[PM-4154] Introduce Bulk Encrypt Service for Faster Unlock Times (#6465)

* Implement multi-worker encryption service * Fix feature flag being flipped and check for empty input earlier * Add tests * Small cleanup * Remove restricted import * Rename feature flag * Refactor to BulkEncryptService * Rename feature flag * Fix cipher service spec * Implement browser bulk encryption service * Un-deprecate browserbulkencryptservice * Load browser bulk encrypt service on feature flag asynchronously * Fix bulk encryption service factories * Deprecate BrowserMultithreadEncryptServiceImplementation * Copy tests for browser-bulk-encrypt-service-implementation from browser-multithread-encrypt-service-implementation * Make sure desktop uses non-bulk fallback during feature rollout * Rename FallbackBulkEncryptService and fix service dependency issue * Disable bulk encrypt service on mv3 * Change condition order to avoid expensive api call * Set default hardware concurrency to 1 if not available * Make getdecrypteditemfromworker private * Fix cli build * Add check for key being null
2024-11-22 11:45:59 +01:00 · 2024-07-18 14:56:22 +02:00 · 2024-07-18 14:56:22 +02:00 · 84b719d797
commit 84b719d797
parent 9b50e5c496
14 changed files with 296 additions and 12 deletions
--- a/apps/browser/src/background/main.background.ts
+++ b/apps/browser/src/background/main.background.ts
@ -112,7 +112,9 @@ import { ConfigApiService } from "@bitwarden/common/platform/services/config/con
 import { DefaultConfigService } from "@bitwarden/common/platform/services/config/default-config.service";
 import { ConsoleLogService } from "@bitwarden/common/platform/services/console-log.service";
 import { ContainerService } from "@bitwarden/common/platform/services/container.service";
+import { BulkEncryptServiceImplementation } from "@bitwarden/common/platform/services/cryptography/bulk-encrypt.service.implementation";
 import { EncryptServiceImplementation } from "@bitwarden/common/platform/services/cryptography/encrypt.service.implementation";
+import { FallbackBulkEncryptService } from "@bitwarden/common/platform/services/cryptography/fallback-bulk-encrypt.service";
 import { MultithreadEncryptServiceImplementation } from "@bitwarden/common/platform/services/cryptography/multithread-encrypt.service.implementation";
 import { Fido2AuthenticatorService } from "@bitwarden/common/platform/services/fido2/fido2-authenticator.service";
 import { Fido2ClientService } from "@bitwarden/common/platform/services/fido2/fido2-client.service";
@ -247,7 +249,6 @@ import CommandsBackground from "./commands.background";
 import IdleBackground from "./idle.background";
 import { NativeMessagingBackground } from "./nativeMessaging.background";
 import RuntimeBackground from "./runtime.background";
-
 export default class MainBackground {
  messagingService: MessageSender;
  storageService: BrowserLocalStorageService;
@ -306,6 +307,7 @@ export default class MainBackground {
  vaultFilterService: VaultFilterService;
  usernameGenerationService: UsernameGenerationServiceAbstraction;
  encryptService: EncryptService;
+  bulkEncryptService: FallbackBulkEncryptService;
  folderApiService: FolderApiServiceAbstraction;
  policyApiService: PolicyApiServiceAbstraction;
  sendApiService: SendApiServiceAbstraction;
@ -744,6 +746,7 @@ export default class MainBackground {
      this.stateService,
      this.autofillSettingsService,
      this.encryptService,
+      this.bulkEncryptService,
      this.cipherFileUploadService,
      this.configService,
      this.stateProvider,
@ -1227,6 +1230,15 @@ export default class MainBackground {
    this.webRequestBackground?.startListening();
    this.syncServiceListener?.listener$().subscribe();

