Bitwarden Directory Connector accept passwords from files or environment variables

Feature name

Bitwarden Directory Connector accept passwords from files or environment variables

Feature function

Bitwarden Directory Connector currently accepts passwords only interactively or on the command line. Interactive input is not always possible (for example in automated systems), and passing the value on the command line is insecure, since it is then visible to every other process on the same host through a process listing. Most programs that take secrets as input solve this by allowing the password to be read from a file, which can be protected with appropriate permissions, or from an environment variable, which can be set programmatically so that the value is not revealed in a process listing.

Related topics + references

There is already a PR that implements minimal changes to accomplish this: Add options for giving passwords and secrets as file contents or in an environment variable by psiniemi · Pull Request #82 · bitwarden/directory-connector · GitHub

Corresponding changes already merged to jslib in May: Enable alternative ways for settings passwords by psiniemi · Pull Request #101 · bitwarden/jslib · GitHub

For background: we run this hourly on our CI server and have done so, including this feature, since May. We have the secrets for Azure and Bitwarden stored in AWS Secrets Manager, and without this feature we would have to reveal the passwords to all other processes on the same host, which, since this is a CI server, are numerous. If any of those processes were to be compromised, it could lead to all of our user data and secrets being compromised.