Bitwarden CLI: You cannot lock your vault because you are using Key Connector. To protect your vault, you have been logged out

Hi,

I’ve been using Bitwarden CLI (on Linux) for a couple of weeks. It works great and it’s a great piece of software, thanks for it!

There’s one little thing that I’ve been unable to grasp: I’m using a Session Key that I use with the BW_SESSION environment variable.

When I issue a bw lock it always gives me this message:

You cannot lock your vault because you are using Key Connector. To protect your vault, you have been logged out.

And I’m, effectively, logged out.

What does that mean? Is there any recommended way to lock the CLI session? (Perhaps there’s something that I don’t fully understand yet; I’m fairly new to Bitwarden.)

I’ve been searching about this but I’ve not been able to find anything useful to me. This “Key Connector” is supposed to be about SSO Login, but I’m logging in with master password + second step auth (or with API Key, which I also tried out).

Thanks in advance!

1 Like

If you have saved your session key to an environment variable, this key is used to decrypt your vault to access items within - this happens automatically on any bw command. To lock your vault, you would need to delete that environment variable first.

e.g., on Linux:
unset BW_SESSION

e.g., on Windows:
set BW_SESSION=

Terminating your shell session and restarting a new one will have the same effect, assuming that you exported the BW_SESSION variable within a session (i.e., you did not add it to your shell profile).

Not sure why it refers to the “Key Connector” though. I am pretty sure it is referring to a session key.

1 Like

That is what I suspected, but wasn’t sure.

OK, that makes more sense to me now.

Thank you!!

Now that I think a bit more about this (and, please, excuse me if what I’m about to say doesn’t make any sense).

Unsetting the BW_SESSION variable indeed does “lock” the vault as it “forgets” the key which encrypts the data contained in it.

However, the value of that BW_SESSION variable could end up saved somewhere in the system (if one decides to save it in a shell profile, or it gets (accidentally or not) written to a command history file, for example).

I think it would be useful if bw lock rotated the Session Key (encrypting the vault with this new one) and this new Session Key wasn’t passed in any way to the user.

This way, you would end up with a still locked vault, but with a key that hasn’t been able to be saved anywhere in the system.

And when you needed to unlock the vault to access it, a bw unlock would generate a new Session Key without the need to provide the second auth step (which is the point of locking the vault instead of logging it out).

Does this make sense?

Thanks again!

I believe this is the behaviour if you manually lock the vault with the command bw lock after you have removed the BW_SESSION variable. Try this to see (it works for me):

bw unlock
export BW_SESSION="xxxxxxxxxxxxxxxxxx" #use your session key here
bw list folders #should not prompt for authentication
unset BW_SESSION
bw lock
export BW_SESSION="xxxxxxxxxxxxxxxxxx" #use the same session key you used above
bw list folders  # this time, you should be prompted to authenticate, meaning the session key has expired

It does not for me, it logs me out with the message in the OP:

$ echo $BW_SESSION

$ bw status | jq -r '.status'
locked
$ bw lock
You cannot lock your vault because you are using Key Connector. To protect your vault, you have been logged out.

bw lock always logs me out with that message. Regardless of the value of BW_SESSION.

By the way I’m using 1.20.0 version (which, I believe, is the latest one):

$ bw -v
1.20.0
$ bw update
No update available.

Interesting - for me, if I remove the BW_SESSION variable, I of course get prompted for authentication, but if I later set the session variable to the old key, it works just fine. But if I lock the vault (with bw lock), the key no longer works. So it seems that it is necessary to execute the lock command to force the key to expire.

I did notice that I am on version 1.18 of the CLI. I won’t get a chance to do it right away, but tonight I will update to the same version as you and see if I get the same error. And admittedly, I was running this on my Mac, so maybe I will try it on my Linux box as well. Cheers!

2 Likes

I gave it a shot on bw version 1.20, and now I get the same error as you @kpiris. So it may be a bug.

I was about to submit a bug report to Bitwarden, but I see someone beat me to it:

1 Like

Just want to confirm that I am facing the same issue (@dh024: I will also add to your bug report).

FYI: This used to work for me. I logged in once (master password + 2 factor in my case) and then this script only asked for the master password to unlock:

#!/bin/bash
MY_ITEM_ID=42424242-4242......

# Unlock (prompts for the master password) and keep the session key for the call below
export BW_SESSION=$(bw unlock --raw)
VPN_PW=$(bw get password "$MY_ITEM_ID")
bw lock

# do something with VPN_PW

When executing this on 1.20.0, the call to bw lock logs me out with the mentioned error message:

You cannot lock your vault because you are using Key Connector. To protect your vault, you have been logged out.

This in turn leads to my script not functioning as expected anymore 😉
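
An added example, not part of any post in this thread and not Bitwarden's code: one way to address both the history/profile concern raised earlier and the script above, by never exporting the session key and by checking files for a persisted one. It uses only `bw unlock --raw`, `bw get password` and `BW_SESSION` as they appear in the thread; the function names `bw_get_password` and `bw_session_leaks` are hypothetical.

```bash
#!/bin/sh
# Added example (not from the thread). Assumes `bw` is on PATH and logged in.

# Fetch one password while the session key lives only in a function-local
# variable: it is never exported into the calling shell and never typed on a
# command line, so it cannot land in shell history or a profile.
bw_get_password() {
    local item_id="$1" session
    # `bw unlock --raw` prompts for the master password and prints only the key.
    session=$(bw unlock --raw) || return 1
    # The VAR=value prefix places the key in the environment of this one
    # child process; the calling shell's BW_SESSION stays unset.
    BW_SESSION="$session" bw get password "$item_id"
}

# Report file:line for every place a literal session key value was persisted
# (shell profiles, history files). Assignments from a command substitution
# such as BW_SESSION=$(bw unlock --raw) are not flagged, since they store no key.
# Only the location is printed, never the key. Returns 1 when nothing is found.
bw_session_leaks() {
    local hits
    hits=$(grep -nHE "BW_SESSION=[\"']?[A-Za-z0-9+/]" "$@" 2>/dev/null || true)
    [ -n "$hits" ] || return 1
    printf '%s\n' "$hits" | cut -d: -f1,2
}
```

Typical use is `VPN_PW=$(bw_get_password "$MY_ITEM_ID")` followed by `bw_session_leaks ~/.bashrc ~/.bash_history ~/.profile`; because nothing is exported, there is no key left in the shell to lock away afterwards.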