+    if (
+      BrowserApi.isManifestVersion(2) &&
+      (await this.configService.getFeatureFlag(FeatureFlag.PM4154_BulkEncryptionService))
+    ) {
+      await this.bulkEncryptService.setFeatureFlagEncryptService(
+        new BulkEncryptServiceImplementation(this.cryptoFunctionService, this.logService),
+      );
+    }
+
    return new Promise<void>((resolve) => {
      setTimeout(async () => {
        await this.refreshBadge();
--- a/apps/cli/src/service-container.ts
+++ b/apps/cli/src/service-container.ts
@ -75,6 +75,7 @@ import { DefaultConfigService } from "@bitwarden/common/platform/services/config
 import { ContainerService } from "@bitwarden/common/platform/services/container.service";
 import { CryptoService } from "@bitwarden/common/platform/services/crypto.service";
 import { EncryptServiceImplementation } from "@bitwarden/common/platform/services/cryptography/encrypt.service.implementation";
+import { FallbackBulkEncryptService } from "@bitwarden/common/platform/services/cryptography/fallback-bulk-encrypt.service";
 import { DefaultEnvironmentService } from "@bitwarden/common/platform/services/default-environment.service";
 import { FileUploadService } from "@bitwarden/common/platform/services/file-upload/file-upload.service";
 import { KeyGenerationService } from "@bitwarden/common/platform/services/key-generation.service";
@ -605,6 +606,7 @@ export class ServiceContainer {
      this.stateService,
      this.autofillSettingsService,
      this.encryptService,
+      new FallbackBulkEncryptService(this.encryptService),
      this.cipherFileUploadService,
      this.configService,
      this.stateProvider,
--- a/apps/web/src/app/auth/emergency-access/services/emergency-access.service.spec.ts
+++ b/apps/web/src/app/auth/emergency-access/services/emergency-access.service.spec.ts
@ -4,6 +4,8 @@ import mock from "jest-mock-extended/lib/Mock";
 import { ApiService } from "@bitwarden/common/abstractions/api.service";
 import { ListResponse } from "@bitwarden/common/models/response/list.response";
 import { UserKeyResponse } from "@bitwarden/common/models/response/user-key.response";
+import { BulkEncryptService } from "@bitwarden/common/platform/abstractions/bulk-encrypt.service";
+import { ConfigService } from "@bitwarden/common/platform/abstractions/config/config.service";
 import { CryptoService } from "@bitwarden/common/platform/abstractions/crypto.service";
 import { EncryptService } from "@bitwarden/common/platform/abstractions/encrypt.service";
 import { LogService } from "@bitwarden/common/platform/abstractions/log.service";
@ -31,15 +33,18 @@ describe("EmergencyAccessService", () => {
  let apiService: MockProxy<ApiService>;
  let cryptoService: MockProxy<CryptoService>;
  let encryptService: MockProxy<EncryptService>;
+  let bulkEncryptService: MockProxy<BulkEncryptService>;
  let cipherService: MockProxy<CipherService>;
  let logService: MockProxy<LogService>;
  let emergencyAccessService: EmergencyAccessService;
+  let configService: ConfigService;

  beforeAll(() => {
    emergencyAccessApiService = mock<EmergencyAccessApiService>();
    apiService = mock<ApiService>();
    cryptoService = mock<CryptoService>();
    encryptService = mock<EncryptService>();
+    bulkEncryptService = mock<BulkEncryptService>();
    cipherService = mock<CipherService>();
    logService = mock<LogService>();

@ -48,8 +53,10 @@ describe("EmergencyAccessService", () => {
      apiService,
      cryptoService,
      encryptService,
+      bulkEncryptService,
      cipherService,
      logService,
+      configService,
    );
  });

--- a/apps/web/src/app/auth/emergency-access/services/emergency-access.service.ts
+++ b/apps/web/src/app/auth/emergency-access/services/emergency-access.service.ts
@ -9,6 +9,9 @@ import {
  KdfConfig,
  PBKDF2KdfConfig,
 } from "@bitwarden/common/auth/models/domain/kdf-config";
+import { FeatureFlag } from "@bitwarden/common/enums/feature-flag.enum";
+import { BulkEncryptService } from "@bitwarden/common/platform/abstractions/bulk-encrypt.service";
+import { ConfigService } from "@bitwarden/common/platform/abstractions/config/config.service";
 import { CryptoService } from "@bitwarden/common/platform/abstractions/crypto.service";
 import { EncryptService } from "@bitwarden/common/platform/abstractions/encrypt.service";
 import { LogService } from "@bitwarden/common/platform/abstractions/log.service";
@ -45,8 +48,10 @@ export class EmergencyAccessService
    private apiService: ApiService,
    private cryptoService: CryptoService,
    private encryptService: EncryptService,
+    private bulkEncryptService: BulkEncryptService,
    private cipherService: CipherService,
    private logService: LogService,
+    private configService: ConfigService,
  ) {}

