Bitwarden
Key Connector is a self-hosted application that facilitates customer-managed encryption, enabling an enterprise organization to serve cryptographic keys to Bitwarden clients.
Key Connector runs as a Docker container on the same network as your existing Bitwarden services. Paired with SSO login, it serves cryptographic keys as an alternative to requiring a master password for vault decryption. Bitwarden supports deploying one Key Connector per self-hosted instance, used by a single organization.
Key Connector requires a connection to a database that stores encrypted user keys, and an RSA key pair used to encrypt and decrypt those stored keys. You can configure Key Connector with a variety of database providers (such as MSSQL, PostgreSQL, or MySQL) and key pair storage providers (including HashiCorp Vault, cloud KMS providers, and on-premises HSMs) to fit your infrastructure requirements. Because the private key unwraps every stored user key, its storage provider is the trust anchor of the deployment: protect and back it up at least as carefully as the database, since a copy of both decrypts every user key, and losing the private key makes the stored keys unrecoverable.
In implementations that use master password decryption, your identity provider handles authentication, but vault decryption still requires the member's master password. This separation of concerns ensures that only the organization member holds the key needed to decrypt their sensitive vault data.
In implementations that use Key Connector for decryption, your identity provider still handles authentication, but Key Connector handles vault decryption: after a member logs in, it retrieves that member's key from its encrypted key database and provides it to the client, so no master password is required.
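As an added illustration of the two preceding paragraphs (the database of encrypted user keys with the RSA key pair that wraps them, and the login path that serves a key only after the identity provider has authenticated the member), the Go program below models that architecture. It is example code written for this page, not Bitwarden's Key Connector implementation, and it does not reproduce Bitwarden's actual wire protocol or key formats: the Session type, the 64-byte user key size, the in-memory map standing in for the database, and the locally generated RSA key standing in for a Vault-, KMS- or HSM-held key are all assumptions made for the example.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// wrappedKeyStore stands in for Key Connector's database (assumption: an
// in-memory map). It holds only RSA-OAEP ciphertexts of user keys, never plaintext.
type wrappedKeyStore struct {
	rows map[string][]byte // user ID -> wrapped user key
}

// KeyConnector models the service: the RSA key pair that wraps and unwraps
// stored user keys, plus the database of wrapped keys. In a real deployment
// the private key would live in Vault, a cloud KMS or an HSM; here it is an
// in-memory key generated for the example.
type KeyConnector struct {
	priv  *rsa.PrivateKey
	store *wrappedKeyStore
}

// Session is a hypothetical representation of what the identity provider has
// established for the caller: who they are and whether SSO authentication succeeded.
type Session struct {
	UserID      string
	IdPVerified bool
}

var (
	ErrNotAuthenticated = errors.New("key connector: session not verified by identity provider")
	ErrUnknownUser      = errors.New("key connector: no stored key for user")
)

// NewKeyConnector generates the RSA key pair and an empty store.
func NewKeyConnector(bits int) (*KeyConnector, error) {
	priv, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	return &KeyConnector{priv: priv, store: &wrappedKeyStore{rows: map[string][]byte{}}}, nil
}

// StoreUserKey is the enrollment step: it wraps a client-supplied symmetric user
// key under the public key and persists only the ciphertext. The user ID is used
// as the OAEP label so that each ciphertext is bound to its owner.
func (kc *KeyConnector) StoreUserKey(userID string, userKey []byte) error {
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, &kc.priv.PublicKey, userKey, []byte(userID))
	if err != nil {
		return err
	}
	kc.store.rows[userID] = ct
	return nil
}

// GetUserKey is the login path: the identity provider has already authenticated
// the member, so the connector only checks that fact, then unwraps the stored key
// with the private key and returns it. No master password is involved.
func (kc *KeyConnector) GetUserKey(s Session) ([]byte, error) {
	if !s.IdPVerified {
		return nil, ErrNotAuthenticated
	}
	ct, ok := kc.store.rows[s.UserID]
	if !ok {
		return nil, ErrUnknownUser
	}
	// Because the label ties each ciphertext to its user ID, a row copied from
	// one user to another fails to decrypt instead of handing out the wrong key.
	return rsa.DecryptOAEP(sha256.New(), nil, kc.priv, ct, []byte(s.UserID))
}

// StoredCiphertext exposes what someone who dumps the database would see.
func (kc *KeyConnector) StoredCiphertext(userID string) []byte {
	return kc.store.rows[userID]
}

func main() {
	kc, err := NewKeyConnector(2048)
	if err != nil {
		panic(err)
	}
	// Constructed sample: a random 64-byte user key as a client might generate it
	// (the size is an assumption for the example, not Bitwarden's format).
	userKey := make([]byte, 64)
	if _, err := rand.Read(userKey); err != nil {
		panic(err)
	}
	if err := kc.StoreUserKey("alice@example.com", userKey); err != nil {
		panic(err)
	}
	if _, err := kc.GetUserKey(Session{UserID: "alice@example.com"}); err != nil {
		fmt.Println("request without SSO authentication rejected:", err)
	}
	got, err := kc.GetUserKey(Session{UserID: "alice@example.com", IdPVerified: true})
	if err != nil {
		panic(err)
	}
	fmt.Printf("key served after SSO login matches enrolled key: %t\n", bytes.Equal(got, userKey))
	fmt.Printf("database row is %d bytes of ciphertext, not the key\n", len(kc.StoredCiphertext("alice@example.com")))
}
```

The two things to take from the model are the ones that matter when reviewing a real deployment: the database row is useless without the private key, so the key pair's storage provider is what a database compromise reduces to; and the only gate in front of the unwrap is the identity provider's verdict, so the strength of vault decryption in this mode is exactly the strength of your SSO.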
Key Connector implementations are often described as customer-managed encryption because your business is solely responsible for managing the Key Connector application and the vault decryption keys it serves. For enterprises ready to deploy and maintain such an environment, Key Connector provides a streamlined vault login experience.