Select **My vault** and (optional) choose a **Folder** to put the items in.

     > [!TIP] Choosing a folder with a folder defined in the import.
     > If you select a **Folder** here, any folders defined in your import file will be nested inside it when they're created.
   - **Organization vault**: Select the organization vault’s name and choose a **Collection**. (The [**Manage collection**](https://bitwarden.com/help/about-collections/#collections-permissions/) permission is required.)
4.
From the **File format** dropdown menu, select the [import file format](https://bitwarden.com/help/import-faqs/#q-what-file-formats-does-bitwarden-support-for-import/).
5. Select **Choose File** and pick the file or copy and paste your file’s contents into the text box.

   > [!WARNING] Duplicative Imports
   > Importing does not check for duplicates. If you import the same file more than once or import items already in your vault, duplicate items will be created.
6. Select **Import data**. If you are importing a password protected `.json` file, enter the password into the **Confirm vault import** window that appears.
7. After your data is imported, delete the import source file from your computer. This will protect you in the event your computer is compromised.

### Browser extension

To import data to your vault:

1. Select **Settings**.
2. Select **Vault options**.
3. Select **Import items**. A new window will appear.
4. From the **Vault** dropdown menu, select where to save the data:
   - **Individual vault**: Select **My vault** and (optional) choose a **Folder** to put the items in.

     > [!TIP] Choosing a folder with a folder defined in the import.
     > If you select a **Folder** here, any folders defined in your import file will be nested inside it when they're created.
   - **Organization vault**: Select the organization vault’s name and choose a **Collection**. (You need the [**Manage collection**](https://bitwarden.com/help/about-collections/#collections-permissions/) permission.)
5. From the **File format** dropdown menu, select the [import file format](https://bitwarden.com/help/import-faqs/#q-what-file-formats-does-bitwarden-support-for-import/).
6. Select **Choose File** and pick the file or copy and paste your file’s contents into the text box.

   > [!WARNING] Duplicative Imports
   > Importing does not check for duplicates. If you import the same file more than once or import items already in your vault, duplicate items will be created.
7. Select **Import data**.
If you are importing a password protected `.json` file, enter the password into the **Confirm vault import** window that appears.
8. After your data is imported, delete the import source file from your device. This will protect you in the event your device is compromised.

### Mobile app

In most cases, importing data on a mobile device requires that you do so via the web app opened in a mobile browser. You can reach this location quickly from Password Manager by navigating to **Settings** → **Vault** → **Import items**.

On iOS 26, Bitwarden supports import using the [FIDO Credential Exchange Protocol (CXP)](https://fidoalliance.org/specifications-credential-exchange-specifications) for direct and easy migration of credentials into your vault. The app you're importing from must also support CXP and steps will vary by application. For example, on the iOS Passwords app, use the ⋯ options menu to select **Export Data to Another App** and choose Bitwarden.

### Desktop app

To import data to your vault:

1. Select **File**.
2. Select **Import data**.
3. From the **Vault** dropdown menu, select where to save the data:
   1. **Individual vault**: Select **My vault** and (optional) choose a **Folder** to put the items in.

      > [!TIP] Choosing a folder with a folder defined in the import.
      > If you select a **Folder** here, any folders defined in your import file will be nested inside it when they're created.
   2. **Organization vault**: Select the organization vault’s name and choose a **Collection**. (You need the [**can manage**](https://bitwarden.com/help/about-collections/#collections-permissions/) permission.)
4. From the **File format** dropdown menu, select the [import file format](https://bitwarden.com/help/import-faqs/#q-what-file-formats-does-bitwarden-support-for-import/).
5. Select **Choose File** and pick the file or copy and paste your file’s contents into the text box.

   > [!WARNING] Duplicative Imports
   > Importing does not check for duplicates.
If you import the same file more than once or import items already in your vault, duplicate items will be created.
6. Select **Import data**. If you are importing a password protected `.json` file, enter the password into the **Confirm vault import** window that appears.
7. After your data is imported, delete the import source file from your computer. This will protect you in the event your computer is compromised.

### CLI

To import data to your vault, use the following [CLI](https://bitwarden.com/help/cli/) command:

```
bw import
```

`bw import` requires a format (use `bw import --formats` to retrieve a list of formats) and a path, for example:

```
bw import <format> /Users/myaccount/Documents/mydata.csv
```

After your data is imported, delete the import source file from your computer. This will protect you in the event your computer is compromised.

If an “Import error” message appears, no data was added to your vault. [Fix the import file issue](https://bitwarden.com/help/import-data/#troubleshoot-import-errors/) and try again.

--- URL: https://bitwarden.com/help/import-from-keeper/ ---

# Import Data from Keeper

Use this article for help exporting data from Keeper and importing into Bitwarden. Bitwarden supports import of Keeper data that is exported as a `.csv` file.

## Export from Keeper

To export data from the Keeper web app:

1. Select your account email in the top corner of the web app and select Settings from the dropdown:

   ![Export from Keeper](https://bitwarden.com/assets/37IrIjwTCvp8aeNOYgVINt/b5520f293391b24fa825eaa2e944788b/2025-01-06_09-30-34.png)
2. From the Settings pop out, select **Export**.
3. Choose the **CSV** export file type, and select **Export**.

You'll be required to confirm your master password in order to finish the export.

## Import to Bitwarden

Data can be imported to Bitwarden from the web app, browser extension, desktop app, and CLI.
Data is [encrypted](https://bitwarden.com/help/what-encryption-is-used/) locally before being sent to the server for storage.

> [!NOTE] Items not imported
> While some item types cannot be imported, you can still add them to a vault:
>
> - Upload [file attachments](https://bitwarden.com/help/attachments/) to the new vault individually.
> - Re-create [Sends](https://bitwarden.com/help/about-send/) in the new vault.

### Web app

To import data to your vault:

1. Select **Tools**.
2. Select **Import data**:

   ![Import data](https://bitwarden.com/assets/1NbyPb9dN545ZqKGRZYB3x/7ed2e5650e9988bf7595bccebe8a5114/2024-12-03_08-52-08.png)
3. From the **Vault** dropdown menu, select where to save the data:
   - **Individual vault**: Select **My vault** and (optional) choose a **Folder** to put the items in.

     > [!TIP] Choosing a folder with a folder defined in the import.
     > If you select a **Folder** here, any folders defined in your import file will be nested inside it when they're created.

   - **Organization vault**: Select the organization vault’s name and choose a **Collection**. (The [**Manage collection**](https://bitwarden.com/help/about-collections/#collections-permissions/) permission is required.)
4. From the **File format** dropdown menu, select the [import file format](https://bitwarden.com/help/import-faqs/#q-what-file-formats-does-bitwarden-support-for-import/).
5. Select **Choose File** and pick the file or copy and paste your file’s contents into the text box.

   > [!WARNING] Duplicative Imports
   > Importing does not check for duplicates. If you import the same file more than once or import items already in your vault, duplicate items will be created.

6. Select **Import data**. If you are importing a password protected `.json` file, enter the password into the **Confirm vault import** window that appears.
7. After your data is imported, delete the import source file from your computer. This will protect you in the event your computer is compromised.

### Browser extension

To import data to your vault:

1. Select **Settings**.
2. Select **Vault options**.
3. Select **Import items**. A new window will appear.
4. From the **Vault** dropdown menu, select where to save the data:
   - **Individual vault**: Select **My vault** and (optional) choose a **Folder** to put the items in.

     > [!TIP] Choosing a folder with a folder defined in the import.
     > If you select a **Folder** here, any folders defined in your import file will be nested inside it when they're created.

   - **Organization vault**: Select the organization vault’s name and choose a **Collection**. (You need the [**Manage collection**](https://bitwarden.com/help/about-collections/#collections-permissions/) permission.)
5. From the **File format** dropdown menu, select the [import file format](https://bitwarden.com/help/import-faqs/#q-what-file-formats-does-bitwarden-support-for-import/).
6. Select **Choose File** and pick the file or copy and paste your file’s contents into the text box.

   > [!WARNING] Duplicative Imports
   > Importing does not check for duplicates. If you import the same file more than once or import items already in your vault, duplicate items will be created.

7. Select **Import data**. If you are importing a password protected `.json` file, enter the password into the **Confirm vault import** window that appears.
8. After your data is imported, delete the import source file from your device. This will protect you in the event your device is compromised.

### Mobile app

In most cases, importing data on a mobile device requires that you do so via the web app opened in a mobile browser. You can reach this location quickly from Password Manager by navigating to **Settings** → **Vault** → **Import items**.

On iOS 26, Bitwarden supports import using the [FIDO Credential Exchange Protocol (CXP)](https://fidoalliance.org/specifications-credential-exchange-specifications) for direct and easy migration of credentials into your vault.
The app you're importing from must also support CXP and steps will vary by application. For example, on the iOS Passwords app, use the ⋯ options menu to select **Export Data to Another App** and choose Bitwarden.

### Desktop app

To import data to your vault:

1. Select **File**.
2. Select **Import data**.
3. From the **Vault** dropdown menu, select where to save the data:
   1. **Individual vault**: Select **My vault** and (optional) choose a **Folder** to put the items in.

      > [!TIP] Choosing a folder with a folder defined in the import.
      > If you select a **Folder** here, any folders defined in your import file will be nested inside it when they're created.

   2. **Organization vault**: Select the organization vault’s name and choose a **Collection**. (You need the [**can manage**](https://bitwarden.com/help/about-collections/#collections-permissions/) permission.)
4. From the **File format** dropdown menu, select the [import file format](https://bitwarden.com/help/import-faqs/#q-what-file-formats-does-bitwarden-support-for-import/).
5. Select **Choose File** and pick the file or copy and paste your file’s contents into the text box.

   > [!WARNING] Duplicative Imports
   > Importing does not check for duplicates. If you import the same file more than once or import items already in your vault, duplicate items will be created.

6. Select **Import data**. If you are importing a password protected `.json` file, enter the password into the **Confirm vault import** window that appears.
7. After your data is imported, delete the import source file from your computer. This will protect you in the event your computer is compromised.

### CLI

To import data to your vault, use the following [CLI](https://bitwarden.com/help/cli/) command:

```
bw import <format> <path>
```

`bw import` requires a format (use `bw import --formats` to retrieve a list of formats) and a path, for example:

```
bw import <format> /Users/myaccount/Documents/mydata.csv
```

After your data is imported, delete the import source file from your computer. This will protect you in the event your computer is compromised.

If an “Import error” message appears, no data was added to your vault. [Fix the import file issue](https://bitwarden.com/help/import-data/#troubleshoot-import-errors/) and try again.

--- URL: https://bitwarden.com/help/import-from-lastpass/ ---

# Import Data from LastPass

Use this article for help exporting data from LastPass and importing into Bitwarden.

## Export from LastPass

You can [export your data from LastPass](https://support.lastpass.com/help/export-your-passwords-and-secure-notes-lp040004) from their web vault or from a LastPass browser extension:

> [!TIP] Skip LastPass export for direct
> You can skip this step and immediately start importing to Bitwarden using the [Direct import option](https://bitwarden.com/help/import-from-lastpass/#import-to-bitwarden/), available only on Bitwarden browser extensions and desktop apps.

### LastPass web vault

To export your data from the LastPass web vault:

1. Select the [rocket] **Advanced Options** option on the left sidebar:

   ![Export from web vault](https://bitwarden.com/assets/5uCdlKvfGTjYIEJvKtpbQw/14cd0e6bfb36a53b1f1d6f88d3808a90/lastpassadvancedoptions.png)
2. From the Manage your Vault section, select the **Export** option. At this stage, LastPass will send you an email to confirm the export.
3. In your inbox, confirm the export, return to your LastPass web vault, and select the **Export** option again to complete export.
   Depending on your browser, your data will either be automatically saved as a `.csv` or printed to the screen in a `.csv` format:

   ![LastPass export](https://bitwarden.com/assets/6TIRhpByBC4coLrP58zG8a/fb2da8df01a2e0f56e87f45612182e86/lastpass-copy.png)
4. If your data was printed to the screen, highlight the text and copy and paste it into a new `export.csv` file.

   > [!WARNING] LastPass Export Bug
   > Some users have reported a bug which changes special characters in your passwords (`&`, `<`, `>`, and so on) to their HTML-encoded values (for example, `&amp;`) in the printed export.
   >
   > If you observe this bug in your exported data, use a text editor to find and replace all altered values before importing into Bitwarden.

### LastPass browser extension

To export your data from a LastPass browser extension:

1. In the browser extension, navigate to **Account** → **Fix a problem yourself** → **Export vault items** → **Export data for use anywhere**.

   > [!NOTE] Old LP Export Proc
   > If you're using an old version of the LastPass browser extension, you may instead need to navigate to **Account Options** → **Advanced** → **Export** → **LastPass CSV File**.

2. Enter your master password to validate the export attempt. Depending on your browser, your data will either be automatically saved as a `.csv` or printed to the screen in a `.csv` format:

   ![LastPass export](https://bitwarden.com/assets/6TIRhpByBC4coLrP58zG8a/fb2da8df01a2e0f56e87f45612182e86/lastpass-copy.png)
3. If your data was printed to the screen, highlight the text and copy and paste it into a new `export.csv` file.

## Import to Bitwarden

Import directly from LastPass or use an [exported file](https://bitwarden.com/help/import-from-lastpass/#export-from-lastpass/) from LastPass.
If you're a member of a team using SSO with LastPass, a LastPass administrator will need to complete a short setup procedure before you can use the [**Direct import**](https://bitwarden.com/help/import-from-lastpass/#direct-import-with-sso/) option to import your personal data. In all cases, data is [encrypted](https://bitwarden.com/help/what-encryption-is-used/) locally before being sent to the server for storage.

> [!NOTE] Items not imported
> While some item types cannot be imported, you can still add them to a vault:
>
> - Upload [file attachments](https://bitwarden.com/help/attachments/) to the new vault individually.
> - Re-create [Sends](https://bitwarden.com/help/about-send/) in the new vault.

### Direct import

> [!TIP] Setup SSO for LP Direct Import
> If you're a member of a team using SSO with LastPass, a LastPass administrator will need to complete a short setup procedure before you can use the **Direct import** option ([learn more](https://bitwarden.com/help/import-from-lastpass/#direct-import-with-sso/)).

Password Manager **browser extensions and desktop apps** can import individual vault data directly from your LastPass account, without requiring you to upload a file. To do a direct import:

1. Log in to the Password Manager browser extension or desktop app.
2. In the browser extension, select the **Settings** tab and choose **Vault** and then the **Import items** option. Or, in the desktop app, select **File** > **Import data**.
3. Complete the following fields from the drop down menus:
   - **Vault** or **Import destination:** Select the import destination such as your individual vault or an organizational vault that you have access to.
   - **Folder** or **Collection:** Select if you would like the imported content moved to a specific folder or organization collection that you have access to.
   - [**File format**](https://bitwarden.com/help/import-faqs/#q-what-file-formats-does-bitwarden-support-for-import/)**:** Select **LastPass**.
   - In the LastPass Instructions box, choose the **Import directly from LastPass** option.
   - Enter your **LastPass email**. If you're importing on behalf of your business, we recommend using the credentials of a LastPass [admin](https://support.lastpass.com/s/document-item?language=en_US&bundleId=lastpass&topicId=LastPass/uac_admin_roles.html&_LANG=enus). Using super admin credentials may cause import to fail.
4. Select the **Import data** button to trigger the import.
5. You will be prompted for your LastPass master password or, if your LastPass account uses SSO, to log in to your IdP. In either case, follow the prompts to log in to your LastPass account.

   > [!TIP] Direct import w/ LastPass MFA
   > If your LastPass account has multi-factor authentication activated, you will be prompted to enter a one-time passcode from your authenticator app. If you use Duo for MFA, only in-app approval is supported to fulfill your MFA requirement.

Additional items such as [file attachments](https://bitwarden.com/help/attachments/) and trash will need to be manually uploaded to your vault.

### File import

Files can be imported to Bitwarden from most Password Manager apps (learn how to [export a file from LastPass](https://bitwarden.com/help/import-from-lastpass/#export-from-lastpass/)). In this section, we'll focus on importing using the web app:

1. Log in to the web vault at [https://vault.bitwarden.com](https://vault.bitwarden.com), [https://vault.bitwarden.eu](https://vault.bitwarden.eu), or `https://your.bitwarden.domain.com` if self-hosting.
2. Select **Tools** → **Import data** from the navigation:

   ![Import data](https://bitwarden.com/assets/1NbyPb9dN545ZqKGRZYB3x/7ed2e5650e9988bf7595bccebe8a5114/2024-12-03_08-52-08.png)
3. Complete the following fields from the drop down menus:
   - **Import destination:** Select the import destination such as your individual vault or an organizational vault that you have access to.
   - **Folder or Collection:** Select if you would like the imported content moved to a specific folder or organization collection that you have access to.
   - [**File format**](https://bitwarden.com/help/import-faqs/#q-what-file-formats-does-bitwarden-support-for-import/)**:** Select the import file format.
4. Select **Choose File** and add the file to import or copy/paste the contents of your file into the input box.

   > [!WARNING] Duplicative Imports
   > Importing does not check for duplicates. If you import the same file more than once or import items already in your vault, duplicate items will be created.

5. Select **Import data** to trigger the import. If you are importing a password protected `.json` file, enter the password into the **Confirm vault import** window that will appear.
6. After successful import, delete the import source file from your computer. This will protect you in the event your computer is compromised.

Additional items such as [file attachments](https://bitwarden.com/help/attachments/) and trash will need to be manually uploaded to your vault.

### CLI

To import data to your vault from the CLI, use the following command:

```
bw import <format> <path>
```

`bw import` requires a format (use `bw import --formats` to retrieve a list of formats) and a path, for example:

```
bw import <format> /Users/myaccount/Documents/mydata.csv
```

After successful import, delete the import source file from your computer. This will protect you in the event your computer is compromised.

## Direct import with SSO

> [!NOTE] Supported IdP for LastPass direct import
> The following IdPs are not supported for direct import by LastPass accounts using SSO:
>
> - Google Workspace
> - ADFS

If you're an administrator of a team using SSO with LastPass, you will need to complete the following before your team can use the **Direct import** option:

- Add `bitwarden://sso-callback-lp` and `bitwarden://import-callback-lp` as permitted callback URLs (in some IdPs, "Reply URLs" or "Redirect URLs") in your IdP's LastPass application.

If your users will use the Password Manager browser extension, also:

- Add `https://vault.bitwarden.com/sso-connector.html?lp=1`, `https://vault.bitwarden.eu/sso-connector.html?lp=1`, or `https://your.server.com/sso-connector.html?lp=1` as a permitted callback URL (in some IdPs, "Reply URL" or "Redirect URL") in your IdP's LastPass application.
- Add `chrome-extension://nngceckbapebfimnlniiiahkandclblb`, `chrome-extension://jbkfoedolllekgbhcbcoahefnbanhhlh`, and/or `moz-extension://23462205-0e62-4cc8-80c4-910cf54b82c2` as a permitted callback URL (in some IdPs, "Reply URL" or "Redirect URL") in your IdP's LastPass application.

## Troubleshoot import errors

If an "Import error" message appears, no data was added to your vault. [Fix the import file issue](https://bitwarden.com/help/import-data/#troubleshoot-import-errors/) and try again.

### Organization can only have a maximum of two collections

Free Bitwarden organizations can have up to two [collections](https://bitwarden.com/help/about-collections/) to organize items. When importing data, Bitwarden treats LastPass `grouping` values like collections. If your LastPass export contains three or more `grouping` values and you're part of a [free Bitwarden organization](https://bitwarden.com/help/password-manager-plans/), you'll receive a "This organization can only have a maximum of two collections" import error.
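
Both LastPass export problems this page describes, HTML-encoded special characters in passwords and more than two `grouping` values when importing to a free organization, can be checked before import. The following is an added example, not Bitwarden or LastPass code; the function names, the entity pattern, and the sample rows (this section's CSV with one constructed password) are assumptions.

```python
import csv
import html
import io
import re

FREE_ORG_MAX_COLLECTIONS = 2  # limit this page states for free organizations

# Entities for the characters the page names (&, <, >) plus quotes.
# Assumption: the export bug emits these semicolon-terminated forms.
ENTITY_RE = re.compile(r"&(?:amp|lt|gt|quot|#39|#x27);")

# Constructed sample: this section's example CSV, with the Paypal password
# altered to show the HTML-encoding bug. No real credentials.
SAMPLE_EXPORT = """\
url,username,password,totp,extra,name,grouping,fav
https://www.facebook.com/login.php,username,password,,,Facebook,Social,0
https://twitter.com/login,username,password,,,Twitter,Social,0
https://asana.com/,login,password,,,Asana,Productivity Tools,0
https://github.com/login,username,password,,,Github,Productivity Tools,0
https://www.paypal.com/login,username,p&amp;ss&lt;word,,,Paypal,Finance,0
https://www.bankofamerica.com/,username,password,,,Bankofamerica,Finance,0
"""


def _read(text):
    """Parse CSV text into (header field list, list of row dicts)."""
    reader = csv.DictReader(io.StringIO(text))
    fields = list(reader.fieldnames or [])
    return fields, list(reader)


def audit_lastpass_csv(text):
    """Report problems without changing or exposing any secret.

    Returns (sorted distinct grouping values, names of items whose password
    contains an HTML entity). Password values are never returned.
    """
    _, rows = _read(text)
    groupings = sorted({r["grouping"] for r in rows if r.get("grouping")})
    suspect = [r.get("name") or "" for r in rows
               if ENTITY_RE.search(r.get("password") or "")]
    return groupings, suspect


def condition_lastpass_csv(text, unescape_passwords=False,
                           max_collections=FREE_ORG_MAX_COLLECTIONS):
    """Return CSV text ready for import.

    Drops the grouping column (header and every datum) only when the export
    has more distinct groupings than the organization allows. Decoding of
    HTML entities is opt-in, because a password that legitimately contains
    a sequence such as "&amp;" would otherwise be altered.
    """
    fields, rows = _read(text)
    groupings = {r["grouping"] for r in rows if r.get("grouping")}
    if "grouping" in fields and len(groupings) > max_collections:
        fields.remove("grouping")
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=fields, extrasaction="ignore",
                            lineterminator="\n")
    writer.writeheader()
    for row in rows:
        if unescape_passwords and row.get("password"):
            # Decode only the matched entity tokens, nothing else.
            row["password"] = ENTITY_RE.sub(
                lambda m: html.unescape(m.group(0)), row["password"])
        writer.writerow(row)
    return out.getvalue()


if __name__ == "__main__":
    found_groupings, suspect_items = audit_lastpass_csv(SAMPLE_EXPORT)
    print("grouping values:", found_groupings)
    print("items with HTML-encoded passwords:", suspect_items)
    # Print only the header of the conditioned file, never the secrets.
    conditioned = condition_lastpass_csv(SAMPLE_EXPORT, unescape_passwords=True)
    print("conditioned header:", conditioned.splitlines()[0])
```

Run the audit first and enable `unescape_passwords` only after confirming that no flagged password legitimately contains such a sequence.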
The following `.csv`, for example, would cause this error:

```
url,username,password,totp,extra,name,grouping,fav
https://www.facebook.com/login.php,username,password,,,Facebook,Social,0
https://twitter.com/login,username,password,,,Twitter,Social,0
https://asana.com/,login,password,,,Asana,Productivity Tools,0
https://github.com/login,username,password,,,Github,Productivity Tools,0
https://www.paypal.com/login,username,password,,,Paypal,Finance,0
https://www.bankofamerica.com/,username,password,,,Bankofamerica,Finance,0
```

To solve this issue, delete the `grouping` column and the `grouping` datum for each item, including the trailing comma. For example, edit:

```
https://github.com/login,username,password,,,Github,Productivity Tools,0
```

down to:

```
https://github.com/login,username,password,,,Github,0
```

--- URL: https://bitwarden.com/help/import-from-passwordsafe/ ---

# Import Data from Password Safe

Use this article for help exporting data from Password Safe and importing into Bitwarden. Password Safe (V8) currently only supports exporting as a `.csv` file. Exports from older versions are also supported as `.xml`.

## Export from Password Safe

To export data from the Password Safe desktop app:

1. Open Password Safe 8 and open the **Extras** menu from the upper left corner.
2. Locate the **Export** option on the left-hand side and then choose **Passwords**.
3. For the type please select `CSV` and enter a path to save the exported file. Leave the encoding at UTF-8.

   ![Export from Desktop App](https://bitwarden.com/assets/26qcwkrIZzv8l6n1OkaNEd/195eab889c39b8783523dbc38bfe2f93/passwordsafeV8-export.png)
4. Click on the big gray arrow on the right to proceed to the export settings screen.
5. Set the separating character to **Semicolon**.
6. Set the text qualifier to `"` (double quote).
7. Check the checkbox to keep the column headers.

   ![Export settings screen from Desktop App](https://bitwarden.com/assets/2wnAE5NRWB76CL43QgOLz3/28cd5a175a779294a774ad9ed6cf2cbc/passwordsafeV8-exportsettings.png)
8. Click **Finish** to start the export.

   > [!WARNING] PWSafe Export
   > Please note that Password Safe will export a `.csv` for **every** category you have and not just a single `.csv`.

## Prepare exported file

Currently, Bitwarden does not offer a specific importer for this type of file. To prepare the exported file for import, please follow [these instructions](https://bitwarden.com/help/condition-bitwarden-import/).

## Import to Bitwarden

Data can be imported to Bitwarden from the web app, browser extension, desktop app, and CLI. Data is [encrypted](https://bitwarden.com/help/what-encryption-is-used/) locally before being sent to the server for storage.

> [!NOTE] Items not imported
> While some item types cannot be imported, you can still add them to a vault:
>
> - Upload [file attachments](https://bitwarden.com/help/attachments/) to the new vault individually.
> - Re-create [Sends](https://bitwarden.com/help/about-send/) in the new vault.

### Web app

To import data to your vault:

1. Select **Tools**.
2. Select **Import data**:

   ![Import data](https://bitwarden.com/assets/1NbyPb9dN545ZqKGRZYB3x/7ed2e5650e9988bf7595bccebe8a5114/2024-12-03_08-52-08.png)
3. From the **Vault** dropdown menu, select where to save the data:
   - **Individual vault**: Select **My vault** and (optional) choose a **Folder** to put the items in.

     > [!TIP] Choosing a folder with a folder defined in the import.
     > If you select a **Folder** here, any folders defined in your import file will be nested inside it when they're created.

   - **Organization vault**: Select the organization vault’s name and choose a **Collection**. (The [**Manage collection**](https://bitwarden.com/help/about-collections/#collections-permissions/) permission is required.)
4. From the **File format** dropdown menu, select the [import file format](https://bitwarden.com/help/import-faqs/#q-what-file-formats-does-bitwarden-support-for-import/).
5. Select **Choose File** and pick the file or copy and paste your file’s contents into the text box.

   > [!WARNING] Duplicative Imports
   > Importing does not check for duplicates. If you import the same file more than once or import items already in your vault, duplicate items will be created.

6. Select **Import data**. If you are importing a password protected `.json` file, enter the password into the **Confirm vault import** window that appears.
7. After your data is imported, delete the import source file from your computer. This will protect you in the event your computer is compromised.

### Browser extension

To import data to your vault:

1. Select **Settings**.
2. Select **Vault options**.
3. Select **Import items**. A new window will appear.
4. From the **Vault** dropdown menu, select where to save the data:
   - **Individual vault**: Select **My vault** and (optional) choose a **Folder** to put the items in.

     > [!TIP] Choosing a folder with a folder defined in the import.
     > If you select a **Folder** here, any folders defined in your import file will be nested inside it when they're created.

   - **Organization vault**: Select the organization vault’s name and choose a **Collection**. (You need the [**Manage collection**](https://bitwarden.com/help/about-collections/#collections-permissions/) permission.)
5. From the **File format** dropdown menu, select the [import file format](https://bitwarden.com/help/import-faqs/#q-what-file-formats-does-bitwarden-support-for-import/).
6. Select **Choose File** and pick the file or copy and paste your file’s contents into the text box.

   > [!WARNING] Duplicative Imports
   > Importing does not check for duplicates. If you import the same file more than once or import items already in your vault, duplicate items will be created.

7. Select **Import data**.
   If you are importing a password protected `.json` file, enter the password into the **Confirm vault import** window that appears.
8. After your data is imported, delete the import source file from your device. This will protect you in the event your device is compromised.

### Mobile app

In most cases, importing data on a mobile device requires that you do so via the web app opened in a mobile browser. You can reach this location quickly from Password Manager by navigating to **Settings** → **Vault** → **Import items**.

On iOS 26, Bitwarden supports import using the [FIDO Credential Exchange Protocol (CXP)](https://fidoalliance.org/specifications-credential-exchange-specifications) for direct and easy migration of credentials into your vault. The app you're importing from must also support CXP and steps will vary by application. For example, on the iOS Passwords app, use the ⋯ options menu to select **Export Data to Another App** and choose Bitwarden.

### Desktop app

To import data to your vault:

1. Select **File**.
2. Select **Import data**.
3. From the **Vault** dropdown menu, select where to save the data:
   1. **Individual vault**: Select **My vault** and (optional) choose a **Folder** to put the items in.

      > [!TIP] Choosing a folder with a folder defined in the import.
      > If you select a **Folder** here, any folders defined in your import file will be nested inside it when they're created.

   2. **Organization vault**: Select the organization vault’s name and choose a **Collection**. (You need the [**can manage**](https://bitwarden.com/help/about-collections/#collections-permissions/) permission.)
4. From the **File format** dropdown menu, select the [import file format](https://bitwarden.com/help/import-faqs/#q-what-file-formats-does-bitwarden-support-for-import/).
5. Select **Choose File** and pick the file or copy and paste your file’s contents into the text box.

   > [!WARNING] Duplicative Imports
   > Importing does not check for duplicates.
If you import the same file more than once or import items already in your vault, duplicate items will be created.

6. Select **Import data**. If you are importing a password protected `.json` file, enter the password into the **Confirm vault import** window that appears.
7. After your data is imported, delete the import source file from your computer. This will protect you in the event your computer is compromised.

### CLI

To import data to your vault, use the following [CLI](https://bitwarden.com/help/cli/) command:

```
bw import <format> <path>
```

`bw import` requires a format (use `bw import --formats` to retrieve a list of formats) and a path, for example:

```
bw import <format> /Users/myaccount/Documents/mydata.csv
```

After your data is imported, delete the import source file from your computer. This will protect you in the event your computer is compromised.

If an “Import error” message appears, no data was added to your vault. [Fix the import file issue](https://bitwarden.com/help/import-data/#troubleshoot-import-errors/) and try again.

--- URL: https://bitwarden.com/help/import-from-safari/ ---

# Import Data from macOS & Safari

Use this article for help exporting data from the following platforms, and importing into Bitwarden.

- Safari (macOS and iOS)
- Passwords app (macOS)

> [!TIP] Safari/macOS Export Version
> Exporting passwords requires **Safari 15.0+** or **macOS Monterey (12.0)+**.

## Export from Safari or macOS

You can export your passwords directly from Safari on your Mac computer or from macOS Passwords:

### Safari

#### From your desktop

To export your data from Safari:

1. Select **File** → **Export browsing data to file** from the macOS menu bar, choose passwords, and select **Download**:

   ![Export from Safari](https://bitwarden.com/assets/3j4W80s3G7wqFtVrbzKMO4/36308c2c647912bf204739f2bc5f80f2/2024-12-30_12-58-55.png)
2. Save your export to any location and use Touch ID or your macOS password to complete the export.

#### From an iPhone

To export data from Safari:

1. Open the **Settings** app on your iPhone and navigate to **Apps** → **Safari**.
2. Scroll down to the History and Website Data section and tap **Export**.
3. Choose the **Passwords** option and tap **Save to Downloads**.

Your data will be saved without encryption into your iCloud Drive. As always, make sure you delete export files once your data is imported to Bitwarden.

### macOS Passwords app

To export data from the macOS Passwords app:

1. Locate and open the macOS **Passwords** app. You'll be prompted to use Touch ID or your password to continue.
2. Once your app is unlocked, select **File** and then **Export All Passwords to File...**.

   ![Export macOS Passwords](https://bitwarden.com/assets/6r88eOsL7rY2f6KJj4U79x/3fbfbc41456deaf86a48e85173190405/2025-03-11_09-47-02.png)
3. You will be prompted with a dialog confirming that you want to export saved passwords. Select **Export Passwords...** to continue.
4. Save your export to any location and use Touch ID or your password to complete the export.

## Import to Bitwarden

Data can be imported to Bitwarden from the web app, browser extension, desktop app, and CLI. Data is [encrypted](https://bitwarden.com/help/what-encryption-is-used/) locally before being sent to the server for storage.

> [!NOTE] Items not imported
> While some item types cannot be imported, you can still add them to a vault:
>
> - Upload [file attachments](https://bitwarden.com/help/attachments/) to the new vault individually.
> - Re-create [Sends](https://bitwarden.com/help/about-send/) in the new vault.

### Web app

To import data to your vault:

1. Select **Tools**.
2. Select **Import data**:

   ![Import data](https://bitwarden.com/assets/1NbyPb9dN545ZqKGRZYB3x/7ed2e5650e9988bf7595bccebe8a5114/2024-12-03_08-52-08.png)
3. From the **Vault** dropdown menu, select where to save the data:
   - **Individual vault**: Select **My vault** and (optional) choose a **Folder** to put the items in.

     > [!TIP] Choosing a folder with a folder defined in the import.
     > If you select a **Folder** here, any folders defined in your import file will be nested inside it when they're created.

   - **Organization vault**: Select the organization vault’s name and choose a **Collection**. (The [**Manage collection**](https://bitwarden.com/help/about-collections/#collections-permissions/) permission is required.)
4. From the **File format** dropdown menu, select the [import file format](https://bitwarden.com/help/import-faqs/#q-what-file-formats-does-bitwarden-support-for-import/).
5. Select **Choose File** and pick the file or copy and paste your file’s contents into the text box.

   > [!WARNING] Duplicative Imports
   > Importing does not check for duplicates. If you import the same file more than once or import items already in your vault, duplicate items will be created.

6. Select **Import data**. If you are importing a password protected `.json` file, enter the password into the **Confirm vault import** window that appears.
7. After your data is imported, delete the import source file from your computer. This will protect you in the event your computer is compromised.

### Browser extension

To import data to your vault:

1. Select **Settings**.
2. Select **Vault options**.
3. Select **Import items**. A new window will appear.
4. From the **Vault** dropdown menu, select where to save the data:
   - **Individual vault**: Select **My vault** and (optional) choose a **Folder** to put the items in.

     > [!TIP] Choosing a folder with a folder defined in the import.
     > If you select a **Folder** here, any folders defined in your import file will be nested inside it when they're created.

   - **Organization vault**: Select the organization vault’s name and choose a **Collection**. (You need the [**Manage collection**](https://bitwarden.com/help/about-collections/#collections-permissions/) permission.)
5. From the **File format** dropdown menu, select the [import file format](https://bitwarden.com/help/import-faqs/#q-what-file-formats-does-bitwarden-support-for-import/).
6. Select **Choose File** and pick the file or copy and paste your file’s contents into the text box.

   > [!WARNING] Duplicative Imports
   > Importing does not check for duplicates. If you import the same file more than once or import items already in your vault, duplicate items will be created.

7. Select **Import data**. If you are importing a password protected `.json` file, enter the password into the **Confirm vault import** window that appears.
8. After your data is imported, delete the import source file from your device. This will protect you in the event your device is compromised.

### Mobile app

In most cases, importing data on a mobile device requires that you do so via the web app opened in a mobile browser. You can reach this location quickly from Password Manager by navigating to **Settings** → **Vault** → **Import items**.

On iOS 26, Bitwarden supports import using the [FIDO Credential Exchange Protocol (CXP)](https://fidoalliance.org/specifications-credential-exchange-specifications) for direct and easy migration of credentials into your vault. The app you're importing from must also support CXP and steps will vary by application. For example, on the iOS Passwords app, use the ⋯ options menu to select **Export Data to Another App** and choose Bitwarden.

### Desktop app

To import data to your vault:

1. Select **File**.
2. Select **Import data**.
3. From the **Vault** dropdown menu, select where to save the data:
   1. **Individual vault**: Select **My vault** and (optional) choose a **Folder** to put the items in.

      > [!TIP] Choosing a folder with a folder defined in the import.
      > If you select a **Folder** here, any folders defined in your import file will be nested inside it when they're created.

   2. **Organization vault**: Select the organization vault’s name and choose a **Collection**. (You need the [**can manage**](https://bitwarden.com/help/about-collections/#collections-permissions/) permission.)
4. From the **File format** dropdown menu, select the [import file format](https://bitwarden.com/help/import-faqs/#q-what-file-formats-does-bitwarden-support-for-import/).
5. Select **Choose File** and pick the file or copy and paste your file’s contents into the text box.

   > [!WARNING] Duplicative Imports
   > Importing does not check for duplicates. If you import the same file more than once or import items already in your vault, duplicate items will be created.

6. Select **Import data**. If you are importing a password protected `.json` file, enter the password into the **Confirm vault import** window that appears.
7. After your data is imported, delete the import source file from your computer. This will protect you in the event your computer is compromised.

### CLI

To import data to your vault, use the following [CLI](https://bitwarden.com/help/cli/) command:

```
bw import <format> <path>
```

`bw import` requires a format (use `bw import --formats` to retrieve a list of formats) and a path, for example:

```
bw import <format> /Users/myaccount/Documents/mydata.csv
```

After your data is imported, delete the import source file from your computer. This will protect you in the event your computer is compromised.

## Troubleshoot import errors

If an “Import error” message appears, no data was added to your vault. [Fix the import file issue](https://bitwarden.com/help/import-data/#troubleshoot-import-errors/) and try again.

### iCloud/Mac Keychain/Safari import issues

As of Safari 15.0, you can export passwords from Safari in a `.csv` file. After downloading the file, [condition your .csv](https://bitwarden.com/help/condition-bitwarden-import/) to match Bitwarden's format and import your data.
--- URL: https://bitwarden.com/help/import-secrets-data/ ---

# Import Data

Import data to Secrets Manager for easy migration from another organization or secrets management solution. Secrets Manager supports direct import of both [secrets](https://bitwarden.com/help/secrets/) and [projects](https://bitwarden.com/help/projects/). [Machine accounts](https://bitwarden.com/help/machine-accounts/) and [access tokens](https://bitwarden.com/help/access-tokens/) cannot be imported.

[![Vimeo Video](https://vumbnail.com/854758635.jpg)](https://vimeo.com/854758635)

*[Watch on Vimeo](https://vimeo.com/854758635)*

Learn more about secrets [here](https://bitwarden.com/help/secrets/).

## Condition an import file

Secrets Manager currently supports direct import of secrets and projects as a `.json` file. Your import file should be conditioned according to the following schema and rules:

- Even if you're only importing secrets, you must include a `"projects" :` object containing an empty array, for example:

  ```
  {
    "projects": [],
    "secrets": [
      {
        "key": "Secret for Import 1",
        "value": "this-is-my-value",
        "note": "These are some notes.",
        "id": "00000000-0000-0000-0000-000000000001",
        "projectIds": []
      },
      {
        "key": "Secret for Import 2",
        "value": "this-is-my-value",
        "note": "These are some notes.",
        "id": "00000000-0000-0000-0000-000000000002",
        "projectIds": []
      }
    ]
  }
  ```
- For now, each secret can only be associated with a single project.
- All objects must have a non-empty `"id": ""` attribute that matches an expected format. We recommend using `"00000000-0000-0000-0000-000000000001"` for the first object and incrementing with each subsequent object. On import, new random identifiers will be generated for each object:

  ```
  {
    "projects": [
      {
        "id": "00000000-0000-0000-0000-000000000001",
        "name": "New Project"
      },
      {
        "id": "00000000-0000-0000-0000-000000000002",
        "name": "Second New Project"
      }
    ],
    "secrets": [
      {
        "key": "Secret for Import",
        "value": "this-is-my-value",
        "note": "These are some notes.",
        "id": "00000000-0000-0000-0000-000000000003",
        "projectIds": []
      },
      {
        "key": "Second Secret for Import 2",
        "value": "this-is-my-value",
        "note": "These are some notes.",
        "id": "00000000-0000-0000-0000-000000000004",
        "projectIds": []
      }
    ]
  }
  ```
- You can use the `"projectIds": ""` attributes to associate imported secrets with a newly imported project:

  ```
  {
    "projects": [
      {
        "id": "00000000-0000-0000-0000-000000000001",
        "name": "New Project"
      }
    ],
    "secrets": [
      {
        "key": "New Secret",
        "value": "this-is-my-value",
        "note": "This secret will go in the new project.",
        "id": "00000000-0000-0000-0000-000000000003",
        "projectIds": [
          "00000000-0000-0000-0000-000000000001"
        ]
      }
    ]
  }
  ```

## Import to Secrets Manager

To import your `.json` file to Secrets Manager:

> [!NOTE] Secrets Import Role
> To import to Secrets Manager, your user account must be an owner or admin within the organization.

1. Select **Settings** → **Import data** from the left-hand navigation:

   ![Import data](https://bitwarden.com/assets/1YQuiYqXIuYYG1TpXoSJoU/f76b3ee08dda7b470f96da9ebbe4f9b1/2024-12-03_11-28-29.png)
2. Select **Choose File** and choose a `.json` file for import, or **Copy & paste import contents** into the input box.
3. Select the **Import data** button. When prompted, enter your master password.

> [!WARNING] Secrets import duplicates
> Importing does not check whether objects in the file to import already exist in Secrets Manager. If you import multiple files or import files with objects already in Secrets Manager, **this will create duplicates**.
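The schema rules and the duplicate warning above can be checked before a file is uploaded. The following pre-import check is an added example, not Bitwarden code: `validate_import`, its `existing_keys` parameter, and the `SAMPLE` document are constructed here, and two checks (ids unique within a file, `projectIds` pointing at a project in the same file) are assumptions that go beyond what the page states.

```python
import json
import re

# 8-4-4-4-12 hex layout, matching the ids in the page's sample files.
ID_RE = re.compile(r"^[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")


def validate_import(text, existing_keys=()):
    """Check a Secrets Manager import document; return (errors, warnings).

    Messages name objects by position, id and key only, never by secret value.
    """
    errors, warnings = [], []
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg} at line {exc.lineno}"], warnings
    if not isinstance(doc, dict):
        return ["top level must be a JSON object"], warnings

    # "projects" is mandatory even when only secrets are imported.
    for section in ("projects", "secrets"):
        if not isinstance(doc.get(section), list):
            errors.append(f'"{section}" must be present as an array (it may be empty)')
    if errors:
        return errors, warnings

    seen_ids = set()

    def check_id(label, obj):
        """Validate one object's id; return it normalised, or None if unusable."""
        ident = obj.get("id") if isinstance(obj, dict) else None
        if not isinstance(ident, str) or not ident:
            errors.append(f"{label}: missing or empty id")
            return None
        if not ID_RE.match(ident):
            errors.append(f"{label}: id {ident!r} is not in 8-4-4-4-12 hex form")
            return None
        ident = ident.lower()
        if ident in seen_ids:  # assumption: ids must be unique within one file
            errors.append(f"{label}: id {ident} is reused in this file")
        seen_ids.add(ident)
        return ident

    project_ids = set()
    for i, project in enumerate(doc["projects"]):
        pid = check_id(f"projects[{i}]", project)
        if pid:
            project_ids.add(pid)

    # Import never de-duplicates, so flag keys already known or repeated here.
    seen_keys = set(existing_keys)
    for i, secret in enumerate(doc["secrets"]):
        label = f"secrets[{i}]"
        check_id(label, secret)
        if not isinstance(secret, dict):
            continue
        key = secret.get("key")
        if isinstance(key, str):
            if key in seen_keys:
                warnings.append(f"{label}: key {key!r} already seen; import will create a duplicate")
            seen_keys.add(key)
        refs = secret.get("projectIds", [])
        if not isinstance(refs, list):
            errors.append(f"{label}: projectIds must be an array")
            continue
        if len(refs) > 1:
            errors.append(f"{label}: {len(refs)} projects listed; only one is allowed")
        for ref in refs:
            # assumption: a referenced project must be defined in the same file
            if not isinstance(ref, str) or ref.lower() not in project_ids:
                errors.append(f"{label}: projectIds entry {ref!r} is not a project in this file")
    return errors, warnings


# Constructed sample: the second secret has an empty id, two projects
# (one of them undefined), and a key that repeats the first secret's key.
SAMPLE = """{
  "projects": [{"id": "00000000-0000-0000-0000-000000000001", "name": "New Project"}],
  "secrets": [
    {"key": "New Secret", "value": "x", "note": "",
     "id": "00000000-0000-0000-0000-000000000003",
     "projectIds": ["00000000-0000-0000-0000-000000000001"]},
    {"key": "New Secret", "value": "y", "note": "", "id": "",
     "projectIds": ["00000000-0000-0000-0000-000000000001",
                    "00000000-0000-0000-0000-000000000009"]}
  ]
}"""

if __name__ == "__main__":
    for kind, messages in zip(("error", "warning"), validate_import(SAMPLE)):
        for message in messages:
            print(f"{kind}: {message}")
```

Pass the keys of secrets already in Secrets Manager as `existing_keys` to catch duplicates across imports as well as within one file.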
--- URL: https://bitwarden.com/help/import-to-org/ ---

# Import to an Organization Vault

Import data directly to your organization for easy migration to Bitwarden from any password management solution. Bitwarden supports many [import file formats](https://bitwarden.com/help/import-faqs/#q-what-file-formats-does-bitwarden-support-for-import/) and, if yours is not supported, you can manually create a [compatible .csv or .json file](https://bitwarden.com/help/condition-bitwarden-import/).

There are two methods for importing data directly to your organization:

- Organization [owners, admins, and custom role users with the correct permission](https://bitwarden.com/help/user-types-access-control/) can import items with the organization Admin Console using the instructions in this article.
- Organization members with the [Manage collection permission](https://bitwarden.com/help/collection-permissions/) can import data directly to any collection for which they have that permission by following [this process](https://bitwarden.com/help/import-data/).

## Import to an organization vault

Data can only be imported to an organization using the web app. Data is [encrypted](https://bitwarden.com/help/what-encryption-is-used/) locally before being sent to the server for storage.

> [!NOTE] Items not imported
> While some item types cannot be imported, you can still add them to a vault:
>
> - Upload [file attachments](https://bitwarden.com/help/attachments/) to the new vault individually.
> - Re-create [Sends](https://bitwarden.com/help/about-send/) in the new vault.

To import data to an organization:

1. Log in to the Bitwarden web app and open the Admin Console:

   ![Product switcher](https://bitwarden.com/assets/2uxBDdQa6lu0IgIEfcwMPP/e3de3361749b6496155e25edcfdcf08b/2024-12-02_11-19-56.png)
2. Go to **Settings** → **Import data**:

   ![Admin Console import](https://bitwarden.com/assets/12fA17Iq9LdCXdhPsPYQyq/6fb380ff6165058fefe6fd311e038364/2024-12-03_15-42-21.png)
3. (Optional) To import data to a specific collection, select it from the **Collection** dropdown menu. This can be helpful when importing data in batches for one segment of users at a time.
4. From the **File format** dropdown menu, select the [import file format](https://bitwarden.com/help/import-faqs/#q-what-file-formats-does-bitwarden-support-for-import/).

   > [!NOTE] Encrypted imports
   > If you're importing an [encrypted export](https://bitwarden.com/help/encrypted-export/), there isn't a separate option. Select `.json` and a handler will determine that the file is encrypted and attempt to decrypt the file using your [account's encryption key](https://bitwarden.com/help/account-encryption-key/) or encrypted export password.
5. Select **Choose file** and add the file to import, or copy/paste the contents of your file into the input box.

   > [!WARNING] Duplicative Imports
   > Importing does not check for duplicates. If you import the same file more than once or import items already in your vault, duplicate items will be created.
6. Select **Import data** to trigger the import. If you are importing a password protected `.json` file, enter the password into the **Confirm Vault Import** window that appears.

## Troubleshoot import errors

If an "Import error" message appears, no data was added to your vault. [Fix the import file issue](https://bitwarden.com/help/import-data/#troubleshoot-import-errors/) and try again. Some import errors are specific to organizations:

- **File contains unassigned items**: Ensure all [items are assigned to at least one collection](https://bitwarden.com/help/import-data/#file-contains-unassigned-items/) before trying to upload the file again.

  > [!NOTE] File contains unassigned items error
  > To minimize this error, turn on the [Restrict collection creation to owners and admins setting](https://bitwarden.com/help/collection-management/#collection-management-settings/) to prevent users from creating collections.
- **Organization can only have a maximum of two collections**: Free organizations support up to two collections. If your import file exceeds this limit, [reduce the number of collections](https://bitwarden.com/help/import-data/#organization-can-only-have-a-maximum-of-two-collections/) in the file or upgrade to import more.

--- URL: https://bitwarden.com/help/install-and-deploy-lite/ ---

# Lite Deployment

> [!TIP] Who is Lite for?
> Bitwarden lite is intended for personal use and home-labs, not for use in business contexts. Businesses should use one of the [standard deployment options](https://bitwarden.com/help/self-host-bitwarden/).

This article will walk you through installing and launching [Bitwarden lite](https://github.com/bitwarden/self-host/tree/main/bitwarden-lite). Use this deployment method to:

- Simplify configuration and optimize resource usage (CPU, memory) by deploying Bitwarden with a single Docker image.
- Utilize different database solutions such as MSSQL, PostgreSQL, SQLite, and MySQL/MariaDB. **Only** lite deployments can currently leverage these databases; standard deployments require MSSQL.
- Run on ARM architecture for alternative systems such as Raspberry Pi and NAS servers.

## System requirements

Bitwarden lite requires:

- RAM: At least 200 MB
- Storage: At least 1GB
- Docker Engine: Version 26+

## Setup

Before running a Bitwarden lite server, install Docker, set up your `settings.env` file, and decide on your database configuration:

### Install Docker

Bitwarden lite will run on your machine using a [Docker container](https://docs.docker.com/get-started/).
Lite can be run with any Docker edition or plan, but you must **install Docker on your machine before proceeding with installation.** Refer to the following Docker documentation for help:

- [Install Docker Engine](https://docs.docker.com/engine/installation/)

### Required environment variables

Environment variables can be specified by creating a `settings.env` file, which you can find an example of in our [GitHub](https://github.com/bitwarden/self-host/blob/main/bitwarden-lite/settings.env) repository, or by using the `--env` flag if you're using the `docker run` method. At a minimum, set values for the variables that fall under the `# Required Settings #` section of the example `.env` file:

> [!TIP] More Lite environment variables.
> More optional environment variables are available than those listed in this table.

| Variable | Description |
|------|------|
| BW_DOMAIN | Replace `bitwarden.yourdomain.com` with the domain where Bitwarden will be accessed. |
| BW_DB_PROVIDER | The database provider you will be using for your Bitwarden server. Available options are `sqlserver`, `postgresql`, `sqlite`, or `mysql`/`mariadb`. |
| BW_DB_SERVER | The name of the server on which your database is running. |
| BW_DB_DATABASE | The name of your Bitwarden database. |
| BW_DB_USERNAME | The username for accessing the Bitwarden database. |
| BW_DB_PASSWORD | The password for accessing the Bitwarden database. |
| BW_DB_FILE | Only required for `sqlite` if you would like to specify the path to your database file. If not specified, `sqlite` will automatically create a `vault.db` file under the `/etc/bitwarden` volume. |
| BW_INSTALLATION_ID | A valid installation ID generated from [https://bitwarden.com/host/](https://bitwarden.com/host/). |
| BW_INSTALLATION_KEY | A valid installation key generated from [https://bitwarden.com/host/](https://bitwarden.com/host/). |

### Database examples

Unlike standard Bitwarden deployments, lite does not come out-of-the-box with a database.
You can use an existing database, or create a new one. Which `# Required Settings #` you'll be required to include in your `settings.env` file or `--env` flags will depend on which supported database provider you're using:

### MySQL/MariaDB

The following variables are required for a MySQL or MariaDB database:

```
# Database
BW_DB_PROVIDER=mysql
BW_DB_SERVER=db
BW_DB_DATABASE=bitwarden_vault
BW_DB_USERNAME=bitwarden
BW_DB_PASSWORD=super_strong_password
```

### MSSQL

The following variables are required for an MSSQL database:

```
# Database
BW_DB_PROVIDER=sqlserver
BW_DB_SERVER=db
BW_DB_DATABASE=bitwarden_vault
BW_DB_USERNAME=bitwarden
BW_DB_PASSWORD=super_strong_password
```

### SQLite

The following variables are required for an SQLite database:

```
# Database
BW_DB_PROVIDER=sqlite
BW_DB_FILE=/path/to/.db
```

Assigning the `sqlite` value will create a `vault.db` file in the `/etc/bitwarden` volume automatically. `BW_DB_FILE` is only required if you would like to specify the path to a different database file.

### PostgreSQL

The following variables are required for a PostgreSQL database:

```
# Database
BW_DB_PROVIDER=postgresql
BW_DB_SERVER=db
BW_DB_DATABASE=bitwarden_vault
BW_DB_USERNAME=bitwarden
BW_DB_PASSWORD=super_strong_password
```

## Run the server

The lite deployment can be run using the `docker run` command or using Docker Compose. In either case, make sure that you've set your environment variables and made your database available before proceeding.

### Docker run

The lite deployment can be run with the `docker run` command, as in the following example:

```
docker run -d --name bitwarden -v /$(pwd)/bwdata/:/etc/bitwarden -p 80:8080 --env-file settings.env ghcr.io/bitwarden/lite
```

Running the server with the `docker run` command has several **required** options, including:

| **Name, shorthand** | **Description** |
|------|------|
| --detach, -d | Run the container in the background and print container ID. |
| --name | Provide a name for the container. `bitwarden` is used in the example. |
| --volume, -v | Bind mount a volume. At a minimum, mount `/etc/bitwarden`. |
| --publish, -p | Map container ports to the host. The example shows the port `80:8080` mapped. Port 8443 is required when configuring SSL. |
| --env-file | Path of the [file to read environment variables from](https://bitwarden.com/help/install-and-deploy-unified-beta/#specify-environment-variables/). Alternatively, use the `--env` flag to declare environment variables inline ([learn more](https://docs.docker.com/engine/reference/commandline/run/#set-environment-variables--e---env---env-file)). |

Once you run the command, verify that the container is running and healthy with:

```
docker ps
```

Congratulations! Bitwarden lite is now up and running at `https://your.domain.com`. Visit the web vault in your browser to confirm that it's working. You may now register a new account and log in.

### Docker Compose

Running the lite deployment with Docker Compose will require Docker Compose version 1.24+. To run the lite deployment with Docker Compose, create a `docker-compose.yml` file, for example:

```
---
version: "3.8"

services:
  bitwarden:
    depends_on:
      - db
    env_file:
      - settings.env
    image: ghcr.io/bitwarden/lite
    restart: always
    ports:
      - "80:8080"
    volumes:
      - bitwarden:/etc/bitwarden

  db:
    environment:
      MARIADB_USER: "bitwarden"
      MARIADB_PASSWORD: "super_strong_password"
      MARIADB_DATABASE: "bitwarden_vault"
      MARIADB_RANDOM_ROOT_PASSWORD: "true"
    image: mariadb:10
    restart: always
    volumes:
      - data:/var/lib/mysql

volumes:
  bitwarden:
  data:
```

In the `docker-compose.yml` file, make any desired configurations including:

- Mapping volumes for logs and Bitwarden data.
- Mapping ports.
- Configuring a database image.`ª`

`ª` Only set up a database in `docker-compose.yml`, as in the above example, if you want to **create a new database server** to use with Bitwarden.
Sample configurations for MySQL, MSSQL, and PostgreSQL are included in our [example file](https://github.com/bitwarden/self-host/blob/main/bitwarden-lite/docker-compose.yml).

Once your `docker-compose.yml` and `settings.env` files are created, start your lite server by running:

```
docker compose up -d
```

Verify that all containers are running correctly:

```
docker ps
```

Congratulations! Your lite deployment is now up and running at `https://your.domain.com`. Visit the web vault in your browser to confirm that it's working. You may now register a new account and log in.

### Update or restart the server

It's important to keep your Bitwarden lite server up to date. Like running the server, you can update it using either `docker run` commands or Docker Compose:

### Docker run

> [!TIP] Lite, if you're restarting instead of updating
> If you're restarting instead of updating the server, for example after making environment variable changes, skip the step that requires you to pull the most recent Bitwarden lite image.

To update the server:

1. Stop the running Docker container:

   ```
   docker stop bitwarden
   ```
2. Remove the Docker container:

   ```
   docker rm bitwarden
   ```
3. Pull the most recent Bitwarden lite image:

   ```
   docker pull ghcr.io/bitwarden/lite
   ```
4. Restart the server:

   ```
   docker run -d --name bitwarden -v /$(pwd)/bwdata/:/etc/bitwarden -p 80:8080 --env-file settings.env ghcr.io/bitwarden/lite
   ```

### Docker Compose

> [!TIP] Lite, if you're restarting instead of updating
> If you're restarting instead of updating the server, for example after making environment variable changes, skip the step that requires you to pull the most recent Bitwarden lite image.

To update the server:

1. Stop the running Docker container:

   ```
   docker compose down
   ```
2. Pull the most recent Bitwarden lite image:

   ```
   docker compose pull
   ```
3. Restart the server:

   ```
   docker compose up -d
   ```

## Optional environment variables

Bitwarden lite works, by default, with some available services deactivated. These services, and many other server characteristics, can optionally be activated and customized with your `settings.env` file or `--env` flags:

> [!WARNING] When editing Lite environment variables
> Whenever you change an environment variable, you will need to restart your server in order for changes to take effect.

#### Services

Additional services can be activated or deactivated using the following variables:

| Variable | Description |
|------|------|
| BW_ENABLE_ADMIN | **Do not disable this service.** Learn more about Admin panel capabilities [here](https://bitwarden.com/help/system-administrator-portal/). Default `true`. |
| BW_ENABLE_API | **Do not disable this service.** Default `true`. |
| BW_ENABLE_EVENTS | Enable or disable Bitwarden events logs for teams and enterprise event monitoring. Default `false`. |
| BW_ENABLE_ICONS | Enable or disable Bitwarden brand icons that are set with the login item URIs. Learn more [here](https://bitwarden.com/help/website-icons/). Default `true`. |
| BW_ENABLE_IDENTITY | **Do not disable this service.** Default `true`. |
| BW_ENABLE_NOTIFICATIONS | Enable or disable notification services for receiving push notifications to mobile devices, using login with device, mobile vault sync, and more. Default `true`. |
| BW_ENABLE_SCIM | Enable or disable SCIM for Enterprise organizations. Default `false`. |
| BW_ENABLE_SSO | Enable or disable SSO services for Enterprise organizations. Default `false`. |
| BW_ICONS_PROXY_TO_CLOUD | Enabling this service will proxy icon service requests to operate through cloud services in order to lower system memory load. If choosing to use this setting, `BW_ENABLE_ICONS` should be set to `false` in order to reduce container load. Default `false`. |

#### Certificates

Use these variables to change certificate settings:

| **Variable** | **Description** |
|------|------|
| BW_ENABLE_SSL | Use SSL/TLS. `true`/`false`. Default `false`. SSL is required for Bitwarden to function properly. If you are not using SSL configured in the Bitwarden container you should front Bitwarden with an SSL proxy. |
| BW_SSL_CERT | The name of your SSL certificate file. The file must be located in the `/etc/bitwarden` directory within the container. Default `ssl.crt`. |
| BW_SSL_KEY | The name of your SSL key file. The file must be located in the `/etc/bitwarden` directory within the container. Default `ssl.key`. |
| BW_ENABLE_SSL_CA | Use SSL with certificate authority (CA) backed service. `true`/`false`. Default `false`. |
| BW_SSL_CA_CERT | The name of your SSL CA certificate. The file must be located in the `/etc/bitwarden` directory within the container. Default `ca.crt`. |
| BW_ENABLE_SSL_DH | Use SSL with Diffie-Hellman key exchange. `true`/`false`. Default `false`. |
| BW_SSL_DH_CERT | The name of your Diffie-Hellman parameters file. The file must be located in the `/etc/bitwarden` directory within the container. Default `dh.pem`. |
| BW_SSL_PROTOCOLS | SSL version used by NGINX. Leave empty for recommended default. [Learn more](https://wiki.mozilla.org/Security/Server_Side_TLS). |
| BW_SSL_CIPHERS | SSL ciphersuites used by NGINX. Leave empty for recommended default. [Learn more](https://wiki.mozilla.org/Security/Server_Side_TLS). |

> [!NOTE] Using existing SSL with Lite.
> If you are using an existing SSL certificate, you will have to enable the appropriate SSL options in `settings.env`. SSL files must be stored in `/etc/bitwarden`, which can be referenced in the `docker-compose.yml` file. These files must match the names configured in `settings.env`.
>
> The default behavior is to generate a self-signed certificate if SSL is enabled and no existing certificate files are in the expected location (`/etc/bitwarden`).
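The required settings, per-provider database variables, service flags, and certificate variables described above can be checked together before the container is started. This pre-flight check is an added example, not part of the Bitwarden project: `check_settings`, its `mounted_files` parameter (the file names present in the host directory mounted at `/etc/bitwarden`), and the `SAMPLE` file are constructed here.

```python
DB_PROVIDERS = {"sqlserver", "postgresql", "sqlite", "mysql", "mariadb"}
SERVER_DB_VARS = ("BW_DB_SERVER", "BW_DB_DATABASE", "BW_DB_USERNAME", "BW_DB_PASSWORD")
# Example values printed in the documentation; they must not reach a live server.
DOC_PLACEHOLDERS = {
    "BW_DOMAIN": "bitwarden.yourdomain.com",
    "BW_DB_PASSWORD": "super_strong_password",
    "BW_DB_FILE": "/path/to/.db",
}
CORE_SERVICES = ("BW_ENABLE_ADMIN", "BW_ENABLE_API", "BW_ENABLE_IDENTITY")


def parse_env(text):
    """Parse KEY=VALUE lines; '#' comment lines and blank lines are skipped."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        env[key.strip()] = value.strip()
    return env


def is_true(env, name, default):
    """Read a true/false variable, falling back to its documented default."""
    return (env.get(name) or default).lower() == "true"


def check_settings(text, mounted_files=()):
    """Return (errors, warnings) for settings.env text. Values are never echoed,
    except the provider name, which is not a secret."""
    env = parse_env(text)
    errors, warnings = [], []

    required = ["BW_DOMAIN", "BW_DB_PROVIDER", "BW_INSTALLATION_ID", "BW_INSTALLATION_KEY"]
    provider = env.get("BW_DB_PROVIDER", "").lower()
    if provider and provider not in DB_PROVIDERS:
        errors.append(f"BW_DB_PROVIDER={provider!r} is not a supported provider")
    elif provider and provider != "sqlite":
        required += SERVER_DB_VARS  # sqlite needs none of these
    for name in required:
        if not env.get(name):
            errors.append(f"{name} is required but missing or empty")

    for name, placeholder in DOC_PLACEHOLDERS.items():
        if env.get(name) == placeholder:
            errors.append(f"{name} still holds the documentation example value")

    for name in CORE_SERVICES:
        if not is_true(env, name, "true"):
            errors.append(f"{name} must stay enabled")

    if is_true(env, "BW_ICONS_PROXY_TO_CLOUD", "false") and is_true(env, "BW_ENABLE_ICONS", "true"):
        warnings.append("BW_ICONS_PROXY_TO_CLOUD is on; set BW_ENABLE_ICONS=false")

    if is_true(env, "BW_ENABLE_SSL", "false"):
        for name, default in (("BW_SSL_CERT", "ssl.crt"), ("BW_SSL_KEY", "ssl.key")):
            filename = env.get(name) or default
            if "/" in filename or "\\" in filename:
                errors.append(f"{name} must be a file name inside /etc/bitwarden, not a path")
            elif filename not in mounted_files:
                warnings.append(f"{filename} not found in the mounted directory; "
                                "a self-signed certificate may be generated")
    else:
        warnings.append("BW_ENABLE_SSL is off; front the container with a TLS-terminating proxy")
    return errors, warnings


# Constructed sample with three mistakes: documentation password left in place,
# a core service disabled, and a certificate given as a path.
SAMPLE = """\
# Required Settings (constructed sample)
BW_DOMAIN=vault.example.org
BW_DB_PROVIDER=postgresql
BW_DB_SERVER=db
BW_DB_DATABASE=bitwarden_vault
BW_DB_USERNAME=bitwarden
BW_DB_PASSWORD=super_strong_password
BW_INSTALLATION_ID=PLACEHOLDER-ID
BW_INSTALLATION_KEY=PLACEHOLDER-KEY
BW_ENABLE_IDENTITY=false
BW_ENABLE_SSL=true
BW_SSL_CERT=/certs/site.crt
"""

if __name__ == "__main__":
    for kind, messages in zip(("error", "warning"), check_settings(SAMPLE, {"ssl.crt"})):
        for message in messages:
            print(f"{kind}: {message}")
```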
#### SMTP

Use these variables to set up or change an SMTP provider for your server:

| **Variable** | **Description** |
|------|------|
| globalSettings__mail__replyToEmail | Enter the reply email for your server. |
| globalSettings__mail__smtp__host | Enter host domain for your SMTP server. |
| globalSettings__mail__smtp__port | Enter the port number from the SMTP host. |
| globalSettings__mail__smtp__ssl | If your SMTP host uses SSL enter `true`. Set value to `false` if your host uses TLS service. |
| globalSettings__mail__smtp__username | Enter the SMTP username. |
| globalSettings__mail__smtp__password | Enter the SMTP password. |

#### Ports

Use these variables to configure the ports used for traffic:

| **Variable** | **Description** |
|------|------|
| BW_PORT_HTTP | Change the port used for HTTP traffic. By default, `8080`. |
| BW_PORT_HTTPS | Change the port used for HTTPS traffic. By default, `8443`. |

#### Yubico API

Use these variables to connect with Yubico Web Services:

| **Variable** | **Description** |
|------|------|
| globalSettings__yubico__clientId | Replace value with ID received from your Yubico Key. Sign up for Yubico Key [here](https://upgrade.yubico.com/getapikey/). |
| globalSettings__yubico__key | Input the key value received from Yubico. |

#### Miscellaneous

Use these variables to configure other characteristics of your Bitwarden lite server:

| **Variable** | **Description** |
|------|------|
| globalSettings__disableUserRegistration | Enable or disable user account registration capabilities. |
| globalSettings__hibpApiKey | Enter the API key provided by Have I Been Pwned. Register to receive the API key [here](https://haveibeenpwned.com/API/Key). |
| adminSettings__admins | Enter admin email addresses. |
| BW_REAL_IPS | Define real IPs in `nginx.conf` in a comma-separated list. Useful for defining proxy servers that forward the client IP address. [Learn more](https://nginx.org/en/docs/http/ngx_http_realip_module.html). |
| BW_CSP | Content-Security-Policy parameter. Reconfiguring this parameter may break features. By changing this parameter, you become responsible for maintaining this value. |
| BW_DB_PORT | Specify a custom port for database traffic. If unspecified, the default will depend on your chosen database provider. |

## Troubleshooting

### Memory usage

By default, the Bitwarden container will consume memory that is available to it, often being more than the minimum needed to run. For memory-conscious environments, you can use docker `-m` or `--memory=` to limit the Bitwarden container's memory usage.

| **Name, shorthand** | **Description** |
|------|------|
| --memory=, -m | The maximum amount of memory the container can use. Bitwarden requires at least 200m. See the [Docker documentation](https://docs.docker.com/config/containers/resource_constraints/#limit-a-containers-access-to-memory) to learn more. |

To control memory usage with Docker Compose, use the `mem_limit` key:

```
services:
  bitwarden:
    env_file:
      - settings.env
    image: ghcr.io/bitwarden/lite
    restart: always
    mem_limit: 200m
```

--- URL: https://bitwarden.com/help/install-and-deploy-offline-windows/ ---

# Windows Offline Deployment

This article will walk you through the procedure to install and deploy Bitwarden to your own Windows server in an **offline or air-gapped** environment. Please review Bitwarden [software release support](https://bitwarden.com/help/bitwarden-software-release-support/#release-support-at-bitwarden/) documentation.

> [!WARNING] Manual Server Setup
> **Manual installations should be conducted by advanced users only.** Only proceed if you are very familiar with Docker technologies and desire more control over your Bitwarden installation.
>
> Manual installations lack the ability to automatically update certain dependencies of the Bitwarden installation.
> As you upgrade from one version of Bitwarden to the next you will be responsible for changes to required environment variables, changes to nginx `default.conf`, changes to `docker-compose.yml`, and so on.
>
> We will try to highlight these in the [release notes on GitHub](https://github.com/bitwarden/server/releases). You can also monitor changes to the [dependency templates](https://github.com/bitwarden/server/tree/master/util/Setup/Templates) used by the Bitwarden installation script on GitHub.

## Requirements

| | **Minimum** | **Recommended** |
|------|------|------|
| Processor | x64, 1.4GHz | x64, 2GHz Dual Core |
| Memory | 6GB RAM | 8+ GB RAM |
| Storage | 76GB | 90GB |
| Docker Version | Engine 26+ and Compose`ª` | Engine 26+ and Compose`ª` |

`ª` - Docker Compose can be installed via Docker Desktop, which includes Engine and Compose. [Install Docker Desktop for Engine and Compose](https://docs.docker.com/desktop/install/windows-install/). During this setup, you must **uncheck** the **Use WSL2 instead of Hyper-V (recommended)** option.

Additionally, ensure the following requirements are met:

- Using a machine with internet access, you have downloaded the latest `docker-stub-US.zip` or `docker-stub-EU.zip` file from the Bitwarden Server repository's releases page and transferred this file to your server.
- An offline SMTP server is set up and active in your environment.
- (**Optional**) [OpenSSL Windows binaries](https://wiki.openssl.org/index.php/Binaries) are installed and ready to use on your server. You may use a self-signed certificate instead of OpenSSL if you wish.

### Nested virtualization

Running Bitwarden on a Windows Server requires use of nested virtualization. Please check your Hypervisor's documentation to find out if nested virtualization is supported and how to enable it.
> [!NOTE] microsoft azure vm
> If you are running Windows Server as an Azure VM, we recommend a **Standard D2s v3 Virtual Machine running Windows Server 2022**, which meets all [system requirements](https://bitwarden.com/help/install-on-premise-windows/#system-specifications/) including support for nested virtualization. You will also need to select **Security Type**: **Standard** rather than the default **Trusted launch virtual machines**.

## Installation procedure

### Configure your domain

By default, Bitwarden will be served through ports 80 (`http`) and 443 (`https`) on the host machine. Open these ports so that Bitwarden can be accessed from within and/or outside the network. You may opt to choose different ports during installation.

> [!NOTE] windows fire wall docker
> **If you are using Windows Firewall**, Docker Desktop for Windows will not automatically add an exception for itself in Windows Firewall. Add exceptions for TCP ports 80 and 443 (or chosen alternative ports) to prevent related errors.

We recommend configuring a domain name with DNS records that point to your host machine (for example, `server.example.com`), especially if you are serving Bitwarden over the internet. We recommend not including Bitwarden in your hostname to keep the server identity or type concealed.

### Create Bitwarden local user & directory

Open PowerShell and create a Bitwarden local user by running the following command:

```
PS C:\> $Password = Read-Host -AsSecureString
```

After running the above command, enter the desired password in the text input dialog. After specifying a password, run the following command:

```
New-LocalUser "Bitwarden" -Password $Password -Description "Bitwarden Local Admin"
```

As the newly created user, create a Bitwarden folder under `C:\`:

```
PS C:\> mkdir Bitwarden
```

Once you install Docker Desktop, navigate to **Settings** → **Resources** → **File Sharing** and add the created directory (`C:\Bitwarden`) to the Resources list.
Select **Apply & Restart** to apply your changes.

Log in as the newly created user before completing all subsequent procedures in this document.

### Configure your machine

To configure your machine with the assets required for your Bitwarden server:

> [!NOTE] already created bitwarden user and directory
> Once you have [created a Bitwarden user & directory](https://bitwarden.com/help/install-on-premise-windows/#create-bitwarden-local-user--directory/), complete the following as the `Bitwarden` user.

1. Create a new directory in `C:\Bitwarden` named `bwdata` and extract `docker-stub-US.zip` (or `docker-stub-EU.zip`) to it. Once unzipped, the `bwdata` directory will match what the `docker-compose.yml` file's volume mapping expects. You may, if you wish, change the location of these mappings on the host machine.
2. In `bwdata\env\global.override.env`, edit the following environment variables:
   - `globalSettings__baseServiceUri__vault=`: Enter the domain of your Bitwarden instance.
   - `globalSettings__sqlServer__ConnectionString=`: Replace the `RANDOM_DATABASE_PASSWORD` with a secure password for use in a later step.
   - `globalSettings__identityServer__certificatePassword=`: Set a secure certificate password for use in a later step.
   - `globalSettings__internalIdentityKey=`: Replace `RANDOM_IDENTITY_KEY` with a random alphanumeric string.
   - `globalSettings__oidcIdentityClientKey=`: Replace `RANDOM_IDENTITY_KEY` with a random alphanumeric string.
   - `globalSettings__duo__aKey=`: Replace `RANDOM_DUO_AKEY` with a random alphanumeric string.
   - `globalSettings__installation__id=`: Enter an installation id retrieved from [https://bitwarden.com/host](https://bitwarden.com/host/).
   - `globalSettings__installation__key=`: Enter an installation key retrieved from [https://bitwarden.com/host](https://bitwarden.com/host/).
   - `globalSettings__pushRelayBaseUri=`: This variable should be blank.
See[ Configure Push Relay](https://bitwarden.com/help/configure-push-relay/) for more information. > [!TIP] Manual Install Environment Variables > At this time, consider also setting values for all `globalSettings__mail__smtp__` variables and for `adminSettings__admins`. Doing so will configure the SMTP mail server used to send invitations to new organization members and provision access to the [System Administrator Portal](https://bitwarden.com/help/system-administrator-portal/). > > [Learn more about environment variables](https://bitwarden.com/help/environment-variables/). 3. Generate a `identity.pfx` certificate for the identity container. You can do using OpenSSL or using any tool to generate a self-signed certificate. If you're using OpenSSL, run the following commands: ``` openssl req -x509 -newkey rsa:4096 -sha256 -nodes -keyout identity.key -out identity.crt -subj "/CN=Bitwarden IdentityServer" -days 10950 ``` and ``` openssl pkcs12 -export -out ./identity/identity.pfx -inkey identity.key -in identity.crt -passout pass:IDENTITY_CERT_PASSWORD ``` In the above command, replace `IDENTITY_CERT_PASSWORD` with the certificate password created and used in **Step 2**. 4. Move `identity.pfx` to the mapped volume directory (by default, `.\bwdata\identity`). 5. Copy `identity.pfx` to the `.\bwdata\ssl` directory. 6. Create a subdirectory in `.\bwdata\ssl` named for your domain. 7. Provider a trusted SSL certificate and private key in the newly created `.\bwdata\ssl\bitwarden.example.com` subdirectory. > [!NOTE] Windows Certs > This directory is mapped to the NGINX container at `\etc\ssl`. If you can't provide a trusted SSL certificate, front the installation with a proxy that provides an HTTPS endpoint to Bitwarden client applications. 8. In `.\bwdata\nginx\default.conf`: 1. Replace all instances of `bitwarden.example.com` with your domain, including in the `Content-Security-Policy` header. 2. 
Set the `ssl_certificate` and `ssl_certificate_key` variables to the paths of the certificate and private key provided in **Step 6**. 3. Take one of the following actions, depending on your certificate setup: - If using a trusted SSL certificate, set the `ssl_trusted_certificate` variable to the path to your certificate. - If using a self-signed certificate, comment out the `ssl_trusted_certificate` variables. 9. In `.\bwdata\env\mssql.override.env`, replace `RANDOM_DATABASE_PASSWORD` with the password created in **Step 2**. 10. In `.\bwdata\web\app-id.json`, replace `bitwarden.example.com` with your domain. ### Download & transfer images To get docker images for use on your offline machine: 1. From an internet-connected machine, download all `ghcr.io/bitwarden/image_name:latest` docker images, as listed in the `docker-compose.yml` file in `docker-stub.zip`. 2. Save each image to a `.img` file, for example: ``` docker image save -o mssql.img ghcr.io/bitwarden/mssql:latest ``` 3. Transfer all `.img` files to your offline machine. 4. On your offline machine, load each `.img` file to create your local docker images, for example: ``` docker image load -i mssql.img ``` ### Start your server Start your Bitwarden server with the following command: ``` docker compose -f ./docker/docker-compose.yml up -d ``` Verify that all containers are running correctly: ``` docker ps ``` ![List showing Healthy Containers ](https://bitwarden.com/assets/3kcV9CFkWJrw5qCmKZsyBg/5cd5030d96352e6b1f5f20d1ffb79654/docker-ps-win.png) Congratulations! Bitwarden is now up and running at `https://your.domain.com`. Visit the web vault in your browser to confirm that it's working. You may now register a new account and log in. You will need to have configured SMTP environment variables (see [Environment Variables](https://bitwarden.com/help/environment-variables/)) in order to verify the email for your new account. 
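The configuration steps above leave several placeholder secrets and the example domain in `bwdata` until they are replaced by hand. The following pre-flight check is an added example, not part of Bitwarden's tooling: it scans the files named in the procedure for leftover placeholders before the server is started. The function names, the sample file contents, and the assumption that the connection string carries the password as `Password=...;` are illustrative.

```python
import re
import tempfile
from pathlib import Path

# Placeholders the procedure says to replace, per file (paths relative to bwdata).
PLACEHOLDERS = {
    "env/global.override.env": ["RANDOM_DATABASE_PASSWORD", "RANDOM_IDENTITY_KEY", "RANDOM_DUO_AKEY"],
    "env/mssql.override.env": ["RANDOM_DATABASE_PASSWORD"],
    "nginx/default.conf": ["bitwarden.example.com"],
    "web/app-id.json": ["bitwarden.example.com"],
}
CONN = "globalSettings__sqlServer__ConnectionString"
# Variables from step 2 that must end up with a value (names compared case-insensitively).
REQUIRED = [
    "globalSettings__baseServiceUri__vault", CONN,
    "globalSettings__identityServer__certificatePassword",
    "globalSettings__internalIdentityKey", "globalSettings__oidcIdentityClientKey",
    "globalSettings__duo__aKey",
    "globalSettings__installation__id", "globalSettings__installation__key",
]
MUST_BE_BLANK = "globalSettings__pushRelayBaseUri"


def read_env(path):
    """Parse KEY=VALUE lines into a dict with lower-cased keys; comments are skipped."""
    env = {}
    for line in path.read_text(encoding="utf-8").splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and not key.startswith("#"):
            env[key.strip().lower()] = value.strip().strip('"')
    return env


def preflight(bwdata):
    """Return a list of findings; an empty list means every check passed."""
    bwdata, findings = Path(bwdata), []
    for rel, tokens in PLACEHOLDERS.items():
        path = bwdata / rel
        if not path.is_file():
            findings.append(f"{rel}: missing")
            continue
        text = path.read_text(encoding="utf-8")
        findings += [f"{rel}: placeholder {t} not replaced" for t in tokens if t in text]

    global_path = bwdata / "env/global.override.env"
    mssql_path = bwdata / "env/mssql.override.env"
    if not (global_path.is_file() and mssql_path.is_file()):
        return findings
    env = read_env(global_path)
    findings += [f"{name} is empty" for name in REQUIRED if not env.get(name.lower())]
    if env.get(MUST_BE_BLANK.lower()):
        findings.append(f"{MUST_BE_BLANK} should be blank")
    # Assumption: the connection string carries the password as 'Password=...;'.
    match = re.search(r"Password=([^;]*)", env.get(CONN.lower(), ""), re.IGNORECASE)
    if match and match.group(1) not in read_env(mssql_path).values():
        findings.append("database password differs between global.override.env and mssql.override.env")
    return findings


def write_sample(root, domain, db_pw, mssql_pw, key, relay=""):
    """Write a small constructed bwdata tree (not the real docker-stub contents)."""
    files = {
        "env/global.override.env": (
            f"globalSettings__baseServiceUri__vault=https://{domain}\n"
            f'globalSettings__sqlServer__connectionString="Data Source=tcp:mssql,1433;User ID=sa;Password={db_pw};"\n'
            "globalSettings__identityServer__certificatePassword=constructed-cert-pass\n"
            f"globalSettings__internalIdentityKey={key}\n"
            f"globalSettings__oidcIdentityClientKey={key}\n"
            "globalSettings__duo__aKey=constructedDuoKey123\n"
            "globalSettings__installation__id=00000000-0000-0000-0000-000000000000\n"
            "globalSettings__installation__key=constructedInstallKey\n"
            f"globalSettings__pushRelayBaseUri={relay}\n"
        ),
        "env/mssql.override.env": f"ACCEPT_EULA=Y\nSA_PASSWORD={mssql_pw}\n",
        "nginx/default.conf": f"server_name {domain};\n",
        "web/app-id.json": f'{{"trustedFacets": [{{"ids": ["https://{domain}"]}}]}}\n',
    }
    for rel, content in files.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(content, encoding="utf-8")
    return Path(root)


def demo():
    """Run the check on a constructed misconfigured tree and a constructed clean one."""
    with tempfile.TemporaryDirectory() as tmp:
        bad = write_sample(Path(tmp) / "bad", "bitwarden.example.com", "constructedDbPass1",
                           "RANDOM_DATABASE_PASSWORD", "RANDOM_IDENTITY_KEY",
                           "https://push.example.invalid")
        good = write_sample(Path(tmp) / "good", "vault.corp.example", "constructedDbPass1",
                            "constructedDbPass1", "constructedKeyA1b2C3")
        return preflight(bad), preflight(good)


if __name__ == "__main__":
    for finding in demo()[0]:
        print("FAIL", finding)
```

To check a real installation, call `preflight` with the path to your own `bwdata` directory and treat any returned finding as a reason not to start the containers yet.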
## Next Steps:

- If you are planning to self-host a Bitwarden organization, see [self-host an organization](https://bitwarden.com/help/self-host-an-organization/) to get started.
- For additional information see [self hosting FAQs](https://bitwarden.com/help/hosting-faqs/).

## Update your server

Updating a self-hosted server that has been installed and deployed manually is different from the [standard update procedure](https://bitwarden.com/help/updating-on-premise/). To update your manually-installed server:

1. Download the latest `docker-stub.zip` archive from the [releases pages on GitHub](https://github.com/bitwarden/server/releases).
2. Unzip the new `docker-stub.zip` archive and compare its contents with what's currently in your `bwdata` directory, copying anything new to the pre-existing files in `bwdata`.

   **Do not** overwrite your pre-existing `bwdata` directory with the contents of the newer `docker-stub.zip` archive, as this would overwrite any custom configuration work you've done.
3. Download the latest container images and transfer them to your offline machine [as documented above](https://bitwarden.com/help/install-and-deploy-offline-windows/#download-&-transfer-images/).
4. Run the following command to restart your server with your updated configuration and the latest containers:

   ```
   docker compose -f ./docker/docker-compose.yml down && docker compose -f ./docker/docker-compose.yml up -d
   ```

--- URL: https://bitwarden.com/help/install-and-deploy-offline/ ---

# Linux Offline Deployment

This article will walk you through the procedure to install and deploy Bitwarden to your own server in an **offline or air-gapped environment**. Please review Bitwarden [software release support](https://bitwarden.com/help/bitwarden-software-release-support/#release-support-at-bitwarden/) documentation.
> [!WARNING] Manual Server Setup
> **Manual installations should be conducted by advanced users only.** Only proceed if you are very familiar with Docker technologies and desire more control over your Bitwarden installation.
>
> Manual installations lack the ability to automatically update certain dependencies of the Bitwarden installation. As you upgrade from one version of Bitwarden to the next you will be responsible for changes to required environment variables, changes to nginx `default.conf`, changes to `docker-compose.yml`, and so on.
>
> We will try to highlight these in the [release notes on GitHub](https://github.com/bitwarden/server/releases). You can also monitor changes to the [dependency templates](https://github.com/bitwarden/server/tree/master/util/Setup/Templates) used by the Bitwarden installation script on GitHub.

## Requirements

| | **Minimum** | **Recommended** |
|------|------|------|
| Processor | x64, 1.4GHz | x64, 2GHz dual core |
| Memory | 2GB RAM | 4GB RAM |
| Storage | 12GB | 25GB |
| Docker Version | Engine 26+ and Compose`ª` | Engine 26+ and Compose`ª` |

`ª` - Docker Compose is automatically installed as a plugin when you download Docker Engine. [Download Docker Engine for Linux](https://docs.docker.com/engine/install/#supported-platforms).

Additionally, ensure the following requirements are met:

- Using a machine with internet access, you have downloaded the latest `docker-stub-US.zip` or `docker-stub-EU.zip` file from the Bitwarden Server repository's [releases page](https://github.com/bitwarden/server/releases) and transferred this file to your server.
- An offline SMTP Server is set up and active in your environment.

The server your Bitwarden deployment runs on will not be required to allow outbound traffic to any addresses outside of your network; however, client applications must be configured to access the server's fully qualified domain name (FQDN) on, by default, ports `80` and `443`. You may opt to choose different ports during installation, but whichever ports you choose must be opened for client access.

## Installation procedure

### Configure your domain

By default, Bitwarden will be served through ports 80 (`http`) and 443 (`https`) on the host machine. Open these ports so that Bitwarden can be accessed from within and/or outside of the network. You may opt to choose different ports during installation.

We recommend configuring a domain name with DNS records that point to your host machine (for example, `server.example.com`), especially if you are serving Bitwarden over the internet. We recommend not including Bitwarden in your hostname to keep the server identity or type concealed.

### Create Bitwarden local user and directory

Configure your Linux server with a dedicated `bitwarden` service account, from which to install and run Bitwarden. Doing so will isolate your Bitwarden instance from other applications running on your server. For more information, see Docker's [Post-installation steps for Linux](https://docs.docker.com/engine/install/linux-postinstall/) documentation.

1. Create a bitwarden user:

   ```
   sudo adduser bitwarden
   ```
2. Set a password for the bitwarden user:

   ```
   sudo passwd bitwarden
   ```
3. Create a docker group (if it doesn't already exist):

   ```
   sudo groupadd docker
   ```
4. Add the bitwarden user to the docker group:

   ```
   sudo usermod -aG docker bitwarden
   ```
5. Create a bitwarden directory:

   ```
   sudo mkdir /opt/bitwarden
   ```
6. Set permissions for the `/opt/bitwarden` directory:

   ```
   sudo chmod -R 700 /opt/bitwarden
   ```
7. Set the bitwarden user ownership of the `/opt/bitwarden` directory:

   ```
   sudo chown -R bitwarden:bitwarden /opt/bitwarden
   ```

### Configure your machine

> [!TIP] If you've setup self-host local user and directory.
> Once you have [created a Bitwarden user & directory](https://bitwarden.com/help/install-on-premise-manual/#create-bitwarden-local-user--directory/), complete the following as the `bitwarden` user from the `/opt/bitwarden` directory. **Do not install Bitwarden as root**, as you will encounter issues during installation.

To configure your machine with the assets required for your Bitwarden server:

1. Create a new directory named `bwdata` and extract `docker-stub-US.zip` (or `docker-stub-EU.zip`) to it, for example:

   ```
   unzip docker-stub-US.zip -d bwdata
   ```

   Once unzipped, the `bwdata` directory will match what the `docker-compose.yml` file's volume mapping expects. You may, if you wish, change the location of these mappings on the host machine.
2. In `./bwdata/env/global.override.env`, edit the following environment variables:

   - `globalSettings__baseServiceUri__vault=`: Enter the domain of your Bitwarden instance.
   - `globalSettings__sqlServer__ConnectionString=`: Replace the `RANDOM_DATABASE_PASSWORD` with a secure password for use in a later step.
   - `globalSettings__identityServer__certificatePassword=`: Set a secure certificate password for use in a later step.
   - `globalSettings__internalIdentityKey=`: Replace `RANDOM_IDENTITY_KEY` with a random alphanumeric string.
   - `globalSettings__oidcIdentityClientKey=`: Replace `RANDOM_IDENTITY_KEY` with a random alphanumeric string.
   - `globalSettings__duo__aKey=`: Replace `RANDOM_DUO_AKEY` with a random alphanumeric string.
   - `globalSettings__installation__id=`: Enter an installation id retrieved from [https://bitwarden.com/host](https://bitwarden.com/host/).
   - `globalSettings__installation__key=`: Enter an installation key retrieved from [https://bitwarden.com/host](https://bitwarden.com/host/).
   - `globalSettings__pushRelayBaseUri=`: This variable should be blank. See [Configure Push Relay](https://bitwarden.com/help/configure-push-relay/) for more information.

   > [!TIP] Manual Install Environment Variables
   > At this time, consider also setting values for all `globalSettings__mail__smtp__` variables and for `adminSettings__admins`. Doing so will configure the SMTP mail server used to send invitations to new organization members and provision access to the [System Administrator Portal](https://bitwarden.com/help/system-administrator-portal/).
   >
   > [Learn more about environment variables](https://bitwarden.com/help/environment-variables/).
3. From `./bwdata`, generate a `.pfx` certificate file for the identity container and move it to the mapped volume directory (by default, `./bwdata/identity/`). For example, run the following commands:

   ```
   openssl req -x509 -newkey rsa:4096 -sha256 -nodes -keyout identity.key -out identity.crt -subj "/CN=Bitwarden IdentityServer" -days 10950
   ```

   and

   ```
   openssl pkcs12 -export -out ./identity/identity.pfx -inkey identity.key -in identity.crt -passout pass:IDENTITY_CERT_PASSWORD
   ```

   In the above command, replace `IDENTITY_CERT_PASSWORD` with the certificate password created and used in **Step 2**.
4. Create a subdirectory in `./bwdata/ssl` named for your domain, for example:

   ```
   mkdir ./ssl/bitwarden.example.com
   ```
5. Provide a trusted SSL certificate and private key in the newly created `./bwdata/ssl/bitwarden.example.com` subdirectory.

   > [!NOTE] SSL Directory to Volume Mapping
   > This directory is mapped to the NGINX container at `/etc/ssl`. If you can't provide a trusted SSL certificate, front the installation with a proxy that provides an HTTPS endpoint to Bitwarden client applications.
6. In `./bwdata/nginx/default.conf`:

   1. Replace all instances of `bitwarden.example.com` with your domain, including in the `Content-Security-Policy` header.
   2. Set the `ssl_certificate` and `ssl_certificate_key` variables to the paths of the certificate and private key provided in **Step 6**.
   3. Take one of the following actions, depending on your certificate setup:
      - If using a trusted SSL certificate, set the `ssl_trusted_certificate` variable to the path to your certificate.
      - If using a self-signed certificate, comment out the `ssl_trusted_certificate` variable.
7. In `./bwdata/env/mssql.override.env`, replace `RANDOM_DATABASE_PASSWORD` with the password created in **Step 2**.
8. In `./bwdata/web/app-id.json`, replace `bitwarden.example.com` with your domain.
9. In `./bwdata/env/uid.env`, set the UID and GID of the `bitwarden` user and group you [created earlier](https://bitwarden.com/help/install-on-premise-manual/#create-bitwarden-local-user-and-directory/) so the containers run under them, for example:

   ```
   LOCAL_UID=1001
   LOCAL_GID=1001
   ```

### Download and transfer images

To get docker images for use on your offline machine:

1. From an internet-connected machine, download all `ghcr.io/bitwarden/image_name:latest` docker images, as listed in the `docker-compose.yml` file in `docker-stub.zip`. For example:

   ```
   docker image pull ghcr.io/bitwarden/mssql:latest
   ```
2. Save each image to a `.img` file, for example:

   ```
   docker image save -o mssql.img ghcr.io/bitwarden/mssql:latest
   ```
3. Transfer all `.img` files to your offline machine.
4. On your offline machine, load each `.img` file to create your local docker images, for example:

   ```
   docker image load -i mssql.img
   ```

### Start your server

Start your Bitwarden server with the following command:

```
docker compose -f ./docker/docker-compose.yml up -d
```

Verify that all containers are running correctly:

```
docker ps
```

![Docker healthy](https://bitwarden.com/assets/3Sq7MaJZ1jaEJUCW44wmwj/008be5ee5e43c20c8c840e71617e57eb/2025-05-05_15-34-44.png)

Congratulations! Bitwarden is now up and running at `https://your.domain.com`. Visit the web vault in your browser to confirm that it's working.

You may now register a new account and log in.
You will need to have configured SMTP environment variables (see [environment variables](https://bitwarden.com/help/environment-variables/)) in order to verify the email for your new account.

## Next Steps:

- If you are planning to self-host a Bitwarden organization, see [self-host an organization](https://bitwarden.com/help/self-host-an-organization/) to get started.
- For additional information see [self hosting FAQs](https://bitwarden.com/help/hosting-faqs/).

## Update your server

Updating a self-hosted server that has been installed and deployed manually is different from the [standard update procedure](https://bitwarden.com/help/updating-on-premise/). To update your manually-installed server:

1. Download the latest `docker-stub.zip` archive from the [releases pages on GitHub](https://github.com/bitwarden/server/releases).
2. Unzip the new `docker-stub.zip` archive and compare its contents with what's currently in your `bwdata` directory, copying anything new to the pre-existing files in `bwdata`.

   **Do not** overwrite your pre-existing `bwdata` directory with the contents of the newer `docker-stub.zip` archive, as this would overwrite any custom configuration work you've done.
3. Download the latest container images and transfer them to your offline machine [as documented above](https://bitwarden.com/help/install-and-deploy-offline/#download-transfer-images/).
4. Run the following command to restart your server with your updated configuration and the latest containers:

   ```
   docker compose -f ./docker/docker-compose.yml down && docker compose -f ./docker/docker-compose.yml up -d
   ```

--- URL: https://bitwarden.com/help/install-and-deploy-unified-beta/ ---

# Unified Deployment beta

> [!NOTE] Bitwarden unified beta warning
> Bitwarden Unified is not intended for Enterprise users. This solution is in beta and intended for personal use. Business plans should use the officially-supported, standard deployment option.
>
> While the Bitwarden unified self-hosted deployment is in beta, those installing unified **should not** set up automatic upgrade procedures that pull the latest images available. Bitwarden recommends allowing some time for stabilization of a release before upgrading.
>
> [Learn how to report issues](https://bitwarden.com/help/install-and-deploy-unified-beta/#reporting-issues/).

This article will walk you through installing and launching the [Bitwarden unified self-hosted deployment](https://github.com/bitwarden/self-host/tree/main/bitwarden-lite). Use this deployment method to:

- Simplify configuration and optimize resource usage (CPU, memory) by deploying Bitwarden with a single Docker image.
- Utilize different database solutions such as MSSQL, PostgreSQL, SQLite, and MySQL/MariaDB. **Only** Unified deployments can currently leverage these databases; standard deployments require MSSQL.
- Run on ARM architecture for alternative systems such as Raspberry Pi and NAS servers.

## System requirements

Bitwarden unified deployment requires:

- At least 200 MB RAM
- Storage 1GB
- Docker Engine 26+

### Install Docker

The unified deployment will run on your machine using a [Docker container](https://docs.docker.com/get-started/). The unified deployment can be run with any Docker edition or plan. Evaluate which edition is best for your installation.

**Install Docker on your machine before proceeding with installation.** Refer to the following Docker documentation for help:

- [Install Docker Engine](https://docs.docker.com/engine/installation/)

## Run Bitwarden unified

The unified deployment can be run using the `docker run` command (see [here](https://bitwarden.com/help/install-and-deploy-unified-beta/#using-docker-run/)) or using Docker Compose (see [here](https://bitwarden.com/help/install-and-deploy-unified-beta/#using-docker-compose/)). In either case, you'll need to specify environment variables for the container.
### Quick start guide

Use `docker run` to launch Bitwarden on a Raspberry Pi:

[![Vimeo Video](https://vumbnail.com/799236723.jpg)](https://vimeo.com/799236723)

*[Watch on Vimeo](https://vimeo.com/799236723)*

### Specify environment variables

Running the unified deployment will require environment variables to be set for the container. Environment variables can be specified by creating a `settings.env` file, which you can find an example of in our [GitHub](https://github.com/bitwarden/self-host/blob/main/bitwarden-lite/settings.env) repository, or by using the `--env` flag if you're using the `docker run` method. Several optional variables are available for use for a more personalized unified deployment experience. Additional details on these variables can be located [here](https://bitwarden.com/help/install-and-deploy-unified-beta/#environment-variables/).

At a minimum, set values for the variables that fall under the `# Required Settings #` section of the example `.env` file:

| Variable | Description |
|------|------|
| BW_DOMAIN | Replace `bitwarden.yourdomain.com` with the domain where Bitwarden will be accessed. |
| BW_DB_PROVIDER | The database provider you will be using for your Bitwarden server. Available options are `sqlserver`, `postgresql`, `sqlite`, or `mysql`/`mariadb`. |
| BW_DB_SERVER | The name of the server on which your database is running. |
| BW_DB_DATABASE | The name of your Bitwarden database. |
| BW_DB_USERNAME | The username for accessing the Bitwarden database. |
| BW_DB_PASSWORD | The password for accessing the Bitwarden database. |
| BW_DB_FILE | Only required for `sqlite` if you would like to specify the path to your database file. If not specified, `sqlite` will automatically create a `vault.db` file under the `/etc/bitwarden` volume. |
| BW_INSTALLATION_ID | A valid installation ID generated from [https://bitwarden.com/host/](https://bitwarden.com/host/). |
| BW_INSTALLATION_KEY | A valid installation key generated from [https://bitwarden.com/host/](https://bitwarden.com/host/). |

> [!NOTE] Bitwarden Unified DB Note
> Unlike the Bitwarden standard deployment, unified deployment does not come out-of-the-box with a database. You can use an existing database, or create a new one as documented in [this example](https://bitwarden.com/help/install-and-deploy-unified-beta/#using-docker-compose/), and in both cases you must enter valid information in the `BW_DB_...` variables documented here.
>
> Using non-MSSQL database providers may result in performance issues, as support for these platforms continues to be worked on throughout the beta. Please use [this issue template](https://github.com/bitwarden/server/issues/new?assignees=&labels=bug%2Cbw-unified-deploy&template=bw-unified.yml) to report anything related to your Bitwarden unified deployment and check out [this page](https://github.com/bitwarden/server/issues/2480) to track known issues or join the discussion.

### Using docker run

The unified deployment can be run with the `docker run` command, as in the following example:

```
docker run -d --name bitwarden -v /$(pwd)/bwdata/:/etc/bitwarden -p 80:8080 --env-file settings.env ghcr.io/bitwarden/lite
```

The command featured above has several required options for the `docker run` command, including:

| **Name, shorthand** | **Description** |
|------|------|
| --detach , -d | Run the container in the background and print container ID. |
| --name | Provide a name for the container. `bitwarden` is used in the example. |
| --volume , -v | Bind mount a volume. At a minimum, mount `/etc/bitwarden`. |
| --publish , -p | Map container ports to the host. The example shows the port `80:8080` mapped. Port 8443 is required when configuring SSL. |
| --env-file | Path of the [file to read environment variables from](https://bitwarden.com/help/install-and-deploy-unified-beta/#specify-environment-variables/). Alternatively, use the `--env` flag to declare environment variables inline ([learn more](https://docs.docker.com/engine/reference/commandline/run/#set-environment-variables--e---env---env-file)). |

Once you run the command, verify that the container is running and healthy with:

```
docker ps
```

Congratulations! Your unified deployment is now up and running at `https://your.domain.com`. Visit the web vault in your browser to confirm that it's working. You may now register a new account and log in.

### Using Docker Compose

Running the unified deployment with Docker Compose will require Docker Compose version 1.24+. To run the unified deployment with Docker Compose, create a `docker-compose.yml` file, for example:

```
---
version: "3.8"

services:
  bitwarden:
    depends_on:
      - db
    env_file:
      - settings.env
    image: ghcr.io/bitwarden/lite
    restart: always
    ports:
      - "80:8080"
    volumes:
      - bitwarden:/etc/bitwarden

  db:
    environment:
      MARIADB_USER: "bitwarden"
      MARIADB_PASSWORD: "super_strong_password"
      MARIADB_DATABASE: "bitwarden_vault"
      MARIADB_RANDOM_ROOT_PASSWORD: "true"
    image: mariadb:10
    restart: always
    volumes:
      - data:/var/lib/mysql

volumes:
  bitwarden:
  data:
```

In the `docker-compose.yml` file, make any desired configurations including:

- Mapping volumes for logs and Bitwarden data.
- Mapping ports.
- Configuring a database image.`ª`

`ª` Only set up a database in `docker-compose.yml`, as in the above example, if you want to **create a new database server** to use with Bitwarden. Sample configurations for MySQL, MSSQL, and PostgreSQL are included in our [example file](https://github.com/bitwarden/self-host/blob/main/bitwarden-lite/docker-compose.yml).

Once your `docker-compose.yml` and `settings.env` files are created, start your unified server by running:

```
docker compose up -d
```

Verify that all containers are running correctly:

```
docker ps
```

Congratulations! Your unified deployment is now up and running at `https://your.domain.com`. Visit the web vault in your browser to confirm that it's working. You may now register a new account and log in.

## Update your server

To update your unified deployment:

### Docker run update

1. Stop the running Docker container:

   ```
   docker stop bitwarden
   ```
2. Remove the Docker container:

   ```
   docker rm bitwarden
   ```
3. Run the following command to pull the most recent Bitwarden unified image:

   ```
   docker pull ghcr.io/bitwarden/lite
   ```
4. Run the Docker container again:

   ```
   docker run -d --name bitwarden -v /$(pwd)/bwdata/:/etc/bitwarden -p 80:8080 --env-file settings.env ghcr.io/bitwarden/lite
   ```

### Docker Compose update

1. Stop the running Docker container:

   ```
   docker compose down
   ```
2. Run the following command to pull the most recent Bitwarden unified image:

   ```
   docker compose pull
   ```
3. Recreate any containers that need to be updated:

   ```
   docker compose up -d
   ```
4. Verify that the containers are running:

   ```
   docker compose ps
   ```

## Environment variables

The unified deployment will operate by default without several of the standard Bitwarden services. This allows for increased customization and optimization of your unified deployment. Configure these services, and more optional settings, by editing various environment variables.

> [!NOTE] Unified Environment Variables
> Whenever you change an environment variable, the Docker container will need to be recreated. Learn more [here](https://bitwarden.com/help/install-and-deploy-unified-beta/#restart-the-container/).

#### Webserver ports

| **Variable** | **Description** |
|------|------|
| BW_PORT_HTTP | Change the port used for HTTP traffic. By default, `8080`. |
| BW_PORT_HTTPS | Change the port used for HTTPS traffic. By default, `8443`. |

#### SSL

Use these values to change certificate settings.

| **Variable** | **Description** |
|------|------|
| BW_ENABLE_SSL | Use SSL/TLS. `true`/`false`. Default `false`. SSL is required for Bitwarden to function properly. If you are not using SSL configured in the Bitwarden container you should front Bitwarden with an SSL proxy. |
| BW_SSL_CERT | The name of your SSL certificate file. The file must be located in the `/etc/bitwarden` directory within the container. Default `ssl.crt`. |
| BW_SSL_KEY | The name of your SSL key file. The file must be located in the `/etc/bitwarden` directory within the container. Default `ssl.key`. |
| BW_ENABLE_SSL_CA | Use SSL with certificate authority (CA) backed service. `true`/`false`. Default `false`. |
| BW_SSL_CA_CERT | The name of your SSL CA certificate. The file must be located in the `/etc/bitwarden` directory within the container. Default `ca.crt`. |
| BW_ENABLE_SSL_DH | Use SSL with Diffie-Hellman key exchange. `true`/`false`. Default `false`. |
| BW_SSL_DH_CERT | The name of your Diffie-Hellman parameters file. The file must be located in the `/etc/bitwarden` directory within the container. Default `dh.pem`. |
| BW_SSL_PROTOCOLS | SSL version used by NGINX. Leave empty for recommended default. [Learn more](https://wiki.mozilla.org/Security/Server_Side_TLS). |
| BW_SSL_CIPHERS | SSL ciphersuites used by NGINX. Leave empty for recommended default. [Learn more](https://wiki.mozilla.org/Security/Server_Side_TLS). |

> [!NOTE] Using existing SSL with Unified
> If you are using an existing SSL certificate, you will have to enable the appropriate SSL options in `settings.env`. SSL files must be stored in `/etc/bitwarden`, which can be referenced in the `docker-compose.yml` file. These files must match the names configured in `settings.env`.
>
> The default behavior is to generate a self-signed certificate if SSL is enabled and no existing certificate files are in the expected location (`/etc/bitwarden`).
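Because the container falls back to a self-signed certificate when the configured file names do not match what is actually in `/etc/bitwarden`, it is worth resolving the SSL settings against the mounted host directory before recreating the container. The following is an added example, not Bitwarden code: the function names and sample settings are hypothetical, the defaults are taken from the SSL table above, an empty value is assumed to mean "use the default", and the `incomplete-pair` outcome marks a case the page does not describe.

```python
import tempfile
from pathlib import Path

# Defaults taken from the SSL table above.
DEFAULTS = {
    "BW_ENABLE_SSL": "false", "BW_SSL_CERT": "ssl.crt", "BW_SSL_KEY": "ssl.key",
    "BW_ENABLE_SSL_CA": "false", "BW_SSL_CA_CERT": "ca.crt",
    "BW_ENABLE_SSL_DH": "false", "BW_SSL_DH_CERT": "dh.pem",
}


def parse_settings(text):
    """Overlay the SSL variables found in settings.env text onto the defaults."""
    settings = dict(DEFAULTS)
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key in DEFAULTS and value.strip():  # assumption: empty means default
            settings[key] = value.strip()
    return settings


def is_on(settings, name):
    return settings[name].lower() == "true"


def ssl_plan(settings_text, host_dir):
    """Return (status, missing_files) for the host directory mounted at /etc/bitwarden."""
    settings, host_dir = parse_settings(settings_text), Path(host_dir)
    if not is_on(settings, "BW_ENABLE_SSL"):
        # TLS is not terminated in the container, so a proxy has to provide it.
        return "tls-proxy-required", []

    present = {name: (host_dir / settings[name]).is_file()
               for name in ("BW_SSL_CERT", "BW_SSL_KEY")}
    missing = [settings[name] for name, found in present.items() if not found]

    # Optional files only matter when their feature flag is enabled.
    for flag, name in (("BW_ENABLE_SSL_CA", "BW_SSL_CA_CERT"),
                       ("BW_ENABLE_SSL_DH", "BW_SSL_DH_CERT")):
        if is_on(settings, flag) and not (host_dir / settings[name]).is_file():
            missing.append(settings[name])

    if all(present.values()):
        status = "own-certificate"
    elif not any(present.values()):
        status = "self-signed-generated"  # documented fallback
    else:
        status = "incomplete-pair"        # not described on the page; fix before starting
    return status, missing


def demo():
    """Evaluate constructed settings against a constructed host directory."""
    with tempfile.TemporaryDirectory() as tmp:
        for name in ("vault.crt", "vault.key"):  # stand-ins for operator-supplied files
            (Path(tmp) / name).write_text("constructed placeholder\n", encoding="utf-8")
        cases = {
            "ssl_off": "BW_DOMAIN=vault.corp.example\n",
            "names_not_set": "BW_ENABLE_SSL=true\n",
            "key_name_typo": "BW_ENABLE_SSL=true\nBW_SSL_CERT=vault.crt\nBW_SSL_KEY=vault.pem\n",
            "ca_missing": ("BW_ENABLE_SSL=true\nBW_SSL_CERT=vault.crt\n"
                           "BW_SSL_KEY=vault.key\nBW_ENABLE_SSL_CA=true\n"),
        }
        return {label: ssl_plan(text, tmp) for label, text in cases.items()}


if __name__ == "__main__":
    for label, (status, missing) in demo().items():
        print(f"{label}: {status} missing={missing}")
```

The `names_not_set` case is the one to watch for: the certificate files are in the directory, but because `BW_SSL_CERT` and `BW_SSL_KEY` were left at their defaults the container would serve a generated self-signed certificate instead.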
#### Services Additional services can be enabled or disabled for specific use cases, such as enterprise or team needs, by changing the following values: | Variable | Description | |------|------| | BW_ENABLE_ADMIN | **Do not disable this service.** Learn more about Admin panel capabilities [here](https://bitwarden.com/help/system-administrator-portal/). Default `true`. | | BW_ENABLE_API | **Do not disable this service.** Default `true`. | | BW_ENABLE_EVENTS | Enable or disable Bitwarden events logs for teams and enterprise event monitoring. Default `false`. | | BW_ENABLE_ICONS | Enable or disable Bitwarden brand icons that are set with the login item URI's. Learn more [here](https://bitwarden.com/help/website-icons/). Default `true`. | | BW_ENABLE_IDENTITY | **Do not disable this service.** Default `true`. | | BW_ENABLE_NOTIFICATIONS | Enable or disable notification services for receiving push notifications to mobile devices, using login with device, mobile vault sync, and more. Default `true`. | | BW_ENABLE_SCIM | Enable or disable SCIM for Enterprise organizations. Default `false`. | | BW_ENABLE_SSO | Enable or disable SSO services for Enterprise organizations. Default `false`. | | BW_ICONS_PROXY_TO_CLOUD | Enabling this service will proxy icon service requests to operate through cloud services in order to lower system memory load. If choosing to use this setting, `BW_ENABLE_ICONS `should be set to `false `in order to reduce container load. Default `false`. | #### Mail Configure SMTP settings for your unified deployment. Copy information from your chosen mail SMTP provider into the following fields: | **Variable** | **Description** | |------|------| | globalSettings__mail__replyToEmail | Enter the reply email for your server. | | globalSettings__mail__smtp__host | Enter host domain for your SMTP server. | | globalSettings__mail__smtp__port | Enter the port number from the SMTP host. | | globalSettings__mail__smtp__ssl | If your SMTP host uses SSL enter `true`. 
Set value to `false` if your host uses TLS service. | | globalSettings__mail__smtp__username | Enter the SMTP username. | | globalSettings__mail__smtp__password | Enter the SMTP password. | #### Yubico API (YubiKey) | **Variable** | **Description** | |------|------| | globalSettings__yubico__clientId | Replace value with ID received from your Yubico Key. Sign up for Yubico Key [here](https://upgrade.yubico.com/getapikey/). | | globalSettings__yubico__key | Input the key value received from Yubico. | ### Database configurations Utilizing the variety of database options that are compatible with the unified deployment will require additional `.env` configurations. ### MySQL/MariaDB In `settings.env`: ``` # Database BW_DB_PROVIDER=mysql BW_DB_SERVER=db BW_DB_DATABASE=bitwarden_vault BW_DB_USERNAME=bitwarden BW_DB_PASSWORD=super_strong_password ``` `` ### MSSQL In `settings.env`: ``` # Database BW_DB_PROVIDER=sqlserver BW_DB_SERVER=db BW_DB_DATABASE=bitwarden_vault BW_DB_USERNAME=bitwarden BW_DB_PASSWORD=super_strong_password ``` ### SQLite In `settings.env`: ``` # Database BW_DB_PROVIDER=sqlite BW_DB_FILE=/path/to/.db ``` Assigning the `sqlite `value will create a `vault.db `file in the `/etc/bitwarden` volume automatically. `BW_DB_FILE` is only required if you would like to specify the path to a different database file. ### PostgreSQL In `settings.env`: ``` # Database BW_DB_PROVIDER=postgresql BW_DB_SERVER=db BW_DB_DATABASE=bitwarden_vault BW_DB_USERNAME=bitwarden BW_DB_PASSWORD=super_strong_password ``` #### Other | **Variable** | **Description** | |------|------| | globalSettings__disableUserRegistration | Enable or disable user account registration capabilities. | | globalSettings__hibpApiKey | Enter the API key provided by Have I Been Pwnd. Register to receive the API key [here](https://haveibeenpwned.com/API/Key). | | adminSettings__admins | Enter admin email addresses. | | BW_REAL_IPS | Define real IPs in `nginx.conf `in a comma seperated list. 
Useful for defining proxy servers that forward the client IP address. [Learn more](https://nginx.org/en/docs/http/ngx_http_realip_module.html). | | BW_CSP | Content-Security-Policy parameter. Reconfiguring this parameter may break features. By changing this parameter, you become responsible for maintaining this value. | | BW_DB_PORT | Specify a custom port for database traffic. If unspecified, the default will depend on your chosen database provider. | ### Restart the container To restart your Docker container after changing environment variables, run the following commands from the Bitwarden unified deployment directory: ### Docker run 1. Stop the running Docker container: ``` docker stop bitwarden ``` 2. Remove the Docker container: ``` docker rm bitwarden ``` 3. Run the Docker container again: ``` docker run -d --name bitwarden -v /$(pwd)/bwdata/:/etc/bitwarden -p 80:8080 --env-file settings.env ghcr.io/bitwarden/lite ``` ### Docker Compose 1. Stop the running Docker container: ``` docker compose down ``` 2. Recreate the containers: ``` docker compose up -d ``` 3. Ensure that the containers are running properly with: ``` docker compose ps ``` ## Memory usage By default, the Bitwarden container will consume memory that is available to it, often being more than the minimum needed to run. For memory-conscious environments, you can use docker `-m` or `--memory=` to limit the Bitwarden container's memory usage. | **Name, shorthand** | **Description** | |------|------| | --memory=, -m | The maximum amount of memory the container can use. Bitwarden requires at least 200m. See the [Docker documentation](https://docs.docker.com/config/containers/resource_constraints/#limit-a-containers-access-to-memory) to learn more.
| To control memory usage with Docker Compose, use the `mem_limit` key: ``` services: bitwarden: env_file: - settings.env image: ghcr.io/bitwarden/lite restart: always mem_limit: 200m ``` ## Reporting issues While the Bitwarden unified deployment remains in beta release, we encourage you to report issues and give feedback via GitHub. Please use [this issue template](https://github.com/bitwarden/server/issues/new?assignees=&labels=bug%2Cbw-unified-deploy&template=bw-unified.yml) to report anything related to your Bitwarden unified deployment and check out [this page](https://github.com/bitwarden/server/issues/2480) to track known issues or join the discussion. ## Additional resources - If you are planning to self-host a Bitwarden organization, see [self-host an organization](https://bitwarden.com/help/self-host-an-organization/) to get started. For more information on Bitwarden's standard self-hosted deployment see: - [Install and Deploy - Linux](https://bitwarden.com/help/install-on-premise-linux/) - [Install and Deploy - Windows](https://bitwarden.com/help/install-on-premise-windows/) - [Install and Deploy - Manual](https://bitwarden.com/help/install-on-premise-manual/) --- URL: https://bitwarden.com/help/install-on-premise-linux/ --- # Linux Standard Deployment This article will walk you through the procedure to install and deploy Bitwarden to your own Linux server. Bitwarden can also be installed and deployed on [Windows](https://bitwarden.com/help/install-on-premise-windows/) machines. Please review Bitwarden [software release support](https://bitwarden.com/help/bitwarden-software-release-support/#release-support-at-bitwarden/) documentation. 
## System specifications | | **Minimum** | **Recommended** | |------|------|------| | Processor | x64, 1.4GHz | x64, 2GHz dual core | | Memory | 2GB RAM | 4GB RAM | | Storage | 12GB | 25GB | | Docker Version | Engine 26+ and Compose`ª` | Engine 26+ and Compose`ª` | `ª` - Docker Compose is automatically installed as a plugin when you download Docker Engine. Standard self-hosted server deployments ship with an **MSSQL Express** image by default, however you have the option to use an [external database](https://bitwarden.com/help/external-db/). The default database has a 10GB [maximum relational database size](https://learn.microsoft.com/en-us/sql/sql-server/editions-and-components-of-sql-server-2022?view=sql-server-ver17#scale-limits) but does not require additional licensing. > [!NOTE] Digital Ocean Link > If you are looking for a quality provider with affordable prices, we recommend DigitalOcean. [Get started today](https://marketplace.digitalocean.com/apps/bitwarden) or read our [blog post about Bitwarden on DigitalOcean](https://bitwarden.com/blog/digitalocean-marketplace/). ## TL;DR The following is a summary of the installation procedure in this article. Links in this section will jump to detailed **Installation procedure** sections: 1. [**Configure your domain**](https://bitwarden.com/help/install-on-premise-linux/#configure-your-domain/). Set DNS records for a domain name pointing to your machine, and open ports 80 and 443 on the machine. 2. [**Install Docker and Docker Compose**](https://bitwarden.com/help/install-on-premise-linux/#install-docker-and-docker-compose/) on your machine. 3. [**Create a Bitwarden user & directory**](https://bitwarden.com/help/install-on-premise-linux/#create-bitwarden-local-user-directory/) from which to complete installation. 4. Retrieve an installation id and key from [**https://bitwarden.com/host**](https://bitwarden.com/host/) for use in installation. 
For more information, see [What are my installation id and installation key used for?](https://bitwarden.com/help/hosting-faqs/#q-what-are-my-installation-id-and-installation-key-used-for/) 5. [**Install Bitwarden**](https://bitwarden.com/help/install-on-premise-linux/#install-bitwarden/) on your machine. 6. [**Configure your environment**](https://bitwarden.com/help/install-on-premise-linux/#post-install-configuration/) by adjusting settings in `./bwdata/env/global.override.env`. > [!NOTE] > At a minimum, configure the `globalSettings__mail__smtp...` variables to setup an email server for inviting and verifying users. 7. [**Start your instance**](https://bitwarden.com/help/install-on-premise-linux/#start-bitwarden/). 8. Test your installation by opening your configured domain in a web browser. 9. Once deployed, we recommend regularly [backing up your server](https://bitwarden.com/help/backup-on-premise/) and [checking for system updates](https://bitwarden.com/help/updating-on-premise/). ## Installation procedure ### Configure your domain By default, Bitwarden will be served through ports 80 (`http`) and 443 (`https`) on the host machine. Open these ports so that Bitwarden can be accessed from within and/or outside of the network. You may opt to choose different ports during installation. We recommend configuring a domain name with DNS records that point to your host machine (for example, `server.example.com`), especially if you are serving Bitwarden over the internet. We recommend not including Bitwarden in your hostname to keep the server identity or type concealed. ### Install Docker and Docker Compose Bitwarden will be deployed and run on your machine using an array of [Docker containers](https://docs.docker.com/get-started/). Bitwarden can be run with any Docker edition or plan. Evaluate which edition is best for your installation. Deployment of containers is orchestrated using [Docker Compose](https://docs.docker.com/compose/). 
Docker Compose is automatically installed as a plugin when you download Docker Engine. [Download Docker Engine for Linux](https://docs.docker.com/engine/install/#supported-platforms). ### Create Bitwarden local user & directory Configure your Linux server with a dedicated `bitwarden` service account, from which to install and run Bitwarden. Doing so will isolate your Bitwarden instance from other applications running on your server. For more information, see Docker's [Post-installation steps for Linux](https://docs.docker.com/engine/install/linux-postinstall/) documentation. 1. Create a bitwarden user: ``` sudo adduser bitwarden ``` 2. Set password for bitwarden user (strong password): ``` sudo passwd bitwarden ``` 3. Create a docker group (if it doesn’t already exist): ``` sudo groupadd docker ``` 4. Add the bitwarden user to the docker group: ``` sudo usermod -aG docker bitwarden ``` 5. Create a bitwarden directory: ``` sudo mkdir /opt/bitwarden ``` 6. Set permissions for the `/opt/bitwarden` directory: ``` sudo chmod -R 700 /opt/bitwarden ``` 7. Set the bitwarden user as owner of the `/opt/bitwarden` directory: ``` sudo chown -R bitwarden:bitwarden /opt/bitwarden ``` ### Install Bitwarden > [!TIP] If you've setup self-host local user and directory. > Once you have [created a Bitwarden user & directory](https://bitwarden.com/help/install-on-premise-manual/#create-bitwarden-local-user--directory/), complete the following as the `bitwarden` user from the `/opt/bitwarden` directory. **Do not install Bitwarden as root**, as you will encounter issues during installation. Bitwarden provides a shell script for easy installation on Linux and Windows (PowerShell). Complete the following steps to install Bitwarden using the shell script: 1. Download the Bitwarden installation script (`bitwarden.sh`) to your machine: ``` curl -Lso bitwarden.sh "https://func.bitwarden.com/api/dl/?app=self-host&platform=linux" && chmod 700 bitwarden.sh ``` 2. Run the installer script. 
A `./bwdata` directory will be created relative to the location of `bitwarden.sh`. ``` ./bitwarden.sh install ``` 3. Complete the prompts in the installer: - **Enter the domain name for your Bitwarden instance:** Typically, this value should be the configured DNS record. - **Do you want to use Let's Encrypt to generate a free SSL certificate? (y/n):** Specify `y` to generate a trusted SSL certificate using Let's Encrypt. You will be prompted to enter an email address for expiration reminders from Let's Encrypt. For more information, see [Certificate Options](https://bitwarden.com/help/certificates/). Alternatively, specify `n` and use the **Do you have a SSL certificate to use?** option. - **Enter your installation id:** Retrieve an installation id using a valid email at [https://bitwarden.com/host](https://bitwarden.com/host/). For more information, see [What are my installation id and installation key used for?](https://bitwarden.com/help/hosting-faqs/#general/) - **Enter your installation key:** Retrieve an installation key using a valid email at [https://bitwarden.com/host](https://bitwarden.com/host/). For more information, see [What are my installation id and installation key used for?](https://bitwarden.com/help/hosting-faqs/#general/) - **Enter your region (US/EU):** Enter US or EU depending on the [cloud server](https://bitwarden.com/help/server-geographies/) you will use to [license paid features](https://bitwarden.com/help/licensing-on-premise/). This only applies if you're connecting a self-hosted account or organization to a paid subscription. - **Do you have a SSL certificate to use? (y/n):** (Only if `n` selected for **Do you want to use Let's Encrypt to generate a free SSL certificate?**) If you already have your own SSL certificate, specify `y` and place the necessary files in the `./bwdata/ssl/your.domain` directory. You will be asked whether it is a trusted SSL certificate (y/n).
For more information, see [Certificate Options](https://bitwarden.com/help/certificates/). Alternatively, specify `n` and use the **self-signed SSL certificate?** option, which is only recommended for testing purposes. - **Do you want to generate a self-signed SSL certificate? (y/n):** (Only if `n` selected for **Do you have a SSL certificate to use?**) Specify `y` to have Bitwarden generate a self-signed certificate for you. This option is only recommended for testing. For more information, see [Certificate Options](https://bitwarden.com/help/certificates/). If you specify `n`, your instance will not use an SSL certificate and you will be required to front your installation with a HTTPS proxy, or else Bitwarden applications will not function properly. ### Post-install configuration Configuring your environment can involve making changes to two files; an environment variables file and an installation file: #### Environment variables (*required*) Some features of Bitwarden are not configured by the `bitwarden.sh` script. Configure these settings by editing the environment file, located at `./bwdata/env/global.override.env`. **At a minimum, you should replace the values for:** ``` ... globalSettings__mail__smtp__host= globalSettings__mail__smtp__port= globalSettings__mail__smtp__ssl= globalSettings__mail__smtp__username= globalSettings__mail__smtp__password= ... adminSettings__admins= ... ``` Replace `globalSettings__mail__smtp...=` placeholders to connect to the SMTP mail server that will be used to send verification emails to new users and invitations to organizations. Adding an email address to `adminSettings__admins=` will provision access to the System Administrator Portal. After editing `global.override.env`, run the following command to apply your changes: ``` ./bitwarden.sh restart ``` #### Installation file The Bitwarden installation script uses settings in `./bwdata/config.yml` to generate the necessary assets for installation. 
Some installation scenarios (such as installations behind a proxy with alternate ports) may require adjustments to `config.yml` that were not provided during standard installation. Edit `config.yml` as necessary and apply your changes by running: ``` ./bitwarden.sh rebuild ``` ### Start Bitwarden Once you have completed all previous steps, start your Bitwarden instance: ``` ./bitwarden.sh start ``` > [!NOTE] > The first time you start Bitwarden it may take some time as it downloads all of the images from GitHub Container Registry. Verify that all containers are running correctly: ``` docker ps ``` ![Docker healthy](https://bitwarden.com/assets/3Sq7MaJZ1jaEJUCW44wmwj/008be5ee5e43c20c8c840e71617e57eb/2025-05-05_15-34-44.png) Congratulations! Bitwarden is now up and running at your specified domain (in the above example, `https://bitwarden.example.com`). Visit the web vault in your web browser to confirm that it's working. You may now register a new account and log in. You will need to have configured `smtp` environment variables (see [Environment Variables](https://bitwarden.com/help/environment-variables/)) in order to verify the email for your new account. > [!TIP] Backup and Update your Server > Once deployed, we recommend regularly [backing up your server](https://bitwarden.com/help/backup-on-premise/) and [checking for system updates](https://bitwarden.com/help/updating-on-premise/). ## Script commands reference The Bitwarden installation script (`bitwarden.sh` or `bitwarden.ps1`) has the following commands available: > [!NOTE] > PowerShell users will run the commands with a prefixed `-` (switch). For example `.\bitwarden.ps1 -start`. | **Command** | **Description** | |------|------| | install | Start the installer. | | start | Start all containers. | | restart | Restart all containers (same as start). | | stop | Stop all containers. | | update | Update all containers and the database. | | updatedb | Update/initialize the database.
| | updaterun | Update the `run.sh` file. | | updateself | Update this main script. | | updateconf | Update all containers without restarting the running instance. | | uninstall | Before this command executes, you will be prompted to save database files. `y` will create a tarfile of your database including the most recent backup. Stops containers, deletes the `bwdata` directory and all its contents, and removes ephemeral volumes. After executing, you will be asked whether you also want to purge all Bitwarden images. | | compresslogs | Download a tarball of all server logs, or of server logs in a specified date range, to the current directory. For example, use `./bitwarden.sh compresslogs 20240304 20240305` to download logs from March 4th, 2024 to March 5th, 2024. | | renewcert | Renew certificates. | | rebuild | Rebuild generated installation assets from `config.yml`. | | help | List all commands. | ## Next steps - If you are planning to self-host a Bitwarden organization, see [self-host an organization](https://bitwarden.com/help/self-host-an-organization/) to get started. - For additional information see [self hosting FAQs](https://bitwarden.com/help/hosting-faqs/). --- URL: https://bitwarden.com/help/install-on-premise-manual/ --- # Linux Manual Deployment This article will walk you through the procedure to manually install and deploy Bitwarden to your own server. Please review Bitwarden [software release support](https://bitwarden.com/help/bitwarden-software-release-support/#release-support-at-bitwarden/) documentation. > [!WARNING] Manual Server Setup > **Manual installations should be conducted by advanced users only.** Only proceed if you are very familiar with Docker technologies and desire more control over your Bitwarden installation. > > Manual installations lack the ability to automatically update certain dependencies of the Bitwarden installation.
As you upgrade from one version of Bitwarden to the next you will be responsible for changes to required environment variables, changes to nginx `default.conf`, changes to `docker-compose.yml`, and so on. > > We will try to highlight these in the [release notes on GitHub](https://github.com/bitwarden/server/releases). You can also monitor changes to the [dependency templates](https://github.com/bitwarden/server/tree/master/util/Setup/Templates) used by the Bitwarden installation script on GitHub. ## Requirements | | Minimum | Recommended | |------|------|------| | Processor | x64, 1.4GHz | x64, 2GHz dual core | | Memory | 2GB RAM | 4GB RAM | | Storage | 12GB | 25GB | | Docker Version | Engine 26+ and Compose`ª` | Engine 26+ and Compose`ª` | `ª` - Docker Compose is automatically installed as a plugin when you download Docker Engine. [Download Docker Engine for Linux](https://docs.docker.com/engine/install/#supported-platforms). ## Installation procedure ### Create Bitwarden local user & directory Configure your Linux server with a dedicated `bitwarden` service account, from which to install and run Bitwarden. Doing so will isolate your Bitwarden instance from other applications running on your server. For more information, see Docker's [Post-installation steps for Linux](https://docs.docker.com/engine/install/linux-postinstall/) documentation. 1. Create a bitwarden user: ``` sudo adduser bitwarden ``` 2. Set a password for the bitwarden user: ``` sudo passwd bitwarden ``` 3. Create a docker group (if it doesn't already exist): ``` sudo groupadd docker ``` 4. Add the bitwarden user to the docker group: ``` sudo usermod -aG docker bitwarden ``` 5. Create a bitwarden directory: ``` sudo mkdir /opt/bitwarden ``` 6. Set permissions for the `/opt/bitwarden` directory: ``` sudo chmod -R 700 /opt/bitwarden ``` 7. 
Set the bitwarden user ownership of the `/opt/bitwarden` directory: ``` sudo chown -R bitwarden:bitwarden /opt/bitwarden ``` ### Download & configure > [!TIP] If you've setup self-host local user and directory. > Once you have [created a Bitwarden user & directory](https://bitwarden.com/help/install-on-premise-manual/#create-bitwarden-local-user--directory/), complete the following as the `bitwarden` user from the `/opt/bitwarden` directory. **Do not install Bitwarden as root**, as you will encounter issues during installation. To download Bitwarden and configure Bitwarden server assets: 1. Download a stubbed version of Bitwarden's dependencies (`docker-stub-US.zip` or `docker-stub-EU.zip`) from the [releases pages on GitHub](https://github.com/bitwarden/server/releases). For example: ``` curl -L https://github.com/bitwarden/server/releases/download/v/docker-stub-US.zip \ -o docker-stub-US.zip ``` 2. Create a new directory named `bwdata` and extract `docker-stub.zip` to it, for example: ``` unzip docker-stub-US.zip -d bwdata ``` Once unzipped, the `bwdata` directory will match what the `docker-compose.yml` file's volume mapping expects. You may, if you wish, change the location of these mappings on the host machine. 3. In `./bwdata/env/global.override.env`, edit the following environment variables: - `globalSettings__baseServiceUri__vault=`: Enter the domain of your Bitwarden instance. - `globalSettings__sqlServer__ConnectionString=`: Replace the `RANDOM_DATABASE_PASSWORD` with a secure password for use in a later step. - `globalSettings__identityServer__certificatePassword`: Set a secure certificate password for use in a later step. - `globalSettings__internalIdentityKey=`: Replace `RANDOM_IDENTITY_KEY` with a random alphanumeric string. - `globalSettings__oidcIdentityClientKey=`: Replace `RANDOM_IDENTITY_KEY` with a random alphanumeric string. - `globalSettings__duo__aKey=`: Replace `RANDOM_DUO_AKEY` with a random alphanumeric string. 
- `globalSettings__installation__id=`: Enter an installation id retrieved from [https://bitwarden.com/host](https://bitwarden.com/host/). - `globalSettings__installation__key=`: Enter an installation key retrieved from [https://bitwarden.com/host](https://bitwarden.com/host/). > [!TIP] Manual Install Environment Variables > At this time, consider also setting values for all `globalSettings__mail__smtp__` variables and for `adminSettings__admins`. Doing so will configure the SMTP mail server used to send invitations to new organization members and provision access to the [System Administrator Portal](https://bitwarden.com/help/system-administrator-portal/). > > [Learn more about environment variables](https://bitwarden.com/help/environment-variables/). 4. From `./bwdata`, generate a `.pfx` certificate file for the identity container and move it to the mapped volume directory (by default, `./bwdata/identity/`). For example, run the following commands: ``` openssl req -x509 -newkey rsa:4096 -sha256 -nodes -keyout identity.key -out identity.crt -subj "/CN=Bitwarden IdentityServer" -days 10950 ``` and ``` openssl pkcs12 -export -out ./identity/identity.pfx -inkey identity.key -in identity.crt -passout pass:IDENTITY_CERT_PASSWORD ``` In the above command, replace `IDENTITY_CERT_PASSWORD` with the certificate password created and used in **Step 3**. 5. Create a subdirectory in `./bwdata/ssl` named for your domain, for example: ``` mkdir ./ssl/bitwarden.example.com ``` 6. Provide a trusted SSL certificate and private key in the newly created `./bwdata/ssl/bitwarden.example.com` subdirectory. > [!NOTE] SSL Directory to Volume Mapping > This directory is mapped to the NGINX container at `/etc/ssl`. If you can't provide a trusted SSL certificate, front the installation with a proxy that provides an HTTPS endpoint to Bitwarden client applications. 7. In `./bwdata/nginx/default.conf`: 1. 
Replace all instances of `bitwarden.example.com` with your domain, including in the `Content-Security-Policy` header. 2. Set the `ssl_certificate` and `ssl_certificate_key` variables to the paths of the certificate and private key provided in **Step 7**. 3. Take one of the following actions, depending on your certificate setup: - If using a trusted SSL certificate, set the `ssl_trusted_certificate` variable to the path to your certificate. - If using a self-signed certificate, comment out the `ssl_trusted_certificate` variable. 8. In `./bwdata/env/mssql.override.env`, replace `RANDOM_DATABASE_PASSWORD` with the password created in **Step 3**. 9. In `./bwdata/web/app-id.json`, replace `bitwarden.example.com` with your domain. 10. In `./bwdata/env/uid.env`, set the UID and GID of the `bitwarden` users and group you [created earlier](https://bitwarden.com/help/install-on-premise-manual/#create-bitwarden-local-user-and-directory/) so the containers run under them, for example: ``` LOCAL_UID=1001 LOCAL_GID=1001 ``` ### Start your server Start your Bitwarden server with the following command: ``` docker compose -f ./docker/docker-compose.yml up -d ``` Verify that all containers are running correctly: ``` docker ps ``` ![Docker healthy](https://bitwarden.com/assets/3Sq7MaJZ1jaEJUCW44wmwj/008be5ee5e43c20c8c840e71617e57eb/2025-05-05_15-34-44.png) Congratulations! Bitwarden is now up and running at `https://your.domain.com`. Visit the web vault in your browser to confirm that it's working. You may now register a new account and log in. You will need to have configured SMTP environment variables (see [Environment Variables](https://bitwarden.com/help/environment-variables/)) in order to verify the email for your new account. ## Next Steps: - If you are planning to self-host a Bitwarden organization, see [self-host an organization](https://bitwarden.com/help/self-host-an-organization/) to get started. 
- For additional information see [self hosting FAQs](https://bitwarden.com/help/hosting-faqs/). ## Update your server Updating a self-hosted server that has been installed and deployed manually is different from the [standard update procedure](https://bitwarden.com/help/updating-on-premise/). To update your manually-installed server: 1. Download the latest `docker-stub.zip` archive from the [releases pages on GitHub](https://github.com/bitwarden/server/releases). 2. Unzip the new `docker-stub.zip` archive and compare its contents with what's currently in your `bwdata` directory, copying anything new to the pre-existing files in `bwdata`. **Do not** overwrite your pre-existing `bwdata` directory with the contents of the newer `docker-stub.zip` archive, as this would overwrite any custom configuration work you've done. 3. Run the following command to restart your server with your updated configuration and the latest containers: ``` docker compose -f ./docker/docker-compose.yml down && docker compose -f ./docker/docker-compose.yml up -d ``` --- URL: https://bitwarden.com/help/install-on-premise-windows/ --- # Windows Standard Deployment This article will walk you through the procedure to install and deploy Bitwarden to your own Windows server. Bitwarden can also be installed and deployed on [Linux and macOS](https://bitwarden.com/help/install-on-premise-linux/) machines. Please review Bitwarden [software release support](https://bitwarden.com/help/bitwarden-software-release-support/#release-support-at-bitwarden/) documentation. ## System specifications | | **Minimum** | **Recommended** | |------|------|------| | Processor | x64, 1.4GHz | x64, 2GHz Dual Core | | Memory | 6GB RAM | 8+ GB RAM | | Storage | 76GB | 90GB | | Docker Version | Engine 26+ and Compose`ª` | Engine 26+ and Compose`ª` | `ª` - Docker Compose can be installed via Docker Desktop, which includes Engine and Compose. 
### Nested virtualization Running Bitwarden on Windows Server **requires use of nested virtualization**. Please check your Hypervisor's documentation to find out if nested virtualization is supported and how to enable it. > [!NOTE] microsoft azure vm > If you are running Windows Server as an Azure VM, we recommend a **Standard D2s v3 Virtual Machine running Windows Server 2022**, which meets all [system requirements](https://bitwarden.com/help/install-on-premise-windows/#system-specifications/) including support for nested virtualization. You will also need to select **Security Type**: **Standard** rather than the default **Trusted launch virtual machines**. ## TL;DR The following is a summary of the [installation procedure](https://bitwarden.com/help/install-on-premise-windows/#installation-procedure/) in this article. Links in this section will jump to detailed **Installation procedure** sections: 1. [**Configure your domain**](https://bitwarden.com/help/install-on-premise-windows/#configure-your-domain/). Set DNS records for a domain name pointing to your machine, and open ports 80 and 443 on the machine. 2. [**Install and setup Docker Desktop**](https://bitwarden.com/help/install-on-premise-windows/#setup-docker-desktop/) on your machine. 3. [**Create a Bitwarden user & directory**](https://bitwarden.com/help/install-on-premise-windows/#create-bitwarden-local-user-directory/) from which to complete the installation. 4. Retrieve an installation id and key from [**https://bitwarden.com/host**](https://bitwarden.com/host/) for use in installation. For more information, see [What are my installation id and installation key used for?](https://bitwarden.com/help/hosting-faqs/#general/) 5. [**Install Bitwarden**](https://bitwarden.com/help/install-on-premise-windows/#install-bitwarden/) on your machine. 6. 
[**Configure your environment**](https://bitwarden.com/help/install-on-premise-windows/#post-install-configuration/) by adjusting settings in `\bwdata\env\global.override.env`. > [!NOTE] > At a minimum, configure the `globalSettings__mail__smtp...` variables to setup an email server for inviting and verifying users. 7. [**Start your instance**](https://bitwarden.com/help/install-on-premise-windows/#start-bitwarden/). 8. Test your installation by opening your configured domain in a web browser. 9. Once deployed, we recommend regularly [backing up your server](https://bitwarden.com/help/backup-on-premise/) and [checking for system updates](https://bitwarden.com/help/updating-on-premise/). ## Installation procedure > [!NOTE] Will not execute in powershell ISE > Using the PowerShell ISE to run PowerShell commands will cause the Bitwarden installation to fail. Completing a successful install will require PowerShell. ### Configure your domain By default, Bitwarden will be served through ports 80 (`http`) and 443 (`https`) on the host machine. Open these ports so that Bitwarden can be accessed from within and/or outside of the network. You may opt to choose different ports during installation. > [!NOTE] windows fire wall docker > **If you are using Windows Firewall**, Docker Desktop for Windows will not automatically add an exception for itself in Windows Firewall. Add exceptions for TCP ports 80 and 443 (or chosen alternative ports) to prevent related errors. We recommend configuring a domain name with DNS records that point to your host machine (for example, `server.example.com`), especially if you are serving Bitwarden over the internet. We recommend not including Bitwarden in your hostname to keep the server identity or type concealed. ### Setup Docker Desktop Bitwarden will be deployed and run on your machine using an array of [Docker containers](https://docs.docker.com/get-started/). Bitwarden can be run with any Docker edition or plan. 
Evaluate which edition is best for your installation. Deployment of containers is orchestrated using [Docker Compose](https://docs.docker.com/compose/). Docker Compose can be installed via Docker Desktop, which includes Engine and Compose. [Install Docker Desktop for Engine and Compose](https://docs.docker.com/desktop/install/windows-install/). During this setup, you must **uncheck** the **Use WSL2 instead of Hyper-V (recommended)** option. After installing, open Docker Desktop and select ⚙️ **Settings** and then **Resources**. Bitwarden requires at least 4GB of RAM allocated to Docker Desktop. This setting will dedicate the RAM from Windows exclusively to Docker. As a result, setting this value too high may cause instability within Windows. ### Create Bitwarden local user & directory Open PowerShell and create a Bitwarden local user by running the following commands: ``` PS C:\> $Password = Read-Host -AsSecureString ``` After running the above command, enter the desired password in the text input dialog. After specifying a password, run the following: ``` New-LocalUser "Bitwarden" -Password $Password -Description "Bitwarden Local Admin" ``` As the newly created user, create a Bitwarden folder under `C:\`: ``` PS C:\> mkdir Bitwarden ``` In Docker Desktop, navigate to **Settings** → **Resources** → **File Sharing** and add the created directory (`C:\Bitwarden`) to the Resources list. Select **Apply & Restart** to apply your changes. > [!NOTE] Docker user group > The Bitwarden user must be added to the docker-users group. See Docker's [documentation](https://docs.docker.com/desktop/install/windows-install/#install-docker-desktop-on-windows) to learn how. Log in as the newly created user before completing all subsequent procedures in this document. ### Install Bitwarden Bitwarden provides a PowerShell Cmdlet file (`.ps1`) for easy installation on Windows machines.
Complete the following steps to install Bitwarden using the Cmdlet:

> [!NOTE] already created bitwarden user and directory
> Once you have [created a Bitwarden user & directory](https://bitwarden.com/help/install-on-premise-windows/#create-bitwarden-local-user--directory/), complete the following as the `Bitwarden` user.

1. Navigate to the [created](https://bitwarden.com/help/install-on-premise-windows/#create-bitwarden-local-user--directory/) directory:

   ```
   cd C:\Bitwarden
   ```
2. Run the following command to download the Bitwarden installation script (`bitwarden.ps1`):

   ```
   Invoke-RestMethod -OutFile bitwarden.ps1 -Uri "https://func.bitwarden.com/api/dl/?app=self-host&platform=windows"
   ```
3. Run the installer script using the following command:

   ```
   .\bitwarden.ps1 -install
   ```
4. Complete the prompts in the installer:
   - **Enter the domain name for your Bitwarden instance:** Typically, this value should be the configured DNS record.
   - **Do you want to use Let's Encrypt to generate a free SSL certificate? (y/n):** Specify `y` to generate a trusted SSL certificate using Let's Encrypt. You will be prompted to enter an email address for expiration reminders from Let's Encrypt. For more information, see [Certificate Options](https://bitwarden.com/help/certificates/). Alternatively, specify `n` and use the **do you have a SSL certificate to use?** option.
   - **Enter your installation id:** Retrieve an installation id using a valid email at [https://bitwarden.com/host](https://bitwarden.com/host/). For more information, see [What are my installation id and installation key used for?](https://bitwarden.com/help/hosting-faqs/#q-what-are-my-installation-id-and-installation-key-used-for/)
   - **Enter your installation key:** Retrieve an installation key using a valid email at [https://bitwarden.com/host](https://bitwarden.com/host/). For more information, see [What are my installation id and installation key used for?](https://bitwarden.com/help/hosting-faqs/#q-what-are-my-installation-id-and-installation-key-used-for/)
   - **Enter your region (US/EU):** Enter US or EU depending on the [cloud server](https://bitwarden.com/help/server-geographies/) you will use to [license paid features](https://bitwarden.com/help/licensing-on-premise/), only applicable if you're connecting a self-hosted account or organization to a paid subscription.
   - **Do you have a SSL certificate to use? (y/n)** If you already have your own SSL certificate, specify `y` and place the necessary files in the `C:\Bitwarden\bwdata\ssl\` directory. You will be asked whether it is a trusted SSL certificate (`y/n`). For more information, see [Certificate Options](https://bitwarden.com/help/certificates/). Alternatively, specify `n` and use the **self-signed SSL certificate?** option, which is only recommended for testing purposes.
   - **Do you want to generate a self-signed SSL certificate? (y/n)**: Specify `y` to have Bitwarden generate a self-signed certificate for you. This option is only recommended for testing. For more information, see [Certificate Options](https://bitwarden.com/help/certificates/). If you specify `n`, your instance will not use an SSL certificate and you will be required to front your installation with an HTTPS proxy, or else Bitwarden applications will not function properly.

### Post-install configuration

Configuring your environment can involve making changes to two files: an [environment variables file](https://bitwarden.com/help/install-on-premise-windows/#environment-variables/) and an [installation file](https://bitwarden.com/help/install-on-premise-windows/#installation-configuration/).

#### Environment variables (*required*)

Some features of Bitwarden are not configured by the `bitwarden.ps1` Cmdlet. Configure these settings by editing the environment file, located at `\bwdata\env\global.override.env`.
**At a minimum, you should replace the values for:**

```
...
globalSettings__mail__smtp__host=
globalSettings__mail__smtp__port=
globalSettings__mail__smtp__ssl=
globalSettings__mail__smtp__username=
globalSettings__mail__smtp__password=
...
adminSettings__admins=
...
```

Replace `globalSettings__mail__smtp...=` placeholders to connect to the SMTP mail server that will be used to send verification emails to new users and invitations to organizations. Adding an email address to `adminSettings__admins=` will provision access to the System Administrator Portal.

After editing `global.override.env`, run the following command to apply your changes:

```
.\bitwarden.ps1 -restart
```

#### Installation file

The Bitwarden installation script uses settings in `.\bwdata\config.yml` to generate the necessary assets for installation. Some installation scenarios (such as installations behind a proxy with alternate ports) may require adjustments to `config.yml` that were not provided during standard installation.

Edit `config.yml` as necessary and apply your changes by running:

```
.\bitwarden.ps1 -rebuild
```

### Start Bitwarden

Once you have completed all previous steps, start your Bitwarden instance by running the following command:

```
.\bitwarden.ps1 -start
```

> [!NOTE]
> The first time you start Bitwarden it may take some time as it downloads images from Docker Hub.

Verify that all containers are running correctly:

```
docker ps
```

![List showing Healthy Containers ](https://bitwarden.com/assets/3kcV9CFkWJrw5qCmKZsyBg/5cd5030d96352e6b1f5f20d1ffb79654/docker-ps-win.png)

Congratulations! Bitwarden is now up and running at `https://your.domain.com`. Visit the web vault in your web browser to confirm that it’s working.

You may now register a new account and log in. You will need to have configured `smtp` environment variables (see [Environment Variables](https://bitwarden.com/help/environment-variables/)) in order to verify the email for your new account.
> [!TIP] Backup and Update your Server
> Once deployed, we recommend regularly [backing up your server](https://bitwarden.com/help/backup-on-premise/) and [checking for system updates](https://bitwarden.com/help/updating-on-premise/).

## Next Steps:

- If you are planning to self-host a Bitwarden organization, see [self-host an organization](https://bitwarden.com/help/self-host-an-organization/) to get started.
- For additional information see [self hosting FAQs](https://bitwarden.com/help/hosting-faqs/).

## Start Docker on boot

Docker Desktop will only automatically start on boot if you have a logged-in RDP session. To start Docker Desktop on boot regardless of whether there is a user logged in:

> [!NOTE]
> Docker Desktop may take up to 15 minutes after boot to fully start and for containers to be accessible from the network.

1. Open Task Scheduler and select **Create Task...** from the Actions menu.
2. Configure the task with the following security options:
   - Set the task to use the [created](https://bitwarden.com/help/install-on-premise-windows/#create-bitwarden-local-user--directory/) `Bitwarden` user account.
   - Set the task to **Run whether user is logged on or not**.
3. Select the **Triggers** tab and create the following trigger:
   - From the **Begin the task** dropdown, select **At startup**.
   - In the Advanced settings section, check the **Delay task for:** checkbox and select **1 minute** from the dropdown.
4. Select the **Actions** tab and create the following action:
   - In the Program/script input, specify `"C:\Program Files\Docker\Docker\frontend\Docker Desktop.exe"`.
5. Select **OK** to finish creating the scheduled task.

## Script commands reference

The Bitwarden installation script (`bitwarden.ps1`) has the following commands available. All commands must be prefixed with a switch (`-`), for example `.\bitwarden.ps1 -start`:

| **Command** | **Description** |
|------|------|
| -install | Start the installer. |
| -start | Start all containers. |
| -restart | Restart all containers. |
| -stop | Stop all containers. |
| -update | Update all containers and the database. |
| -updatedb | Update/initialize the database. |
| -updaterun | Update the run.ps1 file. |
| -updateself | Update the installation script. |
| -updateconf | Update all containers without restarting the running instance. |
| -uninstall | Before this command executes, you will be prompted to save database files. `y` will create a tarfile of your database including the most recent backup. Stops containers, deletes the `bwdata` directory and all its contents, and removes ephemeral volumes. After executing, you will be asked whether you want to purge all Bitwarden images. |
| -renewcert | Renew certificates. |
| -rebuild | Rebuild generated installation assets from `config.yml`. |
| -help | List all commands. |

--- URL: https://bitwarden.com/help/install-safari-app-extension/ ---

# Safari Web Extension

Bitwarden's Safari web extension is a port of the prior app extension designed for use with [Safari 14](https://developer.apple.com/documentation/safariservices/safari_web_extensions/converting_a_safari_app_extension_to_a_safari_web_extension?language=objc) and newer. The Safari web extension is packaged with the Bitwarden desktop app available on the app store, so you don't need to download it separately.

> [!NOTE] Mac OS Safari app
> Due to changes by Apple, Safari limits web extension use to **only those obtained through Mac App Store downloads**. As of the [2021-03-11 Release](https://bitwarden.com/help/releasenotes/), users will not be able to use a Bitwarden Safari extension obtained through a `.dmg` installation from [bitwarden.com/download](https://bitwarden.com/download/) or any other non-App Store source.
>
> **If you are using a Safari version prior to 14**, you can continue using a `.dmg` installation, which can be downloaded from [bitwarden.com/download](https://bitwarden.com/download/) by clicking **more desktop installation options >**. Keeping the `.dmg` outside of the Applications folder should allow you to simultaneously use both an older Safari extension and the latest desktop app.

The Safari web extension has full feature parity to the prior app extension. For developer detail on the difference between Safari web extensions and app extensions, click [here](https://developer.apple.com/documentation/safariservices/safari_web_extensions/converting_a_safari_app_extension_to_a_safari_web_extension?language=objc).

## Enable the extension

Before enabling the Safari web extension, run the desktop app at least once. In Safari:

1. Open the **Safari** menu and select **Settings**.
2. Navigate to the **Extensions** page.
3. Check the **Bitwarden** checkbox, and select **Turn on** in the confirmation dialog.

> [!NOTE] Extension for mobile browsers instead of desktop browsers
> These instructions apply to the browser extensions for desktop web browsers; learn how to set up an extension for mobile web browsers on iOS [here](https://bitwarden.com/help/auto-fill-ios/#browser-app-extension-autofill/).

--- URL: https://bitwarden.com/help/integrated-authenticator/ ---

# Integrated Authenticator

Password Manager integrated authentication is an alternative solution to dedicated authentication apps like [Bitwarden Authenticator](https://bitwarden.com/help/bitwarden-authenticator/), which you can use to verify your identity for websites and apps that use two-step login. Integrated authentication generates six-digit [time-based one-time passwords](https://en.wikipedia.org/wiki/Time-based_One-time_Password_algorithm) (TOTPs) using SHA-1 and rotates them every 30 seconds.

> [!NOTE] TOTP account requirements
> Storing keys is available to all accounts.
> Generating TOTP codes is available with Premium or membership to a paid organization (Families, Teams, or Enterprise).

If you are new to using TOTPs for two-step login, refer to the [Field Guide to Two-step Login](https://bitwarden.com/help/bitwarden-field-guide-two-step-login/#securing-important-websites/) for more information.

## Generate TOTP codes

In Bitwarden Password Manager, you can generate TOTPs using two methods:

- From a Bitwarden mobile app or browser extension by [**scanning a QR code**](https://bitwarden.com/help/authenticator-keys/#scan-a-qr-code/).
- From any Bitwarden app by [**manually entering a secret**](https://bitwarden.com/help/authenticator-keys/#manually-enter-a-secret/).

### Scan a QR code

Complete the following steps to set up integrated authentication from your app of choice:

### Mobile

1. **Edit** the vault item for which you want to generate TOTPs.
2. Tap the [camera] **Set up TOTP** button:

   ![Set up TOTP on mobile](https://bitwarden.com/assets/1cjF7IObqGhZL2ETA6XhTU/10641831c6fb690b85c3c99f39f1b1b1/2025-01-21_16-46-53.png)
3. Scan the QR code and tap **Save** to begin generating TOTPs.

### Browser extension

1. **Edit** the vault item for which you want to generate TOTPs.
2. Select the [camera] **TOTP** button, which will scan the authenticator QR code from the current webpage. The full QR code must be visible on-screen.

   ![Browser extension TOTP scan](https://bitwarden.com/assets/7vTPBRNX8Q1xxOZsqFxWBQ/3a91391f5c233743b8f6be509086f895/2024-10-29_11-04-36.png)
3. Tap **Save** once the code has been entered to begin generating TOTPs.

Once set up, integrated authentication will continuously generate six-digit TOTPs rotated every 30 seconds, which you can use as a secondary step for two-step login to connected websites or apps. You can update the TOTP seed at any time using the [camera] icon on the Edit Item screen.

### Manually enter a secret

Complete the following steps to manually enter a secret key:

1. **Edit** the vault item for which you want to generate TOTPs.
2. Select the **Authenticator key** field. On mobile apps, you can alternatively select [camera] **Set up authenticator key** → **Enter key manually** from the Edit view.
3. Paste the secret key into the **Authenticator Key** field and save the item.

Once set up, integrated authentication will continuously generate six-digit TOTPs rotated every 30 seconds, which you can use as a secondary step for two-step login to connected websites or apps. You can edit the TOTP seed at any time using the [camera] icon on the Edit Item screen.

## Use generated codes

> [!TIP] TOTP & Time
> TOTPs rely on time-based code generation. If your device has an incorrect time compared to the server, it will generate codes that don't work. If you are having trouble with your TOTP codes, set your device's time and time zone to **Automatic**.

Bitwarden browser extensions and iOS (version 18.0 or newer) will autofill your TOTP code, unless the **Autofill on page load** option is active. In that case, the browser extension also copies the TOTP code to your clipboard for easy pasting into the form. On browser extensions, you can also copy the TOTP code from the context menu:

![Browser Extension context menu ](https://bitwarden.com/assets/5YmvBLK63g2xMnUewNVjOg/a63aec8b36ac65d6d91acf666fc8406f/2024-10-29_11-11-51.png)

> [!TIP] Extension TOTP copying.
> Automatic TOTP copying can be turned off on browser extensions using **Settings** → **Autofill** → **Copy TOTP automatically**, which will be on by default. Additionally, use the nearby **Clear clipboard** option to set an interval with which to clear copied values.

### Viewing TOTP codes

> [!TIP] Viewing codes when offline
> As long as you have access to your Bitwarden vault, you'll be able to view generated codes, even if you're logged in to Bitwarden while the device is offline.

All Bitwarden apps display your rotating TOTP code inside the vault item, which can be copied and pasted just like a username or password:

![Copy a TOTP code ](https://bitwarden.com/assets/41IqtUVMLh7MLxwwNU2ZpD/b9fc56ddc82ab78130305c0751aac0ca/2024-12-02_14-55-24.png)

Mobile apps also have a dedicated Verification Codes screen that lists active TOTPs for quick copying:

![Verification codes on mobile](https://bitwarden.com/assets/3MRb58qhCFvVHVjPaxMk6R/227fae64af8e1a13e6c86a74412929eb/2025-01-21_17-13-12.png)

### Troubleshooting

TOTP codes are generated based on the system clock of your device. If your generated codes are not working or invalid, the most likely reason is that your device clock has become out-of-step from the Bitwarden server. To re-sync the clock on your device:

### Windows

Navigate to **Start** → **Settings** → **Time & language** → **Date & time**, and turn the **Set time automatically** option off and back on.

If this doesn't work, use the following PowerShell commands to set your timezone, being sure to replace the timezone name with the right one from [this list](https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/default-time-zones?view=windows-11#time-zones), and restart your computer:

```
Set-TimeZone -Id "Central Standard Time"
```

```
Restart-Computer
```

### macOS

Navigate to **System Settings** → **General** → **Date & Time**, and turn the **Set time and date automatically** and **Set time zone automatically using your current location** options off and back on.

### Android

Navigate to **Settings** → **System** → **Date & time**, and turn the **Set time automatically** option off and back on.

### iOS

Navigate to **Settings** → **General** → **Date & Time**, and turn the **Set Automatically** option off and back on.
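
As an added illustration (not Bitwarden's code), this minimal RFC 6238 generator shows that a code depends only on the stored key and the clock, which is why a drifted device clock produces codes a site rejects. It also reads the `algorithm`, `digits` and `period` query parameters of an `otpauth://totp/` URI; the function names, the constructed RFC sample key and the verifier's one-period tolerance are assumptions of this example.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, urlparse

HASHES = {"sha1": hashlib.sha1, "sha256": hashlib.sha256, "sha512": hashlib.sha512}

# Sample URI shown in this article's parameter documentation.
PAGE_KEY = ("otpauth://totp/Test:me?secret=JBSWY3DPEHPK3PXP"
            "&algorithm=sha256&digits=8&period=60")
# Constructed sample: the ASCII test secret from RFC 6238 Appendix B,
# base32-encoded and wrapped in a URI that asks for 8 digits.
RFC_KEY = ("otpauth://totp/Example:rfc6238?secret="
           + base64.b32encode(b"12345678901234567890").decode() + "&digits=8")


def parse_authenticator_key(key):
    """Return (secret_bytes, algorithm, digits, period) for a stored key.

    Accepts a bare base32 secret or an otpauth://totp/ URI. Missing
    parameters fall back to SHA-1, 6 digits and a 30-second period.
    """
    algorithm, digits, period = "sha1", 6, 30
    secret = key.strip()
    if secret.lower().startswith("otpauth://"):
        uri = urlparse(secret)
        if uri.netloc.lower() != "totp":
            raise ValueError("only otpauth://totp/ URIs are handled here")
        query = parse_qs(uri.query)
        if "secret" not in query:
            raise ValueError("URI has no secret parameter")
        secret = query["secret"][0]
        algorithm = query.get("algorithm", [algorithm])[0].lower()
        digits = int(query.get("digits", [digits])[0])
        period = int(query.get("period", [period])[0])
    if algorithm not in HASHES:
        raise ValueError(f"unsupported algorithm: {algorithm}")
    if not 1 <= digits <= 10:
        raise ValueError("digits must be between 1 and 10")
    if period <= 0:
        raise ValueError("period must be greater than 0")
    # Secrets are often displayed lowercase, spaced, or without '=' padding.
    b32 = secret.replace(" ", "").upper()
    b32 += "=" * (-len(b32) % 8)
    return base64.b32decode(b32), algorithm, digits, period


def totp(key, at):
    """Compute the code for `key` at Unix time `at` (seconds)."""
    secret, algorithm, digits, period = parse_authenticator_key(key)
    counter = struct.pack(">Q", int(at) // period)  # number of elapsed periods
    mac = hmac.new(secret, counter, HASHES[algorithm]).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def accepted_by_verifier(key, code, verifier_time, drift_steps=1):
    """Model a site that accepts codes within +/- drift_steps periods.

    The tolerance is an assumption; each site chooses its own window.
    """
    period = parse_authenticator_key(key)[3]
    for step in range(-drift_steps, drift_steps + 1):
        t = verifier_time + step * period
        if t >= 0 and hmac.compare_digest(code, totp(key, t)):
            return True
    return False


if __name__ == "__main__":
    server_now = 1111111111
    for drift in (0, -2, 300):  # device clock offset in seconds
        code = totp(RFC_KEY, server_now + drift)
        ok = accepted_by_verifier(RFC_KEY, code, server_now)
        print(f"device drift {drift:+4d}s -> code {code} accepted={ok}")
```

A bare secret pasted into the **Authenticator key** field goes through the same path with the default parameters.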
## Support for more parameters

By default, Bitwarden will generate six-digit TOTPs using SHA-1 and rotate them every 30 seconds, however some websites or services will expect different parameters. Parameters can be customized in Bitwarden by manually editing the `otpauth://totp/` URI for your vault item.

| **Parameter** | **Description** | **Values** | **Sample Query** |
|------|------|------|------|
| Algorithm | Cryptographic algorithm used to generate TOTPs. | sha1, sha256, sha512, otpauth | `algorithm=sha256` |
| Digits | Number of digits in the generated TOTP. | 1-10 | `digits=8` |
| Period | Number of seconds with which to rotate the TOTP. | Must be > 0 | `period=60` |

For example:

```
otpauth://totp/Test:me?secret=JBSWY3DPEHPK3PXP&algorithm=sha256&digits=8&period=60
```

Learn more about using `otpauth://` URIs [here](https://github.com/google/google-authenticator/wiki/Key-Uri-Format).

## Set a default on iOS

iOS users running iOS 16+ can set any application as the default for storing verification codes when scanning codes directly from the camera app, including [Bitwarden Authenticator](https://bitwarden.com/help/bitwarden-authenticator/) and Password Manager [integrated authentication](https://bitwarden.com/help/integrated-authenticator/). To set this up:

1. Open the iOS **Settings** app on your device.
2. Tap **General**.
3. Tap **AutoFill & Passwords**.
4. In the **Verification Codes** section, choose an app from the **Set Up Codes In** dropdown.

## Azure and Office 365

By default, Microsoft Azure and Office 365 accounts expect the use of Microsoft Authenticator for TOTPs. If you want to use Bitwarden Password Manager integrated authentication to generate TOTPs for your Microsoft Azure or Office 365 accounts, you'll need to complete the following steps:

1. In Microsoft, navigate to your account settings page. Depending on whether yours is a personal or business account, this may be `account.microsoft.com` or `myaccount.microsoft.com`.
2. Depending on whether yours is a personal or business account, open your **Security dashboard** or select **Security info**. If you're going through the **Security dashboard**, you'll need to also select **Two-step verification** from that screen.

   ![Turn on 2FA](https://bitwarden.com/assets/4x8LX6bcktyPDnQhPvSLOz/7903ba57aeb75b15e83562841136a16b/Screen_Shot_2023-02-23_at_10.24.27_AM.png)
3. Select either the Two-step verification **Turn on** button or **Add sign-in method** button and choose Authenticator app from the dropdown.
4. During the setup procedure, you'll see a dropdown menu for the verification method. Select **Authenticator App** or **An app**.
5. Proceed until you see a blue "different authenticator app" hyperlink. Select the hyperlink when you see it.
6. Continue until you see a QR code, at which point you can follow the normal instructions [here](https://bitwarden.com/help/authenticator-keys/#scan-a-qr-code/).

## Steam Guard TOTPs

The Bitwarden Authenticator (TOTP) can be used as an alternative means of TOTP generation for Steam using a `steam://` prefix followed by your secret key.

Generated `steam://` TOTPs are by default alphanumeric and five digits, as opposed to traditional six-digit numeric TOTPs.

> [!NOTE] Steam app auth
> To use this functionality, you will need to manually extract your Steam account's secret using a third-party tool. There are tools such as [SteamTimeIdler](https://github.com/SteamTimeIdler/stidler/wiki/Getting-your-%27shared_secret%27-code-for-use-with-Auto-Restarter-on-Mobile-Authentication#getting-shared-secret-from-ios-windows) that can help you accomplish this, however such **extraction tools are not officially supported by Bitwarden or Steam**. Use these tools at your own risk.

--- URL: https://bitwarden.com/help/invoked-crypto-libraries/ ---

# Invoked Crypto Libraries

Bitwarden does not implement any cryptographic primitives.
Bitwarden only uses cryptographic primitives from popular and reputable crypto libraries that are written and maintained by cryptography experts. The following crypto libraries are used:

- JavaScript:
  - [Web crypto](https://www.w3.org/TR/WebCryptoAPI/)
  - [Node.js crypto](https://nodejs.org/api/crypto.html)
  - [Forge](https://github.com/digitalbazaar/forge)
  - [Argon2](https://github.com/antelle/argon2-browser)
- Rust Crates:
  - [RustCrypto](https://github.com/rustcrypto)
  - [curve25519-dalek](https://github.com/dalek-cryptography/curve25519-dalek)
  - [rust-random](https://github.com/rust-random/)
  - [rustls](https://github.com/rustls/rustls)

--- URL: https://bitwarden.com/help/is-bitwarden-audited/ ---

# Compliance, Audits, and Certifications

Bitwarden is a global company with customers located all over the world. Our business is to help customers protect, store, and share their sensitive data. We prioritize protecting the personal data of our customers and their end-users as paramount to our company mission.

Bitwarden complies with industry standards, and conducts comprehensive annual audits that are shared transparently with our customers and users. Our open source approach puts us in a unique position, where our software is viewed and scrutinized by a globally engaged community.

## Privacy

For our privacy policy, visit [bitwarden.com/privacy](https://bitwarden.com/privacy/).

### GDPR

Bitwarden is GDPR compliant. We use applicable, approved information transfer mechanisms where required, such as EU Standard Contractual Clauses (SCCs), or the EU - U.S. Data Privacy Framework.

Bitwarden uses Standard Contractual Clauses pursuant to Regulation (EU) 2016/679 of the European Parliament and the Council approved by European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, as currently set out at [https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj](https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj).
### CCPA

Bitwarden is compliant with the California Consumer Privacy Act (CCPA).

### Data Privacy Framework (DPF)

Bitwarden complies with the Data Privacy Framework (DPF), previously called Privacy Shield, which defines the safe transfer of personal data

### HIPAA

Bitwarden is HIPAA compliant and annually undergoes a third-party audit for HIPAA Security Rule compliance.

### ISO 27001

Bitwarden is ISO 27001 certified and in compliance with ISO 27001 control sets surrounding data security. For more information, please contact your Account Executive.

## Third party security audits

Bitwarden regularly conducts comprehensive third-party security audits with notable security firms. These annual audits include source code assessments and penetration testing across Bitwarden IPs, servers, and web applications.

### 2024 Bitwarden Marketing Website Security Assessment

Bitwarden completed a dedicated audit of the Bitwarden marketing website by security firm Paragon Initiative Enterprises (PIE). [Read the report.](https://bitwarden.com/assets/3alBclinYuMVZ9erf1tuhM/59d4a7a3e5f3268fa59747bd86f8cba7/2024_Bitwarden_Marketing_Website_Security_Report.pdf)

### 2024 Bitwarden Mobile App Security Assessment

Bitwarden completed a dedicated audit of the Bitwarden mobile and mobile authenticator applications by security firm Mandiant. [Read the report.](https://bitwarden.com/assets/5xEFYurTu7zhrlKg8dM9Wr/943d125e789b1c4eebc7b29ad6fb9b1a/2024_Bitwarden_Mobile_App_Security_Report.pdf)

### 2024 Web App and Network Security Assessment

Bitwarden completed a dedicated source code audit and penetration test of the web app and related network components by security firm Fracture Labs.
[Read the report.](https://bitwarden.com/assets/7MlQ3dJr20zEwA2FIDlPET/6d7cf890c21a75d5e8246df1b79b8d2f/2024_Bitwarden_Web_App_and_Network_Security_Report.pdf)

### 2024 Mobile Apps and SDK Security Assessment

Bitwarden completed a dedicated source code audit and penetration test of the mobile apps and SDK by security firm Cure53. [Read the report.](https://bitwarden.com/assets/bEfNZ6r3BJ9ehwNfAqw6C/4020b6eb762e0b6051a40638f45269d9/2024_Bitwarden_Mobile_Apps_and_SDK_Report.pdf)

### 2023 Bitwarden Web App Security Assessment Report

Bitwarden completed a dedicated source code audit and penetration test of the web app by security firm Cure53. [Read the report](https://bitwarden.com/assets/5AyZwIfhKkwuQjXGvJ2e3l/488c8a8466deead9c306d4df9db08cdc/2023_Bitwarden_Web_App_Security_Assessment_Report.pdf).

### 2023 Bitwarden Desktop App Security Assessment Report

Bitwarden completed a dedicated source code audit and penetration test of the desktop app by security firm Cure53. [Read the report](https://bitwarden.com/assets/6m0rD5aBvmE7LtOGJrpYdP/199f548d2dd29fd120099cf0c64d5bd1/2023_Bitwarden_Electron_Desktop_App_Security_Assessment_Report.pdf).

### 2023 Bitwarden Core App & Library Security Assessment Report

Bitwarden completed a dedicated source code audit and penetration test of the core application and library by security firm Cure53. [Read the report](https://bitwarden.com/assets/3OA3ul8mM744GI2Ap0OhgW/564008ab586c81f76d1e5560be942bd9/2023_Bitwarden_Core_App___Library_Security_Assessment_Report.pdf).

### 2023 Bitwarden Browser Extension Security Assessment Report

Bitwarden completed a dedicated source code audit and penetration test of the browser extension by security firm Cure53. [Read the report](https://bitwarden.com/assets/4X0rKCkFkWcPg86PUV3cRn/7277e4651464e0a8efd21d9fcf83d296/2023_Bitwarden_Browser_Extension_Security_Assessment_Report.pdf).
### 2023 Network Security Assessment

Bitwarden completed a network security assessment and penetration test by security firm Cure53. [Read the report](https://bitwarden.com/assets/6E4JwsHCseBSHlTsXc8ecR/b39a63ebcd7f51683463c4e4d9838d37/bitwarden-2023-network-security-assessment-report.pdf).

### 2022 Security Assessment

Bitwarden completed a dedicated source code audit and penetration test by security firm Cure53. [Read the report](https://bitwarden.com/assets/4eMmA16Zz9MACTHOexlxx0/05f3ed75c04f7d6e086479279d82c733/2022_Bitwarden_Security_Assessment_Report.pdf).

### SOC 2 Type 2 and SOC 3

Bitwarden has completed [SOC Type 2 and SOC 3 compliance](https://bitwarden.com/compliance/#third-party-security-audits/). For more information, see the blog post [Bitwarden achieves SOC 2 certification](https://bitwarden.com/blog/bitwarden-achieves-soc-2-certification/).

### 2022 Network Security Assessment

Bitwarden completed a network security assessment and penetration test by security firm Cure53. [Read the report](https://bitwarden.com/assets/2otFuNRCjJzAoZRsueaN89/cca35829e6dcc09edc246c5de99f6abd/2022_Bitwarden_Network_Security_Assessment_Report.pdf).

### 2021 Network Security Assessment

Bitwarden completed a thorough network security assessment and penetration test by auditing firm [Insight Risk Consulting](https://www.insightriskconsulting.com/). [Read the report.](https://bitwarden.com/assets/5UaSjdbvTgTTtzkBpXLLV/e39fc66998b82c4e512855aa291d9dd0/bitwarden-2021-network-security-assessment-report.pdf)

### 2021 Security Assessment

Bitwarden completed a dedicated source code audit and penetration test by the security firm Cure53. [Read the report](https://bitwarden.com/assets/4G0yonTshy2ezRo1R7s6Yl/7ba5bdac721b2ad8d14117c1c6a36b37/2021-bitwarden-security-assessment-report.pdf).

### 2020 Network Security Assessment

Bitwarden completed a thorough security assessment and penetration test by auditing firm [Insight Risk Consulting](https://www.insightriskconsulting.com/).
For more information, please see the blog post [Bitwarden 2020 Security Audit is Complete](https://bitwarden.com/blog/bitwarden-network-security-assessment-2020/). [Read the report](https://cdn.bitwarden.com/misc/Bitwarden%20Network%20Security%20Assessment%20Report%20-%202020.pdf).

### 2018 Security Assessment

Bitwarden completed a thorough security audit and cryptographic analysis by security firm [Cure53](https://cure53.de/). For more information, please see the blog post [Bitwarden Completes Third-party Security Audit](https://bitwarden.com/blog/third-party-security-audit/). [Read the report](https://cdn.bitwarden.net/misc/Bitwarden%20Security%20Assessment%20Report.pdf).

## Open source codebase

### Codebase on GitHub

Bitwarden is focused on open source software with the entirety of the codebase available on github.com. See our codebase at [github.com/bitwarden](https://github.com/bitwarden), or learn more on [our open source page](https://bitwarden.com/open-source/).

### Licensing

Source code in Bitwarden repositories is covered by one of two licenses, the [GNU Affero General Public License (AGPL) v3.0](https://github.com/bitwarden/server/blob/master/LICENSE_AGPL.txt) and the [Bitwarden License v1.0](https://github.com/bitwarden/server/blob/master/LICENSE_BITWARDEN.txt). Refer to these links to learn more about what is included in and permitted by each license.

## Cloud hosting

The Bitwarden cloud service is hosted on Microsoft Azure. Please visit [Microsoft Azure Compliance Offerings](https://azure.microsoft.com/en-us/resources/microsoft-azure-compliance-offerings/) for more detail.

## Security information

### Zero knowledge encryption

Bitwarden takes a zero knowledge encryption approach to password management, meaning every piece of information in your vault is encrypted.
For more information on this approach, please see the blog post [How End-to-End Encryption Paves the Way for Zero Knowledge](https://bitwarden.com/blog/end-to-end-encryption-and-zero-knowledge/).

### Vault security in Bitwarden

For more information on how Bitwarden vaults are protected, including options for Bitwarden client applications, please see the blog post [Vault Security in the Bitwarden Password Manager](https://bitwarden.com/blog/vault-security-bitwarden-password-manager/).

### Bug bounty program

Bitwarden also interacts with independent security researchers through our private bug bounty program on [HackerOne](https://hackerone.com/bitwarden/).

--- URL: https://bitwarden.com/help/jit-provisioning/ ---

# JIT Provisioning

Enterprise organizations using [SSO](https://bitwarden.com/help/about-sso/) support Just-In-Time (JIT) provisioning of members. No extra configuration, beyond the SAML or OIDC setup processes documented in the **SSO Guides**, is required to support JIT.

## Recommended JIT strategy

An optimized JIT provisioning strategy can make for one of the simplest signup processes available for your members. As an administrator, help your members join quickly and easily by noting the following:

- **Do** issue email invitations to members with [SCIM](https://bitwarden.com/help/about-scim/), with [Directory Connector](https://bitwarden.com/help/directory-sync/), or [manually](https://bitwarden.com/help/managing-users/#confirm/).
  - An added benefit of using SCIM or Directory Connector is that [groups and group membership](https://bitwarden.com/help/about-groups/) can be synced to your organization, which JIT on its own does not support, automatically assigning members to groups for streamlined [collection assignment](https://bitwarden.com/help/assign-users-to-collections/).
- **Do not** allow members to preemptively create Bitwarden accounts before being invited to the organization.

> [!TIP] Why is this the best JIT strategy?
> Invitation-initiated JIT provisioning of new accounts bypasses a few steps that admins or members might otherwise need to take (see **Non-standard signup**). This strategy also ensures that members who should not have master passwords, as a result of a [trusted devices](https://bitwarden.com/help/about-trusted-devices/) or [Key Connector](https://bitwarden.com/help/about-key-connector/) implementation, will not have one set on their accounts. ### Member signup process Members provisioned with the **Recommended JIT strategy** will only need to: 1. Select the **Finish account setup**button contained in the organization invitation email. 2. When prompted, log in to their IdP with their SSO credentials. If they have an active session with the IdP, this step is skipped. 3. Depending on your organization's chosen [decryption method](https://bitwarden.com/help/sso-decryption-options/): - If **master password decryption**, create a master password. - If **trusted device decryption**, choose whether to remember the device. Once complete, members will be moved to the `Accepted` state. At that time, they will need to be [confirmed](https://bitwarden.com/help/managing-users/#confirm/) by an administrator. ### Non-standard signup In cases that deviate from the **Recommended JIT strategy**, the signup process for members will be somewhat different: ### No invitations sent In cases where invitations were not sent to members, the organization can still be joined with relative ease. Instruct members to follow [these instructions](https://bitwarden.com/help/using-sso/), unless they need to join with a pre-existing Bitwarden account, in which case refer to the **Pre-existing account** tab. > [!TIP] Unless Claimed Domains, admin must provide SSO Identifier. > Unless your organization has already [claimed a domain](https://bitwarden.com/help/claimed-domains/), an administrator will need to provide the [SSO identifier](https://bitwarden.com/help/sso-faqs/#configuration/) to members. 
They'll need to enter it during the signup process. ### Pre-existing account > [!WARNING] This user will have a master password. > A member who needs to follow this process, unlike a member who follows the standard **Member signup process** for an organization that uses [trusted device decryption](https://bitwarden.com/help/about-trusted-devices/), will have a master password set on their account. If it is required that organization members do not have master passwords, instruct the user to: > > 1. Export data from the pre-existing account. > 2. Delete the pre-existing account. > 3. JIT provision a new Bitwarden account following the standard **Member signup process**. > 4. Import data from the pre-existing account to the new one. In cases where the member needs to join the organization with a pre-existing Bitwarden account: 1. As an administrator, issue an email invitation to the email address associated with the member's Bitwarden account. This member won't be able to join your organization unless through an email invitation. 2. Instruct the user **Accept Invitation** and, on the log in screen the invitation leads to, to log in with their master password. This member won't be able to use SSO until they're confirmed to the organization, even if the [Require single sign-on authentication](https://bitwarden.com/help/policies/#require-single-sign-on-authentication/) policy is activated. 3. Once confirmed, the member can use SSO to log in and, if the [Require single sign-on authentication](https://bitwarden.com/help/policies/#require-single-sign-on-authentication/) policy is activated, will be required to do so. --- URL: https://bitwarden.com/help/jumpcloud-scim-integration/ --- # JumpCloud SCIM Integration System for cross-domain identity management (SCIM) can be used to automatically provision and de-provision members and groups in your Bitwarden organization. > [!NOTE] SCIM vs. BWDC > SCIM integrations are available for **Teams and Enterprise organizations**. 
Customers not using a SCIM-compatible identity provider may consider using [Directory Sync](https://bitwarden.com/help/directory-sync/) as an alternative means of provisioning. This article will help you configure a SCIM integration with JumpCloud. Configuration involves working simultaneously with the Bitwarden web vault and JumpCloud Portal. As you proceed, we recommend having both readily available and completing steps in the order they are documented. ## Enable SCIM > [!NOTE] Self-hosting SCIM > **Are you self-hosting Bitwarden?** If so, complete [these steps to enable SCIM for your server](https://bitwarden.com/help/self-hosting-scim/) before proceeding. To start your SCIM integration, open the Admin Console and navigate to **Settings**→ **SCIM provisioning**: ![SCIM provisioning](https://bitwarden.com/assets/6sw1kuK7GuZ3dfQkkbs6rV/a4f4e18e561733297338e4ed44c6ed8c/2024-12-03_15-25-46.png) Select the **Enable SCIM**checkbox and take note of your **SCIM URL**and **SCIM API Key**. You will need to use both values in a later step. ## Create a JumpCloud app > [!TIP] SCIM if SSO already exists (JumpCloud). > If you are already using this IdP for login with SSO, open that existing application and [skip to this step](https://bitwarden.com/help/jumpcloud-scim-integration/#identity-management/). Otherwise, proceed with this section to create a new application. In the JumpCloud Portal, select **Applications** from the menu and select the **Get Started** button: ![Create Bitwarden app Jumpcloud](https://bitwarden.com/assets/63S5F953fjQN6V4xYKZR3h/515abac11c991e20cf8d5286e1b80a1d/Screen_Shot_2023-02-07_at_10.49.15_AM__2_.png) Enter `Bitwarden` in the search box and select the **configure**button: ![Configure Bitwarden ](https://bitwarden.com/assets/2pFRcBTjlIjBhMbqlKMhxb/b80b23ecfd660d5c314028297c606879/jc-bw.png) ### General info In the **General Info**tab, give the application a Bitwarden-specific name. 
### SSO If you plan on using JumpCloud for single sign-on, select the **SSO** tab and setup SSO with [these instructions](https://bitwarden.com/help/saml-jumpcloud/). When you are done, or if you are skipping SSO for now, select the **activate**button and complete the confirmation modal. ### Identity management Re-open the application and navigate to the **Identity Management**tab. Expand the **Configuration Settings**box and enter the following information: | **Field** | **Description** | |------|------| | Base URL | Enter the SCIM URL ([learn more](https://bitwarden.com/help/jumpcloud-scim-integration/#enable-scim-in-the-web-vault/)). | | Token Key | Enter the SCIM API Key ([learn more](https://bitwarden.com/help/jumpcloud-scim-integration/#enable-scim-in-the-web-vault/)). | Once you have configured these fields, select the **Activate** button. Once the test comes back successfully, select **Save**. ### User groups In the **User Groups**tab, select the Groups you would like to provision in Bitwarden. Once you select the **Save**button, provisioning according to this specification will begin immediately. ![Select User Groups](https://bitwarden.com/assets/55RivcAbqDxw0CZ18jpg4J/3f894e05b1448cd0ad5e6383a4ce0422/Screen_Shot_2022-07-19_at_12.01.57_PM.png) ## Finish User Onboarding Now that your users have been provisioned, they will receive invitations to join the organization. Instruct your users to [accept the invitation](https://bitwarden.com/help/managing-users/#accept/) and, once they have, [confirm them to the organization](https://bitwarden.com/help/managing-users/#confirm/). > [!NOTE] Invite/Accept/Confirm > The Invite → Accept → Confirm workflow facilitates the decryption key handshake that allows users to securely access organization vault data. ## Appendix ### User attribute mapping Bitwarden uses standard SCIM v2 property names, however these may differ from JumpCloud property names. 
Bitwarden will use the following properties for each user:

| **Bitwarden Attribute** | **JumpCloud Default Property** |
|------|------|
| `active` | `!suspended && !passwordExpired` |
| `emails`ª | `email` |
| `displayName` | `displayName` |

ª - Because SCIM allows users to have multiple email addresses expressed as an array of objects, Bitwarden will use the `value` of the object which contains `"primary": true`.

### Group attribute mapping

Bitwarden will use the following properties for each group:

| **Bitwarden Attribute** | **JumpCloud Default Property** |
|------|------|
| `displayName` | `displayName` |
| `members`ª | `members` |

ª - Memberships are sent to Bitwarden as an array of objects, each of which represents a user who is a member of that group.

--- URL: https://bitwarden.com/help/kdf-algorithms/ ---

# Encryption Key Derivation

Bitwarden first uses Key Derivation Functions (KDFs) on account creation to derive a master key for the account from the input master password, which acts as input for a master password hash for the account ([learn more](https://bitwarden.com/help/bitwarden-security-white-paper/#overview-of-the-master-password-hashing,-key-derivation,-and-encryption-process/)). Whenever a user is authenticated, for example when unlocking a vault or satisfying [master password re-prompt](https://bitwarden.com/help/managing-items/#protect-individual-items/), the process is repeated so that the newly-derived hash can be compared to the originally-derived hash. If they match, the user is authenticated.

KDFs are used in this capacity to frustrate brute-force or dictionary attacks against a master password. KDFs force an attacker's machines to compute a non-trivial number of hashes for each password guess, at increasing cost to the attacker.

Two KDF algorithms are currently available for use in Bitwarden for password derivation: **PBKDF2** and **Argon2**.
Each algorithm has a selection of options available which can be used to increase the time and expense, or "work factor", imposed on the attacker.

## PBKDF2

Password-Based Key Derivation Function 2 (PBKDF2) is [recommended by NIST](https://pages.nist.gov/800-63-3/sp800-63b.html#memsecretver) and, as implemented by Bitwarden, satisfies FIPS-140 requirements so long as default values are not changed.

PBKDF2, as implemented by Bitwarden, works by salting your master password with your username and running the resultant value through a one-way hash algorithm (HMAC-SHA-256) to create a fixed-length hash. This value is again salted with your username and hashed a configurable number of times (**KDF iterations**). The resultant value after all iterations is your master key, which acts as input for the master password hash used to authenticate that user whenever they log in ([learn more](https://bitwarden.com/help/bitwarden-security-white-paper/#overview-of-the-master-password-hashing,-key-derivation,-and-encryption-process/)).

> [!NOTE] Additional iterations beyond configuration
> Bitwarden performs additional iterations beyond what is configured between the client and the server. The master password hash has a total default of 700,000 iterations. See the [Bitwarden Security Whitepaper](https://bitwarden.com/help/bitwarden-security-white-paper/) for more details.

By default, Bitwarden is set to iterate 600,000 times, as [recommended by OWASP](https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#pbkdf2) for HMAC-SHA-256 implementations. So long as the user does not set this value lower, the implementation is FIPS-140 compliant, but here are some tips should you choose to change your settings:

- More KDF iterations will increase **both** the time it will take an attacker to crack a password **and** the time it will take a legitimate user to log in.
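The derivation and the cost trade-off described in this section, as an added Python example (not Bitwarden's own code): it derives a key with PBKDF2-HMAC-SHA-256 salted with the username and measures how the cost of one guess grows with **KDF iterations**. The trimmed, lower-cased salt, the direct key comparison in `verify`, the function names, and the sample password and address are assumptions made for illustration.

```python
import hashlib
import hmac
import time

DEFAULT_ITERATIONS = 600_000  # default iteration count stated on this page
KEY_LEN = 32                  # bytes produced by HMAC-SHA-256


def derive_master_key(master_password: str, username: str,
                      iterations: int = DEFAULT_ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA-256 over the master password, salted with the username."""
    if iterations < 1:
        raise ValueError("iterations must be a positive integer")
    # Assumption: the username is trimmed and lower-cased before use as the
    # salt, so one account always derives the same key.
    salt = username.strip().lower().encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=KEY_LEN)


def verify(master_password: str, username: str, iterations: int,
           stored_key: bytes) -> bool:
    """Repeat the derivation and compare the result with the stored value.

    Simplification: this compares derived keys directly instead of a further
    hash of the key. The comparison is constant-time.
    """
    candidate = derive_master_key(master_password, username, iterations)
    return hmac.compare_digest(candidate, stored_key)


def seconds_per_guess(iterations: int, samples: int = 1) -> float:
    """Best-of-N wall-clock time for a single derivation on this machine."""
    best = float("inf")
    for _ in range(samples):
        start = time.perf_counter()
        # Constructed sample credentials, used only for timing.
        derive_master_key("constructed-sample-password", "user@example.com",
                          iterations)
        best = min(best, time.perf_counter() - start)
    return best


def work_factor_table(start: int = 100_000, stop: int = 600_000,
                      step: int = 100_000):
    """Rows of (iterations, seconds per guess, guesses per day on one core).

    The same cost is paid by a legitimate login and by each attacker guess,
    which is why the value is raised in steps and tested on slow devices.
    """
    rows = []
    for iterations in range(start, stop + 1, step):
        seconds = seconds_per_guess(iterations)
        rows.append((iterations, seconds, 86_400 / seconds))
    return rows


if __name__ == "__main__":
    key = derive_master_key("constructed-sample-password", "User@Example.com")
    print("master key:", key.hex())
    print("verify ok :", verify("constructed-sample-password",
                                "user@example.com", DEFAULT_ITERATIONS, key))
    for iterations, seconds, per_day in work_factor_table():
        print(f"{iterations:>7} iterations  {seconds * 1000:8.1f} ms/guess  "
              f"{per_day:12.0f} guesses/day/core")
```

The timings are those of the machine the script runs on; dedicated cracking hardware is faster, so the guesses-per-day column is only a relative measure between iteration counts.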
## Argon2id

Argon2, the winner of the 2015 [Password Hashing Competition](https://www.password-hashing.net/), is available as an alternative to [PBKDF2](https://bitwarden.com/help/kdf-algorithms/#pbkdf2/). There are three versions of the algorithm, and Bitwarden has implemented Argon2id [as recommended by OWASP](https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html). Argon2id is a hybrid of other versions, using a combination of data-dependent and data-independent memory accesses, which gives it some of Argon2i's resistance to side-channel cache timing attacks and much of Argon2d's resistance to GPU cracking attacks ([source](https://github.com/p-h-c/phc-winner-argon2)).

Argon2, as implemented by Bitwarden, works by salting your master password with your username and running the resultant value through a one-way hash algorithm (BLAKE2b) to create a fixed-length hash. Argon2 then allocates a portion of memory (**KDF memory**) and fills it with the computed hash until full. This is repeated, starting in the subsequent portion of memory where it left off in the first, a number of times iteratively (**KDF iterations**) across a number of threads (**KDF parallelism**). The resultant value after all iterations is your master key, which acts as input for the master password hash used to authenticate that user whenever they log in ([learn more](https://bitwarden.com/help/bitwarden-security-white-paper/#overview-of-the-master-password-hashing,-key-derivation,-and-encryption-process/)).

By default, Bitwarden is set to allocate 64 MiB of memory, iterate over it 3 times, and do so across 4 threads. These defaults are above [current OWASP recommendations](https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#introduction), but here are some tips should you choose to change your settings:

- Increasing **KDF iterations** will increase running time linearly.
- The amount of **KDF parallelism** you can use depends on your machine's CPU. Generally, Max. Parallelism = Num. of Cores x 2. > [!NOTE] Argon2id iOS autofill message > Argon2id users with a KDF memory value higher than 64 MiB will receive a warning dialogue every time iOS autofill is initiated or a new Send is created through the Share sheet. To avoid this message, adjust Argon2id settings or enable [unlock with biometrics](https://bitwarden.com/help/biometrics/#enable-unlock-with-biometrics/). ## Changing KDF algorithms To change your KDF algorithm, navigate to the **Settings**→ **Security** → **Keys** page of the web vault. Changing the algorithm will re-encrypt the protected symmetric key and update the authentication hash, much like a normal master password change, but will not rotate the symmetric encryption key so vault data will not be re-encrypted. See [here](https://bitwarden.com/help/account-encryption-key/) for information on re-encrypting your data. Setting your KDF iterations too high could result in poor performance when logging into and unlocking Bitwarden on devices with slower CPUs. We recommend increasing the value in increments of 100,000, and then testing on all of your devices. > [!NOTE] Warning before changing KDF > Before making **any** changes to encryption settings, it is recommended that you backup your individual vault data first. See [Export Vault Data](https://bitwarden.com/help/export-your-data/) for more information. ### Low KDF iterations In the [2023.2.0 release](https://bitwarden.com/help/releasenotes/#2023-2-0/), Bitwarden increased the default number of KDF iterations for accounts using the [PBKDF2](https://bitwarden.com/help/kdf-algorithms/#pbkdf2/) algorithm to 600,000, in accordance with updated OWASP guidelines. This strengthens vault encryption against hackers armed with increasingly powerful devices. 
If you are using the PBKDF2 algorithm and have KDF iterations set below 600,000, **you'll receive a warning message encouraging you to increase your KDF settings**. If you see this message, select the **Update KDF settings** button and either increase your PBKDF2 iterations to at least 600,000, or change your KDF algorithm to [Argon2id](https://bitwarden.com/help/kdf-algorithms/#argon2id/) with default settings. When you save these changes, you'll be logged out of all clients, so be sure that you know your master password and that your two-step login method is accessible.

Changing the iteration count can help protect your master password from being brute forced by an attacker, but it should not be viewed as a substitute for using a strong master password in the first place. A strong master password is always the first and best line of defense for your Bitwarden account.

### HKDF

HKDF is an HMAC-based KDF specified in [RFC 5869](https://datatracker.ietf.org/doc/html/rfc5869) that is widely used in the industry and recommended by NIST in [SP 800-56](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Cr2.pdf). Bitwarden uses HKDF in order to derive encryption keys from non-password material, such as other keys or cryptographically randomly generated material.

--- URL: https://bitwarden.com/help/kerberos-integration/ ---

# Kerberos Integration

Kerberos integrated authentication allows Bitwarden users to use integrated AD authentication with external MSSQL databases.

> [!NOTE] Prereq Keytab file
> This guide assumes that you have already exported the required keytab file that will be used on the Bitwarden server to authenticate to the domain.

## Keytab File

An exported `keytab` file is used by the Bitwarden server to authenticate to the domain.

1. From the Windows Domain controller, enter the following code example (this may vary depending on your requirements):

   ```plain text
   ktpass /princ bitwarden@ /mapuser "bitwarden" /pass super_secure_password_here /out bitwarden.keytab /crypto all /ptype KRB5_NT_PRINCIPAL /mapop set
   ```

2. Once the file has been generated, copy the file to the Bitwarden server location in the next section.

## Bitwarden Configuration

Next, create the Bitwarden configuration:

1. Create the Kerberos directory:

   ```plain text
   mkdir /opt/bitwarden/bwdata/kerberos
   ```

2. Place the two files in this directory:
   1. The `keytab` file generated in the previous section
   2. The `krb5.conf` file (example below)
3. Create the `krb5.conf` file:

   ```plain text
   nano /opt/bitwarden/bwdata/kerberos/krb5.conf
   ```

[Here](https://bitwarden.com/assets/dfAMaYL2JmdC3j0i4ZTPO/304e3d038d3a9c8cd1cbdd505c57d7c0/Generic_example) is an example file. [Here](https://bitwarden.com/assets/6TdaNaNKfcxcmIc0PfBipR/74364f58e11b12f59e4aff49c3899db4/TEST) is an example TEST file. Check that these values match your own and that the `kdc` and `admin_server` are accessible from the Bitwarden server.

> [!NOTE] Keytab file renewal
> The ticket lifetime and renewal values are set in the `krb5.conf` file using the `ticket_lifetime` and `renew_lifetime` variables. If both the ticket lifetime and ticket renewal expire, you will be unable to re-authenticate the ticket. For additional information, see the [Kerberos documentation](https://web.mit.edu/kerberos/krb5-1.12/doc/admin/conf_files/krb5_conf.html).

## Update Bitwarden

#### global.override.env

In order to update Bitwarden, an additional environment variable will have to be added to the `global.override.env` file.

1. Access `global.override.env`:

   ```plain text
   nano ~/global.override.env
   ```

2. Add the following variable to `global.override.env`:

   ```plain text
   globalSettings__kerberosUser=bitwarden
   ```

> [!NOTE] Kerberos user global env
> This variable should be the AD user used to authenticate with the domain, and should match your domain user.

#### SQL connection string

Replace the SQL connection string to point to the external DB and use the integrated authentication. Change your SQL server `hostname` and `database` name:

```plain text
globalSettings__sqlServer__connectionString="Data Source=tcp:example-sql-server.example.domain,1433;Initial Catalog=vault;Persist Security Info=False;Integrated Security=true;Multiple Active Result Sets=False;Connect Timeout=30;Encrypt=True;Trust Server Certificate=True"
```

#### Docker updates

Once the previous setup steps have been completed, the configuration file should exist on your host OS. Next, modify Bitwarden's Docker Compose configuration to add an additional volume mount to the relevant containers. This will ensure that the configuration is retained following updates and changes to the main docker-compose file. Compose provides an `override` file that will merge your local changes to the standard Bitwarden configuration.

1. Create the override file:

   ```plain text
   nano /opt/bitwarden/bwdata/docker/docker-compose.override.yml
   ```

2. Include the following contents for a standard configuration:

   ```plain text
   services:
     admin:
       volumes:
         - ../kerberos:/etc/bitwarden/kerberos
     sso:
       volumes:
         - ../kerberos:/etc/bitwarden/kerberos
     identity:
       volumes:
         - ../kerberos:/etc/bitwarden/kerberos
     api:
       volumes:
         - ../kerberos:/etc/bitwarden/kerberos
     events:
       volumes:
         - ../kerberos:/etc/bitwarden/kerberos
   ```

3. If using SCIM, you will also have to include:

   ```plain text
     scim:
       volumes:
         - ../kerberos:/etc/bitwarden/kerberos
   ```

4. Once completed, save the file.

## Starting Bitwarden

Once setup has been completed, you may start Bitwarden.
Restart the Bitwarden containers following the setup if you have not yet:

```plain text
./bitwarden restart
```

The `admin` container will populate your new external MSSQL database. If you stored any information in the built-in `mssql` container, you will be required to migrate it to the new external database, with either database backup and restore, or export/import.

--- URL: https://bitwarden.com/help/keyboard-shortcuts/ ---

# Keyboard Shortcuts

Keyboard shortcuts can speed up common tasks in Bitwarden, like [autofilling logins](https://bitwarden.com/help/auto-fill-browser/) and saving new items. They help you navigate more efficiently and provide a vital alternative to using a mouse.

## Browser extension shortcuts

These shortcuts allow you to use the Bitwarden browser extension with your keyboard. If they don't work, you may need to [update your browser's shortcut settings](https://bitwarden.com/help/keyboard-shortcuts/#customize-browser-extension-shortcuts/).

### General

| To do this | Press |
|------|------|
| Activate the extension. | `Ctrl/Cmd` + `Shift` + `Y` |
| Generate a password and copy it to the clipboard. | `Ctrl/Cmd` + `Shift` + `9` |
| Lock the vault. | `Ctrl/Cmd` + `Shift` + `N` |

### Autofill

You can use a [keyboard shortcut to autofill credentials](https://bitwarden.com/help/auto-fill-browser/#keyboard-shortcuts/) into websites. The autofill shortcut works when username and password fields appear together on one page and separately in split login workflows.

| To do this | Press |
|------|------|
| Autofill the last used login for the current website. | `Ctrl/Cmd` + `Shift` + `L` Press again to cycle through multiple matches. |
| Autofill the last used card. | [Create a keyboard shortcut.](https://bitwarden.com/help/auto-fill-card-id/#using-keyboard-shortcuts/) |
| Autofill the last used identity.
| [Create a keyboard shortcut.](https://bitwarden.com/help/auto-fill-card-id/#using-keyboard-shortcuts/) | > [!TIP] Authenticator keyboard shortcut > If the login uses the [Bitwarden authenticator](https://bitwarden.com/help/integrated-authenticator/) for TOTPs and you use the autofill shortcut, the TOTP is automatically copied to the clipboard after autofill. Press `Cmd/Ctrl` + `V` to paste the TOTP. ### Customize browser extension shortcuts Some browsers, including Microsoft Edge and Safari, use default shortcuts that overlap with the Bitwarden shortcuts. To fix this, adjust your browser's default shortcuts to allow the Bitwarden ones to function as intended. The steps vary by browser: - **Chromium-based browsers, including Chrome, Edge, Vivaldi, and Brave**: Go to the browser settings page, like `chrome://extensions/shortcuts` or `edge://extensions/shortcuts` to change the shortcuts that conflict or apply a new one. - **Safari**: Update the [Mac keyboard shortcuts](https://support.apple.com/en-ca/guide/mac-help/mchlp2271/mac). You may need to reassign the shortcut for Show/Hide Sidebar so the [autofill shortcut](https://bitwarden.com/help/keyboard-shortcuts/#autofill/) works. - **Firefox**: Update the [shortcut settings for extensions](https://support.mozilla.org/en-US/kb/manage-extension-shortcuts-firefox). ## Desktop app shortcuts Use the following keyboard shortcuts to navigate the Bitwarden desktop app with your keyboard. ### General | To do this | Press | |------|------| | Lock the vault. | `Ctrl/Cmd` + `L` | | Open Bitwarden preferences. | `Ctrl/Cmd` + `,` | | Reload the Bitwarden desktop app. | `Ctrl/Cmd` + `Shift` + `R` | | Quit the Bitwarden desktop app. | `Ctrl/Cmd` + `Q` | | Place the cursor in the vault's search box. | `Ctrl/Cmd` + `F` | | Open the [Bitwarden generator](https://bitwarden.com/help/generator/). | `Ctrl/Cmd` + `G` | ### Edit items | To do this | Press | |------|------| | Add a new login. 
| `Ctrl/Cmd` + `N` | | Undo the last action when editing an item. | `Ctrl/Cmd` + `Z` | | Redo the last action from editing an item. | `Ctrl/Cmd` + `Y` | | Select all text in the active field or item. | `Ctrl/Cmd` + `A` | | Cut the selected text and copy it. | `Ctrl/Cmd` + `X` | | Copy the selected text. | `Ctrl/Cmd` + `C` | | Paste the last copied text. | `Ctrl/Cmd` + `V` | | Copy the open item's username. | `Ctrl/Cmd` + `U` | | Copy the open item's password. | `Ctrl/Cmd` + `P` | | Copy the open item's TOTP. | `Ctrl/Cmd` + `T` | ### Adjust display | To do this | Press | |------|------| | Zoom in. | `Ctrl/Cmd` + `=` | | Zoom out. | `Ctrl/Cmd` + `-` | | Reset the zoom level. | `Ctrl/Cmd` + `0` | | Enter full-screen mode. | Windows and Linux: `F11` Mac: `Fn` + `F` | | Open developer mode. | Windows and Linux: `F12` | ### Control window | To do this | Press | |------|------| | Minimize the Bitwarden desktop app. | `Ctrl/Cmd` + `M` | | Hide Bitwarden desktop app in the tray. | `Ctrl/Cmd` + `Shift` + `M` | | Always keep the Bitwarden desktop app on top. | `Ctrl/Cmd` + `Shift` + `T` Press again to undo the action. | | Close the Bitwarden desktop app window. | `Ctrl/Cmd` + `W` | --- URL: https://bitwarden.com/help/kubernetes-service-accounts/ --- # Kubernetes Service Accounts Kubernetes service accounts can be used to apply specific security contexts to specific pods. This can be useful, for example, in scenarios where you need to run your Bitwarden server in rootless mode, as the included SQL container requires elevated permissions. Once you've created and configured your service account with the desired permissions, change any of the pod service account designations (for example, `database.podServiceAccount`) in your `my-values.yaml` file. 
For example, a `my-values.yaml` with `component.admin.podServiceAccount` assigned a service account named `bitwarden-sa` should look like the following:

```bash
component:
  # The Admin component
  admin:
    # Additional deployment labels
    labels: {}
    # Image name, tag, and pull policy
    image:
      name: ghcr.io/bitwarden/admin
    resources:
      requests:
        memory: "64Mi"
        cpu: "50m"
      limits:
        memory: "128Mi"
        cpu: "100m"
    securityContext:
    podServiceAccount: bitwarden-sa
```

Pods that are eligible for service account designation include:

- `component.admin.podServiceAccount`
- `component.api.podServiceAccount`
- `component.attachments.podServiceAccount`
- `component.events.podServiceAccount`
- `component.icons.podServiceAccount`
- `component.identity.podServiceAccount`
- `component.notifications.podServiceAccount`
- `component.scim.podServiceAccount`
- `component.sso.podServiceAccount`
- `component.web.podServiceAccount`
- `database.podServiceAccount`

--- URL: https://bitwarden.com/help/lastpass-enterprise-migration-guide/ ---

# LastPass Enterprise Migration Guide

Migrating your organization to Bitwarden is straightforward and secure. Follow the steps in this guide to migrate data and users from LastPass:

1. [Create and configure your Bitwarden organization](https://bitwarden.com/help/lastpass-enterprise-migration-guide/#step-2-setup-your-organization/).
2. [Import your data into Bitwarden](https://bitwarden.com/help/lastpass-enterprise-migration-guide/#step-3-import-to-your-organization/).
3. [Onboard your users](https://bitwarden.com/help/lastpass-enterprise-migration-guide/#step-4-onboard-users/).
4. [Configure access to collections and vault items](https://bitwarden.com/help/lastpass-enterprise-migration-guide/#step-5-configure-access-to-collections-and-items/).

> [!NOTE] Assistance during migration?
> If you need assistance during your migration, our [Customer Success team is here to help](https://bitwarden.com/contact/)!
## Scope This document describes the best practices for migrating data securely from Lastpass to a Bitwarden [Teams or Enterprise organization](https://bitwarden.com/help/about-organizations/), building an infrastructure for security based on simple and scalable methods. [Password management](https://bitwarden.com/products/business/) is crucial for organizational security and operational efficiency. Providing insight into the best methods to perform migration and configuration is intended to minimize the trial-and-error approach that is often needed when exchanging enterprise tools. Steps in this document **are listed in the recommended order**for ease-of-use and smooth onboarding for users ## Step 1: Setup your organization Bitwarden organizations relate users and vault items together for [secure sharing](https://bitwarden.com/help/sharing/) of logins, notes, cards, and identities. > [!TIP] Import to org instead of to personal. > It's important that you create your organization first and [import data to it directly](https://bitwarden.com/help/import-to-org/), rather than importing the data to an individual account and then [moving items](https://bitwarden.com/help/sharing/) to the organization secondarily. 1. **Create your organization**. Start by creating your organization. To learn how, check out [this article](https://bitwarden.com/help/about-organizations/#create-an-organization/). > [!NOTE] Creating a self-hosted org. > To self-host Bitwarden, create an organization on the Bitwarden cloud, generate a [license key](https://bitwarden.com/host/), and use the key to [unlock organizations](https://bitwarden.com/help/licensing-on-premise/#organization-license/) on your server. 2. **Onboard administrative users**. With your organization created, further setup procedures can be made easier by onboarding some [administrative users](https://bitwarden.com/help/user-types-access-control/). 
It's important that you **do not begin end-user onboarding** at this point, as there are a few steps left to prepare your organization. Learn how to invite admins [here](https://bitwarden.com/help/managing-users/#onboard-users/). 3. **Configure identity services**. Enterprise organizations support [logging in with single sign-on](https://bitwarden.com/help/about-sso/) (SSO) using either SAML 2.0 or OpenID Connect (OIDC). To configure SSO, open the organization's **Settings** → **Single Sign-On** screen in the Admin Console, accessible by [organization owners and administrators](https://bitwarden.com/help/user-types-access-control/). 4. **Enable enterprise policies**. [Enterprise policies](https://bitwarden.com/help/policies/) enable organizations to implement rules for users, for example requiring use of two-step login. It is highly recommended that you configure policies before onboarding users. ## Step 2: Import data Data can be imported directly from LastPass or using an [exported file](https://bitwarden.com/help/import-from-lastpass/#export-from-lastpass/) from LastPass. If you're a member of a team using SSO with LastPass, a LastPass administrator will need to complete a short setup procedure before you can use the **Direct import** option ([learn more](https://bitwarden.com/help/import-from-lastpass/#direct-import-with-sso/)). To import data to your organization using the **Direct import** method: 1. Log in to the Password Manager browser extension or desktop app. 2. In the browser extension, select the **Settings** tab and choose the **Import items** option**.** Or, in the desktop app, select **File**> **Import data**. 3. Complete the following fields from the drop down menus: - **Import destination:**Select the import destination, such as the organizational vault that you have access to. - **Folder or Collection:**Select if you would like the imported content moved to a specific collection that you have access to. 
   - [**File format**](https://bitwarden.com/help/import-faqs/#q-what-file-formats-does-bitwarden-support-for-import/)**:** Select **LastPass**.
   - In the LastPass Instructions box, choose the **Import directly from LastPass** option.
   - Enter your **LastPass email**.

   > [!TIP] LP MFA during import
   > If your LastPass account has multi-factor authentication activated, you will be prompted to enter a one-time passcode from your authenticator app. If you use Duo for MFA, only in-app approval is supported to fulfill your MFA requirement.

4. Select the **Import data** button to trigger the import.
5. You will be prompted for your LastPass master password or, if your LastPass account uses SSO, to log in to your IdP. In either case, follow the prompts to log in to your LastPass account.

> [!TIP] Recommend org users import individual data.
> You should also recommend to employees that they export their individually-owned data from your existing password manager and prepare it for import into Bitwarden. Learn more [here](https://bitwarden.com/help/import-from-lastpass/#tab-direct-import-7dsxR2Yah8mdGJAmQdYZea/).

## Step 3: Onboard users

Bitwarden supports manual onboarding via the web vault and automated onboarding through SCIM integrations or syncing from your existing directory service:

### Manual onboarding

To ensure the security of your organization, Bitwarden applies a 3-step process for onboarding a new member, [invite](https://bitwarden.com/help/managing-users/) → [accept](https://bitwarden.com/help/managing-users/) → [confirm](https://bitwarden.com/help/managing-users/). Learn how to invite new users [here](https://bitwarden.com/help/managing-users/#onboard-users/).
> [!TIP] Instruct users to import from LP
> Once users are onboarded, instruct them to import their personal data to Bitwarden using an exported file or, if their LastPass accounts are still active, using the **Direct import** method described [here](https://bitwarden.com/help/import-from-lastpass/#import-to-bitwarden/).

### Automated onboarding

Automated user onboarding is available through SCIM integrations with [Azure AD](https://bitwarden.com/help/microsoft-entra-id-scim-integration/), [Okta](https://bitwarden.com/help/okta-scim-integration/), [OneLogin](https://bitwarden.com/help/onelogin-scim-integration/), and [JumpCloud](https://bitwarden.com/help/jumpcloud-scim-integration/), or using [Directory Connector](https://bitwarden.com/help/directory-sync/), a standalone application available in a [desktop app](https://bitwarden.com/help/directory-sync-desktop/) and [CLI](https://bitwarden.com/help/directory-sync-cli/) tool that will synchronize users and groups from your existing directory service.

Whichever you use, users are automatically invited to join the organization and can be confirmed manually or automatically using the [Bitwarden CLI tool](https://bitwarden.com/help/cli/#confirm/).

> [!TIP] Instruct users to import from LP
> Once users are onboarded, instruct them to import their personal data to Bitwarden using an exported file or, if their LastPass accounts are still active, using the **Direct import** method described [here](https://bitwarden.com/help/import-from-lastpass/#import-to-bitwarden/).

## Step 4: Configure access to collections and items

Share vault items with your end-users by configuring access through collections, groups, and group-level or user-level permissions:

### Collections

Bitwarden empowers organizations to share sensitive data easily, securely, and in a scalable manner. This is accomplished by segmenting shared secrets, items, logins, etc. into **collections**.
Collections can organize secure items in many ways, including by business function, group assignment, application access levels, or even security protocols. Collections function like shared folders, allowing for consistent access control and sharing amongst groups of users.

Shared folders from LastPass can be imported as collections into Bitwarden by using the organization import template found [here](https://bitwarden.com/assets/4DdJLATeuhMYlE581pPErF/ef60b56917b58f59141ae9aa58b5a46d/bitwarden_export_org.csv) and placing the name of the shared folder in the `collections` column.

Collections can be shared with both groups and individual users. Limiting the number of individual users that can access a collection will make management more efficient for admins. Learn more [here](https://bitwarden.com/help/about-collections/).

> [!NOTE] Nested collection permissions
> Nested collections do not inherit the permissions of the top level collection. See [using groups](https://bitwarden.com/help/about-groups/#using-groups/) to designate permissions.

### Groups

Using groups for sharing is the most effective way to provide credential and secret access. Groups, like users, can be synced to your organization using SCIM or Directory Connector.

### Permissions

Permissions for Bitwarden collections can be assigned on the group or user-level. This means that each group or user can be configured with different permissions for the same collection. Collection permission options include:

- Can view
- Can view, except passwords
- Can edit
- Can edit, except passwords
- Can manage

Learn more about permissions [here](https://bitwarden.com/help/user-types-access-control/#permissions/).

Bitwarden uses a union of permissions to determine final access permissions for a user and a collection. For example:

- User A is part of the Tier 1 Support group, which has access to the Support collection, with can view permission.
- User A is also a member of the Support Management group, which has access to the Support collection, with can edit access.
- In this scenario, User A will be able to edit the collection.

## Migration support

The Bitwarden Customer Success team is available 24/7 with priority support for your organizations. If you need assistance or have questions, please do not hesitate to [contact us](https://bitwarden.com/contact/).

--- URL: https://bitwarden.com/help/ldap-directory/ ---

# LDAP or Active Directory

This article will help you get started using Directory Connector to sync users and groups from your LDAP or Active Directory service to your Bitwarden organization.

Bitwarden provides built-in connectors for the most popular LDAP directory servers, including:

- Microsoft Active Directory
- Apache Directory Server (ApacheDS)
- Apple Open Directory
- Fedora Directory Server
- Novell eDirectory
- OpenDS
- OpenLDAP
- Sun Directory Server Enterprise Edition (DSEE)
- Any generic LDAP directory server

## Connect to your server

Complete the following steps to configure Directory Connector to use your LDAP or Active Directory:

1. Open the Directory Connector [desktop app](https://bitwarden.com/help/directory-sync-desktop/).
2. Navigate to the **Settings** tab.
3. From the **Type** dropdown, select **Active Directory / LDAP**. The available fields in this section will change according to your selected type.
4. Configure the following options:

| **Option** | **Description** | **Examples** |
|------|------|------|
| Server Hostname | Hostname of your directory server. | `ad.example.com`, `ldap.company.org` |
| Server Port | Port on which your directory server is listening. | `389` or `10389` |
| Root Path | Root path at which Directory Connector should start all queries. | `cn=users`, `dc=ad`, `dc=example`, `dc=com` or `dc=ldap`, `dc=company`, `dc=org` |
| This server uses active directory | Check this box if the server is an Active Directory server.
| |
| This server pages search results | Check this box if the server paginates search results (LDAP only). | |
| This server uses an encrypted connection | Checking this box will prompt you to select one of the following options: **Use SSL** (LDAPS): If your LDAPS server uses an untrusted certificate, you can configure certificate options on this screen. **Use TLS** (STARTTLS): If your LDAP server uses a self-signed certificate for STARTTLS, you can configure certificate options on this screen. | |
| Username | The distinguished name of an administrative user that the application will use when connecting to the directory server. For **Active Directory**, if synchronizing the status of users removed from the directory is desired, the user should be a member of the built-in administrator group. | |
| Password | The password of the user specified above. The password is safely stored in the operating system's native credential manager. | |

## Configure sync options

> [!NOTE] Clear sync cache
> When you are finished configuring, navigate to the **More** tab and select the **Clear Sync Cache** button to prevent potential conflicts with prior sync operations. For more information, see [Clear Sync Cache](https://bitwarden.com/help/clear-sync-cache/).

Complete the following steps to configure the settings used when syncing using Directory Connector:

> [!NOTE]
> If you are using Active Directory, many of these settings are predetermined for you and are therefore not shown.

1. Open the Directory Connector [desktop app](https://bitwarden.com/help/directory-sync-desktop/).
2. Navigate to the **Settings** tab.
3. In the **Sync** section, configure the following options as desired:

| **Option** | **Description** |
|------|------|
| Interval | Time between automatic sync checks (in minutes). |
| Remove disabled users during sync (**Not available for LDAP**) | Check this box to remove users from the Bitwarden organization that have been disabled in your organization.
|
| More than 2000 users or groups are expected to sync | Check this box if you expect to sync 2000+ users or groups. If you don't check this box, Directory Connector will limit a sync at 2000 users or groups. |
| Member Attribute | Name of the attribute used by the directory to define a group's membership (for example, `uniqueMember`). |
| Creation Date Attribute | Name of the attribute used by the directory to specify when an entry was created (for example, `whenCreated`). |
| Revision Date Attribute | Name of the attribute used by the directory to specify when an entry was last changed (for example, `whenChanged`). |
| If a user has no email address, combine a username prefix with a suffix value to form an email | Check this box to form valid email options for users that do not have an email address. This option is available after selecting **This server uses Active Directory**. **Users without real or formed email addresses will be skipped by Directory Connector.** Formed Email = **Email Prefix Attribute** + **Email Suffix** |
| Email Prefix Attribute | Attribute used to create a prefix for formed email addresses. |
| Email Suffix | A string (`@example.com`) used to create a suffix for formed email addresses. |
| Sync users | Check this box to sync users to your organization. Checking this box will allow you to specify a **User Filter**, **User Path**, **User Object Class**, and **User Email Attribute**. |
| User Filter | See [Specify sync filters](https://bitwarden.com/help/ldap-directory/#specify-sync-filters/). |
| User Path | Attribute used with the specified **Root Path** to search for users (for example, `ou=users`). If no value is supplied, the subtree search will start from the root path. |
| User Object Class | Name of the class used for the LDAP user object (for example, `user`). |
| User Email Attribute | Attribute to be used to load a user's stored email address. |
| Sync groups | Check this box to sync groups to your organization.
Checking this box will allow you to specify a **Group Filter**, **Group Path**, **Group Object Class**, and **Group Name Attribute**. |
| Group Filter | See [Specify sync filters](https://bitwarden.com/help/ldap-directory/#specify-sync-filters/). |
| Group Path | Attribute used with the specified **Root Path** to search for groups (for example, `ou=groups`). If no value is supplied, the subtree search will start from the root path. |
| Group Object Class | Name of the class used for the LDAP group object (for example, `groupOfUniqueNames`). |
| Group Name Attribute | Name of the attribute used by the directory to define the name of a group (for example, `name`). |

### Specify sync filters

User and group filters can be in the form of any LDAP-compatible search filter.

Active Directory provides some advanced options and limitations for writing search filters, when compared to standard LDAP directories. Learn more about writing Active Directory search filters [here](https://docs.microsoft.com/en-us/windows/win32/adsi/search-filter-syntax?redirectedfrom=MSDN).

> [!NOTE] LDAP nested groups bwdc
> Nested groups can sync multiple group objects with a single referent in the Directory Connector. Do this by creating a group whose members are other groups.
#### Samples

To filter a sync for all entries that have `objectClass=user` and `cn` (common name) that contains `Marketing`:

```
(&(objectClass=user)(cn=*Marketing*))
```

(**LDAP-only**) To filter a sync for all entries with an `ou` (organization unit) component of their `dn` (distinguished name) that is either `Miami` or `Orlando`:

```
(|(ou:dn:=Miami)(ou:dn:=Orlando))
```

(**LDAP-only**) To exclude entities that match an expression, for example all `ou=Chicago` entries *except* those that also match a `ou=Wrigleyville` attribute:

```
(&(ou:dn:=Chicago)(!(ou:dn:=Wrigleyville)))
```

(**AD Only**) To filter a sync for users in the `Heroes` group:

```
(&(objectCategory=Person)(sAMAccountName=*)(memberOf=cn=Heroes,ou=users,dc=company,dc=com))
```

(**AD Only**) To filter a sync for users that are members of the `Heroes` group, either directly or via nesting:

```
(&(objectCategory=Person)(sAMAccountName=*)(memberOf:1.2.840.113556.1.4.1941:=cn=Heroes,ou=users,dc=company,dc=com))
```

## Test a sync

> [!TIP] BWDC connect to EU server.
> Before testing or executing a sync, check that Directory Connector is connected to the right cloud server (e.g. US or EU) or self-hosted server. Learn how to do so with the [desktop app](https://bitwarden.com/help/directory-sync-desktop/#getting-started/) or [CLI](https://bitwarden.com/help/directory-sync-cli/#config/).

To test whether Directory Connector will successfully connect to your directory and return the desired users and groups, navigate to the **Dashboard** tab and select the **Test Now** button.
If successful, users and groups will be printed to the Directory Connector window according to the specified [sync options](https://bitwarden.com/help/ldap-directory/#configure-sync-options/) and [filters](https://bitwarden.com/help/ldap-directory/#specify-sync-filters/):

![Test sync results ](https://bitwarden.com/assets/5QYMxvtCPhjbluuoLcCapD/96e9c630ead9ceba5124b55f9d2764a3/dc-okta-test.png)

## Start automatic sync

Once [sync options](https://bitwarden.com/help/ldap-directory/#configure-sync-options/) and [filters](https://bitwarden.com/help/ldap-directory/#specify-sync-filters/) are configured and tested, you can begin syncing. Complete the following steps to start automatic syncing with Directory Connector:

1. Open the Directory Connector [desktop application](https://bitwarden.com/help/directory-sync-desktop/).
2. Navigate to the **Dashboard** tab.
3. In the **Sync** section, select the **Start Sync** button.

You may alternatively select the **Sync Now** button to execute a one-time manual sync.

Directory Connector will begin polling your directory based on the configured [sync options](https://bitwarden.com/help/ldap-directory/#configure-sync-options/) and [filters](https://bitwarden.com/help/ldap-directory/#specify-sync-filters/).

If you exit or close the application, automatic sync will stop. To keep Directory Connector running in the background, minimize the application or hide it to the system tray.

> [!NOTE] Teams Starter + BWDC
> If you're on the [Teams Starter](https://bitwarden.com/help/password-manager-plans/#teams-starter-organizations/) plan, you are limited to 10 members. Directory Connector will display an error and stop syncing if you try to sync more than 10 members.
>
> **This plan is no longer available for purchase**. This error does not apply to Teams plans.
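
The sample filters under "Specify sync filters" decide which accounts Directory Connector invites, so it helps to dry-run a filter against a small directory before selecting **Test Now**. The Python below is an added example, not Bitwarden or Directory Connector code: `parse`, `matches`, `preview`, `nested_only` and the `DIRECTORY` entries are hypothetical and constructed, values are compared as case-insensitive strings (a simplification of real directory matching rules), and only the filter forms used in the samples are supported.

```python
import re

# AD matching rule from the page's nested-membership sample (LDAP_MATCHING_RULE_IN_CHAIN).
IN_CHAIN = "1.2.840.113556.1.4.1941"

def parse(text):
    """Parse a filter into ('&'|'|'|'!', [children]) or ('item', attr, rule, value)."""
    text = text.strip()
    node, pos = _node(text, 0)
    if pos != len(text):
        raise ValueError(f"unexpected text at offset {pos}")
    return node

def _node(s, i):
    if s[i:i + 1] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if s[i:i + 1] in ("&", "|", "!"):
        op, i, children = s[i], i + 1, []
        while s[i:i + 1] == "(":
            child, i = _node(s, i)
            children.append(child)
        if s[i:i + 1] != ")" or not children or (op == "!" and len(children) != 1):
            raise ValueError(f"malformed '{op}' group near offset {i}")
        return (op, children), i + 1
    end = s.find(")", i)  # RFC 4515 escapes (\28, \29, \2a) are not decoded here
    lhs, eq, value = s[i:max(end, i)].partition("=")
    if end == -1 or not eq or not lhs or lhs[-1] in "<>~":
        raise ValueError(f"unsupported or unterminated item at offset {i}")
    attr, _, rule = lhs.rstrip(":").partition(":")  # 'ou:dn:' -> ('ou', 'dn')
    return ("item", attr.lower(), rule.lower(), value), end + 1

def _norm(value):  # comparison form: lower case, no spaces around DN commas
    return re.sub(r"\s*,\s*", ",", value.strip()).lower()

def _in_chain(entry, attr, target, directory):
    """True if `attr` reaches `target` directly or through nested groups."""
    seen, todo = set(), [_norm(v) for v in entry.get(attr, [])]
    while todo:
        dn = todo.pop()
        if dn == target:
            return True
        if dn not in seen:  # guard against membership cycles
            seen.add(dn)
            todo += [_norm(v) for v in directory.get(dn, {}).get(attr, [])]
    return False

def matches(node, dn, directory):
    """Evaluate a parsed filter against the entry stored under `dn`."""
    if node[0] == "&":
        return all(matches(c, dn, directory) for c in node[1])
    if node[0] == "|":
        return any(matches(c, dn, directory) for c in node[1])
    if node[0] == "!":
        return not matches(node[1][0], dn, directory)
    _, attr, rule, value = node
    values = list(directory[dn].get(attr, []))
    if rule == "dn":  # ':dn:' also tests the components of the entry's DN
        values += [v for k, _, v in (r.partition("=") for r in dn.split(",")) if k == attr]
    elif rule == IN_CHAIN:
        return _in_chain(directory[dn], attr, _norm(value), directory)
    elif rule:
        raise ValueError(f"unsupported matching rule: {rule}")
    if value == "*":  # presence test
        return bool(values)
    pattern = ".*".join(re.escape(p) for p in _norm(value).split("*"))
    return any(re.fullmatch(pattern, _norm(v)) for v in values)

def preview(filter_text, directory):
    """Return the DNs a sync filter would select, sorted for review."""
    tree = parse(filter_text)
    return sorted(dn for dn in directory if matches(tree, dn, directory))

def _user(cn, sam, *groups):
    return {"objectclass": ["user"], "objectcategory": ["Person"], "cn": [cn],
            "samaccountname": [sam], "memberof": list(groups)}

# Constructed sample directory keyed by lower-cased DN (not real data).
HEROES = "cn=heroes,ou=users,dc=company,dc=com"
SIDEKICKS = "cn=sidekicks,ou=users,dc=company,dc=com"
ALICE = "cn=alice marketing,ou=miami,dc=company,dc=com"
BOB = "cn=bob,ou=wrigleyville,ou=chicago,dc=company,dc=com"
CAROL = "cn=carol,ou=chicago,dc=company,dc=com"
DIRECTORY = {
    HEROES: {"objectclass": ["group"], "cn": ["Heroes"]},
    SIDEKICKS: {"objectclass": ["group"], "cn": ["Sidekicks"], "memberof": [HEROES]},
    ALICE: _user("Alice Marketing", "alice", HEROES),
    BOB: _user("Bob", "bob", SIDEKICKS),
    CAROL: _user("Carol", "carol"),
}
DIRECT = "(&(objectCategory=Person)(sAMAccountName=*)(memberOf=cn=Heroes,ou=users,dc=company,dc=com))"
NESTED = DIRECT.replace("(memberOf=", "(memberOf:" + IN_CHAIN + ":=")

def nested_only(directory):
    """Accounts the in-chain filter selects beyond direct group members."""
    return sorted(set(preview(NESTED, directory)) - set(preview(DIRECT, directory)))

if __name__ == "__main__":
    print("added by nesting:", nested_only(DIRECTORY))
```

Comparing the direct and nested results shows which accounts would be invited only because of group nesting, which is worth reviewing before automatic sync is started.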
## Sync with Active Directory troubleshooting

**Value limit reached when synchronizing from an Active Directory instance:** The Active Directory `MaxValRange` has a default setting of 1500. If an attribute, such as `members` on a Group has more than 1500 values, Active Directory will return both a blank `members` attribute, as well as a truncated list of `members` on separate attributes, up to the value of `MaxValRange`.

- You can adjust the `MaxValRange` policy to a value higher than the number of members of your largest group in Active Directory. See the Microsoft documentation for setting Active Directory LDAP policies by using the [ntdsutil.exe](https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/view-set-ldap-policy-using-ntdsutil) utility.

--- URL: https://bitwarden.com/help/learning-center/ ---

# About the Learning Center

Welcome to the Bitwarden Learning Center! Learning Center articles guide users through video training courses, helping them become more proficient in Bitwarden offerings including Password Manager, Secrets Manager, Passwordless.dev, and reseller/MSP portals.

Each training course is centered around a unique stage in the Bitwarden journey:

- [Customer Activation Kit:](https://bitwarden.com/help/customer-activation-kit/) This course provides essential resources and strategies for effectively rolling out Bitwarden and introducing it to your team.
- [First Steps with Bitwarden](https://bitwarden.com/help/first-steps-with-bitwarden/): This course will help you set up your Bitwarden account and prepare your devices for easy storage of passwords and sensitive information.
- [Get to know Password Manager](https://bitwarden.com/help/get-to-know-password-manager/): This course will help you get comfortable with navigating your Bitwarden vault, personalizing your view, and importing or creating new vault items.
- [Bitwarden Power Users](https://bitwarden.com/help/bitwarden-power-users/): This course will help you take your Bitwarden vault beyond standard password management using security functionality like Send.
- [Bitwarden for Business Admins](https://bitwarden.com/help/courses/bitwarden-for-business-admins/): This course introduces Bitwarden administrators to the features available to the Teams and Enterprise business plans.
- [Get to know Secrets Manager](https://bitwarden.com/help/courses/secrets-manager/): This course will get you started with securely storing, sharing, and injecting infrastructure secrets in your development pipelines using Bitwarden Secrets Manager.
- [Bitwarden for MSPs](https://bitwarden.com/help/bitwarden-for-msps/): This course introduces Managed Service Providers (MSPs) to implementing Bitwarden Password Manager for your clients.
- [Get to know Passwordless.dev](https://bitwarden.com/help/courses/passwordless-dev/): This course introduces using Bitwarden Passwordless.dev to establish smooth passwordless authentication for your application's users.

## More resources

Continue your Bitwarden journey with any of the following resources:

- [Help Center](https://bitwarden.com/help/): Learn about any Bitwarden topic using the home for Bitwarden user documentation and education material.
- [Weekly live demo](https://bitwarden.com/bitwarden-demo/): Discover how Bitwarden safeguards your sensitive online information by signing up for a weekly deep dive.
- [More Bitwarden events](https://bitwarden.com/events/): Attend other Bitwarden events to learn about unique and varied topics directly from the Bitwarden team.
- [Bitwarden Blog](https://bitwarden.com/blog/): Keep up to date with everything happening at Bitwarden and in the world of online security.
- [Community Forums](https://community.bitwarden.com/): Get involved with other Bitwarden users talking about requested features and sharing their Bitwarden experiences.
--- URL: https://bitwarden.com/help/legacy-user-support/ ---

# Legacy User Support

> [!NOTE] update encryption scheme if you haven't
> As of the 2025.6.2 server release deployed on June 24, 2025, Bitwarden has officially removed support for legacy users.
>
> - **If your account was created after 2017**, you are not impacted by this change.
> - **If your account was created before 2017**, as long as you have logged in to the web app since 2023, you are not impacted by this change.

**Accounts created prior to 2017** leveraged an encryption scheme that used a key derived from your master password directly to encrypt account data. This encryption method was inflexible and created an environment with potential vulnerabilities.

In 2017, Bitwarden's [encryption scheme](https://bitwarden.com/help/bitwarden-security-white-paper/#hashing-key-derivation-and-encryption/) was updated to address these vulnerabilities. Following this update:

- (2017) Workflows for automatically migrating accounts to the new encryption scheme were added to the web app.
- (2023) Bitwarden clients, not including the web app, underwent changes that prevented legacy users from logging in. Error messages directed users to log in on the web app to execute migration.
- (2025) Bitwarden servers underwent changes that logged remaining legacy users out of active sessions, requiring them to log in on the web app to execute migration. Impacted users were emailed following these changes.

As a result of these actions, as of version 2025.6.1, it is unlikely that any actively-used Bitwarden accounts still utilize the legacy encryption scheme.

--- URL: https://bitwarden.com/help/licensing-on-premise/ ---

# License Organizations or Premium

Self-hosting Bitwarden is free, however some features must be unlocked in your self-hosted instance with a registered license file.
A license file can be obtained from the Bitwarden-hosted web app by either an account with a premium individual subscription or by the owner of an organization.

The steps are different when working with an [individual license](https://bitwarden.com/help/licensing-on-premise/#individual-license/) versus an [organization license](https://bitwarden.com/help/licensing-on-premise/#organization-license/).

> [!NOTE] licensing paid features
> The procedures in this article assume that you have already started a paid subscription to Bitwarden. If you haven't, refer to [About Bitwarden Plans](https://bitwarden.com/help/password-manager-plans/) and [What Plan is Right for Me?](https://bitwarden.com/help/what-plan-is-right-for-me/)

## Individual license

Follow these procedures when working with an individual license for a premium subscription. You'll be working in both the cloud web vault and your self-hosted web vault, and your account email addresses should match.

### Retrieve individual license

After you create an account on your self-hosted server, retrieve your license from the cloud web app:

1. Log in and select **Settings** → **Subscription** from the navigation.
2. Select the **Download license** button:

   ![Download personal license](https://bitwarden.com/assets/bXoVGOMEI1d8iCVoy5fmI/af545e3c083aeebaf12c751fc38a59ea/2024-12-04_10-02-56.png)

### Apply individual license

Next, log in to your self-hosted Bitwarden server to apply the downloaded license:

1. If you haven't already, verify your email address. You will need to have [configured SMTP-related environment variables](https://bitwarden.com/help/environment-variables/) to do so.
2. Select **Settings** → **Subscription** from the navigation.
3. In the License file section, select the **Browse...** or **Choose file** button and add the downloaded license file.
4. Select the **Submit** button to apply your premium license.
### Update individual license

If for any reason you need to update your individual license file, for example when it expires:

1. Follow the steps to **Retrieve your license** again.
2. Follow the steps to **Apply your license** again, only this time you will see an **Update license** button rather than a button to browse for a new license.

## Organization license

Follow these procedures when working with an organization license for a Families or Enterprise organization. You must be an [organization owner](https://bitwarden.com/help/user-types-access-control/) to retrieve, apply, and update a license.

### Retrieve organization license

Before starting an organization on your self-hosted server, retrieve your organization license from the cloud web app.

1. In the Bitwarden web app, open the Admin Console using the product switcher:

   ![Product switcher](https://bitwarden.com/assets/2uxBDdQa6lu0IgIEfcwMPP/e3de3361749b6496155e25edcfdcf08b/2024-12-02_11-19-56.png)

2. Navigate to **Billing** → **Subscription**.
3. Scroll down and select the **Download license** button.
4. When prompted, enter the installation ID that was used to install your self-hosted server and select **Submit**. If you don't know the installation ID off-hand, you can retrieve it from `./bwdata/env/global.override.env`.

> [!NOTE] Installation ID & Region
> Make sure that the installation ID you retrieved from [bitwarden.com/host](https://bitwarden.com/host/) uses the same [data region](https://bitwarden.com/help/server-geographies/) as where your organization exists.

### Apply organization license

Applying your license in a self-hosted server is the means by which you'll create a self-hosted organization. From your self-hosted web vault:

1. Start a new organization by selecting the + **Add organization** button.
2. Select the **Browse...** or **Choose file** button, add the downloaded license file, and select **Submit**.
> [!NOTE] organization license error
> If you receive a `version not supported` error message, update your server and try uploading your license file again. To update your server, make a backup of the `bwdata` directory and follow [these instructions](https://bitwarden.com/help/updating-on-premise/).

### Update organization license

Organizations may need to update the license file on their self-hosted server, for example to add user seats or when your license expires. When your license expires and your organization renews, you have 60 days to apply the updated license file to your self-hosted organization.

There are two methods for doing so, however **Families organizations may only update manually**:

### Automatic sync

> [!TIP] Automatic Sync still requires a trigger
> Automatic sync:
>
> - Eliminates the need for organization admins to manually re-upload licenses. Once set up, admins will only need to trigger a sync from **Organization** → **Billing** when an update to the license used by the self-hosted organization is required, for example when the number of seats has changed or for renewal.
> - Makes [Families sponsorships](https://bitwarden.com/help/families-for-enterprise/) possible for members of self-hosted organizations. Sync for these sponsorships will automatically occur once per day.

To set up automatic sync:

> [!NOTE] Automatic Billing sync applies to paid organizations
> To successfully set up Automatic Billing Sync, an active subscription license is required. If a self-hosted organization has been set up from a cloud hosted organization still in its trial period, a license will have to be downloaded and applied to the self-hosted organization once the trial period is over. Learn more about paid subscriptions [here](https://bitwarden.com/help/password-manager-plans/).

#### Step 1: Enable cloud communication

First, you'll need to configure your server to allow communication with our cloud systems.
> [!TIP] Who can Enable Cloud Comms
> This step must be completed by someone with access to your self-hosted instance's configuration files.

In order to enable cloud communication, set the following line in `bwdata/env/global.override.env` to `true`:

```
globalSettings__enableCloudCommunication=true
```

Once you have set this value, apply your change by running the `./bitwarden.sh rebuild` command. Start your server again with the `./bitwarden.sh start` command.

> [!NOTE] Self-hosting communication fire walls
> Enabling automatic sync requires communication with Bitwarden's cloud systems. If your environment uses a firewall to block outbound traffic, you will need to allow `https://api.bitwarden.com` or `.eu` and `https://identity.bitwarden.com` or `.eu`.

#### Step 2: Retrieve billing sync token

Once cloud communication is enabled at the server-level, a sync token needs to be passed from the cloud organization you use for billing to your self-hosted organization. To retrieve your sync token from the cloud web app:

1. Log in to the Bitwarden web app and open the Admin Console using the product switcher:

   ![Product switcher](https://bitwarden.com/assets/2uxBDdQa6lu0IgIEfcwMPP/e3de3361749b6496155e25edcfdcf08b/2024-12-02_11-19-56.png)

2. Navigate to **Billing** → **Subscription**.
3. Scroll down to the self-hosting section and select the **Set up billing sync** button.
4. Enter your master password and select **Generate token**.
5. Copy the generated token.

#### Step 3: Apply billing sync token

To apply the billing sync token to your self-hosted organization:

1. Open the self-hosted Admin Console and navigate to **Billing** → **Subscription**.
2. In the License and billing management section, choose the **Automatic sync** option.
3. Select the **Manage billing sync** button.
4. Paste your generated **Billing Sync Token** and select **Save**.
> [!NOTE] Sync Status `Never`
> Sync for [Families for Enterprise](https://bitwarden.com/help/families-for-enterprise-self-hosted/) will occur once daily once you've triggered your first sync. The **Last sync** field in this section will report **Never** until you trigger your first sync.
>
> Sync for license updates must always be done manually by selecting the **Sync license** button (see the next section for details).

#### Step 4: Trigger sync

Trigger a sync once you've completed setup and **each time you need to update your license**. Sync for Families for Enterprise will occur **once daily**. To trigger a sync:

1. Open the self-hosted Admin Console and navigate to **Organization** → **Billing**.
2. Select the **Sync license** button.

> [!NOTE] organization license error
> If you receive a `version not supported` error message, update your server and try uploading your license file again. To update your server, make a backup of the `bwdata` directory and follow [these instructions](https://bitwarden.com/help/updating-on-premise/).

### Manual update

To manually re-upload a license file:

1. Follow the steps to **Retrieve your license** again.
2. Open the self-hosted Admin Console and navigate to **Billing** → **Subscription**.
3. In the License and billing management section, choose the **Manual upload** option.
4. Select the **Browse...** or **Choose file** button to add your license file.
5. Select **Submit**.

> [!NOTE] organization license error
> If you receive a `version not supported` error message, update your server and try uploading your license file again. To update your server, make a backup of the `bwdata` directory and follow [these instructions](https://bitwarden.com/help/updating-on-premise/).
--- URL: https://bitwarden.com/help/link-sso/ ---

# Link SSO

You typically only need to link to SSO if you're joining an organization with a **pre-existing Bitwarden account** or if your organization does not [require you to use SSO](https://bitwarden.com/help/policies/#require-single-sign-on-authentication/). To link to SSO:

1. Open the web app, and select the ⋮ **Options** menu next to your organization.
2. From the dropdown menu, select 🔗 **Link SSO**.

   ![Link SSO](https://bitwarden.com/assets/cv0DGhcgyEbQEn4MvdJp5/fefb4158c09be8cf9804ed5579c2d7dc/Screenshot_2024-02-26_at_2.07.03_PM.png)

Once linked, you'll be able to [log in to the account with SSO](https://bitwarden.com/help/using-sso/).

> [!NOTE] Unlinking SSO
> Once you're linked, you can **Unlink SSO** from the same menu. This is generally most useful when your email address changes in your IdP (e.g. Google, Azure) or in Bitwarden and SSO stops working as a result, or in situations when an IdP identity is linked to the wrong Bitwarden account and the existing link must be broken before a correct one can be made.

--- URL: https://bitwarden.com/help/link-to-an-item/ ---

# Hyperlink Organization Items

When you need to direct members of your organization to a specific vault item, for example in documentation, you can copy the URL of an item to be used as a direct link for users that **have access to the item**.

> [!TIP] Linkable Items for Personal Use
> Item linking is not exclusive to organizations! You can save links to items in your individual vault if you find it useful, but only you will be able to access them.
When you are viewing an item in the web vault, the URL in your address bar will include a query parameter like `?itemId=fced56b3-d83c-4b01-8751-ae9301551da7`, where the `itemId` value represents the unique item identifier:

![Item link](https://bitwarden.com/assets/6v3WH6FljmTFOlSqOjjAqZ/a9c1ae50155e6692d52987fe4f0cc888/2024-12-04_09-55-51.png)

Copy the full value in the address bar and use that link to direct organization members directly to this item. When a user uses the link, the item will be automatically opened once they log in. Users **must already have access to the item** in order to successfully use a link.

--- URL: https://bitwarden.com/help/list-of-emails/ ---

# Emails from Bitwarden Servers

This article describes the automated emails that will be sent from `no-reply@bitwarden.com` or `.eu` to organization members, including owners, admins, and end-users, as well as individual users.

Emails in this article are organized by who will receive them as well as by criticality. **Whether an email is considered critical in an organization context may depend on your organization's particular deployment or requirements.**

## Organization emails

### Critical administrative emails

The following emails alert owners and admins of Bitwarden organizations to critical changes or action items related to their organization:

| Subject line | Variable | Description |
|------|------|------|
| Your Subscription Will Renew Soon | n/a | The billing email for an organization receives this email when their organization subscription is [approaching a renewal date](https://bitwarden.com/help/organization-renewal/). |
| {Organization} Seat Count Has Increased | {Organization} = Your organization's display name. | All owners receive this email when their [organization seat count autoscales](https://bitwarden.com/help/managing-users/#user-seats/). |
| {Organization} Seat Limit Reached | {Organization} = Your organization's display name. | All owners receive this email when the number of their organization's members matches their [seat limit](https://bitwarden.com/help/managing-users/#set-a-seat-limit/). |
| Domain not claimed | n/a | All owners and admins receive this email when an [attempt to claim a domain for their organization was not successful](https://bitwarden.com/help/claimed-domains/). |
| Action Required: {User} Needs to be Confirmed | {User} = A user's email address. | All owners and admins receive this email when a user is waiting to be [confirmed to join the organization.](https://bitwarden.com/help/managing-users/#confirm/) |
| Review SSO login request for new device | n/a | All owners and admins receive this email when a user is waiting for a [trusted device to be approved](https://bitwarden.com/help/approve-a-trusted-device/). |
| Request to Delete Your Organization | n/a | An owner receives this email if they have requested deletion of their organization from Bitwarden support. This email will only be sent to a valid owner who has confirmed with Bitwarden support that organization deletion can be initiated. |

### Critical member emails

The following emails alert members of Bitwarden organizations, in all roles, to critical changes or action items related to their account:

| Subject line | Variable | Description |
|------|------|------|
| {Organization} invited you to their Bitwarden organization. | {Organization} = Your organization's display name. | A user receives this email when they are invited to join an organization, **if** they have an existing Bitwarden account. |
| {Organization} set up a Bitwarden account for you. | {Organization} = Your organization's display name. | A user receives this email when they are invited to join an organization, **if** they do not have an existing Bitwarden account. |
| You have been revoked from {Organization} | {Organization} = Your organization's display name. | A user receives this email when their access is revoked due to violation of the [Require two-step login](https://bitwarden.com/help/policies/#require-two-step-login/) or [Single organization](https://bitwarden.com/help/policies/#single-organization/) policies. |
| Your admin has initiated account recovery | n/a | A user receives this email when an administrator has [initiated account recovery on their account](https://bitwarden.com/help/account-recovery/#recover-an-account/). |
| Login request approved | n/a | A user receives this email when a trusted device [login request is approved by an administrator](https://bitwarden.com/help/add-a-trusted-device/). |
| Your Bitwarden account is claimed by {Organization} | {Organization} = Your organization's display name. | A user receives this email when their account is [claimed by an organization they are a member of](https://bitwarden.com/help/claimed-accounts/). |

### Critical Secrets Manager emails

The following emails alert owners of Bitwarden organizations to critical changes or action items related to their use of Secrets Manager:

| Subject | Variable | Description |
|------|------|------|
| {Organization} Secrets Manager Seat Limit Reached | {Organization} = Your organization's display name. | All owners receive this email when the number of users in an organization [assigned to Secrets Manager matches its seat limit](https://bitwarden.com/help/secrets-manager-quick-start/#user-seats-and-machine-account-scaling/). |
| {Organization} Secrets Manager Machine Accounts Limit Reached | {Organization} = Your organization's display name. | All owners receive this email when the number of [machine accounts created in an organization matches its machine account limit](https://bitwarden.com/help/secrets-manager-quick-start/#user-seats-and-machine-account-scaling/). |

### Non-critical organization emails

The following emails alert members of Bitwarden organizations, in all roles, to non-critical changes or action items related to their account or organization:

| Subject line | Variable | Description |
|------|------|------|
| You Have Been Confirmed to {Organization} | {Organization} = Your organization's display name. | A user receives this email when their access to the organization is confirmed. |
| Access Requested for Secrets Manager | n/a | An admin or owner receives this email when a user has requested access to [Secrets Manager](https://bitwarden.com/help/secrets-manager-overview/). |
| Accept Your Free Families Subscription | n/a | A user receives this email when a member of an organization invited them to [create a sponsored Families organization](https://bitwarden.com/help/families-for-enterprise/). |
| Success! Families Subscription Accepted | n/a | A user receives this email when they've redeemed an invitation to [create a sponsored Families organization](https://bitwarden.com/help/families-for-enterprise/). |
| Your Families Sponsorship was Removed | n/a | A user receives this email when they've manually removed [sponsorship for a Families organization](https://bitwarden.com/help/families-for-enterprise/). |
| Removal of Free Bitwarden Families plan | n/a | A user receives this email when sponsorship for a Families organization has been [removed by an administrator, typically by activating a policy](https://bitwarden.com/help/policies/#remove-free-bitwarden-families-sponsorship/). |

## Provider & business unit emails

The following emails alert provider and business unit admins to any changes or action items relevant to their provider or business unit:

| Subject line | Variable | Description |
|------|------|------|
| Create a Provider | n/a | A provider admin receives this email when they are [registered to create a provider](https://bitwarden.com/help/getting-started-providers/#start-a-provider/). |
| Set Up Business Unit | n/a | A business unit admin receives this email when they are registered to create a [business unit](https://bitwarden.com/help/business-unit-portal/). |
| Join {Provider/Business Unit} | {Provider/Business Unit} = Your provider's display name. | A user receives this email when they are [invited to join a provider](https://bitwarden.com/help/provider-users/#invite/) or business unit. |
| You Have Been Confirmed To {Provider/Business Unit} | {Provider/Business Unit} = Your provider's display name. | A user receives this email when their [access to a provider or business unit is confirmed](https://bitwarden.com/help/provider-users/#confirm/). |
| You Have Been Removed from {Provider/Business Unit} | {Provider/Business Unit} = Your provider's display name. | A user receives this email when their [access to a provider or business unit is removed](https://bitwarden.com/help/provider-users/#deprovision-users/). |
| Update your billing information | n/a | A client organization owner receives this email if their organization is removed from provider management and must add a billing method. |
| Request to Delete Your Provider | n/a | An owner receives this email if they have requested deletion of their organization from Bitwarden support. |

## Self-hosting emails

The following emails alert administrators of self-hosted Bitwarden deployments of changes or action items related to their server:

| Subject line | Variable | Description |
|------|------|------|
| License Expired | n/a | An owner receives this email when the [license file for their self-hosted server](https://bitwarden.com/help/licensing-on-premise/) has exceeded its 60-day [grace period after expiration](https://bitwarden.com/help/organization-renewal/). |
| [Admin] Continue Logging In | n/a | An administrator receives this email while logging in to the [System Administrator Portal](https://bitwarden.com/help/system-administrator-portal/). |

## Widely-applicable emails

The following emails alert Bitwarden users, including members of organizations in any role and individual users, of changes or action items related to their account:

| Subject line | Variable | Description |
|------|------|------|
| Verify Your Email | n/a | A user receives this email during independent account creation. |
| Your Email Change | n/a | A user receives this email when a request to change their account email address is initiated. |
| Your Master Password Hint | n/a | A user receives this email when they've requested a [master password hint](https://bitwarden.com/help/master-password/) during login. |
| Master Password Has Been Changed | n/a | A user receives this email when their master password is changed. |
| Your Bitwarden Verification Code | n/a | A user receives this email when logging in if they need to input [email-based two-step login](https://bitwarden.com/help/setup-two-step-login-email/#use-email-verification/) or [verify a new device](https://bitwarden.com/help/new-device-verification/). |
| New Device Logged In From {Device} | {Device} = Device type, for example "Chrome Extension", "Windows", or "iOS". | A user receives this email when their account is logged into from a new device. |
| Failed login attempts detected | n/a | A user receives this email when several attempts to log in to their Bitwarden account fail. |
| Recover 2FA From {IP} | {IP} = An IP address. | A user receives this email when a two-step login [recovery code is used to deactivate 2FA](https://bitwarden.com/help/two-step-recovery-code/#use-your-recovery-code/). |
| Delete Your Account | n/a | A user receives this email when [deletion of their account has been requested](https://bitwarden.com/help/delete-your-account/#delete-a-personal-account/). |
| Payment Failed | n/a | A user receives this email when the payment method attached to their subscription has failed on renewal. |
| Account Credit Payment Processed | n/a | A user receives this email when account credit is processed toward a subscription renewal. |
| Welcome to Bitwarden! | n/a | A user receives this email when they create a new Bitwarden account. |
| Emergency Access Contact Invite | n/a | A user receives this email when they are [invited to be an emergency contact for another user](https://bitwarden.com/help/emergency-access/#set-up-emergency-access/). |
| Accepted Emergency Access | n/a | A user receives this email when another user has [accepted an invitation to become an emergency contact](https://bitwarden.com/help/emergency-access/#set-up-emergency-access/). |
| You Have Been Confirmed as Emergency Access Contact | n/a | A user receives this email when they are [confirmed as an emergency contact for another user](https://bitwarden.com/help/emergency-access/#set-up-emergency-access/). |
| Emergency Access Initiated | n/a | A user receives this email when an emergency contact [requests access to their account](https://bitwarden.com/help/emergency-access/#use-emergency-access/). |
| Emergency Access Approved | n/a | A user receives this email when their [request for emergency access to another's account is approved](https://bitwarden.com/help/emergency-access/#use-emergency-access/). |
| Emergency Access Rejected | n/a | A user receives this email when their [request for emergency access to another's account is rejected](https://bitwarden.com/help/emergency-access/#use-emergency-access/). |
| Pending Emergency Access Request | n/a | A user receives this email when an [initiated emergency access request is still pending](https://bitwarden.com/help/emergency-access/#use-emergency-access/) after a certain amount of time. |
| Emergency Access Granted | n/a | A user receives this email when access to their account [has been granted to an emergency contact](https://bitwarden.com/help/emergency-access/#use-emergency-access/). |

--- URL: https://bitwarden.com/help/localization/ ---

# Localization

## Change app language

In the web app, Bitwarden will default to your browser's language, which is often determined by your designated system language. The browser extension, mobile app, and desktop app will default directly to your system language. The language can be manually changed on the following Bitwarden clients:

[![Vimeo Video](https://vumbnail.com/795737043.jpg)](https://vimeo.com/795737043)

*[Watch on Vimeo](https://vimeo.com/795737043)*

**Video Chapters:** Learn more about changing the app's language [here](https://bitwarden.com/help/localization/).

### Web app

1. Select **Settings** → **Preferences** from the navigation:

   ![Preferences](https://bitwarden.com/assets/7vKmhsOfJqieQbYRxALV75/ce2505a6fa89531d5784ca6afe45cecd/2024-12-02_11-46-04.png)

2. Select a language from the **Language** dropdown.

### Desktop

1. Open the desktop app's **Preferences** panel (on Windows, **File** → **Settings**) (on macOS, **Bitwarden** → **Preferences**).
2. Scroll to the **App Settings** section and use the **Language** dropdown to select your language.

### Mobile

1. Open the mobile app and tap the **Settings** tab.
2. Tap **Appearance**.
3. Locate the **Language** field and select your preferred language:

   ![Language on mobile](https://bitwarden.com/assets/5pqOwt6W99sLHRCpN1DX1w/bc3581ebc015c0343c116c5eb609e2f5/2025-01-21_15-19-31.png)

4. Restart the application in order to apply changes.

Bitwarden browser extensions will dynamically change to use the language set by your web browser:

- [Learn how to change Chrome's language](https://support.google.com/chrome/answer/173424?co=GENIE.Platform%3DDesktop&hl=en)
- [Learn how to change Firefox's language](https://support.mozilla.org/en-US/kb/use-firefox-another-language)

### Currently supported languages

The following languages are currently supported.
Please note, **not all languages are available for all client applications**:

| Symbol | Language |
|------|------|
| af | Afrikaans |
| ar | الفصحى العربية |
| az | Azərbaycanca |
| be | Беларуская |
| bg | български |
| ca | català |
| cs | čeština |
| cy | Welsh |
| da | dansk |
| de | Deutsch |
| el | Ελληνικά |
| en | English |
| en-GB | English (British) |
| eo | Esperanto |
| es | español |
| et | eesti |
| fa | فارسی |
| fi | suomi |
| fr | français |
| gl | Galician |
| he | עברית |
| hi | हिन्दी |
| hr | hrvatski |
| hu | magyar |
| id | Bahasa Indonesia |
| it | italiano |
| ja | 日本語 |
| ko | 한국어 |
| lv | Latvietis |
| ml | മലയാളം |
| mr | मराठी |
| my | မြန်မာဘာသာ |
| nb | norsk (bokmål) |
| ne | नेपाली |
| nl | Nederlands |
| or | ଓଡ଼ିଆ |
| pl | polski |
| pt-BR | português do Brasil |
| pt-PT | português |
| ro | română |
| ru | русский |
| sk | slovenčina |
| sr | Српски |
| sv | svenska |
| te | తెలుగు |
| th | ไทย |
| tr | Türkçe |
| uk | українська |
| vi | Tiếng Việt |
| zh-CN | 中文(中国大陆) |
| zh-TW | 中文(台灣) |

### Don't see your language?

If your language isn't listed in the web vault or desktop app, or if your browser extension or mobile app isn't dynamically using your language, **we want your help!**

Bitwarden uses a translation tool called [Crowdin](https://crowdin.com) to manage our localization effort across many different languages (**no programming knowledge required**).

- To contribute to or make corrections to an existing translation, [join our project](https://crowdin.com/profile/mpowerbw).
- To start translating Bitwarden to a new language, join our project and contact the [project owner](https://crowdin.com/profile/mpowerbw).

--- URL: https://bitwarden.com/help/log-in-to-secrets-manager/ ---

# Log in to Secrets Manager

The end-to-end zero-knowledge encrypted Bitwarden account you use to log into Password Manager will be the same as what you use to log into Secrets Manager.

> [!TIP] Not SM CLI
> This article pertains to logging in to the Secrets Manager web vault. The [Secrets Manager CLI](https://bitwarden.com/help/secrets-manager-cli/), which is primarily used to script secrets injection into your applications and infrastructure, requires logging in with an [access token](https://bitwarden.com/help/access-tokens/).

## Master password

Your master password is the primary method for accessing your Bitwarden account. It's important that your master password is:

- **Memorable**: Bitwarden employees and systems have no knowledge of, way to retrieve, or way to reset your master password. **Do not forget your master password!**
- **Strong**: A longer, more complex, and less common master password is the best way to protect your account. Bitwarden provides a free password strength testing tool to test the strength of some memorable passwords you are considering.

> [!TIP] Tips to mitigate forgetting master password.
> Worried about forgetting your master password? Here is what to do:
>
> - **Set up a hint**. In case you need a reminder, a master password hint email can be requested on the login screen. Make sure you use a hint that only you will understand.
> - **Designate a** [**trusted emergency contact**](https://bitwarden.com/help/emergency-access/). Users with premium access can grant account access to a friend or family member in the case of emergency.

Learn how to [change your master password](https://bitwarden.com/help/master-password/#change-master-password/), or what to do if you've [forgotten your master password](https://bitwarden.com/help/forgot-master-password/).

## Two-step login

Using [two-step login](https://bitwarden.com/help/bitwarden-field-guide-two-step-login/) (also called two-factor authentication or 2FA) to protect your Bitwarden account prevents a malicious actor from accessing your data even if they discover your master password by requiring authentication from a secondary device when you log in.
There are lots of different methods for two-step login, ranging from dedicated authenticator apps to hardware security keys. Whatever you choose, Bitwarden highly recommends that you secure your vault using two-step login.

### Free methods

Bitwarden offers several two-step login methods for free, including:

| **Method** | **Setup instructions** |
|------|------|
| via an authenticator app (for example, [Authy](https://authy.com/) or [Google Authenticator](https://support.google.com/accounts/answer/1066447?hl=en)) | Click [**here**](https://bitwarden.com/help/setup-two-step-login-authenticator/). |
| via email | Click [**here**](https://bitwarden.com/help/setup-two-step-login-email/). |
| via a FIDO WebAuthn Authenticator | Click [**here**](https://bitwarden.com/help/setup-two-step-login-fido/). |

### Premium methods

For premium users (including members of paid organizations), Bitwarden offers several advanced two-step login methods:

| **Method** | **Setup instructions** |
|------|------|
| via Duo Security with Duo Push, SMS, phone call, and security keys | Click [**here**](https://bitwarden.com/help/setup-two-step-login-duo/). |
| via YubiKey (any 4/5 series device or YubiKey NEO/NFC) | Click [**here**](https://bitwarden.com/help/setup-two-step-login-yubikey/). |

## Log in with device

Did you know you can log in to the Bitwarden web app using a secondary device instead of your master password? Logging in with a device is a passwordless approach to authentication, removing the need to enter your master password by sending authentication requests to any devices you're currently logged in to for approval. [Learn more](https://bitwarden.com/help/log-in-with-device/).

## Single sign-on

If your organization uses [login with SSO](https://bitwarden.com/help/about-sso/), you can access your Bitwarden web app [using your federated SSO credentials](https://bitwarden.com/help/using-sso/).

--- URL: https://bitwarden.com/help/log-in-with-device/ ---

# Log In With Device

Although most people log into their Bitwarden vault with a master password, there is a more convenient method of doing so called passwordless authentication. Using **Log in with device**, any time you log into Bitwarden on one device, you can opt to use a different Bitwarden app you're logged in to to approve the authentication request instead of typing your master password. [Learn about our zero-knowledge encryption implementation](https://bitwarden.com/help/log-in-with-device/#how-it-works/).

## Prepare to log in with a device

To set up logging in with a device:

- Log in normally to the initiating app (web app, browser extension, desktop, or mobile app) at least once so that Bitwarden can recognize your device.

  > [!NOTE] Passwordless + Private Browsing
  > Using Incognito mode or Private Browsing prevents Bitwarden from registering your browser, so you won't be able to log in with a device in a private browser window.

- Have a recognized account on an approving app (web app, browser extension, mobile or desktop app). Recognizing an account requires you to have successfully logged on to that device at any time.

  > [!NOTE] Passwordless + Require SSO
  > If, as a member of an Enterprise organization, you are subject to the [require SSO policy](https://bitwarden.com/help/policies/#require-single-sign-on-authentication/), you won't be able to use the **Log in with device** option. You'll need to [use SSO to log in](https://bitwarden.com/help/using-sso/#login-using-sso/) instead.

## Log in with a device

On the login screen of the initiating app, enter your email address and select **Continue**.
Then, select the **Log in with device** option:

![Log in with a device](https://bitwarden.com/assets/7owqaTEe9Bo05wfLRZPhn8/38f1d0334964bb3d98a430b80b9d6b95/2025-09-09_10-03-52.png)

### Approve a log in request

Using **Log in with device** will send authentication requests to any Bitwarden app that you're currently logged in to for approval:

### Mobile app

To approve a request with the mobile app:

1. In the mobile app, navigate to **Settings** → **Account security** → **Pending login requests**:

   ![Pending login requests on mobile](https://bitwarden.com/assets/1ZB3Pc8T0mlP96W3IZefrR/a22c8efe63a88941bad11a278b1d113d/2025-09-09_09-39-13.png)
   *Pending login requests on mobile*

2. Locate and tap the pending device request.
3. Verify that the fingerprint phrase matches and select **Confirm access**:

   ![Approve a login on mobile](https://bitwarden.com/assets/6xeP36n7g2dbwLI9YWjNg4/2aa9fdc96e765e963ee07f38ad0b6c06/2025-09-09_09-39-44.png)
   *Approve a login on mobile*

### Browser extension

To approve a request with the browser extension:

1. In the browser extension, wait for a device approval request to be received or navigate to **Settings** → **Account security** → **Devices**:

   ![Devices view on browser extensions](https://bitwarden.com/assets/6OZfQt2jDDqa9F0MaUdBUq/1460f0ec04c63ab55da1f5eaf37ca469/2025-09-09_09-49-23.png)
   *Devices view on browser extensions*

2. In the **Devices** view, locate and select the pending device request:

   ![Devices list on browser extensions](https://bitwarden.com/assets/64f1jZ30In2BbWDEUZVtxO/9de965d59fedca2bad4e325f4181f69a/2025-09-09_09-49-42.png)
   *Devices list on browser extensions*

3. Verify that the fingerprint phrase matches and select **Confirm access**:

   ![Approve a device on browser extensions](https://bitwarden.com/assets/2LFY10MMpI9G0ZcojcXveg/0a891ec5fa8f6052e5804841e7ec7724/2025-09-09_09-48-55.png)
   *Approve a device on browser extensions*

### Web app

To approve a request with the web app:

> [!NOTE] Browser extensions & web app approval
> When requesting approval for a login of the browser extension, the extension will wait for up to two minutes for approval even if you click out of or minimize the extension window in order to approve the request using the web app.

1. In the web app, select the **Review login request** link in the banner notification or navigate to **Settings** → **Security** → **Devices**:

   ![Approval request on web](https://bitwarden.com/assets/1K9FeC1OVOwyu0T8DMiwOp/90852f4e82b80827750bffd19cb6493d/2025-09-09_09-23-06.png)
   *Approval request on web*

2. On the **Devices** tab, locate and select the pending device request:

   ![Device list on web app](https://bitwarden.com/assets/7GLmOwtReFuUD3uxPQ0LB8/2abd84049d99f0dc0c21158c636ab55d/2025-09-09_09-22-11.png)
   *Device list on web app*

3. Verify that the fingerprint phrase matches and select **Confirm access**:

   ![Confirm access with web app](https://bitwarden.com/assets/6s6Hdn9L1EyeRfBsmOcfgX/a4e9e4996abc1ac63b8c6f2b3880cd07/2025-09-09_09-22-44.png)
   *Confirm access with web app*

### Desktop app

To approve a request with the desktop app:

1. In the desktop app, wait for a device approval request to be received:

   ![Approve on desktop](https://bitwarden.com/assets/5cpkevhyuiSg82yfopvmc1/7d19d6377dbba8d4c6abee37b96a5037/2025-09-09_09-07-05.png)
   *Approve on desktop*

2. Verify that the fingerprint phrase matches and select **Confirm access**.

Note that this is a unique fingerprint that isn't the same as your [account fingerprint phrase](https://bitwarden.com/help/fingerprint-phrase/). Requests expire after 15 minutes if they aren't approved or denied.
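
The request lifecycle behind these approval steps, which this page's "How it works" section spells out, modeled in memory as an added example (not Bitwarden's code). RSA-OAEP for the auth-request key pair, the SHA-256 stand-in for the fingerprint phrase, and every function and field name are assumptions; the email and timestamps are constructed.

```javascript
// Added example, not Bitwarden source: in-memory model of one "Log in with device" request.
// Assumed: RSA-OAEP key pair, SHA-256 stand-in fingerprint, all names. Sample values are constructed.
const nodeCrypto = typeof require === 'function'
  ? require('node:crypto')                      // CommonJS
  : process.getBuiltinModule('node:crypto');    // ES module

const REQUEST_TTL_MS = 15 * 60 * 1000; // the page: requests expire after 15 minutes
const OAEP = { padding: nodeCrypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Stand-in for the per-request fingerprint phrase both devices display (hypothetical derivation).
function requestFingerprint(email, publicKeyPem) {
  return nodeCrypto.createHash('sha256')
    .update(email).update('\n').update(publicKeyPem)
    .digest('hex').slice(0, 20);
}

function isExpired(record, now) {
  return now - record.createdAt > REQUEST_TTL_MS;
}

// Step 1: the initiating client creates a one-time key pair and an access code.
function createAuthRequest(email, now) {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('rsa', {
    modulusLength: 2048,
    publicKeyEncoding: { type: 'spki', format: 'pem' },
    privateKeyEncoding: { type: 'pkcs8', format: 'pem' },
  });
  const record = {            // what is stored in the Authentication Request table
    email,
    publicKey,
    accessCode: nodeCrypto.randomBytes(16).toString('hex'),
    createdAt: now,
    encryptedUserKey: null,
    fulfilled: false,
  };
  // The private key stays on the initiating client; it is not part of the record.
  return { record, privateKey, shownFingerprint: requestFingerprint(email, publicKey) };
}

// Steps 2-3: the approving client wraps the User Encryption key for this request only.
function approveRequest(record, userKey, fingerprintOnInitiatingDevice, now) {
  if (isExpired(record, now)) throw new Error('request expired');
  // The check the user performs by eye: both devices must show the same fingerprint.
  if (requestFingerprint(record.email, record.publicKey) !== fingerprintOnInitiatingDevice) {
    throw new Error('fingerprint mismatch');
  }
  record.encryptedUserKey = nodeCrypto.publicEncrypt({ key: record.publicKey, ...OAEP }, userKey);
  record.fulfilled = true;
}

// Steps 4-5: the initiating client fetches the wrapped key and unwraps it locally.
// Steps 6-7 (access-code authentication, vault decryption) follow from here.
function completeLogin(record, privateKey, now) {
  if (isExpired(record, now)) throw new Error('request expired');
  if (!record.fulfilled) throw new Error('request not approved');
  return nodeCrypto.privateDecrypt({ key: privateKey, ...OAEP }, record.encryptedUserKey);
}

// End-to-end run with constructed values.
function runFlow() {
  const t0 = Date.UTC(2025, 0, 1, 12, 0, 0);
  const userKey = nodeCrypto.randomBytes(32);   // held by the unlocked approving client
  const init = createAuthRequest('user@example.com', t0);
  approveRequest(init.record, userKey, init.shownFingerprint, t0 + 60 * 1000);
  const recovered = completeLogin(init.record, init.privateKey, t0 + 90 * 1000);
  return {
    keyRecovered: recovered.equals(userKey),
    storedCiphertextOnly: !init.record.encryptedUserKey.equals(userKey),
  };
}
```

The stored record holds only the public key and the wrapped key, so the value the initiating client unwraps is never readable from the request table itself.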
If you are not receiving login requests, try refreshing the web app, or [manually syncing your vault](https://bitwarden.com/help/vault-sync/) from the mobile app.

> [!NOTE] Passwordless & 2FA
> If you use the **Login with device** option, you'll still need to use any currently active [two-step login method](https://bitwarden.com/help/setup-two-step-login/).

## How it works

When logging in with a device is initiated:

1. The initiating client sends a request which includes the account email address, a unique **Auth-request Public Key**ª, and an access code, to an Authentication Request table in the Bitwarden database. Registered devices, meaning clients that are logged in and have a [device-specific GUID](https://bitwarden.com/help/administrative-data/) stored in the Bitwarden database, are provided the request.
2. When the request is approved, the approving client encrypts the account's **User Encryption key** using the **Auth-request public key** enclosed in the request.
3. The approving client then sends the encrypted **User Encryption key** to the Authentication Request record and marks the request fulfilled.
4. The initiating client requests the encrypted **User Encryption key**.
5. The initiating client then **locally** decrypts the **User Encryption key** using the **Auth-request private key**.
6. The initiating client then uses the access code to authenticate the user with the Bitwarden Identity service.
7. The initiating client can then retrieve the user's vault data and use the **User Encryption key** to decrypt it.

ª - **Auth-request Public and Private Keys** are uniquely generated for each passwordless login request and only exist for as long as the request does. Requests expire and are purged periodically if they aren't approved or denied.

--- URL: https://bitwarden.com/help/login-with-passkeys/ ---

# Log In With Passkeys

> [!TIP] Autofill vs. Login with Passkeys
> Bitwarden provides functionality both for [logging in to Bitwarden with a passkey](https://bitwarden.com/help/login-with-passkeys/) and [autofilling a stored passkey for other websites and services](https://bitwarden.com/help/storing-passkeys/).

Passkeys can be used to log in to Bitwarden as an alternative to using your master password and email. Passkeys used to log in to Bitwarden:

- Can be used on the web app and Chromium-based browser extensions. Support for other client apps is planned for a future release.
- Require user verification, meaning you'll need to use something like a biometric factor or security key to successfully establish access to your passkey.
- Can only decrypt your vault if both the authenticator (e.g. YubiKey 5) and browser (e.g. Google Chrome) are [PRF-capable](https://bitwarden.com/help/login-with-passkeys/#set-up-encryption/). Non-PRF setups will require that you enter your master password to decrypt your vault after logging in.
- Cannot be used by members of an organization that uses the [Require SSO](https://bitwarden.com/help/policies/#require-single-sign-on-authentication/) policy, SSO with [trusted devices](https://bitwarden.com/help/about-trusted-devices/), or [Key Connector](https://bitwarden.com/help/about-key-connector/).
- Bypass Bitwarden two-step login.

To learn more about the basics of passkeys, check out this [blog from Bitwarden](https://bitwarden.com/blog/log-into-bitwarden-with-a-passkey/).

## Create a passkey

You can have up to 5 passkeys to log in with at any given time. To create a passkey to use to log in to Bitwarden:

1. In the web app, select **Settings** → **Security** from the navigation.
2. Select the **Master password** tab.
3. In the Log in with passkey section, select **Turn on** or, if you've already set up a passkey, **New passkey**.
   You will be prompted to enter your master password:

   ![Turn on login with passkeys](https://bitwarden.com/assets/11CPsvELx3sDoQrLY3C2Cb/d2f3e5544537bb32d4e5d5fc5395f8d6/2024-12-02_10-41-47.png)

4. Follow prompts from your browser to create a FIDO2 passkey. You can complete user verification using a factor like a biometric or by creating a PIN.

   > [!TIP] Browser might have default passkey prompt.
   > You may need to cancel out of a default authenticator your browser will want you to use, for example if you want to use a hardware security key on a macOS device that will prioritize Touch ID.

5. Give your passkey a **name**.
6. If you don't want to use your passkey for vault encryption and decryption, uncheck the **Use for vault encryption** checkbox:

   ![Use passkey for vault encryption](https://bitwarden.com/assets/2gsO1o5tDU7s7LXvcpaL7w/9557ba8e4ee421d5dee174881fa129b8/2024-12-04_15-51-07.png)

   This option will only appear if your browser (e.g. Google Chrome) and authenticator (e.g. YubiKey 5) are [PRF-capable](https://bitwarden.com/help/login-with-passkeys/#set-up-encryption/).

7. Select **Turn on**.

> [!NOTE] You can't save this passkey in Bitwarden.
> Bitwarden will not prompt or allow you to save a passkey for logging in to Bitwarden in your vault. This prevents a scenario where access to your vault is required to log in to Bitwarden.

### Set up encryption

Both your browser (e.g. Google Chrome) and authenticator (e.g. YubiKey 5) must be [PRF-capable](https://bitwarden.com/blog/prf-webauthn-and-its-role-in-passkeys/) in order to support using the passkey for vault encryption and decryption.

> [!TIP] PRF-capable things
> While Google Chrome is PRF-capable, Chrome profiles are not PRF-capable authenticators. As a counter example, the YubiKey 5 is a PRF-capable authenticator. Additionally, Windows 10 is known to have issues with PRF-capable passkeys.
>
> The equipment you have at your disposal and in your environment will determine your ability to use passkeys for encryption.

Your passkeys list will show whether each passkey is used for encryption, supported but not active, or not supported:

![Passkeys list](https://bitwarden.com/assets/TpXTFNlF2hzRaUaLmxAXr/91127b0b363fe1de8d441f52001abbd0/2024-12-04_15-55-32.png)

If you didn't check the **Use for vault encryption** checkbox when you initially set up the passkey, or if for example the browser you were using at the time was not PRF-capable, navigate to this menu and select the **Set up encryption** button.

### Remove a passkey

You can remove an existing passkey from Bitwarden using the **Remove** button on the same screen. Removing a passkey from Bitwarden will not delete the private key stored in your FIDO2 authenticator, but you'll no longer be able to use it to log into Bitwarden.

## Log in with your passkey

Once your passkey is created, you can use it to log in to the Bitwarden web app and Chromium-based browser extension:

> [!WARNING] Known Linux defect for login with passkey.
> Due to a known defect, **if you're using Linux** you will need to pop out your browser extension **before** attempting to log in with a passkey.
>
> ![Browser extension pop-out](https://bitwarden.com/assets/1cbJy0jLBmSQmRumvYzVwp/a9e43f4c154686249056924eb3e56323/pop_out_screenshot.png)

1. On the Bitwarden login screen, select **Log in with passkey** where you'd usually enter your email address.
2. Follow prompts from your browser to read the passkey; this will authenticate you with Bitwarden.
3. If your passkey [is set up for vault encryption](https://bitwarden.com/help/login-with-passkeys/#set-up-encryption/), you're done! Otherwise, enter your master password and select **Unlock** to decrypt your vault data.

## How it works

The following describes the mechanics of logging in with passkeys.
Which section is relevant to you depends on whether your passkey was [set up with encryption](https://bitwarden.com/help/login-with-passkeys/#set-up-encryption/).

### Passkeys with encryption turned on

#### Create a passkey

When a passkey is registered for log in to Bitwarden:

1. A **passkey public and private key pair** is generated by the authenticator via the WebAuthn API. This key pair, by definition, is what constitutes your passkey.
2. A **PRF symmetric key** is generated by the authenticator via the WebAuthn API's PRF extension. This key is derived from an **internal secret** unique to your passkey and a **salt** provided by Bitwarden.
3. A **PRF public and private key pair** is generated by the Bitwarden client. The PRF public key encrypts your **account encryption key**, which your client will have access to by virtue of being logged in and unlocked, and the resulting **PRF-encrypted account encryption key** is sent to the server.
4. The **PRF private key** is encrypted with the **PRF symmetric key** (see Step 2) and the resulting **PRF-encrypted private key** is sent to the server.
5. Your client sends data to Bitwarden servers to create a new passkey credential record for your account. If your passkey is registered with support for vault encryption and decryption, this record includes:
   - The passkey name
   - The passkey public key
   - The PRF public key
   - The PRF-encrypted account encryption key
   - The PRF-encrypted private key

Your passkey private key, which is required to accomplish authentication, only ever leaves the client in an encrypted format.

#### Log in with your passkey

When a passkey is used to log in and, specifically, to decrypt your vault data:

- Using WebAuthn API public key cryptography, your authentication request is asserted and affirmed.
- Your **PRF-encrypted account encryption key** and **PRF-encrypted private key** are sent from the server to your client.
- Using the same **salt** provided by Bitwarden and the **internal secret** unique to your passkey, the **PRF symmetric key** is re-created locally.
- The **PRF symmetric key** is used to decrypt your **PRF-encrypted private key**, resulting in your **PRF private key**.
- The **PRF private key** is used to decrypt your **PRF-encrypted account encryption key**, resulting in your **account encryption key**. Your account encryption key is used to decrypt your vault data.

### Passkeys with encryption turned off

#### Create a passkey

When a passkey is registered for log in to Bitwarden:

1. A **passkey public and private key pair** is created. This key pair, by definition, is what constitutes your passkey.
2. Your client sends data to Bitwarden servers to create a new passkey credential record for your account. If your passkey is not registered with support for vault encryption and decryption, this record includes:
   - The passkey's name
   - The passkey's public key

Your passkey's private key, which is required to accomplish authentication, only ever leaves the client in an encrypted format.

#### Log in with your passkey

When a passkey is used to log in, your authentication request is asserted and affirmed using WebAuthn API public key cryptography. You will then be required to decrypt your vault using your master password.

--- URL: https://bitwarden.com/help/lost-two-step-device/ ---

# Can't Access Two-Step Login

Losing access to your secondary device(s) (for example, a mobile device with an installed authenticator, a security key, or a linked email inbox) has the potential to lock you out of your Bitwarden vault. What to do when you have lost access to your secondary device(s) depends on whether you have saved your [two-step login recovery code](https://bitwarden.com/help/two-step-recovery-code/).
If you are unsure, remember that recovery codes need to be actively saved (in other words, Bitwarden won't save it anywhere for you) and look something like this:

![Sample Recovery Code ](https://bitwarden.com/assets/64piqJsX7vN25To16iRFIp/09e977fae9485c0764f832c6bb4b4b04/2024-12-02_11-24-35.png)

## Have a recovery code?

To use your recovery code, navigate to [https://vault.bitwarden.com/#/recover-2fa/](https://vault.bitwarden.com/#/recover-2fa/), [https://vault.bitwarden.eu/#/recover-2fa](https://vault.bitwarden.eu/#/recover-2fa), or, if you are self-hosting, `https://your.domain.com/#/recover-2fa/`.

Using your recovery code is like the normal login procedure, requiring your (i) email address, (ii) master password, and (iii) recovery code. On successful authentication of all three, **you will be fully logged in to your vault and all two-step login methods will be deactivated**, and your device will be considered recognized for [new device login protection](https://bitwarden.com/help/new-device-verification/).

**Once used, get a new recovery code, as it will change with each use.** You should also at this point re-activate any two-step login methods you want to use in the future.

> [!NOTE] Recovery Codes + Duo for Orgs
> Recovery codes will not deactivate Duo for organizations. If you are locked out of your vault by an organizational Duo prompt, reach out to the Duo administrator at your company for help bypassing the prompt.
>
> If you're not sure whether the Duo prompt is set up personally or by your organization, try using the **Use another two-step login method** button.

## Don't have a recovery code?

If you don't have your recovery code saved somewhere outside of your vault, there is unfortunately no way for the team to recover the account or data therein. You will need to delete your account and start a new one.

> [!TIP] Recover Account (2FA-specific)
> Before proceeding to delete your account, try the following:
>
> 1. Check if you have an alternative two-step login method enabled by selecting **Use another two-step login method** on the log in screen.
> 2. **If you are using Duo**, [generate a bypass code](https://duo.com/docs/administration-users#generating-a-bypass-code). For Duo for organizations, your company's Duo administrator can generate a bypass code for you.
> 3. **If you are using emergency access:** Two-step login methods can be disabled by trusted emergency contacts with **Takeover** access. [Learn how to use emergency access to access a vault](https://bitwarden.com/help/emergency-access/#use-emergency-access/).
> 4. **Check if you are currently logged in to any Bitwarden client applications** (mobile apps, browser extensions, and more). If you are, [export your vault data](https://bitwarden.com/help/export-your-data/) to preserve your data.
>
> [Account recovery](https://bitwarden.com/help/account-recovery/) does not bypass two-step login.

To delete your account:

1. Navigate to [vault.bitwarden.com/#/recover-delete](https://vault.bitwarden.com/#/recover-delete) or [vault.bitwarden.eu/#/recover-delete](https://vault.bitwarden.eu/#/recover-delete).
2. Enter the **Email Address** associated with your account.
3. In your email inbox, open the email and verify that you want to delete this Bitwarden account.

If any of your client applications were logged in (see the above tip), log out of them.

If you delete a Bitwarden account that has a premium subscription associated with it, [Contact Us](https://bitwarden.com/contact/) and we'll reapply your existing subscription to the new account. If you were able to successfully export your vault data prior to deletion, you can easily [import it into the new account](https://bitwarden.com/help/import-data/).
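Returning to the "How it works" section of the login-with-passkeys article above, the following added example (not Bitwarden's code) walks the key hierarchy for passkeys with encryption turned on and off in Node.js. The authenticator is simulated, and the algorithm choices (HMAC-SHA-256 as the PRF, AES-256-GCM for wrapping the PRF private key, RSA-OAEP for the PRF key pair, P-256 for the passkey) are assumptions; the help page does not name them.

```javascript
const crypto = require('node:crypto');

const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Simulated authenticator: the internal secret and passkey private key never leave it.
function makeAuthenticator() {
  const internalSecret = crypto.randomBytes(32);
  const passkey = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return {
    passkeyPublicKey: passkey.publicKey,
    // Stand-in for a WebAuthn assertion: sign the challenge with the passkey private key.
    sign: (challenge) => crypto.sign('sha256', challenge, passkey.privateKey),
    // Stand-in for the PRF extension (assumed HMAC-SHA-256 over the supplied salt).
    prf: (salt) => crypto.createHmac('sha256', internalSecret).update(salt).digest(),
  };
}

// Authenticated symmetric wrapping (assumed AES-256-GCM).
function seal(key, plaintext) {
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return { iv, ct, tag: cipher.getAuthTag() };
}

function open(key, box) {
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, box.iv);
  decipher.setAuthTag(box.tag);
  return Buffer.concat([decipher.update(box.ct), decipher.final()]); // throws on a wrong key
}

// Registration. Pass accountEncryptionKey = null for a passkey with encryption turned off.
// The returned object is the credential record the server would store.
function registerPasskey(name, authenticator, salt, accountEncryptionKey) {
  const record = { name, passkeyPublicKey: authenticator.passkeyPublicKey };
  if (accountEncryptionKey === null) return record;

  // PRF symmetric key: derived from the internal secret and the server-provided salt.
  const prfSymmetricKey = authenticator.prf(salt);
  // PRF key pair: generated by the client, not the authenticator.
  const prf = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  record.prfPublicKey = prf.publicKey.export({ type: 'spki', format: 'der' });
  // The PRF public key encrypts the account encryption key.
  record.encryptedAccountKey = crypto.publicEncrypt({ key: prf.publicKey, ...OAEP }, accountEncryptionKey);
  // The PRF symmetric key encrypts the PRF private key.
  record.encryptedPrivateKey = seal(prfSymmetricKey, prf.privateKey.export({ type: 'pkcs8', format: 'der' }));
  return record;
}

// Login. Authentication and vault decryption are separate outcomes.
function loginWithPasskey(record, authenticator, salt) {
  // In a real flow the server issues the challenge and verifies the signature.
  const challenge = crypto.randomBytes(32);
  const signature = authenticator.sign(challenge);
  if (!crypto.verify('sha256', challenge, record.passkeyPublicKey, signature)) {
    return { authenticated: false, accountEncryptionKey: null };
  }
  // Encryption turned off: authenticated, but the master password is still needed.
  if (!record.encryptedPrivateKey) {
    return { authenticated: true, accountEncryptionKey: null };
  }
  try {
    const prfSymmetricKey = authenticator.prf(salt); // re-created locally
    const der = open(prfSymmetricKey, record.encryptedPrivateKey);
    const prfPrivateKey = crypto.createPrivateKey({ key: der, format: 'der', type: 'pkcs8' });
    const accountEncryptionKey = crypto.privateDecrypt({ key: prfPrivateKey, ...OAEP }, record.encryptedAccountKey);
    return { authenticated: true, accountEncryptionKey };
  } catch (err) {
    // Wrong salt or wrong internal secret: the unwrap fails, so no vault key is released.
    return { authenticated: true, accountEncryptionKey: null };
  }
}
```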
--- URL: https://bitwarden.com/help/machine-accounts/ ---

# Machine Accounts

> [!NOTE] Service accounts now Machine account
> As of the 2024.4.1 release, service accounts are now referred to as machine accounts in Bitwarden Secrets Manager. All of the feature functionality will remain the same.

Machine accounts represent non-human machine users, like applications or deployment pipelines, that require programmatic access to a discrete set of [secrets](https://bitwarden.com/help/secrets/). Machine accounts are used to:

- Appropriately scope the selection of secrets a machine user has access to.
- Issue [access tokens](https://bitwarden.com/help/access-tokens/) to facilitate programmatic access to, and the ability to decrypt, edit, and create secrets.

Machine accounts that your user account has access to can be viewed by selecting **Machine accounts** from the navigation:

![Machine accounts](https://bitwarden.com/assets/3IQzFGc9f4OAoqvJSgrEBn/601542ce696652aac733e63b18cdffb0/2024-12-03_13-25-13.png)

Opening a machine account will list the **Secrets** and **People** the service account has access to, as well as any generated **Access tokens** and **Event logs**:

![Inside a machine account](https://bitwarden.com/assets/3L9EGMDn7gGAMi3uwD1MIP/74dd29c2c80c1d67ee3b27bd5160e8b7/2024-12-03_13-26-04.png)

## Create a machine account

On the Admin Console **Billing** → **Subscription** page you are able to assign the number of machine accounts available for use in your organization. For additional information regarding your available machine accounts and machine account scaling, see [here](https://bitwarden.com/help/secrets-manager-quick-start/#user-seats-and-service-account-scaling/).

To create a new machine account:

[![Vimeo Video](https://vumbnail.com/845933062.jpg)](https://vimeo.com/845933062)

*[Watch on Vimeo](https://vimeo.com/845933062)*

Learn more about machine accounts [here](https://bitwarden.com/help/machine-accounts/).

1. Use the **New** dropdown to select **Machine account**:

   ![New machine account](https://bitwarden.com/assets/LaVwicbqhvbliXPm6loOU/5559a5caf8ad70a95be3ea89f1b760ad/2024-12-03_11-29-17.png)
2. Enter a **Machine account name** and select **Save**.
3. Open the machine account and, in the **Projects** tab, type or select the name of the project(s) that this machine account should be able to access. For each added project, select a level of **Permissions:**
   - **Can read**: Machine account can retrieve secrets from assigned projects.
   - **Can read, write**: Machine account can retrieve and edit secrets from assigned projects, create new secrets in assigned projects, or create new projects altogether.

> [!TIP] SM 07/25 dependency
> Fully utilizing write access for machine accounts is dependent on a forthcoming [CLI](https://bitwarden.com/help/secrets-manager-cli/) release. For now, this simply makes the option available in the UI. Stay tuned to the [Release Notes](https://bitwarden.com/help/releasenotes/) for more information.

## Add people to a machine account

Adding organization members to a machine account will allow those people to generate access tokens for the machine account and interact with all secrets the machine account has access to.

To add people to your machine account:

1. In the machine account, select the **People** tab.
2. From the people dropdown, type or select the members or groups to add to the machine account. Once you've selected the right people, select the **Add** button:

   ![Add people to a machine account](https://bitwarden.com/assets/3TrklnCquoynDHFX6nJ8w/2482453bf759525ccb6d23f8e9731a7d/2024-12-03_13-27-11.png)

## Add projects to a machine account

Adding projects to a machine account will allow programmatic access to included secrets using access tokens.

To add projects to a machine account:

1. Open the machine account and select the **Projects** tab.
2. From the Projects dropdown, type or select the project(s) to add to the machine account.
   Once you've chosen the right projects, select the **Add** button:

   ![Add a project](https://bitwarden.com/assets/3XGkQt3MdNHmAoKLXXXMGh/2c68b9ea5a47885f35360a94d26f0442/2024-12-03_13-28-00.png)
3. For each added project, select a level of **Permissions:**
   - **Can read**: Machine account can retrieve secrets from assigned projects.
   - **Can read, write**: Machine account can retrieve and edit secrets from assigned projects, as well as create new secrets in assigned projects or create new projects.

## Delete a machine account

To delete a machine account, open the (⋮) options menu for the machine account you want to delete and select **Delete machine account**. Deleting a machine account **will not** delete the secrets associated with it. Machine accounts are fully removed once deleted and **do not** get [sent to the trash like secrets do](https://bitwarden.com/help/secrets/#delete-a-secret/).

## Machine account events

Timestamped records of actions taken with each service account are available from the machine account's **Event logs** tab. Any user that has access to a given machine account will be able to view events for that machine account.

Events that are captured include:

- Accessed secret *secret-identifier*. (`2100`)
- Added user: *user-identifier* to machine account with identifier: *machine-account-identifier* (`2300`)
- Removed user: *user-identifier* from machine account with identifier: *machine-account-identifier* (`2301`)
- Added group: *group-identifier* to machine account with identifier: *machine-account-identifier* (`2302`)
- Removed group: *group-identifier* from machine account with identifier: *machine-account-identifier* (`2303`)
- Created machine account with identifier: *machine-account-identifier* (`2304`)
- Deleted machine account with identifier: *machine-account-identifier* (`2305`)

> [!NOTE] Event capture
> Each **Event** is associated with a type code (`1000`, `1001`, etc.) that identifies the action captured by the event.
> Type codes are used by the [Bitwarden Public API](https://bitwarden.com/help/public-api/) to identify the action documented by an event.

Event logs are exportable and are retained indefinitely. Exporting events will create a `.csv` of all events within the specified date range, which should not exceed 367 days.

## Configuration information

The **Config** tab provides a quick view of information that might be required when configuring an application to use a machine account. **Identity server URL**, **API server URL**, **Organization ID**, and **Project IDs** are displayed and can be copied by selecting each field's respective [clone] icon. For more information on Secrets Manager environments, see the Secrets Manager [SDK documentation](https://bitwarden.com/help/secrets-manager-sdk/) and [CLI documentation](https://bitwarden.com/help/secrets-manager-cli/).

![Machine account config view](https://bitwarden.com/assets/4XRItVAnKy1iVtOM2DbDLg/97e60d73e9bf18823c98fa46c588f99e/2024-12-03_13-38-10.png)

--- URL: https://bitwarden.com/help/manage-client-orgs/ ---

# Ongoing Administration

To access a [client organization](https://bitwarden.com/help/providers/#client-organizations/) as a [service user](https://bitwarden.com/help/provider-users/#provider-user-types/):

1. Open the **Provider Portal** using the product switcher:

   ![Product switcher - Provider Portal](https://bitwarden.com/assets/4xn04Sj9u8n73TPxZUWi5f/dac0d56f47a05e2d8b28754e997a1391/2025-02-25_15-16-00.png)
2. Select the client organization to administer from the **Clients** tab:

   ![Provider Portal](https://bitwarden.com/assets/7AoSHeZgJJTBXQmpZ13UBr/56ca464fe6987c8c5fc8e7099235d640/2025-02-25_15-17-46.png)

Once in the client's Admin Console you can fully administer the client organization, including the following important tasks:

> [!TIP] No more provider-managing items
> Provider users may no longer directly view, manage, create, or export items in client organizations' vaults.
> Provider users may, however, import vault data directly to client organizations.

| **Task** | **Description** | **Resources** |
|------|------|------|
| Add and remove users | Onboard and offboard users from Bitwarden as they join and leave the customers' organization. | [User onboarding](https://bitwarden.com/help/managing-users/#onboard-users/) [User offboarding](https://bitwarden.com/help/managing-users/#deprovision-users/) |
| Change user permissions | When end-users change roles, change their permissions as appropriate. | [User types and access control](https://bitwarden.com/help/user-types-access-control/) |
| Add and remove user seats | As the customers' business grows, manage the number of user seats for the client organization. | [Manage user seats](https://bitwarden.com/help/provider-billing/) |
| Reset users' master passwords | If enabled, use admin password reset to recover end-user accounts if they forget their master password. | [Admin password reset](https://bitwarden.com/help/admin-reset/) |
| Secure one-time sharing | Use Bitwarden for secure one-time sharing of credentials, documents, and more. | [Create a Send](https://bitwarden.com/help/create-send/) |
| Monitor vault health | Use organization vault health reports and event logs to keep an eye on the overall health of the client organization. | [Vault health reports](https://bitwarden.com/help/reports/) [Event logs](https://bitwarden.com/help/event-logs/) |

Additionally, **if your service users help to train customers' end-users to use Bitwarden**, the following resources may be helpful:

| **Task** | **Description** | **Resources** |
|------|------|------|
| User registration | Help end-users register for Bitwarden accounts. | [Register](https://bitwarden.com/go/start-free/) |
| Watch training videos | Pass along some of the trainings we have conducted in the past. | [Getting started with Bitwarden](https://bitwarden.com/getting-started/) |
| Help users import their data | If permitted by your customer, give users instructions for importing their individual vault data to Bitwarden. | [Import data to your vault](https://bitwarden.com/help/import-data/) |
| Help set up two-step login | Give users instructions to help facilitate setup of two-step login. | [Two-step login methods](https://bitwarden.com/help/setup-two-step-login/) |
| Demonstrate Bitwarden apps | Help users understand the benefits of Bitwarden mobile apps, browser extensions, and other apps. | [Getting started guides](https://bitwarden.com/help/create-bitwarden-account/) |
| Register for demos | Encourage power users to learn independently by attending a weekly demo. | [Bitwarden events](https://www.crowdcast.io/bitwarden) |

--- URL: https://bitwarden.com/help/manage-your-secrets-org/ ---

# Manage your Organization

> [!NOTE] more info for onboarding and succession
> For a complete Bitwarden onboarding overview, please review [this guide](https://bitwarden.com/help/onboarding-and-succession/) for more information.

As an organization using Secrets Manager, you'll share many of the tools originally used by Password Manager. This article covers these common areas and links to shared documentation where appropriate.

> [!TIP] Check out Getting Started guide.
> If you're brand new to Bitwarden organizations, we recommend checking out our article on [getting started as an organization administrator](https://bitwarden.com/help/courses/password-manager-admin/).

## Enterprise policies

Policies allow Enterprise organizations to enforce security rules for their members, for example mandating use of two-step login.
While some policies apply primarily to Password Manager, there are a handful of policies that are broadly applicable to users of Secrets Manager:

- [Require two-step login](https://bitwarden.com/help/policies/#require-two-step-login/)
- [Master password requirements](https://bitwarden.com/help/policies/#master-password-requirements/)
- [Master password reset](https://bitwarden.com/help/policies/#master-password-reset/)
- [Single organization](https://bitwarden.com/help/policies/#single-organization/)
- [Require single sign-on authentication](https://bitwarden.com/help/policies/#require-single-sign-on-authentication/)
- [Vault timeout](https://bitwarden.com/help/policies/#session-timeout/)

> [!TIP] Set policies first.
> If you're new to Bitwarden, we recommend setting policies before onboarding your users.

## User management

User management for Secrets Manager organizations is similar to organizations using Password Manager, however some Secrets Manager-specific elements include [granting organization members access](https://bitwarden.com/help/manage-your-secrets-org/#access-to-secrets-manager/) to Secrets Manager, [member role differences](https://bitwarden.com/help/manage-your-secrets-org/#member-roles/), and specifying [user seats and machine accounts](https://bitwarden.com/help/secrets-manager-quick-start/#user-seats-and-service-account-scaling/).

### Onboarding

There are a few different methods of onboarding users to your Bitwarden organization. Some of the commonly used methods are highlighted here:

#### Manual

The Bitwarden web vault provides a simple and intuitive interface for inviting new users to join your organization. This method is best for small organizations or those that aren't using directory services like Azure AD or Okta. [Learn how to get started](https://bitwarden.com/help/managing-users/#invite/).
#### SCIM

Bitwarden servers provide a SCIM endpoint that, with a valid SCIM API Key, will accept requests from your identity provider for user and group provisioning and de-provisioning. This method is best for larger organizations using a SCIM-enabled directory service or IdP. [Learn how to get started](https://bitwarden.com/help/about-scim/).

#### Directory Connector

Directory Connector automatically provisions users and groups in your Bitwarden organization by pulling from a selection of source directory services. This method is best for larger organizations using directory services that don't support SCIM. [Learn how to get started](https://bitwarden.com/help/directory-sync/).

### Access to Secrets Manager

Once onboarded, give individual members of your organization access to Secrets Manager:

1. Open your organization's **Members** view and select the members you want to give access to Secrets Manager.
2. Using the ⋮ menu, select **Activate Secrets Manager** to grant access to selected members:
   - For organizations self-hosting, this step must be repeated in the self-hosted instance as well.

   ![Add Secrets Manager users](https://bitwarden.com/assets/3IBNL6FdndgPeuXa7m3rlP/fd04ec9951123e5a0ccd5fe4f04fa4de/2024-12-03_11-18-52.png)

> [!TIP] SM access vs. assignments
> Giving members access to Secrets Manager won't automatically give them access to stored projects or secrets. You'll need to [assign people or groups access to the projects](https://bitwarden.com/help/manage-your-secrets-org/#access-to-secrets-manager/) next.

### Member roles

The following table outlines what each member role can do within Secrets Manager:

| Member role | Description |
|------|------|
| User | Users can create their own secrets, projects, machine accounts, and access tokens. They can edit these objects once created. Users must be assigned to projects or machine accounts in order to interact with existing objects, and can be given **Can read** or **Can read, write** access. |
| Admin | Admins automatically have **Can read, write** access to all secrets, projects, machine accounts, and access tokens. Admins can assign themselves access to Secrets Manager and assign other members access to Secrets Manager. |
| Owner | Owners automatically have **Can read, write** access to all secrets, projects, machine accounts, and access tokens. Owners can assign themselves access to Secrets Manager and assign other members access to Secrets Manager. |

> [!NOTE] Custom role in SM
> Custom roles are not currently scoped with options for Secrets Manager, however can still be used to assign specific Password Manager or broader organization capabilities.

### Groups

Groups relate together individual members and provide a scalable way to assign access to and permissions for specific projects. When adding new members, add them to a group to have them automatically inherit that group's configured permissions. [Learn more](https://bitwarden.com/help/about-groups/).

Once groups are created in the admin console, assign them to projects from the Secrets Manager web app.

## Single sign-on

Login with SSO is the Bitwarden solution for single sign-on. Using login with SSO, Enterprise organizations can leverage their existing Identity Provider to authenticate users with Bitwarden using the SAML 2.0 or Open ID Connect (OIDC) protocols. [Learn how to get started](https://bitwarden.com/help/about-sso/).

## Account recovery administration

Account recovery allows designated administrators to recover enterprise organization user accounts and restore access in the event that an employee forgets their master password. Account recovery can be activated for an organization by enabling the Account recovery administration policy. [Learn how to get started](https://bitwarden.com/help/account-recovery/).

## Event logs

[Event logs](https://bitwarden.com/help/event-logs/) are timestamped records of events that occur within your Teams or Enterprise organization.
Secrets Manager events are available both from the **Reporting** → **Event logs** of your organization vault and from the [machine account Event logs page](https://bitwarden.com/help/service-accounts/#service-account-events/).

Event logs are exportable and are retained indefinitely. While many events are applicable to all Bitwarden products and some are specific to Password Manager, Secrets Manager will specifically log the following:

- Secret accessed by a machine account

## Self-hosting

Enterprise organizations can self-host Bitwarden Secrets Manager using Docker on Linux and Windows machines. If you haven't self-hosted Bitwarden before, use [this guide](https://bitwarden.com/help/self-host-an-organization/) to set yourself on the right track.

If you are already self-hosting an Enterprise Bitwarden organization and want to get access to Secrets Manager on that server:

1. Sign up for a Secrets Manager subscription in your cloud-hosted Bitwarden organization.
2. Update your self-hosted server to, at a minimum, 2023.10.0.
3. [Retrieve a new license file](https://bitwarden.com/help/licensing-on-premise/#retrieve-organization-license/) from your cloud-hosted organization and [upload it to your self-hosted server](https://bitwarden.com/help/licensing-on-premise/#update-organization-license/).
4. Give individual users [access to Secrets Manager](https://bitwarden.com/help/manage-your-secrets-org/#access-to-secrets-manager/) in the self-hosted instance.

> [!NOTE] Self-host SM on Unified, no
> Self-hosting Secrets Manager is not supported for the Bitwarden [unified self-hosted deployment option](https://bitwarden.com/help/install-and-deploy-lite/). Enterprise organizations should use a standard [Linux](https://bitwarden.com/help/install-on-premise-linux/) or [Windows](https://bitwarden.com/help/install-on-premise-windows/) installation.
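For access reviews built on the exported event logs described under "Event logs" above, the following added example (not Bitwarden code) replays the machine account event type codes `2100` and `2300` to `2305`, as listed in the Machine Accounts article, to reconstruct who currently has access to each machine account. The `timestamp,type,message` column layout, the sample rows, and the 60-minute "short-lived grant" rule are constructed assumptions; check them against your actual `.csv` export.

```javascript
// Message templates keyed by the type codes listed in the Machine Accounts article.
const PATTERNS = {
  2100: /^Accessed secret (\S+?)\.?$/,
  2300: /^Added user: (\S+) to machine account with identifier: (\S+)$/,
  2301: /^Removed user: (\S+) from machine account with identifier: (\S+)$/,
  2302: /^Added group: (\S+) to machine account with identifier: (\S+)$/,
  2303: /^Removed group: (\S+) from machine account with identifier: (\S+)$/,
  2304: /^Created machine account with identifier: (\S+)$/,
  2305: /^Deleted machine account with identifier: (\S+)$/,
};

// Constructed sample export (hypothetical column layout and identifiers).
const SAMPLE_EXPORT = [
  'timestamp,type,message',
  '2025-01-10T09:00:00Z,2304,Created machine account with identifier: ma-ci',
  '2025-01-10T09:05:00Z,2300,Added user: user-alice to machine account with identifier: ma-ci',
  '2025-01-10T09:06:00Z,2302,Added group: grp-devops to machine account with identifier: ma-ci',
  '2025-01-12T22:10:00Z,2300,Added user: user-bob to machine account with identifier: ma-ci',
  '2025-01-12T22:14:00Z,2100,Accessed secret sec-db-password.',
  '2025-01-12T22:15:00Z,2100,Accessed secret sec-db-password.',
  '2025-01-12T22:20:00Z,2301,Removed user: user-bob from machine account with identifier: ma-ci',
  '2025-01-13T08:00:00Z,2304,Created machine account with identifier: ma-old',
  '2025-01-13T08:30:00Z,2305,Deleted machine account with identifier: ma-old',
].join('\n');

function reviewMachineAccountEvents(csvText, shortLivedMinutes = 60) {
  const accounts = new Map();    // machine account id -> { users, groups, deleted }
  const secretReads = new Map(); // secret id -> number of 2100 events
  const findings = [];

  const account = (id) => {
    if (!accounts.has(id)) {
      accounts.set(id, { users: new Map(), groups: new Map(), deleted: false });
    }
    return accounts.get(id);
  };

  // Parse rows (skipping the header) and replay them in time order.
  const rows = csvText.trim().split('\n').slice(1).map((line) => {
    const [timestamp, type, ...rest] = line.split(',');
    return { time: new Date(timestamp), type: Number(type), message: rest.join(',').trim() };
  }).sort((a, b) => a.time - b.time);

  for (const row of rows) {
    const pattern = PATTERNS[row.type];
    const m = pattern ? pattern.exec(row.message) : null;
    if (!m) {
      findings.push({ kind: 'unrecognized', type: row.type, message: row.message });
      continue;
    }
    switch (row.type) {
      case 2100:
        secretReads.set(m[1], (secretReads.get(m[1]) || 0) + 1);
        break;
      case 2300:
      case 2302: {
        const a = account(m[2]);
        (row.type === 2300 ? a.users : a.groups).set(m[1], row.time);
        break;
      }
      case 2301:
      case 2303: {
        const a = account(m[2]);
        const members = row.type === 2301 ? a.users : a.groups;
        const grantedAt = members.get(m[1]);
        const minutes = grantedAt ? (row.time - grantedAt) / 60000 : null;
        // People on a machine account can generate access tokens, so a grant that
        // is revoked soon after being made is worth a second look in review.
        if (minutes !== null && minutes <= shortLivedMinutes) {
          findings.push({ kind: 'short-lived-grant', principal: m[1], machineAccount: m[2], minutes });
        }
        members.delete(m[1]);
        break;
      }
      case 2304:
        account(m[1]);
        break;
      case 2305:
        account(m[1]).deleted = true;
        break;
    }
  }
  return { accounts, secretReads, findings };
}
```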
--- URL: https://bitwarden.com/help/managing-access-when-the-organization-owner-leaves/ ---

# Managing access when the organization owner leaves

This article addresses frequently asked questions after an organization owner has left a company. If organization ownership was not transferred prior to the owner leaving, one of the following scenarios may apply to your organization.

> [!NOTE] Cannot disclose organization owner
> Bitwarden support is unable to disclose the identity of an organization's current owner. This information can only be verified with the organization's owner directly. To facilitate a seamless process, we recommend reaching out to support using the owner's registered email address.

## The organization owner has left, and I have access to their account credentials

If you have access to the owner's account credentials:

1. **Access the Admin console to invite a new owner or transfer ownership**: If you have the credentials of the owner account, you may directly access the organization's [admin console](https://bitwarden.com/help/getting-started-organizations/). This will allow you to perform several tasks including inviting a new owner, transferring ownership, and making necessary changes.
2. **Back up the organization data**: Ensure that all important organizational data is backed up to prevent data loss in the future. Learn more [here](https://bitwarden.com/help/export-your-data/#export-an-organization-vault/).
3. **Set up admins or backup owners for access redundancy**: Ensure that multiple admins or backup owners are in place for future access continuity and management of the account.

## The organization owner has left and I do not have access to their account credentials

Are there any current admins in the organization?

### Yes

- **Contact support using the previous owner's email**: Contact support using the owner's email. If there are admins set up, you may request that support promote one of them to the owner role.
  If the owner email no longer exists, please recreate the inbox.

> [!NOTE] Support will not perform admin promotion
> Support will only perform admin promotion if the request comes from the owner's email address. There are no exceptions to this policy.

### No

- **Attempt to recover the account**: If no admins exist, you will need to manually back up your organization data and start over as soon as possible. To back up the organization information:
  - Export organizational vault data using the Bitwarden [export](https://bitwarden.com/help/export-your-data/#export-an-organization-vault/). This requires a user to have a [custom role](https://bitwarden.com/help/user-types-access-control/#custom-role/) with access to import/export.
  - If no users have a custom role with access to Bitwarden export, users may manually copy and paste data for an export of organization vault data.

> [!NOTE] Subscription lapse before backup
> If the organization's subscription lapses before you can perform a backup, please contact support to request a temporary service activation in order to export organizational data.

## I have to cancel an active subscription

Do you have access to the owner or billing contact email?

### Yes

If you do have access to the owner or billing contact email address:

- **Contact support using the owner or billing contact email address**: If the subscription is still active, you may cancel it by contacting Bitwarden support using the email associated with the billing account.
- You may cancel future renewals of an active subscription by contacting Bitwarden support using the email associated as an organization owner, or the billing contact. The authorized billing contact is the email address that receives invoices, payment reminders, and receipts.
### No If you do not have access to the owner or billing contact email address: - **Contact support and provide default payment method details**: You may authorize the removal of a payment method by contacting support and providing the following payment method details: - Expiration date of the card used in the last payment. - Last 4 digits of the card used for the last payment. - Date of the last payment. - Amount of the last payment. > [!NOTE] Cancel subscription without owner > This information will help Bitwarden support confirm your identity and process the cancellation request, see [here](https://bitwarden.com/help/billing-faqs/#q-what-is-the-holder-of-my-organizations-billing-email-allowed-to-do/) for additional information. --- URL: https://bitwarden.com/help/managing-items/ --- # Vault Items ## Item types Bitwarden can securely store more than just usernames and passwords. There are five types of items you can store in your vault: - **Login**: Store username and password combinations for easy autofill [on browser extensions](https://bitwarden.com/help/auto-fill-browser/), [on iOS apps](https://bitwarden.com/help/auto-fill-ios/) and [on Android apps](https://bitwarden.com/help/auto-fill-android/). Login items can also store [passkeys](https://bitwarden.com/help/storing-passkeys/) and, for Premium users, [verification codes](https://bitwarden.com/help/integrated-authenticator/). - **Card**: Store credit or debit card information for easy [autofill on browser extensions and Android](https://bitwarden.com/help/auto-fill-card-id/) apps during online checkouts. - **Identity**: Store identity information, like mailing addresses, for easy [autofill on browser extensions and Android](https://bitwarden.com/help/auto-fill-card-id/) apps during a variety of online form submissions. - **Secure note**: Store freeform text for any kind of information you want protected. - **SSH key**: Use Bitwarden [as an SSH agent](https://bitwarden.com/help/ssh-agent/). 
## Add items > [!TIP] This's manual, but you can also import. > This section will cover manually adding a vault item, but for many users Bitwarden recommends [importing items](https://bitwarden.com/help/import-data/) directly into your vault from most password managers or web browsers. You can add vault items from any Bitwarden app: ### Web app Select the + **New** button and choose the item type to create: ![Add an item](https://bitwarden.com/assets/5kGYpHHu4197INxX5kOetu/c1aa36b3847c9824b81466837229ec7d/webappnewtest.png) *Add an item* ### Browser extension Select the + **New** button and choose the item type to create: ![Add an item](https://bitwarden.com/assets/3CGG1jYRfgQqi5UlWuwliO/c95b2da5c9e64564c1aa7842207a3a6f/extnew1.png) *Add an item* ### Mobile Select the + **New** button and choose the item type to create: ![Add an item](https://bitwarden.com/assets/cMVnILAl9uoih1iTqIHx9/19168711ae327ea490fa51c8d9c27ff3/mobilenew1.png) *Add an item* ### Desktop ![Add an item](https://bitwarden.com/assets/7xia34eJyx1K8Gy8IXajQ7/36bac46c997498ba821b5cc347eeb65a/desktopnew1.png) *Add an item* ### CLI Use the `create` command to add a new item. Refer to the [CLI documentation](https://bitwarden.com/help/cli/) for more information. ## Manage items You can manage your vault items from any Bitwarden app: ### Edit To edit an item: ### Web app Select the ⋮ options menu for the item you want to edit: > [!TIP] You can right-click on the web app. > You can also right-click the item to call up the same menu. 
![Edit or delete an item](https://bitwarden.com/assets/5FmC9ha8GQ4IKU8UM1ra4x/d470974c62468ba565e58ca1917db0b1/webnew1.png)
*Edit or delete an item*

### Browser extension

Select an item to open it and select **Edit**:

![Edit or delete an item](https://bitwarden.com/assets/2q1EZnISzEG3i8iU4vTKj6/b13c46c27a7fb896f31f81485859459f/extnew4.png)
*Edit or delete an item*

### Mobile

Select the ⋮ options menu for the item you want to edit and select **Edit**:

![Edit an item](https://bitwarden.com/assets/357lJe8JKMXNKEhYKUDn4u/31d5f1f811eb35b8b142f9a6f751dae2/2025-11-10_12-05-53.png)
*Edit an item*

### Desktop

Select an item to open it and select the [pencil] edit icon:

![Edit an item](https://bitwarden.com/assets/6Y4kK7J9aLmo9SDY7Ne8VE/0c422e65f5af509b368ec59928fcd308/desktopnew2.png)
*Edit an item*

### CLI

Use the `edit` command to edit an existing item. Refer to the [CLI documentation](https://bitwarden.com/help/cli/) for more information.

### Delete

To delete an item:

### Web app

Select the ⋮ options menu for the item and select 🗑️ **Delete**:

![Item options](https://bitwarden.com/assets/3OYHvfRCDy3OphkbEHIJEA/fa47beb671d6efc34a18d05daf630aff/webappnewtest3.png)
*Item options*

### Browser extension

Select an item to open it and select the 🗑️ Delete icon:

![Edit or delete an item](https://bitwarden.com/assets/2q1EZnISzEG3i8iU4vTKj6/b13c46c27a7fb896f31f81485859459f/extnew4.png)
*Edit or delete an item*

### Mobile

Tap an item to open it and select the ⋮ options menu for the item:

![Item options](https://bitwarden.com/assets/6XFamLqIYX26cUY5LWQbPE/1a6000050526e7f4f9e8bfcad93619fe/2025-11-10_12-06-19.png)
*Item options*

### Desktop

Select an item to open it and select the 🗑️ Delete icon:

![Delete an item](https://bitwarden.com/assets/1E8ieEw6639tLYAxe2HYir/f12ba224477f2338beae164c21f660eb/desktopnew3.png)
*Delete an item*

### CLI

Use the `delete` command to delete an item. Refer to the [CLI documentation](https://bitwarden.com/help/cli/) for more information.
#### Vault trash

Deleted items are sent to the trash, where they remain for 30 days after deletion. Once 30 days have elapsed, the item will be permanently deleted and not recoverable. In the trash, you can **Restore** an item to your vault or **Permanently delete** it prior to the 30-day waiting period using the ⋮ menu:

### Web app

Select **Trash** from the Filters menu:

![Trash in the web app](https://bitwarden.com/assets/36mo5LyroRq1BhOcjSsBb7/a05100ab172376caf15b4c454beee321/2024-12-02_14-39-40.png)

### Browser extension

Navigate to **Settings** → **Vault** → **Trash**:

![Trash in browser extensions](https://bitwarden.com/assets/5Q0mgKjaDiIKy5ymlVaUnS/fa72b454697bedd7319da17ba671a9e5/2025-04-15_09-33-59.png)

### Mobile app

On the **Vaults** tab, scroll down to **Trash** and select the item:

![Trash in mobile apps](https://bitwarden.com/assets/7HwDVQp0ma6RxU95ILNVtI/52275cc54ff5d789f8825d225edb0ecf/2025-04-15_10-22-16.png)

### Desktop app

Select **Trash** from the navigation:

![Trash in desktop apps](https://bitwarden.com/assets/viaKopya1CJ9N6mWKyLV6/e6fb6c21ef79f87f8d701ea7e8e2d2c3/2025-08-13_14-36-35.png)

### Clone

You can clone any item that you have ownership of to create a duplicate item.
If an item is owned by an organization, it can only be cloned by a member with [**Can manage**](https://bitwarden.com/help/collection-management/#collection-management-settings/) access to the item's collection and can only be done from the web app:

### Web app

Select the ⋮ options menu for the item you want to duplicate and select [clone] **Clone**:

![Item options](https://bitwarden.com/assets/3OYHvfRCDy3OphkbEHIJEA/fa47beb671d6efc34a18d05daf630aff/webappnewtest3.png)
*Item options*

### Browser extension

Select the ⋮ options menu for the item you want to duplicate and select [clone] **Clone**:

![Item options](https://bitwarden.com/assets/10bowrbDmxxf8SxrMhplmJ/01597fd4926492def941caf556cd9d12/extnew5.png)
*Item options*

### Mobile

Tap an item to open it and select the ⋮ options menu for the item:

![Item options](https://bitwarden.com/assets/6XFamLqIYX26cUY5LWQbPE/1a6000050526e7f4f9e8bfcad93619fe/2025-11-10_12-06-19.png)
*Item options*

### Desktop

Select an item to open it and select the [clone] Clone icon:

![Clone an item](https://bitwarden.com/assets/5KRdegIaIbOHxGkMj64Fs9/705d1dfe97b326f75502b9971df4a0aa/desktopnew4.png)
*Clone an item*

## Share items

If you're a member of an [organization](https://bitwarden.com/help/about-organizations/), you can [assign vault items to your organization's collections](https://bitwarden.com/help/sharing/), transferring ownership of the vault item to the organization. To share with other organization members, use the ⋮ menu:

![Assign to collections](https://bitwarden.com/assets/stm9byteqzZn9dvqonHrc/0da481b0cf1f54457d08ae02fd917377/2024-12-02_14-33-34.png)

## Next steps

Now that you understand the basics of working with vault items, we recommend:

- Learning how to navigate your vault using [search](https://bitwarden.com/help/searching-vault/), [filtering](https://bitwarden.com/help/filter-your-vault/), and organizing them in [favorites](https://bitwarden.com/help/favorites/) and [folders](https://bitwarden.com/help/folders/).
- Learning about what else you can add to items, including [custom fields](https://bitwarden.com/help/custom-fields/), [TOTP seeds](https://bitwarden.com/help/integrated-authenticator/), and [file attachments](https://bitwarden.com/help/attachments/). --- URL: https://bitwarden.com/help/managing-users/ --- # User Management ## User seats A "user seat" refers to a license for a single user within an organization. A user seat, while occupied by a member of your organization, grants that member access to Bitwarden services under your specific plan. A user seat is not permanently attached to that member; when they leave the organization that user seat is made available for use by a new member. Bitwarden cloud [Teams and Enterprise organizations](https://bitwarden.com/help/about-organizations/#types-of-organizations/) will **automatically scale up** user seats as you [invite](https://bitwarden.com/help/managing-users/#invite/) new users. You can set a [seat limit](https://bitwarden.com/help/managing-users/#set-a-seat-limit/) on scaling to prevent your seat count from exceeding a specified number, or [manually add seats](https://bitwarden.com/help/managing-users/#manually-add-or-remove-seats/) as desired. Regardless of how you choose to add seats, you will need to [manually remove](https://bitwarden.com/help/managing-users/#manually-add-or-remove-seats/) seats you're no longer using. Adding and removing user seats will adjust your future billing totals. Adding seats will immediately charge your payment method on file at an adjusted rate so that **you will only pay for the remainder of the billing cycle** (month/year). Removing seats will cause your next charge to be adjusted so that you are **credited for time not used** by the already-paid-for seat. 
> [!NOTE] Removing seats
> Only an [organization owner](https://bitwarden.com/help/user-types-access-control/#user-types/) or [provider service user](https://bitwarden.com/help/provider-users/#provider-user-types/) can add or remove seats, as this directly affects billing.

### Set a seat limit

> [!NOTE] Managing seats when you're self-hosted
> The number of seats a self-hosted organization has will always mirror its [counterpart cloud-organization](https://bitwarden.com/help/self-host-an-organization/#step-3-start-your-organization/). You will be required to manage your seat count through the cloud Admin Console, however [billing sync](https://bitwarden.com/help/licensing-on-premise/#tab-automatic-sync-4cDnzGHwlfBQEFs6eqrkut/) can be set up to make these changes reflect for your self-hosted organization without requiring you to re-upload your license.

To set a limit on the number of seats your organization can scale up to:

1. Log in to the Bitwarden [web app](https://bitwarden.com/help/getting-started-webvault/) and open the Admin Console using the product switcher:

   ![Product switcher](https://bitwarden.com/assets/2uxBDdQa6lu0IgIEfcwMPP/e3de3361749b6496155e25edcfdcf08b/2024-12-02_11-19-56.png)
2. Navigate to **Billing** → **Subscription** and check the **Limit subscription** checkbox:

   ![Set a seat limit ](https://bitwarden.com/assets/5DBnJW1y9welOF6hrDKrrh/a700ae21b6f3dd20b702aa9d172ed707/2024-12-03_14-48-25.png)
3. In the **Seat limit** input, specify a seat limit.
4. Select **Save**.

> [!NOTE]
> Once the specified limit is reached, you will not be able to invite new users unless you increase the limit.

### Manually add or remove seats

> [!NOTE] Managing seats when you're self-hosted
> The number of seats a self-hosted organization has will always mirror its [counterpart cloud-organization](https://bitwarden.com/help/self-host-an-organization/#step-3-start-your-organization/).
You will be required to manage your seat count through the cloud Admin Console, however [billing sync](https://bitwarden.com/help/licensing-on-premise/#tab-automatic-sync-4cDnzGHwlfBQEFs6eqrkut/) can be set up to make these changes reflect for your self-hosted organization without requiring you to re-upload your license.

To manually add or remove seats to your organization:

1. Log in to the Bitwarden [web app](https://bitwarden.com/help/getting-started-webvault/) and open the Admin Console using the product switcher:

   ![Product switcher](https://bitwarden.com/assets/2uxBDdQa6lu0IgIEfcwMPP/e3de3361749b6496155e25edcfdcf08b/2024-12-02_11-19-56.png)
2. Navigate to **Billing** → **Subscription**.
3. In the **Subscription seats** input, add or remove seats using the hover-over arrows:

   ![Add or remove seats ](https://bitwarden.com/assets/6vCLfjhJz8FOGEeAuQmYQN/f6d0bfe07c1f4db8633e735f42f121fe/2024-12-03_14-49-45.png)
4. Select **Save**.

> [!NOTE] Increasing subscription seats
> If you are increasing your **Subscription seats** above a specified **Seat limit**, you must also increase the seat limit so that it is equal to or greater than the desired subscription seat count.

## Onboard users

To ensure the security of your organization, Bitwarden applies a 3-step process for onboarding a new member, [invite](https://bitwarden.com/help/managing-users/#invite/) → [accept](https://bitwarden.com/help/managing-users/#accept/) → [confirm](https://bitwarden.com/help/managing-users/#confirm/).
> [!TIP] User Management Alternatives > This document covers the manual onboarding flow for adding users to Bitwarden organizations, however Bitwarden offers two methods for automatic user and group provisioning: > > - Teams and Enterprise organizations can use SCIM integrations for [Azure AD](https://bitwarden.com/help/microsoft-entra-id-scim-integration/), [Okta](https://bitwarden.com/help/okta-scim-integration/), [OneLogin](https://bitwarden.com/help/onelogin-scim-integration/), and [JumpCloud](https://bitwarden.com/help/jumpcloud-scim-integration/). > - Teams and Enterprise organizations can use Directory Connector for [Active Directory/LDAP](https://bitwarden.com/help/ldap-directory/), [Azure AD](https://bitwarden.com/help/microsoft-entra-id/), [Google Workspace](https://bitwarden.com/help/workspace-directory/), [Okta](https://bitwarden.com/help/okta-directory/), and [OneLogin](https://bitwarden.com/help/onelogin-directory/). ### Invite > [!NOTE] Enterprise policy for inviting users > For Enterprise organizations, we recommend configuring [enterprise policies](https://bitwarden.com/help/policies/) prior to inviting users to ensure compliance on-entrance to your organization. To invite users to your organization: 1. Log in to the Bitwarden [web app](https://bitwarden.com/help/getting-started-webvault/) and open the Admin Console using the product switcher: ![Product switcher](https://bitwarden.com/assets/2uxBDdQa6lu0IgIEfcwMPP/e3de3361749b6496155e25edcfdcf08b/2024-12-02_11-19-56.png) 2. Navigate to **Members** and select the + **Invite User** button: ![Invite member to an organization](https://bitwarden.com/assets/7AJjR4oqEnCH3A89YYoWpH/a4bd30d71a74ead44e13768dab8c5dff/2024-12-03_14-02-20.png) 3. On the Invite user panel: - Enter the **Email** address where new users should receive invites. You can add up to 20 users at a time by comma-separating email addresses. - Select the **Member role** to be applied to new users. 
[Member role](https://bitwarden.com/help/user-types-access-control/#member-role/) will determine what permissions these users will have at an organizational level.
   - In the **Groups** tab, select which [groups](https://bitwarden.com/help/about-groups/) to add this user to.
   - In the **Collections** tab, select collections to give this user access to and what [permissions](https://bitwarden.com/help/user-types-access-control/#permissions/) they should have to each collection.
4. Click **Save** to invite the designated users to your organization.

> [!NOTE] Invitations expire
> **Invitations expire after 5 days**, at which point the user will need to be re-invited. Re-invite users in bulk by selecting each user and using the ⋮ options menu to **Resend invitations**:
>
> ![Bulk re-invite ](https://bitwarden.com/assets/1yj3MLJDTr7zOn5TwP0FGJ/3f09a294f42a4bc8772369648afd450d/2024-12-03_15-03-31.png)
>
> If you're self-hosting Bitwarden, you can configure the invitation expiration period [using an environment variable](https://bitwarden.com/help/environment-variables/).

### Accept

Invited users will receive an email from Bitwarden inviting them to join the organization. Clicking the link in the email will open the Bitwarden web app, where the user can log in or create an account to accept the invitation:

![Organization invitation](https://bitwarden.com/assets/4Fe96NuWb7yRe6muKf7UbZ/bcb1a8df0bc2ffdecbcd86b82d16c9a3/2025-09-03_10-41-25.png)

You must **fully log in to the Bitwarden web app** to accept the invitation. When you accept an invitation, an administrator will need to [confirm](https://bitwarden.com/help/managing-users/#confirm/) access. Once confirmed, you'll be notified that you can access the organization.

Additionally, organization members will have their [email automatically verified](https://bitwarden.com/help/product-faqs/#q-what-features-are-unlocked-when-i-verify-my-email/) when they accept an invitation.
### Confirm

> [!TIP] Why confirm users
> The 3-step [invite](https://bitwarden.com/help/managing-users/#invite/) → [accept](https://bitwarden.com/help/managing-users/#accept/) → [confirm](https://bitwarden.com/help/managing-users/#confirm/) procedure is designed to facilitate secure sharing between organizations and users by maintaining end-to-end encryption. [Learn more](https://bitwarden.com/help/bitwarden-security-white-paper/#sharing-data-between-users/).

To confirm accepted invitations into your organization:

1. Log in to the Bitwarden [web app](https://bitwarden.com/help/getting-started-webvault/) and open the Admin Console using the product switcher:

   ![Product switcher](https://bitwarden.com/assets/2uxBDdQa6lu0IgIEfcwMPP/e3de3361749b6496155e25edcfdcf08b/2024-12-02_11-19-56.png)
2. Navigate to **Members**.
3. Select any `Accepted` users and use the ⋮ options menu to ✓ **Confirm selected**:

   ![Confirm member to an organization](https://bitwarden.com/assets/5eRDRAooRSGqRWJYZB5fgz/95422412e2a27069ca903f4a6ec1a8a7/2024-12-03_14-04-59.png)
4. Verify that the [fingerprint phrase](https://bitwarden.com/help/fingerprint-phrase/) on your screen matches the one your new member can find in **Settings** → **My account**:

   ![Sample Fingerprint Phrase ](https://bitwarden.com/assets/6sWPBv5GFAyMcULNxfCCJG/b3115a77e0d8d8d48fcc1f9e24e42d70/fingerprint-phrase.png)

   Each fingerprint phrase is unique to its account, and ensures a final layer of oversight in securely adding users. If they match, select **Submit**.

> [!NOTE] Clear cache and cookie to restore fingerprint phrase prompt
> If **Never prompt to verify fingerprint phrases** has been toggled on, fingerprint phrase verification can be reactivated by clearing the browser cache and cookies.

> [!TIP] Remove & revoke docs have moved > For information on revoking, removing, or deleting members accounts, refer to: > > - [Temporarily Revoke Access](https://bitwarden.com/help/revoke-users/) > - [Permanently Remove Access](https://bitwarden.com/help/remove-users/) > - [Delete Member Accounts](https://bitwarden.com/help/delete-member-accounts/) ## Review user 2FA status The 2FA status of users can be viewed from the **Members** page. If the user has a 🔒 icon, two-step login has been enabled on their Bitwarden account. ![2FA indicator](https://bitwarden.com/assets/HNlJNX9VJVURxGqrrBdRb/55b9ee7cc268e3400eb3d1f136e161fd/2024-12-03_15-14-09.png) --- URL: https://bitwarden.com/help/master-password-re-prompt/ --- # Master Password Re-Prompt For any [item](https://bitwarden.com/help/managing-items/), you can activate the **Master password re-prompt** option from the Add or Edit screen to require verification of your [master password](https://bitwarden.com/help/master-password/) to access or autofill sensitive vault items: ![Master password re-prompt ](https://bitwarden.com/assets/sgKb0RX5hGdrdKLmXcR0R/f78654839e18b3f474dd3e95ed0d203c/2024-12-02_14-38-06.png) Master password re-prompt will behave slightly differently depending on which app you're using, for example: - In the web app, browser extension, and desktop app viewing the item or editing anything about it with this enabled will require you to re-enter your master password. - On mobile apps, only viewing hidden fields (e.g. passwords, hidden custom fields, credit card numbers) will require you to re-enter your master password. Editing anything about the item will also require you to re-enter your master password. Users who do not have master passwords, for example those in organizations using [SSO with trusted devices](https://bitwarden.com/help/about-trusted-devices/) or [Key Connector](https://bitwarden.com/help/about-key-connector/), will not have the master password re-prompt option available to them. 
Additionally, trusted contacts using [emergency access](https://bitwarden.com/help/emergency-access/#use-emergency-access/) will not be required to re-enter a master password in order to view a protected vault item. > [!WARNING] MPW Reprompt isn't encryption. > Master password re-prompt **is not** an encryption mechanism. This feature is an interface-only guardrail that a sophisticated user may find ways to work around. We recommend **never** leaving your vault unlocked when unattended or on a shared workstation. ## --- URL: https://bitwarden.com/help/master-password/ --- # My Master Password Your master password is the primary method for accessing Bitwarden. It's important that your master password is: - **Memorable**: Bitwarden employees and systems have **no** knowledge of, way to retrieve, or way to reset your master password. **Do not forget your master password!** - **Strong**: A longer, more complex, and less common password is the best way to protect your account. Bitwarden provides a free [**password strength testing tool**](https://bitwarden.com/password-strength/) to test the strength of some memorable passwords you are considering. Master passwords made after the [2023.3.0 release](https://bitwarden.com/help/releasenotes/) must be at least 12 characters. > [!TIP] Tips to mitigate forgetting master password. > Worried about forgetting your master password? Here is what to do: > > - **Setup a hint**. In case you need a reminder, a master password hint email can be requested on the login screen. Make sure you use a hint that only you will understand. > - **Designate a**[**trusted emergency contact**](https://bitwarden.com/help/emergency-access/). Users with premium access can grant account access to a friend or family member in the case of emergency. ## Change master password If you know your current master password, you can change it from the web vault: > [!TIP] If you don't know your master password. 
> If you do not know your current master password, [learn what to do](https://bitwarden.com/help/forgot-master-password/). 1. In the web app, select the **Settings** → **Security** from the navigation: 2. Select the **Master password** tab: ![Master password settings](https://bitwarden.com/assets/2Svv0PwlH9i7SSK73dlv9A/5ff2708bb08164626baf1f03d3854b24/2024-12-02_10-24-14.png) 3. Enter your **Current master password**. 4. Enter and confirm your **New master password**. 5. If you want to check your master password through HIBP before submitting it, check the **Check known data breaches for the password** ([learn more](https://bitwarden.com/help/reports/#data-breach-report-individual-vaults-only/)) box. To run this report, a hash of your master password is sent to HIBP and compared to stored exposed hashes. Your master password itself is never exposed by Bitwarden. > [!WARNING] Rotate account encryption key. > Don't check the **rotate account's encryption key** box unless you fully understand the ramifications and required follow-up actions. [Learn more](https://bitwarden.com/help/account-encryption-key/). 6. Select the **Change master password** button. Changing your master password will automatically log you out of the web vault session. Other logged-in apps may remain active for up to an hour, but will eventually also require you to log back in with your new master password. ## I forgot my master password Learn what to do if you [forget your master password](https://bitwarden.com/help/forgot-master-password/). ## Additional login options Your master password is a requirement for setting up your Bitwarden account. Depending on how you or your organization interact with Bitwarden, additional options are available for accessing your Bitwarden account. | Method | Description | |------|------| | Log in with device | Login with device is an option to utilize a trusted secondary device that can send authentication requests to Bitwarden. 
Learn more about login with device [here](https://bitwarden.com/help/log-in-with-device/). | | Log in with SSO | Bitwarden users who are part of an organization that utilizes login with single sign-on(SSO) can login leveraging an existing identity provider, that will authenticate the user. Learn more about login with SSO [here](https://bitwarden.com/help/about-sso/). | | Log in with passkeys (beta) | Passkeys can be used to log in to Bitwarden as an alternative to using your master password and email, and some passkeys can be used for vault encryption and decryption. Learn more [here](https://bitwarden.com/help/login-with-passkeys/). | | Unlock with biometrics and unlock with PIN | Using unlock with biometrics or PIN is not an alternative login method, however, this feature can allow you to access a locked account with system biometrics or a PIN instead of a master password. Learn more about [unlock with biometrics](https://bitwarden.com/help/biometrics/) and [unlock with PIN](https://bitwarden.com/help/unlock-with-pin/). | ## Next steps Now that you have created a **memorable** and **strong** master password, we recommend: - [Further securing your account with two-step login](https://bitwarden.com/help/setup-two-step-login/) - [Enabling emergency access](https://bitwarden.com/help/emergency-access/) (requires premium) --- URL: https://bitwarden.com/help/microsoft-entra-id-scim-integration/ --- # Microsoft Entra ID SCIM System for cross-domain identity management (SCIM) can be used to automatically provision and de-provision members and groups in your Bitwarden organization. > [!NOTE] SCIM vs. BWDC > SCIM integrations are available for **Teams and Enterprise organizations**. Customers not using a SCIM-compatible identity provider may consider using [Directory Sync](https://bitwarden.com/help/directory-sync/) as an alternative means of provisioning. This article will help you configure a SCIM integration with Azure. 
Configuration involves working simultaneously with the Bitwarden web vault and Azure Portal. As you proceed, we recommend having both readily available and completing steps in the order they are documented.

> [!TIP] Entra ID Soft Guide
> **Already an expert?** Skip the instructions in this article and download the quick configuration guide to set up SSO and SCIM with Entra ID.
>
> ⬇️ [Quick reference guide](https://bitwarden.com/assets/1Qe8NasMRjmKyO575a9i5w/649ad79d5cd895f304fc32230280e97b/entra-id-guide.pdf)

## Enable SCIM

> [!NOTE] Self-hosting SCIM
> **Are you self-hosting Bitwarden?** If so, complete [these steps to enable SCIM for your server](https://bitwarden.com/help/self-hosting-scim/) before proceeding.

To start your SCIM integration, open the Admin Console and navigate to **Settings** → **SCIM provisioning**:

![SCIM provisioning](https://bitwarden.com/assets/6sw1kuK7GuZ3dfQkkbs6rV/a4f4e18e561733297338e4ed44c6ed8c/2024-12-03_15-25-46.png)

Select the **Enable SCIM** checkbox and take note of your **SCIM URL** and **SCIM API Key**. You will need to use both values in a later step.

## Create an enterprise application

> [!TIP] SCIM if SSO already exists (Azure).
> If you are already using this IdP for Login with SSO, open that existing enterprise application and [skip to this step](https://bitwarden.com/help/microsoft-entra-id-scim-integration/#enable-provisioning/).
Otherwise, proceed with this section to create a new application.

In the Azure Portal, navigate to **Microsoft Entra ID** and select **Enterprise applications** from the navigation menu:

![Enterprise applications ](https://bitwarden.com/assets/69h0vJlyvkF5J6tsKfQ7jd/4994ed3200bdce4b5faea87e1ac2de83/Enterprise_application.png)

Select the + **New application** button:

![Create new application ](https://bitwarden.com/assets/7f6vbFmJRpfwDXbjHNKp1i/c314ef0bcbb68306858fa0f76da1e369/new_application.png)

On the Browse **Microsoft Entra ID** Gallery screen, select the + **Create your own application** button:

![Create your own application ](https://bitwarden.com/assets/6oF8nrPsl7riqg3jWFDk7N/5cf08062f5656e0aee44ea627a2071c5/Create_your_own_application.png)

On the Create your own application screen, give the application a unique, Bitwarden-specific name. Choose the **Non-gallery** option and then select the **Create** button.

![Create Entra ID app](https://bitwarden.com/assets/2fCSl3wr0PPuTYBk9zisXd/0e8754a3163b6560d832306b4b88bb1b/create_entra_app.png)

### Enable provisioning

Select **Provisioning** from the navigation and complete the following steps:

![Select Provisioning](https://bitwarden.com/assets/3FNghuESyQaW6EB4WfANSy/f0a1ef6cae75ccc9412e5f0e1396b5f1/Select_Provisioning.png)

1. Select the + **New configuration** button.
2. In the **Select authentication method** dropdown, select **Bearer authentication**.
3. Enter your SCIM URL ([learn more](https://bitwarden.com/help/microsoft-entra-id-scim-integration/#enable-scim-in-the-web-vault/)) in the **Tenant URL** field.
4. Enter your SCIM API Key ([learn more](https://bitwarden.com/help/microsoft-entra-id-scim-integration/#enable-scim-in-the-web-vault/)) in the **Secret Token** field.
5. Select the **Test Connection** button.
6. If your connection tests successfully, select the **Save** button.
### Mappings This screen is available while performing initial setup for the Enterprise Application, or by navigating to the Enterprise Application, and selecting **Provisioning** under the **Manage**section of the left-hand menu, and then selecting **Edit Provisioning** at the top. Bitwarden uses standard SCIM v2 attribute names, though these may differ from Microsoft Entra ID attribute names. The default mappings will work, but you can use this section to make changes if you wish. #### User mapping If you would like User objects in your directory to synchronize with Bitwarden, you may enable or disable **Provision Microsoft Entra ID Users**. This is enabled by default. Select the **Provision Microsoft Entra ID Users** link to customize the attributes sent to Bitwarden with user objects. The following table describes the default mappings for attributes used by Bitwarden: | **Bitwarden attribute** | **Default AAD attribute** | |------|------| | `active` | `Switch([IsSoftDeleted], , "False", "True", "True", "False")` | | `emails`ª or `userName` | `mail `or `userPrincipalName` | | `displayName` | `displayName` | | `externalId` | `mailNickname` | ª - Because SCIM allows users to have multiple email addresses expressed as an array of objects, Bitwarden will use the `value` of the object which contains `"primary": true`. #### User mapping with object identifiers User mappings may be more performant if they prioritize mapping on an Entra `objectId` over other attributes. Mapping in this way will preserve the connection to a Bitwarden account if the corresponding Entra ID account's email address changes, for example in the case of a name change. To implement this, make the following changes to your user mapping scheme: - Map the `externalId` to `objectId` instead of `mailNickname`. - For the `externalId` to `objectId` mapping, set **Match objects using this attribute** to Yes. - For the `externalId` to `objectId` mapping, set **Matching precedence** to 1. 
- For the `userName` (**customerappsso Attribute**) to `userPrincipalName` or `mail` (**Microsoft Entra ID Attribute**) mapping, set **Matching precedence** to 2.

> [!WARNING] Changing Entra SCIM Mapping ex-post-facto
> If you're implementing this mapping strategy **after users have already been synced to Bitwarden** using SCIM, note that those already-synced users will not have had external IDs set by an Entra ID object ID. For these users, use the [Public API's](https://bitwarden.com/help/api/) `/public/members/{id}` endpoint to set their external IDs.

#### Group mapping

If you would like Group objects in your directory to synchronize with Bitwarden, you may enable or disable **Provision Microsoft Entra ID Groups**. This option is enabled by default. Select the **Provision Microsoft Entra ID Groups** link to customize the attributes sent to Bitwarden with the group objects if you wish to make changes according to the following table:

| **Bitwarden attribute** | **Default AAD attribute** |
|------|------|
| `displayName` | `displayName` |
| `members` | `members` |
| `externalId` | `objectId` |

### Settings

Under the **Settings** dropdown, choose:

- Whether to send an email notification when failure occurs, and if so, what address to send it to (recommended).
- Whether to **sync only assigned users and groups** or **sync all users and groups**. This setting is modified based on your Mapping configuration. For example, if Group mapping is disabled, Groups added to the Enterprise Application will synchronize only the User objects who are members of the Group, and not create the Group in Bitwarden itself. If you choose to sync all users and groups, skip the next step, as your entire directory will be synchronized, depending on your Mapping settings.

## Assign users and groups

Complete this step if you have selected to **sync only assigned users and groups** from the provisioning settings.
Select **Users and groups** from the navigation:

![Enterprise application users and groups](https://bitwarden.com/assets/5xXgCDxrB4wVlZmfsKmi2L/cad020d84786fa009a6636b01ce5d918/remove-name-2.png)

Select the + **Add user/group** button to assign access to the SCIM application on a user or group level. The following sections describe how modifying users and groups in Azure will impact their counterparts in Bitwarden:

#### Users

If **Provision Microsoft Entra ID Users** has been enabled in your Mappings, the following actions are taken:

- When a new user is assigned in Azure, the user is invited to your Bitwarden organization.
- When a user who is already a member of your organization is assigned in Azure, the Bitwarden user is linked to the Azure user through their first available matching precedence attribute.
  - Users linked in this way are still subject to the other workflows in this list, however values like `displayName` and `externalId/mailNickname` are not automatically changed in Bitwarden.
- When an assigned user is disabled via the `accountEnabled` property in Azure, the user has their access to the organization [revoked](https://bitwarden.com/help/about-scim/#revoking-restoring-access/).
- When an assigned user is "soft" deleted in Azure, the user has their access to the organization [revoked](https://bitwarden.com/help/about-scim/#revoking-restoring-access/).
- When the user is permanently deleted in Azure, the user is removed from the organization.
- When an assigned user is removed from the Enterprise application in Azure, the user has their access to the organization [revoked](https://bitwarden.com/help/about-scim/#revoking-restoring-access/).
- When an assigned user is removed from a group in Azure, the user is removed from that group in Bitwarden but remains a member of the organization.
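
The effect of the matching precedence described under "User mapping with object identifiers" can be checked with a small model. The following Python example is added here and is not Bitwarden or Microsoft code: it assumes the default scheme matches on `userName` only, falls back to `userName` when no email is flagged primary, and uses constructed names, addresses, and IDs.

```python
"""Simplified model of SCIM user matching by precedence (illustration only)."""
from dataclasses import dataclass
from typing import Optional

# Constructed sample values; none come from a real tenant.
OBJECT_ID = "11111111-2222-3333-4444-555555555555"
DEFAULT_SCHEME = ["userName"]                  # assumption: default matches on userName only
OBJECT_ID_SCHEME = ["externalId", "userName"]  # matching precedence 1, then 2


@dataclass
class Member:
    """A member that already exists in the Bitwarden organization."""
    email: str
    external_id: Optional[str] = None


def primary_email(scim_user: dict) -> Optional[str]:
    """Return the `value` of the emails entry that has "primary": true.

    Falling back to userName is an assumption based on the mapping table
    row "emails or userName".
    """
    for entry in scim_user.get("emails", []):
        if entry.get("primary") is True:
            return entry.get("value")
    return scim_user.get("userName")


def match_member(scim_user, members, precedence):
    """Try each matching attribute in order; return (member, attribute used)."""
    for attribute in precedence:
        if attribute == "externalId":
            wanted = scim_user.get("externalId")
            hits = [m for m in members if wanted and m.external_id == wanted]
        elif attribute == "userName":
            wanted = (primary_email(scim_user) or "").lower()
            hits = [m for m in members if wanted and m.email.lower() == wanted]
        else:
            raise ValueError(f"unsupported matching attribute: {attribute}")
        if len(hits) == 1:  # empty or ambiguous results fall through to the next attribute
            return hits[0], attribute
    return None, None


def plan(scim_user, members, precedence):
    """Return (action, attribute) for one assigned user, following the Users list."""
    member, attribute = match_member(scim_user, members, precedence)
    if scim_user.get("active") is False:
        # Disabled or soft-deleted users are revoked; with no match there is
        # nothing to revoke (the "skip" outcome is an assumption of this model).
        return ("revoke" if member else "skip"), attribute
    if member is None:
        return "invite", None
    return "link", attribute


def renamed_user(external_id: str) -> dict:
    """Constructed SCIM user after a name change: new userName and primary email."""
    return {
        "userName": "alice.jones@example.com",
        "externalId": external_id,
        "active": True,
        "emails": [
            {"value": "alice.smith@example.com", "primary": False},
            {"value": "alice.jones@example.com", "primary": True},
        ],
    }


def scenarios() -> dict:
    """Run the same rename against three mapping situations."""
    results = {}
    # 1. Default mapping: externalId carries mailNickname, matching on userName.
    members = [Member("alice.smith@example.com", "alice.smith")]
    results["default_after_rename"] = plan(
        renamed_user("alice.jones"), members, DEFAULT_SCHEME)
    # 2. objectId mapping, and the member's external ID already holds the objectId.
    members = [Member("alice.smith@example.com", OBJECT_ID)]
    results["object_id_after_rename"] = plan(
        renamed_user(OBJECT_ID), members, OBJECT_ID_SCHEME)
    # 3. objectId mapping enabled after the first sync, external ID not updated.
    members = [Member("alice.smith@example.com", "alice.smith")]
    results["not_backfilled_after_rename"] = plan(
        renamed_user(OBJECT_ID), members, OBJECT_ID_SCHEME)
    return results


if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(f"{name}: {outcome}")
```

The third scenario is the case the warning above covers: a member synced before the switch still carries the old external ID, so after a rename neither attribute matches until the external ID is set through the Public API.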

#### Groups

If you have **Provision Microsoft Entra ID Groups** enabled in your Mappings, the following actions are taken:

- When a new group is assigned in Azure, the group is created in Bitwarden.
  - Group members who are already members of your Bitwarden organization are added to the group.
  - Group members who are not already members of your Bitwarden organization are invited to join.
- When a group that already exists in your Bitwarden organization is assigned in Azure, the Bitwarden group is linked to Azure through the first available matching precedence attribute.
  - Groups linked in this way will have their members synced from Azure.
- When a group is renamed in Azure, it will be updated in Bitwarden as long as the initial sync has been made.
- When a group is renamed in Bitwarden, it will be changed back to what it's named in Azure. Always change group names Azure-side.

## Start provisioning

Once the application is fully configured, start provisioning by selecting the [play] **Start provisioning** button on the enterprise application's **Provisioning** page:

![Start provisioning](https://bitwarden.com/assets/1oJcKq2shIBPxySuKjaZLV/61bbe111c6e1a140698103ae00874d14/Start_provisioning_.png)

## Finish user onboarding

Now that your users have been provisioned, they will receive invitations to join the organization. Instruct your users to [accept the invitation](https://bitwarden.com/help/managing-users/#accept/) and, once they have, [confirm them to the organization](https://bitwarden.com/help/managing-users/#confirm/).

> [!NOTE] Invite/Accept/Confirm
> The Invite → Accept → Confirm workflow facilitates the decryption key handshake that allows users to securely access organization vault data.

--- URL: https://bitwarden.com/help/microsoft-entra-id/ ---

# Sync with Microsoft Entra ID

This article will help you get started using Directory Connector to sync users and groups from your Microsoft Entra ID Directory to your Bitwarden organization.

## Microsoft Entra ID Directory setup

Complete the following processes from the Microsoft Azure Portal before configuring Directory Connector. Directory Connector will require information obtained from these processes to function properly.

### Create app registration

Complete the following steps to create an app registration for Directory Connector:

1. From your Microsoft Azure portal, navigate to the **Microsoft Entra ID** directory.
2. From the left-hand navigation, select **App registrations** or enter **App registrations** into the search bar.
3. Select the **New registration** button and give your registration a Bitwarden-specific name (such as `bitwarden-dc`).
4. Select **Register**.

### Grant app permissions

Complete the following steps to grant the created app registration the required permissions:

1. On the created Bitwarden app, select **API Permissions** from the left-hand navigation.
2. Select the **Add a permission** button.
3. When prompted to select an API, select **Microsoft Graph**.
4. Set the following **Delegated permissions**:
   - User > User.ReadBasic.All (Read all users' basic profiles)
   - User > User.Read.All (Read all users' full profiles)
   - Group > Group.Read.All (Read all groups)
   - AdministrativeUnit > AdministrativeUnit.Read.All (Only required if you'll be syncing [Administrative Units](https://bitwarden.com/help/microsoft-entra-id/#specify-sync-filters/))
5. Set the following **Application Permissions**:
   - User > User.Read.All (Read all users' full profiles)
   - Group > Group.Read.All (Read all groups)
   - AdministrativeUnit > AdministrativeUnit.Read.All (Only required if you'll be syncing [Administrative Units](https://bitwarden.com/help/microsoft-entra-id/#specify-sync-filters/))
6. Back on the API Permissions page, select the **Grant admin consent for...** button.

### Create app secret key

Complete the following steps to create a secret key to be used by Directory Connector:

1. On the created Bitwarden app, select **Certificates & secrets** from the left-hand navigation.
2. Select the **New client secret** button and add a Bitwarden-specific description (such as `bitwarden-dc-secret`) and an expiration date. We recommend the longest expiration date period possible, and setting a reminder to update it when required.
3. Select **Save** once you have finished.
4. Copy the secret's **value** to a safe place for later use.

### Get app ID

Complete the following steps to obtain the app ID to be used by Directory Connector:

1. On the created Bitwarden app, select **Overview** from the left-hand navigation.
2. Copy the **Application (client) ID** to a safe place for later use.

### Get tenant hostname

Complete the following steps to obtain the tenant hostname to be used by Directory Connector:

1. From anywhere in the Azure portal, select the ⚙️ icon on the top right navigation bar.
2. Select the **Directory + subscription** filter button from the menu located on the left.
3. Copy the **Current directory:** value to a safe place for later use.

## Connect to your directory

Complete the following steps to configure Directory Connector to use Microsoft Entra ID. If you haven't already, take the proper [Microsoft Entra ID setup](https://bitwarden.com/help/microsoft-entra-id/#microsoft-entra-id-directory-setup/) steps before proceeding:

1. Open the Directory Connector [desktop app](https://bitwarden.com/help/directory-sync-desktop/).
2. Navigate to the **Settings** tab.
3. From the **Type** dropdown, select **Azure Active Directory**. The available fields in this section will change according to your selected type.
4. Enter the collected [**tenant hostname**](https://bitwarden.com/help/microsoft-entra-id/#get-tenant-hostname/), [**application Id**](https://bitwarden.com/help/microsoft-entra-id/#get-app-id/), and [**secret key**](https://bitwarden.com/help/microsoft-entra-id/#create-app-secret-key/).

## Configure sync options

> [!NOTE] Clear sync
> When you are finished configuring, navigate to the **More** tab and select the **Clear Sync Cache** button to prevent potential conflicts with prior sync operations. For more information, see [Clear Sync Cache](https://bitwarden.com/help/clear-sync-cache/).

Complete the following steps to configure the settings used when syncing using Directory Connector:

1. Open the Directory Connector [desktop app](https://bitwarden.com/help/directory-sync-desktop/).
2. Navigate to the **Settings** tab.
3. In the **Sync** section, configure the following options as desired:

| **Option** | **Description** |
|------|------|
| Interval | Time between automatic sync checks (in minutes). |
| Remove disabled users during sync | Check this box to remove users from the Bitwarden organization that have been disabled in your directory. |
| Overwrite existing organization users based on current sync settings | Check this box to always perform a full sync and remove any users from the Bitwarden organization if they are not in the synced user set. |
| More than 2000 users or groups are expected to sync. | Check this box if you expect to sync 2000+ users or groups. If you don't check this box, Directory Connector will limit a sync at 2000 users or groups. |
| Sync users | Check this box to sync users to your organization. Checking this box will allow you to specify **User Filters**. |
| User filter | See [Specify sync filters](https://bitwarden.com/help/azure-active-directory/#specify-sync-filters/). |
| Sync groups | Check this box to sync groups to your organization. Checking this box will allow you to specify **Group Filters**. |
| Group filter | See [Specify sync filters](https://bitwarden.com/help/azure-active-directory/#specify-sync-filters/). |

### Specify sync filters

Use comma-separated lists to include or exclude from a sync based on user email, group name, or group membership.

#### User filters

The following filtering syntaxes should be used in the **User Filter** field:

##### Include/Exclude users by email

To include or exclude specific users from a sync based on email address:

```
include:joe@example.com,bill@example.com,tom@example.com
```

```
exclude:jow@example.com,bill@example.com,tom@example.com
```

##### User by group membership

You can include or exclude users from a sync based on their Microsoft Entra ID group membership using the `includeGroup` and `excludeGroup` keywords. `includeGroup` and `excludeGroup` use Group Object ID, available from the **Overview** page of the group in the [Azure Portal](https://portal.azure.com) or through the [Azure AD PowerShell](https://docs.microsoft.com/en-us/powershell/module/azuread/get-azureadgroup?view=azureadps-2.0):

```
includeGroup:963b5acd-9540-446c-8e99-29d68fcba8eb,9d05a51c-f173-4087-9741-a7543b0fd3bc
```

```
excludeGroup:963b5acd-9540-446c-8e99-29d68fcba8eb,9d05a51c-f173-4087-9741-a7543b0fd3bc
```

#### Group filters

> [!NOTE] Azure AD nested group
> Nested groups can sync multiple group objects with a single referent in the Directory Connector. Do this by creating an administrative unit with all of your groups listed.

The following filtering syntaxes should be used in the **Group Filter** field:

##### Include/Exclude groups

To include or exclude groups from a sync based on group name:

```
include:Group A,Group B
```

```
exclude:Group A,Group B
```

##### Group by administrative unit (AU)

You can include or exclude groups from a sync based on their tagged [Microsoft Entra ID Administrative Units](https://learn.microsoft.com/en-us/azure/active-directory/roles/administrative-units) by using the `includeadministrativeunit` and `excludeadministrativeunit` keywords.
`includeadministrativeunit` and `excludeadministrativeunit` use the **Object ID** of the Administrative Unit:

```
includeadministrativeunit:7ckcq6e5-d733-4b96-be17-5bad81fe679d
```

```
excludeadministrativeunit:7ckcq6e5-d733-4b96-be17-5bad81fe679d
```

## Test a sync

> [!TIP] BWDC connect to EU server.
> Before testing or executing a sync, check that Directory Connector is connected to the right cloud server (e.g. US or EU) or self-hosted server. Learn how to do so with the [desktop app](https://bitwarden.com/help/directory-sync-desktop/#getting-started/) or [CLI](https://bitwarden.com/help/directory-sync-cli/#config/).

To test whether Directory Connector will successfully connect to your directory and return the desired users and groups, navigate to the **Dashboard** tab and select the **Test Now** button. If successful, users and groups will be printed to the Directory Connector window according to specified [sync options](https://bitwarden.com/help/microsoft-entra-id/#configure-sync-options/) and [filters](https://bitwarden.com/help/microsoft-entra-id/#specify-sync-filters/).

It may take up to 15 minutes for permissions for your application to properly propagate. In the meantime, you may receive `Insufficient privileges to complete the operation` errors.

> [!NOTE]
> If you get the error message `Resource does not exist or one of its queried reference-property objects are not present`, you'll need to permanently delete or restore the user(s) with ``. **Please note**, this was fixed in a recent version of Directory Connector. Update your application if you're still experiencing this error.

![Test sync results ](https://bitwarden.com/assets/5QYMxvtCPhjbluuoLcCapD/96e9c630ead9ceba5124b55f9d2764a3/dc-okta-test.png)

## Start automatic sync

Once [sync options](https://bitwarden.com/help/microsoft-entra-id/#configure-sync-options/) and [filters](https://bitwarden.com/help/microsoft-entra-id/#specify-sync-filters/) are configured and tested, you can begin syncing.
Complete the following steps to start automatic syncing with Directory Connector:

1. Open the Directory Connector [desktop app](https://bitwarden.com/help/directory-sync-desktop/).
2. Navigate to the **Dashboard** tab.
3. In the **Sync** section, select the **Start Sync** button. You may alternatively select the **Sync Now** button to execute a one-time manual sync.

Directory Connector will begin polling your directory based on the configured [sync options](https://bitwarden.com/help/microsoft-entra-id/#configure-sync-options/) and [filters](https://bitwarden.com/help/microsoft-entra-id/#specify-sync-filters/).

If you exit or close the application, automatic sync will stop. To keep Directory Connector running in the background, minimize the application or hide it to the system tray.

> [!NOTE] Teams Starter + BWDC
> If you're on the [Teams Starter](https://bitwarden.com/help/password-manager-plans/#teams-starter-organizations/) plan, you are limited to 10 members. Directory Connector will display an error and stop syncing if you try to sync more than 10 members.
>
> **This plan is no longer available for purchase**. This error does not apply to Teams plans.

--- URL: https://bitwarden.com/help/microsoft-sentinel-siem/ ---

# Microsoft Sentinel SIEM

Microsoft Sentinel is a security information and event management (SIEM) platform that can be used to monitor Bitwarden organizations. Organizations can monitor [event](https://bitwarden.com/help/event-logs/) activity with the Bitwarden Event Logs app on Microsoft Sentinel.

## Setup

To set up the Bitwarden integration, an active Azure account with access to a Microsoft Sentinel Workspace is required. Additionally, a Bitwarden [API key](https://bitwarden.com/help/public-api/#authentication/), which can only be retrieved by [organization owners](https://bitwarden.com/help/user-types-access-control/), is required.

## Install the Bitwarden app to your Microsoft Sentinel dashboard

The Bitwarden Event Logs application can be located in the [Microsoft Azure Marketplace](https://azuremarketplace.microsoft.com/en-us/marketplace/apps/8bit-solutions-llc.bitwarden-sentinel-integration?tab=Overview). To add the new application to your Workspace:

1. Choose the Bitwarden Event Logs plan from the dropdown menu and select **Create**.

   ![Bitwarden Event Logs marketplace app](https://bitwarden.com/assets/7mrbZU5XylvwS9muqfXOM7/5f1216a644693655e970e66deb7dfbc2/2024-10-08_16-20-06.png)

2. Complete the required fields and select the Workspace that will be monitoring Bitwarden organization data.
3. Once complete, select **Review + create**.

## Connect your Bitwarden Organization

Once the Bitwarden Event Logs app has been added to your Microsoft Sentinel Workspace, you can connect your Bitwarden organization using your Bitwarden [API key](https://bitwarden.com/help/public-api/#authentication/).

1. Return to the **Data connectors** screen and select the Bitwarden Event Logs app. Select **Open connector page**. If the Bitwarden Event Logs app is not visible, you may be required to select [refresh] **Refresh.**

   ![Microsoft Sentinel Bitwarden Event Logs app](https://bitwarden.com/assets/7CoeRtrpz1i7JbbF6Tm91e/a6e46ad19099681aa4b93cfc6fb9ed69/2024-10-08_12-45-04.png)

2. Keep this screen open. On another tab, log in to the Bitwarden web app and open the Admin Console using the product switcher:

   ![Product switcher](https://bitwarden.com/assets/2uxBDdQa6lu0IgIEfcwMPP/e3de3361749b6496155e25edcfdcf08b/2024-12-02_11-19-56.png)

3. Navigate to your organization's **Settings** → **Organization info** screen and select the **View API key** button. You will be asked to re-enter your master password in order to access your API key information.

   ![Organization api info](https://bitwarden.com/assets/6gHjAyqgeqDj6UPT6agsBK/3a614e043cb3836a41bd68f226835e53/2024-12-04_09-51-07.png)

4. Return to the Microsoft Sentinel tab. On the **Configuration** page, complete the following fields:

   | Field | Value |
   |------|------|
   | Bitwarden Identity URL | For Bitwarden cloud users, the default URL will be `https://identity.bitwarden.com` or `https://identity.bitwarden.eu`. For self-hosted Bitwarden users, input your self-hosted URL. For example, `https:///identity`. Be sure that the URL does not include any trailing forward slashes at the end of the URL "`/`". |
   | Bitwarden API URL | For Bitwarden cloud users, the default URL will be `https://api.bitwarden.com` or `https://api.bitwarden.eu`. For self-hosted Bitwarden users, input your self-hosted URL. For example, `https:///api`. Be sure that the URL does not include any trailing forward slashes at the end of the URL "`/`". |
   | Client ID | Input the value for `client_id` from the Bitwarden organization API key window. |
   | Client Secret | Input the value for `client_secret` from the Bitwarden organization API key window. |

   Select **Connect** once the required fields have been completed.

> [!NOTE] Org API information sensitive
> Your organization API key information is sensitive data. Do not share these values in nonsecure locations.

## Start monitoring event logs

> [!NOTE] Historic event data
> Historic event data is not available for the Bitwarden Event Logs app on Microsoft Sentinel at this time. Additionally, it may take up to 1 hour for the first events to appear in Microsoft Sentinel.

Bitwarden organization event logs can be viewed in Microsoft Sentinel using the `BitwardenEventLogs` query function.

1. From Microsoft Sentinel, select **Logs**. A New Query tab will be created. On the left-hand navigation, select **Functions** → **Workspace functions** → **BitwardenEventLogs**.
2. Before running the query, you may select a time frame and add specific parameters to the query. To begin the query, select **Run**.

![Microsoft Sentinel query](https://bitwarden.com/assets/38MLy3Ieg9nf3YH4s50R1K/d4b9f6df7e1e5e42bbe84a2bbaf5afa5/image_480-1.png)

Queries can be saved for future use.

![Microsoft Sentinel query result](https://bitwarden.com/assets/B1P94UrwYOysKWh28oHJp/f6ab59d7f240b0519922fba9d0723598/image__1_.png)

### Monitor using Workbooks

Workbooks can be used to review event logs and visualize data. Additionally, templates are included in the Bitwarden Event Logs Workbook for a pre-configured overview of available data. To access Workbooks, select **Workbooks** from the navigation and then **Templates**.

![Workbook templates](https://bitwarden.com/assets/4eh5nlRZ1TCptqg8Q8Yz3T/55e09959de52e396a69f17f5509fdccd/workbooks.png)

The Bitwarden Event Logs app will have three templates included by default. Select one of the templates and choose **View Template** to begin monitoring data.

![Included templates](https://bitwarden.com/assets/2UfrEiMzlyVJcJ7P9Exaub/9e0664475aa6b357b5a3710e6ac268b8/included_templates.png)

The dashboards include visualized data:

![Microsoft Sentinel dashboard view](https://bitwarden.com/assets/3Wf1N2jRun1kROxJnjGrMy/ebe3cb8fddff817e8a00b1f2666a3f0e/BitwardenEventLogsAuthenticationWhite1.png)

Continue scrolling the overview page for additional event log data:

![Bitwarden event log view](https://bitwarden.com/assets/6wGNTITmTwvrzJXIJSZxJA/500b34ddb453cb63036a995e3c3db5d0/BitwardenEventLogsAuthenticationWhite2.png)

--- URL: https://bitwarden.com/help/migration-script/ ---

# Migration Script

The [Bitwarden public API](https://bitwarden.com/help/public-api/) allows administrators to automate administrative tasks using scripts. The script documented in this article is written to help Bitwarden customers migrate their existing setup from a previous Bitwarden Password Manager environment into a new organization, providing a way to migrate organization vault data, groups, and associated groups' and members' permissions to a new installation.
The script is written in Python and can be run on any operating system with Python v3 installed. Download the script and an example configuration file [here](https://github.com/bitwarden-labs/admin-scripts/tree/main/Python/admin-tools).

## Installation and setup

### System requirements

Other than the default libraries shipped with most Python distributions (included by default on Linux and macOS, and [available](https://www.python.org/downloads/windows/) for Windows), this script requires an additional module called `requests` to be installed before the script can run successfully. A common tool to install Python modules is called pip. To install the module using pip:

```
pip3 install requests
```

> [!NOTE] pip vs pip3
> `pip3` - Some machines will have multiple versions of Python installed. Using `pip3`, instead of just `pip`, specifies that you install `requests` with Python v3. If your machine only has one Python version installed, use `pip` instead.

### Required files

The above download contains two files:

- `bwAdminTools.py`: This is the script you will need to execute migration. It requires a fully-configured configuration file.
- `config-example.cfg`: This is the configuration file required for migration, which you will need to create and set up before running the script.

Unpack the `.zip` and save these files to the same directory. Once you do, add the following files to the same directory:

- Bitwarden Password Manager [CLI native executable](https://bitwarden.com/help/cli/#download-and-install/).

### Create destination organization

Before you can continue, you must create the destination organization that you'll be migrating to. [Learn how to create an organization](https://bitwarden.com/help/about-organizations/#create-an-organization/).

> [!NOTE] Invite users prior to migration
> We recommend inviting users prior to running the migration script. Users must be in at least an invited state in order to migrate group and permissions settings.

### Migrate with Self-hosted Instance

If your organization license originated from the US cloud server, and the self-hosted instance was enabled using US cloud credentials, the following steps will be required in order to migrate the self-hosted instance and organization credentials to the EU:

1. Instruct all organization members to [export their individual vaults](https://bitwarden.com/help/export-your-data/#export-an-individual-vault/).

   > [!TIP] For C2C migration, download attachments
   > Individually download any file attachments for vault items and note which items they belong to.

2. [Request a new installation Id and Key](https://bitwarden.com/host/). Be sure to set the **Data Region** to the destination you wish to migrate the Bitwarden instance to.
3. Access the `./bwdata/env/global.override.env` file on your self-hosted instance. Update the environment variables following the example [here](https://bitwarden.com/help/server-geographies/#connect-your-self-hosted-server/).
4. Log in and access the cloud organization and download a new subscription license file using the new EU or US Installation Id.
5. Create a new organization on the self-hosted instance. Manually apply the new subscription license file to the newly created organization. The subscription license **cannot be applied to an existing organization** on the self-hosted instance.
6. Set up your new organization, configuring things like enterprise policies, login with SSO, constructing group-collection relationships, and inviting users with Directory Connector or SCIM. For help, refer to the [Proof-of-Concept Checklist](https://bitwarden.com/help/proof-of-concept/).
7. Instruct organization members to import their individual vaults.

### Environment configuration

Before running any `bwAdminTools.py` [script functions](https://bitwarden.com/help/migration-script/#script-functions/), you will need to create a configuration file.
Copy the contents of `config-example.cfg` into a new `config.cfg` file in the same directory, and fill in the following variables. Note that, as this is a migration script, variables are broken into **Source** and **Destination** groupings in this documentation:

| Source organization variable | Variable description |
|------|------|
| bw_vault_uri= | FQDN of your source web vault, e.g. https://company.bitwarden.com if you're self-hosting or https://vault.bitwarden.com if you're using US-based Bitwarden cloud services. |
| bw_org_client_id= | Source organization API key client ID. [Learn where to find it](https://bitwarden.com/help/public-api/#authentication/). |
| bw_org_client_secret= | Source organization API key client secret. [Learn where to find it](https://bitwarden.com/help/public-api/#authentication/). |
| bw_org_id= | Source organization's GUID. Copy the `_client_id=` value and remove the `organization.` piece. |
| bw_acc_client_id= | Source organization admin's or owner's personal API key client ID. [Learn where to find it](https://bitwarden.com/help/personal-api-key/#get-your-personal-api-key/). |
| bw_acc_client_secret= | Source organization admin's or owner's personal API key client secret. [Learn where to find it](https://bitwarden.com/help/personal-api-key/#get-your-personal-api-key/). |

| Destination organization variable | Variable description |
|------|------|
| dest_bw_vault_uri= | FQDN of your destination web vault, e.g. https://company.bitwarden.com if you want to self-host or https://vault.bitwarden.eu if you want to use EU-based Bitwarden cloud services. |
| dest_bw_org_client_id= | Destination organization API key client ID. [Learn where to find it](https://bitwarden.com/help/public-api/#authentication/). |
| dest_bw_org_client_secret= | Destination organization API key client secret. [Learn where to find it](https://bitwarden.com/help/public-api/#authentication/). |
| dest_bw_org_id= | Destination organization's GUID. Copy the `_client_id=` value and remove the `organization.` piece. |
| dest_bw_acc_client_id= | Destination organization admin's or owner's personal API key client ID. [Learn where to find it](https://bitwarden.com/help/personal-api-key/#get-your-personal-api-key/). |
| dest_bw_ac_client_secret= | Destination organization admin's or owner's personal API key client secret. [Learn where to find it](https://bitwarden.com/help/personal-api-key/#get-your-personal-api-key/). |

Once you've set up these variables, you're ready to start migration using the `bwAdminTools.py` [script functions](https://bitwarden.com/help/migration-script/#script-functions/).

## Script Functions

From the directory where you've stored your `bwAdminTools.py` file, `config.cfg` file, and Password Manager CLI executable, you can run the following commands:

> [!NOTE] Python3 vs python
> `python3` - Some machines will have multiple versions of Python installed. Using `python3`, instead of just `python`, specifies that commands run with Python v3. If your machine only has one Python version installed, use `python` instead. Some distributions will also have a `python` instead of `python3` binary for v3.

- To print script helper text:

  ```
  python3 bwAdminTools.py -h
  ```

- To compare source and destination organizations:

  ```
  python3 bwAdminTools.py -c diffbw
  ```

- To migrate organization vault data, groups, and groups' permissions from a source organization to a destination organization:

  ```
  python3 bwAdminTools.py -c migratebw
  ```

  Users must be in at least an invited state in the destination organization for `migratebw` to be successful.

- To migrate members' permissions (outside of groups) from a source organization to a destination organization:

  ```
  python3 bwAdminTools.py -c migratebwusers
  ```

  Users must be in at least an invited state in the destination organization for `migratebwusers` to be successful.
- To delete all collections from the source organization: ``` python3 bwAdminTools.py -c purgecol ``` - To delete all collections from the destination organization: ``` python3 bwAdminTools.py -c purgecoldest ``` - To delete all groups from the source organization: ``` python3 bwAdminTools.py -c purgegroup ``` - To delete all groups from the destination organization: ``` python3 bwAdminTools.py -c purgegroupdest ``` --- URL: https://bitwarden.com/help/migration/ --- # Migrate to a New Server This article will walk you through procedures for transitioning from cloud to self-hosted, from self-hosted to cloud, and from one self-hosted server to another: ### Cloud to self-hosted To migrate from the cloud to a self-hosted server: 1. [Install and deploy](https://bitwarden.com/help/install-on-premise-linux/) Bitwarden to your server. At a high-level, this procedure involves: 1. [Configuring a domain](https://bitwarden.com/help/install-on-premise-linux/#configure-your-domain/) for Bitwarden. 2. Installing [Docker and Docker Compose](https://bitwarden.com/help/install-on-premise-linux/#install-docker-and-docker-compose/). 3. Running the [installation shell script](https://bitwarden.com/help/install-on-premise-linux/#install-bitwarden/). 4. [Configuring your environment](https://bitwarden.com/help/install-on-premise-linux/#configure-your-environment/) to setup the admin portal, an SMTP server connection, and more. 2. Start your server by running `./bitwarden.sh start`. 3. Open the cloud web vault and [download your license](https://bitwarden.com/help/licensing-on-premise/). > [!NOTE] license files > There are separate files for an [organization license](https://bitwarden.com/help/licensing-on-premise/#organization-license/) and an [individual license](https://bitwarden.com/help/licensing-on-premise/#individual-license/). 
   > **You don't need both license files.** If you are migrating an organization, you only need to retrieve the organization license and must be an [organization owner](https://bitwarden.com/help/user-types-access-control/) to do so.

4. Still in the cloud web vault, [export your individual vault data](https://bitwarden.com/help/export-your-data/#export-an-individual-vault/), [export your organization vault data](https://bitwarden.com/help/export-your-data/#export-an-organization-vault/), or [secrets data](https://bitwarden.com/help/export-secrets-data/). If you are migrating an organization, encourage your end-users to export their individual vaults as well.
5. Open your self-hosted web vault and create an account. This account **must use the same email address** as the cloud account you downloaded the license with.
6. Still in your self-hosted web vault, upload your [license](https://bitwarden.com/help/licensing-on-premise/).

   > [!NOTE] Organization and individual license locations
   > There are separate locations in which to upload an [organization license](https://bitwarden.com/help/licensing-on-premise/#organization-license/) or an [individual license](https://bitwarden.com/help/licensing-on-premise/#individual-license/). As before, only upload the one that's relevant for you.

7. Still in the self-hosted web vault, import your [individual vault data](https://bitwarden.com/help/import-data/), [organization vault data](https://bitwarden.com/help/import-to-org/), or [secrets data](https://bitwarden.com/help/import-secrets-data/).

   > [!NOTE] Organization collections
   > Importing data to an organization will automatically re-create your [collections](https://bitwarden.com/help/about-collections/) and add the relevant vault items to them.

#### Organizations-only next steps

If you are migrating an organization to a self-hosted server, continue with the following steps:

1. (**Enterprise organizations only**) Re-implement your [enterprise policy](https://bitwarden.com/help/policies/) specifications and/or configure [login with SSO](https://bitwarden.com/help/about-sso/).
2. Manually [re-create user groups](https://bitwarden.com/help/about-groups/#create-a-group/) in your self-hosted web vault and assign them to the proper collections.
3. Start [inviting users to your organization](https://bitwarden.com/help/managing-users/#invite/) manually or using [directory connector](https://bitwarden.com/help/directory-sync/).

### Self-hosted to cloud

To migrate from a self-hosted server to the cloud:

1. Create a full backup of the `./bwdata` directory of your self-hosted Bitwarden server. In particular, you will need access to `./bwdata/core/attachments` to manually upload [file attachments](https://bitwarden.com/help/attachments/) to the cloud (**Step 5**).

   > [!NOTE] Self-hosted to cloud personal vaults
   > If users are exporting their individual vaults over a period of time, you may need to re-sync the items from your `./bwdata/core/attachments` directory to your backup location and upload any new items in the event that they change during the cut-over period.

2. In your self-hosted web vault, [export your individual vault data](https://bitwarden.com/help/export-your-data/#export-an-individual-vault/) or [export your organization vault data](https://bitwarden.com/help/export-your-data/#export-an-organization-vault/). If you are migrating an organization, encourage your end-users to export their individual vaults as well.
3. Open the cloud web vault. Most users will have previously created cloud accounts for billing purposes, so log in to that account. If you were previously a free user without a cloud account for billing, create an account now.

   > [!NOTE] migrating existing organization.
   > If you are migrating an organization, you will already have a cloud organization established for billing and licensing purposes. For the smoothest transition, we recommend using this already-established organization rather than [creating a new one](https://bitwarden.com/help/about-organizations/#create-an-organization/).

4. Still in the cloud web vault, import data to your [individual vault](https://bitwarden.com/help/import-data/) or [organization vault](https://bitwarden.com/help/import-to-org/).

   > [!NOTE] Importing data collection functionality
   > Importing data to an organization will automatically re-create your [collections](https://bitwarden.com/help/about-collections/) and add the relevant vault items to them.

5. Manually upload [file attachments](https://bitwarden.com/help/attachments/) to your individual or organization vault.

#### Organizations-only next steps

If you are migrating an organization to the cloud, continue with the following steps:

1. (**Enterprise organizations only**) Re-implement your [enterprise policy](https://bitwarden.com/help/policies/) specifications and/or configure [login with SSO](https://bitwarden.com/help/about-sso/).
2. Manually [re-create user groups](https://bitwarden.com/help/about-groups/#create-a-group/) in the cloud and assign them to the proper collections.
3. Start [inviting users to your organization](https://bitwarden.com/help/managing-users/#invite/) manually or using [directory connector](https://bitwarden.com/help/directory-sync/).

### Host to host

> [!TIP] Host to host is only for linux
> These instructions are currently only for migration from one Linux self-hosted server to another Linux self-hosted server.

To migrate from one self-hosted Bitwarden server to another:

1. Stop your existing Bitwarden server by running `./bitwarden.sh stop`. When you run this command, Bitwarden will go down for anyone currently using it.
2. Make a full copy of the `./bwdata` directory of the **old** server. This copy will be used to recreate your configuration, database, attachments, and more, for the new server.
3. [Install and deploy](https://bitwarden.com/help/install-on-premise-linux/) Bitwarden to your new server.
4. Once the new Bitwarden server is set up, replace the newly-created `./bwdata` directory with the copy from the old server.
5. Print the new Bitwarden server's UID by running `id -u bitwarden`.
6. Open the file `./bwdata/env/uid.env` and check that the listed values match what was printed in the previous step. If they do not match, replace **both** values with the result of `id -u bitwarden`.
7. If you specified a different server domain during **Step 2**, edit the following:
   - In `./bwdata/config.yml`, change the `url:` value to the new domain.
   - In `./bwdata/env/global.override.env`, change `globalSettings__baseServiceUri__vault=` to the new domain.
8. Run `./bitwarden.sh rebuild` to apply changes to `config.yml` and `global.override.env`.
9. Start your Bitwarden server with `./bitwarden.sh start`.

### Cloud to cloud

To migrate from one Bitwarden cloud server to another, for example, from a [US server to EU server](https://bitwarden.com/help/server-geographies/):

1. [Export your organization vault](https://bitwarden.com/help/export-your-data/#export-an-organization-vault/) and instruct all organization members to [export their individual vaults](https://bitwarden.com/help/export-your-data/#export-an-individual-vault/).

   > [!TIP] For C2C migration, download attachments
   > Individually download any file attachments for vault items and note which items they belong to.

2. Create a new Bitwarden account in the desired region and start a trial organization. Bitwarden support will be able to migrate your subscription to the new region (see **Step 4**).
3. Set up your new organization, configuring things like enterprise policies, login with SSO, constructing group-collection relationships, and inviting users with Directory Connector or SCIM. For help, refer to the [Proof-of-Concept Checklist](https://bitwarden.com/help/proof-of-concept/).
4. [Contact Bitwarden support](https://bitwarden.com/contact/) to move your new organization off of trial and resume your subscription in your new region.
5. Import your organization vault data obtained in **Step 1**, and instruct organization members to import their individual vaults as well.

   > [!TIP] For C2C migrations, upload attachments
   > Manually upload the file attachments obtained in **Step 1** back to the vault items they were associated with.

### Migration FAQs

**Q: Do I need to migrate?**

**A:** Migrating regions is not required. The region selector allows organizations to specify the geographic location of vault data. Features and functions are identical across regions.

**Q: Is there a process for migrating?**

**A:** Bitwarden regions are distinct cloud environments. Bitwarden cannot migrate accounts from one region to another for customers. A script is available for organizations to help facilitate migrations. Subscriptions can be transferred from one region to another region by [contacting us](https://bitwarden.com/contact/).

**Q: What does the migration script do?**

**A:** The script works with the Bitwarden CLI to move data from one installation to another. Instructions are available in [this article](https://bitwarden.com/help/migration-script/). This script migrates all organization vault data, including attachments, as well as member roles (excluding the custom role), and collections permissions assigned both to members and groups. The script also automatically recreates your groups in the new organization if you’re not using directory integration for automatic provisioning. Note that this does not include the migration of individual user vaults.

**Q: What does a manual migration look like?**

**A:** A complete manual migration involves creating a new account in the preferred region and beginning the new organization creation process.
Once the new organization is configured, re-invite users, and then export vault data from your old organization and import into the new one. Users will need to manually export/import their individual vaults.

--- URL: https://bitwarden.com/help/monitoring-event-logs/ ---

# Monitoring Event Logs

Event monitoring with SIEM (security information and event management) integration is an important tool for monitoring your organization to maintain best security practices and ensure compliance. The following sections highlight several monitoring reference points that will provide increased observability of your Bitwarden solutions. This monitoring includes enabling insights into user actions in the vault, and providing examples of targets for automated alerting. These events have been selected from the [Bitwarden Event logs](https://bitwarden.com/help/event-logs/).

By configuring a combination of instant alerts with alerting-over-time against the events that matter to your business, you will be able to audit your organization's use of Bitwarden in accordance with your unique security landscape.

## Understanding Logs

Various SIEM platforms integrate with Bitwarden to review critical information on day-to-day vault usage.

![Panther JSON Object](https://bitwarden.com/assets/1wHDe1snFJ4NB1G13VBUBC/71def83a275e8bf25e25488b872a02f0/Header_object.png)

SIEM event monitoring platforms will provide specific fields which should be monitored to maintain high security standards:

| Value | Description |
|------|------|
| `actingUserEmail` | The email of the user performing the action. |
| `actingUserId` | Unique ID of the user performing the action. |
| `actingUserName` | Name of the user performing the action. |
| `collectionId` | Organization collection ID. |
| `device` | Numerical ID of the device. Exact mapping can be located [here](https://github.com/bitwarden/server/blob/d50ad97e6eeb733af9c069a949939b0567ba936d/src/Core/Enums/DeviceType.cs#L4). |
| `ipAddress` | The IP address that performed the event. |
| `itemId` | Vault item (cipher, secure note, etc.) of the organization vault. |
| `policyId` | Organization policy update. See organization events [here](https://bitwarden.com/help/event-logs/#organization-events/). |

## Concerning trends

Tracking Bitwarden usage trends can identify questionable activity or potential security threats:

#### Abnormal rate of failed login attempts

- Failed login attempts
  - `1005` Login attempt failed with incorrect password
  - `1006` Login attempt failed with incorrect two-step login

#### Abnormal rate of viewing sensitive or hidden fields

- Viewing item
  - `1107` Viewed item `item-identifier`
  - `1108` Viewed password for item `item-identifier`
  - `1109` Viewed hidden field for item `item-identifier`
  - `1110` Viewed security code for item `item-identifier`
- Copying item fields
  - `1111` Copied password for item `item-identifier`
  - `1112` Copied security code for item `item-identifier`

## Usage trends

Monitor usage trends to identify users engaging with Bitwarden and maintaining security practices:

#### Monitor user frequency

- Vault usage
  - `1000` Logged in
  - `1010` User requested [device approval](https://bitwarden.com/help/approve-a-trusted-device/)

## Critical vault actions

Specific events may be monitored in order to track critical actions made by high-level users, or changes made to critical vault items:

#### Super-user activities

- Individual account activity
  - `1000` Logged in
  - `1001` Changed account password
  - `1002` Enabled/updated two-step login
  - `1003` Disabled two-step login
  - `1007` User exported their individual vault items
  - `1603` Organization vault access by a managing [provider](https://bitwarden.com/help/providers/)
- Organization activities
  - `1500` Invited user `user-identifier`
  - `1501` Confirmed user `user-identifier`
  - `1502` Edited user `user-identifier`
  - `1504` Edited groups for user `user-identifier`
  - `1511` Revoked organization access for user `user-identifier`
  - `1512` Restored organization access for `user-identifier`
  - `1513` Approved device for `user-identifier`
  - `1600` Edited organization settings
  - `1609` Modified collection management setting
  - `1700` Modified policy `policy-identifier`
  - `2001` Removed domain `domain-name`
- Exporting organization vault information
  - `1602` Exported organization vault

#### Critical item activities

- Changes made to items that have been identified to be critical
  - `1101` Edited item `item-identifier`
  - `1105` Moved item `item-identifier` to an organization
  - `1106` Edited collections for item `item-identifier`
  - `1107` Viewed item `item-identifier`
  - `1108` Viewed password for item `item-identifier`
  - `1109` Viewed hidden field for item `item-identifier`
  - `1110` Viewed security code for item `item-identifier`
  - `1111` Copied password for item `item-identifier`
  - `1112` Copied hidden field for item `item-identifier`
  - `1113` Copied security code for item `item-identifier`
  - `1114` Autofilled item `item-identifier`
  - `1117` Viewed card number for item `item-identifier`

--- URL: https://bitwarden.com/help/my-account-was-recovered/ ---

# My Account Was Recovered

If you are an organization member whose master password was [reset by an administrator](https://bitwarden.com/help/recover-a-member-account/), you'll receive an email from Bitwarden to inform you that **your admin has initiated account recovery**. When you receive this email:

1. Reach out to your admin, if they haven't already reached out to you, to obtain your new temporary master password. Use a secure channel like [Bitwarden Send](https://bitwarden.com/help/create-send/) to receive the temporary master password.
2. Log in to the Bitwarden web app using that temporary master password.
   Before you can access your items, you'll be prompted to set a new master password:

   ![Update your master password](https://bitwarden.com/assets/rNAgMVW0w9f6rZ8ygEpwO/5e3820246b6b27783374ee772185fe09/2025-09-08_13-13-02.png)

You are required to update your master password after a reset because a master password should be **strong**, **memorable**, and something **only you** know.

--- URL: https://bitwarden.com/help/my-items/ ---

# My Items

**My items** is a location for organization members to store items that do not need to be shared with other users, while remaining under the ownership of the organization.

To enable the My items feature, organizations must turn on the [Enforce data ownership policy](https://bitwarden.com/help/policies/#enforce-organization-data-ownership/). Once the policy has been enabled, My items will be created in each organization member's vault, where organization-owned items can be stored and maintained.

> [!WARNING] Phases of My Items
> At this time, Bitwarden recommends only organizations that have not started onboarding members to turn on the [Enforce organization data ownership policy](https://bitwarden.com/help/policies/#enforce-organization-data-ownership/).
>
> If your organization activated the policy before version [2025.11.0](https://bitwarden.com/help/releasenotes/), **My items** will be created for members confirmed since that release. Preexisting members will not have **My items** and can continue using their **My vault**. A future release will allow organizations that already began onboarding members and use individually-owned vaults to migrate all credentials to organization ownership.

Once Enforce organization data ownership is activated by an admin or owner, **My items** will be added to all organization members' vaults.

- My items is a primary location for organization members to store their vault items.
- Vault items created and stored in My items will remain under the ownership of the organization.
- Users cannot assign My items to other organization members, and items shared in the organization cannot be moved to a user's My items.
- After an organization member account has been removed or deleted, management of the My items will be transferred to administrators. Additional information regarding My items after succession can be found [here](https://bitwarden.com/help/remove-users/).
- Items stored in My items are included in event log reporting.

## Use My items

My items is located within collections in each member's vault. My items stores vault items that users create for their individual work responsibilities, such as work-essential login credentials that are not intended to be shared with other organization members.

![My items location](https://bitwarden.com/assets/7f20Jamu35GDGYF4sOmsgn/ea93b8e238fc3345cd6db96e4c824779/2025-10-08_11-18-36.png)

Users cannot create, rename, or delete My items.

## Import to My items

Organization members may [import items](https://bitwarden.com/help/import-data/) into My items on any Bitwarden client by selecting **My items** from the **Collection** dropdown:

![Import to My items](https://bitwarden.com/assets/3PO3iAbypeTCIXsWCu2jQ2/846cb1ceb1c696ae549b2df413ff0801/2025-10-08_15-43-37.png)

> [!NOTE] My items imports ignore folders
> When you import a file to **My items**, any folder references within that file will not carry over. You can organize your imported data into [folders](https://bitwarden.com/help/folders/) after the import is complete.

## Save to My items

While the Enforce organization ownership policy is active, users who create new vault items may save them to My items. During item creation, My items will populate by default in the **Collections** field.

![Create new item for My items](https://bitwarden.com/assets/5Z9lis0vkv5MNSWWIy8XHW/476245dcbeec31c62d6c8881f4eb4586/2025-10-08_11-15-05.png)

## Transfer items

Enabling the Enforce organization ownership policy allows organization administrators to securely transfer member credentials during member succession. Credentials from removed or deleted users may be transferred to other collections. Learn more about [transferring items after employee off-boarding and succession](https://bitwarden.com/help/remove-users/).

--- URL: https://bitwarden.com/help/native-mobile-apps-release/ ---

# Native Mobile Apps

In a **future** release, Bitwarden Password Manager mobile apps downloaded via the Apple App Store and Google Play Store will be upgraded to [native mobile applications for iOS and Android](https://bitwarden.com/blog/native-mobile-apps/):

- Users who **install** Bitwarden after this release will always receive the new native application.
- Users who **already have Bitwarden installed** on their devices will have the new native application rolled out to them in phases.

> [!WARNING] OS support for native mobile apps
> Native mobile applications have stricter operating system requirements than Xamarin applications:
>
> - Android users must be on Version 10 or higher. Learn [how to check your Android version](https://support.google.com/android/answer/7680439?hl=en).
> - iOS users must be on iOS 15.0 or higher. Learn [how to check your iOS version](https://support.apple.com/en-us/109065).
>
> If your device does not meet these version requirements, your Bitwarden mobile app will remain at the latest version available before this change.

--- URL: https://bitwarden.com/help/new-device-verification/ ---

# New Device Login Protection

> [!NOTE] When device verification launches
> Beginning **May 28 2025**, all Bitwarden clients will be subject to new device login protection.
> To ensure a seamless login experience, please update your Bitwarden clients, as very old versions may not support this feature.

To keep your account safe and secure, Bitwarden requires additional verification **for users who do not use** [**two-step login**](https://bitwarden.com/help/setup-two-step-login/). After entering your Bitwarden master password, you will be prompted to enter a one-time verification code sent to your account email to complete the login process **when logging in from a device you have not logged in to previously**. For example, if you are logging in to a mobile app or a browser extension that you have used before, you will not receive this prompt.

Most users will not experience this prompt unless they are frequently logging into new devices. This verification is only needed for new devices or after clearing browser cookies.

If you regularly access your email, retrieving the verification code should be straightforward. If you prefer not to rely on your Bitwarden account email for verification, you can [set up two-step login](https://bitwarden.com/help/setup-two-step-login/) through an [Authenticator app](https://bitwarden.com/help/setup-two-step-login-authenticator/), a [hardware key](https://bitwarden.com/help/setup-two-step-login-yubikey/), or two-step login via a [different email](https://bitwarden.com/help/setup-two-step-login-email/).

## FAQs

### When did this happen?

Beginning **March 4 2025**, logins from new devices began to be prompted for this new verification. This change was initially only in the web app, then extended to other Bitwarden apps as users updated to the latest release versions.

### Why did Bitwarden implement this?

Bitwarden implemented this change to enhance security for users who don't have [two-step login](https://bitwarden.com/help/setup-two-step-login/) activated. If someone gains access to your password, they still won't be able to log into your account without secondary verification (the code sent to your email). This extra layer helps protect your data from hackers who often target weak or exposed passwords to gain unauthorized access.

### When will I get prompted for this verification?

You will only get prompted for this verification when logging in from new devices. If you’re logging into a device that you’ve used before, you will not be prompted.

### What is considered a new device?

A new device is any device that hasn't been previously used to log into your Bitwarden account. This could include a new phone, tablet, computer, or browser extension that you’ve never logged in from before. When you log in from a new device, you'll be asked to verify your identity via a one-time code sent to your email.

Other scenarios that count as a new device:

- Uninstalling and reinstalling the mobile app, desktop app, or browser extension.
- Clearing browser cookies, which initiates a new device for the web app, but not for browser extensions.
- Using the browser extension in a Virtual Desktop Infrastructure (VDI) that resets user profile storage after each session. In this scenario [local storage](https://bitwarden.com/help/data-storage/#on-your-local-machine/) is not persisted.

### My email credentials are saved in Bitwarden. Will I be locked out of Bitwarden?

Email verification codes will only be required on new devices for users that do not have two-step login enabled. You will not see this prompt on previously logged in devices and you will log in as normal with your account email and your master password.

If you are logging into a new device, your Bitwarden account email will receive a one-time verification code. If you have access to your email, for example a persistently logged-in email account on your mobile phone, then you will be able to grab the one-time verification code to log in. Once logged in to the new device, you will not be prompted again for the verification code.

If you regularly log into your email using credentials saved in Bitwarden or do not want to rely on your email for verification, you should [set up two-step login](https://bitwarden.com/help/setup-two-step-login/) that will be independent from the Bitwarden account email. This includes an authenticator app like the [Bitwarden Authenticator mobile app](https://bitwarden.com/help/bitwarden-authenticator/), security key, or email-based two-step login with a different email. Having any 2FA method active will opt the user out of the email-based new device verification. Users with 2FA active should also save their Bitwarden [recovery code](https://bitwarden.com/help/two-step-recovery-code/) in a safe place.

### Who is excluded from this account email-based new device verification?

The following categories of logins are excluded:

- Users who have [two-step login](https://bitwarden.com/help/setup-two-step-login/) set up are excluded.
- Users who log in with SSO, with a passkey, or with an API key are excluded.
- Self-hosted users are excluded.
- Users who log in from a device where they have previously logged in are excluded.
- Users whose accounts are less than 24 hours old are excluded.
- Users who opt-out from their **Settings** → **My account** screen are excluded (**Not recommended**).

### My organization uses SSO, do my users have to complete new device verification?

No. Users logging in with SSO are exempt and not asked to verify the login on a new device. However, if a user, without two-step login enabled, logs in with a username and password without going through SSO, they are asked to verify the new device.

### I do not want to share my real email with Bitwarden, how can I set up my account?

Users who want to remain anonymous have several options available:

- Use a [two-step login](https://bitwarden.com/help/setup-two-step-login/) option that doesn’t require an email, including an authenticator app, security key, or email-based two-step login with a different email.
- Use an email alias forwarding service.
- Self-host Bitwarden.

Bitwarden encourages users to have an active email, as Bitwarden sends important security alerts like failed login attempts.

### If I use the 2FA recovery code on a new device because I've lost my 2FA access, will I still be subject to this new device verification?

Bitwarden will be updating the recovery code flow so that when you submit your password and recovery code, you are logged into the web app and taken to your 2FA settings. If you are concerned about being locked out, you should **avoid** going through this flow in an incognito browser or on a device with unreliable internet connectivity to make sure you can complete any necessary setup steps in this logged in session.

### I want to opt-out! Is there an option to?

This is added security for users that do not have two-step login enabled. Users that do not have two-step login enabled are more vulnerable to unauthorized access by attackers because passwords can be compromised in multiple ways, even if they are strong and unique. For example, common methods include:

- **Phishing attacks:** Cybercriminals use deceptive emails or websites to trick you into revealing your password.
- **Social engineering:** Attackers may attempt to manipulate or deceive you into revealing your password through phone calls, texts, or other means.
- **Password cracking via brute-force attacks:** Attackers will use automated tools to repeatedly try guesses for the password.
- **Keylogging or malware:** If your device is infected with malware or a keylogger, attackers could record every keystroke you make—including your password—without your knowledge.

With new device verification, even if your password is compromised through one of the methods above, the attacker would still need to retrieve the second verification, which is the one-time code in your email. This significantly reduces the likelihood of unauthorized access.

New device verification is designed to be less intrusive than traditional two-step login. It only applies when logging in from a device or client you haven’t used before, so most users won’t experience this extra step, as they’re regularly logging in on their everyday devices. The verification process uses your email, which is something many people keep open on a phone or computer, so retrieving the code is quick and easy.

Users who may experience some challenges are those who do the following:

- Do not have two-step login enabled.
- Store their email password in Bitwarden.
- Constantly uninstall and reinstall Bitwarden.
- Log out of their email everywhere.

Only users that do all these things and match the conditions above will experience friction with this security update. If users do get locked out of their account, they can reach out to Customer Success at Bitwarden.

If users do not want new device verification, it is strongly recommended to turn on an alternate two-step login method (either via an authenticator app, hardware key, or a different email) to protect your account.

If users do not want new device verification, do not want to set up an alternate two-step login method, and **do not want any additional security on their account,** there is an option to opt-out by navigating to the **Settings** → **My account** screen and scrolling to the Danger Zone section. We must emphasize that this is **strongly not recommended**, as it leaves your account vulnerable to various attacks.
--- URL: https://bitwarden.com/help/non-native-siem/ --- # Non-native SIEM Bitwarden provides comprehensive event logging capabilities that enable integration with Security Information and Event Management (SIEM) platforms beyond the solutions for which official integrations are offered. This article provides guidance for integrating Bitwarden with those SIEM solutions, such as popular platforms like Datadog, etc. etc. ## Requirements To integrate Bitwarden with your SIEM platform, you will need: - A Bitwarden Teams or Enterprise plan (required for event logging and API access). - Administrative access to your Bitwarden organization via the admin, owner, or custom role. - Understanding of your SIEM platform's available data ingestion methods. ## Data access Bitwarden provides multiple methods for accessing data that may be relevant to your SIEM monitoring, allowing flexibility in how your platform ingests information: ### Public API access (**Recommended**) The Bitwarden Public API provides programmatic access to event logs through the `/events` endpoint. The API returns JSON-formatted event data that can be consumed by most modern SIEM platforms, and can be used to access more organization data than just events, including member information through the `/members` endpoint, group data through the `/groups` endpoint, and collection data through the `/collections` endpoint. [Learn more about the API](https://bitwarden.com/help/public-api/). ### CLI data extraction The Password Manager CLI can be used to extract additional data that may provide useful context to API-provided event analysis, for example using the `list` command to retrieve item data correlated to a member, group, or collection ID accessed from the API. [Learn more about the Password Manager CLI](https://bitwarden.com/help/cli/). ### Event exports For SIEM platforms that prefer file-based ingestion, Bitwarden allows manual exporting of event logs in .csv format. 
This method works well for batch processing scenarios and historical data analysis. [Learn more about exporting event logs](https://bitwarden.com/help/event-logs/#export-events/).

--- URL: https://bitwarden.com/help/november-deprecation-notice/ ---

# November Deprecation Notice

With the next release of Bitwarden (2022.11.0), planned for 11-16-2022, two endpoints of the Bitwarden server's API service will be deprecated. The function of the endpoints that will be deprecated will be taken over by endpoints in the Identity service.

The new endpoints, which will be used by Bitwarden clients of version 2022.11.0 and above, were added in server version 1.46.0. **This means that self-hosted servers running version 1.45.4 or any earlier version will not be compatible with 2022.11.0 clients.** [Learn how to check your server version.](https://bitwarden.com/help/versioning/)

We recommend [updating your self-hosted server](https://bitwarden.com/help/updating-on-premise/) prior to the release of 2022.11.0. If for any reason you cannot, [contact us](https://bitwarden.com/contact/).

> [!NOTE] Non-updated Server & Web Vault
> As the web vault is packaged with the server, the web vault will continue to work normally if you do not update your server.

--- URL: https://bitwarden.com/help/oidc-microsoft-entra-id/ ---

# Microsoft Entra ID OIDC

This article contains **Azure-specific** help for configuring Login with SSO via OpenID Connect (OIDC). For help configuring Login with SSO for another OIDC IdP, or for configuring Microsoft Entra ID via SAML 2.0, see [OIDC Configuration](https://bitwarden.com/help/configure-sso-oidc/) or [Microsoft Entra ID SAML Implementation](https://bitwarden.com/help/saml-microsoft-entra-id/).

Configuration involves working simultaneously within the Bitwarden web app and the Azure Portal. As you proceed, we recommend having both readily available and completing steps in the order they are documented.

## Open SSO in the web vault

Log in to the Bitwarden [web app](https://bitwarden.com/help/getting-started-webvault/) and open the Admin Console using the product switcher:

![Product switcher](https://bitwarden.com/assets/2uxBDdQa6lu0IgIEfcwMPP/e3de3361749b6496155e25edcfdcf08b/2024-12-02_11-19-56.png)

Select **Settings** → **Single sign-on** from the navigation:

![OIDC configuration](https://bitwarden.com/assets/51wSToXTHHVmBCrLrE8T0E/85aa432ea19eadf0195317f4f233e973/2024-12-04_09-41-46.png)

If you haven't already, create a unique **SSO identifier** for your organization. Otherwise, you don't need to edit anything on this screen yet, but keep it open for easy reference.

> [!TIP] Self-hosting, use alternative Member Decryption Options.
> There are alternative **Member decryption options**. Learn how to get started using [SSO with trusted devices](https://bitwarden.com/help/about-trusted-devices/) or [Key Connector](https://bitwarden.com/help/about-key-connector/).

## Create an app registration

In the Azure Portal, navigate to **Microsoft Entra ID** and select **App registrations**. To create a new app registration, select the **New registration** button:

![Create App Registration](https://bitwarden.com/assets/6NVeq0dGoBAO8bhhE3zvsC/d107017a0858a388fc8a9b5038942608/azure-newapp.png)

Complete the following fields:

![Register redirect URI](https://bitwarden.com/assets/fA8tUAnlBC3eu7oKUOi5c/59c6956688f8f6cf84e5a0c1127ccc51/Register_an_application.png)

1. On the **Register an application** screen, give your app a Bitwarden-specific name and specify which accounts should be able to use the application. This selection will determine which users can use Bitwarden login with SSO.
2. Select **Authentication** from the navigation and select the **Add a platform** button.
3. Select the **Web** option on the Configure platforms screen and enter your **Callback Path** in the Redirect URIs input.

> [!NOTE] Callback Path
> Callback Path can be retrieved from the Bitwarden SSO Configuration screen. For cloud-hosted customers, this is `https://sso.bitwarden.com/oidc-signin` or `https://sso.bitwarden.eu/oidc-signin`. For self-hosted instances, this is determined by your [configured server URL](https://bitwarden.com/help/install-on-premise-linux/#configure-your-domain/), for example `https://your.domain.com/sso/oidc-signin`.

### Create a client secret

Select **Certificates & secrets** from the navigation, and select the **New client secret** button:

![Create Client Secret](https://bitwarden.com/assets/7wGy3TYoN71TVlDkdvUIMe/5e8d221a695ab34232892b6b309838ed/azure-newcert.png)

Give the certificate a Bitwarden-specific name, and choose an expiration timeframe.

### Create admin consent

Select **API permissions** and click ✓ **Grant admin consent for {your directory}**. The only permission needed is added by default, Microsoft Graph > User.Read.

## Back to the web app

At this point, you have configured everything you need within the context of the Azure Portal. Return to the Bitwarden web app to configure the following fields:

| **Field** | **Description** |
|------|------|
| Authority | Enter `https://login.microsoftonline.com/<TENANT_ID>/v2.0`, where `TENANT_ID` is the **Directory (tenant) ID** value retrieved from the app registration's Overview screen. |
| Client ID | Enter the App registration's **Application (client) ID**, which can be retrieved from the Overview screen. |
| Client Secret | Enter the **Secret Value** of the [created client secret](https://bitwarden.com/help/oidc-azure/#create-a-client-secret/). |
| Metadata Address | For Azure implementations as documented, you can leave this field blank. |
| OIDC Redirect Behavior | Select either **Form POST** or **Redirect GET**. |
| Get Claims From User Info Endpoint | Enable this option if you receive URL too long errors (HTTP 414), truncated URLs, and/or failures during SSO. |
| Additional/Custom Scopes | Define custom scopes to be added to the request (comma-delimited). |
| Additional/Custom User ID Claim Types | Define custom claim type keys for user identification (comma-delimited). When defined, custom claim types are searched for before falling back on standard types. |
| Additional/Custom Email Claim Types | Define custom claim type keys for users' email addresses (comma-delimited). When defined, custom claim types are searched for before falling back on standard types. |
| Additional/Custom Name Claim Types | Define custom claim type keys for users' full names or display names (comma-delimited). When defined, custom claim types are searched for before falling back on standard types. |
| Requested Authentication Context Class Reference values | Define Authentication Context Class Reference identifiers (`acr_values`) (space-delimited). List `acr_values` in preference-order. |
| Expected "acr" Claim Value in Response | Define the `acr` Claim Value for Bitwarden to expect and validate in the response. |

When you are done configuring these fields, **Save** your work.

> [!TIP] Policies for SSO Guides
> You can require users to log in with SSO by activating the single sign-on authentication policy. Please note, this will require activating the single organization policy as well. [Learn more](https://bitwarden.com/help/policies/).

### Additional custom claim types

If your SSO configuration requires custom claim types, additional steps are required in order for Microsoft Entra ID to recognize the non-standard claims.

1. On Microsoft Entra ID, add a custom claim type by navigating to **Enterprise applications** → **App registrations** → **Token configuration**.
2. Select + **Add optional claim** and create a new optional claim with a selected value.

   ![Microsoft Entra ID custom claim](https://bitwarden.com/assets/2qFhIkcJvFpLLKyNEEJN5c/1e5477a6fe8cac0760eaa3897f0c208a/optional_claim_Entra.png)

3.
On the Bitwarden SSO configuration screen, enter the fully qualified path for a custom claim field in the corresponding **custom claim types** field. For example: `https://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn`. 4. Select **Save** once you have completed the configuration. ## Test the configuration Once your configuration is complete, test it by navigating to [https://vault.bitwarden.com](https://vault.bitwarden.com), entering your email address and selecting the **Use single sign-on** button: ![Log in options screen](https://bitwarden.com/assets/3BdlHeogd42LEoG06qROyQ/c68021df4bf45d72e9d37b1fbf5a6040/login.png) Enter the [configured organization identifier](https://bitwarden.com/help/configure-sso-saml/#step-1-enabling-login-with-sso/) and select **Log In**. If your implementation is successfully configured, you will be redirected to the Microsoft login screen: ![Azure login screen ](https://bitwarden.com/assets/j1YuXioPGFIwxsqfxCrpm/d0185848b3812c22940c6c5956e0b2be/az-login.png) After you authenticate with your Azure credentials, enter your Bitwarden master password to decrypt your vault! > [!NOTE] SSO must be initiated from Bitwarden > Bitwarden does not support unsolicited responses, so initiating login from your IdP will result in an error. The SSO login flow must be initiated from Bitwarden. ## Next steps 1. Educate your organization members on how to [use login with SSO](https://bitwarden.com/help/using-sso/). --- URL: https://bitwarden.com/help/oidc-okta/ --- # Okta OIDC This article contains **Okta-specific** help for configuring login with SSO via OpenID Connect (OIDC). For help configuring login with SSO for another OIDC IdP, or for configuring Okta via SAML 2.0, see [OIDC Configuration](https://bitwarden.com/help/configure-sso-oidc/) or [Okta SAML Implementation](https://bitwarden.com/help/saml-okta/). Configuration involves working simultaneously within the Bitwarden web app and the Okta Admin Portal. 
As you proceed, we recommend having both readily available and completing steps in the order they are documented.

## Open SSO in the web vault

Log in to the Bitwarden [web app](https://bitwarden.com/help/getting-started-webvault/) and open the Admin Console using the product switcher:

![Product switcher](https://bitwarden.com/assets/2uxBDdQa6lu0IgIEfcwMPP/e3de3361749b6496155e25edcfdcf08b/2024-12-02_11-19-56.png)

Select **Settings** → **Single sign-on** from the navigation:

![OIDC configuration](https://bitwarden.com/assets/51wSToXTHHVmBCrLrE8T0E/85aa432ea19eadf0195317f4f233e973/2024-12-04_09-41-46.png)

If you haven't already, create a unique **SSO identifier** for your organization. Otherwise, you don't need to edit anything on this screen yet, but keep it open for easy reference.

> [!TIP] Self-hosting, use alternative Member Decryption Options.
> There are alternative **Member decryption options**. Learn how to get started using [SSO with trusted devices](https://bitwarden.com/help/about-trusted-devices/) or [Key Connector](https://bitwarden.com/help/about-key-connector/).

## Create an Okta app

In the Okta Admin Portal, select **Applications** → **Applications** from the navigation. On the Applications screen, select the **Create App Integration** button. For Sign-on method, select **OIDC - OpenID Connect**. For Application type, select **Web Application**:

![Create App Integration](https://bitwarden.com/assets/7fGYbP4aawIh8eorrQF6b7/a52951b16123a3e2f4d7bb293ba22a20/okta-createapp.png)

On the **New Web App Integration** screen, configure the following fields:

| **Field** | **Description** |
|------|------|
| App integration name | Give the app a Bitwarden-specific name. |
| Grant type | Enable the following [grant types](https://developer.okta.com/docs/concepts/oauth-openid/#choosing-an-oauth-2-0-flow): - Client acting on behalf of itself → **Client Credentials** - Client acting on behalf of a user → **Authorization Code** |
| Sign-in redirect URIs | Set this field to your **Callback Path**, which can be retrieved from the Bitwarden SSO Configuration screen. For cloud-hosted customers, this is `https://sso.bitwarden.com/oidc-signin` or `https://sso.bitwarden.eu/oidc-signin`. For self-hosted instances, this is determined by your [configured server URL](https://bitwarden.com/help/install-on-premise/#configure-your-domain/), for example `https://your.domain.com/sso/oidc-signin`. |
| Sign-out redirect URIs | Set this field to your **Signed Out Callback Path**, which can be retrieved from the Bitwarden SSO Configuration screen. |
| Assignments | Use this field to designate whether all or only select groups will be able to use Bitwarden Login with SSO. |

Once configured, select the **Next** button.

### Get client credentials

On the Application screen, copy the **Client ID** and **Client secret** for the newly created Okta app:

![App Client Credentials](https://bitwarden.com/assets/6Q5iWqSrrXUp4s197bfyRt/d1d85d41c31ce60029d84fa6738372f8/okta-clientcredentials.png)

You will need to use both values [during a later step](https://bitwarden.com/help/oidc-okta/#back-to-the-web-vault/).

### Get authorization server information

Select **Security** → **API** from the navigation. From the **Authorization Servers** list, select the server you would like to use for this implementation. On the **Settings** tab for the server, copy the **Issuer** and **Metadata URI** values:

![Okta Authorization Server Settings](https://bitwarden.com/assets/7hUKbE9s9HGJUwbqC2W36u/11cee32a7b469a662ae35b9c3cc1a2ba/okta-authserver.png)

You will need to use both values [during the next step](https://bitwarden.com/help/oidc-okta/#back-to-the-web-vault/).

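Before entering these values in Bitwarden, it helps to confirm that the Issuer, Metadata URI, and Okta app settings collected above agree with each other. The following Python check is an added example, not Bitwarden or Okta code; the `example.okta.com` values, the layout of the `app` record, and the finding codes are constructed for illustration, and it also flags any sign-in redirect URI other than the Callback Path.

```python
from urllib.parse import urlsplit

# OAuth identifiers for the two grant types the page says to enable.
REQUIRED_APP_GRANTS = {"authorization_code", "client_credentials"}
ENDPOINT_KEYS = ("authorization_endpoint", "token_endpoint", "jwks_uri")

# Constructed sample values (example.okta.com is a placeholder tenant).
SAMPLE_ISSUER = "https://example.okta.com/oauth2/default"
SAMPLE_METADATA_URI = SAMPLE_ISSUER + "/.well-known/oauth-authorization-server"
SAMPLE_METADATA = {
    "issuer": SAMPLE_ISSUER,
    "authorization_endpoint": SAMPLE_ISSUER + "/v1/authorize",
    "token_endpoint": SAMPLE_ISSUER + "/v1/token",
    "jwks_uri": SAMPLE_ISSUER + "/v1/keys",
    "response_types_supported": ["code", "id_token", "token"],
}
CLOUD_CALLBACK = "https://sso.bitwarden.com/oidc-signin"  # value from the page
SAMPLE_APP = {  # hypothetical local record of what was entered in the Okta form
    "grant_types": ["authorization_code", "client_credentials"],
    "sign_in_redirect_uris": [CLOUD_CALLBACK],
}


def is_https(url):
    parts = urlsplit(url)
    return parts.scheme == "https" and bool(parts.netloc)


def check_okta_oidc(issuer, metadata_uri, metadata, app, callback_path):
    """Return (code, detail) findings; an empty list means the values agree.

    metadata is the parsed JSON document served at metadata_uri.
    """
    findings = []
    for name, url in (("issuer", issuer), ("metadata_uri", metadata_uri)):
        if not is_https(url):
            findings.append(("not-https", f"{name}: {url}"))

    # OpenID Connect Discovery requires the issuer in the metadata to be
    # identical to the configured one, so a trailing slash is a mismatch.
    published = metadata.get("issuer")
    if published != issuer:
        findings.append(("issuer-mismatch", f"entered {issuer!r}, metadata has {published!r}"))

    # The metadata document is expected under the issuer's .well-known path.
    if not metadata_uri.startswith(issuer.rstrip("/") + "/.well-known/"):
        findings.append(("metadata-not-under-issuer", metadata_uri))

    # Assumption for this check: every endpoint is HTTPS on the issuer's host.
    issuer_host = urlsplit(issuer).netloc.lower()
    for key in ENDPOINT_KEYS:
        endpoint = metadata.get(key)
        if endpoint is None:
            findings.append(("endpoint-missing", key))
        elif not is_https(endpoint) or urlsplit(endpoint).netloc.lower() != issuer_host:
            findings.append(("endpoint-off-issuer", f"{key}: {endpoint}"))

    if "code" not in metadata.get("response_types_supported", []):
        findings.append(("code-flow-unsupported", "response_types_supported lacks 'code'"))

    for grant in sorted(REQUIRED_APP_GRANTS - set(app.get("grant_types", []))):
        findings.append(("grant-missing", grant))

    # Redirect URIs are matched as exact strings; anything beyond the
    # Callback Path widens where authorization codes can be delivered.
    redirects = app.get("sign_in_redirect_uris", [])
    if callback_path not in redirects:
        findings.append(("callback-not-registered", callback_path))
    for uri in redirects:
        if uri != callback_path:
            findings.append(("redirect-uri-extra", uri))
    return findings


if __name__ == "__main__":
    result = check_okta_oidc(SAMPLE_ISSUER + "/", SAMPLE_METADATA_URI,
                             SAMPLE_METADATA, SAMPLE_APP, CLOUD_CALLBACK)
    for code, detail in result:
        print(f"{code}: {detail}")
```
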
## Back to the web app

At this point, you have configured everything you need within the context of the Okta Admin Portal. Return to the Bitwarden web app to configure the following fields:

| **Field** | **Description** |
|------|------|
| Authority | Enter the [retrieved Issuer URI](https://bitwarden.com/help/oidc-okta/#get-authorization-server-information/) for your Authorization Server. |
| Client ID | Enter the [retrieved Client ID](https://bitwarden.com/help/oidc-okta/#get-client-credentials/) for your Okta app. |
| Client Secret | Enter the [retrieved Client secret](https://bitwarden.com/help/oidc-okta/#get-client-credentials/) for your Okta app. |
| Metadata Address | Enter the [retrieved Metadata URI](https://bitwarden.com/help/oidc-okta/#get-client-authorization-server-information/) for your Authorization Server. |
| OIDC Redirect Behavior | Select **Redirect GET**. Okta currently does not support Form POST. |
| Get Claims From User Info Endpoint | Enable this option if you receive URL too long errors (HTTP 414), truncated URLs, and/or failures during SSO. |
| Additional/Custom Scopes | Define custom scopes to be added to the request (comma-delimited). |
| Additional/Custom User ID Claim Types | Define custom claim type keys for user identification (comma-delimited). When defined, custom claim types are searched for before falling back on standard types. |
| Additional/Custom Email Claim Types | Define custom claim type keys for users' email addresses (comma-delimited). When defined, custom claim types are searched for before falling back on standard types. |
| Additional/Custom Name Claim Types | Define custom claim type keys for users' full names or display names (comma-delimited). When defined, custom claim types are searched for before falling back on standard types. |
| Requested Authentication Context Class Reference values | Define Authentication Context Class Reference identifiers (`acr_values`) (space-delimited).
List `acr_values` in preference-order. |
| Expected "acr" Claim Value in Response | Define the `acr` Claim Value for Bitwarden to expect and validate in the response. |

When you are done configuring these fields, **Save** your work.

> [!TIP] Policies for SSO Guides
> You can require users to log in with SSO by activating the single sign-on authentication policy. Please note, this will require activating the single organization policy as well. [Learn more](https://bitwarden.com/help/policies/).

## Test the configuration

Once your configuration is complete, test it by navigating to [https://vault.bitwarden.com](https://vault.bitwarden.com), entering your email address and selecting the **Use single sign-on** button:

![Log in options screen](https://bitwarden.com/assets/3BdlHeogd42LEoG06qROyQ/c68021df4bf45d72e9d37b1fbf5a6040/login.png)

Enter the [configured organization identifier](https://bitwarden.com/help/oidc-okta/#/) and select **Log In**. If your implementation is successfully configured, you'll be redirected to the Okta login screen:

![Log in with Okta](https://bitwarden.com/assets/3Rh2Bg17sCE57xJsUKfqwN/4342c56fa656be94ef90dd620251a868/okta-login.png)

After you authenticate with your Okta credentials, enter your Bitwarden master password to decrypt your vault!

> [!NOTE] Okta bookmark app
> Bitwarden does not support unsolicited responses, so initiating login from your IdP will result in an error. The SSO login flow must be initiated from Bitwarden. Okta administrators can create an [Okta Bookmark App](https://support.okta.com/help/s/article/How-do-you-create-a-bookmark-app?language=en_US) that will link directly to the Bitwarden web vault login page.
>
> 1. As an admin, navigate to the **Applications** drop down located on the main navigation bar and select **Applications**.
> 2. Click **Browse App Catalog**.
> 3. Search for **Bookmark App** and click **Add Integration**.
> 4. Add the following settings to the application:
>
>    1.
Give the application a name such as **Bitwarden Login**.
>    2. In the **URL** field, provide the URL to your Bitwarden client such as `https://vault.bitwarden.com/#/login` or `your-self-hostedURL.com`.
> 5. Select **Done** and return to the applications dashboard and edit the newly created app.
> 6. Assign people and groups to the application. You may also assign a logo to the application for end user recognition. The Bitwarden logo can be obtained [here](https://github.com/bitwarden/brand/tree/master).
>
> Once this process has been completed, assigned people and groups will have a Bitwarden bookmark application on their Okta dashboard that will link them directly to the Bitwarden web vault login page.

--- URL: https://bitwarden.com/help/okta-directory/ ---

# Sync with Okta

This article will help you get started using Directory Connector to sync users and groups from your Okta directory to your Bitwarden organization.

## Create an Okta API token

Directory Connector requires knowledge of an Okta-generated token to connect to your directory. Complete the following steps to create and obtain an Okta API token for use by Directory Connector:

1. From your Okta Developer Console (`https://yourdomain-admin.okta.com`) navigate to **Security** → **API** → **Tokens**.
2. Select the **Create token** button and give your token a Bitwarden-specific name (for example, `bitwarden-dc`).
3. Copy the generated **Token value** to the clipboard.

> [!NOTE] Okta api token value
> Your token value will not be shown again. Paste it somewhere safe to prevent it from being lost.

## Connect to your directory

Complete the following steps to configure Directory Connector to use your Okta Directory:

1. Open the Directory Connector [desktop app](https://bitwarden.com/help/directory-sync-desktop/).
2. Navigate to the **Settings** tab.
3. From the **Type** dropdown, select **Okta**. The available fields in this section will change according to your selected type.
4.
Enter your Okta Organization URL in the **Organization URL** field (for example, `https://yourdomain.okta.com`).
5. Paste the API Token Value in the **Token** field.

## Configure sync options

> [!NOTE] Clear sync cache
> When you're finished configuring, navigate to the **More** tab and select the **Clear Sync Cache** button to prevent potential conflicts with prior sync operations. For more information, see [Clear Sync Cache](https://bitwarden.com/help/clear-sync-cache/).

Complete the following steps to configure the settings used when syncing using Directory Connector:

1. Open the Directory Connector [desktop app](https://bitwarden.com/help/directory-sync-desktop/).
2. Navigate to the **Settings** tab.
3. In the **Sync** section, configure the following options as desired:

| **Option** | **Description** |
|------|------|
| Interval | Time between automatic sync checks (in minutes). |
| Remove disabled users during sync | Check this box to remove users from the Bitwarden organization that have been disabled in your directory. |
| Overwrite existing organization users based on current sync settings | Check this box to always perform a full sync and remove any users from the Bitwarden organization if they are not in the synced user set. |
| More than 2000 users or groups are expected to sync | Check this box if you expect to sync 2000+ users or groups. If you don't check this box, Directory Connector will limit a sync at 2000 users or groups. |
| Sync users | Check this box to sync users to your organization. Checking this box will allow you to specify **User Filters**. |
| User Filter | See [Specify sync filters](https://bitwarden.com/help/okta-directory/#specify-sync-filters/). |
| Sync groups | Check this box to sync groups to your organization. Checking this box will allow you to specify **Group Filters**. |
| Group Filter | See [Specify sync filters](https://bitwarden.com/help/okta-directory/#specify-sync-filters/). |

### Specify sync filters

Use comma-separated lists to include or exclude based on user email or group name. Additionally, Okta APIs provide limited filtering capabilities for users and groups that may be used in Directory Connector filter fields. Consult Okta documentation for more information about using the `filter` parameter for [users](https://developer.okta.com/docs/api/resources/users#list-users-with-a-filter) and [groups](https://developer.okta.com/docs/api/resources/groups#filters).

#### User filters

##### Include/Exclude users by email

To include or exclude specific users based on email address:

```
include:joe@example.com,bill@example.com,tom@example.com
```

```
exclude:joe@example.com,bill@example.com,tom@example.com
```

##### Concatenate with `filter`

To concatenate a user filter with the `filter` parameter, use a pipe (`|`):

```
include:john@example.com,bill@example.com|profile.firstName eq "John"
```

```
exclude:john@example.com,bill@example.com|profile.firstName eq "John"
```

##### Use only `filter`

To use only the `filter` parameter, prefix the query with a pipe (`|`):

```
|profile.lastName eq "Smith"
```

#### Group filters

> [!NOTE] nested groups not supported okta
> Syncing nested groups is not supported by Okta.

##### Include/Exclude groups

To include or exclude groups by name:

```
include:Group A,Group B
```

```
exclude:Group A,Group B
```

##### Concatenate with `filter`

To concatenate a group filter with the `filter` parameter, use a pipe (`|`):

```
include:Group A|type eq "APP_GROUP"
```

```
exclude:Group A|type eq "APP_GROUP"
```

##### Use only `filter`

To use only the `filter` parameter, prefix the query with a pipe (`|`):

```
|type eq "BUILT_IN"
```

## Test connection

> [!TIP] BWDC connect to EU server.
> Before testing or executing a sync, check that Directory Connector is connected to the right cloud server (e.g. US or EU) or self-hosted server.
Learn how to do so with the [desktop app](https://bitwarden.com/help/directory-sync-desktop/#getting-started/) or [CLI](https://bitwarden.com/help/directory-sync-cli/#config/). To test whether Directory Connector will successfully connect to your directory and return the desired users and groups, navigate to the **Dashboard** tab and select the **Test Now** button. If successful, users and groups will be printed to the Directory Connector window according to specified [sync options](https://bitwarden.com/help/okta-directory/#configure-sync-options/) and [filters](https://bitwarden.com/help/okta-directory/#specify-sync-filters/): ![Test sync results](https://bitwarden.com/assets/6LbdKcCZucynwqW7eoOetT/331b88e5bc07cbe92f67a2a92f2d807d/dc-okta-test.png) ## Start automatic sync Once [sync options](https://bitwarden.com/help/okta-directory/#configured-sync-options/) and [filters](https://bitwarden.com/help/okta-directory/#specify-sync-filters/) are configured as desired, you can begin syncing. Complete the following steps to start automatic sync with Directory Connector: 1. Open the Directory Connector [desktop app](https://bitwarden.com/help/directory-sync-desktop/). 2. Navigate to the **Dashboard** tab. 3. In the **Sync** section, select the **Start Sync** button. You may alternatively select the **Sync Now** button to execute a one-time manual sync. Directory Connector will begin polling your directory based on the configured [sync options](https://bitwarden.com/help/okta-directory/#configured-sync-options/) and [filters](https://bitwarden.com/help/okta-directory/#specify-sync-filters/). If you exit or close the application, automatic sync will stop. To keep Directory Connector running in the background, minimize the application or hide it to the system tray. > [!NOTE] Teams Starter + BWDC > If you're on the [Teams Starter](https://bitwarden.com/help/password-manager-plans/#teams-starter-organizations/) plan, you are limited to 10 members. 
Directory Connector will display an error and stop syncing if you try to sync more than 10 members.
>
> **This plan is no longer available for purchase**. This error does not apply to Teams plans.

--- URL: https://bitwarden.com/help/okta-scim-integration/ ---

# Okta SCIM Integration

System for cross-domain identity management (SCIM) can be used to automatically provision and de-provision members and groups in your Bitwarden organization.

> [!NOTE] SCIM vs. BWDC
> SCIM integrations are available for **Teams and Enterprise organizations**. Customers not using a SCIM-compatible identity provider may consider using [Directory Sync](https://bitwarden.com/help/directory-sync/) as an alternative means of provisioning.

This article will help you configure a SCIM integration with Okta. Configuration involves working simultaneously with the Bitwarden web vault and Okta Admin Portal. As you proceed, we recommend having both readily available and completing steps in the order they are documented.

### Supported features

The following provisioning features are supported by this integration:

- **Push Users:** Users in Okta that are assigned to Bitwarden are added as users in Bitwarden.
- **Deactivate Users:** Users with the deactivated status will no longer have access to their assigned apps. Deactivating a user in Okta will change their Bitwarden status to revoked.
- **Delete user**: Users deleted in Okta will be moved to revoked status in the Bitwarden organization.

> [!NOTE] Suspended users Okta
> Choosing the suspended status for a user in Okta will **not** result in a revoked status in Bitwarden.

- **Push Groups:** Groups and their users in Okta can be pushed to Bitwarden.

> [!NOTE] SCIM Okta Support for Email Stuff
> Please note, Bitwarden does not support changing a user's email address once provisioned. Bitwarden also does not support changing a user's email address type, or using a type other than `primary`.
The values entered for email and username should be the same. [Learn more](https://bitwarden.com/help/about-scim/#required-attributes/).

## Enable SCIM

> [!NOTE] Self-hosting SCIM
> **Are you self-hosting Bitwarden?** If so, complete [these steps to enable SCIM for your server](https://bitwarden.com/help/self-hosting-scim/) before proceeding.

To start your SCIM integration, open the Admin Console and navigate to **Settings** → **SCIM provisioning**:

![SCIM provisioning](https://bitwarden.com/assets/6sw1kuK7GuZ3dfQkkbs6rV/a4f4e18e561733297338e4ed44c6ed8c/2024-12-03_15-25-46.png)

Select the **Enable SCIM** checkbox and take note of your **SCIM URL** and **SCIM API Key**. You will need to use both values in a later step.

## Add the Bitwarden app

In the Okta Admin Portal, select **Applications** → **Applications** from the navigation. On the Application screen, select the **Browse App Catalog** button:

![Browse App Catalog](https://bitwarden.com/assets/nBs4O5osFzxI0QCfQLpxx/c8232cb95494901d8c04e38efc1b3662/Screen_Shot_2022-08-29_at_11.43.30_AM.png)

In the search bar, enter `Bitwarden` and select **Bitwarden**:

![Bitwarden Okta App](https://bitwarden.com/assets/4I8U9GJFm2w25scodW6aHu/cff940398de8ba4e363b706a2fe98d9f/today1.png)

Select the **Add Integration** button to proceed to configuration.

### General settings

On the **General Settings** tab, give the application a unique, Bitwarden-specific label. Check the **Do not display application icon to users** and **Do not display application icon in Okta Mobile App** options and select **Done**.

## Setup provisioning

To set up provisioning, the following steps must be completed in the order presented.

### Provisioning settings

Open the **Provisioning** tab and select the **Configure API Integration** button. Once selected, Okta will list a few options for you to configure:

![Configure API Integration](https://bitwarden.com/assets/1vyUChnKJS2WM2V6u0gMGS/826c7a34f32cc9dc3b864a969d1b00c5/Screen_Shot_2023-02-06_at_1.39.09_PM.png)

1.
Check the **Enable API Integration** checkbox.
2. In the **Base URL** field, enter your SCIM URL, which can be found on the SCIM Provisioning screen ([learn more](https://bitwarden.com/help/okta-scim-integration/#enable-scim/)).
3. In the **API Token** field, enter your SCIM API Key ([learn more](https://bitwarden.com/help/okta-scim-integration/#enable-scim/)).

Once you are finished, use the **Test API Credentials** button to test your configuration. If it passes the test, select the **Save** button.

### Set Provisioning actions

After the provisioning settings step has been completed, navigate to the **Provisioning** → **To App** screen. Then, select the **Edit** button:

![Provisioning To App](https://bitwarden.com/assets/7HbSzaHxTZ8iddtJ3p0ATj/b24242f237309de4d51e1f7c943d7903/today3.png)

Enable, at a minimum, **Create Users** and **Deactivate Users**. Select **Save** when you are done.

## Assignments

Open the **Assignments** tab and use the Assign dropdown menu to assign people or groups to the application. Assigned users and groups will be automatically issued an invitation. Depending on your workflow, you may need to use the **Push Groups** tab to trigger group provisioning once they are assigned.

## Finish user onboarding

Now that your users have been provisioned, they will receive invitations to join the organization. Instruct your users to [accept the invitation](https://bitwarden.com/help/managing-users/#accept/) and, once they have, [confirm them to the organization](https://bitwarden.com/help/managing-users/#confirm/).

> [!NOTE] Invite/Accept/Confirm
> The Invite → Accept → Confirm workflow facilitates the decryption key handshake that allows users to securely access organization vault data.

--- URL: https://bitwarden.com/help/onboarding-and-succession/ ---

# Onboarding and Succession Guide

> [!NOTE]
> Read the full paper below or [download the PDF](https://start.bitwarden.com/hubfs/PDF/enterprise-password-management-throughout-employee-lifecycle.pdf).

## Password management to fit your business

Getting new employees up and running quickly drives productivity. Likewise, saying farewell properly drives assurance in the security of your business's systems and accounts. Whether your business leans towards consolidation and centralization, or prefers a flexible and dynamic environment, Bitwarden fits your needs.

This guide covers the Bitwarden approach to onboarding and succession planning for members of your organization, starting with our approach to the relationship between members and organizations, then covering the simplest use-cases for onboarding and succession, and finally moving on to the levers and options at your disposal to fit Bitwarden to your needs.

## The Bitwarden approach

The Bitwarden vision is to imagine a world where no one gets hacked. We carry this forward in our mission to help individuals and companies manage their sensitive information easily and securely. Bitwarden believes that:

- Basic password management for individuals can and should be **free**. We provide just that, a [basic free account for individuals](https://bitwarden.com/help/password-manager-plans/#free-individual/).
- Individuals and families should take an active role in their security using [TOTPs, emergency access, and other supporting security features](https://bitwarden.com/help/password-manager-plans/#premium-individual/).
- Organizations can greatly improve their security profile through [organizational password management and secure sharing](https://bitwarden.com/help/password-manager-plans/#bitwarden-business-plans/).

> [!NOTE]
> For Bitwarden, [different plans](https://bitwarden.com/help/password-manager-plans/) and options are connected and complementary, all originating in our vision of a hack-free world. Empowering everyone at work **and** at home with password management gets us one step closer to that goal.

A key aspect of Bitwarden is that, unlike many software applications, everything in every vault is [end-to-end encrypted](https://bitwarden.com/help/what-encryption-is-used/). To maintain this security model, every person using Bitwarden must have a unique account with a unique [master password](https://bitwarden.com/help/master-password/). Master passwords should be **strong** and **memorable**. Each user is in charge of their master password. Bitwarden is a zero-knowledge encryption solution, meaning that the team at Bitwarden, as well as Bitwarden systems themselves, have no knowledge of, way to retrieve, or way to reset any master password. ### Use Bitwarden anywhere Security everywhere means security anywhere, so the best password managers provide access across all your devices. Bitwarden supports a [range of client applications](https://bitwarden.com/download/), any of which can be connected to our cloud-hosted servers or a self-hosted server of your own: ![Bitwarden Clients/Servers ](https://bitwarden.com/assets/aONk4rWXWWHtOivPOt58m/e75d2f9876a86d7d9a81b7d9fd7182c3/bitwarden-clients-cloud-server.png) ### Users' individual vaults Anyone who creates a Bitwarden account will have their own individual vault. Accessible from any client application, individual vaults are unique to each user and only that user holds the key to access it, using a combination of their email address and master password. Personal accounts, and the individually-owned [vault items](https://bitwarden.com/help/managing-items/) stored therein, are the account owners responsibility. Organization [owners, admins, and managers](https://bitwarden.com/help/user-types-access-control/) cannot see any other user's individual vault by design, guaranteeing someone's individual vault data remains their own. 
![Personal Vaults](https://bitwarden.com/assets/211wU2Nguupsr80j2vCSRz/d157eca06fe478049a3386cbe5b7ce56/bitwarden-individual-personal-vault.png)

Families, Teams, and Enterprise organizations automatically provide members individually with premium features, like [emergency access](https://bitwarden.com/help/emergency-access/) and [encrypted attachment storage](https://bitwarden.com/help/attachments/), which they can choose to use.

Data in an individual vault belongs to the user. Individual vaults do not enable sharing; [organizations do](https://bitwarden.com/help/onboarding-and-succession/#bitwarden-organizations/).

> [!NOTE]
> **Why provide individual vaults by default?**
>
> Individual vaults are an instrumental component of the [Bitwarden approach](https://bitwarden.com/help/onboarding-and-succession/#the-bitwarden-approach/). Employees use a range of credentials every day, personally and professionally, and **habits formed in one area typically become habits in the other**. In our view, employees that use proper security practices in their personal lives will carry over that good behavior to their professional lives, **protecting your business** in the process.
>
> Using the same tool in both areas helps that habit form faster and easier. Enterprise organizations have the option to [configure policies](https://bitwarden.com/help/onboarding-and-succession/#enterprise-policies/), including to disable individual vaults.

## Bitwarden organizations

**Bitwarden organizations** add a layer of collaboration and sharing to password management for your team or enterprise, allowing you to securely share common information like office wifi passwords, online credentials, or shared company credit cards. Secure sharing through organizations is safe and easy.

![Organization Vault](https://bitwarden.com/assets/8wJfYqraeZpZLtfdsVRRF/f0eaf08e43e72d9ea4f728e2de197a1a/bitwarden-organization-collections.png)

Anyone can start an organization directly from the web app:

![New organization](https://bitwarden.com/assets/3eSqWiTIuPSFxXdo5AAjT9/248b0fa7bb381add0d71682acd244a63/2024-12-03_13-57-58.png)

Once created, you'll land in the Admin Console, which is the central hub for all things sharing and organization administration. Whoever launches the organization will be the [owner](https://bitwarden.com/help/user-types-access-control/), giving them full control to oversee the vault, to manage items, members, [collections](https://bitwarden.com/help/onboarding-and-succession/#collections/), and [groups](https://bitwarden.com/help/onboarding-and-succession/#groups/), to run reporting, and to configure settings like [policies](https://bitwarden.com/help/onboarding-and-succession/#enterprise-policies/):

![Free organization Admin Console](https://bitwarden.com/assets/hzBuypc5ISzqC3jUmYbea/edcb03ce3d3071cea4f9afb6c7f8eca9/2024-12-03_13-46-09.png)

### Collections

Bitwarden organizations manage members and data in a scalable and secure fashion. Managing members and data on an individual basis is inefficient for large businesses and can leave room for error. To solve this, organizations provide collections and [groups](https://bitwarden.com/help/onboarding-and-succession/#groups/).

**Collections** gather together logins, notes, cards, and identities for [secure sharing](https://bitwarden.com/help/sharing/) within an organization:

![Using Collections](https://bitwarden.com/assets/3dkYfn5K3E4t3Ts3Rs5At0/02954064a4a43a626f03fc9746db4006/collections-graphic-1.png)

### Onboarding members

Once your organization is established and collections are set up to store your data, owners and administrators should invite new members.
To ensure the security of your organization, Bitwarden applies a 3-step process for onboarding new members, [Invite](https://bitwarden.com/help/managing-users/#invite/) → [Accept](https://bitwarden.com/help/managing-users/#accept/) → [Confirm](https://bitwarden.com/help/managing-users/#confirm/).

Members can be onboarded using [SCIM](https://bitwarden.com/help/about-scim/), by syncing with a directory using [Directory Connector](https://bitwarden.com/help/directory-sync/), [directly from the web vault](https://bitwarden.com/help/managing-users/#onboard-users/), or through Just in Time (JIT) provisioning using [login with SSO](https://bitwarden.com/help/about-sso/).

#### Adding members

In the simplest cases, users can be added to your organization directly from the web app. When adding users, you can designate which [collections](https://bitwarden.com/help/onboarding-and-succession/#collections/) to grant them access to, which [role](https://bitwarden.com/help/onboarding-and-succession/#comprehensive-role--based-access-controls/) to give them, and more.

[Learn step-by-step how to add users to your organization](https://bitwarden.com/help/managing-users/#onboard-users/).

Once users are fully onboarded to your organization, you can assign access to your organization's vault data by assigning them to [collections](https://bitwarden.com/help/onboarding-and-succession/#collections/). Teams and Enterprise organizations can assign users to [groups](https://bitwarden.com/help/onboarding-and-succession/#groups/) for scalable permissions assignment, and construct group-collection associations instead of assigning access on the individual level.

> [!NOTE]
> For large organizations, [SCIM](https://bitwarden.com/help/about-scim/) and [Directory Connector](https://bitwarden.com/help/onboarding-and-succession/#directory-connector/) are the best ways to onboard and offboard users at scale.

#### Groups

Groups relate together individual users, and provide a scalable way to assign permissions including access to [collections](https://bitwarden.com/help/onboarding-and-succession/#collections/) and other [access controls](https://bitwarden.com/help/onboarding-and-succession/#comprehensive-role--based-access-controls/). When onboarding new users, add them to a group to have them automatically inherit that group's configured permissions:

![Using Collections with Groups](https://bitwarden.com/assets/2BrgW8B8pbDiVAKyoYnxjR/e9348006d33dbd3ad25b9a25a5a27095/collections-graphic-2.png)

#### Comprehensive role-based access controls

Bitwarden takes an enterprise-friendly approach to sharing at scale. Members can be added to the organization with [a number of different roles](https://bitwarden.com/help/user-types-access-control/), belong to different [groups](https://bitwarden.com/help/onboarding-and-succession/#groups/), and have those groups assigned to various [collections](https://bitwarden.com/help/onboarding-and-succession/#collections/) to regulate access. Among the available roles is a [custom role](https://bitwarden.com/help/user-types-access-control/#custom-role/) for granular configuration of administrative permissions.

### Deprovisioning users

At Bitwarden, we see sharing of credentials as a vital aspect of getting work done efficiently and securely. We also recognize that once a credential is shared, it is *technically* possible for the recipient to keep it. For that reason, secure onboarding using appropriate [role-based access controls](https://bitwarden.com/help/onboarding-and-succession/#comprehensive-role--based-access-controls/) and [implementing policies](https://bitwarden.com/help/onboarding-and-succession/#enterprise-policies/) plays an important role in facilitating secure succession.

There are a variety of tools provided by Bitwarden for tailoring your workflow and exercising more control over succession.
The following sections will describe a [basic succession workflow](https://bitwarden.com/help/onboarding-and-succession/#basic-deprovisioning/), which uses none of these tools, and some [advanced succession tactics](https://bitwarden.com/help/onboarding-and-succession/#advanced-deprovisioning/) frequently used by organizations:

### Basic deprovisioning

Deprovisioning users from Bitwarden involves removing users from your organization, and like onboarding can be done [directly from the web vault](https://bitwarden.com/help/managing-users/#deprovision-users/) or in automated fashion using [SCIM](https://bitwarden.com/help/about-scim/) or [Directory Connector](https://bitwarden.com/help/onboarding-and-succession/#directory-connector/).

Alice is a **User** in your organization, which is hosted on the Bitwarden cloud and uses company email addresses (e.g. `first-last@company.com`). Currently, this is how Alice uses Bitwarden:

| **Product area** | **Description** |
|------|------|
| **Client applications** | Uses Bitwarden on mobile and a browser extension personally and professionally, and the web vault for occasional organization-related work. |
| **Email & master password** | Logs in to Bitwarden using `alice@company.com` and `p@ssw0rD`. |
| **Personal items** | Stores assorted personal items, including logins and credit cards, in her personal vault. |
| **Two-step login** | Uses organization-wide [Duo 2FA](https://bitwarden.com/help/setup-two-step-login-duo/). |
| **Collections** | Alice has Manage collection permission for the "Marketing Credentials" collection, granting her the ability to manage many aspects of that collection. |
| **Shared items** | Created and shared several vault items that are owned by the organization and reside in her team's Collection. |

Once Alice is removed from your organization:

| **Product area** | **Description** |
|------|------|
| **Client applications** | Can continue to use any Bitwarden application to access her individual vault, however will lose access to organization-owned items, all collections, and all shared items. See the tip at the end of this section for information on local caching. |
| **Email & master password** | Can continue to log in using `alice@company.com` and `p@ssw0rD`, however since she won't have access to her `@company.com` inbox, she should be advised to change the email associated with her Bitwarden account. |
| **Individual items** | Will still be able to use her individual vault and access the items stored therein. |
| **Permissions in the organization** | Will **lose all permissions over and access to** anything related to the organization. |
| **Two-step login** | Won't be able to use organization Duo 2FA to access her vault, but can set up one of our free two-step login options or upgrade to premium for more. |
| **Created collections** | Alice's "Marketing Team" collection will be retained by organization owners and admins, who can assign a new user Manage collection permission. |
| **Shared items** | Ownership of collections and shared items **belongs to the organization**, so Alice will lose access to all these items despite having created them. |

> [!TIP] Remove Org Members + Caching
> Offline devices cache a read-only copy of vault data, including organizational vault data. Some clients may retain access to this read-only data for a short period of time after a member is deprovisioned. If you anticipate malicious exploitation of this, credentials the member had access to should be updated when you remove them from the organization.

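
The following is an added example, not Bitwarden code and not a call to any Bitwarden API, of building the list of credentials to update when a member is removed and of spotting collections left without a manager. The member names, collections, items, and the simplified permission labels (`manage`, `edit`, `view`) are constructed assumptions.

```python
"""Offboarding helper over a constructed model of groups, collections and items.

All data below is made-up sample data used to illustrate the access rules
described on this page; nothing here talks to a Bitwarden server.
"""
from collections import defaultdict

# Display-only nesting: child collection -> parent collection (constructed).
NESTING = {
    "Marketing Credentials/Social": "Marketing Credentials",
    "Marketing Credentials/Agency": "Marketing Credentials",
}

# Group -> members (constructed).
GROUP_MEMBERS = {
    "Marketing": {"alice@company.com", "bob@company.com"},
    "Engineering": {"carol@company.com"},
}

# (principal kind, principal, collection, simplified permission label)
ASSIGNMENTS = [
    ("member", "alice@company.com", "Marketing Credentials", "manage"),
    ("member", "bob@company.com", "Marketing Credentials/Agency", "manage"),
    ("group", "Marketing", "Marketing Credentials/Social", "edit"),
    ("group", "Marketing", "Office", "view"),
    ("group", "Engineering", "AWS Credentials", "manage"),
    ("group", "Engineering", "Office", "view"),
]

# Organization-owned item -> collections it lives in (at least one each).
ITEMS = {
    "Ad platform login": {"Marketing Credentials"},
    "Agency portal": {"Marketing Credentials/Agency"},
    "Brand social account": {"Marketing Credentials/Social"},
    "Office wifi": {"Office"},
    "AWS root account": {"AWS Credentials"},
    "Analytics dashboard": {"Marketing Credentials", "AWS Credentials"},
}


def effective_access(member):
    """Return {collection: {permissions}} held directly or through groups.

    NESTING is deliberately never consulted: a nested collection does not
    inherit access from its parent, so it must be assigned on its own.
    """
    groups = {g for g, members in GROUP_MEMBERS.items() if member in members}
    access = defaultdict(set)
    for kind, principal, collection, permission in ASSIGNMENTS:
        direct = kind == "member" and principal == member
        via_group = kind == "group" and principal in groups
        if direct or via_group:
            access[collection].add(permission)
    return dict(access)


def rotation_list(departing):
    """Items the member could read and so may still hold in a client cache.

    Any permission level counts here; a view-only item was still readable.
    Returns {item name: [collections that exposed it]}.
    """
    reachable = set(effective_access(departing))
    return {
        name: sorted(cols & reachable)
        for name, cols in sorted(ITEMS.items())
        if cols & reachable
    }


def collections_losing_manager(departing):
    """Collections where the departing member is the only 'manage' holder."""
    everyone = set().union(*GROUP_MEMBERS.values()) | {
        principal for kind, principal, _, _ in ASSIGNMENTS if kind == "member"
    }
    orphaned = []
    for collection, perms in effective_access(departing).items():
        if "manage" not in perms:
            continue
        still_managed = any(
            "manage" in effective_access(other).get(collection, set())
            for other in everyone - {departing}
        )
        if not still_managed:
            orphaned.append(collection)
    return sorted(orphaned)


if __name__ == "__main__":
    who = "alice@company.com"
    print(f"Credentials to update after removing {who}:")
    for item, via in rotation_list(who).items():
        print(f"  {item}  (via {', '.join(via)})")
    print("Collections needing a new manager:", collections_losing_manager(who))
```

In this sample, "Agency portal" stays off Alice's list even though its collection is nested under one she manages, because nesting grants no access.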
### Advanced deprovisioning

> [!WARNING] Accounts without MPs & TDE
> For member accounts that do not have master passwords as a result of [SSO with trusted devices](https://bitwarden.com/help/about-trusted-devices/):
>
> - [Removing them from your organization](https://bitwarden.com/help/remove-users/#remove-members-from-an-organization/) eliminates all access to their Bitwarden account unless they were previously assigned a master password using [account recovery](https://bitwarden.com/help/account-recovery/) and they log in with that master password at least once before being removed.
>
>   These users will not be able to re-join your organization unless the above steps are taken **before** they are removed from the organization. If they aren't, each removed user will be required to [delete their account](https://bitwarden.com/help/delete-your-account/#delete-a-personal-account/) and be issued a new invitation to create an account and join your organization.
> - [Revoking access to the organization](https://bitwarden.com/help/revoke-users/), but not removing them from the organization, will still allow them to log in to Bitwarden and access **only** their individual vault.

#### Claimed member accounts

When you claim a domain, any organization member accounts that have email addresses with a matching domain (e.g. `jdoe@mycompany.com`) will also be claimed by your organization. Claimed member accounts are functionally owned by the organization, meaning they can be outright deleted by organization administrators, instead of only being able to be removed from the organization.

Owners and admins can delete a claimed account from the Admin Console's **Members** page using the ⋮ menu:

![Delete claimed accounts](https://bitwarden.com/assets/6HUnGTfMstF4IasZcKBfdi/0d2dbd328ba4a006611576e7d91c70df/2025-01-14_10-45-56.png)

#### Administrative take-over

Using the [Master password reset policy](https://bitwarden.com/help/policies/#master-password-reset/), owners and admins in your organization can [reset a user's master password](https://bitwarden.com/help/account-recovery/) during succession.

Resetting a user's master password logs the user out of all active Bitwarden sessions and resets their login credentials to the ones specified by the administrator, meaning that administrator (and only that administrator) will have the keys to the user's vault data, including items in the individual vault. This vault takeover tactic is commonly used by organizations to ensure that employees don't retain access to individual vault items that may be work-related and can be used to facilitate audits of every credential an employee may have been using.

> [!NOTE] 2FA Admin takeover
> **Admin password reset does not bypass two-step login**. In many cases, we recommend using SSO as some IdPs will allow you to configure 2FA and 2FA bypass policies for your users.

#### Removing the individual vault

If your organization requires real-time control of all vault items, you can use the [Enforce organization data ownership policy](https://bitwarden.com/help/policies/#enforce-organization-data-ownership/) to require users to save all vault items to the organization. This will circumvent the need to take over and audit a user's account during succession, as it'll be completely empty of data once removed from the organization.

#### Login-less account deletion

As mentioned previously, removing a user from your organization does not automatically delete their Bitwarden account.
In the basic succession workflow, when a user is removed they can no longer access the organization or any shared items and collections, however they will still be able to log in to Bitwarden using their existing master password and access any individual vault items.

Organizations wanting to completely delete the account, including all individual vault items, may be able to use one of the following methods to do so during succession:

1. If you're self-hosting Bitwarden, an authorized admin can delete the account from the [System Administrator Portal](https://bitwarden.com/help/system-administrator-portal/).
2. If the account has an @yourcompany.com email address that your company controls, you can use the [delete without logging in](https://bitwarden.com/help/delete-your-account/#delete-a-personal-account/) workflow and confirm deletion within the @yourcompany.com inbox.

## Designing your organization for your business

At Bitwarden, we often say that password management is people management, and we can fit the workflows suited to your organization. By offering a wide range of options, shared via our open source approach, customers can rest assured that they can meet their own individual needs.

[Get started today](https://bitwarden.com/pricing/business/) with a free Enterprise or Teams trial.

### SCIM

For Enterprise organizations with large user-bases that operate using a supported identity provider (currently, Azure AD, Okta, OneLogin, and JumpCloud), SCIM integrations can be used to automatically provision members and groups in your Bitwarden organization. [Learn more](https://bitwarden.com/help/about-scim/).

### Directory Connector

For companies with large user-bases that operate using directory services (LDAP, AD, Okta, and others), Directory Connector can synchronize users and groups from the directory to the Bitwarden organization. Directory Connector is a stand-alone application that can be run anywhere with access to your directories and to Bitwarden.

![Directory Connector](https://bitwarden.com/assets/6kt3QORL97ZWxcZX2gicVl/038aaad07a9c4e00dd4cf7d6303d9578/bitwarden-directory-connector.png)

Many Bitwarden Teams and Enterprise organizations focus their onboarding efforts on the Directory Connector and use the organization vault administration areas to manage group-collection relationships.

Directory Connector will:

- Sync LDAP-based directory groups with Bitwarden groups
- Sync users within each group
- Invite new users to join the organization
- Remove deleted users from the organization

### Login with SSO

Bitwarden Enterprise organizations can integrate with your existing identity provider (IdP) using SAML 2.0 or OIDC to allow members of your organization to log in to Bitwarden using SSO. Login with SSO separates user authentication from vault decryption:

**Authentication** is completed through your chosen IdP and retains any two-factor authentication processes connected to that IdP.

**Decryption** of vault data requires the user's individual key, which is derived in part from the master password. There are two [decryption options](https://bitwarden.com/help/sso-decryption-options/), both of which will have users authenticate using their regular SSO credentials.

- **Master password**: Once authenticated, organization members will decrypt vault data using their [master passwords](https://bitwarden.com/help/master-password/).
- **Customer-managed encryption**: Connect login with SSO to your self-hosted decryption key server. Using this option, organization members won't need to use their master passwords to decrypt vault data. Instead, [Key Connector](https://bitwarden.com/help/about-key-connector/) will retrieve a decryption key securely stored in a database owned and managed by you.

- Leverage your existing identity provider.
- Protect the end-to-end encryption of your data.
- Provision users automatically.
- Configure access with or without SSO.
- Decrypt vault data according to your company's security needs.

### Enterprise policies

Enterprise organizations can implement a variety of policies designed to lay a secure foundation for any business. Policies include:

- **Require two-step login:** Require users to set up two-step login on their personal accounts.
- **Master password requirements:** Set minimum requirements for master password strength.
- **Password generator:** Set minimum requirements for password generator configuration.
- **Single organization:** Restrict users from being able to join any other organizations.
- **Enforce organization data ownership:** Require users to save vault items to an organization by removing the personal ownership option.

> [!NOTE]
> The **Enforce organization data ownership** policy, for example, fits into earlier discussion regarding the interplay between individual vaults and organization vaults. Some companies may desire the assurance of having all credentials retained in the organization vault. A possible implementation could involve allowing each individual user to have their own collection, which unlike individual vaults could be overseen by organization owners and admins.

### Event logs

Bitwarden organizations include access to [event logs](https://bitwarden.com/help/event-logs/), which can be viewed directly from the web vault or [exported to be analyzed](https://bitwarden.com/help/event-logs/#siem-and-external-systems-integrations/) within security information and event management (SIEM) systems like Splunk. Event logs include information about:

- User-item interactions
- Changes made to vault items
- Onboarding events
- Organization configuration changes
- Much, much more

> [!NOTE]
> In addition to these benefits, customers appreciate the ability to tightly integrate Bitwarden into their existing systems. Bitwarden offers a robust public [API](https://bitwarden.com/help/api/) and a fully-featured command line interface ([CLI](https://bitwarden.com/help/cli/)) for further integration into existing organization workflows.

### Self-hosting

In keeping with the Bitwarden approach to offer password management anywhere and everywhere, Bitwarden provides an option to self-host to address an even wider range of use cases for Enterprises. There are many reasons for a company to choose to self-host. Specifically when it comes to onboarding, succession, and enhanced features, here are some of the reasons companies choose to do so:

- **Immediate deletion of user accounts:** Because you control the server, users can be deleted entirely (including their individual vault).
- **Network access control:** Organization owners can determine which network access employees must use to access their Bitwarden server.
- **Advanced proxy settings:** Administrators can choose to enable or disable certain types of devices from accessing the Bitwarden Server.
- **Use an existing database cluster:** Connect to an existing Microsoft SQL Server database. Additional databases will be supported in the future.
- **Increase storage for file attachments and Bitwarden Send:** File attachments for Bitwarden items or Bitwarden Send are retained on user-provided storage.

## Put the pieces together

SCIM, Directory Connector, Login with SSO, Enterprise policies, and your vault work well individually or in harmony to optimize your onboarding, succession, and organization management experience. The following table details how it might look to string together these pieces into one smooth process:

| **Step** | **Description** |
|------|------|
| **Synchronize** | Use SCIM or Directory Connector to sync groups and users to Bitwarden from your existing directory service. |
| **Invite** | SCIM or Directory Connector will automatically issue invitations to synced users. |
| **Authenticate** | Pair your login with SSO implementation with the SSO policy to require users to sign up with SSO when they accept their invitations. |
| **Administer** | Use the web vault to promote some users to different roles and to ensure group-collection relationships are configured to grant the right access to the right users. |
| **Re-synchronize** | Maintain your SCIM integration, or periodically re-run Directory Connector, to remove users from Bitwarden that are no longer active in your directory service and to start onboarding for new hires. |

## FAQs

#### Q: If an employee already has a Bitwarden account, can we attach it to the organization so they don't need another Bitwarden account?

**A:** Yes! You can. Some customers recommend that, prior to attaching users to the organization, those users have a Bitwarden vault attached to their company email. This choice is company-specific and either approach works.

#### Q: When an employee leaves, can we detach their account from the organization so that they don't have access to company credentials anymore and they do not lose their individually-owned credentials?

**A:** Yes! That's exactly what [deprovisioning entails](https://bitwarden.com/help/onboarding-and-succession/#offboarding-users/).

#### Q: What happens to items that were created or shared by a former member of the organization? Will these items also be offboarded?

**A:** No, sharing items from an individual vault to an organization vault will extend item ownership to the organization as well.

#### Q: Can we prevent employees from duplicating credentials from the company organization to their individual vault?

**A:** Yes! Using our [comprehensive suite of role-based access controls](https://bitwarden.com/help/user-types-access-control/#access-control/) you can make credentials **Read Only** to prevent duplication.

--- URL: https://bitwarden.com/help/onboarding-checklist/ ---

# Onboarding checklist

Use this onboarding checklist to track progress and make sure nothing is missed during your onboarding process.

## Account setup

- Confirm and review with users the 3-step account set up process: Invite > Accept > Confirm
- Log in with existing account or create new account using invited email
- Complete SSO login set up if applicable
- Create strong master password (14 to 16+ characters with mixed cases, numbers, symbols); optional if you’re using SSO with trusted devices
- Review company-specific password policies and guidelines
- Follow company password guidelines, consider using passphrase
- Set up 2FA using preferred methods (authenticator app, hardware key, or email)
- Save and securely store 2FA recovery codes

**Support links:**

- [Using login with SSO](https://bitwarden.com/help/using-sso/)
- [Setup SSO with Trusted Devices](https://bitwarden.com/help/setup-sso-with-trusted-devices/)

## Client installations

- Install browser extension and pin it to the navigation toolbar
- Download and install desktop application (Windows, Mac, Linux)
- Download mobile app (iOS, Android)
- Log into all installed clients with master password and 2FA, or SSO (if applicable)
- Adjust login settings to preferences (biometric setup, timeout settings)

**Support links:**

- [Client downloads](https://bitwarden.com/download/)
- [Automatic logout or lock](https://bitwarden.com/help/vault-timeout/)

## Get to know Bitwarden vault

- Explore web app, browser extension, mobile and desktop apps interface and main navigation elements
- Understand the differences between My vault (individual items) and Organization vault (shared items)
- Learn to use search function
- Familiarize with item types (logins, notes, cards, identities)

**Support links:**

- [Vault item types](https://bitwarden.com/help/managing-items/)
- [Search your vault](https://bitwarden.com/help/searching-vault/)

## Password management fundamentals

- Practice adding new login items (Click + or Add Item)
- Learn to edit existing items - click Edit (pencil icon)
- Set up extension autofill through browser settings
- Practice using autofill from browser extension (hotkey, inline autofill, fill button)
- Use built-in password generator for creating strong passwords (in extension, click on password field or Generator tab)

**Support links:**

- [Browser autofill](https://bitwarden.com/help/auto-fill-browser/)
- [Generating a strong password](https://bitwarden.com/help/getting-started-browserext/#generate-a-strong-password/)

## Secure credential sharing and collaboration

- Understand collections concept for shared items: Collections act as shared folders for passwords/notes in organization vault
- Practice accessing shared items through collections
- Learn about groups and permission levels: Groups assign collection access to multiple users (e.g. "Marketing Team")
- Practice organizing individual My Vault items with folders

**Support links:**

- [Understanding collections](https://bitwarden.com/help/about-collections/)
- [Collection access management](https://bitwarden.com/help/teams-enterprise-migration-guide/#step-5-configure-access-to-collections-and-items/)

## Features beyond password management

- Explore Bitwarden Send for encrypted sharing to anyone, even non-Bitwarden users
- Review password history for login items (Password History tab in login items)
- Configure biometric unlock on desktop and mobile (if applicable)
- Explore TOTP storage and generation

**Support links:**

- [Bitwarden Send](https://bitwarden.com/help/about-send/)
- [Unlock with biometrics](https://bitwarden.com/help/biometrics/)
- [Generate TOTP codes](https://bitwarden.com/help/integrated-authenticator/#generate-totp-codes/)

## Recovery planning

- Understand account recovery options if master password is lost or forgotten
- Document account recovery procedures
- Verify secure storage of recovery codes and master password backup

**Support links:**

- [Recover user access](https://bitwarden.com/help/account-recovery/)
- [Get my recovery code](https://bitwarden.com/help/two-step-recovery-code/)

## Best practices

- Emphasize Bitwarden in improving organizational security posture
- Explain how Bitwarden reduces breach risks, aids compliance, and promotes safe practices
- Schedule regular vault maintenance and security reviews
- Send regular reminders for users to accept invitation to set up Bitwarden account
- Use Vault Health reports to audit password health across company

**Support links:**

- [Vault health reports](https://bitwarden.com/help/reports/)

--- URL: https://bitwarden.com/help/onboarding-workflows/ ---

# Member Signup Workflows

This document should be used to provide instructions to your users for signing up for the organization. There are a number of different factors that will impact the exact steps your users will need to take. Use this decision tree to help pick the correct option for your organization's users:

![Onboarding decision tree](https://bitwarden.com/assets/6Mjrxky33gwmWzhhF85QgG/523d7421e9dd0aa72a6b9119f50043fb/Final.png)

*Onboarding decision tree*

The following tabs document onboarding instructions you can provide to your users. Each tab's number corresponds to a selection from the above decision tree:

### 1

To join our organization:

1. Check your inbox for an email from Bitwarden. Select the **Join Organization Now** button.
2. On the screen that opens from the link, choose the **Continue** option and log in to your Bitwarden account using your email and master password. *[If your master password does not meet the requirements of our organization, you will be prompted to update it.]*

You'll be logged in to Bitwarden. An administrator will be notified that you've accepted the invitation to join our organization and will need to confirm your membership. Once they do, you'll be granted access to shared vault data for your team.

### 2

To sign up for Bitwarden:

1. Check your inbox for an email from Bitwarden. Select the **Join Organization Now** button.
2. On the screen that opens from the link, fill in the following details:
   1. **Master password**: Create a master password. Bitwarden provides [guidance on how to create a strong master password](https://bitwarden.com/blog/picking-the-right-password-for-your-password-manager/). *[Make sure the master password you create complies with the requirements displayed above where you enter it.]*
   2. **Confirm master password**: Re-enter the master password you just created.
3. Optionally, check the **Check known data breaches for the password** option ([learn more](https://bitwarden.com/help/reports/#data-breach-report-individual-vaults-only/)) before submitting the form.
4. You'll be redirected back to the Bitwarden login page. Log in using the credentials you just created to accept the invitation to our organization.

An administrator will be notified that you've accepted the invitation to join our organization and will need to confirm your membership. Once they do, you'll be granted access to shared vault data for your team.

### 3

Your Bitwarden account's email address must match what you use to log in to *[IdP, e.g. JumpCloud]*. If it does not, [change your email address](https://bitwarden.com/help/product-faqs/#q-how-do-i-change-my-email-address/) and then complete the following steps to join our organization:

1. Check your inbox for an email from Bitwarden. Select the **Join Organization Now** button.
2. On the screen that opens from the link, choose the **Continue** option and log in to your Bitwarden account using your email and master password. *[If your master password does not meet the requirements of our organization, you will be prompted to update it.]*

You'll be logged in to Bitwarden. An administrator will be notified that you've accepted the invitation to join our organization and will need to confirm your membership.
Once they do, you'll be granted access to shared vault data for your team.

Once your membership is confirmed, complete the following steps to set up your web browser app as a [trusted device](https://bitwarden.com/help/add-a-trusted-device/):

1. Open *[vault.bitwarden.com or vault.bitwarden.eu]* or your Bitwarden app *[and change the **Logging in on:** selector to bitwarden.eu]*.
2. Enter your email address and select **Continue**.
3. On the next screen, choose the **Enterprise single sign-on** option.
4. Log in to *[IdP, e.g. JumpCloud]* with your existing credentials.
5. On the next screen, ensure that the **Remember this device** toggle is on, and select **Approve with master password**.
6. Enter your master password and select **Continue**.

The next time you log in on this web browser or app, you can use the **Enterprise single sign-on** option to log in and won't be required to enter your master password. You can add other trusted devices by completing these steps again with other apps.

### 4

Your Bitwarden account's email address must match what you use to log in to *[IdP, e.g. JumpCloud]*. If it does not, [change your email address](https://bitwarden.com/help/product-faqs/#q-how-do-i-change-my-email-address/) and then complete the following steps to join our organization:

1. Check your inbox for an email from Bitwarden. Select the **Join Organization Now** button.
2. On the screen that opens from opening the link, choose the **Continue** option and log in to your Bitwarden account using your email and master password. *[If your master password does not meet the requirements of our organization, you will be prompted to update it.]*

You'll be logged in to Bitwarden. An administrator will be notified that you've accepted the invitation to join our organization and will need to confirm your membership. Once they do, you'll be granted access to shared vault data for your team.
Once your membership is confirmed, complete the following steps to set up your web browser app as a [trusted device](https://bitwarden.com/help/add-a-trusted-device/):

1. Open *[vault.bitwarden.com or vault.bitwarden.eu]* or your Bitwarden app *[and change the **Logging in on:** selector to bitwarden.eu]*.
2. Enter your email address and select **Continue**.
3. On the next screen, choose the **Enterprise single sign-on** option.
4. On the next screen, enter *[your-SSO-identifier]* in the **SSO identifier** box and select **Log in**.
5. Log in to *[IdP, e.g. JumpCloud]* with your existing credentials.
6. On the next screen, ensure that the **Remember this device** toggle is on, and select **Approve with master password**.
7. Enter your master password and select **Continue**.

The next time you log in on this web browser or app, you can use the **Enterprise single sign-on** option to log in and won't be required to enter your master password. You can add other trusted devices by completing these steps again with other apps.

### 5

Your Bitwarden account's email address must match what you use to log in to *[IdP, e.g. JumpCloud]*. If it does not, [change your email address](https://bitwarden.com/help/product-faqs/#q-how-do-i-change-my-email-address/) and then complete the following steps to join our organization:

1. Check your inbox for an email from Bitwarden. Select the **Join Organization Now** button.
2. On the screen that opens from opening the link, choose the **Continue** option and log in to your Bitwarden account using your email and master password. *[If your master password does not meet the requirements of our organization, you will be prompted to update it.]*

You'll be logged in to Bitwarden. An administrator will be notified that you've accepted the invitation to join our organization and will need to confirm your membership. Once they do, you'll be granted access to shared vault data for your team.
Once your membership is confirmed, you will be able to log in to Bitwarden using your *[IdP, e.g. JumpCloud]* credentials.

### 6

Your Bitwarden account's email address must match what you use to log in to *[IdP, e.g. JumpCloud]*. If it does not, [change your email address](https://bitwarden.com/help/product-faqs/#q-how-do-i-change-my-email-address/) and then complete the following steps to join our organization:

1. Check your inbox for an email from Bitwarden. Select the **Join Organization Now** button.
2. On the screen that opens from opening the link, choose the **Continue** option and log in to your Bitwarden account using your email and master password. *[If your master password does not meet the requirements of our organization, you will be prompted to update it.]*

You'll be logged in to Bitwarden. An administrator will be notified that you've accepted the invitation to join our organization and will need to confirm your membership. Once they do, you'll be granted access to shared vault data for your team.

Once your membership is confirmed, you will be able to log in to Bitwarden using your *[IdP, e.g. JumpCloud]* credentials. When you do, you will be required to enter an **SSO identifier**, which is currently set to *[your-SSO-identifier]* for our organization.

### 7

To sign up for Bitwarden:

1. Check your inbox for an email from Bitwarden. Select the **Join Organization Now** button.
2. On the screen that opens from opening the link, select **Log in**.
3. Log in to *[IdP, e.g. JumpCloud]* with your existing credentials.
4. On the next screen, ensure that the **Remember this device** checkbox is checked and select **Continue**.

   The first time you log in to other Bitwarden apps, like on your mobile device, this last step will instead require you to **Request admin approval** or **Approve from another device**. We recommend that you log in on a mobile device next, as you'll be able to approve subsequent devices from there.

You'll be logged in to Bitwarden.
An administrator will be notified that you've accepted the invitation to join our organization and will need to confirm your membership. Once they do, you'll be granted access to shared vault data for your team.

### 8

To sign up for Bitwarden:

1. Check your inbox for an email from Bitwarden. Select the **Join Organization Now** button.
2. On the screen that opens from opening the link, select **Log in**.

   > [!TIP] Take note of identifier
   > We recommend taking note of the **SSO identifier** that's pre-filled in on this screen. You'll need it when you log in to other Bitwarden apps.

3. Log in to *[IdP, e.g. JumpCloud]* with your existing credentials.
4. On the next screen, ensure that the **Remember this device** checkbox is checked and select **Continue**.

   The first time you log in to other Bitwarden apps, like on your mobile device, this last step will instead require you to **Request admin approval** or **Approve from another device**. We recommend that you log in on a mobile device next, as you'll be able to approve subsequent devices from there.

You'll be logged in to Bitwarden. An administrator will be notified that you've accepted the invitation to join our organization and will need to confirm your membership. Once they do, you'll be granted access to shared vault data for your team.

### 9

To sign up for Bitwarden:

1. Check your inbox for an email from Bitwarden. Select the **Join Organization Now** button.
2. On the screen that opens from opening the link, select **Log in**.
3. Log in to *[IdP, e.g. JumpCloud]* with your existing credentials.
4. On the next Bitwarden screen, set a master password. Bitwarden provides [guidance on how to create a strong master password](https://bitwarden.com/blog/picking-the-right-password-for-your-password-manager/). *[Make sure the master password you create complies with the requirements displayed above where you enter it.]*
5. Click **Submit**.

You'll be logged in to Bitwarden.
An administrator will be notified that you've accepted the invitation to join our organization and will need to confirm your membership. Once they do, you'll be granted access to shared vault data for your team.

### 10

To sign up for Bitwarden:

1. Check your inbox for an email from Bitwarden. Select the **Join Organization Now** button.
2. On the screen that opens from opening the link, select **Log in**.

   > [!TIP] Take note of identifier
   > We recommend taking note of the **SSO identifier** that's pre-filled in on this screen. You'll need it when you log in to other Bitwarden apps.

3. Log in to *[IdP, e.g. JumpCloud]* with your existing credentials.
4. On the next Bitwarden screen, set a master password. Bitwarden provides [guidance on how to create a strong master password](https://bitwarden.com/blog/picking-the-right-password-for-your-password-manager/). *[Make sure the master password you create complies with the requirements displayed above where you enter it.]*
5. Click **Submit**.

You'll be logged in to Bitwarden. An administrator will be notified that you've accepted the invitation to join our organization and will need to confirm your membership. Once they do, you'll be granted access to shared vault data for your team.

### 11

To sign up for Bitwarden:

1. Download and open the Bitwarden mobile app for [iOS](https://apps.apple.com/app/bitwarden-free-password-manager/id1137397744) or [Android](https://play.google.com/store/apps/details?id=com.x8bit.bitwarden&pli=1), or download and open the [Bitwarden desktop app](https://bitwarden.com/download/#downloads-desktop/).
2. *[Change the **Logging in on:** selector to bitwarden.eu.]*
3. Enter your *[@company.com]* email address, which should be what you use to log in to *[IdP, e.g. JumpCloud]*, and select **Continue**.
4. On the next screen, choose the **Enterprise single sign-on** option.
5. Log in to *[IdP, e.g. JumpCloud]* with your existing credentials.
6.
On the next screen, ensure that the **Remember this device** toggle is on, and select **Continue**.

   The first time you log in to other Bitwarden apps, like on your computer's web browser, this last step will instead require you to **Approve from another device**, which you can do from the mobile app or desktop app.

You'll be logged in to Bitwarden. An administrator will be notified that you've accepted the invitation to join our organization and will need to confirm your membership. Once they do, you'll be granted access to shared vault data for your team.

### 12

To sign up for Bitwarden:

1. Download and open the Bitwarden mobile app for [iOS](https://apps.apple.com/app/bitwarden-free-password-manager/id1137397744) or [Android](https://play.google.com/store/apps/details?id=com.x8bit.bitwarden&pli=1), or download and open the [Bitwarden desktop app](https://bitwarden.com/download/#downloads-desktop/).
2. *[Change the **Logging in on:** selector to bitwarden.eu.]*
3. Enter your *[@company.com]* email address, which should be what you use to log in to *[IdP, e.g. JumpCloud]*, and select **Continue**.
4. On the next screen, choose the **Enterprise single sign-on** option.
5. On the next screen, enter *[your-SSO-identifier]* in the **SSO identifier** box and select **Log in**.
6. Log in to *[IdP, e.g. JumpCloud]* with your existing credentials.
7. On the next screen, ensure that the **Remember this device** toggle is on, and select **Continue**.

   The first time you log in to other Bitwarden apps, like on your computer's web browser, this last step will instead require you to **Approve from another device**, which you can do from the mobile app or desktop app.

You'll be logged in to Bitwarden. An administrator will be notified that you've accepted the invitation to join our organization and will need to confirm your membership. Once they do, you'll be granted access to shared vault data for your team.

### 13

To sign up for Bitwarden:

1.
In a web browser, navigate to *[vault.bitwarden.com or vault.bitwarden.eu]*.
2. Enter your *[@company.com]* email address, which should be what you use to log in to *[IdP, e.g. JumpCloud]*, and select **Continue**.
3. On the next screen, choose the **Enterprise single sign-on** option.
4. Log in to *[IdP, e.g. JumpCloud]* with your existing credentials.
5. On the next Bitwarden screen, set a master password. Bitwarden provides [guidance on how to create a strong master password](https://bitwarden.com/blog/picking-the-right-password-for-your-password-manager/). *[Make sure the master password you create complies with the requirements displayed above where you enter it.]*
6. Click **Submit**.

You'll be logged in to Bitwarden. An administrator will be notified that you've accepted the invitation to join our organization and will need to confirm your membership. Once they do, you'll be granted access to shared vault data for your team.

### 14

To sign up for Bitwarden:

1. In a web browser, navigate to *[vault.bitwarden.com or vault.bitwarden.eu]*.
2. Enter your *[@company.com]* email address, which should be what you use to log in to *[IdP, e.g. JumpCloud]*, and select **Continue**.
3. On the next screen, choose the **Enterprise single sign-on** option.
4. On the next screen, enter *[your-SSO-identifier]* in the **SSO identifier** box and select **Log in**.
5. Log in to *[IdP, e.g. JumpCloud]* with your existing credentials.
6. On the next Bitwarden screen, set a master password. Bitwarden provides [guidance on how to create a strong master password](https://bitwarden.com/blog/picking-the-right-password-for-your-password-manager/). *[Make sure the master password you create complies with the requirements displayed above where you enter it.]*
7. Click **Submit**.

You'll be logged in to Bitwarden. An administrator will be notified that you've accepted the invitation to join our organization and will need to confirm your membership.
Once they do, you'll be granted access to shared vault data for your team.

--- URL: https://bitwarden.com/help/onelogin-directory/ ---

# Sync with OneLogin

This article will help you get started using Directory Connector to sync users and groups from your OneLogin directory to your Bitwarden organization.

## Create API credentials

Directory Connector requires OneLogin-generated API credentials to connect to your directory. Complete the following steps to create and obtain API credentials for use by Directory Connector:

1. From your OneLogin Administration portal (`https://yourdomain.onelogin.com/admin`), select **Developers** → **API Credentials** from the navigation menu.
2. Select the **New Credential** button and give your credential a Bitwarden-specific name (for example, `bitwarden-dc`).
3. Select the **Read Users** radio button to give read permission for user fields, roles, and groups, and select **Save**.
4. Copy the generated **Client ID** and **Client Secret**. You may return to view these at any time.

## Connect to your directory

Complete the following steps to configure Directory Connector to use your OneLogin directory:

1. Open the Directory Connector [desktop app](https://bitwarden.com/help/directory-sync-desktop/).
2. Navigate to the **Settings** tab.
3. From the **Type** dropdown, select **OneLogin**. The available fields in this section will change according to your selected type.
4. Enter the **Client ID** and **Client Secret** [obtained from OneLogin](https://bitwarden.com/help/onelogin-directory/#create-api-credentials/).
5. From the **Region** dropdown, select your region.

## Configure sync options

> [!NOTE] Clear sync cache
> When you're finished configuring, navigate to the **More** tab and select the **Clear Sync Cache** button to prevent potential conflicts with prior sync operations. For more information, see [Clear Sync Cache](https://bitwarden.com/help/clear-sync-cache/).
Complete the following steps to configure the settings used when syncing using Directory Connector:

1. Open the Directory Connector [desktop application](https://bitwarden.com/help/directory-sync-desktop/).
2. Navigate to the **Settings** tab.
3. In the **Sync** section, configure the following options as desired:

| **Option** | **Description** |
|------|------|
| Interval | Time between automatic sync checks (in minutes). |
| Remove disabled users during sync | Check this box to remove users from the Bitwarden organization that have been disabled in your directory. |
| Overwrite existing organization users based on current sync settings | Check this box to always perform a full sync and remove any users from the Bitwarden organization if they are not in the synced user set. **Recommended for OneLogin directories.** |
| More than 2000 users or groups are expected to sync | Check this box if you expect to sync 2000+ users or groups. If you don't check this box, Directory Connector will limit a sync at 2000 users or groups. |
| If a user has no email address, combine a username prefix with a suffix value to form an email | Check this box to form valid email options for users that do not have an email address. **Users without real or formed email addresses will be skipped by Directory Connector.** Formed Email = `username` + **Email Suffix** |
| Email Suffix | A string (`@example.com`) used to create a suffix for formed email addresses. |
| Sync users | Check this box to sync users to your organization. Checking this box will allow you to specify **User Filters**. |
| User Filter | See [Specify sync filters](https://bitwarden.com/help/onelogin-directory/#specify-sync-filters/). |
| Sync groups | Check this box to sync groups to your organization. Checking this box will allow you to specify **Group Filters**.
**Please be aware, Directory Connector uses OneLogin `role` values to create Bitwarden groups.** |
| Group Filter | See [Specify sync filters](https://bitwarden.com/help/onelogin-directory/#specify-sync-filters/). |

### Specify sync filters

Use comma-separated lists to include or exclude from a sync based on user email or group.

> [!NOTE]
> Directory Connector will create Bitwarden groups based on OneLogin Roles, not OneLogin Groups.

#### User filters

To include or exclude specific users from a sync based on email address:

```
include:joe@example.com,bill@example.com,tom@example.com
```

```
exclude:joe@example.com,bill@example.com,tom@example.com
```

#### Group filters

> [!NOTE] Nested groups not supported OneLogin
> Syncing nested groups is not supported by OneLogin.

To include or exclude groups from a sync based on OneLogin roles:

```
include:Role A,Role B
```

```
exclude:Role A,Role B
```

## Test a sync

> [!TIP] BWDC connect to EU server.
> Before testing or executing a sync, check that Directory Connector is connected to the right cloud server (e.g. US or EU) or self-hosted server. Learn how to do so with the [desktop app](https://bitwarden.com/help/directory-sync-desktop/#getting-started/) or [CLI](https://bitwarden.com/help/directory-sync-cli/#config/).

To test whether Directory Connector will successfully connect to your directory and return the desired users and groups, navigate to the **Dashboard** tab and select the **Test Now** button.
If successful, users and groups will be printed to the Directory Connector window according to specified [sync options](https://bitwarden.com/help/onelogin-directory/#configure-sync-options/) and [filters](https://bitwarden.com/help/onelogin-directory/#specify-sync-filters/):

![Test sync results](https://bitwarden.com/assets/5QYMxvtCPhjbluuoLcCapD/96e9c630ead9ceba5124b55f9d2764a3/dc-okta-test.png)

## Start automatic sync

Once [sync options](https://bitwarden.com/help/onelogin-directory/#configure-sync-options/) and [filters](https://bitwarden.com/help/onelogin-directory/#specify-sync-filters/) are configured as desired, you can begin syncing. Complete the following steps to start automatic sync with Directory Connector:

1. Open the Directory Connector [desktop app](https://bitwarden.com/help/directory-sync-desktop/).
2. Navigate to the **Dashboard** tab.
3. In the **Sync** section, select the **Start Sync** button.

You may alternatively select the **Sync Now** button to execute a one-time manual sync.

Directory Connector will begin polling your directory based on the configured [sync options](https://bitwarden.com/help/onelogin-directory/#configure-sync-options/) and [filters](https://bitwarden.com/help/onelogin-directory/#specify-sync-filters/).

If you exit or close the application, automatic sync will stop. To keep Directory Connector running in the background, minimize the application or hide it to the system tray.

> [!NOTE] Teams Starter + BWDC
> If you're on the [Teams Starter](https://bitwarden.com/help/password-manager-plans/#teams-starter-organizations/) plan, you are limited to 10 members. Directory Connector will display an error and stop syncing if you try to sync more than 10 members.
>
> **This plan is no longer available for purchase**. This error does not apply to Teams plans.
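Because **Overwrite existing organization users based on current sync settings** removes members that fall outside the synced user set, it helps to preview the effect of a **User Filter** and **Email Suffix** before starting a sync. The following is an added example, not Directory Connector's code: `preview_sync`, the `username`/`email`/`disabled` field names and the sample data are hypothetical, and it assumes exact, case-insensitive email matching and that disabled users sync normally unless **Remove disabled users during sync** is checked.

```python
"""Dry-run model of a Directory Connector user sync for a OneLogin directory.

Added example, not Directory Connector's code. Assumptions: exact,
case-insensitive email matching, and disabled users are synced like any other
user unless "Remove disabled users during sync" is checked.
"""
from typing import NamedTuple


class UserFilter(NamedTuple):
    mode: str          # "include", "exclude" or "all" (empty filter)
    emails: frozenset


def parse_user_filter(text):
    """Parse 'include:a@x.com,b@x.com' or 'exclude:...' (comma-separated)."""
    text = text.strip()
    if not text:
        return UserFilter("all", frozenset())
    mode, sep, rest = text.partition(":")
    mode = mode.strip().lower()
    if not sep or mode not in ("include", "exclude"):
        raise ValueError(f"expected include: or exclude: prefix in {text!r}")
    emails = frozenset(e.strip().lower() for e in rest.split(",") if e.strip())
    if not emails:
        raise ValueError("filter lists no email addresses")
    return UserFilter(mode, emails)


def effective_email(user, email_suffix=None):
    """Real email if present, else username + Email Suffix when one is set."""
    email = (user.get("email") or "").strip()
    if email:
        return email.lower()
    username = (user.get("username") or "").strip()
    if email_suffix and username:
        return (username + email_suffix).lower()
    return None  # no real or formed email: the user is skipped


def preview_sync(directory_users, org_members, user_filter="",
                 email_suffix=None, remove_disabled=False, overwrite=False):
    """Return who would be invited, removed and skipped by one sync run."""
    flt = parse_user_filter(user_filter)
    synced, disabled, skipped = set(), set(), []
    for user in directory_users:
        email = effective_email(user, email_suffix)
        if email is None:
            skipped.append(user.get("username") or "<unnamed>")
            continue
        if flt.mode == "include" and email not in flt.emails:
            continue
        if flt.mode == "exclude" and email in flt.emails:
            continue
        if user.get("disabled") and remove_disabled:
            disabled.add(email)
        else:
            synced.add(email)
    members = {m.lower() for m in org_members}
    removed = members & disabled
    if overwrite:
        # Full sync: members outside the synced user set are removed.
        removed |= members - synced
    return {
        "invite": sorted(synced - members),
        "remove": sorted(removed),
        "skipped": sorted(skipped),
    }


# Constructed sample data (not from a real directory or organization).
DIRECTORY_USERS = [
    {"username": "joe", "email": "joe@example.com"},
    {"username": "bill", "email": "bill@example.com", "disabled": True},
    {"username": "svc-backup", "email": ""},
    {"username": "tom", "email": "tom@example.com"},
]
ORG_MEMBERS = ["joe@example.com", "bill@example.com", "alice@example.com"]

if __name__ == "__main__":
    report = preview_sync(
        DIRECTORY_USERS, ORG_MEMBERS,
        user_filter="exclude:tom@example.com",
        email_suffix="@example.com",
        remove_disabled=True, overwrite=True,
    )
    for action, who in report.items():
        print(f"{action}: {', '.join(who) or '-'}")
```

Review the `remove` list in particular: with the overwrite option on, a member who was invited manually and does not exist in OneLogin (here `alice@example.com`) is removed along with the disabled user.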
--- URL: https://bitwarden.com/help/onelogin-scim-integration/ ---

# OneLogin SCIM Integration

System for cross-domain identity management (SCIM) can be used to automatically provision and de-provision members and groups in your Bitwarden organization.

> [!NOTE] SCIM vs. BWDC
> SCIM integrations are available for **Teams and Enterprise organizations**. Customers not using a SCIM-compatible identity provider may consider using [Directory Sync](https://bitwarden.com/help/directory-sync/) as an alternative means of provisioning.

This article will help you configure a SCIM integration with OneLogin. Configuration involves working simultaneously with the Bitwarden web vault and OneLogin Admin Portal. As you proceed, we recommend having both readily available and completing steps in the order they are documented.

## Enable SCIM

> [!NOTE] Self-hosting SCIM
> **Are you self-hosting Bitwarden?** If so, complete [these steps to enable SCIM for your server](https://bitwarden.com/help/self-hosting-scim/) before proceeding.

To start your SCIM integration, open the Admin Console and navigate to **Settings** → **SCIM provisioning**:

![SCIM provisioning](https://bitwarden.com/assets/6sw1kuK7GuZ3dfQkkbs6rV/a4f4e18e561733297338e4ed44c6ed8c/2024-12-03_15-25-46.png)

Select the **Enable SCIM** checkbox and take note of your **SCIM URL** and **SCIM API Key**. You will need to use both values in a later step.

## Create a OneLogin app

In the OneLogin Portal, navigate to the **Applications** screen and select the **Add App** button:

![Add an Application](https://bitwarden.com/assets/37OSt7e5j969j9ikvH8buI/3bf9fa6b57a45b357a9d2bc012d8a6af/ol-addapp.png)

In the search bar, type `SCIM` and select the **SCIM Provisioner with SAML (SCIM v2 Enterprise)** app:

![SCIM Provisioner App](https://bitwarden.com/assets/1nhhqAjka2eRfzl0cG00re/009afae8e9a056db414523aaf99392b2/remove-name-3.png)

Give your application a Bitwarden-specific **Display Name** and select the **Save** button.
### Configuration

Select **Configuration** from the left-hand navigation and configure the following information, some of which you will need to retrieve from the Single Sign-On and SCIM Provisioning screens in Bitwarden.

![SCIM App Configuration](https://bitwarden.com/assets/2AeNYZyjrTZSU8CHupIXjY/d8e0475924f924fceebc9a6e4a2331b7/remove-name-4.png)

#### Application details

OneLogin will require you to fill in the **SAML Audience URL** and **SAML Consumer URL** fields even if you aren't going to use single sign-on. [Learn what to enter in these fields](https://bitwarden.com/help/saml-onelogin/#configuration/).

#### API connection

Enter the following values in the **API Connection** section:

| **Application setting** | **Description** |
|------|------|
| SCIM base URL | Set this field to the SCIM URL ([learn more](https://bitwarden.com/help/onelogin-scim-integration/#enable-SCIM/)). |
| SCIM bearer token | Set this field to the SCIM API key ([learn more](https://bitwarden.com/help/onelogin-scim-integration/#enable-SCIM/)). |

Select **Save** once you have configured these fields.

### Access

Select **Access** from the left-hand navigation. In the **Roles** section, assign application access to all the roles you would like to provision in Bitwarden. Each role is treated as a group in your Bitwarden organization, and users assigned to a role will be included in the matching group, including users who are assigned multiple roles.

### Parameters

Select **Parameters** from the left-hand navigation. Select **Groups** from the table, enable the **Include in User Provisioning** checkbox, and select the **Save** button:

![Include Groups in User Provisioning](https://bitwarden.com/assets/2h03FR4hdjbrxWuUojzzGb/c004d00d53e780b98429453f20591125/remove-name-5.png)

### Rules

Create a rule to map OneLogin Roles to Bitwarden groups:

1. Select **Rules** from the left-hand navigation.
2.
Select the Add Rule button to open the **New mapping** dialog:

   ![Role/Group Mapping](https://bitwarden.com/assets/42I8sAk9GBypUCDFxWbb4V/3c34b07f12bc62fb85270bf91881f582/Screen_Shot_2022-07-21_at_12.14.25_PM.png)

3. Give the rule a **Name** like `Create Groups from Rules`.
4. Leave **Conditions** blank.
5. In the **Actions** section:
   1. Select **Set Groups in** from the first dropdown.
   2. Select the **Map from OneLogin** option.
   3. Select **role** from the "For each" dropdown.
   4. Enter `.*` in the "with value that matches" field to map all roles to groups, or enter a specific role name.
6. Select the **Save** button to finish creating the rule.

### Test connection

Select **Configuration** from the left-hand navigation, and select the **Enable** button under **API Status:**

![Test API Connection](https://bitwarden.com/assets/6JJ9yBJshFhR7BgxXBg83K/74cc06192465100b109c6f94cc9ae680/remove-name-6.png)

This test **will not** start provisioning, but will make a GET request to Bitwarden and display **Enabled** if the application gets a response from Bitwarden successfully.

### Enable provisioning

Select **Provisioning** from the left-hand navigation:

![Provisioning Settings](https://bitwarden.com/assets/YMC1HjBpeKREdb3lJNHqb/1abdcbb216848efb62795c921edc05b5/image.png)

On this screen:

1. Select the **Enable Provisioning** checkbox.
2. In the **When users are deleted in OneLogin...** dropdown, select **Delete**.
3. In the **When user accounts are suspended in OneLogin...** dropdown, select **Suspend**.

When you are done, select **Save** to trigger provisioning.

## Finish user onboarding

Now that your users have been provisioned, they will receive invitations to join the organization. Instruct your users to [accept the invitation](https://bitwarden.com/help/managing-users/#accept/) and, once they have, [confirm them to the organization](https://bitwarden.com/help/managing-users/#confirm/).
> [!NOTE] Invite/Accept/Confirm
> The Invite → Accept → Confirm workflow facilitates the decryption key handshake that allows users to securely access organization vault data.

## Appendix

### User attributes

Both Bitwarden and OneLogin's **SCIM Provisioner with SAML (SCIM v2 Enterprise)** application use standard SCIM v2 attribute names. Bitwarden will use the following attributes:

- `active`
- `emails`ª or `userName`
- `displayName`
- `externalId`

ª Because SCIM allows users to have multiple email addresses expressed as an array of objects, Bitwarden will use the `value` of the object which contains `"primary": true`.

--- URL: https://bitwarden.com/help/openshift-deployment/ ---

# OpenShift Deployment

This article dives into how you might alter your [Bitwarden self-hosted Helm Chart](https://bitwarden.com/help/self-host-with-helm/) deployment based on the specific offerings of OpenShift.

## Requirements

Before proceeding with the installation, ensure the following requirements are met:

- [kubectl](https://kubernetes.io/docs/tasks/tools/#kubectl) is installed.
- [Helm 3](https://helm.sh/docs/intro/install/) is installed.
- You have an SSL certificate and key or access to creating one via a certificate provider.
- You have a SMTP server or access to a cloud SMTP provider.
- A [storage class](https://kubernetes.io/docs/concepts/storage/persistent-volumes/#access-modes) that supports ReadWriteMany.
- You have an installation id and key retrieved from [https://bitwarden.com/host](https://bitwarden.com/host/).

### Rootless requirements

During startup, Bitwarden will detect whether your environment restricts which user containers can run as, and will automatically initiate deployment in rootless mode if a restriction is detected. Successfully deploying in rootless mode requires one of the following two options:

- Deploying an [external MSSQL database](https://bitwarden.com/help/external-db/) instead of the SQL container included by default in the Helm chart.
- Assigning elevated privileges to the included SQL container [using a service account](https://bitwarden.com/help/kubernetes-service-accounts/), [pod security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod), or other method.

> [!TIP] SQL pod as root to non-root
> While Microsoft requires that SQL containers be run as root, container startup will step down to a non-root user before executing application code.

## OpenShift routes

This example will demonstrate [OpenShift Routes](https://docs.openshift.com/container-platform/3.11/architecture/networking/routes.html#overview) instead of the default ingress controllers.

#### Disable default ingress

1. Access `my-values.yaml`.
2. Disable the default ingress by specifying `ingress.enabled: false`:

```yaml
general:
  domain: "replaceme.com"
  ingress:
    enabled: false
```

The remaining ingress values do not require modification, as setting `ingress.enabled: false` will prompt the chart to ignore them.

#### Add raw manifest for routes

Locate the `rawManifests` section in `my-values.yaml`. This section is where the OpenShift Route manifests will be assigned.

An example file for a `rawManifests` section that uses OpenShift Routes can be downloaded ⬇️ [here](https://bitwarden.com/assets/330r6BrWsFLL9FLZbPSLIc/badadefadd43ce575fd5f42221155786/rawManifests.yaml).

> [!NOTE] Rawmanifest example
> In the example provided above, `destinationCACertificate` has been set to an empty string. This will use the default certificate setup in OpenShift. Alternatively, specify a certificate name here, or you can use Let's Encrypt by following [this guide](https://developer.ibm.com/tutorials/secure-red-hat-openshift-routes-with-lets-encrypt/). If you do, you will be required to add `kubernetes.io/tls-acme: "true"` to the annotations for each route.

## Shared storage class

A shared storage class is required for most OpenShift deployments. `ReadWriteMany` storage must be enabled.
This can be done through the method of your choice; one option is to use the [NFS Subdir External Provisioner](https://github.com/kubernetes-sigs/nfs-subdir-external-provisioner/blob/master/charts/nfs-subdir-external-provisioner/README.md).

## Secrets

The `oc` command can be used to deploy secrets. A valid installation id and key can be retrieved from [bitwarden.com/host/](https://bitwarden.com/host/). For more information, see [What are my installation id and installation key used for?](https://bitwarden.com/help/hosting-faqs/#q-what-are-my-installation-id-and-installation-key-used-for/)

The following command is an example:

> [!WARNING] Insecure way of setting a secret
> This example will record commands to your shell history. Other methods may be considered to securely set a secret.

```bash
oc create secret generic custom-secret -n bitwarden \
    --from-literal=globalSettings__installation__id="REPLACE" \
    --from-literal=globalSettings__installation__key="REPLACE" \
    --from-literal=globalSettings__mail__smtp__username="REPLACE" \
    --from-literal=globalSettings__mail__smtp__password="REPLACE" \
    --from-literal=globalSettings__yubico__clientId="REPLACE" \
    --from-literal=globalSettings__yubico__key="REPLACE" \
    --from-literal=globalSettings__hibpApiKey="REPLACE" \
    --from-literal=SA_PASSWORD="REPLACE" # If using SQL pod
    # --from-literal=globalSettings__sqlServer__connectionString="REPLACE" # If using your own SQL server
```

--- URL: https://bitwarden.com/help/org-faqs/ ---

# Organizations FAQs

This article contains Frequently Asked Questions (FAQs) regarding organizations. For more high-level information about organizations, refer to the following articles:

- [About Organizations](https://bitwarden.com/help/about-organizations/)
- [About Collections](https://bitwarden.com/help/about-collections/)
- [About Groups](https://bitwarden.com/help/about-groups/)

## Organizations general

### Q: What's the difference between organizations and premium?
**A:** Organizations enable secure sharing from organizations to organization users. Premium individual plans unlock premium password security and management features, including advanced 2FA options, the Bitwarden authenticator (TOTP), encrypted file attachments, and more. Premium individual does not include secure data sharing.

Paid organizations (Families, Teams, or Enterprise) automatically include premium features (advanced 2FA options, Bitwarden authenticator, and more) for every user enrolled in the organization.

## Organization administration

### Q: My organization's owner is no longer with the company, can a new owner be created?

**A:** Only an owner can create a new owner or assign owner to an existing user. For failover purposes, Bitwarden recommends creating multiple owner users. If your single owner has left the company, [contact us](https://bitwarden.com/contact/).

### Q: I have invited users but they cannot see shared items, what do I do?

**A:** Invited users will receive an email asking them to join the organization. First, make sure they have accepted the invitation. If they have, an admin or owner should navigate to the **Members** screen and use the ⋮ options menu to select **Confirm**.

### Q: What events are audited for my organization?

**A:** For a full list of what's included in Bitwarden event logs, see [Event Logs](https://bitwarden.com/help/event-logs/).

### Q: Can I prevent users from self-registering into my organization?

**A:** If you are self-hosting, [configure the environment variable](https://bitwarden.com/help/environment-variables/) `globalSettings__disableUserRegistration=` to `true` to prevent users from signing up for an account via the registration page. Once configured, organization admins or owners must invite users to sign up for an account on the self-hosted instance.

### Q: How do I change the name of my organization?

**A:** To change the name of your organization:

1. In the web app, open the Admin Console using the product switcher:

   ![Product switcher](https://bitwarden.com/assets/2uxBDdQa6lu0IgIEfcwMPP/e3de3361749b6496155e25edcfdcf08b/2024-12-02_11-19-56.png)
2. Navigate to the ⚙️ **Settings** → **Organization info** screen.
3. Edit the **Organization name** field and select the **Save** button.

**If you are self-hosting**, you will also need to:

1. Navigate to the ⚙️ **Billing** → **Subscription** page.
2. Select the **Download license** button to download a license with the updated organization name.
3. [Upload the new license](https://bitwarden.com/help/licensing-on-premise/#organization-license/) to your self-hosted server.

### Q: How do I optimize performance for a vault with lots of items?

**A**: Since decryption of vault items is done locally, never in our servers, load times may occasionally be longer for a vault with a large number of items. Our team is always working on performance optimization; however, here are a few tips that can help reduce load times:

- Follow the principle of least privilege, for example by using collections to organize your vault items. Reducing the number of items a user can access will reduce the number of items to be decrypted while the app is loading.
- For owners and admins, don't use the **This user can access and modify all items** option. These user roles get access to everything via the organization vault anyway, so selecting this option will only add additional items to their **Vaults** view and increase the number of items to be decrypted while the app is loading.
- If you manage multiple organizations, consider contacting us to become a [Provider](https://bitwarden.com/help/providers/). Accessing organizations from the Provider Portal will slightly reduce the amount of required to decrypt all managed items.

### Q: How do I leave an organization?

**A**: To leave an organization, use the web app to select the ⋮ options menu for the organization you want to leave.
From the dropdown, select **Leave**:

![Leave an organization](https://bitwarden.com/assets/2MP5ZWZbCJe6ArraaEMku9/eda75c81ab46706bd8ef373a395bd78b/2025-04-01_14-59-09.png)

## Sharing with an organization

### Q: How do I "unshare" an item from my organization?

**A:** To unshare an item:

1. Clone the item back to your individual vault by using the ⋮ **Options** menu to select **Clone**. This can be done from the Admin Console or, if you are an Owner, Admin, or have Manage collection access to the collection the item is kept in, it can also be done from your Vaults view.
2. Delete the item from the organization vault by selecting **Delete** from the ⋮ **Options** menu.

Alternatively, you can unshare items by moving them to a different collection with higher access control restrictions.

### Q: How do I hide a password from my organization's users?

**A:** Assign the users you want to hide passwords from either **View items, hidden passwords** or **Edit items, hidden passwords** [permission](https://bitwarden.com/help/user-types-access-control/#permissions/) to relevant collections.

### Q: Does an item I move to the organization stay after I leave?

**A:** It does! When a user shares an item with an organization, the organization takes ownership of the item. Even if the user leaves the organization or deletes their account, that item will remain in the organization vault.

## Organization installations

### Q: Can I silently install the Bitwarden desktop app for my users?

**A:** Yes. When silently installing the desktop app across workstations, please do so as a privileged account like an administrator and use the `/allusers` switch in addition to `/S`. For single-user installation, or if your system supports `Logged on User`, use `/S` without `/allusers`.

--- URL: https://bitwarden.com/help/organization-renewal/ ---

# Organization Renewal

Organization subscriptions renew automatically on an annual or monthly basis.
Organization owners can check the renewal date from the web app Admin Console by navigating to organization's **Billing** → **Subscription** screen:

![Organization subscription view](https://bitwarden.com/assets/7MT9lfZZDTOQOBmnrLGceN/1ac8c615153e35250d15ce3921148cfe/2024-12-04_10-33-12.png)

As your renewal date approaches, Bitwarden recommends that you validate the payment method by navigating to organization **Billing** → **Payment method**. For help updating your payment method, see [update your billing information](https://bitwarden.com/help/update-billing-info/#update-billing-information-for-organizations/).

> [!NOTE] Organization payment failure
> If we cannot process your payment method, or if you have cancelled your subscription, your organization will be disabled. Bitwarden cloud customers will have a seven day grace period between the expiration of your [license](https://bitwarden.com/help/licensing-on-premise/#organization-license/) and disabling of your organization. For **self-hosted customers**, there is a 60 day grace period. In either case, a disabled organization will result in the following:
>
> **Organization-owned vault items**
>
> [Owners](https://bitwarden.com/help/user-types-access-control/) will retain access to [shared vault items](https://bitwarden.com/help/sharing/), however all other users will lose access to these items. Organization vault items and existing [collections](https://bitwarden.com/help/about-collections/) **will not be deleted**.
>
> **Organization members**
>
> Members and existing [groups](https://bitwarden.com/help/about-groups/) **will not be removed** from the organization. When your organization is [re-enabled](https://bitwarden.com/help/organization-renewal/#re-enabling-a-disabled-organization/), members will not need to take any action.
## Re-enabling a disabled Organization

If your cloud-hosted organization is disabled, paying the outstanding invoice on the Admin Console **Billing** → **Subscription** page will automatically restore services. If you encounter any issues, [contact us](https://bitwarden.com/contact/) with the subject **Disabled Subscription Organization**. The Bitwarden team will manually re-enable your organization and work with the Accounts Receivable team for any further billing assistance.

If your self-hosted organization is disabled, download a new license file from your cloud-hosted Bitwarden organization vault. Once downloaded, open your self-hosted web vault and update the license on the Admin Console **Billing** → **Subscription** page.

--- URL: https://bitwarden.com/help/organization-sponsored-families-plans/ ---

# Organization Sponsored Families Plans

Bitwarden Enterprise customers may sponsor Bitwarden Families plans as a benefit for their employees. Enterprise organization admins may use enterprise seats to sponsor Families plans for employees who are not active members of the Enterprise organization. This article demonstrates how Enterprise organization admins can issue Families sponsorships to non-organization members.

> [!NOTE] Existing enterprise users can redeem F4E
> Bitwarden users who are already members of an Enterprise organization may redeem families sponsorships by following [these instructions](https://bitwarden.com/help/families-for-enterprise/).

## Issue a sponsorship

Once Bitwarden sponsored Families plans have been enabled for your organization, a new option will be available for selection on the Admin Console. To access the new menu and invite users:

> [!NOTE] Contact support to enable sponsored Families
> To issue Families sponsorships, Owners, Admins or Custom users with Manage users permission must first [contact us](https://bitwarden.com/contact/) to enable admin-issued Families sponsorships.

1. Navigate to the Admin Console and select **Members** → **Free Bitwarden Families**:

   ![Free Bitwarden Families](https://bitwarden.com/assets/3ZLi9Ap4Hk44fCNWHvvrFY/b3e4a05fd72aa106e938295d27e0d37a/2025-05-21_11-35-45.png)
2. Select + **Add sponsorship** and a dialogue will appear where you can enter the email of the user, as well as any notes. The invitation can be sent to an email already connected to an existing Bitwarden account, or an email without an existing Bitwarden account.

   ![Add sponsorship](https://bitwarden.com/assets/2bYAYxzbgIJqshhOIgNQtX/c35a70ea7ee48f4b4114ce86401caefe/2025-05-21_16-43-35.png)
3. Select **Save** to send an invitation to the user.
4. You may resend an invitation, or remove a user by selecting the ⋮ for the specific user.

> [!NOTE] Issued Families for Enterprise user seat
> Sponsored Families for Enterprise seats may be offered to Bitwarden users that are not members of the active organization. However, sponsored Families sponsorships will occupy a seat within the organization.

## Accepting an admin-issued Families sponsorship

Issued Families sponsorships can be accepted by new or existing Bitwarden users.

1. Users will receive an email invitation:

   ![Invitation Email](https://bitwarden.com/assets/3oF2ARkXDOM7xMr8X1YdMS/d873a82a1ed8b129549731bb0c419673/2025-05-21_16-55-45.png)
2. By selecting **Accept Offer** you will be taken to the Bitwarden Web vault where you can create a new account or login and accept the offer:

   ![Accept free Bitwarden families](https://bitwarden.com/assets/7eNVGhvecJt3WcWLx2jUoY/440e7402daa7b9dd1bfba7985387573c/2025-05-22_12-11-30.png)
3. Complete the following, and then select **Submit**:
   1. Select the organization you would like sponsored (New Families organization or an existing Families organization)
   2. Provide an organization name and billing email
   3. Input billing information

> [!NOTE] Free families sponsor billing information
> Accepting a Families sponsorship will require the user to enter billing information. However, no charges will be sent to the account while the Families sponsorship remains active.

## Next Steps

- Learn more about Bitwarden Families organizations [here](https://bitwarden.com/help/password-manager-plans/#families-organizations/).

--- URL: https://bitwarden.com/help/panther-siem/ ---

# Panther SIEM

Panther is a security information and event management (SIEM) platform that can be used with Bitwarden organizations. Organization users can monitor [event](https://bitwarden.com/help/event-logs/) activity with the Bitwarden app on their Panther monitoring system.

## Setup

### Create a Panther account

To start you will need a Panther account and dashboard. Create a Panther account on their [website](https://panther.com/).

### Initialize Panther Bitwarden Log Source

1. Access the Panther dashboard.
2. On the menu, open the **Configure** dropdown and select **Log Sources**.

   ![Panther Log Sources](https://bitwarden.com/assets/2ZE57tHcy87V0qBKbUykRO/c0bf68f1da74c896562f87a85950138c/Panther_Log_sources.png)
3. Select **Onboard your logs**.

   ![Panther Onboard logs](https://bitwarden.com/assets/4mefTa7wGIZ6Kc62Mf9oNu/ab043ca54203609664765bcc0132158d/Panther_integration_marketplace.png)
4. Search **Bitwarden** in the catalogue.

   ![Elastic Bitwarden integration](https://bitwarden.com/assets/3sSNvUFqgN8dwEWrfe0UFM/f9c1473e113c9851c506720992dfef2a/bitwarden_app.png)
5. Click on the **Bitwarden** integration and select **Start Setup**.

### Connect your Bitwarden organization

After you select **Start Setup** you will be brought to the configuration screen.

> [!NOTE] Panther cloud organizations
> Panther SIEM services are only available for Bitwarden cloud hosted organizations.

1. Enter a name for the integration and then select **Setup**.
2. Next, you will need access to your Bitwarden organization's **Client ID** and **Client Secret**. Keeping this screen open, on another tab, log in to the Bitwarden web app and open the Admin Console using the product switcher:

   ![Product switcher](https://bitwarden.com/assets/2uxBDdQa6lu0IgIEfcwMPP/e3de3361749b6496155e25edcfdcf08b/2024-12-02_11-19-56.png)
3. Navigate to your organization's **Settings** → Organization info screen and select the **View API key** button. You will be asked to re-enter your master password in order to access your API key information.

   ![Organization api info](https://bitwarden.com/assets/6gHjAyqgeqDj6UPT6agsBK/3a614e043cb3836a41bd68f226835e53/2024-12-04_09-51-07.png)
4. Copy and paste the `client_id` and `client_secret` values into their respective locations on the Bitwarden App setup page. Once you have entered the information, continue by selecting **Setup** again.
5. Panther will run a test on the integration. Once a successful test has been completed, you will be given the option to adjust preferences. Complete the setup by pressing **View Log Source**.

> [!NOTE] Panther data ingestion
> Panther may take up to 10 minutes to ingest data following the Bitwarden App setup.

### Start monitoring data

1. To begin monitoring data, head over to the primary dashboard and select 🔍 **Investigate** and **Data Explorer**.
2. On the Data Explorer page, select the `panther_logs.public` database from the drop down menu. Make sure that `bitwarden_events` is being viewed as well.

   ![Panther Data Explorer](https://bitwarden.com/assets/3mrpsXxhYXiPHr5bAt2Dfk/9316f68edd7191180174869d37264752/data_explorer.png)
3. Once you have made all of your required selections, select **Run Query**. You may also **Save as** to use the query at another time.
4. A list of Bitwarden events will be produced at the bottom of the screen.

   ![Panther Event Logs](https://bitwarden.com/assets/3iyy9chBYenrpJ5hCwVKOd/385e7d5348621b7c58649f0632f198b2/Panther_event_logs.png)
5. Events can be expanded and viewed in JSON by selecting **View JSON**.

   ![Panther JSON Object](https://bitwarden.com/assets/1wHDe1snFJ4NB1G13VBUBC/71def83a275e8bf25e25488b872a02f0/Header_object.png)

For additional information regarding Bitwarden organization events, see [here](https://bitwarden.com/help/event-logs/#organization-events/). Additional options for specific queries are available, see the [Panther Data Explorer](https://docs.panther.com/search/data-explorer) documentation for more information.

--- URL: https://bitwarden.com/help/password-and-generator-history/ ---

# Password & Generator History

Bitwarden maintains two distinct histories: one for saved login passwords and another for [generated usernames, passwords, and passphrases](https://bitwarden.com/help/generator/). Finding a previous password is helpful when you generate a password but forget to save it or don't finish resetting a password.

## Password history

Bitwarden stores the last five saved passwords for each [login item](https://bitwarden.com/help/managing-items/), including [deleted items](https://bitwarden.com/help/managing-items/#delete/) before they're permanently removed. When you edit a [hidden custom field](https://bitwarden.com/help/custom-fields/), its previous value is also saved in the password history and counts as one of the five saved entries. Logging out or switching Bitwarden clients doesn't impact or clear the password history.

> [!WARNING] Password history plain text
> Accessing password history immediately reveals the older passwords in plain text.


To review an item's password history:

### Web app

Open the item and select **Password history**:

![Password history on web](https://bitwarden.com/assets/RT3R5a33WrejA8qnIcmqa/fed083be7acb5fbedfd52e223a086bb5/Password_history_on_web.png)
*Password history on web*

### Mobile app

Open the item and select **Password history** near the bottom of the window:

![Password history on mobile](https://bitwarden.com/assets/1RJbcOMMkIfVTprx3NZbyQ/82a1eb915b795d439df8fe91917d65af/Password_history_on_mobile.png)
*Password history on mobile*

### Browser extension

Open the item and select **Password history**:

![Password history on browser](https://bitwarden.com/assets/2XVetRKi7VLJ7Ctq7scOll/411a752e576a21b533f326b938ca6fa4/Password_history_on_browser.png)
*Password history on browser*

### Desktop app

Open the item and select **Password history** near the bottom of the window:

![Password history on desktop](https://bitwarden.com/assets/lvf2rvKuNcJNUYzXOTI99/f739e51e3fdd72e21647b190a9b075c8/Password_history_on_desktop.png)
*Password history on desktop*

## Generator history

You can also access the [generator's](https://bitwarden.com/help/generator/) recent history. Each client stores its own generated usernames, passwords, and passphrases; generator history is not synced across Bitwarden clients. Logging out erases that client's specific generator history.

For example, passwords generated in the mobile app only appear in the mobile app's generator history. They don't appear in the web app's generator history, and logging out of the web app doesn't remove the mobile app's generator history.

> [!WARNING] Generator history plain text
> Accessing generator history immediately reveals the previously generated options in plain text.

### Web app

To access the generator history:

1. Select **Tools**.
2. Select **Generator**.
3. Select **Generator history**:

   ![Generator history on web](https://bitwarden.com/assets/W3Cbil4ZzaNUgIoarf6Qm/76248637321f4e4314eb0aa89b1f42af/Generator_history_on_web.png)
   *Generator history on web*

### Mobile app

Generated passwords and passphrases are listed in the mobile app’s generator history. Generated usernames are not currently included.

To access the generator history:

1. Tap the **Generator icon**.
2. Tap the ⋮ **Menu icon**.
3. Tap **Password history**.

### Browser extension

To access the generator history:

1. Select **Generator**.
2. Scroll down and select **Generator history**:

   ![Generator history on browser](https://bitwarden.com/assets/10EgyHZiwC9p2gkuOdhbkN/52083c2ccc2cbd1abd2bd5afb8cbb74e/Generator_history_on_browser.png)
   *Generator history on browser*

### Desktop app

To access the generator history, go to **View** → **Generator history** from the menu bar.

To delete the client’s generator history, select **Clear history** below the list:

![Clear generator history](https://bitwarden.com/assets/1BFNT1klLnRNy3o8NLXGmB/0b21df796fbdc3e26d5ff2a046b82b15/Clear_generator_history.png)
*Clear generator history*

--- URL: https://bitwarden.com/help/password-manager-overview/ ---

# Password Manager Overview

Bitwarden Password Manager enables businesses and individuals to protect their online data in the face of rising cybercrime threats. Use Bitwarden Password Manager to generate strong, unique passwords for every account you use online. This way if one site suffers a data breach, none of your other accounts are compromised.

Password Manager makes it easy to do this by creating, saving, and autofilling those strong passwords, so that you don't need to worry about remembering them.

## Key features

For individuals and end-users, some of the most popular features that Bitwarden Password Manager offers are:

- **Easy import**: [Import](https://bitwarden.com/help/import-data/) your credentials from almost any password management solution.
- **Robust autofill**: Use Password Manager to more easily log in to websites [from browser extensions](https://bitwarden.com/help/auto-fill-browser/) and [from mobile apps](https://bitwarden.com/help/auto-fill-ios/).
- **Credential generators**: Use the [username and password generator](https://bitwarden.com/help/generator/) to confidently create secure credentials when signing up for new websites.
- **Integrated authentication**: [Generate and autofill temporary one-time passwords (TOTP)](https://bitwarden.com/help/integrated-authenticator/) for two-factor authentication (2FA) right from Bitwarden Password Manager.
- **Two-step login options**: Set up a variety of [two-step login methods](https://bitwarden.com/help/setup-two-step-login/), including free options, to keep your important credentials secure.

For businesses and administrators, some of the most popular features that Bitwarden Password Manager offers are:

- **Easy import**: [Import](https://bitwarden.com/help/import-to-org/) your company's shared credentials from almost any password management solution.
- **User management integrations**: Sync end-users to your Bitwarden organization using one of many [system for cross-domain identity management (SCIM)](https://bitwarden.com/help/about-scim/) or [direct-to-directory](https://bitwarden.com/help/directory-sync/) integrations.
- **Login with SSO**: [Authenticate your end-users with your existing single sign-on (SSO)](https://bitwarden.com/help/about-sso/) setup through any SAML 2.0 or OIDC identity provider.
- **Robust policies**: Enforce security practices for your end-users, like setting up the ability for admins to [recover lost accounts](https://bitwarden.com/help/account-recovery/), using [enterprise policies](https://bitwarden.com/help/policies/).

## Security-first principles

Bitwarden is committed to building security-first products.
Password Manager is:

- **Open source**: All source code is hosted on GitHub and is free for anyone to review and audit. Third-party auditing firms and security researchers are paid to do so regularly.
- **End-to-end encrypted**: All encryption and decryption of vault data is done client-side, meaning no sensitive data ever hits our servers unencrypted.
- **Zero-knowledge encrypted**: Bitwarden team members can't see your vault data, including data like URLs that other password managers don't encrypt, or your master password.

## Clients

Password Manager offers client applications for most devices and many use-cases:

- **Web app**: The Password Manager web app is your home for vault administration and organization management. [Get started today](https://bitwarden.com/help/getting-started-webvault/).
- **Browser extensions**: Password Manager browser extensions are perfectly suited for autofilling and seamlessly creating credentials to make surfing the web even easier. [Get started today](https://bitwarden.com/help/getting-started-browserext/).
- **Mobile apps**: Password Manager mobile apps are built to help you securely take your credentials on the go. [Get started today](https://bitwarden.com/help/getting-started-mobile/).
- **Desktop apps**: Password Manager desktop apps bring a full and elegant vault experience natively to your desktop. [Get started today](https://bitwarden.com/help/getting-started-desktop/).
- **CLI**: The Password Manager command-line interface (CLI) is a powerful, fully-featured tool for accessing and managing your vault, and is well-positioned to help in automated or development workflows. [Get started today](https://bitwarden.com/help/cli/).

--- URL: https://bitwarden.com/help/password-manager-plans/ ---

# Password Manager Plans

This article describes each Bitwarden Password Manager subscription plan to help you along your password management and secure data storage journey.
This article reflects current Password Manager plans, most recently updated on June 04, 2024. Users who created accounts prior to that date can learn about their plans [here](https://bitwarden.com/help/updates-to-plans/). To see Secrets Manager plans instead, see [here](https://bitwarden.com/help/secrets-manager-plans/).

## Personal plans

Personal plans are designed to give you or your family all the tools needed to securely manage data:

### Free individual

We believe everyone should have access to password security tools. The core features of the Bitwarden Password Manager are 100% free, including unlimited storage of logins, notes, cards, and identities, access to Bitwarden on any device, a secure password generator, and more.

Sign up [**for free**](https://bitwarden.com/go/start-free/).

### Premium individual

Upgrade your individual account to unlock premium password security and management features, including advanced 2FA options, the Bitwarden authenticator (TOTP), encrypted file attachments, emergency access and more.

**To upgrade to a premium account**, use the web app to navigate to the **Settings** section and select **Go Premium**, or use the following link to [**sign up for a new Premium individual account**](https://bitwarden.com/go/start-premium/).

> [!NOTE] Premium features
> Premium does not include secure data sharing. In order to access sharing features, you will need a subscription to an organization ([Free](https://bitwarden.com/help/password-manager-plans/#free-organizations/), [Families](https://bitwarden.com/help/password-manager-plans/#families-organizations/), [Teams](https://bitwarden.com/help/password-manager-plans/#teams-organizations/), or [Enterprise](https://bitwarden.com/help/password-manager-plans/#enterprise-organizations/)).
Paid organizations ([Families](https://bitwarden.com/help/password-manager-plans/#families-organizations/), [Teams](https://bitwarden.com/help/password-manager-plans/#teams-organizations/), or [Enterprise](https://bitwarden.com/help/password-manager-plans/#enterprise-organizations/)) include premium features for all users enrolled in that organization.

Premium individual subscriptions are billed annually.

### Free organizations

Start a Free organization to store and securely share data with one other user. Free organizations offer both users all the core features of Password Manager and secure data sharing in up to two collections.

Any user of any plan can be the owner of one Free organization.

### Families organizations

Start a Families organization to share private data between you and five friends or family members. Families organizations include all premium features for all six users and unlimited secure data sharing within the families organization.

Families organizations subscriptions are billed annually.

### Compare personal plans

In the following table, "premium features" (included for **Premium individual** and **Families organizations**) are marked with an asterisk (*).

| **Features for you** | **Free** | **Premium** | **Free org** | **Families org** |
|------|------|------|------|------|
| Max users | 1 | 1 | 2 | 6 |
| Secure storage for logins, notes, cards, and Identities | Unlimited | Unlimited | Unlimited | Unlimited |
| Max no. of collections | - | - | 2 | Unlimited |
| Access to Password Manager across devices | ✓ | ✓ | ✓ | ✓ |
| Storage sync across devices | ✓ | ✓ | ✓ | ✓ |
| Secure password generator | ✓ | ✓ | ✓ | ✓ |
| Self-hosting option | ✓ | ✓ | - | ✓ |
| [Encrypted export](https://bitwarden.com/help/encrypted-export/) | ✓ | ✓ | ✓ | ✓ |
| [Bitwarden Send](https://bitwarden.com/help/about-send/) | Text only | Text and files | Text only | Text and files |
| *[Two-step login](https://bitwarden.com/help/setup-two-step-login/) | Hardware security key, authenticator apps, or email | Hardware security key, authenticator apps, email, Yubico OTP, and Duo | Hardware security key, authenticator apps, or email | Hardware security key, authenticator apps, email, Yubico OTP, and Duo (does not include [Duo for organizations](https://bitwarden.com/help/setup-two-step-login-duo/)) |
| *[Encrypted file attachments](https://bitwarden.com/help/attachments/) | - | 1 GB | - | 1 GB per user + 1 GB shared |
| *[Integrated authenticator](https://bitwarden.com/help/integrated-authenticator/) (TOTP) | - | ✓ | (If also Premium individual) | ✓ |
| *[Vault health reports](https://bitwarden.com/help/reports/) | - | ✓ | - | ✓ |
| *[Emergency access](https://bitwarden.com/help/emergency-access/) | - | ✓ | - | ✓ |
| Eligible for [Secrets Manager add-on](https://bitwarden.com/help/secrets-manager-overview/) | - | - | ✓ | - |
| *Priority support | - | ✓ | - | ✓ |
| Cost to you | Free | $10 /year, billed annually | Free | $40 /year, billed annually |

## Business plans

Bitwarden business plans are designed to meet the storage and sharing needs of small teams, growing companies, and the largest enterprises:

### Teams organizations

Teams organizations are great for securely sharing data with your coworkers, department, or entire company.
Teams organizations include all premium features for all enrolled users, unlimited secure data sharing within the Teams organization, and a suite of operational tools such as event logging and an API for organization management. Teams organizations can add [Secrets Manager](https://bitwarden.com/help/secrets-manager-overview/) into their product portfolio for an [additional fee](https://bitwarden.com/help/secrets-manager-plans/).

Unlike Families organizations and Free organizations, Teams can have an unlimited number of users (priced per user). Teams organizations subscriptions can be billed annually or monthly.

### Enterprise organizations

Start an Enterprise organization to secure your business secrets. Enterprise organizations include all premium features for all enrolled users, all operational tools included in **teams organizations**, and enterprise-only tools like SSO authentication, enterprise policy enforcement, and a self-host option. Enterprise organizations can add [Secrets Manager](https://bitwarden.com/help/secrets-manager-overview/) into their product portfolio for an [additional fee](https://bitwarden.com/help/secrets-manager-plans/).

Unlike Families organizations and Free organizations, Enterprise organizations can have an unlimited number of users (priced per user). Enterprise organizations subscriptions can be billed annually or monthly.

### Compare business plans

In the following table, "premium features" (included for **Teams organizations** and **Enterprise organizations**) are marked with an asterisk (*).

| **Features for your business** | **Teams organizations** | **Enterprise organizations** |
|------|------|------|
| Secure storage for logins, notes, cards, and Identities | Unlimited | Unlimited |
| Data sharing | Unlimited | Unlimited |
| Access to Password Manager across devices | ✓ | ✓ |
| Storage sync across devices | ✓ | ✓ |
| Secure password generator | ✓ | ✓ |
| Base no. of users | 1 | 1 |
| Max no. of users | Unlimited | Unlimited |
| Max no. of collections | Unlimited | Unlimited |
| [Encrypted export](https://bitwarden.com/help/encrypted-export/) | ✓ | ✓ |
| [Bitwarden Send](https://bitwarden.com/help/about-send/) | Text and files | Text and files |
| *[Two-step login](https://bitwarden.com/help/setup-two-step-login/) | Authenticator apps, email, Yubikey, FIDO2, and Duo | Authenticator apps, email, Yubikey, FIDO2, and Duo |
| [Duo for organizations](https://bitwarden.com/help/setup-two-step-login-duo/) | ✓ | ✓ |
| *[Encrypted file attachments](https://bitwarden.com/help/attachments/) | 1 GB per user + 1 GB shared | 1 GB per user + 1 GB shared |
| *[Integrated authenticator](https://bitwarden.com/help/integrated-authenticator/) (TOTP) | ✓ | ✓ |
| *[Personal emergency access](https://bitwarden.com/help/emergency-access/) | ✓ | ✓ |
| *[Vault health reports](https://bitwarden.com/help/reports/) | ✓ | ✓ |
| *Priority Support | ✓ | ✓ |
| [Event logs](https://bitwarden.com/help/event-logs/) | ✓ | ✓ |
| [User groups](https://bitwarden.com/help/about-groups/) | ✓ | ✓ |
| [API access](https://bitwarden.com/help/public-api/) | ✓ | ✓ |
| [Directory Connector](https://bitwarden.com/help/directory-sync/) | ✓ | ✓ |
| Eligible for [Secrets Manager add-on](https://bitwarden.com/help/secrets-manager-overview/) | ✓ | ✓ |
| [Login with SSO](https://bitwarden.com/help/about-sso/) | - | ✓ |
| [Key connector](https://bitwarden.com/help/about-key-connector/) | - | ✓ |
| [Enterprise policies](https://bitwarden.com/help/policies/) | - | ✓ |
| [Account Recovery](https://bitwarden.com/help/account-recovery/) | - | ✓ |
| [Self-host option](https://bitwarden.com/help/install-on-premise/) | - | ✓ |
| [Custom management role](https://bitwarden.com/help/user-types-access-control/) | - | ✓ |
| [Families sponsorship for members](https://bitwarden.com/help/families-for-enterprise/) | - | ✓ |
| [SCIM integrations](https://bitwarden.com/help/about-scim/) | ✓ | ✓ |
| Cost to you | **Teams**: $4 per user per month, billed annually or $5 per user per month, billed monthly | $6 per user per month, billed annually or $7 per user per month, billed monthly |

## Self-hosted organizations

Self-hosted Bitwarden organizations will be able to utilize all paid features provided by their chosen plan. Only Families and Enterprise organizations can be imported to self-hosted servers. Learn more about [self-hosting an organization](https://bitwarden.com/help/self-host-an-organization/).

--- URL: https://bitwarden.com/help/personal-api-key/ ---

# CLI Authentication via API Key

Your Bitwarden personal API key can be used as a method for authenticating into the command line interface (CLI).

> [!NOTE] Personal API key vs organization API key
> Your personal API key is **not the same** as the [organization API key](https://bitwarden.com/help/public-api/#authentication/) used to access the [Bitwarden Public API](https://bitwarden.com/help/public-api/) or [Directory Connector](https://bitwarden.com/help/directory-sync/). Personal API keys will have a `client_id` with format `"user.clientId"`, while organization API keys will have a `client_id` with format `"organization.ClientId"`.

## Get your personal API key

To get your personal API key:

1. In the Bitwarden web app, navigate to **Settings** → **Security** → **Keys**:

   ![Keys](https://bitwarden.com/assets/3IHpaOpEB5a13TF3B3RqqB/05511a849898a1d2d46efb2764df0547/2024-12-03_10-47-30.png)
2. Select the **View API key** button and enter your master password to validate access. Once entered, you will be provided the following:
   - `client_id: "user.clientId"` (This value is unique to your account and does not change.)
   - `client_secret: "clientSecret"` (This value is unique and can be rotated.)
   - `scope: "api"` (This value will always be `"api"`.)
   - `grant_type: "client_credentials"` (This value will always be `"client_credentials"`.)

### Rotate your API key

Select the **Rotate API Key** button to rotate your personal API key.
Rotating your key will only change your `client_secret`. Rotating your key will invalidate your previous key and all active sessions using that key.

## Authenticate using your API key

Logging in to the CLI with the personal API key is **recommended for automated workflows or providing access to an external application**. To log in with the API key:

```
bw login --apikey
```

This will initiate a prompt for your personal `client_id` and `client_secret`. Once your session is authenticated using these values, you'll be prompted to use the `unlock` command ([learn more](https://bitwarden.com/help/cli/#unlock/)).

#### Using API key environment variables

In scenarios where automated work is being done with the Bitwarden CLI, you can save environment variables to prevent the need for manual intervention at authentication.

| **Environment variable name** | **Required value** |
|------|------|
| BW_CLIENTID | `client_id` |
| BW_CLIENTSECRET | `client_secret` |

--- URL: https://bitwarden.com/help/ping-identity-oidc-implementation/ ---

# Ping Identity OIDC

This article contains Ping Identity specific help for configuring Login with SSO via OpenID Connect (OIDC). For help configuring Login with SSO for another OIDC IdP, or for configuring Ping Identity via SAML 2.0, see [OIDC Configuration](https://bitwarden.com/help/configure-sso-oidc/) or [Ping Identity SAML implementation](https://bitwarden.com/help/ping-identity-saml-implementation/).

Configuration involves working simultaneously within the Bitwarden web app and the Ping Identity Administrator Portal. As you proceed, we recommend having both readily available and completing steps in the order they are documented.

## Open SSO in the web vault

Log in to the Bitwarden [web app](https://bitwarden.com/help/getting-started-webvault/) and open the Admin Console using the product switcher:

![Product switcher](https://bitwarden.com/assets/2uxBDdQa6lu0IgIEfcwMPP/e3de3361749b6496155e25edcfdcf08b/2024-12-02_11-19-56.png)

Select **Settings** → **Single sign-on** from the navigation:

![OIDC configuration](https://bitwarden.com/assets/51wSToXTHHVmBCrLrE8T0E/85aa432ea19eadf0195317f4f233e973/2024-12-04_09-41-46.png)

If you haven't already, create a unique **SSO identifier** for your organization. Otherwise, you don't need to edit anything on this screen yet, but keep it open for easy reference.

> [!TIP] Self-hosting, use alternative Member Decryption Options.
> There are alternative **Member decryption options**. Learn how to get started using [SSO with trusted devices](https://bitwarden.com/help/about-trusted-devices/) or [Key Connector](https://bitwarden.com/help/about-key-connector/).

## Create OIDC app

In the Ping Identity Administrator Portal, select **Applications** and the + Icon at the top of the screen to open the **Add Application** screen:

![Ping Identity OIDC App](https://bitwarden.com/assets/3upFJSqFSgStI3FB5hSIDH/0714a45788207aed199dc3f3df78e6dd/2024-07-22_16-14-00.png)

### Add application

1. Enter a Bitwarden-specific name in the **Application Name** field. Optionally, add description details as needed.
2. Select the **OIDC Web App** option and select **Save** once you have finished.

### Configure application

On the Application screen, select the **Configuration** tab and then the edit button in the top right-hand corner of the screen.

![Ping OIDC Configuration Edit](https://bitwarden.com/assets/7JxMu92pW8hFkRV7Mmh5Qr/870237c0d0580c7407973aeef0109d2c/2024-07-25_11-30-30.png)

In the edit screen, fill in the following values retrieved from the Bitwarden Single sign-on screen:

| **Ping Identity Field** | **Description** |
|------|------|
| Redirect URIs | Copy and paste the **Callback path** value retrieved from the Bitwarden Single sign-on page. |
| Signoff URLs | Copy and paste the **Signed out callback path** value retrieved from the Bitwarden Single sign-on page. |

Once this step has been completed, select **Save** and return to the **Configuration** tab on the Ping Identity Application screen. No other values on this screen require editing.

## Resources

On the Resources tab of the Ping Identity Application screen, select the **edit** icon and enable the following allowed scopes:

- email
- openid

## Back to the web app

At this point, you have configured everything you need within the context of Ping Identity. Return to the Bitwarden web app to configure the following fields:

| **Field** | **Description** |
|------|------|
| Authority | Enter `https://auth.pingone.eu/`, where `TENANT_ID` is the **Environment ID** on Ping Identity. |
| Client ID | Enter the App's **Client ID** retrieved from the Application's Configuration tab. |
| Client Secret | Enter the Secret Value of the created client secret. Select **Generate New Secret** on the application's Configuration tab. |
| Metadata Address | For Ping Identity implementations as documented, you can leave this field blank. |
| OIDC Redirect Behavior | Select either **Form POST** or **Redirect GET**. |
| Get Claims From User Info Endpoint | Enable this option if you receive URL too long errors (HTTP 414), trusted URLs, and/or failures during SSO. |
| Additional/Custom Scopes | Define custom scopes to be added to the request (comma-delimited). |
| Additional/Custom Email Claim Types | Define custom claim type keys for users' email addresses (comma-delimited). When defined, custom claim types are searched for before falling back on standard types. |
| Additional/Custom Name Claim Types | Define custom claim type keys for users' full names or display names (comma-delimited). When defined, custom claim types are searched for before falling back on standard types. |
| Requested Authentication Context Class Reference values | Define Authentication Context Class Reference identifiers (`acr_values`) (space-delimited). List `acr_values` in preference-order. |
| Expected "acr" Claim Value in Response | Define the `acr` Claim Value for Bitwarden to expect and validate in the response. |

When you are done configuring these fields, **Save** your work.

> [!TIP] Policies for SSO Guides
> You can require users to log in with SSO by activating the single sign-on authentication policy. Please note, this will require activating the single organization policy as well. [Learn more](https://bitwarden.com/help/policies/).

## Test the configuration

Once your configuration is complete, test it by navigating to [https://vault.bitwarden.com](https://vault.bitwarden.com), entering your email address and selecting the **Use single sign-on** button:

![Log in options screen](https://bitwarden.com/assets/3BdlHeogd42LEoG06qROyQ/c68021df4bf45d72e9d37b1fbf5a6040/login.png)

Enter the [configured organization identifier](https://bitwarden.com/help/configure-sso-saml/#step-1-enabling-login-with-sso/) and select **Log In**. If your implementation is successfully configured, you will be redirected to the Ping Identity login screen:

![Ping Identity SSO](https://bitwarden.com/assets/1QwyIzAp4JtyGwNLXZNXFI/6d1cc0ca3f278f46d7ad251ff2898dd4/2024-07-22_12-18-19.png)

After you authenticate with your Ping credentials, enter your Bitwarden master password to decrypt your vault!

> [!NOTE] SSO must be initiated from Bitwarden
> Bitwarden does not support unsolicited responses, so initiating login from your IdP will result in an error. The SSO login flow must be initiated from Bitwarden.

## Next steps

- Educate your organization members on how to [use login with SSO](https://bitwarden.com/help/using-sso/).

--- URL: https://bitwarden.com/help/ping-identity-saml-implementation/ ---

# Ping Identity SAML

This article contains **Ping Identity-specific** help for configuring login with SSO via SAML 2.0. For help configuring login with SSO for another IdP, refer to [SAML 2.0 Configuration](https://bitwarden.com/help/configure-sso-saml/).

Configuration involves working simultaneously with the Bitwarden web app and the Ping Identity Administrator Portal. As you proceed, we recommend having both readily available and completing steps in the order they are documented.

## Open SSO in the web app

Log in to the Bitwarden web app and open the Admin Console using the product switcher:

![Product switcher](https://bitwarden.com/assets/2uxBDdQa6lu0IgIEfcwMPP/e3de3361749b6496155e25edcfdcf08b/2024-12-02_11-19-56.png)

Open your organization's **Settings** → **Single sign-on** screen:

![SAML 2.0 configuration](https://bitwarden.com/assets/20720mRAluo6crSdTiYJrn/1175889d7f6ab42fe7614f34cdd1dcdd/2024-12-04_09-41-15.png)

If you haven't already, create a unique **SSO identifier** for your organization and select **SAML** from the **Type** dropdown. Keep this screen open for easy reference.

You can turn off the **Set a unique SP entity ID** option at this stage if you wish. Doing so will remove your organization ID from your SP entity ID value; however, in almost all cases it is recommended to leave this option on.

> [!TIP] Self-hosting, use alternative Member Decryption Options.
> There are alternative **Member decryption options**.
> Learn how to get started using [SSO with trusted devices](https://bitwarden.com/help/about-trusted-devices/) or [Key Connector](https://bitwarden.com/help/about-key-connector/).

## Create SAML app

In the Ping Identity Administrator Portal, select **Applications** and the + Icon at the top of the screen to open the **Add Application** screen:

![Ping Identity Add Application](https://bitwarden.com/assets/6F36iKjI660tvX77XXXaOn/d983daff3168cca8b19da3d4ff2b934b/new_application.png)

1. Enter a Bitwarden-specific name in the **Application Name** field. Optionally, add description details as needed.
2. Select the **SAML Application** option and then **Configure** once you have finished.
3. On the **SAML Configuration** screen select **Manually Enter**. Using the information on the Bitwarden single sign-on screen, configure the following fields:

| **Field** | **Description** |
|------|------|
| ACS URL | Set this field to the pre-generated **Assertion Consumer Service (ACS) URL**. This automatically-generated value can be copied from the organization's **Settings** → **Single sign-on** screen and will vary based on your setup. |
| Entity ID | Set this field to the pre-generated **SP Entity ID**. This automatically-generated value can be copied from the organization's **Settings** → **Single sign-on** screen and will vary based on your setup. |

Select **Save** to continue.

## Back to the web app

At this point, you have configured everything you need within the context of the Ping Identity Administrator Portal. Return to the Bitwarden web app to complete configuration.

The Single sign-on screen separates configuration into two sections:

- **SAML service provider configuration** will determine the format of SAML requests.
- **SAML identity provider configuration** will determine the format to expect for SAML responses.

### Service provider configuration

Configure the following fields according to the information provided in the Ping Identity app **Configuration** screen:

| **Field** | **Description** |
|------|------|
| Name ID Format | Set this field to the **Subject Name ID** **Format** specified in the Ping Identity app configuration. |
| Outbound Signing Algorithm | The algorithm Bitwarden will use to sign SAML requests. |
| Signing Behavior | Whether/when SAML requests will be signed. |
| Minimum Incoming Signing Algorithm | By default, Ping Identity will sign with RSA SHA-256. Select `sha-256` from the dropdown. |
| Expect signed assertions | Whether Bitwarden expects SAML assertions to be signed. This setting should be **unchecked**. |
| Validate Certificates | Check this box when using trusted and valid certificates from your IdP through a trusted CA. Self-signed certificates may fail unless proper trust chains are configured with the Bitwarden Login with SSO docker image. |

When you are done with the service provider configuration, **Save** your work.

### Identity provider configuration

Identity provider configuration will often require you to refer back to the Ping Identity Configuration screen to retrieve application values:

| **Field** | **Description** |
|------|------|
| Entity ID | Set this field to the Ping Identity application's **Entity ID**, retrieved from the Ping Identity Configuration screen. |
| Binding Type | Set to **HTTP POST** or **Redirect**. |
| Single Sign On Service URL | Set this field to the Ping Identity application's **Single Sign-on Service** URL, retrieved from the Ping Identity Configuration screen. |
| Single Log Out URL | Login with SSO currently **does not** support SLO. This option is planned for future development, however you may pre-configure it if you wish. |
| X509 Public Certificate | Paste the signing certificate retrieved from the application screen. Navigate to the **Configuration** tab and **Download Signing Certificate**. `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----` The certificate value is case sensitive; extra spaces, carriage returns, and other extraneous characters **will cause certificate validation to fail**. |
| Outbound Signing Algorithm | By default, Ping Identity will sign with RSA SHA-256. Select `sha-256` from the dropdown. |
| Disable Outbound Logout Requests | Login with SSO currently **does not** support SLO. This option is planned for future development. |
| Want Authentication Requests Signed | Whether Ping Identity expects SAML requests to be signed. |

> [!NOTE] X509 cert expiration
> When completing the X509 certificate, take note of the expiration date. Certificates will have to be renewed in order to prevent any disruptions in service to SSO end users. If a certificate has expired, Admin and Owner accounts will always be able to log in with email address and master password.

When you are done with the identity provider configuration, **Save** your work.

> [!TIP] Policies for SSO Guides
> You can require users to log in with SSO by activating the single sign-on authentication policy. Please note, this will require activating the single organization policy as well. [Learn more](https://bitwarden.com/help/policies/).

## Test the configuration

Once your configuration is complete, test it by navigating to [https://vault.bitwarden.com](https://vault.bitwarden.com), entering your email address and selecting the **Enterprise Single-On** button:

![Log in options screen](https://bitwarden.com/assets/3BdlHeogd42LEoG06qROyQ/c68021df4bf45d72e9d37b1fbf5a6040/login.png)

Enter the configured organization identifier and select Log in.
If your implementation is successfully configured, you will be redirected to the Ping Identity login screen:

![Ping Identity SSO](https://bitwarden.com/assets/1QwyIzAp4JtyGwNLXZNXFI/6d1cc0ca3f278f46d7ad251ff2898dd4/2024-07-22_12-18-19.png)

After you authenticate with your Ping Identity credentials, enter your Bitwarden master password to decrypt your vault!

> [!NOTE] SSO must be initiated from Bitwarden
> Bitwarden does not support unsolicited responses, so initiating login from your IdP will result in an error. The SSO login flow must be initiated from Bitwarden.

## Next steps

- Educate your organization members on how to [use login with SSO](https://bitwarden.com/help/using-sso/).

--- URL: https://bitwarden.com/help/ping-identity-scim-integration/ ---

# Ping Identity SCIM Integration

System for cross-domain identity management (SCIM) can be used to automatically provision and de-provision members and groups in your Bitwarden organization.

> [!NOTE] SCIM vs. BWDC
> SCIM integrations are available for **Teams and Enterprise organizations**. Customers not using a SCIM-compatible identity provider may consider using [Directory Sync](https://bitwarden.com/help/directory-sync/) as an alternative means of provisioning.

This article will help you configure a SCIM integration with Ping Identity. Configuration involves working simultaneously with the Bitwarden web vault and Ping Identity Administrator dashboard. As you proceed, we recommend having both readily available and completing steps in the order they are documented.

## Enable SCIM

> [!NOTE] Self-hosting SCIM
> **Are you self-hosting Bitwarden?** If so, complete [these steps to enable SCIM for your server](https://bitwarden.com/help/self-hosting-scim/) before proceeding.

To start your SCIM integration, open the Admin Console and navigate to **Settings** → **SCIM provisioning**:

![SCIM provisioning](https://bitwarden.com/assets/6sw1kuK7GuZ3dfQkkbs6rV/a4f4e18e561733297338e4ed44c6ed8c/2024-12-03_15-25-46.png)

Select the **Enable SCIM** checkbox and take note of your **SCIM URL** and **SCIM API Key**. You will need to use both values in a later step.

## Create a SCIM app

1. Navigate to provisioning + **New Connection**.

   ![Ping Identity new Connection](https://bitwarden.com/assets/7rehLEEEAvNwsBHGKqDwln/babec3f81595ead3253285229fe0e653/2024-10-09_11-29-32.png)

2. In the Create a New Connection window, choose the **Select** option for **Identity Store**.
3. In the Identity Store, enter SCIM into the search box and select **SCIM Outbound**. Once this step is complete, select **Next**.

   ![SCIM Connection](https://bitwarden.com/assets/1FYhcQpQbuh78ypyLxi2Jn/9081de91a419870aad37dded7c5db080/2024-10-09_11-35-23.png)

4. Input a Name and Description for the SCIM connection.
5. Next, you will be required to input the **SCIM BASE URL**. Copy the **SCIM URL** value located on the Enable SCIM page in the Bitwarden Admin Console and paste it into this field.
6. Using the **Authentication Method** dropdown menu, select **OAuth 2 Bearer Token**. A field named **Oauth Access Token** will appear; paste the **SCIM API key** value from the Bitwarden Admin Console into this field.

   ![Ping Identity SCIM connection test](https://bitwarden.com/assets/7uGtHe2xM6QxJnqs5LNycl/6408a86d4332001ab1dac5f99c222887/2024-10-09_12-06-25.png)

7. Once setup is complete, you may select **Test Connection**. If successful, select **Next**.
8. On the **Configure Preferences** page, select desired preferences and actions.

> [!NOTE] Remove action Ping Identity SCIM
> Setting the Remove Action to `Disable` will result in Bitwarden users being moved to `Revoked` status if they fail to meet the filter criteria set on Ping Identity.
> Restoring the criteria will return the user to their `previous state`.
>
> If the Remove Action is set to `Delete`, the same action will [deprovision the user](https://bitwarden.com/help/managing-users/#deprovision-users/).

9. Select **Save** once complete. Select the newly created Connection and enable the Connection using the toggle.

   ![Enable Ping Identity Connection](https://bitwarden.com/assets/1GpO1UTspVLzLh0SwRgKuf/4669f4225cca00108f4f0a8700c38e2e/2024-10-09_14-13-24.png)

## Create a Rule

Before syncing user groups and directories, a Rule is required to sync the user groups to Bitwarden SCIM.

1. Return to the Provisioning Screen.
2. Select the **Rules** tab and then + **New Rule**.
3. Enter an app-specific name for the Rule and select **Create Rule**.
4. Edit the new Rule in the Configuration tab. Select **Bitwarden SCIM connection** and then **Save**.

   ![Ping Identity Rule](https://bitwarden.com/assets/3eKZXwtiFdQqhlUNRSm6jr/167c28c624cf7f9ceb7dc563d58c64f4/2024-10-09_14-11-35.png)

5. Select the Configuration tab and add a [pencil] **User Filter**. For more information, see the [Ping Identity documentation](https://docs.pingidentity.com/pingone/integrations/p1_add_provisioning_filter.html). Select **Save** once complete.

   ![Ping Identity User Filter](https://bitwarden.com/assets/1dgfaEYambvyHm7J4WBASe/9b2245b92629e61341856c8cb197be2f/2024-10-09_14-32-31.png)

6. Enable the Rule using the toggle.

   ![Ping Identity new Rule](https://bitwarden.com/assets/73Y4cHkTeLtxtuqB3xIrOR/6faf11b60a278eab11f5c83d52035b57/2024-10-09_14-37-44.png)

## Provision groups

1. To assign groups, return to the Provisioning screen and select the rule ⋮ **Edit Group Provisioning**.

   ![Edit group provisioning](https://bitwarden.com/assets/10ztwQpTzsxZoi0vh83no6/f976a4f57d1fbe60b1f616f6114ce635/2024-10-09_15-11-57.png)

2. Choose the group or groups to provision and select **Save**. Once saved, the directory will trigger a sync.
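
The Required attributes appendix of this page lists the SCIM v2 attributes Bitwarden reads, including the rule that a user's email is the `value` of the `emails` entry with `"primary": true`. The Python check below is an added example (not Bitwarden or Ping Identity code) that applies those rules to constructed SCIM resources so mapping mistakes surface before the connection is enabled; the fallback to `userName` when no entry is primary, the `value` key on group members (standard SCIM v2), the function names, and the sample data are assumptions.

```python
"""Pre-flight check for SCIM v2 resources bound for Bitwarden (added example)."""
import json

# Constructed sample resources (not captured traffic).
SAMPLE_USERS = json.loads("""[
  {"userName": "alice", "active": true, "displayName": "Alice Example",
   "externalId": "ext-001",
   "emails": [{"value": "alice@home.example", "primary": false},
              {"value": "alice@corp.example", "primary": true}]},
  {"userName": "bob@corp.example", "active": true, "displayName": "Bob Example",
   "externalId": "ext-002",
   "emails": [{"value": "bob@alt.example"}]},
  {"userName": "carol", "active": "true", "displayName": "Carol Example",
   "externalId": "ext-003",
   "emails": [{"value": "carol@corp.example", "primary": true},
              {"value": "carol@alt.example", "primary": true}]}
]""")
SAMPLE_GROUP = json.loads("""
{"displayName": "Engineering", "externalId": "grp-001",
 "members": [{"value": "u-1"}, {"value": "u-2"}, "u-3"]}
""")


def select_email(user):
    """Return (identifier, problems) for one SCIM User resource."""
    problems = []
    emails = user.get("emails") or []
    if not isinstance(emails, list):
        problems.append("emails is not an array")
        emails = []
    primaries = []
    for entry in emails:
        if not isinstance(entry, dict):
            problems.append("emails entry is not an object")
            continue
        flag = entry.get("primary")
        if flag is True:
            if entry.get("value"):
                primaries.append(entry["value"])
            else:
                problems.append("primary email entry has no value")
        elif flag is not None and not isinstance(flag, bool):
            # A string such as "true" is not the JSON boolean the rule needs.
            problems.append(f"primary must be a JSON boolean, got {flag!r}")
    if len(primaries) > 1:
        problems.append("more than one email is marked primary")
    if primaries:
        return primaries[0], problems
    # Assumption: userName is used when no emails entry is marked primary.
    if user.get("userName"):
        return user["userName"], problems
    problems.append("no primary email and no userName")
    return None, problems


def check_user(user):
    """Summarise the attributes the page lists for users and collect problems."""
    identifier, problems = select_email(user)
    if "active" in user and not isinstance(user["active"], bool):
        problems.append(f"active must be a JSON boolean, got {user['active']!r}")
    summary = {
        "identifier": identifier,
        "active": user.get("active"),
        "displayName": user.get("displayName"),
        "externalId": user.get("externalId"),
    }
    return summary, problems


def check_group(group):
    """Check the group attributes the page lists; displayName is required."""
    problems = []
    if not group.get("displayName"):
        problems.append("displayName is required for groups")
    members = group.get("members", [])
    if not isinstance(members, list):
        return problems + ["members is not an array"]
    for index, member in enumerate(members):
        if not isinstance(member, dict) or not member.get("value"):
            problems.append(f"members[{index}] is not an object with a value")
    return problems


if __name__ == "__main__":
    for sample in SAMPLE_USERS:
        summary, problems = check_user(sample)
        print(summary["externalId"], "->", summary["identifier"], problems or "ok")
    print(SAMPLE_GROUP["displayName"], check_group(SAMPLE_GROUP) or "ok")
```
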

## Appendix

### Required attributes

Both the Bitwarden and Ping Identity **SCIM Provisioner with SAML (SCIM v2 Enterprise)** applications use standard SCIM v2 attribute names. Bitwarden will use the following attributes:

#### User attributes

- `active`
- `emails`ª or `userName`
- `displayName`
- `externalId`

ª - Because SCIM allows users to have multiple email addresses expressed as an array of objects, Bitwarden will use the `value` of the object which contains `"primary": true`.

#### Group attributes

For each group, Bitwarden will use the following attributes:

- `displayName` (**required**)
- `members`ª
- `externalId`

ª - `members` is an array of objects, each object representing a user in that group.

--- URL: https://bitwarden.com/help/policies/ ---

# Enterprise Policies

Enterprise policies allow Enterprise organizations to enforce security rules and default settings for all members, like mandating the use of a two-step login.

> [!WARNING] Enable policies before invite.
> We recommend setting enterprise policies prior to inviting users to your organization. Some policies will revoke non-compliant users when turned on, and some are not retroactively enforceable.

## Set enterprise policies

Organization owners and admins can apply enterprise policies. To update a policy:

1. Within the Bitwarden web app, open the Admin Console.
2. Select **Settings**.
3. Select **Policies**.
4. Select the name of the policy you want to change:

   ![Set policies](https://bitwarden.com/assets/2flohk6BsRKvazjztwvzsJ/4258307d845b33cd9f765388ca6bfea6/2024-12-03_14-24-58.png)
   *Set policies*

5. Check or uncheck **Turn on**.
6. (Optional) If more options appear, configure them.
7. Select **Save**.

## Available policies

### Require two-step login

Turn on the **Require two-step login** policy to require members to use any two-step login method to access their vaults. If you are using an SSO or identity provider's 2FA functionality, you don't need to enable this policy.
This policy is enforced even for users who have only [accepted](https://bitwarden.com/help/managing-users/#accept/) an invitation to your organization.

> [!WARNING] Non-compliance revocation warning
> **Organization members who are not owners or admins and do not comply with this policy will have access revoked when you activate this policy.** Users who have access revoked as a result of this policy will be notified via email, and must take steps to become compliant before their access can be restored.

### Master password requirements

Turn on the **Master password requirements** policy to enforce a configurable set of minimum requirements for users' master password strength. Organizations can enforce:

- Minimum master password complexity
- Minimum master password length
- Types of characters required

Password complexity is calculated on a scale from 0 (weak) to 4 (strong). Bitwarden calculates password complexity using the [zxcvbn library](https://github.com/dropbox/zxcvbn).

Use the **Require existing members to change their passwords** option to require existing, non-compliant organization members, regardless of role, to update their master password during their next login. Users who create a new account from the organization invite will be prompted to create a master password that meets your requirements.

### Remove Unlock with PIN

Turn on the **Remove Unlock with PIN** policy to prohibit members from configuring or using [unlock with PIN](https://bitwarden.com/help/unlock-with-pin/) on web apps, browser extensions, and desktop apps. This policy applies to all organization members when turned on, including admins and owners.

> [!NOTE] Mobile support added in a future release
> Support for enforcing this policy on mobile apps is planned for a future release.

Members who are using unlock with PIN prior to the policy will have it enforced on their next login, meaning if they have an already logged-in session they will still see the option in the UI and be able to unlock with PIN **until** they log out **or** turn off the unlock with PIN option in the client.

### Account recovery administration

Turn on the **Account recovery administration** policy to allow owners and admins to help members regain access to their account. With this policy, owners and admins can send members enrolled in [account recovery](https://bitwarden.com/help/account-recovery/) a link to reset their master password.

By default, users must [self-enroll in account recovery](https://bitwarden.com/help/account-recovery-enrollment/#self-enrollment/) to be eligible. To simplify account recovery enrollment, check **Require new members to be enrolled automatically** when activating the policy. This enrolls new members when their [invitation to the organization is accepted](https://bitwarden.com/help/managing-users/#accept/) and prevents them from withdrawing from account recovery. Current organization members are not retroactively added, so they still need to self-enroll.

The **Account recovery administration** policy is required for your organization to use [SSO with trusted devices](https://bitwarden.com/help/about-trusted-devices/).

> [!NOTE] Single org policy required
> The [**Single organization**](https://bitwarden.com/help/policies/#single-organization/) policy must be turned on before activating this policy.

### Password generator

Turn on the **Password generator** policy to enforce a configurable set of minimum requirements for any user-generated passwords for all members, regardless of role.
Organizations can enforce:

- Password, passphrase, or user preference

**For passwords:**

- Minimum password length
- Minimum number (0-9) count
- Minimum special character (!@#$%^&*) count
- Types of characters required

**For passphrases:**

- Minimum number of words
- Whether to capitalize
- Whether to include numbers

> [!WARNING] Password generator policy warning.
> Existing non-compliant passwords **will not** be changed when this policy is turned on, nor will the items be removed from the organization. When changing or generating a password after this policy is turned on, configured policy rules will be enforced.
>
> A banner is displayed to users on the password generator screen to indicate that a policy is affecting their generator settings.

### Single organization

Turn on the **Single organization** policy to restrict non-owner/non-admin members of your organization from being able to join other organizations or from creating other organizations. This policy is enforced even for users who have only [accepted](https://bitwarden.com/help/managing-users/#accept/) an invitation to your organization; however, this policy is not enforced for owners and admins.

> [!WARNING] Non-compliance revocation warning
> **Organization members who are not owners or admins and do not comply with this policy will have access revoked when you activate this policy.** Users who have access revoked as a result of this policy will be notified via email, and must take steps to become compliant before their access can be restored.

The **Single organization** policy must be turned on before activating the following policies:

- [Account recovery administration](https://bitwarden.com/help/policies/#account-recovery-administration/)
- [Require single sign-on authentication](https://bitwarden.com/help/policies/#require-single-sign-on-authentication/)
- [Default URI match detection](https://bitwarden.com/help/policies/#default-uri-match-detection/)
- [Session timeout](https://bitwarden.com/help/policies/#session-timeout/)

If you are unable to turn off the **Single organization** policy, verify that all of the above policies are deactivated and then try again.

### Require single sign-on authentication

Turn on the **Require single sign-on authentication** policy to require non-owner/non-admin users to log in with SSO. If you're self-hosting, you can enforce this policy for owners and admins using [an environment variable](https://bitwarden.com/help/environment-variables/). For more information, see [Using Login with SSO](https://bitwarden.com/help/using-sso/). This policy is not enforced for owners and admins.

Members of organizations using this policy will not be able to [log in with passkeys](https://bitwarden.com/help/login-with-passkeys/).

> [!NOTE] Single org policy required
> The [**Single organization**](https://bitwarden.com/help/policies/#single-organization/) policy must be turned on before activating this policy.

### Enforce organization data ownership

Turn on the **Enforce organization data ownership** policy to prevent private ownership of vault items. This adds [My Items](https://bitwarden.com/help/my-items/), an organization-owned location that can only be accessed by that member. **My items** replaces the individual's **My vault**, shifting ownership from the user to the organization.

> [!NOTE] Enforce single org doesn't apply to admins and owners
> This policy only affects members who are not organization owners or admins. Organization owners and admins can continue using **My vault**.

Once turned on, all new saved items are placed in that member’s **My items** by default. When on the Add Item screen, a banner informs users that a policy affects item ownership options.

After a [member is removed](https://bitwarden.com/help/remove-users/), the data in that member’s **My items** stays with the organization. Owners, admins, and some custom role users can assign other members access to the removed members’ **My items**.

> [!WARNING] Phases of My Items
> At this time, Bitwarden recommends that only organizations that have not started onboarding members turn on the [Enforce organization data ownership policy](https://bitwarden.com/help/policies/#enforce-organization-data-ownership/).
>
> If your organization activated the policy before version [2025.11.0](https://bitwarden.com/help/releasenotes/), **My items** will be created for members confirmed since that release. Preexisting members will not have **My items** and can continue using their **My vault**. A future release will allow organizations that already began onboarding members and use individually-owned vaults to migrate all credentials to organization ownership.

### Remove Send

Turn on the **Remove Send** policy to prevent members who are not an owner or admin from creating or editing a Send using [Bitwarden Send](https://bitwarden.com/help/about-send/). Members subject to this policy will still be able to delete existing Sends that have not yet reached their [deletion date](https://bitwarden.com/help/send-lifespan/). This policy is not enforced for owners and admins.

A banner is displayed to users in the **Send** view and on opening any existing Send to indicate that a policy is restricting them to only deleting Sends.

### Send options

Turn on the **Send options** policy to allow owners and admins to specify options for creating and editing Sends. This policy is not enforced for owners and admins.
Options include:

| **Option** | **Description** |
|------|------|
| Do not allow users to hide their email address | Turning on this option removes the [hide email option](https://bitwarden.com/help/send-privacy/#hide-email/), meaning that all [received Sends](https://bitwarden.com/help/receive-send/) will include whom they are sent from. |

### Remove card item type

Turning on the **Remove card item type** policy will prevent members from creating or importing credit cards to organization and individual vaults. Users who are members of multiple organizations will still be able to use cards only in an organization that allows it, even if a different organization has activated this policy.

Existing cards will be automatically hidden; however, the data will not be deleted and cards will re-appear should administrators disable the policy.

### Default URI match detection

Turn on the **Default URI match detection** policy to set the [default URI match detection](https://bitwarden.com/help/uri-match-detection/#default-match-detection/) for your members. This helps you configure [autofill](https://bitwarden.com/help/auto-fill-browser/) to best meet your organization's security and policy needs.

When turning on this policy, select your organization's **Default URI match detection** from the dropdown menu:

- Base domain
- Host
- Exact
- Never

> [!NOTE] Default URI policy doesn't include starts with or regex
> Users not subject to this policy have two more options when setting their individual account's default match detection: **Starts with** and **Regular expression**. These options are not offered for an organization's default because they can match unintended pages and expose credentials.

Once the policy is activated, members cannot view or change their account's **Default URI match detection** in ⚙️ **Settings** → **Autofill**. They can, however, still choose a URI match for individual login items. This policy does not affect organization owners or admins.
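
The four options this policy offers, next to the two it leaves out, as an added JavaScript example (not Bitwarden's own code) that runs each option over the same set of pages. The hostnames, saved URIs and pages are constructed, and `baseDomain` assumes the base domain is the last two hostname labels, where a real client would consult the Public Suffix List.

```javascript
// Added illustration of URI match detection; not Bitwarden's implementation.

// Assumption: the base domain is the last two hostname labels. A real client
// needs the Public Suffix List to handle suffixes such as co.uk.
function baseDomain(hostname) {
  return hostname.split(".").slice(-2).join(".");
}

// Each matcher answers: is a login saved as `saved` offered on `page`?
const MATCHERS = {
  "Base domain": (saved, page) =>
    baseDomain(new URL(saved).hostname) === baseDomain(new URL(page).hostname),
  // URL.host includes the port when it is not the scheme default.
  "Host": (saved, page) => new URL(saved).host === new URL(page).host,
  "Exact": (saved, page) => saved === page,
  "Never": () => false,
  // The two options that are not available as an organization default:
  "Starts with": (saved, page) => page.startsWith(saved),
  "Regular expression": (saved, page) => new RegExp(saved).test(page),
};

const ORG_DEFAULT_OPTIONS = ["Base domain", "Host", "Exact", "Never"];

// Constructed saved entries, one per match option.
const ENTRIES = [
  { mode: "Base domain", saved: "https://portal.corp.example" },
  { mode: "Host", saved: "https://portal.corp.example" },
  { mode: "Exact", saved: "https://portal.corp.example/login" },
  { mode: "Never", saved: "https://portal.corp.example" },
  { mode: "Starts with", saved: "https://portal.corp.example" },
  // The dot before "example" is unescaped and the host part is not anchored.
  { mode: "Regular expression", saved: "^https://.*corp.example/" },
];

// Constructed pages. `site` is the site that actually serves the page.
const OWN_SITE = "corp.example";
const PAGES = [
  { url: "https://portal.corp.example/login", site: "corp.example" },
  { url: "https://wiki.corp.example/", site: "corp.example" },
  // Different site whose URL begins with the saved URI:
  { url: "https://portal.corp.example.login.test/", site: "login.test" },
  // Different site whose path contains text the pattern accepts:
  { url: "https://login.test/corp-example/", site: "login.test" },
];

// For every option, list the pages it matches on the organization's own site
// and the pages it matches on any other site.
function auditMatchOptions() {
  const report = {};
  for (const { mode, saved } of ENTRIES) {
    const matched = PAGES.filter((p) => MATCHERS[mode](saved, p.url));
    report[mode] = {
      ownSite: matched.filter((p) => p.site === OWN_SITE).map((p) => p.url),
      otherSite: matched.filter((p) => p.site !== OWN_SITE).map((p) => p.url),
    };
  }
  return report;
}

for (const [mode, r] of Object.entries(auditMatchOptions())) {
  console.log(mode.padEnd(20), "own site:", r.ownSite.length, "other site:", r.otherSite);
}
```

Run against your own saved URIs and a list of look-alike test URLs, the same audit shows which entries would be offered outside the site they were saved for.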

> [!NOTE] Single org policy required
> The [**Single organization**](https://bitwarden.com/help/policies/#single-organization/) policy must be turned on before activating this policy.

### Session timeout

Turn on the **Session timeout** policy to set limits and control members' [session timeout](https://bitwarden.com/help/vault-timeout/#vault-timeout/) behavior. You can customize two options:

- From the **Maximum allowed timeout** dropdown menu, set a limit to how long sessions can remain active:
  - **Immediately**: When the user stops interacting with Bitwarden
  - **Custom**: After the amount of time entered in **Hours** and **Minutes**
  - **On system lock**: When the device is locked or the screensaver activates (browser extension and desktop app only)
  - **On app restart**: When the Bitwarden app is closed and reopened
  - **Never**: No maximum session duration is set.
- From the **Session timeout action** dropdown menu, choose what happens after a session ends. You can specify [**Lock or Log out**](https://bitwarden.com/help/vault-timeout/#vault-timeout-action/) or select **User preference** to let members choose in their account settings.

> [!NOTE] Session timeout interim
> New timeout options were added in [version 2025.11.0](https://bitwarden.com/help/releasenotes/#2025-11-0/) and are currently only enforced in the Android app: **On system lock**, **On app restart**, and **Never**. These timeout options will be supported on more clients in a future release.

When this policy is turned on and users edit their account's **Vault timeout** settings, the **Timeout** options will not exceed the maximum you picked for the organization and some, like **On browser restart** and **Never**, will not be available. This policy does not affect organization owners.

> [!NOTE] Single org policy required
> The [**Single organization**](https://bitwarden.com/help/policies/#single-organization/) policy must be turned on before activating this policy.

### Remove individual vault export

Turn on the **Remove individual vault export** policy to prohibit non-owner/non-admin members of your organization from [exporting their individual vault data](https://bitwarden.com/help/export-your-data/#export-an-individual-vault/). This policy is not enforced for owners and admins.

In the web app and CLI, a message is displayed to users indicating that a policy is affecting their options. In other clients, the option will simply be disabled:

![Vault export removed](https://bitwarden.com/assets/5E2871D2vZBzveBmVyv9lO/b89f979980566dda40928db1ce450507/2024-10-14_08-50-45.png)
*Vault export removed*

### Remove Free Bitwarden Families sponsorship

Turn on the **Remove Free Bitwarden Families sponsorship** policy to prevent members of your organization from having the option to [redeem a free Families plan](https://bitwarden.com/help/families-for-enterprise/) through your organization.

Users who have redeemed a sponsored Families organization prior to the policy being activated will continue to have their organization sponsored until the end of the current billing cycle. Their stored payment method will be charged for the organization when the next billing cycle begins.

### Activate auto-fill

Turn on the **Activate auto-fill** policy to automatically turn on the [autofill on page load feature](https://bitwarden.com/help/auto-fill-browser/#on-page-load/) on the browser extension for all existing and new members of the organization. If activated, members will not have the ability to disable autofill on page load.

### Automatically log in users for allowed applications

Turn on the **Automatically log in users for allowed applications** policy to allow login forms to be filled and submitted automatically when accessing non-SSO apps from your identity provider. In order to enable this setting:

1. To enable the **Automatically log in users for allowed applications** policy, check the **Turn on** box, and enter your **Identity provider host** URL(s). The URL should include `protocol://domain`.

   ![Automatically log in users for allowed applications](https://bitwarden.com/assets/2qHW4T4CDwpQJmPK6oDDn8/4fe9fb9517db6ed1a09a72be3883f2ae/2024-08-27_11-21-32.png)
   *Automatically log in users for allowed applications*

2. As an Administrator on your IdP, add an application or app shortcut to your end-user dashboard containing the destination URL with the added parameter `?autofill=1`. For example, using Microsoft Azure:

   ![Microsoft app example](https://bitwarden.com/assets/33zjaF3nEYtBB3JaVjBGmS/ab61ee2d6551d5d5bab70319ca64951e/2024-09-24_10-39-55.png)
   *Microsoft app example*

3. Once the application has been saved, users may select the application from the IdP dashboard and Bitwarden will autofill and log in to the application.

> [!NOTE] Automatically login users browser extension
> Automatically log in users will autofill data based on the user's current active account on the Bitwarden browser extension. Additionally, the data autofilled will be the most recent credential that user used associated with the target application's URL.

--- URL: https://bitwarden.com/help/premium-renewal/ ---

# Premium Renewal

Premium individual subscriptions renew automatically on an annual basis. You can check your renewal date from your [web vault](https://bitwarden.com/help/getting-started-webvault/) by navigating to **Settings** → **Subscription:**

![Subscription page](https://bitwarden.com/assets/3Ru9TSLguhRNYtLe2TLwXk/d601c1c639cf3eccc0860793aae3299e/2024-12-04_10-15-22.png)

As your renewal date approaches, Bitwarden recommends that you validate the payment method by navigating to **Settings** → **Subscription** → **Payment method**. For help updating your payment method, see [Update Your Billing Information](https://bitwarden.com/help/update-billing-info/).

> [!NOTE] Payment disruption
> If we cannot process your payment method, or if you have cancelled your subscription, your account will revert to [free individual](https://bitwarden.com/help/password-manager-plans/#free-individual/). Until you re-instate your premium subscription, this will result in the following:
>
> **Two-step login**
>
> You will **not** be locked out of your vault, however you will not be able to use advanced two-step login options such as Yubikey or Duo for authentication.
>
> - If you have a core two-step login option enabled (authenticator app or email), you will be prompted to use the enabled option.
> - If you do not have another two-step login option enabled, you will authenticate into your vault without two-step login.
>
> Your secret keys will remain stored in vault items in the **Authenticator Key (TOTP)** field, however Bitwarden will not generate TOTP codes.
>
> **Encrypted file attachments**
>
> Files will **not** be deleted from your vault, however you will not be able to upload or download.
>
> **Emergency access**
>
> Trusted emergency contacts will still be able to request and obtain access to your vault. As a grantor, however, you will not be able to add new or edit existing trusted emergency contacts.

--- URL: https://bitwarden.com/help/prepare-your-org-for-prod/ ---

# Prepare your Trial Organization for Production

This guide will help your business prepare for a production implementation of Bitwarden after a successful trial period. If you're just starting your trial period, we recommend starting with the [Proof-of-Concept Project Checklist](https://bitwarden.com/help/proof-of-concept/) before using this guide.

## Step 1: Upgrade or restart your organization

When you're ready to move a trial organization into production for your business, you can upgrade your existing organization in-place or start a new organization from scratch.
Most customers upgrade their existing organization in-place and purge their vault of test data used during their trial period before importing all shared data into production (**Step 4a**).

| Step | Duration (hrs) | Action | Description |
|------|------|------|------|
| 1a | 0.5 | Upgrade or restart your organization | [Upgrade your organization](https://bitwarden.com/help/about-organizations/#upgrade-an-organization/) or [start a new organization](https://bitwarden.com/help/about-organizations/#create-an-organization/). |

> [!TIP] Return to POC Guide
> If you choose to start a new organization for your production implementation, revisit the [Proof-of-Concept Project Checklist](https://bitwarden.com/help/proof-of-concept/) and work through those steps before proceeding.

## Step 2: Prep for broader onboarding

While you probably have a number of members in your trial organization, most businesses add a lot more users when they move to production. With that in mind, here are a few critical steps you should take before onboarding the rest of your team:

| Step | Duration (hrs) | Action | Description |
|------|------|------|------|
| 2a | 0.5 | Check your policy configuration | To make sure your configured policies are applied to all members as soon as they join, [check that all desired policies are enabled](https://bitwarden.com/help/policies/). |
| 2b | 0.25 | Activate account recovery | The account recovery policy is considered critical by many organizations for its ability to recover the accounts of users that forget their master password or are deprovisioned. [Activate this policy now](https://bitwarden.com/help/policies/). |

## Step 3: Get a production license

**This step only applies if you're self-hosting Bitwarden**. During your trial of Bitwarden, you're using a special trial license that will need to be upgraded to a production license. Once you upgrade your self-hosted server to the production license, you can activate automatic license syncing.
Follow these steps:

| Step | Duration (hrs) | Action | Description |
|------|------|------|------|
| 3a | 0.25 | Retrieve your production license | Retrieve your production license from the Bitwarden cloud web app by following [these steps](https://bitwarden.com/help/licensing-on-premise/#retrieve-organization-license/). |
| 3b | 0.25 | Manually update your license file | Upload the retrieved license to your self-hosted server by following the **Manual update** procedure [here](https://bitwarden.com/help/licensing-on-premise/#update-organization-license/). |
| 3c | 0.5 | Activate billing sync | Set up your organization to automatically pull your license file in the future by following the **Automatic sync** procedure [here](https://bitwarden.com/help/licensing-on-premise/#update-organization-license/). |

## Step 4: Import your data

Before onboarding the rest of your team, ensure that all required credentials are collected in your organization, and that members will only have access to what they need once onboarded.

Many customers purge their vault of test data used during their trial period before importing all shared data into production (**Step 4a**). Purging vault data, which can be done from the organization's **Settings** → **Organization info** view, will prevent the creation of duplicates and help you start with a clean slate.

You may have completed most or all of these steps, but we recommend double checking that they're done to your satisfaction:

| Step | Duration (hrs) | Action | Description |
|------|------|------|------|
| 4a | 0.5 | Import your data | [Import all shared data](https://bitwarden.com/help/import-to-org/) to your production organization. |
| 4b | 0.5 | Audit collections | Ensure that your [collections](https://bitwarden.com/help/about-collections/) contain the right vault items before granting broader access. |
| 4c | 0.5 | Audit groups | Ensure that your [groups](https://bitwarden.com/help/about-groups/) are assigned to the right collections before assigning more users. |

Additionally, now is a good time to check the privileges you're granting to individual users on your administrative team. Defining good practices for member roles and permissions now will make promoting users easier once you begin onboarding more employees:

| Step | Duration (hrs) | Action | Description |
|------|------|------|------|
| 4d | 0.75 | Review member role assignments | Review the pre-defined [member roles](https://bitwarden.com/help/user-types-access-control/) available in Bitwarden and determine which role is appropriate for IT, managers, etc. |
| 4e | 1 | Set up custom admin accounts | Many organizations find it useful to create custom roles for admins in order to assign granular levels of permission to users. Check out [this guide](https://bitwarden.com/resources/setting-up-administrative-accounts-with-lesser-privileges/) for some best practices. |

## Step 5: Configure client apps

Since you'll have a large number of users starting to use Bitwarden soon, it can be useful to set up some processes for centrally configuring and deploying key Bitwarden applications:

| Step | Duration (hrs) | Action | Description |
|------|------|------|------|
| 5a | 1 | Configure clients for self-hosting | **Self-hosted only**. Bitwarden clients can be pre-configured to point to your self-hosted server. To do so, follow [these instructions](https://bitwarden.com/help/configure-clients-selfhost/). |
| 5b | 1 | Deploy browser extensions to managed devices | Bitwarden browser extensions, the app end-users will most often use in their day-to-day workflows, can be deployed in automated fashion to your users' devices. To do so, follow [these instructions](https://bitwarden.com/help/browserext-deploy/). |

## Step 6: Onboard your team

Now that your organization is ready for use in production, onboard the rest of your users. Depending on how you set up your organization during the trial period, this may be:

- [Using SCIM](https://bitwarden.com/help/about-scim/)
- [Using Directory Connector](https://bitwarden.com/help/directory-sync/)
- [Using manual invitation](https://bitwarden.com/help/managing-users/#onboard-users/)

We highly recommend reviewing, or re-reviewing, the [Onboarding and Succession](https://bitwarden.com/help/onboarding-and-succession/) guide before onboarding your remaining users.

--- URL: https://bitwarden.com/help/private-mode/ ---

# Use Bitwarden in Firefox Private Windows

## Allow private windows

To allow the browser extension to run in Firefox private windows:

1. Navigate to `about:addons` in your browser and select Bitwarden from the extension list.
2. On the **Details** tab, scroll down to **Run in Private Windows** and toggle **Allow.**

![Enable Extensions in Private Windows](https://bitwarden.com/assets/1tdckgSp5yF97cp3Jk1nsw/41ae31a8c39b067edefb09a6236d9302/Screen_Shot_2022-03-10_at_11.56.20_AM.png)

--- URL: https://bitwarden.com/help/product-faqs/ ---

# Password Manager FAQs

This article contains frequently asked questions (FAQs) about general Bitwarden Password Manager functionality.

## Most asked questions

### Q: What do I do if I forgot my master password?

**A:** As a zero-knowledge encryption solution, Bitwarden and its systems have no knowledge of, way to retrieve, or way to reset your master password. If you have already lost your master password, there is unfortunately no way for the team to recover the account. For help understanding what to do next, or what to do proactively to protect yourself from such a scenario, refer to the article on [your master password](https://bitwarden.com/help/master-password/).

### Q: Is there a way for someone to access my vault items in case of emergency?

**A:** There is!
Users with a premium subscription can proactively set up trusted emergency contacts who can access your vault in case of emergency. For more information, see [Emergency Access](https://bitwarden.com/help/emergency-access/).

### Q: How do I change my master password hint?

**A:** To change your master password hint:

1. In the web app, navigate to **Settings** → **Security** → **Master password**.
2. To change your hint, you must create a new master password. Enter your **Current master password**, then fill out the **New master password** and **Confirm master password** fields. Enter your new hint in the **Master password hint** box.
3. Select the **Change master password** button.

### Q: How do I change my email address?

> [!NOTE] Changing Email vs. Changing 2FA Email
> Changing your account email address will not change the address that receives 2FA codes if you are using [two-step login via email](https://bitwarden.com/help/setup-two-step-login-email/).

**A:** To change the email address attached to your account:

1. In the web app, navigate to **Settings** → **My account**.
2. On the **My Account** page, find the **Change email** section.
3. Enter your current **Master password** to prove you have the authority to take this action, and specify the **New email** you'd like to change to.
4. Select the **Continue** button.

Bitwarden will email a verification code to the specified email address. Check your inbox for the code and enter it into the **Code** text input displayed in your web vault to finalize the change. If you don't receive the verification code, check your spam folder. You can also whitelist `no-reply@bitwarden.com` to help ensure delivery in the future.

When you change your email address, you should immediately log out of all Bitwarden apps you use, and log back in with the new credentials. Sessions using a "stale" email address will eventually be logged out.

### Q: What features are unlocked when I verify my email?

**A**: When you verify your email address, you'll unlock the ability to [create file Sends](https://bitwarden.com/help/create-send/) (provided you also have access to premium features).

### Q: Why is a vault item missing from my mobile app, desktop app, or browser extension?

**A:** Typically, this is because an app's vault data has fallen behind a web vault or other app's. Performing a vault sync should bring everything up to date. For more information, see [Sync your Vault](https://bitwarden.com/help/vault-sync/).

### Q: What's the safest way to make a backup of my vault data?

**A:** You can use [encrypted exports](https://bitwarden.com/help/encrypted-export/#create-an-encrypted-export/) to make secure long-term backups of your vault data that are encrypted with your account encryption key, organization encryption key, or with a password of your choosing.

### Q: Can I set Bitwarden to automatically start when my computer starts?

**A:** Yes, toggle the **Start automatically on login** setting on in the Bitwarden desktop app in order to have it automatically launch when you log in to your computer.

### Q: Why am I getting a ‘New Device’ email?

**A:** Typically this occurs for users that have a setting on their browser which clears their local storage and/or cookies whenever they close the browser or while they are using the browser. There are extensions that perform these actions. If this happens, you lose the indicator which tells our servers that it is an existing device. New device notification messages are not contingent on the IP address, only the device itself. We use local storage in the browser or client to label the device with an id. If that id has never logged in before, then you will get an email. If a user clears this local storage, a new id is generated for that device and it will get a new email.

You may need to make an exception for Bitwarden or configure your whitelist to keep the cookie or local storage from being cleared for Bitwarden.
This could also happen if you have your browser set to never remember history.

## Other questions

### Q: Can I install Bitwarden without Google Play, for instance on F-Droid?

**A:** Yes! You can download directly from GitHub [https://github.com/bitwarden/android/releases](https://github.com/bitwarden/android/releases/) or via F-Droid by adding our repo [https://github.com/bitwarden/f-droid](https://github.com/bitwarden/f-droid), which removes all non-approved libraries.

Unfortunately, F-Droid cannot compile our app from source as it is based on Xamarin and it is not supported by F-Droid's current compiler methods, so we must use a separate repo.

### Q: Can I turn off automatic updates for Bitwarden?

**A:** Yes! On Windows, you can add the environment variable `ELECTRON_NO_UPDATER=1` to your desktop app template to prevent automatic update procedures from trying and failing on your end-user workstations.

> [!WARNING] Running older versions.
> Like with any software, running old versions may present a security risk.

### Q: How do I get logs for the desktop app?

**A**: Add the environment variable `ELECTRON_ENABLE_LOGGING=true` to your desktop app template to print logs from the desktop app to the console, or start the desktop app from your console and use command line switches to write logs to a file:

- (Windows) `Bitwarden.exe --enable-logging=file --log-file=bitwarden.log`
- (macOS) `./Bitwarden.app/Contents/MacOS/Bitwarden --enable-logging=file --log-file=bitwarden.log`

### Q: What happens when I purge my vault?

**A:** When you purge an **individual vault**, all vault items and folders will be deleted. When you purge an **organization vault**, all shared (for example, owned by the organization) vault items will be deleted; however, existing users, collections, and groups will remain in place.

To purge your vault:

### Individual vault

> [!WARNING] Purging your vault
> Purging your vault is permanent. It cannot be undone.

To purge your individual vault:

1. In the Bitwarden web app, navigate to **Settings** → **My account**.
2. In the Danger zone section, select **Purge vault**. You'll need to confirm your master password to complete a purge.

### Organization vault

> [!WARNING] Purging your vault
> Purging your vault is permanent. It cannot be undone.

To purge an organization vault you must be an [organization owner](https://bitwarden.com/help/user-types-access-control/):

1. In the Bitwarden web app, open the Admin Console and navigate to **Settings** → **Organization info**.
2. In the Danger zone section, select **Purge vault**. You'll need to confirm your master password to complete a purge.

### Q: Can I print my vault data?

**A:** Not directly from Bitwarden, however you can [export your vault data](https://bitwarden.com/help/export-your-data/) as a `.csv` or `.json` file and print it out from your text editor.

### Q: Can I prevent my credentials from being saved to the clipboard?

**A:** Yes! To automatically clear values copied from Bitwarden from the clipboard:

- In your browser extension, navigate to **Settings** → **Autofill** and set **Clear clipboard** to a value other than **Never**.
- In your mobile app, navigate to **Settings** → **Other** and set **Clear clipboard** to a value other than **Never**.
- In your desktop app, navigate to **Settings** and in the **Preferences** section set **Clear clipboard** to a value other than **Never**.

### Q: Does uninstalling or deleting my Bitwarden app also delete my vault data?

**A:** No, deleting a Bitwarden app/extension will not delete your vault data. Vault data will remain encrypted on the server. If you wish to **permanently** delete your vault data, see [Delete an Account or Organization](https://bitwarden.com/help/delete-your-account/).

### Q: Does Bitwarden manage in-browser browser extensions on Android mobile?

**A:** There are Bitwarden browser extensions available in the Firefox and Edge browsers on Android mobile devices.
However, these extensions are not officially supported by Bitwarden, and the team is aware that some functionality in this client is known to not work correctly. Android users may prefer to use the Bitwarden [mobile app](https://bitwarden.com/help/getting-started-mobile/) for an officially supported password manager client.

### Q: Does Bitwarden have any settings that can be adjusted for graphics or performance?

**A:** Yes, Bitwarden does include settings in the desktop app to adjust for system performance:

- Graphical (GPU) acceleration can be disabled in two ways on Bitwarden desktop apps:
  - Navigate to **Settings** → **APP SETTINGS (ALL ACCOUNTS)** and uncheck the box labeled **Use hardware acceleration**.
  - From the navigation bar, **Help** → **Troubleshooting** → **Disable hardware acceleration and restart**.

### Q: Can Bitwarden be installed in an Android private space?

**A**: Currently, Bitwarden does not recommend installing the Android application in a private space (15.0+) as private spaces are not suitable for apps that need to run in the background for functions like autofill and syncing.

--- URL: https://bitwarden.com/help/projects/ ---

# Projects

Projects are collections of [secrets](https://bitwarden.com/help/secrets/) logically grouped together for management access by your DevOps and cybersecurity teams.
Projects that your user account has access to are listed in the primary Secrets Manager view as well as by selecting **Projects** from the navigation:

![Projects](https://bitwarden.com/assets/71lYVBOdFFIcautbuha9k1/65abe5b658360c4dc3402d8d4f1c815c/2024-12-03_11-34-34.png)

Opening a project will list the **Secrets**, **People**, and **Machine accounts** associated with it:

![Inside a project](https://bitwarden.com/assets/7IlJQx9yhxuO5ffABmKyqd/bef389322630e365c40e3dfa386bae4d/2024-12-03_11-35-19.png)

## Create a project

To create a new project:

[![Vimeo Video](https://vumbnail.com/846445432.jpg)](https://vimeo.com/846445432)
*[Watch on Vimeo](https://vimeo.com/846445432)*

**Video Chapters:** Learn more about projects [here](https://bitwarden.com/help/projects/).

1. Use the **New** dropdown to select **Project**:

   ![Create a project](https://bitwarden.com/assets/3gGgCYT0CgS3MKAngKDooL/03bd6080e1f8c695c46fd23918f56951/2024-12-03_11-25-44.png)

2. Enter a **Project name**. You can change the project's name at any time using the (⋮) options menu on the Projects page.
3. Select the **Save** button.

## Add secrets to a project

You can add both new and existing [secrets](https://bitwarden.com/help/secrets/) to your project:

### Add existing secrets

To add existing secrets to your project:

1. Navigate to the **Secrets** view and select the secret to add.
2. In the Edit Secret window, in the **Project** section, type or select the project to associate the secret with. Each secret can only be associated with a single project at a time.
3. When you're finished, select the **Save** button.

### Add new secrets

To create new secrets for your project:

1. Use the **New** dropdown to select **Secret**:

   ![Create a secret](https://bitwarden.com/assets/3uEcZ7G5L2TJM4QgMmFZ4H/24d73aa7121de9c77383f51de618db02/2024-12-03_11-29-17.png)

2. On the New Secret window's Name/Value pair tab, enter a **Name** and **Value**. Adding **Notes** is optional.
3. In the **Project** section, type or select the project to associate the secret with. A few key points:
   - Only organization members with access to the project will be able to see or manipulate this secret.
   - Only [machine accounts](https://bitwarden.com/help/machine-accounts/) with access to the project will be able to create a pathway for injecting or editing this secret.
   - Each secret can only be associated with a single project at a time.
4. When you're finished, select the **Save** button.

## Add people to a project

Adding organization members to your project will allow those people to interact with the project's secrets. To add people to your project:

1. In the project, select the **People** tab.
2. From the People dropdown, type or select the members or [groups](https://bitwarden.com/help/about-groups/) to add to the project. Once you've selected the right people, select the **Add** button:

   ![Add people to a project](https://bitwarden.com/assets/4Vu9wuBd8ceEz7ji7V2kHZ/2f11a06f3ed09a1cd64190ad8197e914/2024-12-03_11-27-19.png)

3. Once members or groups are added to the project, set a level of **Permissions** for those members or groups. Members and groups can have one of the following levels of permission:
   - **Can read**: Members/groups will be able to view existing secrets in this project.
   - **Can read, write**: Members/groups will be able to view existing secrets and create new secrets in this project.

## Add machine accounts to a project

You can add both new and existing [machine accounts](https://bitwarden.com/help/machine-accounts/) to the project:

### Add existing machine accounts

To add existing machine accounts to your project:

1. In the project, select the **Machine accounts** tab.
2. From the Machine accounts dropdown, type or select the machine account(s) to add to the project. Once you've selected the right machine accounts, select the **Add** button:

   ![Add a machine account](https://bitwarden.com/assets/1IJNE4LCOMqQsAMBYKN5pe/187a4d47245bfbd750e13aa052dc6fb3/2024-12-03_11-36-39.png)

3. For each added project, select a level of **Permissions:**
   - **Can read**: Machine account can retrieve secrets from assigned projects.
   - **Can read, write**: Machine account can retrieve and edit secrets from assigned projects, create new secrets in assigned projects, or create new projects altogether.

> [!TIP] SM 07/25 dependency
> Fully utilizing write access for machine accounts is dependent on a forthcoming [CLI](https://bitwarden.com/help/secrets-manager-cli/) release. For now, this simply makes the option available in the UI. Stay tuned to the [Release Notes](https://bitwarden.com/help/releasenotes/) for more information.

### Add new machine accounts

To add a machine account for this project:

1. Use the **New** dropdown to select **Machine account**:

   ![New machine account](https://bitwarden.com/assets/LaVwicbqhvbliXPm6loOU/5559a5caf8ad70a95be3ea89f1b760ad/2024-12-03_11-29-17.png)

2. Enter a **Machine account name** and select **Save**.
3. Open the machine account and, in the **Projects** tab, type or select the name of the project(s) that this service account should be able to access. For each added project, select a level of **Permissions:**
   - **Can read**: Machine account can retrieve secrets from assigned projects.
   - **Can read, write**: Machine account can retrieve and edit secrets from assigned projects, as well as create new secrets in assigned projects or create new projects.

> [!TIP] SM 07/25 dependency
> Fully utilizing write access for machine accounts is dependent on a forthcoming [CLI](https://bitwarden.com/help/secrets-manager-cli/) release. For now, this simply makes the option available in the UI. Stay tuned to the [Release Notes](https://bitwarden.com/help/releasenotes/) for more information.
## Delete a project

To delete a project, open its ⋮ options menu and select **Delete project**. Deleting a project **will not** delete the secrets associated with it. Projects are fully removed once deleted and **do not** get [sent to the trash like secrets do](https://bitwarden.com/help/secrets/#delete-a-secret/).

--- URL: https://bitwarden.com/help/proof-of-concept/ ---

# Proof-of-Concept Project Checklist

This guide is designed by our Product, Implementation, and Sales specialists at Bitwarden to help guide your business in running a PoC of Bitwarden. Bitwarden offers a free trial for [Enterprise Organizations](https://bitwarden.com/help/about-organizations/), and we're confident that spreading out these steps over that time will help shape a successful PoC.

## Phase 1: Installation

| **Step** | **Key Person** | **Action** | **Resource** | **Duration (hrs)** |
|------|------|------|------|------|
| Identify Organization Owner | Organization Owner | [Create a free Bitwarden account](https://bitwarden.com/go/start-free/) for your Organization Owner, who will manage your Organization's settings, structure, and subscription. **Note:** If you wish to have an EU-hosted cloud instance, navigate to https://vault.bitwarden.eu instead. | [Create your Bitwarden Account](https://bitwarden.com/help/create-bitwarden-account/) | 0.1 |
| Create Organization | Organization Owner | [Create a free organization on the Bitwarden cloud](https://bitwarden.com/help/getting-started-organizations/#setup-your-organization/). Once created, let us know and we'll upgrade you to an Enterprise trial. If you're self-hosting, this Organization will be used only for billing purposes. | [Organizations](https://bitwarden.com/help/about-organizations/) | 0.1 |
| **Self-hosting only** Download a license file for your self-hosted installation | Organization Owner | If you're self-hosting Bitwarden, a license file enables Enterprise functionality and the right number of seats for your instance. | [License Paid Features](https://bitwarden.com/help/licensing-on-premise/#organization-license/) | 0.1 |
| **Self-hosting only** Install self-hosted instance | Organization Owner / IT Team | Set up your Bitwarden server. We recommend deploying on Linux for optimal performance and lowest total cost of ownership. | [Install and Deploy](https://bitwarden.com/help/install-on-premise/) | 2.5 |
| Add administrators | Organization Owners + Admins | Onboard [Admins](https://bitwarden.com/help/user-types-access-control/) to Bitwarden, who can manage *most* Organization structures. We also recommend adding a second Owner for redundancy. | [User Management](https://bitwarden.com/help/managing-users/) | 0.2 |
| Create Collections for vault items | Organization Owners + Admins | Collections gather items for secure sharing with Groups of users. | [Collections](https://bitwarden.com/help/about-collections/) | 0.25 |
| Create Groups to assign users to | Organization Owners + Admins | Groups gather users for scalable assignment of permissions and access to Collections. If you decide to sync Groups and users from your Identity Provider or Directory Service, you may need to reconfigure user and Group assignments later. | [Groups](https://bitwarden.com/help/about-groups/) | 0.25 |
| Assign Groups to Collections | Organization Owners + Admins | Assign Groups to Collections, making shared items available to supersets of users. | [Collections Assignment](https://bitwarden.com/help/about-groups/#edit-collections-assignments/) | 0.25 |
| Share items to Collections | Organization Owners + Admins | [Add items manually](https://bitwarden.com/help/sharing/#create-an-organization-item/) or [import data](https://bitwarden.com/help/import-to-org/) from another password management application. | [Sharing](https://bitwarden.com/help/sharing/) [Import to an Organization](https://bitwarden.com/help/import-to-org/) | 0.25 |
| Select collection management settings | Owner | Choose how collections will behave in the organization. These settings allow for a spectrum of full admin control to completely self-serve where users can create their own collections. These settings can be used to establish a policy of least privilege. | [Collection Management](https://bitwarden.com/help/collection-management/) [Resource: Collections Management Settings](https://bitwarden.com/resources/resource-collections-management-settings/) | |
| Configure Enterprise Policies | Organization Owners + Admins | Enterprise Policies can be used to tailor your Bitwarden Organization to fit your security needs. **Enable and configure desired policies before user onboarding begins.** | [Enterprise Policies](https://bitwarden.com/help/policies/) | 0.1 |
| Configure Login with SSO (optional) | Organization Owners + Admins | Configure Bitwarden to authenticate using your SAML 2.0 or OIDC Identity Provider. Choose how vault data will be decrypted after users authenticate using SSO. For a streamlined SSO workflow for end-users, verify the ownership of your domain with a DNS TXT record. | [About Login with SSO](https://bitwarden.com/help/about-sso/) [Member Decryption Options](https://bitwarden.com/help/sso-decryption-options/) [Domain Verification](https://bitwarden.com/help/claimed-domains/) [Resource: Choose the Right SSO Login Strategy](https://bitwarden.com/resources/choose-the-right-sso-login-strategy/) | 1.5 |
| Review additional integrations | Organization Owners + Admins | Visit the Integrations page in the Admin Console to review relevant integrations and complete the set-up process. Additional integrations may be achieved using the two Bitwarden APIs. | [Bitwarden Integrations](https://bitwarden.com/integrations/) | |
| Add early users to Groups | Organization Owners + Admins | Add a set of users to your Organization manually and assign them to different groups. With these users, you'll broadly test all pre-configured functionality in the next step, **before** moving on to advanced functions like Directory Connector. | [User Management](https://bitwarden.com/help/managing-users/) | 0.5 |
| Download Bitwarden Client Applications | All POC users | All Organization members added for the POC should download Bitwarden on an assortment of devices, log in, and test access to shared items/Collections/Groups and application of applied Policies. **If you're self-hosting,** users will need to [connect each client to your server](https://bitwarden.com/help/change-client-environment/). | [Download Bitwarden](https://get.bitwarden.com/) | 0.5 |
| Choose between SCIM and Directory Connector | Organization Owners + Admins | Decide whether SCIM or Directory Connector is the right user onboarding and user lifecycle management solution for your Organization. | [About SCIM](https://bitwarden.com/help/about-scim/) [About Directory Connector](https://bitwarden.com/help/directory-sync/) | 1 |
| Configure and test user onboarding with SCIM or Directory Connector | Organization Owners + Admins | Configure and test Bitwarden SCIM integrations or the Bitwarden Directory Connector application to automatically sync users and groups. | | 1.5 |
| Onboard users with SCIM or Directory Connector | Organization Owners + Admins | Execute on SCIM or Directory Connector syncing to invite your remaining users to the Organization. | | 1 |

## Phase 2: Test and evaluate features

When evaluating Bitwarden Password Manager, be sure to also review the features highlighted below. Choose to use your own data for your POC or import an [example vault](https://start.bitwarden.com/hubfs/VaultImportExample.json) for testing.

| **Feature** | **Action** | **Resource** |
|------|------|------|
| Account Recovery Administration | As a test, begin the account recovery process for an enrolled user. Create a new master password for the user. Send that new master password to the user in a secure channel, such as through a Bitwarden Send, so they can log in and create a new master password. Note: in cases where access to the account is needed, the admin can use the new master password to log in and access stored individual vault items. This simple, streamlined process makes it easy to reset account passwords or gain access to accounts for separated employees. | [Account Recovery](https://bitwarden.com/help/account-recovery/) |
| Assign an item to multiple collections | In the admin console, go to Collections, choose any vault item, and click on the three dot menu > Collections. Use the check boxes to add that item to as many collections as you like. Navigate to the collections you assigned the item to and see it there. Make a change to the item, such as the name, and note that the update is reflected in all the other collections the item is assigned to. This makes updating or deleting an item easy and instant, with no need to duplicate items to have it available to multiple user groups. | [Move an item between collections](https://bitwarden.com/help/about-collections/#move-an-item-between-collections/) |
| Download and test the CLI | The Bitwarden command-line interface (CLI) allows for scripting, automation, and API-based commands. | [Password Manager CLI](https://bitwarden.com/help/cli/) |
| Review collections access options | In the admin console, go to Settings > Organization info > Collection management. There are two toggleable options, leading to four possible configurations. These options allow for a policy of least privilege, where only intended users have access to vault items. Your organization can be configured so that Administrators will only have access to items that they were intentionally assigned to. These options and a collection-level **Manage collection** permission enable a framework similar to Privileged-Access Management (PAM) solutions. Individual vault item access and adjustments to the collection management settings trigger auditable security events that can raise alerts within Security Information and Event Management (SIEM) tools. **Note:** Collections management settings are only available to the organization owner. | [Collections management settings](https://bitwarden.com/resources/resource-collections-management-settings/) |
| Public and Vault APIs | Review the two APIs available to your organization: the Public API and the Vault Management API. These APIs can be used for scripting, automation, and integration with third-party applications, such as SIEM tools. | [Bitwarden APIs](https://bitwarden.com/help/bitwarden-apis/) |
| Event logs | Navigate to the Event logs in the Admin Console. Review the data displayed on-screen, and export the logs for more detailed viewing in another application. Event logs can also be viewed for specific users or vault items from the Members or Collections windows through the item modals. These detailed and auditable event logs aid in security investigation, auditing, and compliance certification. | [Event Logs](https://bitwarden.com/help/event-logs/) |
| Bitwarden Send | Create a test Send from any Bitwarden client. Choose to send either text or a file, adjust the security settings to your preferences and save. Share the link or test it yourself. The file or text is encrypted end-to-end. The key to decode the file is included within the shared URL, and the process is zero-knowledge. Bitwarden Send can be used to share sensitive information within the company, such as HR documents, or share with external partners, such as creative agencies. It may also be completely disabled with an enterprise policy. | [Bitwarden Send](https://bitwarden.com/help/about-send/) |
| Export and Import data | Export the items you have stored in your organization vault. The created export file can be used as a partial backup solution or for migrating to another service if necessary. Data can also be imported into the organization vault from other services. Test the import function from your prior solution or from this [example file](https://start.bitwarden.com/hubfs/VaultImportExample.json). | [Export your data](https://bitwarden.com/help/export-your-data/) |
| Nested collection | Create a nested collection - one collection within another. In the Admin Console, open a parent collection, and from the New dropdown select Collection. The nested collection is for display purposes for organizing the vault and will not inherit permissions from the parent collection. This prevents accidental access and ensures all access to vault items is intentional. | [Nested Collections](https://bitwarden.com/help/about-collections/#nested-collections/) |
| Custom role creation | Access a test user in your organization and change their role to Custom. Evaluate the available options. These permissions are useful for various scenarios, such as giving Help Desk employees access to the organization to assist end users, but limiting their ability to access other settings such as SSO. | [Custom role](https://bitwarden.com/help/user-types-access-control/#custom-role/) |
| **Manage collection** permission | Create a test collection, such as “Finance team test.” Assign an individual user, such as your company’s accountant, to that collection and grant the **Manage collection** permission. This user can now add/remove items, and add/remove users and groups to the collection. Assign a group, such as “IT department” to the collection with the same **Manage collection** permission. Now anyone within that group can add/remove items and add/remove users and groups. This permission for collections allows for delegation of control to team leads or to a group of administrators that help in the day-to-day company work processes. | [User permissions](https://bitwarden.com/help/user-types-access-control/#permissions/) |
| Compare app store ratings of clients | Read the reviews on app stores and note the rating of the Bitwarden app and compare it to other solutions. End user satisfaction is an important factor for successful adoptions, and app ratings offer a proxy evaluation of usability. | [Bitwarden app store listings](https://bitwarden.com/download/) |
| Free families plan for all enterprise users | Visit Account settings > Free Bitwarden Families. All users of your enterprise plan are granted a free license for a Bitwarden Families Plan. This reinforces good security habits by having employees practice them at home. Note that the families plan requires a different email address than the user’s email that is attached to the enterprise plan. This maintains separation of personal and work accounts. | [Families for enterprise](https://bitwarden.com/help/families-for-enterprise/) |
| Browse the Bitwarden Community Forum | Bitwarden has an active community of users, both personal and professional. The community forums are a channel for providing feedback, getting support from others, and participating in user research studies and beta programs. | [Bitwarden Community Forum](https://community.bitwarden.com/) |
| Visit the Bitwarden GitHub repo and review source code | View the Bitwarden source code and browse the available repositories to see the work going into Bitwarden Password Manager. Bitwarden is open source, and all the code is visible for security researchers, the community, and customers to review. Source code transparency is the foundation of trust in important security solutions. Having the eyes of thousands of security enthusiasts on the Bitwarden code makes it safer, with any vulnerabilities quickly discovered and rapidly resolved. | [Open source security](https://bitwarden.com/open-source/) [Bitwarden GitHub](https://github.com/bitwarden) |

## Deployment best practices

We've seen a lot of deployments and have found that taking the following actions can positively contribute towards a successful PoC and successful adoption with your users:

| **Step** | **Key Person** | **Action** | **Resource** |
|------|------|------|------|
| Determine timeline for rollout to first-wave users | Senior Leadership & Security teams | There are lots of different strategies for rolling out Bitwarden. Take things at whatever pace best suits your team. | |
| Craft internal messaging about Bitwarden rollout | Internal Training & Managers | Bitwarden provides a lot of resources to help users adopt quickly; check some out with the links in the **Resource(s)** column. | [Bitwarden YouTube Channel](http://youtube.com/bitwarden) [Help Center](https://bitwarden.com/help/) [Courses](https://bitwarden.com/help/courses/) |

## Next steps

When you're ready to move from a proof-of-concept to putting Bitwarden into production, use the following resources:

- [Prepare your Trial Organization for Production](https://bitwarden.com/help/prepare-your-org-for-prod/)

--- URL: https://bitwarden.com/help/provider-billing/ ---

# Provider Billing

## About provider billing

When you sign up to be a Provider, you will designate two separate seat count minimums: a **Teams seat minimum** and an **Enterprise seat minimum**. These counts are a fixed floor which you are billed for monthly.

When creating client organizations and provisioning their users, client user seats will be pulled from your designated seat count at no additional monthly cost as long as there are remaining unassigned seats. For example, if you signed up for 50 Enterprise seats and have 1 Enterprise client organization utilizing 25 seats, you can add an additional 25 Enterprise seats to this or any Enterprise client organization at no additional monthly charge.

Seats can be added to client organizations above your designated seat count minimums at any time and will be:

- Listed as **Additional seats purchased** when managing a client organization's seat count or creating a new client organization.
- Automatically added to your invoice in the next billing cycle.

## Manage seats

To add or remove seats from a client organization, use the ⋮ options menu and select **Manage subscription**:

![Add client organization seats](https://bitwarden.com/assets/5azlW7UdPa9zT23P9Iou6B/13bc3905d44745494afac3f847d87ff2/2024-12-05_16-14-43.png)

If you **add** seats to client organizations such that you rise **above** your designated Teams seat minimum or Enterprise seat minimum, a prorated charge will be applied to your next invoice.
If you **remove** seats from client organizations such that you drop **back to** your designated Teams seat minimum or Enterprise seat minimum, the cost of the additional seats provisioned above the minimum will be automatically removed from your invoice in the next billing cycle.

## View billing information

> [!TIP] Client orgs can't see billing
> Only Provider admins can see billing information for their client organizations. Owners of client organizations, when navigating to their **Billing** → **Subscription** screen in the Admin Console, will be shown the following:
>
> ![Managed client billing](https://bitwarden.com/assets/6vZd3ywiuIByFj88UddPPr/1b39d3bdbd229ce1ad79014f51c3c356/2024-07-02_10-56-01.png)

### Subscription

From the **Billing** → **Subscription** page, you can view the total number of Teams and Enterprise seats you are paying for, the rate being charged for each seat, and the date of next charge.

### Billing history

From the **Billing** → **Billing history** page, you can download PDF invoices for each billing period as well as .csv files containing a client-by-client breakdown of assigned seats.

## More information

### Partner program

Bitwarden offers MSPs incentives on cumulative seats under management in any teams and enterprise organizations, including any created for use by reseller or MSP employees. To learn more about the MSP program, please contact sales [here](https://bitwarden.com/contact/).

### Customer support

All MSPs receive priority support from our 24/7 customer support team. [Contact us](https://bitwarden.com/contact/) for support.

--- URL: https://bitwarden.com/help/provider-events/ ---

# Provider Event Logs

## What are event logs?

Event logs are timestamped records of events that occur within your Provider.
Event logs for the Provider are accessible only to [Provider admins](https://bitwarden.com/help/provider-users/) from the **Manage** → **Event logs** view of the Provider Portal:

![Provider event logs](https://bitwarden.com/assets/78qTc5NI4nFDbpxWMDjwJz/e17201d717128c15e9fb55e55be6b57c/2024-12-05_09-44-47.png)

Selecting the **Export** button will create a `.csv` of all events within the specified date range:

![Export Provider event logs](https://bitwarden.com/assets/1BYgVWThvhR5CWpNKBTuOT/862268581c453d9f3a0aa25df477f9ef/2024-12-05_09-44-47.png)

### Events

Event logs record several different types of events for Providers. The event logs screen captures a **Timestamp** for the event, client app information including the application type and IP (accessed by hovering over the globe icon), the **User** connected to the event, and an **Event** description. Provider events include:

- Invited user *user-identifier*
- Confirmed user *user-identifier*
- Edited user *user-identifier*
- Removed user *user-identifier*
- Accessed *organization-identifier* organization vault.
- Created organization *organization-identifier* (triggered when [a new organization is created within provider](https://bitwarden.com/help/client-org-setup/#create-a-client-organization/))
- Added organization *organization-identifier* (triggered when [an existing organization is added to provider](https://bitwarden.com/help/providers-faqs/#q-can-i-add-an-existing-organizations-to-my-provider/))
- Removed organization *organization-identifier*

> [!NOTE] Provider events not in event log
> Provider events do not currently roll up the events logged for each [client organization](https://bitwarden.com/help/providers/#client-organizations/). Provider users can access organization event logs from the client organization's vault. [Learn more](https://bitwarden.com/help/event-logs/).
--- URL: https://bitwarden.com/help/provider-users/ ---

# Provider Users

## Onboard provider users

To ensure the secure administration of your client organizations, Bitwarden applies a three-step process for onboarding a new Provider member: [Invite](https://bitwarden.com/help/provider-users/#invite/) → [Accept](https://bitwarden.com/help/provider-users/#accept/) → [Confirm](https://bitwarden.com/help/provider-users/#confirm/).

### Invite

To invite users to your Provider:

1. Log in to Bitwarden and open the Provider Portal using the product switcher:

   ![Product switcher - Provider Portal](https://bitwarden.com/assets/4xn04Sj9u8n73TPxZUWi5f/dac0d56f47a05e2d8b28754e997a1391/2025-02-25_15-16-00.png)

2. Open the **Manage** → **Members** view and select the + **Invite member** button:

   ![Add a provider user](https://bitwarden.com/assets/6E5GA111xdiHHkA0gb5LtG/5e5b5fddb5911e1b2ed468c1d49134ad/2024-12-05_09-27-45.png)

3. On the Invite member panel:

   - Enter the **Email** address where new users should receive their invites. You can add up to 20 members at a time by comma-separating email addresses.
   - Select the **User type** to be applied to this batch of users. [User type](https://bitwarden.com/help/provider-users/#provider-user-types/) will determine what access these users will have to the provider. **Both user types** will be able to fully administer any [client organization](https://bitwarden.com/help/client-org-setup/).

4. Click **Save** to invite the designated users to join the Provider.

> [!NOTE] Resend Provider Invitations
> **Invitations expire after five days**, at which point the user will need to be re-invited. Re-invite users in bulk by selecting each user and using the ⋮ option menu to **Resend invitations**:
>
> ![Resend provider invitation](https://bitwarden.com/assets/6Sx6YxDzCYoaw7qFGgMvvv/77c341b80fd47aa6865821c30a887a8c/2024-12-05_09-34-07.png)

### Accept

Invited users will receive an email from Bitwarden inviting them to join the Provider.
Clicking the link in the email will open a Bitwarden invitations window. **Log In** with an existing Bitwarden account or **Create Account** to accept the invitation:

![Email Invitation](https://bitwarden.com/assets/1DlzjKAmxR82fsAMFqIBwB/ed0e704ccdea7785609b562e79310e0b/provider-accept-invite.png)

### Confirm

To confirm accepted invitations to your Provider:

1. In the Provider Portal, navigate to the **Manage** → **Members** view.
2. Select any `Accepted` users and use the ⋮ options menu to ✓ **Confirm selected**:

   ![Confirm invited provider user](https://bitwarden.com/assets/IxUeScxNYYmI4y8jceC5v/ebdf3fa89abbd69fbb028e0cff8c99aa/2024-12-05_09-29-04.png)

3. On the panel that appears, verify that the [fingerprint phrases](https://bitwarden.com/help/fingerprint-phrase/) for new users match those they can find in their **Settings** → **My account** screen. Each fingerprint phrase is unique to its account, and ensures a final layer of oversight in securely adding users. If they match, select **Confirm**.

## Deprovision users

To remove users from your Provider:

1. In the Provider Portal, navigate to the **Manage** → **Members** view.
2. Select the members you want to remove from the provider and use the ⋮ options menu to **Remove**:

   ![Remove provider users](https://bitwarden.com/assets/DC18TP9xNK1V8768meTDT/bfedb940285677f78e408294aadf5e0f/2024-12-05_09-36-46.png)

## Provider user types

> [!NOTE] Managing distinct user types
> **Managing a client organization's users?** Organizations have a set of [member roles and access controls](https://bitwarden.com/help/user-types-access-control/) that are distinct from Provider user types.

Bitwarden Provider users can be granted one of two user types to manage their access to the Provider. **Both user types will be able to fully administer any client organization.** Bitwarden strongly recommends that you provision a second user with a Provider admin role for failover purposes.
You can set user types when you [invite](https://bitwarden.com/help/provider-users/#invite/) provider users, or at any time from the **Manage** → **Members** screen in your Provider Portal. User types include:

| **Role** | **Description** |
|------|------|
| Service user | Service users can access and manage all [client organizations](https://bitwarden.com/help/client-orgs/), including: - Create or delete collections - Assign users and user groups to collections - Assign users to user groups - Create or delete user groups - Invite and confirm new users - Manage enterprise policies - View event logs - Export organization vault data - Manage password reset - Add or remove seats from a client organization, as long as they're within the [total seats available to the provider](https://bitwarden.com/help/provider-billing/#about-provider-billing/) |
| Provider admin | Provider admins manage all aspects of the provider and all client organizations. Provider admins can do all of the above, plus: - Create new client organizations - Invite and confirm new service users and provider admins - View provider event logs - Edit provider settings - Manage billing, subscription, and [total seats available to the provider](https://bitwarden.com/help/provider-billing/#about-provider-billing/) |

--- URL: https://bitwarden.com/help/providers-faqs/ ---

# Providers FAQs

## Provider Portal

### Q: Is there a startup or monthly fee for using the Provider Portal?

**A:** There is no fee for MSPs or their users to use the Provider Portal. It is provided, free of charge, as part of the Bitwarden partner program. If you would like to set up an organization for use by your internal team, those seats will be billed at the discounted rate.

### Q: What happens if I am locked out of my Provider admin account?

**A:** Access to the Provider Portal is through your Bitwarden account.
If you forget your master password, Bitwarden has no knowledge of, way to retrieve, or way to reset your master password and you will be unable to access the Provider Portal. **Bitwarden strongly recommends that you provision a second user with a Provider admin role for failover purposes.**

## Deployment

### Q: What deployment options are available?

**A:** Access to the Bitwarden Provider Portal is available through the Bitwarden cloud service. The Provider Portal is not supported for self-hosted environments at this time.

## Client management

### Q: Is there a recommended workflow for onboarding new clients?

**A:** Yes! We recommend this [MSP deployment workflow](https://bitwarden.com/help/bitwarden-for-msps/#phase-1-pre-onboarding/).

### Q: How does an MSP access client organizations?

**A:** MSPs can access all client organizations under management from the Provider Portal. Learn more [here](https://bitwarden.com/help/manage-client-orgs/).

### Q: Can an MSP administrator see or manage credentials for all clients?

**A:** No. As of 2024.7.0, Provider admins and service users may not view, manage, or create credentials within their client organizations. They may, however, manage collections, users, groups, and other functions within the organization as well as import data directly to their client organizations.

### Q: Can we set default enterprise policies that apply to all clients?

**A:** Each client organization operates independently with individually configured policies. [Learn more about configuring enterprise policies](https://bitwarden.com/help/policies/).

--- URL: https://bitwarden.com/help/providers/ ---

# Provider Portal Overview

> [!TIP] Provider Requirements
> Interested in becoming a Provider? To get started, we ask that:
>
> - Your business has an active Enterprise organization.
> - Your business has a client ready to be onboarded under your Provider.
>
> [Become a partner](https://bitwarden.com/partners/)

## What are Providers?
Providers are administration entities in Bitwarden that allow managed service providers (MSPs) to create and manage any number of [client organizations](https://bitwarden.com/help/providers/#client-organizations/) on behalf of individual business customers. Client organization management is easily accessible through the **Provider Portal**, available through the product switcher:

![Product switcher - Provider Portal](https://bitwarden.com/assets/4xn04Sj9u8n73TPxZUWi5f/dac0d56f47a05e2d8b28754e997a1391/2025-02-25_15-16-00.png)

### What is the Provider Portal?

The Provider Portal is an all-in-one management experience that enables providers to manage customers' Bitwarden organizations at scale. The Provider Portal streamlines administration tasks by centralizing a dedicated space to access and support each client, or to create a new one:

![Provider Portal](https://bitwarden.com/assets/7AoSHeZgJJTBXQmpZ13UBr/56ca464fe6987c8c5fc8e7099235d640/2025-02-25_15-17-46.png)

Providers are built with two distinct [user types](https://bitwarden.com/help/provider-users/#provider-user-types/):

- **Service users** can administer [client organizations](https://bitwarden.com/help/providers/#client-organizations/).
- **Provider admins** can administer [client organizations](https://bitwarden.com/help/providers/#client-organizations/) and administer the Provider itself, including adding new service users to the team.

## Client organizations

Client organizations are any [organization](https://bitwarden.com/help/about-organizations/) that is attached to or administered by a [Provider](https://bitwarden.com/help/providers/#what-are-providers/). To your customers, there's no difference between a "client" organization and a "regular" organization except for who is conducting administration.
All Provider members have access to all client organizations; however, members of a client organization cannot see or access information about the Provider's other client organizations:

![Structure of a Provider](https://bitwarden.com/assets/28M8mkU03SyVFq70ZgD0Bp/04e3c65eba73892ae3301d366ce97ce1/provider-diagram.png)

> [!NOTE] Provider credentials
> **As denoted in the above diagram**, if Providers want to use an [organization](https://bitwarden.com/help/about-organizations/) to manage their own credentials, they **should not** include it as a client organization that is administered by the Provider.
>
> Creating an independent organization for this case will ensure users can be given the appropriate [user types and access controls](https://bitwarden.com/help/user-types-access-control/) over credentials.

Organizations relate Bitwarden users and vault items together for [secure sharing](https://bitwarden.com/help/sharing/) of logins, cards, notes, and identities. Organizations have a unique view, the Admin Console, where Provider service users can manage the organization's collections, manage members and groups, run reporting, import data, and configure organization settings:

![Client organization vault](https://bitwarden.com/assets/5fXREt9aHmnVgLLRPBs8yg/dbecd580231e8ea2f4eec2be224a1e64/2025-02-25_15-20-08.png)

Members of a client organization (such as your customer's end-users) will find shared items in their **Vaults** view alongside individually-owned items, as well as several methods for filtering the item list to only organization items or items in particular [collections](https://bitwarden.com/help/about-collections/):

![Organization-enabled vault](https://bitwarden.com/assets/4D2tlh9YKPzDY20SYGVKcG/dff56b66549d29405b1af211860f698e/2024-12-03_14-07-28.png)

Once you have [contacted us](https://bitwarden.com/contact/) and been set up with a Provider by a member of the Bitwarden team, [start a client organization](https://bitwarden.com/help/client-org-setup/).
--- URL: https://bitwarden.com/help/public-api/ --- # Bitwarden Public API The Bitwarden Public API provides organizations a suite of tools for managing members, collections, groups, event logs, and policies. > [!NOTE] Management of vault items in CLI > This API does not allow for management of individual vault items. If this is what you need to accomplish, use the [Vault Management API](https://bitwarden.com/help/bitwarden-apis/#vault-management-api/) instead. The Public API is a RESTful API with predictable resource-oriented URLs, accepts JSON-encoded request bodies, returns JSON-encoded responses, and uses standard HTTP response codes, authentication, and verbs. The Public API is compatible with the OpenAPI Specification (OAS3) and publishes a compliant [`swagger.json`](https://bitwarden.com/help/api/specs/public/swagger.json/) definition file. Explore the OpenAPI Specification using the Swagger UI: - For public cloud-hosted instances: `https://bitwarden.com/help/api/` - For self-hosted instances: `https://your.domain.com/api/docs/` > [!NOTE] Public API access > Access to the Bitwarden Public API is available for all Enterprise and Teams organizations. For more information, see [Password Manager Plans](https://bitwarden.com/help/password-manager-plans/). ## Endpoints ### Base URL For cloud-hosted, `https://api.bitwarden.com` or `https://api.bitwarden.eu`. For self-hosted, `https://your.domain.com/api`. ### Authentication endpoints For cloud-hosted, `https://identity.bitwarden.com/connect/token` or `https://identity.bitwarden.eu/connect/token`. For self-hosted, `https://your.domain.com/identity/connect/token`. ## Authentication The API uses bearer access tokens to authenticate with protected API endpoints. Bitwarden uses an [OAuth2 Client Credentials](https://www.oauth.com/oauth2-servers/access-tokens/client-credentials/) application request flow to grant bearer access tokens from the endpoint. 
Authentication requests take `client_id` and `client_secret` as required parameters. > [!NOTE] API key authentication > The API key used to authenticate with the Public API is **not the same** as the [personal API Key](https://bitwarden.com/help/personal-api-key/). Organization API keys will have a `client_id` with format `"organization.ClientId"`, whereas personal API keys will have a `client_id` with format `"user.clientId"`. The API Key `client_id` and `client_secret` can be obtained by an owner from the Admin Console vault by navigating to **Settings** → **Organization info** screen and scrolling down to the **API key** section: ![Get organization API key ](https://bitwarden.com/assets/1Mq824Xunm2wmzd8f905AJ/792cca9c6edddee71abfc350479ec813/Screenshot_2024-02-28_at_2.43.34_PM.png) If, as an owner, you want to share the API key with an admin or other user, use a secure communication method like [Bitwarden Send](https://bitwarden.com/help/about-send/). > [!NOTE] Rotate API key > Your organization API key enables full access to your organization. Keep your API key private. If you believe your API key has been compromised, select **Settings > Organization info >** **Rotate API key** button on this screen. Active implementations of your current API key will need to be reconfigured with the new key before use. ### Bearer access tokens To obtain a bearer access token, make a `POST` request with `Content-Type: application/x-www-form-urlencoded` with your `client_id` and `client_secret` to the [authentication endpoint](https://bitwarden.com/help/public-api/#authentication-endpoints/). When using the API for organization management, you will always use `grant_type=client_credentials` and `scope=api.organization`. 
For example:

```
curl -X POST \
  https://identity.bitwarden.com/connect/token \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -d 'grant_type=client_credentials&scope=api.organization&client_id=<client_id>&client_secret=<client_secret>'
```

This request will result in the following response:

```
{
  "access_token": "<access_token>",
  "expires_in": 3600,
  "token_type": "Bearer"
}
```

In this response, `3600` represents the expiration value (in seconds), meaning this token is valid for 60 minutes after being issued. Making an API call with an expired token will return a `401 Unauthorized` [response code](https://bitwarden.com/help/public-api/#response-codes/).

## Content types

The Bitwarden Public API communicates with `application/json` requests and responses, with one exception: the [authentication endpoint](https://bitwarden.com/help/public-api/#authentication-endpoints/) expects an `application/x-www-form-urlencoded` request, but responds with `application/json`.

## Sample request

```
curl -X GET \
  https://api.bitwarden.com/public/collections \
  -H 'Authorization: Bearer <access_token>'
```

Where `<access_token>` is the value for the `access_token:` key in the obtained [bearer access token](https://bitwarden.com/help/public-api/#bearer-access-tokens/). This request will result in a response:

```
{
  "object": "list",
  "data": [
    {
      "object": "event",
      "type": 1000,
      "itemId": "string",
      "collectionId": "string",
      "groupId": "string",
      "policyId": "string",
      "memberId": "string",
      "actingUserId": "string",
      "date": "2020-11-04T15:01:21.698Z",
      "device": 0,
      "ipAddress": "xxx.xx.xxx.x"
    }
  ],
  "continuationToken": "string"
}
```

## Status

Bitwarden has a public [status page](https://status.bitwarden.com), where you can find information about service health and incidents for all services including the Public API.
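The token request, bearer-authenticated call, response-code handling and `continuationToken` paging documented on this page, combined into one client. This is an added example, not Bitwarden code: `PublicApiClient`, `FakeBitwarden`, the 60-second refresh margin and the retry budget are assumptions, and the fake server with its responses is constructed so the block runs offline.

```python
import json
import time
import urllib.error
import urllib.parse
import urllib.request

IDENTITY_URL = "https://identity.bitwarden.com/connect/token"  # cloud endpoint from the page
API_BASE = "https://api.bitwarden.com"  # cloud base URL from the page


def http_transport(method, url, headers, body=None):
    """Send one request with urllib and return (status, parsed JSON body)."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as err:
        return err.code, {}


class PublicApiClient:
    """Hypothetical helper for this example; not part of any Bitwarden SDK."""
    def __init__(self, client_id, client_secret, transport=http_transport,
                 clock=time.monotonic, sleep=time.sleep):
        self.client_id, self.client_secret = client_id, client_secret
        self.transport, self.clock, self.sleep = transport, clock, sleep
        self.token, self.expires_at = None, 0.0

    def bearer(self, force=False):
        """Return the cached token, requesting a new one when missing or near expiry."""
        if force or self.token is None or self.clock() >= self.expires_at:
            form = urllib.parse.urlencode({
                "grant_type": "client_credentials", "scope": "api.organization",
                "client_id": self.client_id, "client_secret": self.client_secret,
            }).encode()
            status, body = self.transport(
                "POST", IDENTITY_URL, {"Content-Type": "application/x-www-form-urlencoded"}, form)
            if status != 200:
                raise RuntimeError(f"token request failed: HTTP {status}")
            self.token = body["access_token"]
            self.expires_at = self.clock() + body["expires_in"] - 60  # assumed 60 s safety margin
        return self.token

    def get(self, path, params=None):
        url = API_BASE + path + ("?" + urllib.parse.urlencode(params) if params else "")
        reauthenticated = False
        for attempt in range(5):  # assumed retry budget
            status, body = self.transport("GET", url, {"Authorization": "Bearer " + self.bearer()})
            if status == 200:
                return body
            if status == 401 and not reauthenticated:
                self.bearer(force=True)  # token missing, invalid or expired: re-authenticate once
                reauthenticated = True
            elif status == 429:
                self.sleep(2 ** attempt)  # scale back the request rate before retrying
            else:
                raise RuntimeError(f"GET {path} failed: HTTP {status}")
        raise RuntimeError(f"GET {path} failed: retry budget exhausted")

    def list_all(self, path):
        """Collect every page by following continuationToken until none is returned."""
        items, token = [], None
        while True:
            page = self.get(path, {"continuationToken": token} if token else None)
            items.extend(page.get("data", []))
            token = page.get("continuationToken")  # assumed empty or absent on the last page
            if not token:
                return items


class FakeBitwarden:
    """Constructed stand-in for the service so the example runs offline."""
    def __init__(self, get_responses):
        self.get_responses, self.tokens_issued, self.requests = list(get_responses), 0, []

    def __call__(self, method, url, headers, body=None):
        self.requests.append((method, url, dict(headers), body))
        if method == "POST":
            self.tokens_issued += 1
            return 200, {"access_token": f"tok-{self.tokens_issued}", "expires_in": 3600}
        return self.get_responses.pop(0)


def demo():
    """First page, then a 429 and a 401 on the second page before it succeeds."""
    page1 = {"object": "list", "data": [{"id": "m1"}, {"id": "m2"}], "continuationToken": "p2"}
    page2 = {"object": "list", "data": [{"id": "m3"}], "continuationToken": None}
    server = FakeBitwarden([(200, page1), (429, {}), (401, {}), (200, page2)])
    naps = []
    client = PublicApiClient("organization.EXAMPLE", "constructed-secret", server, sleep=naps.append)
    members = client.list_all("/public/members")
    return [m["id"] for m in members], server.tokens_issued, naps, server


if __name__ == "__main__":
    print(demo()[:3])
```

In real use, load `client_id` and `client_secret` from a secret store or environment variable rather than source code, since the organization API key grants full access to the organization.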
## Response codes

The Bitwarden Public API uses conventional HTTP response codes to indicate the success or failure of an API request:

| **Status Code** | **Description** |
|------|------|
| `200 OK` | Everything worked as expected. |
| `400 Bad Request` | The request was unacceptable, possibly due to missing or malformed parameter(s). |
| `401 Unauthorized` | The bearer access token was missing, invalid, or expired. |
| `404 Not Found` | The requested resource doesn't exist. |
| `429 Too Many Requests` | Too many requests hit the API too quickly. We recommend scaling back the number of requests. |
| `500, 502, 503, 504 Server Error` | Something went wrong on Bitwarden's end. These are rare, but [contact us](https://bitwarden.com/contact/) if they occur. |

## Continuation token

A continuation token is provided for queries that return over 50 logs. This value (`field: string`) is provided at the bottom of the response, for example:

```plain text
{
  "object": "list",
  "data": [
    {
      "externalId": "external_id_123456",
      "object": "collection",
      "id": "539a36c5-e0d2-4cf9-979e-51ecf5cf6593",
      "groups": [
        {
          "id": "bfbc8338-e329-4dc0-b0c9-317c2ebf1a09",
          "readOnly": true,
          "hidePasswords": true,
          "manage": true
        }
      ]
    }
  ],
  "continuationToken": "string"
}
```

`continuationToken` is present for the following endpoints:

- `get/public/collections`
- `get/public/events`
- `get/public/groups`
- `get/public/members`
- `get/public/policies`

Add the value of the `continuationToken` to the existing request to view the paginated results, for example:

```plain text
https://api.bitwarden.com/public/events?continuationToken=<continuationToken>
```

## Further reading

For more information about using the Bitwarden Public API, see the following articles:

- [Bitwarden Public API OAS Specification](https://bitwarden.com/help/api/)
- [Event logs](https://bitwarden.com/help/event-logs/)

--- URL: https://bitwarden.com/help/rapid7-siem/ ---

# Rapid7 SIEM

Rapid7 is a security platform offering several ways to analyze
vulnerabilities and threat data, such as security information and event management (SIEM). With the Rapid7 Bitwarden integration, developed by the team at Rapid7, organizations can monitor Bitwarden organization and [event](https://bitwarden.com/help/event-logs/) activity with the Bitwarden app on Rapid7's InsightConnect software. > [!NOTE] Rapid7 Options > The Bitwarden plugin on InsightConnect is available for cloud and Insight Orchestrator users. This guide will demonstrate the cloud setup. For more information on Insight Orchestrator, see the Rapid7 documentation [here](https://docs.rapid7.com/insightconnect/orchestrator/). ## Setup ### Create Rapid7 account To start, you will need an account with Rapid7 with access to InsightConnect. Create an account on the [Rapid7](https://www.rapid7.com/) website. ### Download the Bitwarden plugin 1. Access the InsightConnect dashboard. 2. On the navigation menu, select **SETTINGS** → **Plugins & Tools**. ![Rapid7 Plugins](https://bitwarden.com/assets/1dr9pERHfn4fdumb0QbJfy/f2aebdf026bb1d9ab470855980e40388/settings.png) 3. Search **Bitwarden** in the Extension catalogue and install the plugin. 4. Return to your Extension library and select the Bitwarden plugin, then + **Create Connection**. Keep the connection window open; information from the Bitwarden web vault is required to complete the next step. ![Bitwarden New Connection](https://bitwarden.com/assets/4iHermwAq1WYzraF6pnoK6/a3a841ef3c806242783236c034a80f25/new_connection.png) 5. In a new tab or window, access your Bitwarden organization's **Client ID** and **Client Secret.** Log in to the Bitwarden web app and open the Admin Console using the product switcher: ![Product switcher](https://bitwarden.com/assets/2uxBDdQa6lu0IgIEfcwMPP/e3de3361749b6496155e25edcfdcf08b/2024-12-02_11-19-56.png) 6. Navigate to your organization's **Settings** → **Organization info** screen and select the **View API key** button.
You will be asked to re-enter your master password in order to access your API key information. ![Organization api info](https://bitwarden.com/assets/6gHjAyqgeqDj6UPT6agsBK/3a614e043cb3836a41bd68f226835e53/2024-12-04_09-51-07.png) 7. Copy the `client_id` and `client_secret` values. Return to the Create a Cloud Connection window: 1. Paste the `client_id` value into the **Client ID** field. 2. Paste the `client_secret` value into the **Client Secret** field. In order to access this field, select **Add Credential** from the **Select Credential** dropdown menu. Paste the `client_secret` value in the **Secret Key** field. Complete any additional Name and Description values you wish to include in the connection. 8. Once you have input the values, select **Save & Test Connection**. Rapid7 will run a connection test and indicate if the setup was successful. > [!NOTE] Org API information sensitive > Your organization API key information is sensitive data. Do not share these values in nonsecure locations. ## Create a workflow To begin monitoring data with Rapid7, create an InsightConnect workflow. This guide will demonstrate creating a cloud workflow and then testing the workflow. 1. On the main navigation, select **WORKFLOWS**. 2. In the right corner of the screen, select **Add Workflow** to begin. 3. A window will appear showing different options for creating a workflow. For this example, select **Start From Scratch**. Advanced users may choose to browse existing templates. ![Add Workflow](https://bitwarden.com/assets/5jTVduSflnf6c5aHYGbv0h/fd139b270cf7e8af6bdf97ce477fdf96/2024-08-20_11-08-03.png) 4. On the Create New Workflow window, complete the following required fields: 1. **Workflow Name:** Create a name for the Workflow such as **Bitwarden Logs**. 2. **Time Savings:** Time that this Workflow will save. 3. **Optional:** Include Summary and Tags for the Workflow as desired. 5. Select **Create** once you have finished. ### Create workflow trigger 1. 
Click on the new trigger in the workflow editor. In the Select a Trigger window, select the trigger you would like to use to initiate your workflow, such as **API Trigger**. Complete the following required fields: 1. **Name:** Provide a name for the new trigger. 2. **Variable:** Choose a variable such as `Event`. 3. **Data Type:** Select **String**. 4. **Optional:** Enter a Trigger Description to keep notes about the use of the trigger. 2. Select **Close** once you have completed the setup. ### Add a workflow step 1. On the workflow editor, select the + plus icon to add a new step. ![Add Step](https://bitwarden.com/assets/6B6GApClPXwr3yypKZJ5N0/38a6edc616bd3f23e3ee07ef4f9dfaeb/2024-08-20_12-26-54.png) 2. Select + **Action** to add a new action. Select **Bitwarden** from the plugins list. 3. On the Select an Action screen, choose the action you wish to monitor. For this example, we will be selecting **List Events**. Select **Continue** once you have made your selection. ![List Events Action](https://bitwarden.com/assets/jYba6MvQBxtEd81fzUlca/521681306f9cf8d174487589b683ca7c/2024-08-20_12-32-15.png) 4. Choose the **Cloud** option for running. On the connection drop down, choose the Bitwarden connection we established previously in the guide. Select **Continue** once complete. 5. On the Configure Details screen, complete the optional fields as required by your setup, such as **Start Date**. 6. Select **Save Step** once you have customized the step details. > [!NOTE] Additional action steps may be added > Rapid7 allows several actions to be created and chained together. You may repeat this step with additional Bitwarden actions to report more information. See a complete list of Bitwarden integration actions [here](https://extensions.rapid7.com/extension/bitwarden). ### Test workflow 1. Return to the Workflow Editor and select **Test** to try out the workflow. The Test Workflow window will appear.
Select **Test Workflow** at the bottom of the window to run the process. 2. This may take a moment. Once complete, a Job Details window will appear with results of the workflow: ![Rapid7 Event Output](https://bitwarden.com/assets/1jgRIiIjIjnPRqn82afwSt/300c593b6221f854deff10f7c85b27d2/Events.png) ### Enable workflow 1. To enable the workflow, select **WORKFLOWS** from the primary navigation. 2. Activate the workflow by using the toggle option: ![Enable Workflow](https://bitwarden.com/assets/6u6JvyiCi3RMkBKgYovZxO/18b513d4e19eefa54045a3ba6ac83a7f/2024-08-20_12-53-54.png) 3. Once active, reports will be generated based on the trigger settings established on your workflow. View these reports by selecting **JOBS** on the navigation. ![View Rapid7 Jobs](https://bitwarden.com/assets/74bmUmBX6LQlNTDeHDYgkm/f10055bdb9c2c791e8c75b9b996ecb84/2024-08-29_11-04-36.png) --- URL: https://bitwarden.com/help/receive-send/ --- # Receive a Send Unlike regular vault items, Sends can be received and opened by anyone with the link (including those who do not have Bitwarden accounts). Send links are randomly generated, and will look something like this: - `https://send.bitwarden.com/#...`, which will automatically resolve to `https://vault.bitwarden.com/#/send/...` - `https://your.selfhosted.domain.com/#/send/....` if you are self-hosting ![A received Send](https://bitwarden.com/assets/LLnrgZwyr6IAJ0GImXLnj/578559931915e04aeb6f037e2f03490e/2024-12-03_10-21-38.png) Depending on the [options configured](https://bitwarden.com/help/create-send/) by the sender, the recipient of a Send may be required to: - Enter a password to access the contents of the send - Manually toggle visibility on a hidden-text send ## Hidden-email Sends By default, Sends will display the email address of the sender to recipients, as in the above screenshot.
Senders can optionally hide their email address, which will substitute in a warning message: ![Hidden-email text Send](https://bitwarden.com/assets/47RPmr6xOowzjJbG6JxVG3/98c803df88adcde39c96331cf34ab106/2024-12-03_10-23-03.png) If you receive a Send with this warning, here's what you should do: - **Was this Send expected?** If this Send was expected, get in touch with the sender. Validate with this person that the link you received (`https://vault.bitwarden.com/#/send/xxx/yyy`) matches the one they created. - **Was this Send unexpected?** If this Send was unexpected, identify the sender before interacting with it. Ask your colleagues, managers, or friends whether they might have sent you something. If you do identify the sender, validate with this person that the link you received (`https://vault.bitwarden.com/#/send/xxx/yyy`) matches the one they created. **If you can't identify the sender**, don't interact with the Send. > [!WARNING] Trusting unexpected File Sends. > Taking the above measures to ensure the trustworthiness of a Send is particularly important in the case of file downloads. **Don't download mysterious files.** ## Deleted, expired, and disabled Sends When a Send [is deleted, expired, or disabled](https://bitwarden.com/help/send-lifespan/), recipients who attempt to use the link will be shown a screen that reports the Send does not exist or is no longer available: ![A deleted, expired, or disabled Send ](https://bitwarden.com/assets/6sveEP7CK57cGvSa9zpdwe/896f888bbbc782b8eef633afbd112d68/2024-12-03_10-24-14.png) --- URL: https://bitwarden.com/help/recover-a-member-account/ --- # Recover a Member Account To recover the account of a member who has forgotten their master password or lost their trusted devices: - You must be an [owner, admin, or permitted custom role](https://bitwarden.com/help/user-types-access-control/) member.
- Your organization must have the [Account recovery administration policy](https://bitwarden.com/help/policies/#account-recovery-administration/) turned on. - The member whose account you want to recover must [be enrolled](https://bitwarden.com/help/account-recovery-enrollment/). > [!TIP] Seeing who is enrolled > A member that is enrolled in account recovery will have a key icon ( 🔑 ) displayed in the **Policies** column. Complete the following steps to recover an organization member's account: 1. In the Admin Console, navigate to the **Members** view. 2. For the member whose account you want to recover, use the ⋮ Options menu to select 🔑 **Recover account**: ![Recover account](https://bitwarden.com/assets/26oD8iqDY15SNJXCJlQE71/22e66b7e11a56d99c13ac41a1236c4e7/2024-12-03_15-35-51.png) 3. In the Recover account window, create a **New password** for the user. If your organization has enabled the [master password requirements policy](https://bitwarden.com/help/policies/#master-password-requirements/), you will need to create a password that meets the implemented requirements (for example, min. eight characters or contains numbers): ![Create new password](https://bitwarden.com/assets/28qKke9XJLj6nTZJjg4mK4/7b1c2c5cb2c139bf08ea4c5f65c9a02a/2024-12-03_15-38-52.png) 4. Copy the new master password and contact the member to coordinate secure communication of it, for example by using [Bitwarden Send](https://bitwarden.com/help/create-send/). 5. Select **Save** to proceed with account recovery. Doing so will log the user out of their current sessions. Active sessions on some client applications, like mobile apps, may remain active for up to one hour. --- URL: https://bitwarden.com/help/releasenotes/ --- # Release Notes Bitwarden believes source code transparency is an absolute requirement for security solutions like ours. 
View full, detailed Release Notes in GitHub using any of the following links: - [Server Releases](https://github.com/bitwarden/server/releases) - [Web Releases](https://github.com/bitwarden/clients/releases/) - [Desktop Releases](https://github.com/bitwarden/clients/releases) - [Browser Extension Releases](https://github.com/bitwarden/clients/releases) - [Android Releases](https://github.com/bitwarden/android/releases) - [iOS Releases](https://github.com/bitwarden/ios/releases) - [CLI Releases](https://github.com/bitwarden/clients/releases) - [Directory Connector Releases](https://github.com/bitwarden/directory-connector/releases) ## Release Announcements Bitwarden incrementally updates each client application (Desktop, Browser Extension, Mobile, etc.) and for self-hosted servers following the initial release to ensure feature efficacy and stability. As a result, client applications and self-hosted servers should expect listed features following the initial release. Please review Bitwarden [software release support](https://bitwarden.com/help/bitwarden-software-release-support/#release-support-at-bitwarden/) documentation. > [!TIP] Subscribe to Release Notes > Want Release Announcements delivered straight to your inbox? Sign up to receive an email update with the latest Bitwarden release notes. > > [Contact form] > > You can also subscribe to the [Bitwarden Status RSS Feed](https://status.bitwarden.com/) for service updates, including announcements of release windows. ## 2025.11.0 (*The listed release number is for the Bitwarden Server, other version numbers released in this cycle also include Web 2025.110, Browser Extension 2025.11.0, Mobile 2025.11.0, Desktop 2025.11.0, and CLI 2025.11.0)* #### Password Manager - **Log in with passkey support on browser extensions**: Users can now log in to browser extensions [with a passkey](https://bitwarden.com/help/login-with-passkeys/). Currently, Chrome and Chromium-based browsers like Edge are supported. 
- **Windows Hello update**: You can now unlock your vault with biometrics immediately after the Windows desktop app restarts, rather than entering a master password or PIN. When setting up [biometrics in the Windows desktop app](https://bitwarden.com/help/biometrics/#set-up-biometrics-for-desktop-app/), uncheck **Require master password or PIN on app restart**. - **Right-click in web app**: In the web app Vaults view, you can now right-click to call up the same menu you'd access using the ⋮ options menu. - **Improved sign-up flow for premium subscription**: Users seeking the benefits of a paid Bitwarden plan will find it easier to upgrade their account. Select the **Upgrade your plan** button within the web app navigation to learn more about and select a paid plan. #### Admin Console - **Default URI match detection for organizations**: Organization owners and admins can now choose the [default URI match detection method](https://bitwarden.com/help/policies/#default-uri-match-detection/) for their members. Members can still edit the URI match detection method for individual login items. - **My items**: When the [Enforce organization data ownership](https://bitwarden.com/help/policies/#enforce-organization-data-ownership/) policy is turned on, the organization owns new members’ items by default. Members subject to this policy can now save items in a new [My items](https://bitwarden.com/help/my-items/) location, providing members with privacy while ensuring admins can transfer data after a member leaves the organization. #### Self-host > [!NOTE] Helm Version Update > **Helm Charts Versioning Update**: For Bitwarden self-host Helm charts, the CalVer versioning scheme (2025.8.0) will be deprecated on November 13, 2025. Moving forward, only SemVer versions will be supported and released. 
- **Backup script update**: Docker deployments utilizing the packaged [backup-db.sh script](https://bitwarden.com/help/backup-on-premise/) have been updated to the [Simple recovery model](https://learn.microsoft.com/en-us/sql/relational-databases/backup-restore/recovery-models-sql-server?view=sql-server-ver17) to prevent transaction log file sizes from compounding. - **Web clients require https configuration:** Self-hosted server connections will now require `https://` configuration. Server URLs without `https://` will receive an error message. ## 2025.10.1 (*The listed release number is for the Bitwarden Server, other version numbers released in this cycle also include Web 2025.10.1 and Mobile 2025.10.1)* #### Password Manager - **Android Chrome integration version requirement**: To continue using the [Chrome browser integration on Android](https://bitwarden.com/help/auto-fill-android/#browser-integrations/), upgrade the Chrome app to at least version 135. This is required due to structural changes in Chrome and Bitwarden autofill integration processes. #### Admin Console - **Sumo Logic SIEM integration**: A new integration is available for security information and event management (SIEM) [with Sumo Logic](https://bitwarden.com/help/sumo-logic-siem/). The integration offers comprehensive event coverage across authentication, organizational activities, and vault items. ## 2025.10.0 (*The listed release number is for the Bitwarden Server, other version numbers released in this cycle also include Web 2025.10.0, Browser Extension 2025.10.0, Mobile 2025.10.0, Desktop 2025.10.0, and CLI 2025.10.0)* #### Password Manager - **Direct importer for Edge, Opera, and Vivaldi browsers**: Move your data into Bitwarden quickly and securely with [direct import](https://bitwarden.com/help/import-from-chrome/#import-directly-from-browser/) for Edge, Opera, and Vivaldi browsers.
- **Simplified login screen for SSO users**: Members of organizations using the [Require single sign-on policy](https://bitwarden.com/help/policies/#require-single-sign-on-authentication/) will now have other authentication options greyed-out on the login screen, provided they've authenticated at least once on that device. #### Secrets Manager - **New event logs**: Secrets Manager will now [log events](https://bitwarden.com/help/event-logs/#secrets-manager-events/) when machine accounts are created, deleted, have users or groups assigned to them, and have users or groups removed from them. #### Self-host - **New environment variables**: New [environment variables](https://bitwarden.com/help/environment-variables/#refresh-token-variables/) are available for configuring the handling of refresh tokens, allowing users to determine the lifetime and timeout of authentication tokens on self-hosted servers. ## 2025.9.2 (*The listed release number is for the Bitwarden Server, other version numbers released in this cycle also include Web 2025.9.1)* #### Admin Console - **Member invitation subject line update**: The [email subject line](https://bitwarden.com/http://bitwarden.com/help/list-of-emails/#critical-member-emails/) for invitations to join an organization was updated. - **Tax ID reminder**: If you're a business owner or provider admin in a country that collects [value added tax (VAT)](https://bitwarden.com/help/tax-calculation/#value-added-tax-vat/) and haven't added your tax ID yet, you'll see a banner on the Admin Console, Payment Details, and Provider Portal pages. Click **Add a Tax ID** to update the billing details with your organization's tax ID. #### Secrets Manager - **Terraform Provider**: Bitwarden Secrets Manager now offers a Terraform provider, capable of fetching, creating, and managing Secrets Manager secrets for your Terraform infrastructure. Learn more about the Terraform provider [here](https://bitwarden.com/help/terraform-provider/). 
## Secrets Manager Kubernetes Operator 1.0.0 - **Update to default mapped secrets behavior:** The new default behavior of the Kubernetes operator will only sync secrets that have been mapped in the `BitwardenSecret` object, unless otherwise specified with `onlyMappedSecrets: false`. Learn more about the Secrets Manager Kubernetes operator [here](https://bitwarden.com/help/secrets-manager-kubernetes-operator/). ## 2025.9.0 (*The listed release number is for the Bitwarden Server, other version numbers released in this cycle also include Web 2025.9.0, Browser Extension 2025.9.0, Mobile 2025.9.0, Desktop 2025.9.0, and CLI 2025.9.0)* #### Password Manager - **Device approval using browser extensions**: Approve new [trusted devices](https://bitwarden.com/help/add-a-trusted-device/) and [login with device](https://bitwarden.com/help/log-in-with-device/) requests using the browser extension. - **CXP for iOS 26**: Users on iOS 26 can now import directly to or export directly from Bitwarden and any other iOS app that supports [FIDO's Credential Exchange Protocol](https://fidoalliance.org/specifications-credential-exchange-specifications). Learn more about [importing](https://bitwarden.com/help/import-data/) and [exporting](https://bitwarden.com/help/export-your-data/). #### Admin Console - **Collection settings updates**: Some collection management settings have been renamed and more granular events will now be logged when they're turned on or off. Learn more [here](https://bitwarden.com/help/collection-management/). - **Organization SSH keys**: SSH keys created with the Bitwarden SSH agent can now be stored and shared in organization collections. Learn more about the Bitwarden SSH agent [here](https://bitwarden.com/help/ssh-agent/).
## 2025.8.1 (*The listed release number is for the Bitwarden Server, other version numbers released in this cycle also include Web 2025.8.2 and Mobile 2025.8.1)* #### Password Manager - **Card autofill for Android**: The Bitwarden Android app can now autofill cards, such as debit or credit cards, in Chrome and Chromium-based browsers. Learn more [here](https://bitwarden.com/help/auto-fill-card-id/). - **Failed 2FA emails**: Users will now receive an email notifying them of failed login attempts that were prevented by two-step login. If you receive these emails, update your master password immediately to one that is strong, unique, and has never been used before. Learn more [here](https://bitwarden.com/help/emails-from-bitwarden/). #### Secrets Manager - **New event logs**: Secrets Manager will now log events when projects are accessed, created, edited, or deleted. Learn more [here](https://bitwarden.com/help/event-logs/). ## 2025.8.2 (*This listed release includes **only Browser Extensions & Desktop Apps**. The next release to include Server updates will resume the typical version progression (2025.8.1))* - To further protect against malicious websites, the inline autofill menu is now always displayed above other content on a web page. ## 2025.8.0 (*The listed release number is for the Bitwarden Server, other version numbers released in this cycle also include Web 2025.8.0, Browser Extension 2025.8.0, Mobile 2025.8.0, Desktop 2025.8.0, and CLI 2025.8.0)* > [!NOTE] Selfhost version support > To ensure compatibility with the latest Bitwarden release, please update both your clients and self-hosted server. Keeping your software current in accordance with the [Bitwarden software release support](https://bitwarden.com/help/bitwarden-software-release-support/) policy will help to maintain full compatibility, support, and unlock the latest Bitwarden features.
#### Admin Console - **Remove card item type policy**: An enterprise policy was added that allows enterprise organizations to restrict the use of the card item type. Learn more [here](https://bitwarden.com/help/policies/#remove-card-item-type/). #### Password Manager - **Inline autofill** **password generator improvements**: The inline autofill password generator will now immediately offer to save the generated password as a new login item. Learn more about the inline autofill [here](https://bitwarden.com/help/auto-fill-browser/#inline-autofill-menu/). - **Improved Item view**: New improvements to viewing vault items have been added. Updates include favicons and other important information presented at the top of the vault item. Learn more about vault items [here](https://bitwarden.com/help/managing-items/). - **HTTPS now required on Android**: The Android Password Manager app now requires connection to a server using HTTPS. This change will only affect users who are self-hosting a Bitwarden server without a SSL/TLS certificate. Learn more about certificates [here](https://bitwarden.com/help/certificates/). - **Unlock with biometrics updates**: Desktop apps must now first be unlocked with a method other than biometrics, such as PIN or master password, after application restart. Following this, biometrics can be used to unlock. Learn more about unlock with biometrics [here](https://bitwarden.com/help/biometrics/). ## 2025.7.3 (*The listed release number is for the Bitwarden Server, other version numbers released in this cycle also include Web 2025.7.2)* #### Admin Console - **Members view performance improvements**: Loading times for the Members view, particularly for organizations with large numbers of members, have been optimized. #### Provider Portal - **Billing update**: Providers that have not added a payment method on the **Billing** → **Subscription** page should do so as soon as possible. 
Providers with unpaid invoices will now be suspended 30 days after an unpaid invoice is due, including suspension of client organizations. Adding a valid payment method, for those that have not already, will ensure seamless continuation of service.

#### Self-host

- **Deprecated logging methods**: For self-hosted users, the direct integration with `syslog` in Bitwarden - enabled by overriding `globalSettings__syslog__destination` - has been deprecated in favor of integrating with Docker's `syslog` drivers. Users with the deprecated method will receive warning logs to notify them of the change. Learn more [here](https://bitwarden.com/help/hosting-faqs/#q-how-do-i-enable-logging-to-syslog/).

## 2025.7.1

(*The listed release number is for the Bitwarden Server, other version numbers released in this cycle also include Web 2025.7.1, Browser Extension 2025.7.0, Desktop 2025.7.1, and CLI 2025.7.0)*

#### Password Manager

- **URI Match Detection warning update**: Users who choose to set up URI match detection with the advanced options **Starts with** and **Regular expression** will see a warning dialogue to confirm they understand the potential security risks associated with these autofill options. Learn more [here](https://bitwarden.com/help/uri-match-detection/#match-detection-options/).
- **Onscreen tips for new users - Browser extension**: To assist new users, onscreen tips have been added to the browser extension. These tips will help introduce new users to the features and components of the browser extension. Learn more [here](https://bitwarden.com/help/getting-started-browserext/).
- **Browser extension permission update**: Browser extensions on Firefox and Safari will now require the notifications permission to support [log in with device](https://bitwarden.com/help/log-in-with-device/).
- **Chromium integrations on Android**: If you use Brave or Chrome as your web browser, toggle the new **Use Brave autofill integration** or **Use Chrome autofill integration** options. Learn more [here](https://bitwarden.com/help/auto-fill-android/).

#### Secrets Manager

- **New secrets events**: Event Logs will now log when secrets are created, edited, or deleted. Learn more [here](https://bitwarden.com/help/event-logs/#secrets-manager-events/).

## 2025.7.0

(*The listed release number is for the Bitwarden Server, other version numbers released in this cycle also include Web 2025.7.0)*

#### Password Manager

- **Password Depot 17 import**: Password Depot 17 has been added to the list of formats available for direct import into Bitwarden Password Manager. Learn more [here](https://bitwarden.com/help/import-faqs/#q-what-file-formats-does-bitwarden-support-for-import/).

#### Admin Console

- **Policy rename**: The Remove individual vault policy has been renamed to the Enforce organization data ownership policy. Learn more [here](https://bitwarden.com/help/policies/#enforce-organization-data-ownership/).
- **Member permissions update**: Organization members with the **Manage account recovery** permission can reset organization members' master passwords. This permission can be granted separately from the Manage users permission. Learn more [here](https://bitwarden.com/help/user-types-access-control/#permissions/).

## 2025.6.2

(*The listed release number is for the Bitwarden server, other version numbers released in this cycle also include Web 2025.6.1, Browser Extension 2025.6.0, Desktop 2025.6.0, and CLI 2025.6.0)*

> [!WARNING] Legacy Users
> Accounts using a legacy encryption scheme are no longer supported. Older accounts that were created before 2017 and have not logged into the web app since 2023 are using a legacy encryption scheme that is no longer supported. Only inactive accounts without user activity for two years may be impacted.
> Learn more [here](https://bitwarden.com/help/legacy-user-support/).

> [!WARNING] Kerberos is broken
> **Kerberos authentication support notice for Self-host**: In some deployment modes, self-host server versions 2025.6.0 through 2025.6.2 have had an interruption in their support for **Kerberos** external database authentication. This will be fixed in an upcoming release of the self-host server. Customers using Kerberos authentication should wait to upgrade their self-host deployments until the next release unless instructed otherwise by Bitwarden support.

#### Password Manager

- **Persistence in browser extensions when adding & editing items:** Browser extensions will now cache changes to item data for up to two minutes even if you click out of or minimize the extension window.
- **Browser extension notification redesign**: Browser extension notifications have a new look and feel. Learn more [here](https://bitwarden.com/help/autosave-from-browser-extensions/).
- **Advanced troubleshooting for mobile apps**: In mobile apps, users now have the option to locally and temporarily log app events to help troubleshoot unexpected behaviors in the Bitwarden app. Learn more [here](https://bitwarden.com/help/flight-recorder/).

#### Bitwarden Authenticator

- **Sync TOTPs with Password Manager**: Users now have the option to seamlessly sync verification code data between Bitwarden Authenticator and Password Manager. Learn more [here](https://bitwarden.com/help/totp-sync/).

## 2025.6.1

(The listed release number is for the Bitwarden server, other version numbers released in this cycle include Web 2025.6.0 and Self-host 2025.6.1)

> [!WARNING] Kerberos is broken
> **Kerberos authentication support notice for Self-host**: In some deployment modes, self-host server versions 2025.6.0 through 2025.6.2 have had an interruption in their support for **Kerberos** external database authentication. This will be fixed in an upcoming release of the self-host server.
> Customers using Kerberos authentication should wait to upgrade their self-host deployments until the next release unless instructed otherwise by Bitwarden support.

#### Self-host

- **Rootless Containers for Helm**: Helm deployments can now run Bitwarden in rootless mode. Learn more [here](https://bitwarden.com/help/self-host-with-helm/#rootless-requirements/).

## 2025.5.3

#### Self-host

- **SQL version support**: Release 2025.5.3 will be the last Bitwarden release that will maintain support for SQL Server 2019. Bitwarden fully supports SQL Server 2022.

## 2025.5.2

(*The listed release number is for the Bitwarden server, other version numbers released in this cycle also include Web 2025.5.1, Browser Extension 2025.5.1, Desktop 2025.5.0, iOS 2025.5.0, Android 2025.5.0, and CLI 2025.5.0*)

> [!NOTE] 2025.5.2 Announcement
> Important changes are coming to the Bitwarden clients! To help improve security and maintainability, please note that significantly older versions will cease to function if not kept up to date. This is especially important for users of our CLI. Please ensure that you have upgraded to the latest version of any installed clients.

#### Password Manager

- **Export attachments from desktop and CLI**: On the desktop app and CLI, you can now create a `.zip` export of your individual vault file attachments. Learn more [here](https://bitwarden.com/help/attachments/).
- **Support for dynamic colors on Android**: You can now apply color schemes to your Bitwarden Android app based on your wallpaper. Learn more [here](https://bitwarden.com/help/change-theme/#tab-mobile-1yAVQbGXha0iO7CioSiFvm/).
- **SSH approval settings**: A new setting is available for users who have enabled the SSH agent on the desktop app. You may specify when Bitwarden will require you to authorize access to an SSH credential stored in the vault. Learn more about SSH agent settings [here](https://bitwarden.com/help/ssh-agent/).
#### Admin Console

- **Organization sponsored Families plan**: Organizations can issue sponsored Families plans directly to employees' personal email accounts, including employees that aren't members of the current organization. Learn more about sponsored Families plans [here](https://bitwarden.com/help/organization-sponsored-families-plans/).
- **Collection permissions update**: The **Can edit** and **Can edit, hidden passwords** permissions will now grant users the ability to delete collection items, unless the new **Limit item deletion to members with the Manage collection permission** has been enabled. Learn more about collection permissions [here](https://bitwarden.com/help/about-collections/#collections-permissions/).
- **New collection management setting**: To increase privilege customization, a new collection management setting has been added, **Limit item deletion to members with the Manage collection permissions**. Learn more about collection management settings [here](https://bitwarden.com/help/collection-management/).

## 2025.5.0

(*The listed release number is for the Bitwarden server, other version numbers released in this cycle also include Web 2025.5.0 and Browser Extension 2025.5.0*)

#### Password Manager

- **Enhanced PIN requirements**: On browser extensions, PINs used for unlock must now be at least 4 characters. This will be updated in other clients in future releases.
- **Export attachments from web and browser**: On the web app and browser extension, you can now create a `.zip` export that includes file attachments. This will be added to other clients in future releases. Learn more [here](https://bitwarden.com/help/attachments/).
- **Nested collections in search results**: Nested collections are now included in search results, making it easier to find relevant items. Learn more about collections [here](https://bitwarden.com/help/about-collections/).
#### Admin Console

- **Organization features previews**: The Admin Console for Teams, Families, and Free organizations will now show previews of features included in higher subscription tiers.

## 2025.4.3

(*The listed release number is for the Bitwarden server, other version numbers released in this cycle also include Web 2025.4.1, Browser Extension 2025.4.0, Desktop 2025.4.2, and CLI 2025.4.0*)

This release includes:

#### Password Manager

- **Persistence in browser extensions when approving devices:** Browser extensions will now wait for up to two minutes for approval even if you click out of or minimize the extension window in order to approve the request using the web app.
- **Master password re-prompt desktop update**: When the master password re-prompt option is active for an item, desktop apps will now gate all fields behind successful verification instead of only hidden fields. Learn more [here](https://bitwarden.com/help/managing-items/#protect-individual-items/).

#### Admin Console

- **External ID display update**: External ID will now only be displayed for the group, collection, and member dialogue if configured using SCIM, Bitwarden Directory Connector or the API. Learn more about Directory Connector [here](https://bitwarden.com/help/directory-connector/).
- **Member SSO external ID**: Member SSO external ID will be displayed in the member dialogue for members configured using SSO.

## 2025.4.0

This release includes:

#### Password Manager

- **Edge export (csv)**: Edge (csv) export has been added to the list of formats available for import into Bitwarden Password Manager. Learn more [here](https://bitwarden.com/help/import-data/).
## 2025.3.3

(*The listed release number is for the Bitwarden server, other version numbers released in this cycle also include Web 2025.3.1, Browser Extension 2025.3.2, Desktop 2025.3.2, and CLI 2025.3.0*)

This release includes:

#### Password Manager

- **Browser extension filter persistence**: For an improved experience when navigating between the browser extension and a web page, search terms and filters will now persist for up to two minutes, or until you change the active tab in your browser extension.
- **Browser extension loading times**: We have made several changes to improve the browser extension loading times. Learn more about the Bitwarden browser extension [here](https://bitwarden.com/help/getting-started-browserext/).
- **Re-order website URIs**: On the web app and browser extension Edit Login view, you can now re-order website URIs for better visual organization using the drag-and-drop (☰) button.
- **FIDO2 two-step login support for Linux desktop**: Linux desktop apps now support two-step login using a FIDO2 passkey. Learn more [here](https://bitwarden.com/help/setup-two-step-login-fido/).
- **SSH agent forwarding**: Support for SSH agent forwarding has been improved on the Bitwarden Desktop app. Learn more about the Bitwarden SSH agent [here](https://bitwarden.com/help/ssh-agent/).

## 2025.3.0

This release includes:

#### My Account

- **Verification of new devices, grace period for new accounts**: Newly created accounts will be exempt from new device login protection for the first 24 hours after account creation. Learn more [here](https://bitwarden.com/help/new-device-verification/).

#### Password Manager

- **Login request banner notifications**: Login with device requests will now prompt a banner notification to appear in the web app while pending approval. Learn more about login with device [here](https://bitwarden.com/help/log-in-with-device/).
#### Admin Console

- **Domain verification renamed**: Domain verification, available for Enterprise organizations, has been renamed to "claimed domains". Learn more [here](https://bitwarden.com/help/claimed-domains/).
- **Claimed accounts**: When an Enterprise organization claims a domain, any member accounts with emails that match the domain will now be claimed by the organization, allowing account deletion by administrators. Claimed accounts also have a few other restrictions on account actions. Learn more [here](https://bitwarden.com/help/claimed-accounts/).
- **Unassigned items in reports**: Organization-owned items not assigned to a collection are now listed with interactive links for further review in organization vault health reports.

#### Self-hosting

- **Move to GitHub Container Registry**: Container images have been moved from Docker Hub to GitHub Container Registry. If you're deploying with a method that doesn't use the `bitwarden.sh` or `bitwarden.ps1` scripts, update image references to GitHub Container Registry URLs (e.g. `ghcr.io/bitwarden/image_name:version`).

## 2025.2.1

(*The listed release number is for the Bitwarden server, other version numbers released in this cycle also include Web 2025.2.2, Browser Extension 2025.2.2, Desktop 2025.2.1, and CLI 2025.2.0*)

This release includes:

#### My Account

- **New device login protection**: To keep your account safe and secure, Bitwarden will gradually begin requiring additional verification for users who do not use two-step login or SSO. Learn more [here](https://bitwarden.com/help/new-device-verification/).
- **Update to recovery code use**: Using a recovery code, while still requiring your email address and master password, will now automatically log you into your vault and deactivate two-step login, instead of only deactivating two-step login. Learn more [here](https://bitwarden.com/help/two-step-recovery-code/#use-your-recovery-code/).
- **FIDO2 two-step login for macOS desktop**: macOS desktop apps now support two-step login using a FIDO2 passkey. Learn more [here](https://bitwarden.com/help/setup-two-step-login-fido/).

#### Password Manager

- **Click to autofill setting moved**: The Click to autofill setting on the browser extension has been moved to the **Settings** → **Appearance** tab. Learn more [here](https://bitwarden.com/help/auto-fill-browser/#customizing-autofill-behavior/).
- **Prevent duplicate passkeys on iOS**: Duplicate passkeys cannot be saved on iOS that match an existing username and service already stored in the Bitwarden vault. The existing passkey may be modified or overwritten instead. Learn more about creating passkeys [here](https://bitwarden.com/help/storing-passkeys/#using-passkeys-with-bitwarden/).
- **Enterprise single sign-on login update**: The "Use single sign-on" button has been added to the first step of the SSO login workflow in order to streamline Enterprise SSO login. Learn more [here](https://bitwarden.com/help/using-sso/#login-using-sso/).

#### Admin Console

- **Remove Unlock with PIN policy**: Enterprise organizations can now set a policy to prohibit members from using unlock with PIN in client apps. Learn more [here](https://bitwarden.com/help/policies/#remove-unlock-with-pin/).
- **Policy non-compliance change**: Policies that previously removed members from an organization for non-compliance will now revoke those members instead. Learn more [here](https://bitwarden.com/help/managing-users/#revoke-access/).
- **Email notification for device approval requests**: Admins will now receive an email whenever a member of their organization submits a trusted device approval request. Learn more [here](https://bitwarden.com/help/approve-a-trusted-device/).

#### Provider Portal

- **Add existing organizations to Provider Portal**: Existing organizations may now be added to the Provider Portal by provider users if they are also the owner of the organization.
Learn more [here](https://bitwarden.com/help/getting-started-providers/#add-an-existing-organization/).

## 2025.2.0

(*The listed release number is for the Bitwarden server, other version numbers released in this cycle also include Web 2025.2.1*)

> [!NOTE] New device verification release note
> To keep your account safe and secure, in an upcoming release, Bitwarden will require additional verification **for users who do not use two-step login**. Users who want to avoid new device verification workflows can:
>
> - Preemptively set up two-step login by following any of the guides on [this page](https://bitwarden.com/help/setup-two-step-login/).
> - Opt-out of this feature from the Settings → My account screen in the Danger Zone section.
>
> Learn more [here](https://bitwarden.com/help/new-device-verification/).

This release includes:

#### Password Manager

- **Increased import item limit**: The limit to the number of items that can be in a Password Manager import has been increased. Learn more [here](https://bitwarden.com/help/import-data/).

#### Admin Console

- **Collection permissions updates:**
  - **Collection permission names updated**: Collection permission names have been updated to provide additional clarity. Learn more [here](https://bitwarden.com/help/user-types-access-control/#permissions/).
  - **Update to "Edit items, hidden passwords" permission**: To increase security, the "Edit items, hidden passwords" permission will no longer allow users to assign items within the collection to another collection.

## 2025.1.2

(*The listed release number is for the Bitwarden web app, other version numbers released in this cycle are Server 2025.1.4, Desktop 2025.1.4, Browser Extension 2025.1.3, CLI 2025.1.3, iOS 2025.1.2, and Android 2025.1.1*)

This release includes:

#### Password Manager

- **Change vault item owner**: On the web app, you can now share a vault item directly from the Edit window by changing its owner to any organization you're a member of.
Learn more [here](https://bitwarden.com/help/sharing/).
- **Block autofill for browser extensions**: Browser extensions can now specifically be instructed not to allow autofill on certain domains. Learn more [here](https://bitwarden.com/help/blocking-uris/).
- **Bitwarden Send updates on mobile**: Bitwarden Send options on mobile apps have discontinued support for setting an expiration date and deactivating the Send, in accordance with what is currently available on browser extensions. Support for these options will be discontinued in other clients in future releases. Learn more [here](https://bitwarden.com/help/send-lifespan/).

#### Plans and Pricing

- **Restart organization subscription**: Bitwarden subscriptions that have ended or lapsed will now have a 7-day grace period in which users can reactivate their subscription. Learn more about organization renewal [here](https://bitwarden.com/help/organization-renewal/).

## 2025.1.1

This release includes:

#### Password Manager

- **SSH agent**: Bitwarden users can now securely store and generate SSH keys directly with Bitwarden Password Manager. Learn more about the Bitwarden SSH agent [here](https://bitwarden.com/help/ssh-agent/).
- **Use web device approval**: Use the web app to approve new trusted devices and login with device requests. Learn more [here](https://bitwarden.com/help/log-in-with-device/).
- **Updated generator for desktop**: The password and username generator on desktop apps has had its UI refreshed to mirror newer designs from other Bitwarden apps. Learn more [here](https://bitwarden.com/help/generator/).

#### Admin Console

- **SSO external ID added to Public API responses**: Public API responses that return data on organization members will now include their SSO external identifiers when applicable. Learn more [here](https://bitwarden.com/help/api/).
#### Self-hosting

- **Legacy user encryption key migration**: When updated to server version `2025.1.3`, self-hosted servers will require users with extant legacy encryption keys, typically accounts created prior to 2021 who do not frequently use the web app, to log in to the web app to migrate legacy encryption keys.

> [!NOTE] Extant legacy security keys
> Impacted users will be logged out of, and prevented from logging in to, non-web Bitwarden clients until they have completed migration by logging into the Bitwarden web app. **To ensure there is no loss of service for your users, Bitwarden recommends**:
>
> 1. Upgrading your self-hosted server to `2025.1.0` as soon as possible.
> 2. Notifying users that they should log in on the web app following this update to ensure extant legacy keys are migrated **before being enforced** by `2025.1.3`.
> 3. Scheduling the upgrade of your hosted server to `2025.1.3` some period of time following the notification to allow users to migrate extant legacy keys.

## 2025.1.0

This release includes:

#### Password Manager

- **More autofill customization options**: Browser extensions now have more options for customizing your autofill experience, including the ability to select the item card to autofill instead of the **Fill** button, and several quick copy actions. Learn more [here](https://bitwarden.com/help/auto-fill-browser/#customizing-autofill-behavior/).
- **Biometric unlock for Snap Store desktop app**: Password Managed desktop apps downloaded via the Snap Store now support biometric unlock. Learn more [here](https://bitwarden.com/help/biometrics/#tab-desktop-2vCWb5iFg4OqKS0B2xXpqW/).
- **Inline autofill for TOTP codes**: The inline autofill menu can now be used to select TOTP codes. Learn more about the inline autofill menu [here](https://bitwarden.com/help/auto-fill-browser/#use-the-inline-autofill-menu/).
- **Long-press to autofill on iOS**: Long-press any text field on iOS 18+ to autofill from Bitwarden.
Learn more [here](https://bitwarden.com/help/auto-fill-ios/).
- **New Public API operation**: A GET operation has been added to the `/public/organization/subscription` endpoint. Learn more about the Bitwarden Public API [here](https://bitwarden.com/help/public-api/).

#### Admin Console

- **Remove Free Bitwarden Families sponsorship policy**: This policy will allow Enterprise organizations to prevent users from redeeming a sponsored Families plan through their organization. Learn more [here](https://bitwarden.com/help/families-for-enterprise/).
- **Integrations page**: An Integrations page has been added to the Admin Console navigation menu. The integrations page provides Help Center links to popular Bitwarden integrations for SSO, event management and more!

#### Provider Portal

- **Provider members can no longer export client vaults**: In order to increase security and privacy for client organizations, provider members will no longer have access to export client vaults.

## 2024.12.0

> [!NOTE] U2F Support in 2025
> In 2025, Bitwarden will begin phasing out support for FIDO Universal 2nd Factor (U2F) keys, which can be identified as those marked **(Migrated from FIDO)** in the Two-step Login → Manage FIDO2 WebAuthn view of the web app. If you currently use a migrated U2F key, remove and re-register the key to automatically [set it up with WebAuthn](https://bitwarden.com/help/setup-two-step-login-fido/).

This release includes:

#### Password Manager

- **Browser extension & web app UI refresh:** The Bitwarden Password Manager browser extension UI has been redesigned. Some included styling changes also enhance the web app's UI. Learn more [here](https://bitwarden.com/blog/bringing-intuitive-workflows-and-visual-updates-to-the-bitwarden-browser/).
- **Web app view item panel**: The web app will now open items to a View panel, rather than directly to an Edit panel. Only users with edit access to items will be able to use the Edit button to change a vault item.
Learn more [here](https://bitwarden.com/help/managing-items/).
- **Autofill TOTP codes iOS 18.0+**: The Bitwarden keyboard autofill feature on iOS 18.0 (or newer) will now autofill TOTP codes in login forms. Learn more about iOS autofill [here](https://bitwarden.com/help/auto-fill-ios/).
- **PasswordXP .csv importer**: PasswordXP .csv has been added to the list of formats available for import into Bitwarden Password Manager. Learn more [here](https://bitwarden.com/help/import-data/).
- **Netwrix Password Secure .csv importer**: Netwrix Password Secure .csv has been added to the list of formats available for import into Bitwarden Password Manager. Learn more [here](https://bitwarden.com/help/import-data/).

#### Admin Console

- **SCIM for Teams organizations**: Teams organizations can now use System for Cross-domain Identity Management (SCIM) to automatically provision members and groups from a source directory. This was previously only available for Enterprise organizations. Learn more [here](https://bitwarden.com/help/about-scim/).

## 2024.11.0

This release includes:

#### My Account

- **Email verification during sign up for all clients**: Users who create a new Bitwarden account using any Bitwarden client will now be asked to verify their email before creating a master password. Learn more [here](https://bitwarden.com/help/create-bitwarden-account/).

#### Password Manager

- **Inline autofill menu password generation**: The inline autofill menu can now be used to easily generate passwords when filling out account creation or password update fields. Learn more [here](https://bitwarden.com/help/auto-fill-browser/#use-the-inline-autofill-menu/).
- **Inline autofill menu options for cards and identities**: You can now turn on and off the option to include cards and identities as suggestions in the inline autofill menu. Learn more [here](https://bitwarden.com/help/auto-fill-card-id/#using-the-inline-menu/).
- **iOS copy & paste updates**: Several updates have been added to Bitwarden on iOS copy & paste functionality for ease of use.
- **Improved error handling for non-official servers**: To help users who are using non-official Bitwarden servers, new error messaging has been added to help identify errors when connecting to a non-official server.
- **Temporarily remove 'Allow screen capture' toggle on desktop apps:** To improve the experience with this feature, it has been temporarily removed from macOS and Windows desktop apps. Desktop apps will, for now, be captured by screenshots and screen sharing.
- **Increase min number of words for passphrases**: The passphrase generator will now require that generated passphrases include at least 6 words, except on mobile clients. Learn more [here](https://bitwarden.com/help/generator/#password-types/).

#### Admin Console

- **Collection management settings update**: The limit collection creation and deletion to owners and admins setting has been separated into two individual settings for each action respectively. Learn more about collection management [here](https://bitwarden.com/help/collection-management/#collection-management-settings/).
- **Can manage permission required for deleting collection items**: The **Can manage** permission is now required in order to delete collection items. Users with **Can edit** will no longer have the capability. Learn more about member permissions [here](https://bitwarden.com/help/user-types-access-control/#permissions/).

## 2024.10.4

This release includes:

#### Admin Console

- **Restrict access to `bw list org-members` command**: This command, and the equivalent endpoint in the Vault Management API, is now restricted to owners, admins, and custom users with the "Manage users" permission.

#### Provider Portal

- **Billing system migration**: Starting this month, existing providers will begin to be migrated to the updated client organization billing system.
Learn more [here](https://bitwarden.com/help/provider-billing/).

## 2024.10.2

This release includes:

#### My Account

- **Email verification during sign up**: Users who create Bitwarden accounts through the web app will now be asked to verify their email before they create a master password. Learn more [here](https://bitwarden.com/help/create-bitwarden-account/).

#### Password Manager

- **Unlock with biometrics - Linux browser extension**: Unlock with biometrics for the Bitwarden browser extension is now available for Linux users on Chromium-based browsers. Learn more [here](https://bitwarden.com/help/biometrics/#enable-unlock-with-biometrics/).
- **Desktop apps prevent screen capture:** By default, desktop apps for Windows and macOS will now prevent screen capture and recording. Learn more [here](https://bitwarden.com/help/getting-started-desktop/#next-steps/).
- **Sync a locked vault on desktop**: Desktop apps can now manually sync even when the active account is locked. Learn more [here](https://bitwarden.com/help/vault-sync/#manual-sync/).

#### Admin Console

- **Microsoft Sentinel integration:** A new native integration is available for security information and event management (SIEM) with Microsoft Sentinel. The integration offers comprehensive event coverage across authentication, organizational activities, and vault items. Learn more [here](https://bitwarden.com/help/microsoft-sentinel-siem/).
- **Ping Identity SCIM support**: System for cross-domain identity management (SCIM) with Ping Identity is now officially supported for Bitwarden organizations. Use the Ping Identity SCIM integration to automatically provision members and groups in your Bitwarden organization. Learn more [here](https://bitwarden.com/help/ping-identity-scim-integration/).
- **Upgrade plan UI improvements**: Improvements have been made to streamline the process for upgrading your organization to another plan.
Learn more [here](https://bitwarden.com/help/about-organizations/#upgrade-an-organization/).
- **Automatically log in users for allowed applications policy**: This new policy will allow IdP administrators to enable non-SSO applications to automatically log in users when launched from their IdP dashboard. Learn more [here](https://bitwarden.com/help/policies/#automatically-log-in-users-for-allowed-applications/).

## 2024.9.2

This release includes:

#### Password Manager

- **PDF attachments now downloaded by default on web app**: PDFs stored as item attachments will be downloaded to your device for viewing, rather than opening in a new browser tab. Learn more [here](https://bitwarden.com/help/attachments/).

#### Secrets Manager

- **New Machine account view**: Machine accounts have a new **Config** tab, which provides a quick view of information that might be required when configuring an application to use a machine account. Learn more [here](https://bitwarden.com/help/machine-accounts/#configuration-information/).

## 2024.9.1

This release includes:

#### Password Manager

- **Inline autofill menu for passkeys**: Use the inline autofill menu to authenticate with passkeys. Learn more [here](https://bitwarden.com/help/auto-fill-browser/#use-the-inline-autofill-menu/).

#### Admin Console

- **Member access report**: Enterprise organizations can use the member access report to monitor organization members' access to groups, collections and items. Learn more [here](https://bitwarden.com/help/reports/#member-access/).
- **Fix for removed user events**: Events are now properly logged for users removed via the Public API or Directory Connector.

## 2024.8.2

This release includes:

#### Password Manager

- **Native mobile app for iOS**: Password Manager mobile apps downloaded via the Apple App Store have been upgraded to native mobile applications. Learn more [here](https://bitwarden.com/help/native-mobile-apps-release/).
- **Password generator for password-protected exports**: Bitwarden can now generate unique passwords for password-protected exports. Learn more about password-protected exports [here](https://bitwarden.com/help/encrypted-export/#create-an-encrypted-export/).

#### Admin Console

- **Rapid7 SIEM integration:** Bitwarden organizations can now use Rapid7 for security information and event management (SIEM). Learn more [here](https://bitwarden.com/help/rapid7-siem/).

## 2024.8.0

> [!NOTE] Native mobile apps coming soon
> In a **future** release, Password Manager mobile apps downloaded via the Apple App Store and Google Play Store will be upgraded to native mobile applications. Learn more [here](https://bitwarden.com/help/native-mobile-apps-release/).

This release includes:

#### Password Manager

- **Autofill cards and identities**: Additional autofill methods can now fill cards and identities:
  - Autofill cards and identities using keyboard shortcuts. Learn more [here](https://bitwarden.com/help/auto-fill-card-id/#using-keyboard-shortcuts/).
  - Use the inline autofill menu for cards and identities. Learn more [here](https://bitwarden.com/help/auto-fill-card-id/#using-the-inline-menu/).
- **Unlock with biometrics Linux desktop app**: Unlock with biometrics on the Bitwarden desktop app is now available for Linux users using Polkit. Learn more [here](https://bitwarden.com/help/getting-started-desktop/#tab-3-6vQUhrVotSKFarA3cqyESG/).

#### Secrets Manager

- **Display total amount of machine accounts, projects and secrets**: The Secrets Manager navigation bar will now display the total number of machine accounts, projects, and secrets that you have access to.

#### Admin Console

- **Additional supported options when changing member decryption options**: If your organization moves from SSO with trusted devices to master password decryption, users will be prompted on next log in to create a master password instead of requiring administrators to issue one beforehand.
Learn more [here](https://bitwarden.com/help/about-trusted-devices/#impact-on-master-passwords/).

#### Provider Portal

- **UI improvements**: The "People" page has been renamed to the "Members" page and the color scheme of the Provider Portal has been changed to match the Admin Console.

## 2024.7.3

This release includes:

#### Secrets Manager

- **New Secrets Manager landing page**: Quickly learn more about Secrets Manager and sign up for the product directly from the web app. Learn more [here](https://bitwarden.com/help/secrets-manager-quick-start/#getting-to-secrets-manager/).

#### Provider Portal

- **Limiting provider access to vault items**: For added security and privacy for clients, provider users may no longer directly view, manage, or create items in client organizations' vaults. Provider users may, however, import vault data directly to client organizations.

## 2024.7.2

This release includes:

#### Provider Portal

- **Consolidated billing for new providers**: Billing procedures for providers that join Bitwarden after this release are now streamlined and managed exclusively from the Provider Portal. Existing providers will be migrated to the new billing system in a future release. Learn more [here](https://bitwarden.com/help/provider-billing/).

## 2024.7.1

This release includes:

#### Password Manager

- **Remove user verification for passkeys**: The recent update requiring user verification for using a passkey on the browser extension has been temporarily rolled back.
- **PRF-Enabled Passkeys will persist through account encryption key rotation**: PRF keys used when logging into Bitwarden with a passkey will now persist if users rotate their account encryption key. Learn more [here](https://bitwarden.com/help/account-encryption-key/#rotate-your-encryption-key/).
- **Invite clarification for emergency contacts and Providers**: Trusted emergency contacts and Provider users will now move to a "Needs confirmation" state after they've accepted an invitation to make your next steps clearer.
- **Bulk assign items to collections**: From the Vaults view, you can now bulk assign items to an organization's collections. A previous version of this feature was called "Move to organization". Learn more [here](https://bitwarden.com/help/managing-items/#assign-to-collections/).
- **Renamed adding items to folders**: From the Vaults view, the option to add an item to a folder has been renamed from "Move selected" to "Add to folder". Learn more [here](https://bitwarden.com/help/folders/#move-items-to-a-folder/).
- **Deprecate desktop app setting**: The desktop app can now approve device logins by default. Learn more [here](https://bitwarden.com/help/log-in-with-device/).
- **Improved SSO identifier workflow**: Admins can now distribute the URL of the **Enterprise single sign-on** screen with their SSO identifier included as a query parameter to automatically redirect organization members to the IdP for a more streamlined SSO experience. Learn more [here](https://bitwarden.com/help/sso-faqs/#q-do-i-need-to-enter-my-sso-identifier-every-time-i-login/).

#### Secrets Manager

- **Add direct access to a secret**: People and machine accounts can now be directly granted access to a secret rather than requiring a project as an intermediary. Learn more [here](https://bitwarden.com/help/secrets/).

#### Self-hosting

> [!NOTE] Individual item encryption server version notice
> Users should upgrade self-hosted servers to at least this version prior to the 2024.10.x release to ensure compatibility with clients using vault item keys.

- **Support for bulk device approval**: Self-hosted Bitwarden servers now support bulk device approval for SSO with trusted devices. Learn more [here](https://bitwarden.com/help/approve-a-trusted-device/#bulk-approve-requests/).
#### Security

- **Vault item keys**: An extra layer of encryption in the form of a new encryption key generated for each individual vault item has been added. Learn more [here](https://bitwarden.com/help/bitwarden-security-white-paper/#how-vault-data-is-encrypted/).

#### Plans and Pricing

- **Invoicing update, monthly-billed organizations**: Teams and Enterprise organizations billed monthly will see any prorated seat count adjustments included in their next occurring monthly invoice, rather than in a newly generated invoice per seat count change.
- **Invoicing update, annually-billed organizations**: Teams and Enterprise organizations billed annually will see any prorated seat count adjustments included in a once-a-month adjustment invoice, rather than in an immediately-generated separate invoice per seat count change.

## 2024.6.3

This release includes:

#### Password Manager

- **SSO with trusted device bulk approval**: Admins and owners may now approve trusted device requests in bulk using the [web app](https://bitwarden.com/help/approve-a-trusted-device/#bulk-approve-requests/) or [CLI](https://bitwarden.com/help/cli/#device-approval/).
- **Legacy user encryption key migration**: Bitwarden accounts created prior to 2021 will have their account encryption keys migrated to Bitwarden's modern user symmetric key. These users will be logged out of non-web Bitwarden clients until they have completed the migration by logging into the Bitwarden web client. Learn more about Bitwarden encryption [here](https://bitwarden.com/help/what-encryption-is-used/).

#### Self-hosting

- **Support for more collection management options**: Self-hosted Bitwarden servers now support the **Owners and admins can manage all collections and items** collection management option. Learn more [here](https://bitwarden.com/help/collection-management/).
## 2024.6.1

This release includes:

#### Password Manager

- **Collections management update**: A collection management option has been added that allows you to determine whether admins and owners are automatically provided management permissions to all collections, and the items therein, in your organization. Learn more [here](https://bitwarden.com/help/collection-management/).

## 2024.6.0

This release includes:

#### Password Manager

- **User verification for passkeys**: Browser extensions may now prompt users to verify with biometrics, PIN, or master password when using a stored passkey to log in. Learn more [here](https://bitwarden.com/help/storing-passkeys/#tab-browser-extensions-3XutklkReT3Gw0l1qHhBem/).
- **In-product getting started**: Users that are new to Password Manager will now be shown a getting started module to help them get started protecting credentials quickly.
- **Browser extension settings reorganization**: Use the newly reorganized settings screen on browser extensions to quickly locate and modify browser extension settings.
- **Firefox extension gains full functionality in private windows**: Bitwarden browser extensions used in Firefox private windows no longer have any limitations. Learn more [here](https://bitwarden.com/help/private-mode/).
- **Additional location for product switcher**: The product switcher, used to move between Password Manager, Admin Console, Secrets Manager, and Provider Portal can now also be found in the bottom left of your navigation.
- **Password-protected export for browser extensions and desktop**: Browser extensions and desktop apps can now export password-protected encrypted exports. Learn more [here](https://bitwarden.com/help/encrypted-export/#create-an-encrypted-export/).

#### Bitwarden Authenticator

- **Import to Bitwarden Authenticator**: Import data directly to Bitwarden Authenticator from a variety of other authenticator apps, including Google Authenticator, LastPass Authenticator, Raivo, and 2FAS.
Learn more [here](https://bitwarden.com/help/authenticator-import-export/).

#### Secrets Manager

- **Start a Secrets Manager trial**: Start a Secrets Manager enterprise trial to test a proof-of-concept and gain access to enterprise features like SSO and SCIM integrations, enterprise policies, self-hosting, event logs, and priority support. [Sign up for a free 7-day trial of Secrets Manager today](https://bitwarden.com/go/start-secrets-enterprise-trial/).
- **Secrets Manager Kubernetes Operator (beta)**: Use the Bitwarden Secrets Manager Kubernetes Operator to securely and efficiently integrate Secrets Manager into Kubernetes workflows. Learn more [here](https://bitwarden.com/help/secrets-manager-kubernetes-operator/).

#### Admin Console

- **Configure custom users via API**: Organization members' custom role permissions can now be configured via the Public API. Learn more [here](https://bitwarden.com/help/api/).

## 2024.5.0

This release includes:

#### Password Manager

- **Clone organization items from My vault**: Users with Can manage permission can now clone organization-owned items from their Vaults view. Learn more [here](https://bitwarden.com/help/managing-items/#clone/).
- **Browser extension platform upgrade**: Starting this week, Password Manager browser extensions will begin a gradual upgrade to a new extension platform called Manifest V3, beginning with 1% of users and increasing incrementally throughout the month of May. You do not need to take action either to initiate this upgrade or once it’s completed.

#### Admin Console

- **Splunk Cloud integration**: The Bitwarden Event Logs app is available for information and event management on Splunk Cloud Classic and Splunk Cloud Victoria. Learn more [here](https://bitwarden.com/help/splunk-siem/).
#### Self-hosting

- **Collection management and deprecation of manager role**: Self-hosted servers can now access collections management functionality and will have users with the Manager role migrated to the User role with a new Can manage permission. Learn more [here](https://bitwarden.com/help/collection-management/).

> [!TIP] Update license after FC migration
> If you're self-hosting, set your [collection management settings in your cloud organization](https://bitwarden.com/help/collection-management/) and then [update your self-hosted server's license](https://bitwarden.com/help/licensing-on-premise/#update-organization-license/) to carry those settings over to your self-hosted organization.

## 2024.4.2

This release includes:

#### Password Manager

- **Use passkeys on mobile apps**: Password Manager mobile apps can now be used to create and sign in with passkeys. This feature is available for iOS and as a beta for Android. Learn more [here](https://bitwarden.com/help/storing-passkeys/).
- **Delete stored passkeys**: Passkeys that have been stored with Bitwarden login items can now be deleted using the Bitwarden browser extension and desktop app. Learn more [here](https://bitwarden.com/help/storing-passkeys/).
- **Additional permission for browser extensions**: Browser extensions in this version require a new permission from Manifest V2 browsers to better manage content script injection. Learn more [here](https://github.com/bitwarden/clients/pull/8222).

#### Secrets Manager

- **New integrations page**: Get quick access to Secrets Manager integrations through the new page available from the Secrets Manager web app.
- **Secrets Manager CLI Docker image**: The Bitwarden Secrets Manager CLI is now available as a Docker image. Learn more [here](https://bitwarden.com/help/secrets-manager-cli/).

## Bitwarden Authenticator

Introducing the new Bitwarden Authenticator standalone mobile app.
Use Bitwarden Authenticator to generate verification codes for two-factor authentication for apps and websites. Download from app stores or [learn more](https://bitwarden.com/help/bitwarden-authenticator/).

## 2024.4.1

This release includes:

#### Password Manager

- **Delete stored passkeys**: Passkeys that have been stored on Bitwarden login items can now be deleted from the **Vault item** → **Edit** screen of the Bitwarden web app. Learn more [here](https://bitwarden.com/help/storing-passkeys/#delete-vault-item-passkey/).

#### Secrets Manager

- **"Service accounts" now "Machine accounts"**: Service accounts have been renamed to machine accounts.

## 2024.3.1

> [!TIP] Unassigned curfuffle
> With [recent migrations to a new permissions structure](https://bitwarden.com/help/collection-management/#collection-management-settings/) that brings greater collections management flexibility to your organization, vault items that are not assigned to a specific [collection](https://bitwarden.com/help/about-collections/) are now no longer displayed in your Password Manager **All vaults** view. [Learn how to access these items](https://bitwarden.com/help/unassigned-vault-items-moved-to-admin-console/).

This release includes:

#### Password Manager

- **New languages available for Bitwarden apps**: With the contributions of community translators, new language options are now available across Bitwarden apps! See a complete list of languages [here](https://bitwarden.com/help/localization/). Learn more about contributing to Bitwarden localization [here](https://contributing.bitwarden.com/contributing/#localization-l10n).
- **Desktop app hardware acceleration**: Bitwarden desktop apps now have an option to turn on or off hardware acceleration to optimize performance. This setting is enabled by default.

#### Admin Console

- **Bulk assign items to collections**: Organization items can be assigned to collections in bulk from the Admin Console.
Learn more [here](https://bitwarden.com/help/about-collections/#bulk-assign-items-to-collections/).

## 2024.3.0

This release includes:

#### Self-hosting

- **New logs functionality for Linux deployments**: Linux deployments using the standard `bitwarden.sh` shell script can now use a new option to download compressed log files (see [here](https://bitwarden.com/help/install-on-premise-linux/#script-commands-reference/)).

## 2024.2.3

This release includes:

#### Password Manager

- **Web app navigation update:** The Bitwarden web app has been totally redesigned! We hope you enjoy the new experience ([learn more](https://bitwarden.com/blog/bitwarden-design-updating-the-navigation-in-the-web-app/)).
- **Duo 2FA login update:** Duo has introduced Universal Prompt for users and admins. Duo admins who have enabled the service will see slight changes to the Duo 2FA login process. See [here](https://bitwarden.com/help/setup-two-step-login-duo/).

#### Self-hosting

- **Support for log in with passkeys (beta)**: Self-hosted Bitwarden servers now support the log in with passkeys feature (see [here](https://bitwarden.com/help/login-with-passkeys/)).

## 2024.2.2

This release includes:

#### Admin Console

- **Collection management for end-users**: Organizations now have the option to allow all users to create and manage their own collections. This option, located on the **Organization info** screen, is opt-in for existing organizations and opt-out for organizations created after 2024.2.2 (see [here](https://bitwarden.com/help/collection-management/)).
- **Deprecation of Manager role**: When you turn on collection management, organization users with the Manager role will be migrated to the User role with a new Can manage permission over their assigned collections (see [here](https://bitwarden.com/help/user-types-access-control/)).
#### Secrets Manager

- **Ansible integration**: Use Bitwarden Secrets Manager to retrieve secrets and inject them into your Ansible playbook (see [here](https://bitwarden.com/help/ansible-integration/)).

## 2024.2.0

This release includes:

#### Password Manager

- **Browser extension TOTP capture**: Use the Bitwarden browser extension to scan a webpage and save TOTP authenticator QR codes (see [here](https://bitwarden.com/help/authenticator-keys/#scan-a-qr-code/)).
- **Increased import item quantity maximum**: Imports made to Bitwarden Password Manager can now contain roughly double the amount of data (see [here](https://bitwarden.com/help/import-data/)).

#### Admin Console

- **Unique SP entity IDs per organization**: Organizations using SAML for SSO can now upgrade their entity IDs to be unique for their organization. Doing so will require re-configuring on the IdP (see [here](https://bitwarden.com/help/configure-sso-saml/)).

#### Plans & Pricing

- **Automatic tax calculation**: Tax rates for subscriptions will now be automatically calculated based on geography by our payments sub-processor. The subtotal charged by Bitwarden will remain the same, however you may notice a change in your tax-inclusive monthly invoice.

## 2024.1.2

This release includes:

#### Password Manager

- **Passkey storage for self-hosted**: Passkeys can now be stored in self-hosted Bitwarden servers (see [here](https://bitwarden.com/help/storing-passkeys/)).

#### Admin Console

- **More collections permissions via Public API**: You can now use the Public API to hide passwords from users for any collection (see [here](https://bitwarden.com/help/api/)).

## 2024.1.0

This release includes:

#### My Account

- **Log in with passkeys (beta)**: Passkeys can be used to log in to the Bitwarden web app as an alternative to using your master password and email (see [here](https://bitwarden.com/help/login-with-passkeys/)).
#### Password Manager

- **Account switching for browser extensions**: Log in to up to 5 accounts and switch seamlessly between them when using Bitwarden browser extensions (see [here](https://bitwarden.com/help/account-switching/)).

#### Admin Console

- **Configure subscription via Public API**: Use new Public API endpoints to configure subscription information like seat count, maximum auto-scaling, and storage (see [here](https://bitwarden.com/help/api/)).
- **More organization upgrade paths**: More Bitwarden organizations can now upgrade to a different subscription without needing to contact support.

## Self-host with Helm GA

Bitwarden can now be self-hosted in Kubernetes deployments using a Helm Chart (see [here](https://bitwarden.com/help/self-host-with-helm/)).

## 2023.12.1

This release includes:

#### Password Manager

- **Auto-fill menu**: Auto-fill credentials while browsing the web by turning on the new inline auto-fill menu (see [here](https://bitwarden.com/help/auto-fill-browser/#inline-auto-fill-menu/)).

## 2023.12.0

This release includes:

#### Password Manager

- **Option to turn off prompt to use passkeys**: You can now choose whether or not your browser extension will ask to save and use passkeys (see [here](https://bitwarden.com/help/storing-passkeys/#turn-off-passkey-prompt/)).
- **Forward Email support on mobile**: Forward Email can now be used on mobile apps as a forwarded email alias provider for the username generator (see [here](https://bitwarden.com/help/generator/#generate-a-username/)).
- **Vault health reports update**: Organization members will now see organization-owned items which they have **Can edit** access to in their individual vault health reports.

#### Admin Console

- **Elastic integration**: Bitwarden organizations can now use Elastic for security information and event management (SIEM) (see [here](https://bitwarden.com/help/elastic-siem/)).
- **CLI event logs**: Event logs viewed from the web app will now specify which events were logged by the Bitwarden CLI.

#### Secrets Manager

- **Secrets manager CLI output**: A new format has been added to output secrets as key-value pairs in the Secrets Manager CLI (v0.4.0) (see [here](https://bitwarden.com/help/secrets-manager-cli/#o-output/)).

## 2023.10.0

This release includes:

#### Password Manager

- **Save passkeys to your vault**: Passkeys can now be stored in your Bitwarden vault! Store and log in with passkeys using the Bitwarden browser extension (see [here](https://bitwarden.com/help/storing-passkeys/)).
- **Direct LastPass importer**: Import data from LastPass directly to Bitwarden using browser extensions or desktop apps, including if you're a member of a team using SSO with LastPass (see [here](https://bitwarden.com/help/import-from-lastpass/#import-to-bitwarden/)).
- **Import from browser extensions and desktop apps**: Data can now be imported to Bitwarden from browser extensions and desktop apps (see [here](https://bitwarden.com/help/import-data/)).
- **Mobile settings reorganization**: The Settings tab on mobile apps has been reorganized into more intuitive categories.
- **Support for self-hosted alias providers**: The username generator on Password Manager clients can now be connected to self-hosted Addy.io and SimpleLogin instances (see [here](https://bitwarden.com/help/generator/#tab-simplelogin-3Uj911RtQsJD9OAhUuoKrz/)).
- **Auto-fill cards and identities via context menu**: Cards and identities can now be auto-filled by browser extensions using the context menu (see [here](https://bitwarden.com/help/auto-fill-card-id/#using-the-context-menu/)).

#### Secrets Manager

- **Support for self-hosting**: Enterprise organizations can now self-host Secrets Manager (see [here](https://bitwarden.com/help/manage-your-secrets-org/#self-hosting/)).
- **New event logs view**: Service account event logs can now be accessed directly from the service accounts view (see [here](https://bitwarden.com/help/service-accounts/#service-account-events/)).

## 2023.9.0

This release includes:

- **FIDO2 WebAuthn now a free two-step login option**: The FIDO2 WebAuthn method for two-step login has been expanded to free accounts. Now every Bitwarden user can improve login security using compatible FIDO2 WebAuthn credentials, such as those device-bound to hardware security keys (see [here](https://bitwarden.com/help/setup-two-step-login-fido/)).
- **Organization member email verification**: Organization members will have their email automatically verified when they [accept an invitation](https://bitwarden.com/help/managing-users/#accept/) to join or if they are a member of an organization using [domain verification](https://bitwarden.com/help/claimed-domains/).
- **Export update**: JSON exports of vault data will now include the password history for applicable items (see [here](https://bitwarden.com/help/export-your-data/)).
- **CLI password generator options:** Generating a password using the CLI has additional option flags for customizing password complexity (see [here](https://bitwarden.com/help/generator/#generate-a-password/)).
- **ProtonPass JSON importer**: ProtonPass JSON has been added to the list of formats available for direct import into Bitwarden Password Manager (see [here](https://bitwarden.com/help/import-faqs/#q-what-file-formats-does-bitwarden-support-for-import/)).
- **Desktop app theme update**: The desktop app's dark theme has been updated!

## 2023.8.2

This release includes:

- **SSO with trusted devices:** SSO with trusted devices allows users to authenticate using SSO and decrypt their vault-stored encryption key without entering a master password (see [here](https://bitwarden.com/help/about-trusted-devices/)).
- **Manager collection access:** To reduce visibility to non-essential data, managers can now only see collections that they are assigned to.

## 2023.8.0

This release includes:

- **Secrets Manager - General availability**: Bitwarden Secrets Manager is now generally available for empowering developers, DevOps, and cybersecurity teams to centrally store, manage, automate, and deploy secrets at scale. Learn more about [Secrets Manager plans](https://bitwarden.com/help/secrets-manager-plans/) and [sign up today](https://bitwarden.com/help/sign-up-for-secrets-manager/).
- **Import to a folder or collection:** Import data directly to an existing folder, or if you're a member of an organization directly to a collection, from the **Tools** → **Import data** screen.

## 2023.7.1

This release includes:

- **Secrets Manager - CLI updates**: New commands were added for editing and creating projects and secrets, and the syntax used by the CLI has been restructured (see [here](https://bitwarden.com/help/secrets-manager-cli/)).
- **EU Cloud**: Bitwarden cloud servers are now available with vault data storage in the European Union (see [here](https://bitwarden.com/help/server-geographies/)).

## 2023.7.0

This release includes:

- **Login with device for self-hosted:** Bitwarden applications connected to self-hosted servers can now log in by sending an authentication request to a registered device instead of using a master password (see [here](https://bitwarden.com/help/log-in-with-device/)).
- **Forward Email alias integration**: Connect the Bitwarden username generator to [Forward Email](https://forwardemail.net/) for easy creation of email aliases (see [here](https://bitwarden.com/help/generator/#username-types/)).
- **Browser extension TOTP auto-fill:** Browser extensions will now auto-fill TOTP codes automatically unless you're using auto-fill on page load (see [here](https://bitwarden.com/help/auto-fill-browser/#totp-auto-fill/)).
- **Policies - Renamed Admin password reset**: The Admin password reset policy is now named Account recovery administration (see [here](https://bitwarden.com/help/account-recovery/)).
- **Use auto-fill in