  /**
@ -225,10 +230,18 @@ export class EmergencyAccessService
    );
    const grantorUserKey = new SymmetricCryptoKey(grantorKeyBuffer) as UserKey;

-    const ciphers = await this.encryptService.decryptItems(
+    let ciphers: CipherView[] = [];
+    if (await this.configService.getFeatureFlag(FeatureFlag.PM4154_BulkEncryptionService)) {
+      ciphers = await this.bulkEncryptService.decryptItems(
        response.ciphers.map((c) => new Cipher(c)),
        grantorUserKey,
      );
+    } else {
+      ciphers = await this.encryptService.decryptItems(
+        response.ciphers.map((c) => new Cipher(c)),
+        grantorUserKey,
+      );
+    }
    return ciphers.sort(this.cipherService.getLocaleSortingFunction());
  }

--- a/libs/angular/src/services/jslib-services.module.ts
+++ b/libs/angular/src/services/jslib-services.module.ts
@ -131,6 +131,7 @@ import { BraintreeService } from "@bitwarden/common/billing/services/payment-pro
 import { StripeService } from "@bitwarden/common/billing/services/payment-processors/stripe.service";
 import { AppIdService as AppIdServiceAbstraction } from "@bitwarden/common/platform/abstractions/app-id.service";
 import { BroadcasterService } from "@bitwarden/common/platform/abstractions/broadcaster.service";
+import { BulkEncryptService } from "@bitwarden/common/platform/abstractions/bulk-encrypt.service";
 import { ConfigApiServiceAbstraction } from "@bitwarden/common/platform/abstractions/config/config-api.service.abstraction";
 import { ConfigService } from "@bitwarden/common/platform/abstractions/config/config.service";
 import { CryptoFunctionService as CryptoFunctionServiceAbstraction } from "@bitwarden/common/platform/abstractions/crypto-function.service";
@ -166,6 +167,7 @@ import { ConfigApiService } from "@bitwarden/common/platform/services/config/con
 import { DefaultConfigService } from "@bitwarden/common/platform/services/config/default-config.service";
 import { ConsoleLogService } from "@bitwarden/common/platform/services/console-log.service";
 import { CryptoService } from "@bitwarden/common/platform/services/crypto.service";
+import { BulkEncryptServiceImplementation } from "@bitwarden/common/platform/services/cryptography/bulk-encrypt.service.implementation";
 import { MultithreadEncryptServiceImplementation } from "@bitwarden/common/platform/services/cryptography/multithread-encrypt.service.implementation";
 import { DefaultBroadcasterService } from "@bitwarden/common/platform/services/default-broadcaster.service";
 import { DefaultEnvironmentService } from "@bitwarden/common/platform/services/default-environment.service";
@ -437,6 +439,7 @@ const safeProviders: SafeProvider[] = [
      stateService: StateServiceAbstraction,
      autofillSettingsService: AutofillSettingsServiceAbstraction,
      encryptService: EncryptService,
+      bulkEncryptService: BulkEncryptService,
      fileUploadService: CipherFileUploadServiceAbstraction,
      configService: ConfigService,
      stateProvider: StateProvider,
@ -450,6 +453,7 @@ const safeProviders: SafeProvider[] = [
        stateService,
        autofillSettingsService,
        encryptService,
+        bulkEncryptService,
        fileUploadService,
        configService,
        stateProvider,
@ -463,6 +467,7 @@ const safeProviders: SafeProvider[] = [
      StateServiceAbstraction,
      AutofillSettingsServiceAbstraction,
      EncryptService,
+      BulkEncryptService,
      CipherFileUploadServiceAbstraction,
      ConfigService,
      StateProvider,
@ -832,6 +837,11 @@ const safeProviders: SafeProvider[] = [
    useClass: MultithreadEncryptServiceImplementation,
    deps: [CryptoFunctionServiceAbstraction, LogService, LOG_MAC_FAILURES],
  }),
+  safeProvider({
+    provide: BulkEncryptService,
+    useClass: BulkEncryptServiceImplementation,
+    deps: [CryptoFunctionServiceAbstraction, LogService],
+  }),
  safeProvider({
    provide: EventUploadServiceAbstraction,
    useClass: EventUploadService,
--- a/libs/common/src/enums/feature-flag.enum.ts
+++ b/libs/common/src/enums/feature-flag.enum.ts
