[GH-ISSUE #6457] Problem with changing KDF algorithm to Argon2id #2441

New issue

Closed

opened 2026-03-03 02:18:22 +03:00 by kerem · 3 comments

kerem commented 2026-03-03 02:18:22 +03:00

Owner

Copy link

Originally created by @controlaltnerd on GitHub (Nov 10, 2025).
Original GitHub issue: https://github.com/dani-garcia/vaultwarden/issues/6457

Originally assigned to: @BlackDex on GitHub.

Prerequisites

• I have searched the existing Closed AND Open Issues AND Discussions
• I have searched and read the documentation

Vaultwarden Support String

Your environment (Generated via diagnostics page)

• Vaultwarden version: v1.34.3-9017ca26
• Web-vault version: v2025.10.1
• OS/Arch: linux/x86_64
• Running within a container: true (Base: Alpine)
• Database type: SQLite
• Database version: 3.50.4
• Uses config.json: true
• Uses a reverse proxy: true
• IP Header check: true (X-Real-IP)
• Internet access: true
• Internet access via a proxy: false
• DNS Check: true
• Browser/Server Time Check: true
• Server/NTP Time Check: true
• Domain Configuration Check: true
• HTTPS Check: true
• Websocket Check: true
• HTTP Response Checks: true

Config & Details (Generated via diagnostics page)

Show Config & Details

Environment settings which are overridden: DOMAIN, ADMIN_TOKEN, SSO_ENABLED, SSO_CLIENT_ID, SSO_CLIENT_SECRET, SSO_AUTHORITY

Config:

{
  "_duo_akey": null,
  "_enable_duo": false,
  "_enable_email_2fa": false,
  "_enable_smtp": true,
  "_enable_yubico": true,
  "_icon_service_csp": "",
  "_icon_service_url": "",
  "_ip_header_enabled": true,
  "_max_note_size": 10000,
  "_smtp_img_src": "***:",
  "admin_ratelimit_max_burst": 3,
  "admin_ratelimit_seconds": 300,
  "admin_session_lifetime": 20,
  "admin_token": "***",
  "allowed_connect_src": "",
  "allowed_iframe_ancestors": "",
  "attachments_folder": "data/attachments",
  "auth_request_purge_schedule": "30 * * * * *",
  "authenticator_disable_time_drift": false,
  "data_folder": "data",
  "database_conn_init": "",
  "database_idle_timeout": 600,
  "database_max_conns": 10,
  "database_min_conns": 2,
  "database_timeout": 30,
  "database_url": "***************",
  "db_connection_retries": 15,
  "disable_2fa_remember": false,
  "disable_admin_token": false,
  "disable_icon_download": false,
  "domain": "*****://**********************",
  "domain_origin": "*****://**********************",
  "domain_path": "",
  "domain_set": true,
  "duo_context_purge_schedule": "30 * * * * *",
  "duo_host": null,
  "duo_ikey": null,
  "duo_skey": null,
  "duo_use_iframe": false,
  "email_2fa_auto_fallback": false,
  "email_2fa_enforce_on_verified_invite": false,
  "email_attempts_limit": 3,
  "email_change_allowed": false,
  "email_expiration_time": 600,
  "email_token_size": 6,
  "emergency_access_allowed": true,
  "emergency_notification_reminder_schedule": "0 3 * * * *",
  "emergency_request_timeout_schedule": "0 7 * * * *",
  "enable_db_wal": true,
  "enable_websocket": true,
  "enforce_single_org_with_reset_pw_policy": false,
  "event_cleanup_schedule": "0 10 0 * * *",
  "events_days_retain": null,
  "experimental_client_feature_flags": "",
  "extended_logging": true,
  "helo_name": null,
  "hibp_api_key": null,
  "http_request_block_non_global_ips": true,
  "http_request_block_regex": null,
  "icon_blacklist_non_global_ips": true,
  "icon_blacklist_regex": null,
  "icon_cache_folder": "data/icon_cache",
  "icon_cache_negttl": 259200,
  "icon_cache_ttl": 2592000,
  "icon_download_timeout": 10,
  "icon_redirect_code": 302,
  "icon_service": "internal",
  "incomplete_2fa_schedule": "30 * * * * *",
  "incomplete_2fa_time_limit": 3,
  "increase_note_size_limit": false,
  "invitation_expiration_hours": 120,
  "invitation_org_name": "CK Cloud Services",
  "invitations_allowed": false,
  "ip_header": "X-Real-IP",
  "job_poll_interval_ms": 30000,
  "log_file": null,
  "log_level": "info",
  "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f",
  "login_ratelimit_max_burst": 10,
  "login_ratelimit_seconds": 60,
  "org_attachment_limit": null,
  "org_creation_users": "",
  "org_events_enabled": false,
  "org_groups_enabled": false,
  "password_hints_allowed": false,
  "password_iterations": 600000,
  "purge_incomplete_sso_nonce": "0 20 0 * * *",
  "push_enabled": false,
  "push_identity_uri": "https://identity.bitwarden.com",
  "push_installation_id": "***",
  "push_installation_key": "***",
  "push_relay_uri": "https://push.bitwarden.com",
  "reload_templates": false,
  "require_device_email": false,
  "rsa_key_filename": "data/rsa_key",
  "send_purge_schedule": "0 5 * * * *",
  "sendmail_command": null,
  "sends_allowed": true,
  "sends_folder": "data/sends",
  "show_password_hint": false,
  "signups_allowed": false,
  "signups_domains_whitelist": "",
  "signups_verify": false,
  "signups_verify_resend_limit": 6,
  "signups_verify_resend_time": 3600,
  "smtp_accept_invalid_certs": false,
  "smtp_accept_invalid_hostnames": false,
  "smtp_auth_mechanism": null,
  "smtp_debug": false,
  "smtp_embed_images": true,
  "smtp_explicit_tls": null,
  "smtp_from": "******************************",
  "smtp_from_name": "***********",
  "smtp_host": "***********************",
  "smtp_password": "***",
  "smtp_port": 587,
  "smtp_security": "starttls",
  "smtp_ssl": null,
  "smtp_timeout": 15,
  "smtp_username": "******************************",
  "sso_allow_unknown_email_verification": false,
  "sso_audience_trusted": null,
  "sso_auth_only_not_session": false,
  "sso_authority": "*****://*************************************************",
  "sso_authorize_extra_params": "",
  "sso_callback_path": "*****://***************************************************",
  "sso_client_cache_expiration": 0,
  "sso_client_id": "****************************************",
  "sso_client_secret": "***",
  "sso_debug_tokens": false,
  "sso_enabled": true,
  "sso_master_password_policy": null,
  "sso_only": true,
  "sso_pkce": true,
  "sso_scopes": "email profile",
  "sso_signups_match_email": true,
  "templates_folder": "data/templates",
  "tmp_folder": "data/tmp",
  "trash_auto_delete_days": null,
  "trash_purge_schedule": "0 5 0 * * *",
  "use_sendmail": false,
  "use_syslog": false,
  "user_attachment_limit": null,
  "user_send_limit": null,
  "web_vault_enabled": true,
  "web_vault_folder": "web-vault/",
  "yubico_client_id": null,
  "yubico_secret_key": null,
  "yubico_server": null
}

Vaultwarden Build Version

1.34.3-9017ca26

Deployment method

Official Container Image

Custom deployment method

No response

Reverse Proxy

traefik v2.11

Host/Server Operating System

Linux

Operating System Version

Ubuntu 22.04.1

Clients

Web Vault

Client Version

CLI, Chrome, Brave - v2025.10.1

Steps To Reproduce

1. Go to /settings/security/security-keys in any user account
2. Change KDF algorithm to Argon2id
3. Keep all default values
4. Click on Change KDF
5. Enter master password

Expected Result

KDF algorithm successfully changed to Argon2id

Actual Result

A generic error appears in the web UI, and container logs show an error parsing JSON.

