Skip to main content
Key Connector is a self-hosted application that facilitates customer-managed encryption (CMS), enabling an enterprise organization to serve cryptographic keys to Bitwarden clients. You can use Key Connector, which runs as a docker container on the same network as existing services, with a login with SSO to serve cryptographic keys for your organization as an alternative to requiring a master password for vault decryption. Bitwarden supports the deployment of one Key Connector for use by one organization for a self-hosted instance. Key Connector requires connection to a database where you store encrypted user keys and an RSA Key Pair to encrypt and decrypt stored user keys. You can configure Key Connector with a variety of database providers (such as MSSQL, PostgreSQL, or MySQL) and key pair storage providers (including Hashicorp Vault, Cloud KMS Providers, and on-prem HSM devices) to fit your business infrastructure requirements.

Why use Key Connector?

In implementations that leverage master password decryption, your identity provider handles authentication, and you need a member’s master password for vault decryption. This separation of concerns is an important step that ensures that only an organization member can access the key required to decrypt sensitive vault data. In implementations that leverage Key Connector for decryption, your identity provider still handles authentication, but Key Connector handles vault decryption. By accessing an encrypted key database, Key Connector provides users with their decryption key when they log in without requiring a master password. We often refer to Key Connector implementations as leveraging Customer-Managed Encryption, because your business has sole responsibility for the management of the Key Connector application and of the vault decryption keys it serves. For enterprises ready to deploy and maintain a customer-managed encryption environment, Key Connector facilitates a streamlined vault login experience.