I have what may be a stupid question…
How is it your master password is both used to decrypt your vault and used to authenticate with bitwardens public servers to acquire a copy of your vault/view it in the web app, but bitwarden can’t use that password entry to decrypt the vault themselves?
(please correct me if I’m misunderstanding, as I use self-hosted vaultwarden for my server instead of the public ones)
It’s a valid concern, because the truth is they could. Of course, they could also have some code in the app/plugin that sends your credentials to somewhere even if you’re self-hosting.
Security always comes down to a trade-off between convenience and trust. In theory you could compile everything yourself after auditing the code, but that’s not realistic (and just moves the trust to your toolchain, OS, CPU microcode, etc).
It’s a matter of trust that the code doesn’t have anything nefarious in on purpose, that the semi-fictional “many eyes” have caught any accidental bugs, and that their processes and security are good enough to stop bad actors from inserting malicious code.
I’m assuming you already use 2FA where possible, and I personally keep my codes out of Bitwarden as a little extra defence in depth.