From 8ecb6f7f0c3134f6860bf8dfcb1a5dc2b52ba473 Mon Sep 17 00:00:00 2001 From: alexpdp7 Date: Thu, 8 Jan 2026 14:18:34 +0100 Subject: Add security advice --- infrastructure/roles/vaultwarden/README.md | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'infrastructure') diff --git a/infrastructure/roles/vaultwarden/README.md b/infrastructure/roles/vaultwarden/README.md index ad689cc..e3096aa 100644 --- a/infrastructure/roles/vaultwarden/README.md +++ b/infrastructure/roles/vaultwarden/README.md @@ -18,3 +18,10 @@ Visit `/vaultwarden`, select "create account", then use `$USER@localhost` as you 1. Press d to delete the "welcome" message. 1. Press d to delete the "new device" message. 1. Press q and y to exit and purge deleted messages. + +## Security + +[The Bitwarden Security Whitepaper](https://bitwarden.com/help/bitwarden-security-white-paper/) says that Bitwarden clients, such as the browser extension, never pass the master password that can decrypt passwords to the Bitwarden server. +Note that root on the system can tamper with the Vaultwarden web vault, but the browser extensions are controlled by Bitwarden. + +Therefore, we recommend changing the master password *before* entering any sensitive data in Vaultwarden, to ensure that the password cannot be snooped by root on the system. -- cgit v1.2.3
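Review bot: the final added line ("Therefore, we recommend changing the master password *before* entering any sensitive data") does not say which client the change must be made from, and that is the whole point of the advice. The README's existing instructions create the account through the web vault at `/vaultwarden`, which the line just above states root can tamper with, so the initial master password has to be assumed exposed; if the user then changes it through that same web vault, nothing is gained. Suggest making the client explicit, for example: "Therefore, we recommend changing the master password *from the browser extension* (never from the web vault) *before* entering any sensitive data in Vaultwarden, ..." and adding a sentence that the web vault should not be used for the master password or vault contents afterwards, since the same tampering risk applies to every later visit.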