@ -14,6 +14,7 @@ export enum FeatureFlag {
  EnableDeleteProvider = "AC-1218-delete-provider",
  ExtensionRefresh = "extension-refresh",
  RestrictProviderAccess = "restrict-provider-access",
+  PM4154_BulkEncryptionService = "PM-4154-bulk-encryption-service",
  UseTreeWalkerApiForPageDetailsCollection = "use-tree-walker-api-for-page-details-collection",
  EmailVerification = "email-verification",
  InlineMenuFieldQualification = "inline-menu-field-qualification",
@ -49,6 +50,7 @@ export const DefaultFeatureFlagValue = {
  [FeatureFlag.EnableDeleteProvider]: FALSE,
  [FeatureFlag.ExtensionRefresh]: FALSE,
  [FeatureFlag.RestrictProviderAccess]: FALSE,
+  [FeatureFlag.PM4154_BulkEncryptionService]: FALSE,
  [FeatureFlag.UseTreeWalkerApiForPageDetailsCollection]: FALSE,
  [FeatureFlag.EmailVerification]: FALSE,
  [FeatureFlag.InlineMenuFieldQualification]: FALSE,
--- a/libs/common/src/platform/abstractions/bulk-encrypt.service.ts
+++ b/libs/common/src/platform/abstractions/bulk-encrypt.service.ts
@ -0,0 +1,10 @@
+import { Decryptable } from "../interfaces/decryptable.interface";
+import { InitializerMetadata } from "../interfaces/initializer-metadata.interface";
+import { SymmetricCryptoKey } from "../models/domain/symmetric-crypto-key";
+
+export abstract class BulkEncryptService {
+  abstract decryptItems<T extends InitializerMetadata>(
+    items: Decryptable<T>[],
+    key: SymmetricCryptoKey,
+  ): Promise<T[]>;
+}
--- a/libs/common/src/platform/abstractions/encrypt.service.ts
+++ b/libs/common/src/platform/abstractions/encrypt.service.ts
@ -13,6 +13,11 @@ export abstract class EncryptService {
  abstract rsaEncrypt(data: Uint8Array, publicKey: Uint8Array): Promise<EncString>;
  abstract rsaDecrypt(data: EncString, privateKey: Uint8Array): Promise<Uint8Array>;
  abstract resolveLegacyKey(key: SymmetricCryptoKey, encThing: Encrypted): SymmetricCryptoKey;
+  /**
+   * @deprecated Replaced by BulkEncryptService, remove once the feature is tested and the featureflag PM-4154-multi-worker-encryption-service is removed
+   * @param items The items to decrypt
+   * @param key The key to decrypt the items with
+   */
  abstract decryptItems<T extends InitializerMetadata>(
    items: Decryptable<T>[],
    key: SymmetricCryptoKey,
--- a/libs/common/src/platform/services/cryptography/bulk-encrypt.service.implementation.ts
+++ b/libs/common/src/platform/services/cryptography/bulk-encrypt.service.implementation.ts
@ -0,0 +1,164 @@
+import { firstValueFrom, fromEvent, filter, map, takeUntil, defaultIfEmpty, Subject } from "rxjs";
+import { Jsonify } from "type-fest";
+
+import { BulkEncryptService } from "../../abstractions/bulk-encrypt.service";
+import { CryptoFunctionService } from "../../abstractions/crypto-function.service";
+import { LogService } from "../../abstractions/log.service";
+import { Decryptable } from "../../interfaces/decryptable.interface";
+import { InitializerMetadata } from "../../interfaces/initializer-metadata.interface";
+import { Utils } from "../../misc/utils";
+import { SymmetricCryptoKey } from "../../models/domain/symmetric-crypto-key";
+
+import { getClassInitializer } from "./get-class-initializer";
+
+// TTL (time to live) is not strictly required but avoids tying up memory resources if inactive
+const workerTTL = 60000; // 1 minute
+const maxWorkers = 8;
+const minNumberOfItemsForMultithreading = 400;
+
+export class BulkEncryptServiceImplementation implements BulkEncryptService {
+  private workers: Worker[] = [];
+  private timeout: any;
+
+  private clear$ = new Subject<void>();
+
+  constructor(
+    protected cryptoFunctionService: CryptoFunctionService,
+    protected logService: LogService,
+  ) {}
+
+  /**
+   * Decrypts items using a web worker if the environment supports it.
+   * Will fall back to the main thread if the window object is not available.
+   */
+  async decryptItems<T extends InitializerMetadata>(
+    items: Decryptable<T>[],
+    key: SymmetricCryptoKey,
+  ): Promise<T[]> {
+    if (key == null) {
