Skip to content

doy/rbw

Repository files navigation

rbw

This is an unofficial command line client for Bitwarden. Although it does come with its own command line client, this client is limited by being stateless - to use it, you're required to manually lock and unlock the client, and pass the temporary keys around in environment variables, which makes it very difficult to use. This client avoids this problem by maintaining a background process which is able to hold the keys in memory, similar to the way that ssh-agent or gpg-agent work. This allows the client to be used in a much simpler way, with the background agent taking care of maintaining the necessary state.

Maintenance

I consider rbw to be essentially feature-complete for me at this point. While I still use it on a daily basis, and will continue to fix regressions as they occur, I am unlikely to spend time implementing new features on my own. If you would like to see new functionality in rbw, I am more than happy to review and merge pull requests implementing those features.

Installation

Arch Linux

rbw is available in the extra repository. Alternatively, you can install rbw-git from the AUR, which will always build from the latest master commit.

Debian/Ubuntu

You can download a Debian package from https://git.tozt.net/rbw/releases/deb/ . The packages are signed by minisign, and can be verified using the public key RWTM0AZ5RpROOfAIWx1HvYQ6pw1+FKwN6526UFTKNImP/Hz3ynCFst3r.

Fedora/EPEL

rbw is available in Fedora and EPEL 9 (for RHEL and compatible distributions).

You can install it using sudo dnf install rbw.

Homebrew

rbw is available in the Homebrew repository. You can install it via brew install rbw.

Nix

rbw is available in the NixOS repository. You can try it out via nix-shell -p rbw.

Alpine

rbw is available in the testing repository. If you are not using the edge version of alpine you have to enable the repository manually.

Other

With a working Rust installation, rbw can be installed via cargo install --locked rbw. This requires that the pinentry program is installed (to display password prompts).

Configuration

Configuration options are set using the rbw config command. Available configuration options:

  • email: The email address to use as the account name when logging into the Bitwarden server. Required.
  • sso_id: The SSO organization ID. Defaults to regular login process if unset.
  • base_url: The URL of the Bitwarden server to use. Defaults to the official server at https://api.bitwarden.com/ if unset.
  • identity_url: The URL of the Bitwarden identity server to use. If unset, will use the /identity path on the configured base_url, or https://identity.bitwarden.com/ if no base_url is set.
  • ui_url: The URL of the Bitwarden UI to use. If unset, will default to https://vault.bitwarden.com/.
  • notifications_url: The URL of the Bitwarden notifications server to use. If unset, will use the /notifications path on the configured base_url, or https://notifications.bitwarden.com/ if no base_url is set.
  • lock_timeout: The number of seconds to keep the master keys in memory for before requiring the password to be entered again. Defaults to 3600 (one hour).
  • sync_interval: rbw will automatically sync the database from the server at an interval of this many seconds, while the agent is running. Setting this value to 0 disables this behavior. Defaults to 3600 (one hour).
  • pinentry: The pinentry executable to use. Defaults to pinentry.

Profiles

rbw supports different configuration profiles, which can be switched between by using the RBW_PROFILE environment variable. Setting it to a name (for example, RBW_PROFILE=work or RBW_PROFILE=personal) can be used to switch between several different vaults - each will use its own separate configuration, local vault, and agent.

Usage

Commands can generally be used directly, and will handle logging in or unlocking as necessary. For instance, running rbw ls will run rbw unlock to unlock the password database before generating the list of entries (but will not attempt to log in to the server), rbw sync will automatically run rbw login to log in to the server before downloading the password database (but will not unlock the database), and rbw add will do both.

Logging into the server and unlocking the database will only be done as necessary, so running rbw login when you are already logged in will do nothing, and similarly for rbw unlock. If necessary, you can explicitly log out by running rbw purge, and you can explicitly lock the database by running rbw lock or rbw stop-agent.

rbw help can be used to get more information about the available functionality.

Run rbw get <name> to get your passwords. If you also want to get the username or the note associated, you can use the flag --full. You can also use the flag --field={field} to get whatever default or custom field you want. The --raw flag will show the output as JSON. In addition to matching against the name, you can pass a UUID as the name to search for the entry with that id, or a URL to search for an entry with a matching website entry.

Note to users of the official Bitwarden server (at bitwarden.com): The official server has a tendency to detect command line traffic as bot traffic (see this issue for details). In order to use rbw with the official Bitwarden server, you will need to first run rbw register to register each device using rbw with the Bitwarden server. This will prompt you for your personal API key which you can find using the instructions here.

Related projects