Add end-to-end encryption as a principle

MGibson1 · MGibson1 · commit e0297101b1ac · 2025-01-29T13:34:10.000-08:00
diff --git a/docs/architecture/security/principles/01-servers-are-not-trusted.mdx b/docs/architecture/security/principles/01-servers-are-not-trusted.mdx
@@ -0,0 +1,37 @@
+# P01 - Servers are not trusted
+
+Clients do not need to trust Bitwarden server or web infrastructure to be good actors in supplying
+data to keep an account's encrypted content secure. In other words, the special status of providing
+a network sync for client data does not enable a server, or any entity between the server and
+client, to take any action that would aid in decryption of a user's vault by the server.
+
+This is what we mean when we sometimes refer to "End-to-end encrypted."
+
+## Account key sharing as a feature
+
+This principle does not mean that clear text data are never shared, but rather that any such
+exposure is always declared to the user and exclusively between accounts, never to the server or
+infrastructure.
+
+## Exceptions
+
+On occasion, product features require breaking this principle in a controlled manner. These
+exceptions are always a last resort, tightly limited scope, and we are always looking for
+improvements to remove them. All exceptions are outlined here.
+
+### Key Connector
+
+Key connector is a self-host test only feature that allows an Organization to log in and unlock with
+SSO and no password input. This feature is specifically limited to self-hosted instances due to
+breaking this principle. It is possible for a Bitwarden server to create an authentication token,
+contact the Key Connector server, and retrieve key material that will allow decryption of a user's
+vault. For these reasons we encourage strict isolation of key connector servers to private networks
+and only to be used by advanced self-hosted users.
+
+### Icons service
+
+The Bitwarden icons service enables the retrieval of site favicons to decorate vault items in the
+Bitwarden clients. To enable this functionality, clients do send clear text domain name information
+to the Bitwarden icons service. These URIs are normally encrypted in a vault, but we do this to
+aggregate access to the requested domain, speed up loading of vaults, and ensure favicons accurately
+represent the associated URI. This feature is easily disabled in client settings.
diff --git a/docs/architecture/security/principles/02-locked-vault-is-secure.mdx b/docs/architecture/security/principles/02-locked-vault-is-secure.mdx
@@ -1,4 +1,4 @@
-# P01 - A locked vault is secure
+# P02 - A locked vault is secure
 
 Clients must ensure that highly sensitive vault data cannot be accessed in plain text once the vault
 has been locked, even if the device becomes compromised after the lock occurs. Protections are not
diff --git a/docs/architecture/security/principles/03-limited-security-on-semi-compromised.mdx b/docs/architecture/security/principles/03-limited-security-on-semi-compromised.mdx
@@ -1,4 +1,4 @@
-# P02 - Limited security for vaults on semi-compromised devices
+# P03 - Limited security for vaults on semi-compromised devices
 
 :::info Note
 
diff --git a/docs/architecture/security/principles/04-no-security-on-fully-compromised.mdx b/docs/architecture/security/principles/04-no-security-on-fully-compromised.mdx
@@ -1,4 +1,4 @@
-# P03 - No security on fully compromised systems
+# P04 - No security on fully compromised systems
 
 :::info Note
 
diff --git a/docs/architecture/security/principles/05-controlled-access.mdx b/docs/architecture/security/principles/05-controlled-access.mdx
@@ -1,4 +1,4 @@
-# P04 - Controlled access to vault data
+# P05 - Controlled access to vault data
 
 Clients must ensure that vault data, whether at rest or in use, is accessible only to authorized
 parties and always under the user's explicit control. Even when unlocked, access to vault data must
diff --git a/docs/architecture/security/principles/06-minimized-impact-of-security-breaches.mdx b/docs/architecture/security/principles/06-minimized-impact-of-security-breaches.mdx
@@ -1,4 +1,4 @@
-# P05 - Minimized impact of security breaches
+# P06 - Minimized impact of security breaches
 
 Even with robust security measures in place, user error or unforeseen vulnerabilities can lead to
 various security breaches, including the compromise of encryption keys or data leaks. Bitwarden

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-# P01 - A locked vault is secure`
	`1`	`+# P02 - A locked vault is secure`
`2`	`2`
`3`	`3`	`Clients must ensure that highly sensitive vault data cannot be accessed in plain text once the vault`
`4`	`4`	`has been locked, even if the device becomes compromised after the lock occurs. Protections are not`
Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-# P02 - Limited security for vaults on semi-compromised devices`
	`1`	`+# P03 - Limited security for vaults on semi-compromised devices`
`2`	`2`
`3`	`3`	`:::info Note`
`4`	`4`
Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-# P03 - No security on fully compromised systems`
	`1`	`+# P04 - No security on fully compromised systems`
`2`	`2`
`3`	`3`	`:::info Note`
`4`	`4`
Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-# P04 - Controlled access to vault data`
	`1`	`+# P05 - Controlled access to vault data`
`2`	`2`
`3`	`3`	`Clients must ensure that vault data, whether at rest or in use, is accessible only to authorized`
`4`	`4`	`parties and always under the user's explicit control. Even when unlocked, access to vault data must`
Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-# P05 - Minimized impact of security breaches`
	`1`	`+# P06 - Minimized impact of security breaches`
`2`	`2`
`3`	`3`	`Even with robust security measures in place, user error or unforeseen vulnerabilities can lead to`
`4`	`4`	`various security breaches, including the compromise of encryption keys or data leaks. Bitwarden`