Logs

[request][INFO] POST /api/accounts/kdf

[vaultwarden::api::core::accounts::_][WARN] Data guard `Json < ChangeKdfData >` failed: Parse("
	{
		"newMasterPasswordHash": "REDACTED",
		"key": "REDACTED",
		"authenticationData": {
			"salt": "MYEMAIL@EXAMPLE.COM",
			"kdf":{
				"kdfType": 1,
				"iterations": 3,
				"memory": 64,
				"parallelism": 4
			},
			"masterPasswordAuthenticationHash": "REDACTED"
		},
		"unlockData": {
			"salt": "MYEMAIL@EXAMPLE.COM",
			"kdf":{
				"kdfType": 1,
				"iterations": 3,
				"memory": 64,
				"parallelism": 4
			},
			"masterKeyWrappedUserKey": "REDACTED"
		},
		"masterPasswordHash": "REDACTED"
	}
	", Error("missing field `kdf`", line: 1, column: 852)).

[response][INFO] (post_kdf) POST /api/accounts/kdf => 422 Unprocessable Entity

Screenshots or Videos

No response

Additional Context

I found this related issue, but it did not address the specific field that is reported as missing in the logs: https://github.com/dani-garcia/vaultwarden/pull/3210

Originally created by @controlaltnerd on GitHub (Nov 10, 2025). Original GitHub issue: https://github.com/dani-garcia/vaultwarden/issues/6457 Originally assigned to: @BlackDex on GitHub. ### Prerequisites - [x] I have searched the existing **Closed _AND_ Open** [Issues](https://github.com/dani-garcia/vaultwarden/issues?q=is%3Aissue%20) **_AND_** [Discussions](https://github.com/dani-garcia/vaultwarden/discussions?discussions_q=) - [x] I have searched and read the [documentation](https://github.com/dani-garcia/vaultwarden/wiki/) ### Vaultwarden Support String ### Your environment (Generated via diagnostics page) * Vaultwarden version: v1.34.3-9017ca26 * Web-vault version: v2025.10.1 * OS/Arch: linux/x86_64 * Running within a container: true (Base: Alpine) * Database type: SQLite * Database version: 3.50.4 * Uses config.json: true * Uses a reverse proxy: true * IP Header check: true (X-Real-IP) * Internet access: true * Internet access via a proxy: false * DNS Check: true * Browser/Server Time Check: true * Server/NTP Time Check: true * Domain Configuration Check: true * HTTPS Check: true * Websocket Check: true * HTTP Response Checks: true ### Config & Details (Generated via diagnostics page) <details><summary>Show Config & Details</summary> **Environment settings which are overridden:** DOMAIN, ADMIN_TOKEN, SSO_ENABLED, SSO_CLIENT_ID, SSO_CLIENT_SECRET, SSO_AUTHORITY **Config:** ```json { "_duo_akey": null, "_enable_duo": false, "_enable_email_2fa": false, "_enable_smtp": true, "_enable_yubico": true, "_icon_service_csp": "", "_icon_service_url": "", "_ip_header_enabled": true, "_max_note_size": 10000, "_smtp_img_src": "***:", "admin_ratelimit_max_burst": 3, "admin_ratelimit_seconds": 300, "admin_session_lifetime": 20, "admin_token": "***", "allowed_connect_src": "", "allowed_iframe_ancestors": "", "attachments_folder": "data/attachments", "auth_request_purge_schedule": "30 * * * * *", "authenticator_disable_time_drift": false, "data_folder": "data", "database_conn_init": "", "database_idle_timeout": 600, "database_max_conns": 10, "database_min_conns": 2, "database_timeout": 30, "database_url": "***************", "db_connection_retries": 15, "disable_2fa_remember": false, "disable_admin_token": false, "disable_icon_download": false, "domain": "*****://**********************", "domain_origin": "*****://**********************", "domain_path": "", "domain_set": true, "duo_context_purge_schedule": "30 * * * * *", "duo_host": null, "duo_ikey": null, "duo_skey": null, "duo_use_iframe": false, "email_2fa_auto_fallback": false, "email_2fa_enforce_on_verified_invite": false, "email_attempts_limit": 3, "email_change_allowed": false, "email_expiration_time": 600, "email_token_size": 6, "emergency_access_allowed": true, "emergency_notification_reminder_schedule": "0 3 * * * *", "emergency_request_timeout_schedule": "0 7 * * * *", "enable_db_wal": true, "enable_websocket": true, "enforce_single_org_with_reset_pw_policy": false, "event_cleanup_schedule": "0 10 0 * * *", "events_days_retain": null, "experimental_client_feature_flags": "", "extended_logging": true, "helo_name": null, "hibp_api_key": null, "http_request_block_non_global_ips": true, "http_request_block_regex": null, "icon_blacklist_non_global_ips": true, "icon_blacklist_regex": null, "icon_cache_folder": "data/icon_cache", "icon_cache_negttl": 259200, "icon_cache_ttl": 2592000, "icon_download_timeout": 