failed to decrypt: failed to decrypt encrypted secret: invalid mac about rbw HOT 31 CLOSED

The problem is the new individual item encryption function of Bitwarden.
All clients since 2024.2.x (i think) are able to decrypt those items. Since the new 2024.7.x clients they are starting to always use this feature.

This has nothing to do with Vaultwarden specifically. Vaultwarden supports this feature already for a while.
Also, trying to use rbw on Bitwarden Cloud will probably also fail if new items are created there.

from rbw.

If it helps others, we managed to get rbw to work again by deleting the entries that were created in Bitwarden since the 2024.7.x update that @BlackDex mentions.

If you have this issue and cannot stop using rbw you may want to make a backup of your Bitwarden vaults, inspect admin logs and look for recently created/updated items, and delete them and save them somewhere else for now

from rbw.

yeah, sorry about this! i'm working on fixing it, but in the meantime, you can work around it by using rbw to add/edit secrets instead of using the web vault (and if necessary, deleting any entries you may have created in the web vault in the past few days and recreating them from the command line).

from rbw.

For NixOS users, I've submitted #333147, after that's merged it will land in unstable soon after, and for 24.05 users it may take an additional day or 2 to be backported.

from rbw.

I am now getting this error on two machines running Arch Linux (one under WSL). Perhaps after updating some package/s? Nothing really standing out, though. Vaultwarden Web and Bitwarden Mobile seem unaffected.

from rbw.

if you've tried a bunch of things the bitwarden server is probably blocking you from from trying to brute force a login. probably have to wait some time.

from rbw.

Having this issue on NixOS with rbw 1.11.1. Weirdly was working fine until I updated my system, but I don't think rbw updated. Tried rebooting, purging, logging in, and rolling back my system to a previous state, and nothing worked.

Edit: apologies, seen there's a new version bump, will update and try again.

from rbw.

Not at all! You can find it with rbw help. The exact command is rbw stop-agent. Try that, then purge, then login, then sync (not sure it's necessary but doesnt hurt). That should completely reset your connection to the Bitwarden vault

from rbw.

I do use conda (micromamba), though NixOS makes it a bit of a nightmare and you have to be running an impure state to do it. Rust might work (NixOS might fight me on this, too - definitely hopping back to Arch (btw) soon), but at this stage I'll just wait for new version to hit the repos. I really appreciate your help, though!

from rbw.

From what i understand, this is the code that fails : https://github.com/doy/rbw/blob/main/src/cipherstring.rs#L227-L229

So, with my low understanding, it seems related to the key used on his account, with either an incorrect key (corrupted sha256?), or the code in rbw that checks it has an issue with his specific key.

from rbw.

We tried to downgrade rbw version, without success.

We made a new user account, and rbw does not have any issue with this new account.
It seems to indicate that his key was somehow kinda corrupted (but not that much as it was still working with vaultwarden web client).

I leave issue open in case you have an idea about what may have happen, but it sounds like a vaultwarden issue, nothing to do with rbw's code.

from rbw.

glad to hear that it's working again - i'm not sure there's much i can do here without more information about how to reproduce the issue, but definitely let me know if it comes up again.

from rbw.

gnupg, gpgme, and pinentry were rebuilt against libassuan 3.0.0, but rbw unlock seems to work fine.

from rbw.

Issue remains after downgrading those.

from rbw.

I have the same issue as @polyzen, also running arch. I started after I ran rbw sync (I edited an entry on the Bitwarden app on my phone). After I run rbw purge I get: rbw list: failed to log in to bitwarden instance: failed to parse JSON: EOF while parsing a value at line 1 column 0. I use rbw 1.9.0, I don't use vaultwarden.

edited: added version info.

from rbw.

what version of vaultwaden are you all using? have you tried rolling it back?

from rbw.

@BartSte

rbw list: failed to log in to bitwarden instance: failed to parse JSON: EOF while parsing a value at line 1 column 0. I use rbw 1.9.0, I don't use vaultwarden.

Version 1.10.2 was released May 21 to resolve that.

The other two reporters mention they use vaultwarden.

from rbw.

I just tried the latest version (rbw 1.11.1) but the issue persists.

from rbw.

you need to kill the agent from the old version that is running. run rbw purge and login again.

from rbw.

Yeah I tried that as well (also did a reboot). The issue persists. I will send an update once I managed to solve it..

from rbw.

what version of vaultwaden are you all using? have you tried rolling it back?

Upgraded to 1.31.0 from 1.30.5 on July 8th, and restarted the system after. Have restarted the system several times since and used rbw on a daily basis. Have not tried rolling it back.

you need to kill the agent from the old version that is running. run rbw purge and login again.

Same issue after logging back in, syncing, and trying to get a password.

from rbw.

@polyzen

Same issue after logging back in, syncing, and trying to get a password.

that was not meant for the people having issues with vaultwarden. different issue.

did you try as OP did?

We made a new user account, and rbw does not have any issue with this new account.

?

from rbw.

1. Installed rbw on a third machine
2. Confirmed issue still occurs with my actual account
3. Confirmed issue does not occur with a new account

from rbw.

I don't know much about vaultwarden but it may be your database schema didn't get updated on your account. I would suggest going to their project and figure out how to export and reimport fresh.

If you want to track it down. Make a backup and create a test environment and try rolling back vw versions and see if one works still.

from rbw.

Better yet, in the database, look for entries which have the key column filled instead of NULL

from rbw.

I'm currently having this issue. rbw 1.11.1 trying to access secrets from bitwarden.

from rbw.

Yup, fixed after i ran a rbw purge and logged back in. thank you!

from rbw.

@jacanchaplais you don't mention stopping the agent, did you do that before logging in again?

Otherwise for some of us it was necessary to switch to 1.12.1, the first release was not enough. Maybe try again with that version?

from rbw.

Sorry to be dense, but how do I stop the agent? I tried finding a service called rbw using systemctl, and came up with nothing, so I guessed rebooting might do the trick. I'm guessing I'm missing something basic here?

from rbw.

Thanks for your patience! No joy, and looks like it hasn't updated in the Nix repos, so I guess I'll just have to stick with the bitwarden web client for now. :(

~ ❯ rbw stop-agent                                                                                                                                              6s 14:55:16
~ ❯ rbw purge                                                                                                                                                      14:57:07
~ ❯ rbw login                                                                                                                                                      14:57:14
~ ❯ rbw sync                                                                                                                                                   12s 14:57:31
~ ❯ rbw list                                                                                                                                                       14:57:35
WARN: failed to decrypt username: failed to decrypt: failed to decrypt encrypted secret: invalid mac
WARN: failed to decrypt password: failed to decrypt: failed to decrypt encrypted secret: invalid mac
WARN: failed to decrypt uri: failed to decrypt: failed to decrypt encrypted secret: invalid mac
rbw list: failed to decrypt: failed to decrypt encrypted secret: invalid mac

from rbw.

If you can use Rust, Jesse has uploaded the latest version on Crates.
If you can use Conda, we made a build for arch linux-64.

from rbw.