+      throw new Error("No encryption key provided.");
+    }
+
+    if (items == null || items.length < 1) {
+      return [];
+    }
+
+    if (typeof window === "undefined") {
+      this.logService.info("Window not available in BulkEncryptService, decrypting sequentially");
+      const results = [];
+      for (let i = 0; i < items.length; i++) {
+        results.push(await items[i].decrypt(key));
+      }
+      return results;
+    }
+
+    const decryptedItems = await this.getDecryptedItemsFromWorkers(items, key);
+    return decryptedItems;
+  }
+
+  /**
+   * Sends items to a set of web workers to decrypt them. This utilizes multiple workers to decrypt items
+   * faster without interrupting other operations (e.g. updating UI).
+   */
+  private async getDecryptedItemsFromWorkers<T extends InitializerMetadata>(
+    items: Decryptable<T>[],
+    key: SymmetricCryptoKey,
+  ): Promise<T[]> {
+    if (items == null || items.length < 1) {
+      return [];
+    }
+
+    this.clearTimeout();
+
+    const hardwareConcurrency = navigator.hardwareConcurrency || 1;
+    let numberOfWorkers = Math.min(hardwareConcurrency, maxWorkers);
+    if (items.length < minNumberOfItemsForMultithreading) {
+      numberOfWorkers = 1;
+    }
+
+    this.logService.info(
+      `Starting decryption using multithreading with ${numberOfWorkers} workers for ${items.length} items`,
+    );
+
+    if (this.workers.length == 0) {
+      for (let i = 0; i < numberOfWorkers; i++) {
+        this.workers.push(
+          new Worker(
+            new URL(
+              /* webpackChunkName: 'encrypt-worker' */
+              "@bitwarden/common/platform/services/cryptography/encrypt.worker.ts",
+              import.meta.url,
+            ),
+          ),
+        );
+      }
+    }
+
+    const itemsPerWorker = Math.floor(items.length / this.workers.length);
+    const results = [];
+
+    for (const [i, worker] of this.workers.entries()) {
+      const start = i * itemsPerWorker;
+      const end = start + itemsPerWorker;
+      const itemsForWorker = items.slice(start, end);
+
+      // push the remaining items to the last worker
+      if (i == this.workers.length - 1) {
+        itemsForWorker.push(...items.slice(end));
+      }
+
+      const request = {
+        id: Utils.newGuid(),
+        items: itemsForWorker,
+        key: key,
+      };
+
+      worker.postMessage(JSON.stringify(request));
+      results.push(
+        firstValueFrom(
+          fromEvent(worker, "message").pipe(
+            filter((response: MessageEvent) => response.data?.id === request.id),
+            map((response) => JSON.parse(response.data.items)),
+            map((items) =>
+              items.map((jsonItem: Jsonify<T>) => {
+                const initializer = getClassInitializer<T>(jsonItem.initializerKey);
+                return initializer(jsonItem);
+              }),
+            ),
+            takeUntil(this.clear$),
+            defaultIfEmpty([]),
+          ),
+        ),
+      );
+    }
+
+    const decryptedItems = (await Promise.all(results)).flat();
+    this.logService.info(
+      `Finished decrypting ${decryptedItems.length} items using ${numberOfWorkers} workers`,
+    );
+
+    this.restartTimeout();
+
+    return decryptedItems;
+  }
+
+  private clear() {
+    this.clear$.next();
+    for (const worker of this.workers) {
+      worker.terminate();
+    }
+    this.workers = [];
+    this.clearTimeout();
+  }
+
+  private restartTimeout() {
+    this.clearTimeout();
+    this.timeout = setTimeout(() => this.clear(), workerTTL);
+  }
+
+  private clearTimeout() {
+    if (this.timeout != null) {
+      clearTimeout(this.timeout);
+    }
+  }
+}
--- a/libs/common/src/platform/services/cryptography/encrypt.service.implementation.ts
+++ b/libs/common/src/platform/services/cryptography/encrypt.service.implementation.ts
@ -185,6 +185,9 @@ export class EncryptServiceImplementation implements EncryptService {
    return this.cryptoFunctionService.rsaDecrypt(data.dataBytes, privateKey, algorithm);
  }