10, "icon_redirect_code": 302, "icon_service": "internal", "incomplete_2fa_schedule": "30 * * * * *", "incomplete_2fa_time_limit": 3, "increase_note_size_limit": false, "invitation_expiration_hours": 120, "invitation_org_name": "CK Cloud Services", "invitations_allowed": false, "ip_header": "X-Real-IP", "job_poll_interval_ms": 30000, "log_file": null, "log_level": "info", "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f", "login_ratelimit_max_burst": 10, "login_ratelimit_seconds": 60, "org_attachment_limit": null, "org_creation_users": "", "org_events_enabled": false, "org_groups_enabled": false, "password_hints_allowed": false, "password_iterations": 600000, "purge_incomplete_sso_nonce": "0 20 0 * * *", "push_enabled": false, "push_identity_uri": "https://identity.bitwarden.com", "push_installation_id": "***", "push_installation_key": "***", "push_relay_uri": "https://push.bitwarden.com", "reload_templates": false, "require_device_email": false, "rsa_key_filename": "data/rsa_key", "send_purge_schedule": "0 5 * * * *", "sendmail_command": null, "sends_allowed": true, "sends_folder": "data/sends", "show_password_hint": false, "signups_allowed": false, "signups_domains_whitelist": "", "signups_verify": false, "signups_verify_resend_limit": 6, "signups_verify_resend_time": 3600, "smtp_accept_invalid_certs": false, "smtp_accept_invalid_hostnames": false, "smtp_auth_mechanism": null, "smtp_debug": false, "smtp_embed_images": true, "smtp_explicit_tls": null, "smtp_from": "******************************", "smtp_from_name": "***********", "smtp_host": "***********************", "smtp_password": "***", "smtp_port": 587, "smtp_security": "starttls", "smtp_ssl": null, "smtp_timeout": 15, "smtp_username": "******************************", "sso_allow_unknown_email_verification": false, "sso_audience_trusted": null, "sso_auth_only_not_session": false, "sso_authority": "*****://*************************************************", "sso_authorize_extra_params": "", "sso_callback_path": "*****://***************************************************", "sso_client_cache_expiration": 0, "sso_client_id": "****************************************", "sso_client_secret": "***", "sso_debug_tokens": false, "sso_enabled": true, "sso_master_password_policy": null, "sso_only": true, "sso_pkce": true, "sso_scopes": "email profile", "sso_signups_match_email": true, "templates_folder": "data/templates", "tmp_folder": "data/tmp", "trash_auto_delete_days": null, "trash_purge_schedule": "0 5 0 * * *", "use_sendmail": false, "use_syslog": false, "user_attachment_limit": null, "user_send_limit": null, "web_vault_enabled": true, "web_vault_folder": "web-vault/", "yubico_client_id": null, "yubico_secret_key": null, "yubico_server": null } ``` </details> ### Vaultwarden Build Version 1.34.3-9017ca26 ### Deployment method Official Container Image ### Custom deployment method _No response_ ### Reverse Proxy traefik v2.11 ### Host/Server Operating System Linux ### Operating System Version Ubuntu 22.04.1 ### Clients Web Vault ### Client Version CLI, Chrome, Brave - v2025.10.1 ### Steps To Reproduce 1. Go to /settings/security/security-keys in any user account 2. Change KDF algorithm to Argon2id 3. Keep all default values 4. Click on Change KDF 5. Enter master password ### Expected Result KDF algorithm successfully changed to Argon2id ### Actual Result A generic error appears in the web UI, and container logs show an error parsing JSON. ### Logs ```text [request][INFO] POST /api/accounts/kdf [vaultwarden::api::core::accounts::_][WARN] Data guard `Json < ChangeKdfData >` failed: Parse(" { "newMasterPasswordHash": "REDACTED", "key": "REDACTED", "authenticationData": { "salt": "MYEMAIL@EXAMPLE.COM", "kdf":{ "kdfType": 1, "iterations": 3, "memory": 64, "parallelism": 4 }, "masterPasswordAuthenticationHash": "REDACTED" }, "unlockData": { "salt": "MYEMAIL@EXAMPLE.COM", "kdf":{ "kdfType": 1, "iterations": 3, "memory": 64, "parallelism": 4 }, "masterKeyWrappedUserKey": "REDACTED" }, "masterPasswordHash": "REDACTED" } ", Error("missing field `kdf`", line: 1, column: 852)). [response][INFO] (post_kdf) POST /api/accounts/kdf => 422 Unprocessable Entity ``` ### Screenshots or Videos _No response_ ### Additional Context I found this related issue, but it did not address the specific field that is reported as missing in the logs: https://github.com/dani-garcia/vaultwarden/pull/3210

