
Vault Sharing #26

Closed
kspearrin opened this issue Jan 17, 2017 · 8 comments

@kspearrin
Member

Add ability for users to share items in their vault through folders and/or individual logins.

Design

[Image: password sharing diagram]

Flow

  1. User A creates Folder X.
  2. User A decides to share Folder X with User B.
  3. Random symmetric key is generated for Folder X.
  4. Folder X key is encrypted using the public key for User A and User B.
  5. User B logs in and obtains access to Folder X.
  6. User B receives symmetric key B and decrypts with private key.
  7. User B decrypts Folder X data with Folder X symmetric key.
  8. User B adds Login Y to Folder X, encrypts with Folder X symmetric key.
  9. User A can now access and decrypt with symmetric Key A from Folder X.

Comments

  1. Every user has a public and private (asymmetric) key
  2. Every share folder has a randomly generated symmetric key with a stored copy that is encrypted using the public key of each user that it is shared with.
  3. Every share folder and its shared data is encrypted/decrypted using the folder symmetric key.
  4. A folder's symmetric key can be re-generated as long as the logins and encrypted keys for each user are re-generated as well. This shouldn't ever really need to happen.
  5. If a user needs to change their master password, their private key will just need to be re-encrypted. There should be no effect on the shared folder data or its keys.

Issues

  1. How will nested folders fit into this sharing scheme? Will all child folders be visible?
  2. How will parent folders be handled when a child folder is shared?
  3. How will individual login shares be handled?
@kspearrin kspearrin self-assigned this Jan 17, 2017
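The Flow and Comments above describe envelope encryption: a random per-folder symmetric key, wrapped once per member with that member's public key, with only the private key tied to the master password. The following is an added illustration of that scheme, not Bitwarden's code; it assumes the `cryptography` package and picks AES-256-GCM, RSA-OAEP and PBKDF2 as stand-ins for whatever primitives the project chooses.

```python
import os
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2HMAC

OAEP = padding.OAEP(padding.MGF1(hashes.SHA256()), hashes.SHA256(), None)

def aes_encrypt(key, plaintext):  # AES-256-GCM with a fresh nonce prepended to the ciphertext
    nonce = os.urandom(12)
    return nonce + AESGCM(key).encrypt(nonce, plaintext, None)

def aes_decrypt(key, blob):
    return AESGCM(key).decrypt(blob[:12], blob[12:], None)

def master_key(password, salt):  # symmetric key derived from the user's master password
    return PBKDF2HMAC(hashes.SHA256(), 32, salt, 100_000).derive(password.encode())

def create_user(password):  # comment 1: every user holds an asymmetric key pair
    priv = rsa.generate_private_key(65537, 2048)
    pem = priv.private_bytes(serialization.Encoding.PEM, serialization.PrivateFormat.PKCS8,
                             serialization.NoEncryption())
    salt = os.urandom(16)
    # only the private key is protected by the master password (see comment 5)
    return {"pub": priv.public_key(), "salt": salt, "enc_priv": aes_encrypt(master_key(password, salt), pem)}

def create_shared_folder(members):  # flow steps 3-4: random folder key, wrapped per member
    folder_key = os.urandom(32)
    return {"wrapped_keys": {n: u["pub"].encrypt(folder_key, OAEP) for n, u in members.items()},
            "logins": {}}  # item name -> AES-GCM(folder key, secret)

def folder_key_for(folder, name, user, password):  # flow step 6: unwrap with the private key
    pem = aes_decrypt(master_key(password, user["salt"]), user["enc_priv"])
    priv = serialization.load_pem_private_key(pem, None)
    return priv.decrypt(folder["wrapped_keys"][name], OAEP)

def add_login(folder, name, user, password, item, secret):  # flow step 8
    folder["logins"][item] = aes_encrypt(folder_key_for(folder, name, user, password), secret)

def read_login(folder, name, user, password, item):  # flow steps 7 and 9
    return aes_decrypt(folder_key_for(folder, name, user, password), folder["logins"][item])

def change_master_password(user, old, new):  # comment 5: re-wrap the private key only
    pem = aes_decrypt(master_key(old, user["salt"]), user["enc_priv"])
    user["salt"] = os.urandom(16)
    user["enc_priv"] = aes_encrypt(master_key(new, user["salt"]), pem)
```

Note that `change_master_password` never touches `folder["wrapped_keys"]` or `folder["logins"]`, which is the property comment 5 relies on; a wrong master password fails at the AES-GCM tag check before any folder key is unwrapped.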
@dougharris

This is essential for me. My use case:

  • My wife and I both have lots of logins
  • Some are kept separate because we have separate identities (e.g. email or social media)
  • Some are shared because it's shared info:
    • bank and other shared finance accounts
    • Amazon and other shopping
    • health insurance

For the shared items, it's helpful to know that if I update a password, it's immediately available to her.

It's not enough to enable just sharing individual items. By sharing a folder, she can add a new site's login and it's immediately available to me.

@computer-spezialisten-de

If your software supports this feature we will use it in our company and spend some money on your project!

@kspearrin
Member Author

@computer-spezialisten-de we're already working on this and hope to have it available in the coming months. Stay tuned.

@kspearrin
Member Author

@computer-spezialisten-de this is now complete with organizations. See https://blog.bitwarden.com/password-sharing-is-here-organizations-cf9e7a2098d2

@dougharris

Excellent news. I'll read up. Thanks

@damiencuvillier

Something new on this old topic?

In addition to organization sharing, it would be great

  • either to allow ownership transfer of a password.
    Use case is: I create a password for a new collaborator. It will be available in his own vault and I no longer have access to it
  • or to allow sharing without creating a specific collection.
    Use case is quite the same: I want to create a new password, shared with the final user, without creating a specific new collection (which is a bad way to do it in my organization, because it would create too many collections, a bit messy)

@dahawk

dahawk commented Nov 5, 2020

I share @damiencuvillier's first use case. I am a sysadmin in my company and create personalized credentials on a regular basis.
I would like to transfer the created login entry to a user in my organization (sharing implies that I still have access, which I neither want nor need nor should I have according to our password and encryption policies).

The closest flow I could come up with within bitwarden enterprise is:

  1. create a new collection
  2. create the login and share it with the new collection
  3. share the collection with the intended recipient
  4. wait until the recipient has created a new, non-shared login entry
  5. remove the shared login and the collection

As stated above, I don't want the collection nor the shared login to remain after the recipient has received their credentials.
Is there a simpler way to achieve this? Because this is the cryptographically secure variation of passing on sticky notes.
