Occasionally, when using any service, you may want to change your password. Usually this is to pick something more secure, although you may also want a password that is easier to type. With a password manager such as Bitwarden, you might assume that changing your master password also changes the encryption key used to protect your data. It doesn't: changing the encryption key is a far more involved operation than changing the password that unlocks it.
Changing your encryption key means re-encrypting all of your data under the new key. If another session is still open, it can continue to upload data encrypted with the old key. Anything uploaded that way can't be decrypted with the new key, so you end up corrupting your entire vault.
Bitwarden protects you from this scenario as far as it can by signing you out of your current session and expiring all of your other session tokens too. Unfortunately, it can take up to an hour for those other sessions to actually close, and during that window you could accidentally corrupt your vault. It is therefore highly recommended that you sign out of all other sessions either before you rotate your encryption key or immediately afterwards.
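As an added illustration (not Bitwarden's code, and not its actual cipher), the following model shows the key hierarchy described above: a master password that only wraps a random vault key, a password change that re-wraps that key without touching any item ciphertext, a rotation that re-encrypts every item, and a stale session whose upload under the old key can no longer be opened. A stdlib HMAC-SHA256 keystream with an encrypt-then-MAC tag stands in for a real cipher; the passwords, item and session values are constructed.

```python
# Added illustration, not Bitwarden's code; the cipher is a stdlib stand-in, not AES.
import hashlib, hmac, os
def kdf(master_password, salt):  # key-encryption key (KEK) via PBKDF2-SHA256
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, 100_000)
def _xor(key, nonce, data):  # HMAC-SHA256 in counter mode, XORed over data
    ks = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), "sha256").digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))
def seal(key, data):  # toy authenticated encryption: nonce || ciphertext || tag
    nonce = os.urandom(16)
    ct = _xor(key, nonce, data)
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()
def open_(key, blob):  # tag is checked first, so a blob sealed under another key fails
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("cannot decrypt: wrong key (stale session?) or corrupt item")
    return _xor(key, nonce, ct)
def decrypts(key, blob):  # True if blob opens under key, False if the tag fails
    try:
        return open_(key, blob) is not None
    except ValueError:
        return False

class Vault:  # server-side view: a wrapped vault key plus items sealed under it
    def __init__(self, master_password):
        self.salt, self.items = os.urandom(16), []
        self.wrapped_key = seal(kdf(master_password, self.salt), os.urandom(32))
    def unlock(self, master_password):
        return open_(kdf(master_password, self.salt), self.wrapped_key)
    def change_master_password(self, old_pw, new_pw):
        # Same vault key under a new wrapper; the item ciphertexts are not touched.
        self.wrapped_key = seal(kdf(new_pw, self.salt), self.unlock(old_pw))
    def rotate_key(self, pw):
        # Fresh vault key: every item is re-encrypted, then the new key is wrapped.
        old_key, new_key = self.unlock(pw), os.urandom(32)
        self.items = [seal(new_key, open_(old_key, item)) for item in self.items]
        self.wrapped_key = seal(kdf(pw, self.salt), new_key)

def demo(pw="old password", new_pw="new password"):  # constructed values
    # -> (items untouched by password change, item readable after rotation, stale upload readable)
    v = Vault(pw)
    old_key = v.unlock(pw)
    v.items.append(seal(old_key, b"constructed item: example.com / alice"))
    before = list(v.items)
    v.change_master_password(pw, new_pw)
    untouched = v.items == before
    v.rotate_key(new_pw)
    new_key = v.unlock(new_pw)
    stale = seal(old_key, b"uploaded by a session still holding the old key")
    return untouched, decrypts(new_key, v.items[0]), decrypts(new_key, stale)
```

Running demo() returns (True, True, False): the password change leaves the stored ciphertexts byte-for-byte identical, the rotated item still opens, and the stale session's upload is rejected exactly as the corrupted-vault scenario above describes.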
How to Rotate Your Encryption Key
To rotate your Bitwarden encryption key, you need to go through the “Change master password” form. To get there, sign in to the web vault, then switch to the “Settings” tab. In the settings, complete the “Change master password” form.
Tip: If you don’t want to change your master password, you can set it to be the same as before.
Once you’ve done so, tick the checkbox labeled “Also rotate my account’s encryption key.” A popup will appear detailing the risks involved with rotating your encryption key and what you should do. After reading through the warning, click “Yes” to continue or “No” to change your mind.
Once you’re happy with everything in the change master password form, click “Change master password.”
As previously stated, immediately sign out of all other Bitwarden sessions – if you haven’t already done so before submitting the form. Once you’ve signed out on a device, you can sign back in again straight away and start using Bitwarden again as usual.
Tip: Make sure you sign out fully. Simply locking your vault is not enough, as locking doesn’t update your encryption key.
If you’ve downloaded an encrypted JSON export of your password vault for safe storage, you will now need to re-download it. This is because the encryption key change will make the old export impossible to decrypt.
Rotating your Bitwarden encryption key is a high-risk choice that can result in your entire vault being corrupted. It also doesn’t really offer any security benefits. Changing your master password should always be enough to secure your account and vault data. Nevertheless, it is an option offered by Bitwarden if you want to do so. By carefully following the steps in this guide, you can safely rotate your Bitwarden encryption key.