ulauncher-bitwarden
A Ulauncher extension to search your Bitwarden vault and copy passwords to the clipboard.
Features
- Quickly search through the database entries by name, and copy passwords/usernames/URLs/TOTPs to the clipboard
- Works also with self hosted Bitwarden servers.
- Support vaults with a passphrase also with MFA codes. The extension does not keep the password in the memory. It rather uses SessionID generated by the Bitwarden CLI client.
Requirements
- Install a recent version of Bitwarden CLI
- Make sure you can execute
bwin a terminal
Installation
Open Ulauncher preferences window -> Extensions -> "Add extension" and paste the following url:
https://github.com/kbialek/ulauncher-bitwardenConfiguration
Bitwarden Server UrlUser e-mail addressEnable MFA login- if you use MFA authentication with your Bitwarden account selectyes, otherwise leavenoInactivity lock timeout- forces you to re-enter the passphrase after you haven't used the extension for a while. By default it's set to 300 seconds (5 minutes). If you'd rather not re-enter it, you can set the value to 0, but that's probably not a great idea. NOTE: The cached passphrase is only stored in memory, so you'll need to re-enter it if you reboot your computer or restart Ulauncher.Session store command- optional command called after successful login or unlock. Bitwarden session key is passed over stdin. You can use it to run a command which will store session key in "some" secure location, and later read the session key when directly callingbwin the cli. It's totally up to you how and where you will store the session key.
Usage
Open Ulauncher and type in "bw " to start the extension. If your password database is locked with a passphrase, it'll ask you to enter it:
Once unlocked, search the database for "mail" logins:
Look at the GMail entry:
Exporting Session Key
The extension keeps the session key in memory. This is a problem when one wants to use bw directly from the
command line. Vault must be unlocked and bw-cli creates a new session key and at this same time invalidates
the session key stored by the extension.
To overcome this problem the extension is now able to export the session key after a successful login or unlock. Please keep in mind, that this weakens your vault's security, as the session key is easier to intercept when it's stored outside of the extension memory.
Exporting session key into a file
I do not recommend this solution because it leaves valid session key in the file until vault is explicitly locked.
To store session key in a file use the following script.
#!/bin/bash
BW_SESSION_FILE=$HOME/.bw-session
touch $BW_SESSION_FILE
chmod 600 $BW_SESSION_FILE
cat /dev/stdin > $BW_SESSION_FILESession store command property must be set to absolute path of the script.
Now you can use it in the command line
export BW_SESSION=$(cat ~/.bw-session)
bw list itemsExporting session key into Kernel Key Management
Linux kernel comes with key management facility, that can be used to store user secrets. For more details read this page.
To store session key in the kernel memory use this script.
File $HOME/bin/bw-store-session
#!/bin/bash
BW_SESSION_FILE=$HOME/.bw-session
touch $BW_SESSION_FILE
chmod 600 $BW_SESSION_FILE
KEY_ID=$(cat /dev/stdin | keyctl padd user bw-session @u)
keyctl timeout $KEY_ID 36000
echo $KEY_ID > $BW_SESSION_FILEPlease note that it sets key timeout, therefore the key will expire, which is great from security perspective.
Key ID will be stored in $HOME/.bw-session file.
Session store command property must be set to absolute path of the script.
We need one more script to read the key from the kernel memory.
File $HOME/bin/bw-read-session
#!/bin/bash
BW_SESSION_FILE=$HOME/.bw-session
KEY_ID=$(cat $BW_SESSION_FILE)
keyctl print $KEY_IDNow you can easily read the session key into an environment variable
export BW_SESSION=$(bw-read-session)Inspiration and thanks
This is a fork of well crafted ulauncher-keepassxc extension. Thank you @pbkhrv!