How the encryption works?

Hello everyone,

I am a new user of Bitwarden_rs and I really enjoy this password manager, so thank you to all the team !!

I am trying to migrate to Bitwarden_rs instead of the old KeePass file we have at work, but my manager asked me some questions for which I didn’t find the answers. So here I am, asking for help (please) :slight_smile:

  • How the database (SQLite) is encrypted ?
  • When the container is started, how the end-to-end encryption works ?

Thank you in advance.


The vast majority of security-relevant operations are done on the client side. bitwarden_rs mostly just acts as a storage backend for client-encrypted blobs. You can find some details on how Bitwarden works at

Bitwarden started out as an open source alternative to LastPass, and the basic architecture seems heavily inspired by it, so the LastPass whitepaper may be relevant as well:

Hi! How is “password sharing” (Organisation with multiple users) in regards to encryption handled, when the client application is responsible for encryption?

It works pretty much the same as in LastPass, although Bitwarden has their own whitepaper now:

But to summarize, it works like this:

  1. When the original owner of the org first creates the org, their client generates a symmetric key used for encrypting all entries in the org.
  2. When the owner invites a new org member, during the confirmation step, the owner’s client encrypts the org’s symmetric key with the new member’s public key (a public-private keypair was generated by the new member’s client when they originally registered with the server). This encrypted symmetric key is saved to the server to pass on to the new member.
  3. When the new member syncs with the server again, their client downloads the encrypted symmetric key, which can be decrypted using the new member’s private key. The new member now has the symmetric key needed to read/write entries in the org.

The new member (if they have appropriate permissions in the org) can now add other new members in the same way, since everyone in the org uses the same symmetric key.


Thank you very much!


I want to discussing about vaultwarden encryption, and it’s also regarding on Bitwarden whitepaper on this link Bitwarden Security Whitepaper | Bitwarden Help Center

we has installed vaultwarden on docker, and if we open database, email aren’t encrypt and using plain text. the case is, on Bitwarden whitepaper explain that email and password are encrypted using (PBKDF2) enclosed picture

our question

  1. Is betwen Bitwarden and Vaultwarden are using different encryption?
  2. if yes different, could give us Vaultwarden whitepaper? we want to know is email address are encrypted too

Where are you seeing that the email is encrypted on the server?
The only reference to email in the section you mentioned makes the note that your email is used as the salt for the Master Key.