bitwarden · quexten · Dec 18, 2025 · Dec 18, 2025 · Dec 18, 2025 · Dec 18, 2025
@@ -1,6 +1,6 @@
 use bitwarden_crypto::{
-    AsymmetricCryptoKey, AsymmetricPublicCryptoKey, CryptoError, PublicKeyEncryptionAlgorithm,
-    SpkiPublicKeyBytes, UnsignedSharedKey, fingerprint, generate_random_alphanumeric,
+    CryptoError, PrivateKey, PublicKey, PublicKeyEncryptionAlgorithm, SpkiPublicKeyBytes,
+    UnsignedSharedKey, fingerprint, generate_random_alphanumeric,
 };
 #[cfg(feature = "internal")]
 use bitwarden_crypto::{EncString, SymmetricCryptoKey};
@@ -32,7 +32,7 @@ pub struct AuthRequestResponse {
 /// to another device. Where the user confirms the validity by confirming the fingerprint. The user
 /// key is then encrypted using the public key and returned to the initiating device.
 pub(crate) fn new_auth_request(email: &str) -> Result<AuthRequestResponse, CryptoError> {
-    let key = AsymmetricCryptoKey::make(PublicKeyEncryptionAlgorithm::RsaOaepSha1);
+    let key = PrivateKey::make(PublicKeyEncryptionAlgorithm::RsaOaepSha1);
 
     let spki = key.to_public_key().to_der()?;
 
@@ -52,7 +52,7 @@ pub(crate) fn auth_request_decrypt_user_key(
     private_key: B64,
     user_key: UnsignedSharedKey,
 ) -> Result<SymmetricCryptoKey, EncryptionSettingsError> {
-    let key = AsymmetricCryptoKey::from_der(&private_key.as_bytes().into())?;
+    let key = PrivateKey::from_der(&private_key.as_bytes().into())?;
     let key: SymmetricCryptoKey = user_key.decapsulate_key_unsigned(&key)?;
     Ok(key)
 }
@@ -66,7 +66,7 @@ pub(crate) fn auth_request_decrypt_master_key(
 ) -> Result<SymmetricCryptoKey, EncryptionSettingsError> {
     use bitwarden_crypto::MasterKey;
 
-    let key = AsymmetricCryptoKey::from_der(&private_key.as_bytes().into())?;
+    let key = PrivateKey::from_der(&private_key.as_bytes().into())?;
     let master_key: SymmetricCryptoKey = master_key.decapsulate_key_unsigned(&key)?;
     let master_key = MasterKey::try_from(&master_key)?;
 
@@ -88,7 +88,7 @@ pub(crate) fn approve_auth_request(
     client: &Client,
     public_key: B64,
 ) -> Result<UnsignedSharedKey, ApproveAuthRequestError> {
-    let public_key = AsymmetricPublicCryptoKey::from_der(&SpkiPublicKeyBytes::from(&public_key))?;
+    let public_key = PublicKey::from_der(&SpkiPublicKeyBytes::from(&public_key))?;
 
     let key_store = client.internal.get_key_store();
     let ctx = key_store.context();
@@ -130,8 +130,7 @@ mod tests {
             248, 43, 255, 67, 35, 61, 245, 93,
         ];
 
-        let private_key =
-            AsymmetricCryptoKey::from_der(&request.private_key.as_bytes().into()).unwrap();
+        let private_key = PrivateKey::from_der(&request.private_key.as_bytes().into()).unwrap();
 
         let secret = BitwardenLegacyKeyBytes::from(secret);
         let encrypted = UnsignedSharedKey::encapsulate_key_unsigned(

