CLI Session Key

Hi everybody.

Just testing out the CLI and wondered if there is a command to request the current session key?!

Can anybody help?


I got my hands on my session key while logging in, with bw login. The key is printed in the console. I guess it is a manual process to save such a key into an environmental variable for your shell.

Upon setting up the environmental variable for BW_SESSION properly in .bashrc (or .zshrc if one uses Zsh), there is no further need of 2FA or master password verification. The documentation was specifically vague for the implication of setting up such env_var for a good reason, as “is not well-suited for persisting on an unprotected disk.” Ref: Source paragraph from the Doc

Though, I have to admit the following console output is not intuitive to understand:

? Email address: [email protected]
? Master password: [hidden]
? Two-step login code: xxxxxx
You are logged in!

To unlock your vault, set your session key to the `BW_SESSION` environment variable. ex:
$ export BW_SESSION="And_a_long_long_SECRETE_session_key"

In PowerShell, you can pass the session key to a variable with some command like

$sessionkey=(bw login [username] --raw)

Cf. here.

I can get this to work for me with sync like

bw sync --session $sessionkey

But I’m having trouble using --session $sessionkey with the export command. No matter what I do, CLI keeps asking me to resupply the master password for the export.

Would there be any thoughts on getting --session $sessionkey to work with the export command?

I asked Bitwarden support that same question. According to them the “export” command doesn’t honor the --session option (or the equivalent environment variable) like all of the other commands. He claimed that’s an intentional feature. Apparently, they think that’s “a security measure”, and suggested I store the master password somewhere and pass that to the command instead. I find it very worrying that somebody from Bitwarden would suggest some something wildly insecure like that as a work-around for a bug they don’t want to fix.

This is not a bug and definitely a designed feature.

Just like the desktop UI, the CLI requires the master password to be passed to export even if you have an active session. This is a mitigation against the risk that a session is left active and logged in unintentionally. Allowing an attacker to use that to get hold of all your vault data. Same reason why most OS ask you to enter your current password again when you change your password even though you have already logged in.

As a customer I am very happy they have implemented this way. I would be concerned if you could export the entire vault without re-confirming you are authorised by re-entering the master password.

In case it helps, below is the script I use to export my vault for backup. The exported data is encrypted using openssl with vault master password. You must have Bash, Bitwarden CLI and openssl installed for this script to work.

export LC_CTYPE=C
export LC_ALL=C
echo -n "Enter account  : "
echo -n "Enter password : "
read -s BW_PASS
export BW_SESSION=$(bw login $BW_ACCOUNT $BW_PASS --raw)
TIMESTAMP=$(date "+%Y%m%d%H%M%S")
bw --raw export $BW_PASS --format json | openssl enc -aes-256-cbc -salt -k $BW_PASS -out $ENC_OUTPUT_FILE
bw logout > /dev/null
unset BW_PASS