Bitwarden Cheat Sheet

Overview

Bitwarden is an open-source password management platform that provides secure storage for passwords, credit cards, identities, and secure notes. It offers end-to-end encryption, cross-platform clients, browser extensions, and a CLI tool. Bitwarden can be used as a cloud-hosted service or self-hosted using the official server or community alternatives like Vaultwarden.

Bitwarden also provides Bitwarden Secrets Manager for managing application secrets, API keys, and environment variables used in development and DevOps workflows. For enterprise deployments, Bitwarden supports team sharing through organizations, role-based access control, event logging, and directory integration with LDAP/Active Directory.

Installation

# CLI - npm
npm install -g @bitwarden/cli

# CLI - Homebrew
brew install bitwarden-cli

# CLI - Snap
sudo snap install bw

# Verify installation
bw --version

# Self-hosted server (Docker)
# Using Vaultwarden (lightweight alternative)
docker run -d \
  --name vaultwarden \
  -v /vw-data/:/data/ \
  -p 80:80 \
  vaultwarden/server

# Official Bitwarden server
# Quote the URL: an unquoted & would background curl and drop the platform parameter
curl -Lso bitwarden.sh "https://func.bitwarden.com/api/dl/?app=self-host&platform=linux"
chmod +x bitwarden.sh
./bitwarden.sh install
./bitwarden.sh start

CLI Authentication

# Login with email/password
bw login user@example.com

# Login with API key
bw login --apikey
# Then provide client_id and client_secret

# Login with SSO
bw login --sso

# Unlock vault (after login)
export BW_SESSION=$(bw unlock --raw)

# Check login status
bw status

# Lock vault
bw lock

# Logout
bw logout

Vault Management

# Sync vault with server
bw sync

# List all items
bw list items

# List items in a folder
bw list items --folderid FOLDER_ID

# Search items
bw list items --search "github"

# Get a specific item
bw get item ITEM_ID
bw get item "GitHub Personal"

# Get just the password
bw get password "GitHub Personal"

# Get TOTP code
bw get totp "GitHub Personal"

# Get username
bw get username "GitHub Personal"

# Get URI
bw get uri "GitHub Personal"

# Get notes
bw get notes "SSH Key Notes"

Creating Items

# Create a login item
bw get template item | \
  jq '.type = 1 | .name = "My Login" | .login = {"username": "user@example.com", "password": "SecurePass123!", "uris": [{"uri": "https://example.com"}]}' | \
  bw encode | bw create item

# Create a secure note
bw get template item | \
  jq '.type = 2 | .secureNote.type = 0 | .name = "API Keys" | .notes = "Production API Key: abc123"' | \
  bw encode | bw create item

# Create a card item
bw get template item | \
  jq '.type = 3 | .name = "Work Card" | .card = {"cardholderName": "John Doe", "number": "4111111111111111", "expMonth": "12", "expYear": "2027", "code": "123"}' | \
  bw encode | bw create item

# Create a folder
bw get template folder | \
  jq '.name = "Work"' | \
  bw encode | bw create folder

Editing and Deleting

# Edit an item
bw get item ITEM_ID | \
  jq '.name = "Updated Name"' | \
  bw encode | bw edit item ITEM_ID

# Move item to folder
bw get item ITEM_ID | \
  jq '.folderId = "FOLDER_ID"' | \
  bw encode | bw edit item ITEM_ID

# Delete an item (soft delete to trash)
bw delete item ITEM_ID

# Permanently delete
bw delete item ITEM_ID --permanent

# Delete a folder
bw delete folder FOLDER_ID

# Restore from trash
bw restore item ITEM_ID

Password Generation

# Generate a random password
bw generate

# Custom password (-l is the short form of --lowercase; length is set with --length)
bw generate --length 24 --uppercase --lowercase --number --special

# Generate passphrase
bw generate --passphrase --words 5 --separator "-"

# Minimum requirements
bw generate --length 20 --minNumber 2 --minSpecial 2

# No ambiguous characters
bw generate --length 16 --ambiguous

Organizations and Sharing

# List organizations
bw list organizations

# List organization collections
bw list org-collections --organizationid ORG_ID

# List organization members
bw list org-members --organizationid ORG_ID

# Share item with organization (collection IDs are passed as encoded JSON;
# newer CLI versions name this command bw move)
echo '["COLLECTION_ID"]' | bw encode | bw share ITEM_ID ORG_ID

# Create collection
echo '{"organizationId": "ORG_ID", "name": "Engineering Secrets"}' | \
  bw encode | bw create org-collection --organizationid ORG_ID

# Confirm organization member
bw confirm org-member MEMBER_ID --organizationid ORG_ID

Bitwarden Secrets Manager

# Install the Secrets Manager SDK for Node.js (a library; it does not provide the bws command)
npm install -g @bitwarden/sdk-napi

# Or use the bws CLI
# Download from https://bitwarden.com/download/

# Authenticate
export BWS_ACCESS_TOKEN="0.your-access-token"

# List secrets
bws secret list

# Get a secret
bws secret get SECRET_ID

# Create a secret
bws secret create "DATABASE_URL" "postgres://user:pass@host:5432/db" PROJECT_ID

# Update a secret
bws secret edit SECRET_ID --value "new-connection-string"

# Delete a secret
bws secret delete SECRET_ID

# List projects
bws project list

# Create a project
bws project create "Production Secrets"

Advanced Usage

Attachments

# Create attachment
bw create attachment --file ./cert.pem --itemid ITEM_ID

# List attachments
bw get item ITEM_ID | jq '.attachments'

# Download attachment
bw get attachment ATTACHMENT_ID --itemid ITEM_ID --output ./cert.pem

# Delete attachment
bw delete attachment ATTACHMENT_ID --itemid ITEM_ID

Export and Import

# Export vault (encrypted JSON)
# A password passed on the command line is visible in shell history and the process list
bw export --format encrypted_json --password "export-password" --output vault-backup.json

# Export as CSV (unencrypted - be careful)
bw export --format csv --output vault.csv

# Export organization vault (the json format is also unencrypted)
bw export --organizationid ORG_ID --format json --output org-backup.json

# Import from other managers (list the valid format names with: bw import --formats)
bw import lastpasscsv export.csv
bw import 1password1pux export.1pux
bw import keepass2xml export.xml
bw import chromecsv passwords.csv

Scripting with Bitwarden CLI

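#!/bin/bash
# Script to inject secrets into environment
set -euo pipefail

# Unlock vault (assign first, then export, so a failed unlock aborts the script)
BW_SESSION=$(bw unlock --raw --passwordenv BW_MASTER_PASSWORD)
export BW_SESSION

# Get secrets
DB_PASSWORD=$(bw get password "Production Database")
API_KEY=$(bw get notes "Production API Key")
AWS_ACCESS_KEY=$(bw get username "AWS Credentials")
AWS_SECRET_KEY=$(bw get password "AWS Credentials")
export DB_PASSWORD API_KEY AWS_ACCESS_KEY AWS_SECRET_KEY

# Do not pass the vault session key or master password on to the application
unset BW_SESSION BW_MASTER_PASSWORD

# Run application with secrets
exec "$@"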
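
A preflight for scripts like the one above, as an added example that is not part of the original cheat sheet or of Bitwarden's own tooling: it reads the JSON printed by bw status and decides whether the script must log in, unlock, or can proceed. The helper names vault_state, next_step and ensure_unlocked are hypothetical, the sample JSON is constructed, and BW_MASTER_PASSWORD, BW_CLIENTID and BW_CLIENTSECRET are assumed to be set as elsewhere on this page.

```bash
#!/bin/bash
# Added example: status-aware preflight for scripts that call the bw CLI.
# vault_state, next_step and ensure_unlocked are hypothetical helper names.

# Constructed sample of `bw status` output for a logged-in but locked vault.
SAMPLE_LOCKED='{"serverUrl":"https://vault.example.com","lastSync":"2024-01-01T00:00:00.000Z","userEmail":"user@example.com","userId":"00000000-0000-0000-0000-000000000000","status":"locked"}'

# Extract the "status" field from the JSON text in $1 (no jq dependency).
vault_state() {
  printf '%s' "$1" |
    sed -n 's/.*"status"[[:space:]]*:[[:space:]]*"\([a-z]*\)".*/\1/p'
}

# Map the vault state to the step a script must take before reading secrets.
next_step() {
  case "$(vault_state "$1")" in
    unlocked)        echo "ready" ;;
    locked)          echo "unlock" ;;
    unauthenticated) echo "login" ;;
    *)               echo "error" ;;   # empty or unparseable output
  esac
}

# Drive the real CLI: log in with the API key if needed, then unlock.
# Returns non-zero instead of continuing with an unusable session.
ensure_unlocked() {
  local step
  step=$(next_step "$(bw status 2>/dev/null)")
  if [ "$step" = "login" ]; then
    # bw login --apikey reads BW_CLIENTID and BW_CLIENTSECRET from the environment
    bw login --apikey >/dev/null || return 1
    step="unlock"
  fi
  if [ "$step" = "unlock" ]; then
    BW_SESSION=$(bw unlock --raw --passwordenv BW_MASTER_PASSWORD) || return 1
    export BW_SESSION
    step="ready"
  fi
  [ "$step" = "ready" ]
}

# Demonstration on the constructed sample; prints: unlock
next_step "$SAMPLE_LOCKED"
```

In a wrapper script, call ensure_unlocked || exit 1 before the first bw get so a locked or logged-out vault stops the run instead of exporting empty variables.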

Self-Hosted Configuration (Vaultwarden)

# docker-compose.yml
services:
  vaultwarden:
    image: vaultwarden/server
    restart: always
    volumes:
      - ./vw-data:/data
    environment:
      DOMAIN: "https://vault.example.com"
      SIGNUPS_ALLOWED: "false"
      ADMIN_TOKEN: "your-admin-token"
      SMTP_HOST: "smtp.example.com"
      SMTP_PORT: "587"
      SMTP_FROM: "vault@example.com"
      SMTP_USERNAME: "vault@example.com"
      SMTP_PASSWORD: "smtp-password"
      SMTP_SECURITY: "starttls"
      LOG_LEVEL: "info"
    ports:
      - "80:80"

Configuration

# CLI configuration
bw config server https://vault.example.com

# Environment variables
export BW_CLIENTID="user.client-id"
export BW_CLIENTSECRET="client-secret"
export BW_PASSWORD="master-password"
export BW_SESSION="session-key"
export BITWARDENCLI_APPDATA_DIR="/path/to/data"

Troubleshooting

| Issue | Solution |
|-------|----------|
| Vault is locked | Run bw unlock and export the session key |
| Not logged in | Run bw login first, then bw unlock |
| CLI session expired | Re-run export BW_SESSION=$(bw unlock --raw) |
| Sync not updating | Force sync with bw sync --force |
| Self-hosted SSL errors | Ensure valid SSL certificate; check DOMAIN env var |
| Import fails | Check import format matches the source; use correct format flag |
| Organization access denied | Verify membership and collection permissions |
| TOTP not working | Check system clock is synchronized; verify TOTP seed |