bitwarden · quexten · Dec 11, 2025 · Nov 12, 2025 · Nov 12, 2025 · Nov 12, 2025
@@ -6,6 +6,8 @@ use bitwarden_crypto::SymmetricCryptoKey;
 use bitwarden_crypto::UnsignedSharedKey;
 use bitwarden_error::bitwarden_error;
 use thiserror::Error;
+#[cfg(feature = "internal")]
+use tracing::instrument;
 
 #[cfg(any(feature = "secrets", feature = "internal"))]
 use crate::OrganizationId;
@@ -54,6 +56,7 @@ impl EncryptionSettings {
     }
 
     #[cfg(feature = "internal")]
+    #[instrument(err, skip_all)]
     pub(crate) fn set_org_keys(
         org_enc_keys: Vec<(OrganizationId, UnsignedSharedKey)>,
         store: &KeyStore<KeyIds>,

@@ -10,6 +10,8 @@ use bitwarden_crypto::{
 #[cfg(feature = "internal")]
 use bitwarden_state::registry::StateRegistry;
 use chrono::Utc;
+#[cfg(feature = "internal")]
+use tracing::instrument;
 
 #[cfg(any(feature = "internal", feature = "secrets"))]
 use crate::client::encryption_settings::EncryptionSettings;
@@ -268,6 +270,7 @@ impl InternalClient {
     }
 
     #[cfg(feature = "internal")]
+    #[instrument(err, skip_all)]
     pub(crate) fn initialize_user_crypto_master_key(
         &self,
         master_key: MasterKey,
@@ -279,6 +282,7 @@ impl InternalClient {
     }
 
     #[cfg(feature = "internal")]
+    #[instrument(err, skip_all, fields(user_id = ?self.get_user_id()))]
     pub(crate) fn initialize_user_crypto_decrypted_key(
         &self,
         user_key: SymmetricCryptoKey,
@@ -292,6 +296,7 @@ impl InternalClient {
     }
 
     #[cfg(feature = "internal")]
+    #[instrument(err, skip_all)]
     pub(crate) fn initialize_user_crypto_pin(
         &self,
         pin_key: PinKey,
@@ -303,6 +308,7 @@ impl InternalClient {
     }
 
     #[cfg(feature = "internal")]
+    #[instrument(err, skip_all)]
     pub(crate) fn initialize_user_crypto_pin_envelope(
         &self,
         pin: String,
@@ -345,6 +351,7 @@ impl InternalClient {
     }
 
     #[cfg(feature = "internal")]
+    #[instrument(err, skip_all)]
     pub(crate) fn initialize_user_crypto_master_password_unlock(
         &self,
         password: String,

@@ -18,6 +18,7 @@ use bitwarden_encoding::B64;
 use bitwarden_error::bitwarden_error;
 use schemars::JsonSchema;
 use serde::{Deserialize, Serialize};
+use tracing::info;
 #[cfg(feature = "wasm")]
 use {tsify::Tsify, wasm_bindgen::prelude::*};
 
@@ -165,14 +166,21 @@ pub(super) async fn initialize_user_crypto(
         client.internal.init_user_id(user_id)?;
     }
 
-    let key_state = req.account_cryptographic_state;
+    let account_crypto_state = req.account_cryptographic_state.to_owned();
+    let _span_guard = tracing::info_span!(
+        "User Crypto Initialization",
+        user_id = ?client.internal.get_user_id(),
+    )
+    .entered();
 
     match req.method {
         InitUserCryptoMethod::Password { password, user_key } => {
             let master_key = MasterKey::derive(&password, &req.email, &req.kdf_params)?;
-            client
-                .internal
-                .initialize_user_crypto_master_key(master_key, user_key, key_state)?;
+            client.internal.initialize_user_crypto_master_key(
+                master_key,
+                user_key,
+                account_crypto_state,
+            )?;
         }
         InitUserCryptoMethod::MasterPasswordUnlock {
             password,
@@ -183,14 +191,14 @@ pub(super) async fn initialize_user_crypto(
                 .initialize_user_crypto_master_password_unlock(
                     password,
                     master_password_unlock,
-                    key_state,
+                    account_crypto_state,
                 )?;
         }
         InitUserCryptoMethod::DecryptedKey { decrypted_user_key } => {
             let user_key = SymmetricCryptoKey::try_from(decrypted_user_key)?;
             client
                 .internal
-                .initialize_user_crypto_decrypted_key(user_key, key_state)?;
+                .initialize_user_crypto_decrypted_key(user_key, account_crypto_state)?;
         }
         InitUserCryptoMethod::Pin {
             pin,
@@ -200,7 +208,7 @@ pub(super) async fn initialize_user_crypto(
             client.internal.initialize_user_crypto_pin(
                 pin_key,
                 pin_protected_user_key,
-                key_state,
+                account_crypto_state,
             )?;
         }
         InitUserCryptoMethod::PinEnvelope {
@@ -210,7 +218,7 @@ pub(super) async fn initialize_user_crypto(
             client.internal.initialize_user_crypto_pin_envelope(
                 pin,
                 pin_protected_user_key_envelope,
-                key_state,
+                account_crypto_state,
             )?;
         }
         InitUserCryptoMethod::AuthRequest {
@@ -232,7 +240,7 @@ pub(super) async fn initialize_user_crypto(
             };
             client
                 .internal
-                .initialize_user_crypto_decrypted_key(user_key, key_state)?;
+                .initialize_user_crypto_decrypted_key(user_key, account_crypto_state)?;
         }
         InitUserCryptoMethod::DeviceKey {
             device_key,
@@ -245,7 +253,7 @@ pub(super) async fn initialize_user_crypto(
 
             client
                 .internal
-                .initialize_user_crypto_decrypted_key(user_key, key_state)?;
+                .initialize_user_crypto_decrypted_key(user_key, account_crypto_state)?;
         }
         InitUserCryptoMethod::KeyConnector {
             master_key,
@@ -254,12 +262,16 @@ pub(super) async fn initialize_user_crypto(
             let mut bytes = master_key.into_bytes();
             let master_key = MasterKey::try_from(bytes.as_mut_slice())?;
 