@@ -1,5 +1,5 @@
 use bitwarden_crypto::{
-    AsymmetricPublicCryptoKey, DeviceKey, EncString, Kdf, SpkiPublicKeyBytes, SymmetricCryptoKey,
+    DeviceKey, EncString, Kdf, PublicKey, SpkiPublicKeyBytes, SymmetricCryptoKey,
     TrustDeviceResponse, UnsignedSharedKey, UserKey,
 };
 use bitwarden_encoding::B64;
@@ -18,8 +18,7 @@ pub(super) fn make_register_tde_keys(
     org_public_key: B64,
     remember_device: bool,
 ) -> Result<RegisterTdeKeyResponse, EncryptionSettingsError> {
-    let public_key =
-        AsymmetricPublicCryptoKey::from_der(&SpkiPublicKeyBytes::from(&org_public_key))?;
+    let public_key = PublicKey::from_der(&SpkiPublicKeyBytes::from(&org_public_key))?;
 
     let user_key = UserKey::new(SymmetricCryptoKey::make_aes256_cbc_hmac_key());
     let key_pair = user_key.make_key_pair()?;

@@ -61,7 +61,7 @@ impl EncryptionSettings {
         org_enc_keys: Vec<(OrganizationId, UnsignedSharedKey)>,
         store: &KeyStore<KeyIds>,
     ) -> Result<(), EncryptionSettingsError> {
-        use crate::key_management::AsymmetricKeyId;
+        use crate::key_management::PrivateKeyId;
 
         let mut ctx = store.context_mut();
 
@@ -70,7 +70,7 @@ impl EncryptionSettings {
             return Ok(());
         }
 
-        if !ctx.has_asymmetric_key(AsymmetricKeyId::UserPrivateKey) {
+        if !ctx.has_private_key(PrivateKeyId::UserPrivateKey) {
             return Err(MissingPrivateKeyError.into());
         }
 
@@ -81,7 +81,7 @@ impl EncryptionSettings {
         // Decrypt the org keys with the private key
         for (org_id, org_enc_key) in org_enc_keys {
             ctx.decapsulate_key_unsigned(
-                AsymmetricKeyId::UserPrivateKey,
+                PrivateKeyId::UserPrivateKey,
                 SymmetricKeyId::Organization(org_id),
                 &org_enc_key,
             )?;

@@ -12,7 +12,7 @@ use std::sync::RwLock;
 
 use bitwarden_api_api::models::{AccountKeysRequestModel, SecurityStateModel};
 use bitwarden_crypto::{
-    AsymmetricPublicCryptoKey, CoseSerializable, CryptoError, EncString, KeyStore, KeyStoreContext,
+    CoseSerializable, CryptoError, EncString, KeyStore, KeyStoreContext, PublicKey,
     PublicKeyEncryptionAlgorithm, SignatureAlgorithm, SignedPublicKey, SymmetricKeyAlgorithm,
     VerifyingKey,
 };
@@ -27,7 +27,7 @@ use tsify::Tsify;
 use crate::{
     UserId,
     key_management::{
-        AsymmetricKeyId, KeyIds, SecurityState, SignedSecurityState, SigningKeyId, SymmetricKeyId,
+        KeyIds, PrivateKeyId, SecurityState, SignedSecurityState, SigningKeyId, SymmetricKeyId,
     },
 };
 
@@ -214,7 +214,7 @@ impl WrappedAccountCryptographicState {
         mut ctx: KeyStoreContext<KeyIds>,
     ) -> Result<(), AccountCryptographyInitializationError> {
         if ctx.has_symmetric_key(SymmetricKeyId::User)
-            || ctx.has_asymmetric_key(AsymmetricKeyId::UserPrivateKey)
+            || ctx.has_private_key(PrivateKeyId::UserPrivateKey)
             || ctx.has_signing_key(SigningKeyId::UserSigningKey)
         {
             return Err(AccountCryptographyInitializationError::KeyStoreAlreadyInitialized);
@@ -232,7 +232,7 @@ impl WrappedAccountCryptographicState {
                 // Some users have unreadable V1 private keys. In this case, we set no keys to
                 // state.
                 if let Ok(private_key_id) = ctx.unwrap_private_key(user_key, private_key) {
-                    ctx.persist_asymmetric_key(private_key_id, AsymmetricKeyId::UserPrivateKey)?;
+                    ctx.persist_private_key(private_key_id, PrivateKeyId::UserPrivateKey)?;
                 } else {
                     tracing::warn!(
                         "V1 private key could not be unwrapped, skipping setting private key"
@@ -272,7 +272,7 @@ impl WrappedAccountCryptographicState {
                     .to_owned()
                     .verify_and_unwrap(&ctx.get_verifying_key(signing_key_id)?)
                     .map_err(|_| AccountCryptographyInitializationError::TamperedData)?;
-                ctx.persist_asymmetric_key(private_key_id, AsymmetricKeyId::UserPrivateKey)?;
+                ctx.persist_private_key(private_key_id, PrivateKeyId::UserPrivateKey)?;
                 ctx.persist_signing_key(signing_key_id, SigningKeyId::UserSigningKey)?;
                 ctx.persist_symmetric_key(user_key, SymmetricKeyId::User)?;
                 // Not manually dropping ctx here would lead to a deadlock, since storing the state
@@ -311,7 +311,7 @@ impl WrappedAccountCryptographicState {
     fn public_key(
         &self,
         store: &KeyStore<KeyIds>,
-    ) -> Result<Option<AsymmetricPublicCryptoKey>, AccountCryptographyInitializationError> {
+    ) -> Result<Option<PublicKey>, AccountCryptographyInitializationError> {
         match self {
             WrappedAccountCryptographicState::V1 { private_key }
             | WrappedAccountCryptographicState::V2 { private_key, .. } => {
@@ -346,7 +346,7 @@ mod tests {
     use bitwarden_crypto::{KeyStore, PrimitiveEncryptable};
 
