I recently switched from KeePass to Bitwarden and I’m trying to recreate a workflow I previously used.
With KeePass + KPScript, I had a PowerShell script that automatically retrieved the password for a VeraCrypt container and mounted it. During this workflow, KeePass asked me to enter my master password to unlock the database, and afterwards fetched the necessary secret.
Now I’m using Bitwarden, and I see that the Bitwarden CLI (bw) could theoretically be used for something similar. However, it requires logging in with the Bitwarden master password. I intentionally chose a very long and complex master password that I cannot memorize, so entering it manually in a script or storing it somewhere defeats the purpose.
What I would like to achieve is roughly this:
Run a PowerShell script
Retrieve the VeraCrypt container password from Bitwarden
Automatically mount the container
Bitwarden vault shall not be unlocked all the time
I want some sort of mechanism that requires my presence before temporarily unlocking my vault, e.g. some sort of PIN.
Ideally without needing to manually enter the Bitwarden master password every time. The only more or less feasible approach seems to be using the --passwordfile option (see here) - but to be honest, I don’t feel well with my master password lying around.
I’m curious how others handle similar workflows.
Questions:
Has anyone implemented an automated workflow like this with Bitwarden?
Are there recommended approaches for securely using the Bitwarden CLI in scripts?
Is there a common pattern for unlocking the vault in automation scenarios?
Any ideas or experiences would be greatly appreciated. Thanks!
There are a few options for logging in, but if you do not feel comfortable storing your master password on your hard drive, you probably also ought not feel comfortable storing an API key on the hard drive.
Consider what you are asking. You would like a script to be able to decrypt your vault without your presence. All by itself this creates a risk that another script, perhaps provided by a malicious party, could do the same if installed next to your script.
The way my colleagues and I work around this is to have a dedicated PC for privileged operations that is only accessible from specific locations, that requires MFA to login to the server, and that we nearly never run web browsers on (the exception being software install/updates).
My bad, I forgot to mention that in my initial post - I’ve added this piece of information: of course, I do not want the script to unlock my vault completely on its own. Instead, I’d like to enter some PIN, etc. to temporarily unlock my vault so that it can fetch the secret.
Which part of this work flow is the most important to automate? Would the auto-type feature (which is actively being developed, and will hopefully be released soon) provide an alternative option for achieving the same objective?
You may not be using the best approach for generating a master password. Because of the resistance provided by Bitwarden’s KDF, your master password entropy only needs to be around 50 bits to raise the cost of a brute-force attack into the millions of dollars. Thus, best practice for master passwords is to use a randomly generated 4-word passphrase (e.g., jalapeno-uncrushed-critter-lisp). With a little practice, such a passphrase can readily be memorized and manually typed, while being practically uncrackable.
Thank you for your thoughts, guys - very much appreciated!
You may not be using the best approach for generating a master password. Because of the resistance provided by Bitwarden’s KDF, your master password entropy only needs to be around 50 bits to raise the cost of a brute-force attack into the millions of dollars. Thus, best practice for master passwords is to use a randomly generated 4-word passphrase (e.g., jalapeno-uncrushed-critter-lisp). With a little practice, such a passphrase can readily be memorized and manually typed, while being practically uncrackable.
Okay, so I will change my master password and use a passphrase.
Would the auto-type feature (which is actively being developed, and will hopefully be released soon) provide an alternative option for achieving the same objective?
Sorry, I don’t know anything about this feature - if it will be combined with a scripting-friendly way of launching Bitwarden Desktop (I just assume that it will be part of Bitwarden Desktop), then maybe: as of now, there is no nice way to launch Bitwarden from a script, because there is no global shortcut to bring up the currently running but minimized Bitwarden Desktop instance. Otherwise you receive an “Another instance of Bitwarden is already running” error when simply trying to launch a new instance of Bitwarden Desktop.
There are a few options for logging in, but if you do not feel comfortable storing your master password on your hard drive, you probably also ought not feel comfortable storing an API key on the hard drive.
I have a question regarding the API key - imagine the following scenario:
I grab the API key and run bw login --apikey once → gives an ambient but locked Bitwarden context
My script always runs bw unlock (which will prompt for my new master password), fetch the secret from within the Bitwarden vault, and bw lock.
Is this considered an anti-pattern due to the always-present Bitwarden login (since I’m never calling bw logout)? Or to put it differently, should my script always also run bw login --apikey and bw logout?
If yes, I’m thinking about storing the API key within a PowerShell SecretStore. What are your thoughts about this scenario?
In bitwarden parlance, Logged in means that your encrypted vault has been downloaded to your device. Unlocked means that your vault has been decrypted. General consensus is that Logged in, but locked is just about as secure as logged out.
Those of us who use Biometrics keep our vault logged in, but locked.
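The "login once, unlock per run, lock afterwards" pattern discussed in the two posts above, written out as an added PowerShell example (it is not code from any poster in this thread). It assumes the Bitwarden CLI (bw) and VeraCrypt.exe are on PATH or at the path given, that the device was logged in once with `bw login --apikey`, and that a vault item exists with the name passed in; the item name, container path and drive letter are placeholders. The master passphrase is typed at the `bw unlock` prompt each run, so the script never stores it, and the session key stays in a local variable rather than in `$env:BW_SESSION` or a file.

```powershell
# Added example, not code from the thread: unlock the vault interactively, fetch the container
# password, mount the VeraCrypt volume, then lock again. Item name, container path and drive
# letter are placeholders; `bw` and VeraCrypt.exe locations are assumptions.
function Mount-VeraCryptFromBitwarden {
    param(
        [Parameter(Mandatory)] [string] $ItemName,       # placeholder vault item name
        [Parameter(Mandatory)] [string] $ContainerPath,  # placeholder path to the .hc container
        [string] $DriveLetter  = 'X',
        [string] $VeraCryptExe = 'C:\Program Files\VeraCrypt\VeraCrypt.exe'  # assumed install path
    )
    $ErrorActionPreference = 'Stop'

    # 1. Require an existing (logged in, possibly locked) CLI session. Neither the master
    #    passphrase nor the API key lives in this script; `bw status` reports one of
    #    "unauthenticated", "locked" or "unlocked".
    $status = (bw status | ConvertFrom-Json).status
    if ($status -eq 'unauthenticated') {
        throw "Not logged in. Run 'bw login --apikey' once before using this script."
    }

    # 2. Unlock interactively: bw prompts for the master passphrase on the terminal (your presence
    #    is required) and --raw prints only the session key, which stays inside this process.
    $session = bw unlock --raw
    if ($LASTEXITCODE -ne 0 -or [string]::IsNullOrWhiteSpace($session)) {
        throw 'Vault unlock failed or was cancelled.'
    }

    try {
        # 3. Fetch the container password; it is plaintext in memory only until the mount is done.
        $secret = bw get password $ItemName --session $session
        if ($LASTEXITCODE -ne 0 -or [string]::IsNullOrEmpty($secret)) {
            throw "Could not retrieve item '$ItemName' (wrong name, or several items match?)."
        }

        # 4. Mount with VeraCrypt: /v volume, /l drive letter, /p password, /q quit after mounting,
        #    /s silent. Caveat: /p puts the password on VeraCrypt's command line, where other local
        #    processes that can read command lines may see it, exactly as in a KPScript workflow.
        #    Passwords containing a double quote would need extra escaping (not handled here).
        $vcArgs = "/v `"$ContainerPath`" /l $DriveLetter /p `"$secret`" /q /s"
        $proc = Start-Process -FilePath $VeraCryptExe -ArgumentList $vcArgs -Wait -PassThru
        $secret = $null

        # Verify the result by looking for the drive rather than trusting the exit code alone.
        $mounted = Test-Path -LiteralPath "${DriveLetter}:\"
        if (-not $mounted) {
            throw "VeraCrypt exited with code $($proc.ExitCode) and ${DriveLetter}: is not mounted."
        }
        return $mounted
    }
    finally {
        # 5. Always lock again, even when the mount failed; the session key is useless afterwards.
        bw lock | Out-Null
        $session = $null
    }
}

# Usage with placeholder values:
# Mount-VeraCryptFromBitwarden -ItemName 'VeraCrypt container' -ContainerPath 'D:\secure\container.hc' -DriveLetter 'X'
```

The `finally` block is the part worth keeping even if the rest is adapted: whatever happens after `bw unlock`, the vault returns to the locked state the posts above describe as the normal resting state, and nothing that could unlock it on its own (passphrase, `--passwordfile`, session key) is left on disk.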
I’ve a follow-up question: I changed my master password and wrote a PowerShell script which uses BW CLI to unlock the vault and fetch the secret while relying on an ambient BW login session. This works nicely at home where I can successfully connect to my self-hosted BW server. In the office, however, BW CLI fails to retrieve the secret.
Does BW CLI not have an offline copy of my vault (as the desktop app and web extensions do) and always needs to be able to connect to the server?