
Bitwarden CLI as cross-machine secrets source-of-truth

Tags: rule, secrets, bitwarden, age, sops, recovery, industry-standard

Bitwarden CLI — canonical secrets retrieval

Rule

Bitwarden CLI (bw) is the canonical retrieval mechanism for secrets across machines.

| Layer | Role | Source-of-truth direction |
|---|---|---|
| Bitwarden vault | Read-only source of truth + secondary backup | Master copy in cloud |
| ~/.age-key.txt | Local cache fetched on demand | Downstream from Bitwarden |
| Encrypted secrets/env.enc (sops+age) | Local encrypted env vars | Encrypted with age key from Bitwarden |
| BW_SESSION env var | Per-shell unlock token | Process-scope, ephemeral |
| Win env vars (setx) | Per-machine credential cache | PRIMARY for runtime |
| Smithery vault | Per-keyed-MCP credential | PRIMARY for MCP tools |

How to retrieve on new laptop

Inside chirag127/backup/bootstrap.ps1:

.\scripts\bw-fetch-secrets.ps1

That script:

  1. npm install -g @bitwarden/cli if bw is missing
  2. bw login (prompts for email, master password and 2FA); skipped when the CLI already has a logged-in account
  3. bw unlock --raw → captured into $env:BW_SESSION (process-scoped, never written to disk)
  4. bw get item oriz-age-key | jq -r .notes > ~/.age-key.txt, with the file created under an owner-only ACL before the key is written (the item is a Secure Note; the key lives in its notes field)
  5. Then sops -d secrets/env.enc > .env works (sops reads the identity from ~/.age-key.txt via SOPS_AGE_KEY_FILE)
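The five steps above as one runnable script. This is an added example, not the contents of chirag127/backup/scripts/bw-fetch-secrets.ps1 (which the page does not reproduce). It uses only documented bw CLI commands (status, login, unlock --raw, sync, get item) and PowerShell's ConvertFrom-Json in place of jq. Assumptions: the item is named oriz-age-key and stores the key in its notes field (as the page says), secrets/env.enc is relative to the repo root, and sops and npm are on PATH.

```powershell
# bw-fetch-secrets.ps1 (added example; not the repo's own script)
$ErrorActionPreference = 'Stop'

$ItemName   = 'oriz-age-key'                      # Bitwarden Secure Note (from the page)
$AgeKeyPath = Join-Path $HOME '.age-key.txt'      # local cache, downstream of Bitwarden
$EncPath    = 'secrets/env.enc'                   # sops+age encrypted env vars (from the page)
$EnvPath    = '.env'                              # decrypted output, owner-only

# 1. Install the CLI only if it is missing
if (-not (Get-Command bw -ErrorAction SilentlyContinue)) {
    npm install -g @bitwarden/cli
}

# 2. Log in only when the CLI is unauthenticated. bw login is interactive
#    (email, master password, 2FA); re-running it when already logged in fails.
$status = (bw status | ConvertFrom-Json).status
if ($status -eq 'unauthenticated') {
    bw login
}

# 3. Unlock. --raw prints only the session key; keep it in this process's
#    environment and never persist it to disk.
$env:BW_SESSION = bw unlock --raw
if (-not $env:BW_SESSION) { throw 'bw unlock failed; no session key returned' }

# Pull the latest vault state so a rotated key is not missed
bw sync --session $env:BW_SESSION | Out-Null

# 4. Read the Secure Note. Lookup by name errors if more than one item matches,
#    so keep the item name unique in the vault.
$item = bw get item $ItemName --session $env:BW_SESSION | ConvertFrom-Json
if (-not $item.notes -or $item.notes -notmatch 'AGE-SECRET-KEY-1') {
    throw "Item '$ItemName' does not contain an age identity in its notes field"
}

# Create the file empty, strip inherited ACEs and grant only the current user,
# then write the key. The key never exists on disk under a permissive ACL.
New-Item -ItemType File -Path $AgeKeyPath -Force | Out-Null
icacls $AgeKeyPath /inheritance:r /grant:r "$($env:USERNAME):(R,W)" | Out-Null
Set-Content -Path $AgeKeyPath -Value $item.notes -NoNewline -Encoding ascii

# 5. Decrypt the env file with the freshly cached identity. SOPS_AGE_KEY_FILE
#    is set for this process only; the decrypted .env gets the same owner-only ACL.
$env:SOPS_AGE_KEY_FILE = $AgeKeyPath
New-Item -ItemType File -Path $EnvPath -Force | Out-Null
icacls $EnvPath /inheritance:r /grant:r "$($env:USERNAME):(R,W)" | Out-Null
sops -d $EncPath | Set-Content -Path $EnvPath -NoNewline -Encoding utf8

Write-Host "age key cached at $AgeKeyPath and $EnvPath decrypted"
```

Two checks worth keeping: the guard on `bw status` avoids a second interactive `bw login` on a machine that is already enrolled, and the ACL is applied to an empty file before any secret is written, so there is no window in which the key sits on disk readable by other local users.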

Sync direction

ONE-WAY: PRIMARY (Win env / Smithery vault / .env) → Bitwarden vault (manual update after rotation).

The reverse direction (Bitwarden → local) happens only at bootstrap on a new machine. Day-to-day, the PRIMARY caches are read directly; Bitwarden is not consulted at runtime.
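The forward direction (local → Bitwarden after a rotation) as a script. This is an added example, not part of the page or the repo. It uses the documented bw edit workflow (get item, modify JSON, bw encode, bw edit item <id>). Assumptions: the rotated identity has already been written to ~/.age-key.txt by age-keygen, and the Bitwarden item is still named oriz-age-key.

```powershell
# bw-push-age-key.ps1 (added example; not the repo's own script)
# Pushes a rotated local age identity up to the Bitwarden Secure Note.
$ErrorActionPreference = 'Stop'

$ItemName   = 'oriz-age-key'                   # from the page
$AgeKeyPath = Join-Path $HOME '.age-key.txt'   # local PRIMARY copy after rotation

# Reuse an existing per-shell session, otherwise unlock (interactive master password)
if (-not $env:BW_SESSION) { $env:BW_SESSION = bw unlock --raw }
if (-not $env:BW_SESSION) { throw 'bw unlock failed' }

# Sync first so we edit the current server-side revision, not a stale cache
bw sync --session $env:BW_SESSION | Out-Null

# Validate the local file is an age identity before touching the vault
$newKey = Get-Content -Raw -Path $AgeKeyPath
if ($newKey -notmatch 'AGE-SECRET-KEY-1') { throw "$AgeKeyPath is not an age identity file" }

# Fetch by name once, then edit by id (edit requires the item id)
$item = bw get item $ItemName --session $env:BW_SESSION | ConvertFrom-Json
if ($item.notes.Trim() -eq $newKey.Trim()) {
    Write-Host 'Bitwarden already holds this key; nothing to push'
    return
}

# Replace the notes field, re-encode, and submit the edit
$item.notes = $newKey
$encoded = $item | ConvertTo-Json -Depth 10 -Compress | bw encode
bw edit item $item.id $encoded --session $env:BW_SESSION | Out-Null

Write-Host "Updated '$ItemName' (id $($item.id)) with the rotated age key"
```

Rotating the age key is only half the job: secrets/env.enc was encrypted to the old recipient, so it has to be re-encrypted to the new public key (update .sops.yaml and run sops updatekeys, or sops --rotate) before the old identity is discarded, otherwise the next bootstrap fetches a key that cannot decrypt the file.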

Bitwarden item: oriz-age-key

Other secrets in Bitwarden (secondary backup)

After rotation, update Bitwarden item:

What this kills

Anti-patterns

Recovery from total loss

  1. Master password (memorized) + Bitwarden Emergency Access (configured in vault settings)
  2. USB offline backup of age key + recovery codes
  3. Yubikey for 2FA at separate physical location

Two-of-three required to fully recover.

Cross-refs