+  /**
+   * @deprecated Replaced by BulkEncryptService (PM-4154)
+   */
  async decryptItems<T extends InitializerMetadata>(
    items: Decryptable<T>[],
    key: SymmetricCryptoKey,
--- a/libs/common/src/platform/services/cryptography/fallback-bulk-encrypt.service.ts
+++ b/libs/common/src/platform/services/cryptography/fallback-bulk-encrypt.service.ts
@ -0,0 +1,33 @@
+import { BulkEncryptService } from "../../abstractions/bulk-encrypt.service";
+import { EncryptService } from "../../abstractions/encrypt.service";
+import { Decryptable } from "../../interfaces/decryptable.interface";
+import { InitializerMetadata } from "../../interfaces/initializer-metadata.interface";
+import { SymmetricCryptoKey } from "../../models/domain/symmetric-crypto-key";
+
+/**
+ * @deprecated For the feature flag from PM-4154, remove once feature is rolled out
+ */
+export class FallbackBulkEncryptService implements BulkEncryptService {
+  private featureFlagEncryptService: BulkEncryptService;
+
+  constructor(protected encryptService: EncryptService) {}
+
+  /**
+   * Decrypts items using a web worker if the environment supports it.
+   * Will fall back to the main thread if the window object is not available.
+   */
+  async decryptItems<T extends InitializerMetadata>(
+    items: Decryptable<T>[],
+    key: SymmetricCryptoKey,
+  ): Promise<T[]> {
+    if (this.featureFlagEncryptService != null) {
+      return await this.featureFlagEncryptService.decryptItems(items, key);
+    } else {
+      return await this.encryptService.decryptItems(items, key);
+    }
+  }
+
+  async setFeatureFlagEncryptService(featureFlagEncryptService: BulkEncryptService) {
+    this.featureFlagEncryptService = featureFlagEncryptService;
+  }
+}
--- a/libs/common/src/platform/services/cryptography/multithread-encrypt.service.implementation.ts
+++ b/libs/common/src/platform/services/cryptography/multithread-encrypt.service.implementation.ts
@ -12,6 +12,9 @@ import { getClassInitializer } from "./get-class-initializer";
 // TTL (time to live) is not strictly required but avoids tying up memory resources if inactive
 const workerTTL = 3 * 60000; // 3 minutes