kerem 2026-03-03 02:18:22 +03:00

• closed this issue
• added the
  bug
  label

kerem commented 2026-03-03 02:18:23 +03:00

Author

Owner

Copy link

@stefan0xC commented on GitHub (Nov 11, 2025):

Thanks. Seems like this has been changed in web-v2025.10.0 (github.com/bitwarden/clients@4b73198ce5).
Relevant upstream PR: https://github.com/bitwarden/server/pull/6121

<!-- gh-comment-id:3514664702 --> @stefan0xC commented on GitHub (Nov 11, 2025): Thanks. Seems like this has been changed in `web-v2025.10.0` (https://github.com/bitwarden/clients/commit/4b73198ce51fa9e1f10ef70643065a31c1384887). Relevant upstream PR: https://github.com/bitwarden/server/pull/6121

kerem commented 2026-03-03 02:18:23 +03:00

Author

Owner

Copy link

@BlackDex commented on GitHub (Nov 11, 2025):

Should be fixed when #6458 is merged.

<!-- gh-comment-id:3518029099 --> @BlackDex commented on GitHub (Nov 11, 2025): Should be fixed when #6458 is merged.

kerem commented 2026-03-03 02:18:23 +03:00

Author

Owner

Copy link

@controlaltnerd commented on GitHub (Nov 11, 2025):

The latest testing release worked 👍

<!-- gh-comment-id:3518727699 --> @controlaltnerd commented on GitHub (Nov 11, 2025): The latest testing release worked 👍

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

main

revert-7033-patch-1

cached-config-operations

test_dylint

1.35.8

1.35.7

1.35.6

1.35.5

1.35.4

1.35.3

1.35.2

1.35.1

1.35.0

1.34.3

1.34.2

1.34.1

1.34.0

1.33.2

1.33.1

1.33.0

1.32.7

1.32.6

1.32.5

1.32.4

1.32.3

1.32.2

1.32.1

1.32.0

1.31.0

1.30.5

1.30.4

1.30.3

1.30.2

1.30.1

1.30.0

1.29.2

1.29.1

1.29.0

1.28.1

1.28.0

1.27.0

1.26.0

1.25.2

1.25.1

1.25.0

1.24.0

1.23.1

1.23.0

1.22.2

1.22.1

1.22.0

1.21.0

1.20.0

1.19.0

1.18.0

1.17.0

1.16.3

1.16.2

1.16.1

1.16.0

1.15.1

1.15.0

1.14.2

1.14.1

1.14

1.13.1

1.13.0

1.12.0

1.11.0

1.10.0

1.9.1

1.9.0

1.8.0

1.7.0

1.6.1

1.6.0

1.5.0

1.4.0

1.3.0

1.2.0

1.1.0

1.0.0

0.13.0

0.12.0

0.11.0

0.10.0

0.9.0

Labels

Clear labels   

SSO

  

Third party

  

better for forum

  

bug

  

bug

  

documentation

  

duplicate

  

enhancement

  

future Vault

  

future Vault

  

future Vault

  

good first issue

  

help wanted

  

low priority

  

notes

  

pull-request

Mirrored from GitHub Pull Request

  

question

  

troubleshooting

  

wontfix

No labels

SSO

Third party

better for forum

bug

bug

documentation

duplicate

enhancement

future Vault

future Vault

future Vault

good first issue

help wanted

low priority

notes

pull-request

question

troubleshooting

wontfix

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

starred/vaultwarden#2441

No description provided.