4.9 KiB
4.9 KiB
| type | subtype | title | summary | tags | scope | date | last_updated | last_reviewed | related | source | |||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| reference | api-integration | Vaultwarden vs Bitwarden Cloud — permission and feature parity gotchas | Verified differences between self-hosted Vaultwarden and Bitwarden Cloud that break security designs copied from Bitwarden docs — Edit permission includes delete, no deletion-restriction org policy, no Secrets Manager, trash never auto-purges by default — plus org bot-onboarding gotchas (accept ≠ confirm, collection assignment can silently not persist). |
|
global | 2026-07-09 | 2026-07-10 | 2026-07-09 |
|
ruby-gems |
Vaultwarden Parity Gotchas
Bitwarden's official help docs describe Bitwarden Cloud. Vaultwarden reimplements the server and does NOT match on these points (verified 2026-07-09, vaultwarden discussions #6131, issue #6269):
- Edit collection permission includes deleting items. There is NO org setting to restrict item deletion to Manage-permission members (that toggle is Cloud-only). A "bot with Edit but can't delete" design is impossible server-side — enforce in your wrapper/OS layer.
- Manage permission is worse for least-privilege — it grants collection-membership admin.
- Secrets Manager does not exist in Vaultwarden. Don't plan it as a backend.
- Trash never auto-purges by default — permanent deletion only with
TRASH_AUTO_DELETE_DAYSset. (Cloud docs say 30 days.) Safer, but don't cite "30-day window". - Password history ("last 5") is written client-side into the cipher; compatible clients preserve it, raw API writes can clobber it. Likely works — verify per instance.
bwCLI API-key login still requiresbw unlock+ master password for vault data; the API key does not replace the master password. Non-interactive automation needs a protected--passwordfile.bw list items --searchdoesn't match custom fields — filter client-side on parsed JSON.- Maintainer (BlackDex) states Vaultwarden "does not support the full range of RBAC/GBAC/CBAC".
Org member (bot) onboarding gotchas (verified 2026-07-09, credvault Phase 0)
- Accept ≠ confirm. A member who accepts an invite still sees NO organization via
bw list organizationsuntil an org admin explicitly clicks Confirm on the member (Members page → three-dot menu). Confirm is the step that grants the org key; editing the member's role/collections is not it. - Collection assignment can silently fail to persist — after the admin sets a collection
in Edit member → Collections,
bw list collections(bot side) can still return[]after sync. Verify the collection badge shows on the Members list row; re-open the dialog and re-save if not. bw sync -fafter any server-side membership change — login/unlock state alone won't refresh org/collection visibility on the client.- Password history verified working on Vaultwarden:
bw editwith a changed login password preserves the old one inpasswordHistorywithlastUsedDate. Customfieldsround-trip intact throughbw list itemsJSON.
Credential rotation gotchas (verified 2026-07-10, credvault e2e)
- Master password rotation invalidates cached
bwlogins. After changing an account's master password server-side,bw unlockfails (exit 1) even with the correct new--passwordfile— the cached login holds keys derived from the old password. Fix:bw logout, then re-login with the API key, then unlock works. bwsessions are perBITWARDENCLI_APPDATA_DIR. A plainbw logoutin a shell only clears the default appdata dir; tool-specific dirs (e.g. credvault's~/.config/credvault/bitwarden) keep their stale session until you log out with the matching env var set.- API key rotation changes only
client_secret—client_idis stable across rotations. bw unlock --passwordfilereads only the first line, so a trailing newline from an editor (nvim etc.) is harmless.
bw CLI scripting gotchas (verified 2026-07-10, credvault backup script)
bw unlockalone does not unlock the vault for subsequent commands — you must capture the session token (BW_SESSION=$(bw unlock --passwordfile f --raw)) and export it. Without it, laterbw export/bw listrun against a locked vault; with stderr silenced this looks like a hang or a missing-output failure.bw config serverfails while logged in ("Logout required before server config update"), even when setting the identical URL. Idempotent scripts must comparebw config server(no args prints current) and skip when it matches.bw login --apikeyerrors if already logged in — guard withbw login --check.
Rule of thumb: any "Bitwarden supports X" claim from bitwarden.com/help must be re-verified against the deployed Vaultwarden version before it becomes a security assumption.