path: root/infrastructure/roles/vaultwarden/README.md
author: alexpdp7 <alex@pdp7.net> 2026-01-08 14:18:34 +0100
committer: GitHub <noreply@github.com> 2026-01-08 14:18:34 +0100
commit: 8ecb6f7f0c3134f6860bf8dfcb1a5dc2b52ba473 (patch)
tree: 3266bdf3f587f7a31993ef7c58643f3e739b36a4 /infrastructure/roles/vaultwarden/README.md
parent: 8581f1ba8a760660af3286798ad695350ce59ec4 (diff)
Add security advice
Diffstat (limited to 'infrastructure/roles/vaultwarden/README.md')
-rw-r--r-- infrastructure/roles/vaultwarden/README.md | 7
1 files changed, 7 insertions, 0 deletions
diff --git a/infrastructure/roles/vaultwarden/README.md b/infrastructure/roles/vaultwarden/README.md
index ad689cc..e3096aa 100644
--- a/infrastructure/roles/vaultwarden/README.md
+++ b/infrastructure/roles/vaultwarden/README.md
@@ -18,3 +18,10 @@ Visit `/vaultwarden`, select "create account", then use `$USER@localhost` as you
1. Press d to delete the "welcome" message.
1. Press d to delete the "new device" message.
1. Press q and y to exit and purge deleted messages.
+
+## Security
+
+[The Bitwarden Security Whitepaper](https://bitwarden.com/help/bitwarden-security-white-paper/) says that Bitwarden clients, such as the browser extension, never pass the master password that can decrypt passwords to the Bitwarden server.
+Note that root on the system can tamper with the Vaultwarden web vault, but the browser extensions are controlled by Bitwarden.
+
+Therefore, we recommend changing the master password *before* entering any sensitive data in Vaultwarden, to ensure that the password cannot be snooped by root on the system.
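Review bot: The recommendation in the last added line does not say which client the master password must be changed from, and the reasoning only holds if it is not the web vault. The hunk's own context line shows the account being created through the web vault at `/vaultwarden`, and the new "Security" section states that root on the system can tamper with that web vault while the browser extension is controlled by Bitwarden; so the initial master password is the one that could have been captured, and changing it again through the same web vault would expose the new one in the same way. Suggest making the client explicit and the threat explicit, e.g. "The account is created through the web vault, which root on the system could have tampered with, so change the master password *from the browser extension* (never from the web vault) before entering any sensitive data." It would also help to note in the section that the "never pass the master password to the server" guarantee from the whitepaper applies to the official clients, which is exactly why the extension, not the server-hosted web vault, is the trusted path here.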