"encrypt" filenames in "icon_cache" directory

Hi all,

Is it possible to have the filenames in the “icon_cache” directory replaced with UUID codes or similar? When I check the folder on my installation, I can see which websites have passwords linked to them in the database.

I would prefer this information not to be visible without being logged in to Vaultwarden, especially if this would be hosted on a VPS in the cloud.

Many thanks,

Joost

Having icons encrypted would be a good idea as this is metadata for passwords and URIs stored in the password vault.
Unfortunately this is not currently how the icon cache is handled in Bitwarden, and Vaultwarden attempts to make as few changes as possible to remain compatible with the upstream project.
Please see the related link for more information regarding the icon cache, as this can also be disabled per client within Bitwarden.

Vaultwarden has also made it possible to disable icon downloads entirely across the board with the use of either environment variables (-e DISABLE_ICON_DOWNLOAD=true), or via the admin page if enabled.

In all cases the domains will still show in the logs, so that will not work unless you disable it also on the client side.

Also, we can’t really encrypt it, so we can only hash it, for example. In the case of domains that also isn’t very useful, because even if you hash it with sha512, these strings are probably easy to generate rainbow tables for. While we could use some user-defined prefix or postfix, it will only generate extra overhead, and you should also disable logging.

So, if you really do not want your domains on the filesystem, disable icon downloading on both Vaultwarden and every client app you use. Disable logging for both Vaultwarden and your reverse proxy.

And!! Don’t forget, if people can see the files, they probably can also open them, in which case they see the logo, which tells enough.
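
An added illustration of the hashing point made in the reply above (not code from Vaultwarden, Bitwarden or the posters): it compares unkeyed SHA-512 filenames with keyed ones against a list of well-known domains. The naming functions, the key and both domain lists are constructed for the example, and HMAC stands in here for the "user-defined prefix" idea.

```python
import hashlib
import hmac

# Constructed sample data: domains a vault might hold icons for.
VAULT_DOMAINS = ["github.com", "paypal.com", "intranet.example.org"]
# Constructed candidate list, as could be built from any public site ranking;
# it does not contain the private intranet host.
CANDIDATES = ["google.com", "github.com", "paypal.com", "amazon.com"]


def plain_name(domain: str) -> str:
    """Hypothetical cache filename: unkeyed SHA-512 of the domain."""
    return hashlib.sha512(domain.encode()).hexdigest() + ".png"


def keyed_name(domain: str, key: bytes) -> str:
    """Hypothetical cache filename: HMAC-SHA512 under a server-side key."""
    return hmac.new(key, domain.encode(), hashlib.sha512).hexdigest() + ".png"


def recover(filenames, candidates, namer):
    """Map filenames back to domains by hashing every candidate once."""
    table = {namer(c): c for c in candidates}
    return {f: table[f] for f in filenames if f in table}


def demo():
    key = b"constructed-demo-key"  # assumption: stored in the server config
    plain = [plain_name(d) for d in VAULT_DOMAINS]
    keyed = [keyed_name(d, key) for d in VAULT_DOMAINS]
    return {
        # Unkeyed hashes: every well-known domain is identified.
        "plain": sorted(recover(plain, CANDIDATES, plain_name).values()),
        # Keyed hashes, key not known to the reader of the directory.
        "keyed_no_key": sorted(
            recover(keyed, CANDIDATES, lambda d: keyed_name(d, b"guess")).values()),
        # Keyed hashes, key read from the same host: same exposure as unkeyed.
        "keyed_with_key": sorted(
            recover(keyed, CANDIDATES, lambda d: keyed_name(d, key)).values()),
    }


if __name__ == "__main__":
    for case, found in demo().items():
        print(case, found)
```

A key only helps while it is stored somewhere the reader of the cache directory cannot reach, and neither variant hides the domains in the logs or the logo inside each file.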