This is an unofficial command line client for Bitwarden. Although Bitwarden does come with its own command line client, it is limited by being stateless - to use it, you're required to manually lock and unlock the client, and pass the temporary keys around in environment variables, which makes it very difficult to use. rbw avoids this problem by maintaining a background process which is able to hold the keys in memory, similar to the way that ssh-agent or gpg-agent work. This allows the client to be used in a much simpler way, with the background agent taking care of maintaining the necessary state.

Since the original developer of this project has not been active in the last months, I took the project and heavily refactored it.

There were all the signs of a project that grew over time without chance to receive some maintenance.

Around 20%-30% of program's logic was duplicated. There was no clear separation of concerns, etc. Now it's not perfect of course but I will work towards making it easily auditable and maintainable.

I don't blame the author as this is all free time and unpaid labor, and on top of that, he actually provided the community with a great tool.

NOTE: This fork has not 100% error messages backwards compatibility. Some of them have changed.

I couldn't do anything about it, as it was way easier to do things this way. However it should not impact any actual tool built on rbw, but beware, the bug is behind the corner!

Oh and there also is my confirm ssh feature baked in the code, which is totally optional.

I DO NOT consider rbw to be essentially feature-complete, BUT in this first phase I will accept PRs that fix bugs or enhance code readability.

The first big elephant in the room to address is the fact that the client should read no DB and therefore all search/get/etc. operations must be performed by the daemon, while the protocol must provide such "opcodes" to do it.

The rest of this README is untouched from the original's, so if you install rbw from repositories, you will not install this version but the older one. Same for the listed tools.

I am working to get this new version in the repositories, but it's not immediate.

rbw is available in the extra repository. Alternatively, you can install rbw-git from the AUR, which will always build from the latest master commit.

rbw is officially packaged for Debian as rust-rbw and is available in testing (forky). You can install it using sudo apt install rbw.

Alternatively, you can download a Debian package from https://git.tozt.net/rbw/releases/deb/ . The packages are signed by minisign, and can be verified using the public key RWTM0AZ5RpROOfAIWx1HvYQ6pw1+FKwN6526UFTKNImP/Hz3ynCFst3r.

rbw is available in Fedora and EPEL 9 (for RHEL and compatible distributions).

You can install it using sudo dnf install rbw.

rbw is available in the Homebrew repository. You can install it via brew install rbw.

rbw is available in the NixOS repository. You can try it out via nix-shell -p rbw.

rbw is available in the community repository. You can install it with apk add rbw.

With a working Rust installation, rbw can be installed via cargo install --locked rbw. This requires that the pinentry program is installed (to display password prompts).

Configuration options are set using the rbw config command. Available configuration options:

• email: The email address to use as the account name when logging into the Bitwarden server. Required.
• sso_id: The SSO organization ID. Defaults to regular login process if unset.
• base_url: The URL of the Bitwarden server to use. Defaults to the official server at https://api.bitwarden.com/ if unset.
• identity_url: The URL of the Bitwarden identity server to use. If unset, will use the /identity path on the configured base_url, or https://identity.bitwarden.com/ if no base_url is set.
• ui_url: The URL of the Bitwarden UI to use. If unset, will default to https://vault.bitwarden.com/.
• notifications_url: The URL of the Bitwarden notifications server to use. If unset, will use the /notifications path on the configured base_url, or https://notifications.bitwarden.com/ if no base_url is set.
• lock_timeout: The number of seconds to keep the master keys in memory for before requiring the password to be entered again. Defaults to 3600 (one hour).
• sync_interval: rbw will automatically sync the database from the server at an interval of this many seconds, while the agent is running. Setting this value to 0 disables this behavior. Defaults to 3600 (one hour).
• pinentry: The pinentry executable to use. Defaults to pinentry.
• confirm_ssh: If set to true will ask for confirmation for SSH signature requests. If unset defaults to not asking.

rbw supports different configuration profiles, which can be switched between by using the RBW_PROFILE environment variable. Setting it to a name (for example, RBW_PROFILE=work or RBW_PROFILE=personal) can be used to switch between several different vaults - each will use its own separate configuration, local vault, and agent.

Commands can generally be used directly, and will handle logging in or unlocking as necessary. For instance, running rbw ls will run rbw unlock to unlock the password database before generating the list of entries (but will not attempt to log in to the server), rbw sync will automatically run rbw login to log in to the server before downloading the password database (but will not unlock the database), and rbw add will do both.

Logging into the server and unlocking the database will only be done as necessary, so running rbw login when you are already logged in will do nothing, and similarly for rbw unlock. If necessary, you can explicitly log out by running rbw purge, and you can explicitly lock the database by running rbw lock or rbw stop-agent.

rbw help can be used to get more information about the available functionality.

Run rbw get <name> to get your passwords. If you also want to get the username or the note associated, you can use the flag --full. You can also use the flag --field={field} to get whatever default or custom field you want. The --raw flag will show the output as JSON. In addition to matching against the name, you can pass a UUID as the name to search for the entry with that id, or a URL to search for an entry with a matching website entry.

Note to users of the official Bitwarden server (at bitwarden.com): The official server has a tendency to detect command line traffic as bot traffic (see this issue for details). In order to use rbw with the official Bitwarden server, you will need to first run rbw register to register each device using rbw with the Bitwarden server. This will prompt you for your personal API key which you can find using the instructions here.

rbw-agent includes a built-in SSH agent for signing SSH authentication challenges directly. To use it, ensure that rbw is running (in order to make it start handling ssh agent requests), and then point your SSH client to the SSH agent socket:

rbw unlock
export SSH_AUTH_SOCK="$XDG_RUNTIME_DIR/rbw/ssh-agent-socket"

If you're using a profile, the socket will be located at "XDG_RUNTIME_DIR/rbw-<profile>/ssh-agent-socket".

rbw supports the following 2FA mechanisms :

• Email
• Authenticator App
• Yubico OTP security key (https://support.yubico.com/hc/en-us/articles/360013712639-Testing-Yubico-OTP)

WebAuthn / Passkey and Duo security are unsupported 2FA mechanisms.

If you use only unsupported 2FA mechanism, you need to add a supported 2FA mechanism on your bitwarden account to use rbw. It allows you to use rbw with a supported mechanism, and use other clients with you preferred 2FA mechanism.

• rofi-rbw: A rofi frontend for Bitwarden
• bw-ssh: Manage SSH key passphrases in Bitwarden
• rbw-menu: Tiny menu picker for rbw
• ulauncher-rbw: Ulauncher rbw extension
• fuzzel-rbw: A fuzzel frontend for Bitwarden