| author | alexpdp7 <alex@pdp7.net> | 2026-01-08 14:18:34 +0100 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2026-01-08 14:18:34 +0100 |
| commit | 8ecb6f7f0c3134f6860bf8dfcb1a5dc2b52ba473 (patch) | |
| tree | 3266bdf3f587f7a31993ef7c58643f3e739b36a4 | |
| parent | 8581f1ba8a760660af3286798ad695350ce59ec4 (diff) | |
Add security advice
| -rw-r--r-- | infrastructure/roles/vaultwarden/README.md | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/infrastructure/roles/vaultwarden/README.md b/infrastructure/roles/vaultwarden/README.md index ad689cc..e3096aa 100644 --- a/infrastructure/roles/vaultwarden/README.md +++ b/infrastructure/roles/vaultwarden/README.md @@ -18,3 +18,10 @@ Visit `/vaultwarden`, select "create account", then use `$USER@localhost` as you 1. Press d to delete the "welcome" message. 1. Press d to delete the "new device" message. 1. Press q and y to exit and purge deleted messages. + +## Security + +[The Bitwarden Security Whitepaper](https://bitwarden.com/help/bitwarden-security-white-paper/) says that Bitwarden clients, such as the browser extension, never pass the master password that can decrypt passwords to the Bitwarden server. +Note that root on the system can tamper with the Vaultwarden web vault, but the browser extensions are controlled by Bitwarden. + +Therefore, we recommend changing the master password *before* entering any sensitive data in Vaultwarden, to ensure that the password cannot be snooped by root on the system. |
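Review bot: The final added paragraph recommends changing the master password "*before* entering any sensitive data" but does not say which client to make the change from. The context line above the new section has the user create the account by visiting `/vaultwarden`, which is the web vault that the new text says root can tamper with. A master password changed through that same web vault would be exposed in the same way. Suggest stating explicitly that the change should be made from a Bitwarden client such as the browser extension, not from the web vault. It would also help to spell out the step the "Therefore" depends on: the initial password was typed into the web vault during account creation, so it is the one root could have observed.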
