Why does CLI export ask for password?

I’m trying to write a bash script for the export of my vault, and I can’t figure out why the CLI export command always asks for the master password even though I’m logged in, the vault is unlocked, and I’m passing a valid session key via the BW_SESSION env variable. None of the other commands require a password, but export does.

For example, this works fine:

```bash
export BW_SESSION=$(bw unlock --raw)
bw sync
openssl enc -pbkdf2 -aes-256-cbc -salt -a -e -in <(bw list items --pretty) -out bwexport.aes.new
bw lock
unset BW_SESSION
```

I’m prompted once for the master password by the bw unlock command. Then openssl prompts me for the encryption passphrase.

But, if I change list items --pretty to export --raw --format json, not only does unlock prompt for the master password, the export command will also prompt for master password — then leave the terminal in a broken state that prevents openssl from prompting for the encryption passphrase.

Why can it list all the items but not export?

This is still an issue for me. Piping bw export --raw to openssl is a mess. Both the openssl dialog and the bw dialog asking for passwords are on the same line and the user cannot proceed. Your method works, however! Any downsides compared to using bw export?

I wonder if the logic of this operation was meant to be consistent with the GUI clients. If you export in any other client, you are always presented with a master password reprompt, which makes sense. I’m not so sure that it makes sense for the CLI though…

Does export support BW_SESSION environment variable or not? If it does not, this needs to be implemented ASAP. Supplying passwords on command-line invocation is a major security risk. Environment variables are also a security risk, but better than nothing. The Bitwarden team should also strongly consider implementing standard input descriptor password/secret entry (e.g. via pipe) for the CLI application, as is done in any sane secret-related software in the UNIX world, as this delivers the most security.

While the CLI was excruciatingly clumsy and difficult to use, at least it used to (sort of) work. I can’t get the CLI app to work at all lately:

```
$ bw login
? Email address: xxxxxxxxxxxxxxxxxxxxxxx
? Master password: [hidden]
[object Object]
$ bw unlock
You are not logged in.
```

While I’ve been happy with everything else about BW, the CLI app is a big disappointment. I’m not sure how much of that to blame on the use of Java and how much was just unfortunate design choices.

If the CLI app doesn’t get fixed, I may have to switch to something else. I’m not comfortable with no way to back up my passwords in a format that can be accessed without requiring BW.

The BW CLI is working fine for me. Just confirmed on Windows, MacOS, and Linux.

I don’t find the CLI “difficult to use” at all. I can see where your task would be difficult, however, given that you are trying to use the CLI for something it was not designed to do. That is, the documentation is very clear that you must either supply a password with the export command, or you will be prompted for it. Why don’t you put in a feature request to change that functionality if you prefer something else? I think that would be more productive than just badmouthing BW. :slightly_frowning_face:

I contacted BW reporting the issues I’ve run into and was basically told “tough luck” it works the way it works.

In what way am I trying to use the CLI for something it was not designed to do?

Any ideas why the CLI would have stopped working completely? No matter how many times I log in, all other commands say that I’m not logged in. What was I doing wrong in the example I posted?

Sorry Grant - without any details, it is impossible for me to say why the CLI is not working on your system. Given that I tried it on three different computers/operating systems, I doubt it is an issue on the BW side. Have you tried reinstalling the CLI?

Regarding your script - as the BW support team confirmed, you only have two options to authenticate your master password when exporting your vault: either provide it in the script (obviously this has security implications that need to be addressed) or provide it when prompted. You said you couldn’t figure out why a password is needed, but it is explicitly stated in the CLI documentation. Hence, it looks like you want to use the export command in a way it was not designed to be used.
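
Added example, not part of any post in this thread and not Bitwarden's code: one way to keep two password prompts from colliding on the terminal, as described earlier in the thread, is to read the encryption passphrase once up front and hand it to openssl over file descriptor 3, so openssl never prompts and the passphrase is in neither argv nor the environment. The function names and the `PASSPHRASE` variable are assumptions; the `bw` and `openssl enc` invocations are the ones from the first post, with `-pass fd:3` added.

```sh
#!/bin/sh
# Added example. PASSPHRASE and all function names are hypothetical.

# Ask once, with echo off, before any other tool touches the terminal.
read_passphrase() {
    trap 'stty echo; exit 130' INT TERM
    printf 'Encryption passphrase: ' >&2
    stty -echo
    IFS= read -r PASSPHRASE
    stty echo
    trap - INT TERM
    printf '\n' >&2
}

# Encrypt stdin into file $1. The passphrase travels over fd 3 through a
# here-document, so openssl does not open the terminal to ask for it.
encrypt_stream() {
    openssl enc -pbkdf2 -aes-256-cbc -salt -a -e -pass fd:3 -out "$1" 3<<EOF
$PASSPHRASE
EOF
}

# Decrypt file $1 to stdout, passphrase again supplied over fd 3.
decrypt_file() {
    openssl enc -pbkdf2 -aes-256-cbc -a -d -pass fd:3 -in "$1" 3<<EOF
$PASSPHRASE
EOF
}

# The sequence from the first post, restructured as a pipeline. Only bw
# prompts (for the master password); openssl stays silent.
backup_vault() {
    read_passphrase || return 1
    BW_SESSION=$(bw unlock --raw) || return 1
    export BW_SESSION
    bw sync
    bw list items --pretty | encrypt_stream bwexport.aes.new
    bw lock
    unset BW_SESSION PASSPHRASE
}
```

Nothing runs until `backup_vault` is called. POSIX sh has no `pipefail`, so check that `bw` succeeded before trusting the output file.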