On using bw list items I get a full JSON list of all my Bitwarden entries including the plain text “password” field
For performance I am stripping out the “password” fields from the retrieved data and store this information to re-use it
To avoid storing/logging/showing critical data on similar operations I would like to have a CLI flag like --hide-pw or --no-password, or even an option to specify what fields are retrieved anyway, like --fields name,id,uri, to only deal with the least necessary data
My workflow is:
check if stored json cache file is older than x
if older, re-fetch the data via bw list items, strip out passwords and overwrite json cache file
If user needs password, bw get password $ID is used by pulling $ID from the cached json data
Hopefully my workflow shows that I only want to deal with the password if necessary
You can filter the json output with jq. For example, to remove the password field from the listed items:
bw list items | jq 'map(del(.login.password))'
If you want to avoid storing/logging/showing critical data in cleartext, you probably should also filter out hidden custom fields (if your vault contains items with them).
This is what I’m already doing, in fact I even take all the JSON retrieved from bw list items and immediately (without storing) only filter out name, username and id
This brings performance and avoids accidentally storing secret data
But that’s exactly the reason why I think that I should not even have to care about if I leave all the critical stuff behind the CLI
Additionally this may speed up everything since from the very beginning the amount of data is drastically reduced
I only want to handle a password if really needed and not get a complete list retrieved with all of my passwords
At first I thought I will only get a password retrieved if I use explicitly bw get password, and I was very surprised to see all of my passwords in the response of bw list items
I’m not an expert on this but would have expected it differently
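The caching workflow discussed in this thread, as an added example that is not part of any post and is not Bitwarden's own code: it compares an allowlist projection (keep only id, name, username and URIs) with the del(.login.password) denylist, which still leaves hidden custom fields and other secrets in the cache. The sample JSON is constructed to resemble bw list items output, and the function names are hypothetical.

```python
import json, os, time

# Constructed sample shaped like `bw list items` output (all values are made up).
SAMPLE = json.dumps([
    {"id": "11111111-aaaa", "name": "Example Mail", "type": 1,
     "login": {"username": "alice", "password": "constructed-pw",
               "totp": "CONSTRUCTEDSEED", "uris": [{"uri": "https://mail.example.com"}]},
     "fields": [{"name": "recovery", "value": "constructed-secret", "type": 1}],
     "passwordHistory": [{"password": "older-constructed-pw"}]},
    {"id": "22222222-bbbb", "name": "Secure Note", "type": 2, "login": None,
     "notes": "constructed note text"},
])

def project(items):
    """Allowlist: copy only id, name, username and URIs; everything else is dropped."""
    out = []
    for it in items:
        login = it.get("login") or {}  # non-login items carry login = null
        out.append({"id": it["id"], "name": it.get("name"),
                    "username": login.get("username"),
                    "uris": [u.get("uri") for u in login.get("uris") or []]})
    return out

def denylist(items):
    """The del(.login.password) approach from the thread, for comparison."""
    out = json.loads(json.dumps(items))  # deep copy
    for it in out:
        if it.get("login"):
            it["login"].pop("password", None)
    return out

def is_stale(path, max_age_s, now=None):
    """True if the cache file is missing or older than max_age_s seconds."""
    try:
        current = time.time() if now is None else now
        return (current - os.path.getmtime(path)) > max_age_s
    except FileNotFoundError:
        return True

def write_cache(path, items):
    """Write the projected list; a newly created file gets mode 0600."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        json.dump(project(items), fh)
```

With this cache in place, bw get password $ID stays the only call that ever returns a password to the script.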