
[PM-30584] Move key-connector migration to sdk#19360

Draft
quexten wants to merge 2 commits into main from km/key-connector-sdk

Conversation

@quexten
Contributor

@quexten quexten commented Mar 4, 2026

🎟️ Tracking

https://bitwarden.atlassian.net/browse/PM-30584
bitwarden/server#7136
bitwarden/sdk-internal#809
#19360

📔 Objective

We do not want to keep the same master-key that was used during password derivation, but use a separately sampled key - named "key-connector-key". This means that the conversion flow now requires:

  • Posting the key to key-connector
  • Setting the "key" field on the user to "key-connector-key-wrapped-user-key"

To keep backwards compatibility, we make the request body optional, but if present, the request body contains the key-connector-key-wrapped-user-key. This is subsequently set to the user object.

This will unblock setting the master-key to state during unlock and login, which will improve unlock time, since we can remove double-kdf-derivation.

📸 Screenshots
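The conversion flow the PR description lays out (sample a key-connector key that is independent of the password-derived master key, post it to key connector, wrap the user key under it, and send the wrapped user key in the optional request body so the server can set it as the user's "key" field) is illustrated below as an added example. This is not code from the Bitwarden clients, server or SDK; the key-connector service is stood in for by an in-memory map, the request body shape (`{"key": ...}`), AES-256-GCM as the wrapping construction, and all function and type names are assumptions made for the illustration. It also shows the unlock side the description alludes to: the user key is recovered from the key-connector key and the wrapped field alone, with no KDF involved.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// KeyConnectorKey is a freshly sampled 256-bit key. It is deliberately
// independent of the password-derived master key (assumed size and type).
type KeyConnectorKey [32]byte

// NewKeyConnectorKey samples a new key from the OS CSPRNG.
func NewKeyConnectorKey() (KeyConnectorKey, error) {
	var k KeyConnectorKey
	_, err := rand.Read(k[:])
	return k, err
}

// WrapUserKey encrypts the user key under the key-connector key with
// AES-256-GCM (assumed construction) and returns base64(nonce || ct || tag).
func WrapUserKey(kck KeyConnectorKey, userKey []byte) (string, error) {
	block, err := aes.NewCipher(kck[:])
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(gcm.Seal(nonce, nonce, userKey, nil)), nil
}

// UnwrapUserKey reverses WrapUserKey; it fails on a wrong key or on tampering
// because GCM authenticates the ciphertext.
func UnwrapUserKey(kck KeyConnectorKey, wrapped string) ([]byte, error) {
	raw, err := base64.StdEncoding.DecodeString(wrapped)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(kck[:])
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(raw) < gcm.NonceSize() {
		return nil, errors.New("wrapped key too short")
	}
	return gcm.Open(nil, raw[:gcm.NonceSize()], raw[gcm.NonceSize():], nil)
}

// FakeKeyConnector is a constructed in-memory stand-in for the key-connector
// service; it only remembers which key-connector key was posted per user.
type FakeKeyConnector struct{ keys map[string]KeyConnectorKey }

func NewFakeKeyConnector() *FakeKeyConnector {
	return &FakeKeyConnector{keys: map[string]KeyConnectorKey{}}
}

func (f *FakeKeyConnector) PostKey(userID string, k KeyConnectorKey) { f.keys[userID] = k }

func (f *FakeKeyConnector) GetKey(userID string) (KeyConnectorKey, bool) {
	k, ok := f.keys[userID]
	return k, ok
}

// User carries the server-side "key" field the migration sets.
type User struct {
	ID  string
	Key string // key-connector-key-wrapped-user-key after migration
}

// MigrationRequest is the assumed shape of the optional request body.
type MigrationRequest struct {
	Key string `json:"key"`
}

// Migrate runs the conversion flow and returns the request body the client
// would send; the server then copies body.key onto the user object.
func Migrate(kc *FakeKeyConnector, user *User, userKey []byte) ([]byte, error) {
	kck, err := NewKeyConnectorKey() // separately sampled, not the master key
	if err != nil {
		return nil, err
	}
	kc.PostKey(user.ID, kck) // step 1: post the key to key connector
	wrapped, err := WrapUserKey(kck, userKey)
	if err != nil {
		return nil, err
	}
	user.Key = wrapped // step 2: server sets the "key" field from the body
	return json.Marshal(MigrationRequest{Key: wrapped})
}

// Unlock recovers the user key without any password KDF.
func Unlock(kc *FakeKeyConnector, user User) ([]byte, error) {
	kck, ok := kc.GetKey(user.ID)
	if !ok {
		return nil, errors.New("no key-connector key stored for user")
	}
	return UnwrapUserKey(kck, user.Key)
}

func main() {
	userKey := make([]byte, 64) // constructed sample user key
	if _, err := rand.Read(userKey); err != nil {
		panic(err)
	}
	kc, user := NewFakeKeyConnector(), User{ID: "user-1"}
	body, err := Migrate(kc, &user, userKey)
	if err != nil {
		panic(err)
	}
	fmt.Printf("request body: %s\n", body)
	got, err := Unlock(kc, user)
	fmt.Println("round trip ok:", err == nil && bytes.Equal(got, userKey))
}
```

The point the round trip makes is that after migration the master key never has to be derived again on unlock: everything needed is the key-connector key held by the service and the wrapped field on the user, which is why the PR description expects the double KDF derivation to go away.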

@quexten quexten changed the title from "Move key-connector migration to sdk" to "[PM-30584] Move key-connector migration to sdk" on Mar 4, 2026
@sonarqubecloud

sonarqubecloud bot commented Mar 4, 2026

@github-actions
Contributor

github-actions bot commented Mar 4, 2026

Checkmarx One – Scan Summary & Details: d531af7e-b951-435c-b11d-2bb2f0373245

New Issues (3): Checkmarx found the following issues in this Pull Request

# | Severity | Issue | Source File / Package | Checkmarx Insight

1 | CRITICAL | CVE-2026-3061 | Npm-electron-39.2.6
    Description: Out-of-bounds Read in Media in Google Chrome prior to 145.0.7632.116 allowed a remote attacker to perform an out of bounds memory read via a crafte...
    Attack Vector: NETWORK
    Attack Complexity: LOW
    Vulnerable Package

2 | CRITICAL | CVE-2026-3062 | Npm-electron-39.2.6
    Description: Out-of-bounds Read and write in Tint in Google Chrome on Mac prior to 145.0.7632.116 allowed a remote attacker to perform out of bounds memory acce...
    Attack Vector: NETWORK
    Attack Complexity: LOW
    Vulnerable Package

3 | MEDIUM | CVE-2026-3063 | Npm-electron-39.2.6
    Description: Inappropriate implementation in DevTools in Google Chrome prior to 145.0.7632.116 allowed an attacker who convinced a user to install a malicious e...
    Attack Vector: NETWORK
    Attack Complexity: LOW
    Vulnerable Package
