Bitwarden

chezmoi includes support for Bitwarden using the Bitwarden CLI to expose data as a template function.

Log in to Bitwarden using a normal method

$ bw login $BITWARDEN_EMAIL # or
$ bw login --apikey # or
$ bw login --sso

If required, unlock your Bitwarden vault (API key and SSO logins always require an explicit unlock step):

$ bw unlock

Set the BW_SESSION environment variable, as instructed.

Bitwarden Session One-liner

The BW_SESSION value can be set directly. The exact combination differs based on whether you are currently logged into Bitwarden and how you log into Bitwarden.

$ # You are already logged in with any method
$ export BW_SESSION=$(bw unlock --raw)
$ # You are not logged in and log in with an email
$ export BW_SESSION=$(bw login $BITWARDEN_EMAIL --raw)
$ # You are not logged in and login with SSO or API key
$ export BW_SESSION=$(bw login --sso && bw unlock --raw)

The structured data from bw get is available as the bitwarden template function in your config files, for example:

username = {{ (bitwarden "item" "example.com").login.username }}
password = {{ (bitwarden "item" "example.com").login.password }}

Custom fields can be accessed with the bitwardenFields template function. For example, if you have a custom field named token you can retrieve its value with:

{{ (bitwardenFields "item" "example.com").token.value }}

Attachments can be accessed with the bitwardenAttachment and bitwardenAttachmentByRef template function. For example, if you have an attachment named id_rsa, you can retrieve its value with:

{{ bitwardenAttachment "id_rsa" "bf22e4b4-ae4a-4d1c-8c98-ac620004b628" }}

or

{{ bitwardenAttachmentByRef "id_rsa" "item" "example.com" }}