
Bitwarden CLI: password management from the terminal and CI/CD automation

Published on 2026-06-02

In the previous article we deployed our own Vaultwarden server. Today we look at how to work with it from the console and integrate it into automation.

Bitwarden CLI (the bw utility) is the official open-source command-line tool. It lets you look up credentials right in the terminal and securely pass secrets into scripts and pipelines (GitHub Actions, GitLab CI, etc.). It is completely free and compatible with self-hosted Vaultwarden.


1. Installation

```bash
# Via NPM (any OS)
npm install -g @bitwarden/cli

# macOS
brew install bitwarden-cli

# Linux (Ubuntu/Debian)
sudo snap install bw
```

Check:

```bash
bw --version
```

2. Connecting to your server

By default the CLI points to the Bitwarden cloud. Switch to Vaultwarden:

```bash
bw config server https://vault.yourdomain.com
```

3. Authentication: two scenarios

Scenario A: Interactive login (personal PC)

```bash
bw login
```

Scenario B: Non-interactive login (CI/CD)

Generate API keys in the web interface: Account Settings → Security → API Keys, then:

```bash
export BW_CLIENTID="user.xxxxx-xxxx-xxxx"
export BW_CLIENTSECRET="xxxxxxxxxxxxxx"

bw login --apikey
```

4. Unlocking the vault and BW_SESSION

bw login only authenticates to the server; the vault data is still encrypted. To decrypt it:

```bash
bw unlock
```

The system will return a session token:

```bash
export BW_SESSION="AI39...=="
```

Copy and execute that line. While the $BW_SESSION variable is set, the utility decrypts passwords locally in memory without asking for the master password for every command.

In scripts, do it in one line:

```bash
export BW_SESSION=$(bw unlock --passwordenv BW_PASSWORD --raw)
```

5. Basic commands

| Task | Command |
|---|---|
| Search item | bw list items --search "github" |
| Get password | bw get password "github" |
| Get username | bw get username "github" |
| TOTP code (2FA) | bw get totp "github" |
| Entire item | bw get item <ID> |

Copy password to clipboard (Linux):

```bash
bw get password github | xclip -selection clipboard
```

6. CI/CD script template

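```bash
#!/usr/bin/env bash
set -euo pipefail

# Log out even if a step below fails
trap 'bw logout >/dev/null 2>&1 || true' EXIT

# 1. Server address
bw config server https://vault.yourdomain.com

# 2. Login with API keys (BW_CLIENTID and BW_CLIENTSECRET are set in CI environment variables)
bw login --apikey

# 3. Unlock (assign first, then export, so a failed unlock stops the script)
BW_SESSION=$(bw unlock --passwordenv BW_PASSWORD --raw)
export BW_SESSION

# 4. Get secret by item ID
# Find ID beforehand: bw list items --search "my-db"
DB_PASS=$(bw get item "8a562df1-443b-4892-baee-b123456789ab" | jq -r '.login.password')

echo "Starting deployment..."
# Note: command-line arguments are visible in the process list;
# pass the secret via the environment if deploy.sh allows it.
# ./deploy.sh --pass="$DB_PASS"

# 5. End the session
trap - EXIT
bw logout
```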

Security guidelines

  1. Do not store BW_SESSION on disk — only in the memory of the current session or CI/CD process.
  2. Always call bw logout at the end of scripts — it clears local encrypted caches.
  3. Mask output in CI/CD — use secret-masking mechanisms (::add-mask:: in GitHub Actions) so passwords don’t appear in public logs.
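
The section 6 flow with the three guidelines above built in, as an added example that is not code from the original article: the secret is masked line by line before use, handed to the deploy command through the environment, and the session is closed on every exit path. The function names (mask_secret, vault_close, fetch_and_run, run_with_secret) are hypothetical; the script assumes bw config server has already been run and that BW_CLIENTID, BW_CLIENTSECRET and BW_PASSWORD are CI secrets.

```bash
#!/usr/bin/env bash
# Added example with hypothetical function names.
# Usage: ./with-secret.sh ITEM_ID CMD [ARGS...]
set -eu

# Register every non-empty line of a secret with the GitHub Actions log masker.
# Workflow commands are single-line, so a multi-line secret needs one per line.
mask_secret() {
  printf '%s\n' "$1" | while IFS= read -r line; do
    if [ -n "$line" ]; then printf '::add-mask::%s\n' "$line"; fi
  done
}

# Drop the session key from the environment and log out (guidelines 1 and 2).
vault_close() {
  unset BW_SESSION
  bw logout >/dev/null 2>&1 || true
}

# Log in, unlock, fetch and mask, then run CMD with the password in DB_PASS.
fetch_and_run() {
  item_id=$1; shift
  bw login --apikey >/dev/null || return 1
  BW_SESSION=$(bw unlock --passwordenv BW_PASSWORD --raw) || return 1
  export BW_SESSION
  secret=$(bw get password "$item_id") || return 1
  if [ -z "$secret" ]; then echo "empty secret: $item_id" >&2; return 1; fi
  mask_secret "$secret"          # mask before anything can echo the value
  # Subshell: DB_PASS reaches CMD via the environment, never argv, and
  # does not persist in the calling shell.
  ( DB_PASS=$secret; export DB_PASS; "$@" )
}

# run_with_secret ITEM_ID CMD [ARGS...]: always logs out, keeps CMD's status.
run_with_secret() {
  rc=0
  trap vault_close EXIT          # covers the shell exiting before cleanup
  fetch_and_run "$@" || rc=$?
  unset secret
  vault_close
  trap - EXIT
  return "$rc"
}

if [ "$#" -gt 0 ]; then run_with_secret "$@"; fi
```

In a pipeline this would be called as ./with-secret.sh ITEM_ID ./deploy.sh, with deploy.sh reading DB_PASS from its environment.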

Conclusion

Bitwarden CLI turns Vaultwarden into a full-fledged secrets store for infrastructure. No more hardcoding passwords in config files and Git repositories.

If Vaultwarden isn’t deployed yet, start with the previous article: Vaultwarden in 30 minutes.