+/**
+ * @deprecated Replaced by BulkEncryptionService (PM-4154)
+ */
 export class MultithreadEncryptServiceImplementation extends EncryptServiceImplementation {
  private worker: Worker;
  private timeout: any;
--- a/libs/common/src/vault/services/cipher.service.spec.ts
+++ b/libs/common/src/vault/services/cipher.service.spec.ts
@ -1,6 +1,8 @@
 import { mock } from "jest-mock-extended";
 import { BehaviorSubject, of } from "rxjs";

+import { BulkEncryptService } from "@bitwarden/common/platform/abstractions/bulk-encrypt.service";
+
 import { FakeAccountService, mockAccountServiceWith } from "../../../spec/fake-account-service";
 import { FakeStateProvider } from "../../../spec/fake-state-provider";
 import { makeStaticByteArray } from "../../../spec/utils";
@ -114,6 +116,7 @@ describe("Cipher Service", () => {
  const i18nService = mock<I18nService>();
  const searchService = mock<SearchService>();
  const encryptService = mock<EncryptService>();
+  const bulkEncryptService = mock<BulkEncryptService>();
  const configService = mock<ConfigService>();
  accountService = mockAccountServiceWith(mockUserId);
  const stateProvider = new FakeStateProvider(accountService);
@ -136,6 +139,7 @@ describe("Cipher Service", () => {
      stateService,
      autofillSettingsService,
      encryptService,
+      bulkEncryptService,
      cipherFileUploadService,
      configService,
      stateProvider,
--- a/libs/common/src/vault/services/cipher.service.ts
+++ b/libs/common/src/vault/services/cipher.service.ts
@ -1,6 +1,9 @@
 import { firstValueFrom, map, Observable, skipWhile, switchMap } from "rxjs";
 import { SemVer } from "semver";

+import { FeatureFlag } from "@bitwarden/common/enums/feature-flag.enum";
+import { BulkEncryptService } from "@bitwarden/common/platform/abstractions/bulk-encrypt.service";
+
 import { ApiService } from "../../abstractions/api.service";
 import { SearchService } from "../../abstractions/search.service";
 import { AutofillSettingsServiceAbstraction } from "../../autofill/services/autofill-settings.service";
@ -102,6 +105,7 @@ export class CipherService implements CipherServiceAbstraction {
    private stateService: StateService,
    private autofillSettingsService: AutofillSettingsServiceAbstraction,
    private encryptService: EncryptService,
+    private bulkEncryptService: BulkEncryptService,
    private cipherFileUploadService: CipherFileUploadService,
    private configService: ConfigService,
    private stateProvider: StateProvider,
@ -397,12 +401,19 @@ export class CipherService implements CipherServiceAbstraction {

    const decCiphers = (
      await Promise.all(
-        Object.entries(grouped).map(([orgId, groupedCiphers]) =>
-          this.encryptService.decryptItems(
+        Object.entries(grouped).map(async ([orgId, groupedCiphers]) => {
+          if (await this.configService.getFeatureFlag(FeatureFlag.PM4154_BulkEncryptionService)) {
+            return await this.bulkEncryptService.decryptItems(
              groupedCiphers,
              keys.orgKeys[orgId as OrganizationId] ?? keys.userKey,
-          ),
-        ),
+            );
+          } else {
+            return await this.encryptService.decryptItems(
+              groupedCiphers,
+              keys.orgKeys[orgId as OrganizationId] ?? keys.userKey,
+            );
+          }
+        }),
      )
    )
      .flat()
@ -515,7 +526,12 @@ export class CipherService implements CipherServiceAbstraction {

    const ciphers = response.data.map((cr) => new Cipher(new CipherData(cr)));
    const key = await this.cryptoService.getOrgKey(organizationId);
-    const decCiphers = await this.encryptService.decryptItems(ciphers, key);
+    let decCiphers: CipherView[] = [];
+    if (await this.configService.getFeatureFlag(FeatureFlag.PM4154_BulkEncryptionService)) {
+      decCiphers = await this.bulkEncryptService.decryptItems(ciphers, key);
+    } else {
+      decCiphers = await this.encryptService.decryptItems(ciphers, key);
+    }

    decCiphers.sort(this.getLocaleSortingFunction());
    return decCiphers;