Skip to content

[PM-30584] Implement key-connector migration in SDK#809

Merged
quexten merged 15 commits intomainfrom
km/key-connector-management-api
Mar 13, 2026
Merged

[PM-30584] Implement key-connector migration in SDK#809
quexten merged 15 commits intomainfrom
km/key-connector-management-api

Conversation

@quexten
Copy link
Contributor

@quexten quexten commented Mar 4, 2026
edited
Loading

🎟️ Tracking

https://bitwarden.atlassian.net/browse/PM-30584
bitwarden/server#7136
#809
bitwarden/clients#19360

📔 Objective

We do not want to keep the same master-key that was used during password derivation, but use a separately sampled key - named "key-connector-key". This means that the conversion flow now requires:

  • Posting the key to key-connector
  • Setting the "key" field on the user to "key-connector-key-wrapped-user-key"

A new request endpoint is used compared to the previous key-connector-migration endpoint. This new endpoint always requires the key-connector-key-wrapped-user-key in the request body.

This will unblock setting the master-key to state during unlock and login, which will improve unlock time, since we can remove double-kdf-derivation.

📸 Screenshots

@github-actions
Copy link
Contributor

github-actions bot commented Mar 4, 2026
edited
Loading

Logo
Checkmarx One – Scan Summary & Detailsf9b8cfcf-3c4d-4d7a-9740-037266f2cf6b

Great job! No new security vulnerabilities introduced in this pull request

@github-actions
Copy link
Contributor

github-actions bot commented Mar 4, 2026
edited
Loading

🔍 SDK Breaking Change Detection Results

SDK Version: km/key-connector-management-api (db9d693)
Completed: 2026-03-12 10:47:46 UTC
Total Time: 246s

Client Status Details
typescript ❌ Breaking changes detected TypeScript compilation failed with new SDK version - View Details

Breaking change detection completed. View SDK workflow

@quexten quexten changed the title Draft key connector api Implement key-connector migration in SDK Mar 4, 2026
This was referenced Mar 4, 2026
Merged
Draft
@quexten quexten changed the title Implement key-connector migration in SDK [PM-30584] Implement key-connector migration in SDK Mar 4, 2026
@quexten quexten marked this pull request as ready for review March 11, 2026 12:11
@quexten quexten requested review from a team as code owners March 11, 2026 12:11
@quexten quexten requested a review from Thomas-Avery March 11, 2026 12:11
@codecov
Copy link

codecov bot commented Mar 11, 2026
edited
Loading

Codecov Report

❌ Patch coverage is 93.70861% with 19 lines in your changes missing coverage. Please review.
✅ Project coverage is 82.49%. Comparing base (9e3be8a) to head (db9d693).
⚠️ Report is 3 commits behind head on main.

Files with missing lines Patch % Lines
...r-crypto-management/src/key_connector_migration.rs 92.98% 19 Missing ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##             main     #809      +/-   ##
==========================================
+ Coverage   82.40%   82.49%   +0.08%     
==========================================
  Files         350      351       +1     
  Lines       41751    42053     +302     
==========================================
+ Hits        34404    34690     +286     
- Misses       7347     7363      +16

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

Thomas-Avery
Thomas-Avery requested changes Mar 11, 2026
View reviewed changes
Copy link
Contributor

@Thomas-Avery Thomas-Avery left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice work the structure of these are easy to follow. One concern I found to take a look at.

@quexten
Copy link
Contributor Author

quexten commented Mar 12, 2026

@Thomas-Avery I've change the PR a bit to also implement key-context based wrap/unwrap for key-connector which should make this a bit more readable on the business logic side.

@quexten quexten requested a review from Thomas-Avery March 12, 2026 10:02
@quexten
Copy link
Contributor Author

quexten commented Mar 12, 2026

Also, added better docs for what is happening here.

@sonarqubecloud
Copy link

sonarqubecloud bot commented Mar 12, 2026

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

Thomas-Avery
Thomas-Avery approved these changes Mar 12, 2026
View reviewed changes
Copy link
Contributor

@Thomas-Avery Thomas-Avery left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice the refactor is even better!

@quexten quexten merged commit dd7787f into main Mar 13, 2026
59 checks passed
@quexten quexten deleted the km/key-connector-management-api branch March 13, 2026 08:29
bw-ghapp bot pushed a commit to bitwarden/sdk-swift that referenced this pull request Mar 13, 2026
@bitwarden-devops-bot
bitwarden/sdk-internal@dd7787f 2.0.0-4948-dd7787f - [PM-30584] Implem…
25ac562 
…ent key-connector migration in SDK (bitwarden/sdk-internal#809)
This was referenced Mar 13, 2026
Open
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Thomas-Avery Thomas-Avery Thomas-Avery approved these changes

Assignees

No one assigned

Labels

breaking-change

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@quexten @Thomas-Avery