     use super::*;
-    use crate::key_management::{AsymmetricKeyId, SigningKeyId, SymmetricKeyId};
+    use crate::key_management::{PrivateKeyId, SigningKeyId, SymmetricKeyId};
 
     #[test]
     fn test_set_to_context_v1() {
@@ -388,7 +388,7 @@ mod tests {
         let ctx = store.context();
 
         // Assert that the private key and user symmetric key were set in the store
-        assert!(ctx.has_asymmetric_key(AsymmetricKeyId::UserPrivateKey));
+        assert!(ctx.has_private_key(PrivateKeyId::UserPrivateKey));
         assert!(ctx.has_symmetric_key(SymmetricKeyId::User));
     }
 
@@ -450,7 +450,7 @@ mod tests {
         assert!(
             store
                 .context()
-                .has_asymmetric_key(AsymmetricKeyId::UserPrivateKey)
+                .has_private_key(PrivateKeyId::UserPrivateKey)
         );
         assert!(
             store
@@ -495,7 +495,7 @@ mod tests {
         assert_eq!(
             pk_pair.public_key.unwrap(),
             B64::from(
-                ctx.get_public_key(AsymmetricKeyId::UserPrivateKey)
+                ctx.get_public_key(PrivateKeyId::UserPrivateKey)
                     .unwrap()
                     .to_der()
                     .unwrap()
@@ -558,6 +558,6 @@ mod tests {
         // The user symmetric key should be set
         assert!(ctx.has_symmetric_key(SymmetricKeyId::User));
         // But the private key should NOT be set (due to corruption)
-        assert!(!ctx.has_asymmetric_key(AsymmetricKeyId::UserPrivateKey));
+        assert!(!ctx.has_private_key(PrivateKeyId::UserPrivateKey));
     }
 }
@@ -7,11 +7,10 @@
 use std::collections::HashMap;
 
