Home
Welcome to the cryptomator-bitwarden wiki!
The plug-in is feature complete.
cryptomator-bitwarden is a plug-in that extends the functionality of Cryptomator. With this plug-in configured, Cryptomator can use Bitwarden Secrets Manager as a backend to store and retrieve passwords for vaults:
Updated versions of cryptomator-bitwarden are published as releases in this same GitHub repository.
Below each release, in the Assets section, there is a jar-file called cryptomator-bitwarden-RELEASE_TAG.jar that is the ready-to-use plug-in.
Releases follow the release cycle of the Bitwarden SDK.
The following is required to use the plug-in:
- Cryptomator's
pluginDiris available since release 1.6.0 Beta 2. - You need to set up a Service Account in the Bitwarden Secrets Manager.
- To configure and enable the plug-in for Cryptomator, you need to provide two environment variables, that let the plug-in login to Bitwarden Secrets Manager. See below.
The jar-file cryptomator-bitwarden-RELEASE_TAG.jar needs to be copied to Cryptomator. The default values for the pluginDir on an unchanged Crytomator installation on the different operating systems are:
| OS | Default Dir |
|---|---|
| Mac | ~/Library/Application Support/Cryptomator/Plugins |
| Linux | ~/.local/share/Cryptomator/plugins |
| Windows | %homepath%\AppData\Roaming\Cryptomator\Plugins |
Two environment variables are needed to configure and enable the plug-in:
| Var | Hints |
|---|---|
| BITWARDEN_ACCESS_TOKEN | Generate it in your Bitwarden Service Account |
| BITWARDEN_ORGANIZATION_ID | Create a new organization for your Bitwarden Account. The organization id is visible as part of the URL, when you click on the organization |
Optionally, starting with release 1.0.1 of the plug-in, you can configure the plug-in to use the Bitwarden Secrets Manager API and identity endpoints within the EU. Available endpoints are:
| Endpoints |
|---|
| US("https://api.bitwarden.com", "https://identity.bitwarden.com") |
| EU("https://api.bitwarden.eu", "https://identity.bitwarden.eu") |
To use the EU endpoints, you need to provide two additional environment variables with the given values:
| Var | Value |
|---|---|
| BITWARDEN_API_URL | https://api.bitwarden.eu |
| BITWARDEN_IDENTITY_URL | https://identity.bitwarden.eu |
When you omit these or do not provide these exactly as described above, the US endpoints are used as a fall back.
After starting Cryptomator, the new password backend can be choosen on the General tab of the Cryptomator preferences as shown in the screenshot above.
A note on how Cryptomator enables password backends (the cryptomator-bitwarden plug-in is one of them) on statup: Cryptomator checks on startup, what backends are available. Every available backend gets configured and will show up in the prefs dialog. If it's not there, Cryptomator hadn't configured it and won't be able to use it.
Plug-in releases are signed. It is wise and more secure to check out for their integrity.
You can check that the version of the cryptomator-bitwarden plug-in that you want to install is original and unmodified by verifying the file's signature.
For example, to check the signature of the file cryptomator-bitwarden-1.0.1.jar, you can use this command:
$ gpg --verify cryptomator-bitwarden-1.0.1.jar.asc cryptomator-bitwarden-1.0.1.jar
You should see something like the following output:
gpg: Signature made Thu May 8 08:39:10 2025 CEST
gpg: using RSA key 54CF8E1F55CE7E977A0E41895BFB2076ABC48776
gpg: Good signature from "Ralph Plawetzki <[email protected]>" [unknown]