Error: KDF config is required

Help
1

I set up VaultWarden docker last week. It’s been working great, until today.

On mobile I log in then the app crashes.
On Firefox the page says “Invalid master password”.

On Chrome I get “Error: KDF config is required”.

On Firefox the bitwarden plugin is still logged in, and I’m afraid to touch it.

The container image version says 1.34.3

It is set to vaultwarden/server:latest

I brought docker down and back up to make sure that was happy.

When I was importing passwords I was deleting them from my old manager. I can still recover those for the moment, but I’m looking for guidance on what to do.

Thanks,

DK

2

On the firefox that is logged in I get an “Invalid refresh token” message if i try to save a new login.

Unrelated, I think, but I get DNS queries in my Vaultwarden log. I do have PiHole running on docker on the same host, but I’m not sure why Vaultwarden is seeing port 53 activity.

The log is telling me Username or password is incorrect. Try again. IP: IPADDRESS. Username: email@address. but I guarantee it’s what I set when I set it up.

If it comes to it, I assume wiping out the persistent config folder would start fresh, right?

3

Another thing that I did that may have caused the issue is that I changed the config folder. I originally had it in bitwarden. I stopped the container, changed the name, then started the container pointing at vaultwarden. The inside folder didn’t change. And the permissions shouldn’t have changed. But maybe it lost track of the config so no password was ever going to work?

Anyhow, I renamed the config folder and created a blank one then recreated my user, imported, and everything looks happy for now.

Edit: It’s verified. I didn’t update the docker yaml file, so vaultwarden was pointing at the old path. So the password was never going to work. User error.

1 Like
4

Hi,
sorry, but English is not my native language. However please find below my description in English.

I am experiencing what seems to be the same issue that is discussed here and would like to add my setup and observations.

Environment

  • Vaultwarden: 1.35.1 (Docker on Synology NAS, Debian base)
  2. Web vault: 2025.12.1
  4. DB: SQLite 3.50.2
  6. Reverse proxy: Synology, HTTPS termination
  7. Domain: https://<my.domain.synology.me>:<port> (server and browser URL match in diagnostics)

KDF / account settings

  • Algorithm: Argon2id

  • KDF memory: 64 MB

  • KDF iterations: 3

  • KDF parallelism: 4
    → These are the current Bitwarden defaults, nothing exotic.

Symptoms

  • Login in the web vault on the same URL works fine for all accounts.

  • Existing Bitwarden clients keep working (e.g. Safari extension and an already logged‑in Firefox on macOS).

  • New browser extensions (different browsers, profiles and devices) cannot log in anymore:

    • Firefox (Linux, several brand‑new profiles, including completely blank ones):

      • After installing the Bitwarden extension and configuring the self‑hosted URL, I immediately get
        “KDF config is required” right after entering the master password.

      • There is no corresponding /prelogin or identity request visible in the Vaultwarden container logs.

    • Mullvad Browser (Firefox‑based) on two devices (Linux laptop and MacBook):

      • Fresh install, only the Bitwarden extension added, self‑hosted URL configured.

      • Error message:
        “NetworkError when attempting to fetch resource”.

      • Again, the web vault in the same browser/profile can log in, but the extension cannot.

  • The problem is reproducible with:

    • different browsers (Firefox, Mullvad),

    • different profiles (blank, no user.js, no other add‑ons),

    • different devices (Linux, macOS),

    • and even with several older Bitwarden extension versions, as long as it is a new login.

What I have ruled out

  • Broken user.js: initial syntax issues were fixed; brand‑new profiles without any user.js show the same error.

  • Wrong URL/region in the extension: “self‑hosted” selected, URL exactly matches the web vault URL including https and port; diagnostics show “Domain configuration Match HTTPS”.

  2. Outdated Vaultwarden/web version: both are on the latest stable versions listed above.

Question

Are there any known issues with:

  • Vaultwarden 1.35.1 + Web vault 2025.12.1

  • and current Bitwarden browser extensions (Firefox / Mullvad, possibly others) on new logins,

where:

  • the web vault and existing sessions keep working,

  • but new browser extensions show either

    • “KDF config is required”, or

    • “NetworkError when attempting to fetch resource”,

  • and there is no login/prelogin request from the extension visible in the Vaultwarden logs?

5

Can you make double sure? That error message pops up if I don’t enter a valid server (e.g. https://google.com/) as URL
Peek 2026-01-02 19-34

My guess is that you entered the Server URL with an fragment like /#/login, which also does not work.

6

You were absolutely right – that was the issue.

When I copied the URL from the browser, it included the /#/login fragment at the end. The Bitwarden extension UI hides that part, so I didn’t notice it was actually stored and used as part of the server URL. After removing /#/login (so that the URL is just https://my.domain.synology.me``:port), login works again in the new Firefox profile and in Mullvad Browser.

Thank you very much for pointing this out! That detail with the fragment in the URL and the extension not showing it completely fooled me.