-            client
-                .internal
-                .initialize_user_crypto_master_key(master_key, user_key, key_state)?;
+            client.internal.initialize_user_crypto_master_key(
+                master_key,
+                user_key,
+                account_crypto_state,
+            )?;
         }
     }
 
+    info!("User crypto initialized successfully");
+
     client
         .internal
         .set_login_method(LoginMethod::User(UserLoginMethod::Username {

@@ -57,6 +57,7 @@ sha1 = { workspace = true }
 sha2 = ">=0.10.6, <0.11"
 subtle = { workspace = true }
 thiserror = { workspace = true }
+tracing = { workspace = true }
 tsify = { workspace = true, optional = true }
 typenum = ">=1.18.0, <1.19.0"
 uniffi = { workspace = true, optional = true }

@@ -9,6 +9,7 @@ use coset::{
 };
 use generic_array::GenericArray;
 use thiserror::Error;
+use tracing::instrument;
 use typenum::U32;
 
 use crate::{
@@ -135,6 +136,7 @@ const SYMMETRIC_KEY: Label = Label::Int(iana::SymmetricKeyParameter::K as i64);
 impl TryFrom<&coset::CoseKey> for SymmetricCryptoKey {
     type Error = CryptoError;
 
+    #[instrument(err, skip_all)]
     fn try_from(cose_key: &coset::CoseKey) -> Result<Self, Self::Error> {
         let key_bytes = cose_key
             .params

@@ -3,6 +3,7 @@ use std::{borrow::Cow, str::FromStr};
 use bitwarden_encoding::{B64, FromStrVisitor};
 use coset::{CborSerializable, iana::KeyOperation};
 use serde::Deserialize;
+use tracing::instrument;
 #[cfg(feature = "wasm")]
 use wasm_bindgen::convert::FromWasmAbi;
 
@@ -367,6 +368,7 @@ impl KeyEncryptable<SymmetricCryptoKey, EncString> for &str {
 }
 
 impl KeyDecryptable<SymmetricCryptoKey, String> for EncString {
+    #[instrument(err, skip_all)]
     fn decrypt_with_key(&self, key: &SymmetricCryptoKey) -> Result<String> {
         let dec: Vec<u8> = self.decrypt_with_key(key)?;
         String::from_utf8(dec).map_err(|_| CryptoError::InvalidUtf8String)

@@ -1,3 +1,5 @@
+use tracing::instrument;
+
 use crate::{CryptoError, EncString, KeyId, KeyIds, store::KeyStoreContext};
 
 /// A decryption operation that takes the input value and decrypts it into the output value.
@@ -9,6 +11,7 @@ pub trait Decryptable<Ids: KeyIds, Key: KeyId, Output> {
 }
 
 impl<Ids: KeyIds> Decryptable<Ids, Ids::Symmetric, Vec<u8>> for EncString {
+    #[instrument(err, skip_all)]
     fn decrypt(
         &self,
         ctx: &mut KeyStoreContext<Ids>,
@@ -19,6 +22,7 @@ impl<Ids: KeyIds> Decryptable<Ids, Ids::Symmetric, Vec<u8>> for EncString {
 }
 
 impl<Ids: KeyIds> Decryptable<Ids, Ids::Symmetric, String> for EncString {
+    #[instrument(err, skip_all)]
     fn decrypt(
         &self,
         ctx: &mut KeyStoreContext<Ids>,

@@ -53,6 +53,7 @@ sha1 = ">=0.10.5, <0.11"
 sha2 = ">=0.10.6, <0.11"
 subtle = { workspace = true }
 thiserror = { workspace = true }
+tracing = { workspace = true }
 tsify = { workspace = true, optional = true }
 uniffi = { workspace = true, optional = true }
 uuid = { workspace = true }

@@ -22,6 +22,7 @@ use chrono::{DateTime, SecondsFormat, Utc};
 use serde::{Deserialize, Serialize};
 use serde_repr::{Deserialize_repr, Serialize_repr};
 use thiserror::Error;
+use tracing::instrument;
 #[cfg(feature = "wasm")]
 use tsify::Tsify;
 #[cfg(feature = "wasm")]
@@ -512,6 +513,7 @@ impl CompositeEncryptable<KeyIds, SymmetricKeyId, Cipher> for CipherView {
 }
 
 impl Decryptable<KeyIds, SymmetricKeyId, CipherView> for Cipher {
+    #[instrument(err, skip_all, fields(cipher_id = ?self.id, org_id = ?self.organization_id, kind = ?self.r#type))]
     fn decrypt(
         &self,
         ctx: &mut KeyStoreContext<KeyIds>,
@@ -576,6 +578,7 @@ impl Cipher {
     /// * `key` - The key to use to decrypt the cipher key, this should be the user or organization
     ///   key
     /// * `ciphers_key` - The encrypted cipher key
+    #[instrument(err, skip_all)]
     pub(super) fn decrypt_cipher_key(
         ctx: &mut KeyStoreContext<KeyIds>,
         key: SymmetricKeyId,