When using the Bitwarden CLI, all state is stored in the local data.json file, whose location is documented in Storage | Bitwarden Help Center.

When a user unlocks the Bitwarden CLI, one additional key, "__PROTECTED__<user_id>_user_auto": "<some_generated_data>", gets added to the local data.json file, and the user is presented with the BW_SESSION value as described in Password Manager CLI | Bitwarden Help Center. At this point the unlocked data.json file (the data.json file with the added "PROTECTED" key) together with the BW_SESSION value enable full read access to the local data.json vault secrets. You can copy this data.json file to another machine, set the same BW_SESSION value in the terminal, and read the data.json vault secrets.
After unlocking, the user is recommended to run export BW_SESSION=<session_key> to read the vault data without having to input additional passwords. By default this command gets stored to disk in ~/.bash_history, ~/.zsh_history, etc. This means that both the unlocked data.json file and the BW_SESSION value get stored to disk at some point by default.
This is somewhat mitigated when the user runs bw lock, which simply removes the "PROTECTED" key from the data.json file. But it is still very easy to unintentionally store both the unlocked data.json and the BW_SESSION value to disk permanently. Consider versioned backups: for many macOS Time Machine users, their backup disks will contain both BW_SESSION values and unlocked data.json files, which can be used to read the vault data without additional encryption. Malware writers and data exfiltrators can add data.json files and BW_SESSION strings to their priority extractions.
Users should be warned about these additional risks when using Bitwarden CLI.
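As an added example (not from the original post and not Bitwarden's own code), here is a small POSIX shell audit helper that searches a directory tree, such as a mounted backup volume, for the two artifacts described above: BW_SESSION assignments left in shell history files, and data.json copies that still carry the "__PROTECTED__<user_id>_user_auto" key and are therefore in the unlocked state. The directory layout, file contents and session value it builds are constructed for the demo; the real data.json location is the one documented in the Storage help article.

```shell
#!/bin/sh
# Audit helper (added example, not Bitwarden's code). Looks for the two
# artifacts the post describes:
#   1. BW_SESSION exports or assignments recorded in shell history files
#   2. data.json files that still contain a "__PROTECTED__<id>_user_auto" key,
#      i.e. unlocked copies that, together with BW_SESSION, are readable anywhere.
# All paths and file contents created by make_samples are constructed for the demo.

# Count history lines that export or assign BW_SESSION.
# Prints the count; exit status is 0 only when at least one match exists.
count_session_exports() {
    hist="$1"
    [ -f "$hist" ] || { echo 0; return 1; }
    n=$(grep -c 'BW_SESSION=' "$hist" || true)
    echo "$n"
    [ "$n" -gt 0 ]
}

# Exit 0 when the given data.json still carries the "__PROTECTED__..._user_auto"
# key that "bw unlock" adds and "bw lock" removes.
data_json_is_unlocked() {
    grep -q '"__PROTECTED__[^"]*_user_auto"' "$1"
}

# Walk a directory tree (for example a mounted backup) and print the path of
# every data.json that is still in the unlocked state, one per line.
find_unlocked_data_json() {
    find "$1" -type f -name data.json 2>/dev/null | while IFS= read -r f; do
        if data_json_is_unlocked "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Build a constructed sample "backup" under a temp directory and print its path.
# The directory names, history lines and JSON fragments are invented for the demo;
# the session key and generated data are placeholders, not real values.
make_samples() {
    d=$(mktemp -d)
    mkdir -p "$d/backup/home/.config/example-bw-cli" "$d/backup/home/other"
    # Constructed bash history: one export of a placeholder session key.
    printf '%s\n' 'ls -la' \
        'export BW_SESSION="EXAMPLE_SESSION_KEY_NOT_REAL"' \
        'bw lock' > "$d/backup/home/.bash_history"
    # Constructed zsh history with no session key at all.
    printf '%s\n' 'cd /tmp' 'ls' > "$d/backup/home/.zsh_history"
    # Constructed data.json fragment in the unlocked state (PROTECTED key present).
    printf '%s\n' '{' \
        '  "__PROTECTED__EXAMPLE-USER-ID_user_auto": "EXAMPLE_GENERATED_DATA",' \
        '  "keyHash": "EXAMPLE_HASH"' \
        '}' > "$d/backup/home/.config/example-bw-cli/data.json"
    # Constructed data.json fragment in the locked state (key removed by bw lock).
    printf '%s\n' '{' '  "keyHash": "EXAMPLE_HASH"' '}' > "$d/backup/home/other/data.json"
    echo "$d"
}

# Stand-alone run: build the samples, report what the audit finds, clean up.
if [ "${1:-}" = "--demo" ]; then
    root=$(make_samples)
    echo "BW_SESSION lines in .bash_history: $(count_session_exports "$root/backup/home/.bash_history" || true)"
    echo "Unlocked data.json copies:"
    find_unlocked_data_json "$root"
    rm -rf "$root"
fi
```

Point find_unlocked_data_json at a mounted Time Machine volume to see whether unlocked data.json copies have already been captured in versioned backups, and count_session_exports at each history file the shell writes. A separate mitigation for the history half of the problem, not mentioned in the post, is to pass the key through command substitution, export BW_SESSION="$(bw unlock --raw)", so that only the command text and not the session key literal is recorded; bw lock still has to be run to strip the PROTECTED key from data.json.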