This is an unofficial command line client for
Bitwarden. Although it does come with its own
command line client, this client is
limited by being stateless - to use it, you're required to manually lock and
unlock the client, and pass the temporary keys around in environment variables,
which makes it very difficult to use. This client avoids this problem by
maintaining a background process which is able to hold the keys in memory,
similar to the way that ssh-agent
or gpg-agent
work. This allows the client
to be used in a much simpler way, with the background agent taking care of
maintaining the necessary state.
I consider rbw
to be essentially feature-complete for me at this point. While
I still use it on a daily basis, and will continue to fix regressions as they
occur, I am unlikely to spend time implementing new features on my own. If you
would like to see new functionality in rbw
, I am more than happy to review
and merge pull requests implementing those features.
rbw
is available in the community
repository.
Alternatively, you can install
rbw-git
from the AUR, which
will always build from the latest master commit.
You can download a Debian package from
https://git.tozt.net/rbw/releases/deb/
. The packages are signed by
minisign
, and can be verified using
the public key RWTM0AZ5RpROOfAIWx1HvYQ6pw1+FKwN6526UFTKNImP/Hz3ynCFst3r
.
With a working Rust installation, rbw
can be installed via cargo install rbw
. This requires that the
pinentry
program is installed (to display password prompts).
Configuration options are set using the rbw config
command. Available
configuration options:
email
: The email address to use as the account name when logging into the Bitwarden server. Required.base_url
: The URL of the Bitwarden server to use. Defaults to the official server athttps://api.bitwarden.com/
if unset.identity_url
: The URL of the Bitwarden identity server to use. If unset, will use the/identity
path on the configuredbase_url
, orhttps://identity.bitwarden.com/
if nobase_url
is set.lock_timeout
: The number of seconds to keep the master keys in memory for before requiring the password to be entered again. Defaults to3600
(one hour).pinentry
: The pinentry executable to use. Defaults topinentry
.
Commands can generally be used directly, and will handle logging in or
unlocking as necessary. For instance, running rbw ls
will run rbw unlock
to
unlock the password database before generating the list of entries (but will
not attempt to log in to the server), rbw sync
will automatically run rbw login
to log in to the server before downloading the password database (but
will not unlock the database), and rbw add
will do both.
Logging into the server and unlocking the database will only be done as
necessary, so running rbw login
when you are already logged in will do
nothing, and similarly for rbw unlock
. If necessary, you can explicitly log
out by running rbw purge
, and you can explicitly lock the database by running
rbw lock
or rbw stop-agent
.
rbw help
can be used to get more information about the available
functionality.
Run rbw get <name>
to get your passwords. If you also want to get the username
or the note associated, you can use the flag --full
. You can also use the flag
--field={field}
to get whatever default or custom field you want. The --raw
flag will show the output as JSON.
Note to users of the official Bitwarden server (at bitwarden.com): The
official server has a tendency to detect command line traffic as bot traffic
(see this issue for details). In
order to use rbw
with the official Bitwarden server, you will need to first
run rbw register
to register each device using rbw
with the Bitwarden
server. This will prompt you for your personal API key which you can find using
the instructions here.