Bitwarden CLI as cross-machine secrets source-of-truth
Bitwarden CLI — canonical secrets retrieval
Rule
Bitwarden CLI (bw) is the canonical retrieval mechanism for secrets across machines.
| Layer | Role | Source-of-truth direction |
|---|---|---|
| Bitwarden vault | Read-only source of truth + secondary backup | Master copy in cloud |
| `~/.age-key.txt` | Local cache fetched on demand | Downstream from Bitwarden |
| Encrypted `secrets/env.enc` (sops+age) | Local encrypted env vars | Encrypted with age key from Bitwarden |
| `BW_SESSION` env var | Per-shell unlock token | Process-scope, ephemeral |
| Win env vars (`setx`) | Per-machine credential cache | PRIMARY for runtime |
| Smithery vault | Per-keyed-MCP credential | PRIMARY for MCP tools |
How to retrieve on new laptop
Inside chirag127/backup/bootstrap.ps1:
```powershell
.\scripts\bw-fetch-secrets.ps1
```
That script:
- `npm install -g @bitwarden/cli` if `bw` is missing
- `bw login` (prompts email + password + 2FA)
- `bw unlock --raw` → `$env:BW_SESSION`
- `bw get item oriz-age-key | jq -r .notes > ~/.age-key.txt` (owner-only ACL)
- Then `sops -d secrets/env.enc > .env` works
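The following PowerShell is an added example that carries those five steps through with the checks a practitioner would want; it is not the `bw-fetch-secrets.ps1` from the chirag127/backup repo, which this page does not reproduce. It assumes the item name `oriz-age-key`, the key path `~/.age-key.txt` and `secrets/env.enc` from the page, replaces `jq` with `ConvertFrom-Json`, and uses the real `bw status`, `bw sync`, `bw list items --search` commands plus `icacls` for the owner-only ACL. The master password is never placed in an environment variable; only the `bw unlock --raw` session token lives in the process.

```powershell
# Added example: fetch the age key from Bitwarden on a fresh machine.
# Assumptions (not from the page): bw/sops/npm are on PATH; Windows PowerShell
# or pwsh on Windows (icacls is used for the ACL).
$ErrorActionPreference = 'Stop'

$ItemName   = 'oriz-age-key'                      # from the page
$KeyPath    = Join-Path $HOME '.age-key.txt'      # from the page
$EncEnvPath = 'secrets/env.enc'                   # from the page

# 1. Install the CLI only if it is missing.
if (-not (Get-Command bw -ErrorAction SilentlyContinue)) {
    npm install -g @bitwarden/cli
    if ($LASTEXITCODE -ne 0) { throw 'npm install of @bitwarden/cli failed' }
}

# 2. One-time interactive login; `bw status` reports unauthenticated/locked/unlocked.
$status = (bw status | ConvertFrom-Json).status
if ($status -eq 'unauthenticated') {
    bw login                                    # prompts for email, master password, 2FA
    if ($LASTEXITCODE -ne 0) { throw 'bw login failed' }
    $status = 'locked'
}

# 3. Unlock into a process-scoped session token. Never Write-Host this value.
if ($status -eq 'locked') {
    $env:BW_SESSION = (bw unlock --raw)
    if ($LASTEXITCODE -ne 0 -or [string]::IsNullOrWhiteSpace($env:BW_SESSION)) {
        throw 'bw unlock failed'
    }
}

# 4. Refresh the local vault copy, then require exactly one item with that
#    exact name: bw's --search is a substring match, and a name collision
#    must fail loudly rather than hand back the wrong note.
bw sync | Out-Null
$items = @(bw list items --search $ItemName | ConvertFrom-Json |
           Where-Object { $_.name -eq $ItemName })
if ($items.Count -ne 1) { throw "expected 1 item named $ItemName, found $($items.Count)" }

# 5. The Notes field holds the age identity file (may be multi-line with
#    comment lines); insist that it actually contains a secret key line.
$notes = $items[0].notes
$keyLines = @(($notes -split "`r?`n") | Where-Object { $_ -cmatch '^AGE-SECRET-KEY-1' })
if ($keyLines.Count -eq 0) { throw "notes of $ItemName contain no AGE-SECRET-KEY-1 line" }

# 6. Write as UTF-8 without BOM (age rejects a BOM), then strip inherited
#    ACEs and grant only the current user.
[System.IO.File]::WriteAllText($KeyPath, $notes.Trim() + "`n")
icacls $KeyPath /inheritance:r /grant:r "${env:USERNAME}:F" | Out-Null

# 7. Decrypt the env file; sops reads the identity from SOPS_AGE_KEY_FILE.
#    Capture output first so a failed decrypt never leaves a half-written .env.
$env:SOPS_AGE_KEY_FILE = $KeyPath
$plain = sops -d $EncEnvPath
if ($LASTEXITCODE -ne 0) { throw 'sops decryption failed' }
[System.IO.File]::WriteAllLines((Join-Path $PWD.ProviderPath '.env'), [string[]]@($plain))
```

The exact-name filter in step 4 is the one check missing from the one-liner in the text: `bw get item oriz-age-key` errors out on an ambiguous search, but a single near-miss item (for example a renamed old copy) would be returned silently. Step 7 decrypts into a variable before touching `.env` for the same reason.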
Sync direction
ONE-WAY: PRIMARY (Win env / Smithery vault / .env) → Bitwarden vault (manual update after rotation).
The reverse direction (Bitwarden → local) happens only at bootstrap on a new machine. Day-to-day, the PRIMARY caches are read directly.
Bitwarden item: oriz-age-key
- Type: Login or Secure Note
- Name: `oriz-age-key`
- Notes field: the age private key (full `AGE-SECRET-KEY-1...` string, multi-line OK)
Other secrets in Bitwarden (secondary backup)
After rotation, update Bitwarden item:
- `hai-api-key`: from hai Desktop App tray (also in Win env + .env)
- `github-pat-admin`: from github.com/settings/tokens (also in .env)
- `firecrawl-key`, `apify-token`, etc.: from each MCP signup (Smithery vault is PRIMARY)
- `ovsx-pat`, `vsce-pat`: VSIX publishing (Win env + .env)
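The "manual update after rotation" step in the PRIMARY → Bitwarden direction, written out as an added example (not code from the page or the backup repo). It mirrors a rotated value from the Windows user environment into a Bitwarden Secure Note, creating the item if it does not exist and editing it in place otherwise, using the documented `bw get template item` / `bw create item` / `bw edit item` flow with the base64 encoding done in PowerShell instead of `bw encode`. The item names are from the page; the environment variable names (`HAI_API_KEY` and so on) are assumptions for illustration, and the `BW_SESSION` token is assumed to be set already.

```powershell
# Added example: push a rotated secret into Bitwarden as the secondary backup.
# Assumes $env:BW_SESSION was set by `bw unlock --raw` in this shell.
$ErrorActionPreference = 'Stop'

function ConvertTo-BwEncoded {
    # Equivalent of `bw encode`: compact JSON, UTF-8, base64.
    param([Parameter(Mandatory)] $Object)
    $json = $Object | ConvertTo-Json -Depth 10 -Compress
    return [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($json))
}

function Set-BwSecureNote {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [string] $Notes
    )
    if (-not $env:BW_SESSION) { throw 'BW_SESSION not set; run: $env:BW_SESSION = (bw unlock --raw)' }

    # Exact-name match only; --search is a substring match.
    $existing = @(bw list items --search $Name | ConvertFrom-Json |
                  Where-Object { $_.name -eq $Name })
    if ($existing.Count -gt 1) { throw "more than one item named $Name; fix the vault first" }

    if ($existing.Count -eq 1) {
        # Edit in place so the item id, folder and history are preserved.
        $item = $existing[0]
        $item.notes = $Notes
        bw edit item $item.id (ConvertTo-BwEncoded $item) | Out-Null
    } else {
        $tpl = bw get template item | ConvertFrom-Json
        $tpl.type       = 2                 # 2 = Secure Note
        $tpl.secureNote = @{ type = 0 }     # 0 = generic note
        $tpl.name       = $Name
        $tpl.notes      = $Notes
        bw create item (ConvertTo-BwEncoded $tpl) | Out-Null
    }
    if ($LASTEXITCODE -ne 0) { throw "bw create/edit of $Name failed" }
    bw sync | Out-Null
}

# Mapping of Bitwarden item name -> PRIMARY store location (user-scope env var).
# Item names are from the page; the env var names are assumed.
$mirror = @(
    @{ Item = 'hai-api-key';      Env = 'HAI_API_KEY' },
    @{ Item = 'github-pat-admin'; Env = 'GITHUB_PAT_ADMIN' },
    @{ Item = 'ovsx-pat';         Env = 'OVSX_PAT' },
    @{ Item = 'vsce-pat';         Env = 'VSCE_PAT' }
)

foreach ($entry in $mirror) {
    # Read from the PRIMARY store (what `setx` wrote), never from the command line.
    $value = [Environment]::GetEnvironmentVariable($entry.Env, 'User')
    if ([string]::IsNullOrEmpty($value)) { Write-Warning "$($entry.Env) not set; skipping"; continue }
    Set-BwSecureNote -Name $entry.Item -Notes $value
    Write-Host "updated Bitwarden item $($entry.Item)"    # the value itself is never printed
}
```

Like Bitwarden's own documented flow, this passes the encoded item as a command-line argument to `bw`, so the value is briefly visible in the process table of the local user; that matches the anti-pattern list below (session token and secrets are kept out of logs and stdout), but it is still a reason to run this from an interactive session rather than a shared CI runner.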
What this kills
- Manual age-key transfer via USB/email/Slack — replaced by Bitwarden retrieval
- Multiple copies of secrets across machines — Bitwarden is the cross-machine sync
- Forgetting where a key was last rotated — Bitwarden timestamps + audit log
Anti-patterns
- ❌ Commit `~/.age-key.txt` to any repo (gitignored, but human error possible)
- ❌ Echo `BW_SESSION` to logs/stdout
- ❌ Run `bw login` non-interactively with password in env var (use `bw unlock` after one-time login)
- ❌ Bidirectional sync (Bitwarden ↔ local) — too much conflict risk
- ❌ Self-host Vaultwarden without an offsite backup (single point of failure)
Recovery from total loss
- Master password (memorized) + Bitwarden Emergency Access (configured in vault settings)
- USB offline backup of age key + recovery codes
- Yubikey for 2FA at separate physical location
Two-of-three required to fully recover.
Cross-refs
- `setup-repo-as-bootstrap` — chirag127/backup repo contains `bw-fetch-secrets.ps1`
- `mcp-env-sync-both-layers` — MCP creds in BOTH Win env AND Smithery (NOT Bitwarden primary)
- `mcp-no-key-in-repo-keyed-in-smithery` — never commit any key to public repo