This is an unofficial command line client for Bitwarden. Although it does come with its own command line client, this client is limited by being stateless - to use it, you're required to manually lock and unlock the client, and pass the temporary keys around in environment variables, which makes it very difficult to use. This client avoids this problem by maintaining a background process which is able to hold the keys in memory, similar to the way that ssh-agent or gpg-agent work. This allows the client to be used in a much simpler way, with the background agent taking care of maintaining the necessary state.


I consider rbw to be essentially feature-complete for me at this point. While I still use it on a daily basis, and will continue to fix regressions as they occur, I am unlikely to spend time implementing new features on my own. If you would like to see new functionality in rbw, I am more than happy to review and merge pull requests implementing those features.


Arch Linux

rbw is available in the community repository. Alternatively, you can install rbw-git from the AUR, which will always build from the latest master commit.


You can download a Debian package from https://git.tozt.net/rbw/releases/deb/ . The packages are signed by minisign, and can be verified using the public key RWTM0AZ5RpROOfAIWx1HvYQ6pw1+FKwN6526UFTKNImP/Hz3ynCFst3r.


With a working Rust installation, rbw can be installed via cargo install rbw. This requires that the pinentry program is installed (to display password prompts).


Configuration options are set using the rbw config command. Available configuration options:

  • email: The email address to use as the account name when logging into the Bitwarden server. Required.
  • base_url: The URL of the Bitwarden server to use. Defaults to the official server at https://api.bitwarden.com/ if unset.
  • identity_url: The URL of the Bitwarden identity server to use. If unset, will use the /identity path on the configured base_url, or https://identity.bitwarden.com/ if no base_url is set.
  • lock_timeout: The number of seconds to keep the master keys in memory for before requiring the password to be entered again. Defaults to 3600 (one hour).
  • pinentry: The pinentry executable to use. Defaults to pinentry.


Commands can generally be used directly, and will handle logging in or unlocking as necessary. For instance, running rbw ls will run rbw unlock to unlock the password database before generating the list of entries (but will not attempt to log in to the server), rbw sync will automatically run rbw login to log in to the server before downloading the password database (but will not unlock the database), and rbw add will do both.

Logging into the server and unlocking the database will only be done as necessary, so running rbw login when you are already logged in will do nothing, and similarly for rbw unlock. If necessary, you can explicitly log out by running rbw purge, and you can explicitly lock the database by running rbw lock or rbw stop-agent.

rbw help can be used to get more information about the available functionality.

Run rbw get <name> to get your passwords. If you also want to get the username or the note associated, you can use the flag --full.

Note to users of the official Bitwarden server (at bitwarden.com): The official server has a tendency to detect command line traffic as bot traffic (see this issue for details). In order to use rbw with the official Bitwarden server, you will need to first run rbw register to register each device using rbw with the Bitwarden server. This will prompt you for your personal API key which you can find using the instructions here.

  • rofi-rbw: A rofi frontend for Bitwarden