This is an unofficial command line client for
Bitwarden. Although it does come with its own
command line client, this client is
limited by being stateless - to use it, you're required to manually lock and
unlock the client, and pass the temporary keys around in environment variables,
which makes it very difficult to use. This client avoids this problem by
maintaining a background process which is able to hold the keys in memory,
similar to the way that ssh-agent
or gpg-agent
work. This allows the client
to be used in a much simpler way, with the background agent taking care of
maintaining the necessary state.
I consider rbw
to be essentially feature-complete for me at this point. While
I still use it on a daily basis, and will continue to fix regressions as they
occur, I am unlikely to spend time implementing new features on my own. If you
would like to see new functionality in rbw
, I am more than happy to review
and merge pull requests implementing those features.
rbw
is available in the extra
repository.
Alternatively, you can install
rbw-git
from the AUR, which
will always build from the latest master commit.
You can download a Debian package from
https://git.tozt.net/rbw/releases/deb/
. The packages are signed by
minisign
, and can be verified using
the public key RWTM0AZ5RpROOfAIWx1HvYQ6pw1+FKwN6526UFTKNImP/Hz3ynCFst3r
.
rbw
is available in the Homebrew repository. You can install it via brew install rbw
.
rbw
is available in the
NixOS repository. You can try
it out via nix-shell -p rbw
.
rbw
is available in the testing repository.
If you are not using the edge
version of alpine you have to enable the repository manually.
With a working Rust installation, rbw
can be installed via cargo install --locked rbw
. This requires that the
pinentry
program is installed (to display password prompts).
Configuration options are set using the rbw config
command. Available
configuration options:
email
: The email address to use as the account name when logging into the
Bitwarden server. Required.sso_id
: The SSO organization ID. Defaults to regular login process if unset.base_url
: The URL of the Bitwarden server to use. Defaults to the official
server at https://api.bitwarden.com/
if unset.identity_url
: The URL of the Bitwarden identity server to use. If unset,
will use the /identity
path on the configured base_url
, or
https://identity.bitwarden.com/
if no base_url
is set.ui_url
: The URL of the Bitwarden UI to use. If unset,
will default to https://vault.bitwarden.com/
.notifications_url
: The URL of the Bitwarden notifications server to use.
If unset, will use the /notifications
path on the configured base_url
,
or https://notifications.bitwarden.com/
if no base_url
is set.lock_timeout
: The number of seconds to keep the master keys in memory for
before requiring the password to be entered again. Defaults to 3600
(one
hour).sync_interval
: rbw
will automatically sync the database from the server
at an interval of this many seconds, while the agent is running. Setting
this value to 0
disables this behavior. Defaults to 3600
(one hour).pinentry
: The
pinentry
executable to use. Defaults to pinentry
.rbw
supports different configuration profiles, which can be switched
between by using the RBW_PROFILE
environment variable. Setting it to a name
(for example, RBW_PROFILE=work
or RBW_PROFILE=personal
) can be used to
switch between several different vaults - each will use its own separate
configuration, local vault, and agent.
Commands can generally be used directly, and will handle logging in or
unlocking as necessary. For instance, running rbw ls
will run rbw unlock
to
unlock the password database before generating the list of entries (but will
not attempt to log in to the server), rbw sync
will automatically run rbw login
to log in to the server before downloading the password database (but
will not unlock the database), and rbw add
will do both.
Logging into the server and unlocking the database will only be done as
necessary, so running rbw login
when you are already logged in will do
nothing, and similarly for rbw unlock
. If necessary, you can explicitly log
out by running rbw purge
, and you can explicitly lock the database by running
rbw lock
or rbw stop-agent
.
rbw help
can be used to get more information about the available
functionality.
Run rbw get <name>
to get your passwords. If you also want to get the username
or the note associated, you can use the flag --full
. You can also use the flag
--field={field}
to get whatever default or custom field you want. The --raw
flag will show the output as JSON. In addition to matching against the name,
you can pass a UUID as the name to search for the entry with that id, or a
URL to search for an entry with a matching website entry.
Note to users of the official Bitwarden server (at bitwarden.com): The
official server has a tendency to detect command line traffic as bot traffic
(see this issue for details). In
order to use rbw
with the official Bitwarden server, you will need to first
run rbw register
to register each device using rbw
with the Bitwarden
server. This will prompt you for your personal API key which you can find using
the instructions here.