 use bitwarden_crypto::{
-    AsymmetricCryptoKey, CoseSerializable, CryptoError, EncString, Kdf, KeyDecryptable,
-    KeyEncryptable, MasterKey, Pkcs8PrivateKeyBytes, PrimitiveEncryptable, RotateableKeySet,
-    SignatureAlgorithm, SignedPublicKey, SigningKey, SpkiPublicKeyBytes, SymmetricCryptoKey,
-    UnsignedSharedKey, UserKey, dangerous_get_v2_rotated_account_keys,
-    derive_symmetric_key_from_prf,
+    CoseSerializable, CryptoError, EncString, Kdf, KeyDecryptable, KeyEncryptable, MasterKey,
+    Pkcs8PrivateKeyBytes, PrimitiveEncryptable, PrivateKey, RotateableKeySet, SignatureAlgorithm,
+    SignedPublicKey, SigningKey, SpkiPublicKeyBytes, SymmetricCryptoKey, UnsignedSharedKey,
+    UserKey, dangerous_get_v2_rotated_account_keys, derive_symmetric_key_from_prf,
     safe::{PasswordProtectedKeyEnvelope, PasswordProtectedKeyEnvelopeError},
 };
 use bitwarden_encoding::B64;
@@ -27,7 +26,7 @@ use crate::{
     client::{LoginMethod, UserLoginMethod, encryption_settings::EncryptionSettingsError},
     error::StatefulCryptoError,
     key_management::{
-        AsymmetricKeyId, SecurityState, SignedSecurityState, SigningKeyId, SymmetricKeyId,
+        PrivateKeyId, SecurityState, SignedSecurityState, SigningKeyId, SymmetricKeyId,
         account_cryptographic_state::WrappedAccountCryptographicState,
         master_password::{MasterPasswordAuthenticationData, MasterPasswordUnlockData},
     },
@@ -543,9 +542,9 @@ pub(super) fn enroll_admin_password_reset(
     client: &Client,
     public_key: B64,
 ) -> Result<UnsignedSharedKey, EnrollAdminPasswordResetError> {
-    use bitwarden_crypto::AsymmetricPublicCryptoKey;
+    use bitwarden_crypto::PublicKey;
 
-    let public_key = AsymmetricPublicCryptoKey::from_der(&SpkiPublicKeyBytes::from(&public_key))?;
+    let public_key = PublicKey::from_der(&SpkiPublicKeyBytes::from(&public_key))?;
     let key_store = client.internal.get_key_store();
     let ctx = key_store.context();
     // FIXME: [PM-18110] This should be removed once the key store can handle public key encryption
@@ -670,8 +669,8 @@ pub(super) fn verify_asymmetric_keys(
             .map_err(VerifyError::DecryptFailed)?;
 
         let decrypted_private_key = Pkcs8PrivateKeyBytes::from(decrypted_private_key);
-        let private_key = AsymmetricCryptoKey::from_der(&decrypted_private_key)
-            .map_err(VerifyError::ParseFailed)?;
+        let private_key =
+            PrivateKey::from_der(&decrypted_private_key).map_err(VerifyError::ParseFailed)?;
 
         let derived_public_key_vec = private_key
             .to_public_key()
@@ -741,7 +740,7 @@ pub(crate) fn make_v2_keys_for_v1_user(
     let mut ctx = key_store.context();
 
     // Re-use existing private key
-    let private_key_id = AsymmetricKeyId::UserPrivateKey;
+    let private_key_id = PrivateKeyId::UserPrivateKey;
 
     // Ensure that the function is only called for a V1 user.
     if client.internal.get_security_version() != 1 {
@@ -754,14 +753,14 @@ pub(crate) fn make_v2_keys_for_v1_user(
     // Ensure the user has a private key.
     // V1 user must have a private key to upgrade. This should be ensured by the client before
     // calling the upgrade function.
-    if !ctx.has_asymmetric_key(AsymmetricKeyId::UserPrivateKey) {
+    if !ctx.has_private_key(PrivateKeyId::UserPrivateKey) {
         return Err(StatefulCryptoError::Crypto(CryptoError::MissingKeyId(
             "UserPrivateKey".to_string(),
         )));
     }
 
     #[allow(deprecated)]
-    let private_key = ctx.dangerous_get_asymmetric_key(private_key_id)?.clone();
+    let private_key = ctx.dangerous_get_private_key(private_key_id)?.clone();
 
     // New user key
     let user_key = SymmetricCryptoKey::make_xchacha20_poly1305_key();
@@ -828,7 +827,7 @@ pub(crate) fn get_v2_rotated_account_keys(
         .ok_or(StatefulCryptoError::MissingSecurityState)?;
 
