GurpreetKang / BitwardenDecrypt

Decrypts an encrypted Bitwarden data.json file.
GNU General Public License v3.0

Added support for Argon2id KDF #23

Open Davek145 opened 1 year ago

Davek145 commented 1 year ago

Support for the Argon2 KDF was added in Bitwarden 2023.2.0. It is utilizing the argon2-cffi library.

Davek145 commented 1 year ago

Feel free to take the code over if you are interested and modify it as you wish. Unfortunately, I do not have time to make it 100%.

GurpreetKang commented 1 year ago

So far I'm only seeing 2 tiny changes needed.

Davek145 commented 1 year ago

I have corrected these two points and tested that. In the requirements I added the version of the library I'm able to confirm is working. It will probably work already from version 16.3.0, but I cannot verify that.

ataraxia937 commented 1 year ago

I'm curious, where does this PR stand? I see the requested changes were made. Can this be merged?

ataraxia937 commented 1 year ago

Oh, I see it's not actually working. I can't decrypt my export with this.

Davek145 commented 1 year ago

Hi, let me know what is not working for you. Specifically, what are you decrypting and how? It is working fine for me.

David

ataraxia937 commented 1 year ago

I have a password-protected export with fields like this:

{
  "encrypted": true,
  "passwordProtected": true,
  "salt": <normal stuff>,
  "kdfType": 1,
  "kdfIterations": 2,
  "kdfMemory": 256,
  "kdfParallelism": 4,
  "encKeyValidation_DO_NOT_EDIT": <normal stuff>,
  "data": <normal stuff>
}

When I try to decrypt it:

$ python3 BitwardenDecrypt.py bitwarden_encrypted_export_20230608111639.json

Enter Password (EncryptedJSON):
ERROR: MAC did not match. Protected Symmetric Key was not decrypted. (Password may be wrong)

I am on OpenBSD and I installed the needed python modules from OpenBSD's repository.

ataraxia937 commented 1 year ago

I just tested the same on Ubuntu 22.04 and it didn't work there either.

GurpreetKang commented 1 year ago

> I'm curious, where does this PR stand? I see the requested changes were made. Can this be merged?

Sorry @ataraxia937, I haven't had time to get back to this. Will try to finish in the next 2 weeks. There was some refactoring and other changes I wanted to make before merging into main.

Davek145 commented 1 year ago

I have just tested the code on my Ubuntu 20.04 and it is working OK for me, both for data.json synced via CLI as well as for a password-protected export. However, I use Vaultwarden. It shall have the same format of the file as the official Bitwarden, as the web vault is the same (I'm now on version 2023.3.0), but I cannot test it.

What looks strange to me is that you claim to test it on a password-protected export, but your file has kdfType = 1, so argon2. If I make a password-protected export, it always uses pbkdf2. Argon2 is only used for the directly synced data.json file from my server. If you try it on the official Bitwarden server, maybe they have changed something with the password-protected export that Vaultwarden is not yet using. Try it also on a synced data.json, which has data in a better format and also includes organization entries.
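To make the kdfType distinction discussed above concrete, here is an added example in Python (the project's language); it is not code from BitwardenDecrypt, from this PR, or from Bitwarden. It takes the KDF fields of an export shaped like the one posted in this thread, derives the master key with PBKDF2-HMAC-SHA256 for kdfType 0 or Argon2id (via argon2-cffi, the library the PR adds) for kdfType 1, stretches it into an enc/mac key pair and verifies the HMAC of encKeyValidation_DO_NOT_EDIT, which is the step that produces "MAC did not match" when the password or the KDF is wrong. The scheme details encoded here (the Argon2 salt being SHA-256 of the export salt, kdfMemory counted in MiB, HKDF-expand with info "enc"/"mac", the MAC covering iv||ciphertext, encType "2") are my reading of the Bitwarden clients and are assumptions, as are all function names. The sample exports are constructed in the block with test-sized KDF parameters, and their ciphertext is placeholder bytes, not real AES output.

```python
"""Added example: Bitwarden-style KDF dispatch and EncString MAC check.

Not code from BitwardenDecrypt or Bitwarden; the format details below are
assumptions about the client's scheme.  Requires argon2-cffi for kdfType 1.
"""
import base64
import hashlib
import hmac
import os

KDF_PBKDF2_SHA256 = 0
KDF_ARGON2ID = 1
ENC_TYPE_AESCBC256_HMACSHA256 = "2"  # "2.iv|ct|mac" (assumption)


def hkdf_expand_sha256(prk: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 expand step only; the stretch step assumes no extract."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def make_master_key(password: str, salt: str, kdf: dict) -> bytes:
    """Dispatch on kdfType; kdf carries kdfIterations/kdfMemory/kdfParallelism."""
    pw = password.encode("utf-8")
    if kdf["kdfType"] == KDF_PBKDF2_SHA256:
        return hashlib.pbkdf2_hmac("sha256", pw, salt.encode("utf-8"),
                                   kdf["kdfIterations"], 32)
    if kdf["kdfType"] == KDF_ARGON2ID:
        from argon2.low_level import Type, hash_secret_raw  # argon2-cffi
        return hash_secret_raw(
            secret=pw,
            salt=hashlib.sha256(salt.encode("utf-8")).digest(),  # assumption
            time_cost=kdf["kdfIterations"],
            memory_cost=kdf["kdfMemory"] * 1024,  # kdfMemory in MiB, argon2 wants KiB
            parallelism=kdf["kdfParallelism"],
            hash_len=32,
            type=Type.ID,
        )
    raise ValueError(f"unknown kdfType {kdf['kdfType']}")


def stretch_key(master_key: bytes) -> tuple[bytes, bytes]:
    """32-byte enc key and 32-byte mac key from the master key (assumed info labels)."""
    return (hkdf_expand_sha256(master_key, b"enc"),
            hkdf_expand_sha256(master_key, b"mac"))


def parse_enc_string(enc: str) -> tuple[bytes, bytes, bytes]:
    enc_type, body = enc.split(".", 1)
    if enc_type != ENC_TYPE_AESCBC256_HMACSHA256:
        raise ValueError(f"unsupported encType {enc_type}")
    iv, ct, mac = (base64.b64decode(part) for part in body.split("|"))
    return iv, ct, mac


def mac_matches(mac_key: bytes, enc: str) -> bool:
    """The check behind 'MAC did not match': HMAC-SHA256 over iv || ciphertext."""
    iv, ct, mac = parse_enc_string(enc)
    expected = hmac.new(mac_key, iv + ct, hashlib.sha256).digest()
    return hmac.compare_digest(expected, mac)


def make_enc_string(mac_key: bytes, ciphertext: bytes) -> str:
    """Builds a constructed EncString; ciphertext is caller-supplied placeholder bytes."""
    iv = os.urandom(16)
    mac = hmac.new(mac_key, iv + ciphertext, hashlib.sha256).digest()
    return "2." + "|".join(base64.b64encode(p).decode() for p in (iv, ciphertext, mac))


def build_sample_export(password: str, kdf: dict) -> dict:
    """Constructed sample with the same field names as the export in the thread."""
    salt = base64.b64encode(os.urandom(16)).decode()
    _, mac_key = stretch_key(make_master_key(password, salt, kdf))
    return {
        "encrypted": True,
        "passwordProtected": True,
        "salt": salt,
        **kdf,
        "encKeyValidation_DO_NOT_EDIT": make_enc_string(mac_key, os.urandom(32)),
        "data": make_enc_string(mac_key, os.urandom(64)),
    }


def check_export_password(export: dict, password: str) -> bool:
    """True when the password reproduces the mac key that signed encKeyValidation."""
    master_key = make_master_key(password, export["salt"], export)
    _, mac_key = stretch_key(master_key)
    return mac_matches(mac_key, export["encKeyValidation_DO_NOT_EDIT"])


# Test-sized parameters; a real export uses far larger iteration/memory values.
SAMPLE_KDF_PBKDF2 = {"kdfType": KDF_PBKDF2_SHA256, "kdfIterations": 10_000}
SAMPLE_KDF_ARGON2 = {"kdfType": KDF_ARGON2ID, "kdfIterations": 2,
                     "kdfMemory": 16, "kdfParallelism": 2}

if __name__ == "__main__":
    export = build_sample_export("correct horse", SAMPLE_KDF_PBKDF2)
    print("pbkdf2, right password:", check_export_password(export, "correct horse"))
    print("pbkdf2, wrong password:", check_export_password(export, "wrong"))
```

If a real export with kdfType 1 still fails the MAC check after the password is known to be right, the first things to compare against the client source are the three assumptions marked above: whether the Argon2 salt is hashed, the unit of kdfMemory, and the HKDF info labels; each of them changes the mac key and therefore yields exactly the error seen in this thread.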

ataraxia937 commented 1 year ago

Yes, I'm using the official Bitwarden server, so that explains it.


zackslash commented 11 months ago

This branch is working well for me using Argon2 in official Bitwarden. @ataraxia937, the name of the file you are attempting to decrypt (bitwarden_encrypted_export_20230608111639.json) indicates it is likely a Bitwarden export file. Decrypting exports is not something supported by this project anyway (according to the readme), and that is most likely the reason it is not working for you; you need to instead use the data.json file (from the Desktop App).

Note: BitwardenDecrypt does not work with Bitwarden Encrypted JSON Exports. These exports lack the Protected Symmetric Key needed to decrypt entries.