
Understand Log In vs. Unlock

In order to understand why unlocking and logging in are not the same, it's important to remember that Bitwarden

on its servers. When your vault is neither unlocked nor logged in, your vault data only exists on the server in its encrypted form.

Logging in

Logging in to Bitwarden retrieves the encrypted vault data and decrypts the vault data locally on your device. In practice, that means two things:

  1. Logging in will always require you to use your master password or

    to gain access to the account encryption key that will be needed to decrypt vault data.

    This stage is also where any enabled two-step login methods will be required.

  2. Logging in will always require you to be connected to the internet (or, if you are self-hosting, connected to the server) to download the encrypted vault to disk, which will subsequently be decrypted in your device's memory.

Unlocking

Unlocking can only be done when you are already logged in. This means, according to the above section, your device has encrypted vault data stored on disk. In practice, this means two things:

  1. You don't specifically need your master password. While your master password can be used to unlock your vault, so can other methods like PIN codes and biometrics.

    note

    When you set up a PIN or biometrics, a new encryption key derived from the PIN or biometric factor is used to encrypt the account encryption key, which you will have access to by virtue of being logged in, and stored on diskª.

    Unlocking your vault causes the PIN or biometric key to decrypt the account encryption key in memory. The decrypted account encryption key is then used to decrypt all vault data in memory.

    Locking your vault causes all decrypted vault data, including the decrypted account encryption key, to be deleted.

    ª - If you use the Require master password on browser restart option, this key is only stored in memory rather than on disk.

  2. You don't need to be connected to the internet (or, if you are self-hosting, connected to the server).
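The PIN flow described in the note under Unlocking can be sketched as a key-wrapping round trip. This is an added example, not Bitwarden's client code: the function names, PBKDF2-SHA256 with 600000 iterations, AES-256-GCM and the sample PIN are all assumptions chosen for illustration.

```javascript
// Added illustration, not Bitwarden client code. KDF, cipher and parameters are assumptions.
const crypto = require("crypto");

// Derive a 256-bit wrapping key from the PIN (assumed: PBKDF2-SHA256, 600000 iterations).
function deriveWrappingKey(pin, salt) {
  return crypto.pbkdf2Sync(pin, salt, 600000, 32, "sha256");
}

// "Set up a PIN": encrypt the account encryption key under the PIN-derived key.
// The returned record is what would be kept on disk; it holds no plaintext key.
function wrapAccountKey(accountKey, pin) {
  const salt = crypto.randomBytes(16);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv("aes-256-gcm", deriveWrappingKey(pin, salt), iv);
  const ct = Buffer.concat([cipher.update(accountKey), cipher.final()]);
  return { salt, iv, ct, tag: cipher.getAuthTag() };
}

// "Unlock": recover the account key in memory with no network access. Null on a wrong PIN.
function unlock(record, pin) {
  const d = crypto.createDecipheriv("aes-256-gcm", deriveWrappingKey(pin, record.salt), record.iv);
  d.setAuthTag(record.tag);
  try {
    return Buffer.concat([d.update(record.ct), d.final()]);
  } catch {
    return null; // authentication tag did not verify
  }
}

// "Lock": overwrite and drop the decrypted key material held in memory.
function lock(session) {
  if (session.accountKey) session.accountKey.fill(0);
  session.accountKey = null;
}

// Constructed sample: random bytes stand in for the account encryption key.
function demo() {
  const accountKey = crypto.randomBytes(32);
  const onDisk = wrapAccountKey(accountKey, "4821");
  const session = { accountKey: unlock(onDisk, "4821") };
  const unlockedOk = session.accountKey.equals(accountKey);
  lock(session);
  return { unlockedOk, wrongPin: unlock(onDisk, "0000"), lockedKey: session.accountKey };
}
```

After `lock`, the only way back to the account key is another `unlock` against the stored record, which mirrors why unlocking works offline while logging in does not.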