     let rotated_keys = dangerous_get_v2_rotated_account_keys(
-        AsymmetricKeyId::UserPrivateKey,
+        PrivateKeyId::UserPrivateKey,
         SigningKeyId::UserSigningKey,
         &ctx,
     )?;
@@ -1248,7 +1247,7 @@ mod tests {
         let private_key: B64 = "MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCzLtEUdxfcLxDj84yaGFsVF5hZ8Hjlb08NMQDy1RnBma06I3ZESshLYzVz4r/gegMn9OOltfV/Yxlyvida8oW6qdlfJ7AVz6Oa8pV7BiL40C7b76+oqraQpyYw2HChANB1AhXL9SqWngKmLZwjA7qiCrmcc0kZHeOb4KnKtp9iVvPVs+8veFvKgYO4ba2AAOHKFdR0W55/agXfAy+fWUAkC8mc9ikyJdQWaPV6OZvC2XFkOseBQm9Rynudh3BQpoWiL6w620efe7t5k+02/EyOFJL9f/XEEjM/+Yo0t3LAfkuhHGeKiRST59Xc9hTEmyJTeVXROtz+0fjqOp3xkaObAgMBAAECggEACs4xhnO0HaZhh1/iH7zORMIRXKeyxP2LQiTR8xwN5JJ9wRWmGAR9VasS7EZFTDidIGVME2u/h4s5EqXnhxfO+0gGksVvgNXJ/qw87E8K2216g6ZNo6vSGA7H1GH2voWwejJ4/k/cJug6dz2S402rRAKh2Wong1arYHSkVlQp3diiMa5FHAOSE+Cy09O2ZsaF9IXQYUtlW6AVXFrBEPYH2kvkaPXchh8VETMijo6tbvoKLnUHe+wTaDMls7hy8exjtVyI59r3DNzjy1lNGaGb5QSnFMXR+eHhPZc844Wv02MxC15zKABADrl58gpJyjTl6XpDdHCYGsmGpVGH3X9TQQKBgQDz/9beFjzq59ve6rGwn+EtnQfSsyYT+jr7GN8lNEXb3YOFXBgPhfFIcHRh2R00Vm9w2ApfAx2cd8xm2I6HuvQ1Os7g26LWazvuWY0Qzb+KaCLQTEGH1RnTq6CCG+BTRq/a3J8M4t38GV5TWlzv8wr9U4dl6FR4efjb65HXs1GQ4QKBgQC7/uHfrOTEHrLeIeqEuSl0vWNqEotFKdKLV6xpOvNuxDGbgW4/r/zaxDqt0YBOXmRbQYSEhmO3oy9J6XfE1SUln0gbavZeW0HESCAmUIC88bDnspUwS9RxauqT5aF8ODKN/bNCWCnBM1xyonPOs1oT1nyparJVdQoG//Y7vkB3+wKBgBqLqPq8fKAp3XfhHLfUjREDVoiLyQa/YI9U42IOz9LdxKNLo6p8rgVthpvmnRDGnpUuS+KOWjhdqDVANjF6G3t3DG7WNl8Rh5Gk2H4NhFswfSkgQrjebFLlBy9gjQVCWXt8KSmjvPbiY6q52Aaa8IUjA0YJAregvXxfopxO+/7BAoGARicvEtDp7WWnSc1OPoj6N14VIxgYcI7SyrzE0d/1x3ffKzB5e7qomNpxKzvqrVP8DzG7ydh8jaKPmv1MfF8tpYRy3AhmN3/GYwCnPqT75YYrhcrWcVdax5gmQVqHkFtIQkRSCIftzPLlpMGKha/YBV8c1fvC4LD0NPh/Ynv0gtECgYEAyOZg95/kte0jpgUEgwuMrzkhY/AaUJULFuR5MkyvReEbtSBQwV5tx60+T95PHNiFooWWVXiLMsAgyI2IbkxVR1Pzdri3gWK5CTfqb7kLuaj/B7SGvBa2Sxo478KS5K8tBBBWkITqo+wLC0mn3uZi1dyMWO1zopTA+KtEGF2dtGQ=".parse().unwrap();
 
         let private_key = Pkcs8PrivateKeyBytes::from(private_key.as_bytes());
-        let private_key = AsymmetricCryptoKey::from_der(&private_key).unwrap();
+        let private_key = PrivateKey::from_der(&private_key).unwrap();
         let decrypted: SymmetricCryptoKey =
             encrypted.decapsulate_key_unsigned(&private_key).unwrap();
 
@@ -1554,7 +1553,7 @@ mod tests {
         let key_store = client.internal.get_key_store();
         let context = key_store.context();
         assert!(context.has_symmetric_key(SymmetricKeyId::User));
-        assert!(context.has_asymmetric_key(AsymmetricKeyId::UserPrivateKey));
+        assert!(context.has_private_key(PrivateKeyId::UserPrivateKey));
         let login_method = client.internal.get_login_method().unwrap();
         if let LoginMethod::User(UserLoginMethod::Username {
             email,

@@ -2,8 +2,8 @@
 //! Any code that needs to interact with the [KeyStore] should use these types.
 //!
 //! - [SymmetricKeyId] is used to identify symmetric keys.
-//! - [AsymmetricKeyId] is used to identify asymmetric keys.
-//! - [KeyIds] is a helper type that combines both symmetric and asymmetric key identifiers. This is
+//! - [PrivateKeyId] is used to identify private keys.
+//! - [KeyIds] is a helper type that combines both symmetric and private key identifiers. This is
 //!   usually used in the type bounds of [KeyStore],
 //!   [KeyStoreContext](bitwarden_crypto::KeyStoreContext),
 //!   [PrimitiveEncryptable](bitwarden_crypto::PrimitiveEncryptable),
@@ -50,8 +50,8 @@ key_ids! {
         Local(LocalId),
     }
 
-    #[asymmetric]
-    pub enum AsymmetricKeyId {
+    #[private]
+    pub enum PrivateKeyId {
         UserPrivateKey,
         #[local]
         Local(LocalId),
@@ -64,7 +64,7 @@ key_ids! {
         Local(LocalId),
     }
 
-    pub KeyIds => SymmetricKeyId, AsymmetricKeyId, SigningKeyId;
+    pub KeyIds => SymmetricKeyId, PrivateKeyId, SigningKeyId;
 }
 
 /// This is a helper function to create a test KeyStore with a single user key.

@@ -7,7 +7,7 @@ use bitwarden_encoding::B64;
 use serde::{Deserialize, Serialize};
 use thiserror::Error;
 
-use crate::{MissingPrivateKeyError, key_management::AsymmetricKeyId};
+use crate::{MissingPrivateKeyError, key_management::PrivateKeyId};
 
 /// Request to generate a fingerprint.
 #[derive(Serialize, Deserialize, Debug)]
@@ -66,7 +66,7 @@ pub(crate) fn generate_user_fingerprint(
     // FIXME: [PM-18110] This should be removed once the key store can handle public keys and
     // fingerprints
     #[allow(deprecated)]
-    let private_key = ctx.dangerous_get_asymmetric_key(AsymmetricKeyId::UserPrivateKey)?;
+    let private_key = ctx.dangerous_get_private_key(PrivateKeyId::UserPrivateKey)?;
 
     let public_key = private_key.to_public_key().to_der()?;
     let fingerprint = fingerprint(&fingerprint_material, &public_key)?;

@@ -90,8 +90,8 @@ key_ids! {
         VaultKey(LocalId)
     }
 
-    #[asymmetric]
-    pub enum ExampleAsymmetricKey {
+    #[private]
+    pub enum ExamplePrivateKey {
         Key(u8),
         #[local]
         Local(LocalId)
@@ -104,5 +104,5 @@ key_ids! {
         Local(LocalId)
     }
 
-   pub ExampleIds => ExampleSymmetricKey, ExampleAsymmetricKey, ExampleSigningKey;
+   pub ExampleIds => ExampleSymmetricKey, ExamplePrivateKey, ExampleSigningKey;
 }
@@ -98,8 +98,8 @@ key_ids! {
         ItemKey(LocalId)
     }
 
-    #[asymmetric]
-    pub enum ExampleAsymmetricKey {
+    #[private]
+    pub enum ExamplePrivateKey {
         Key(u8),
         #[local]
         Local(LocalId),
@@ -111,5 +111,5 @@ key_ids! {
         #[local]
         Local(LocalId),
     }
-    pub ExampleIds => ExampleSymmetricKey, ExampleAsymmetricKey, ExampleSigningKey;
+    pub ExampleIds => ExampleSymmetricKey, ExamplePrivateKey, ExampleSigningKey;
 }