type: rule
status: active
timestamp: 2026-06-27
tags: [secrets, bitwarden, age, sops, recovery, industry-standard]

Bitwarden CLI as cross-machine secrets source-of-truth

Bitwarden CLI (bw): canonical age key retrieval + secondary secrets backup. Read-only locally; updates via Web UI

Bitwarden CLI — canonical secrets retrieval

Rule

Bitwarden CLI (bw) is the canonical retrieval mechanism for secrets across machines.

| Layer | Role | Source-of-truth direction |
|---|---|---|
| Bitwarden vault | Read-only source of truth + secondary backup | Master copy in cloud |
| ~/.age-key.txt | Local cache fetched on demand | Downstream from Bitwarden |
| Encrypted secrets/env.enc (sops+age) | Local encrypted env vars | Encrypted with age key from Bitwarden |
| BW_SESSION env var | Per-shell unlock token | Process-scope, ephemeral |
| Win env vars (setx) | Per-machine credential cache | PRIMARY for runtime |
| Smithery vault | Per-keyed-MCP credential | PRIMARY for MCP tools |

How to retrieve on new laptop

Inside chirag127/backup/bootstrap.ps1:

.\scripts\bw-fetch-secrets.ps1

That script:

  1. npm install -g @bitwarden/cli if bw is missing
  2. bw login (prompts for email + master password + 2FA)
  3. $env:BW_SESSION = (bw unlock --raw) (session key lives only in this process; never persist it)
  4. bw get item oriz-age-key | jq -r .notes > ~/.age-key.txt, then restrict the file to an owner-only ACL
  5. With SOPS_AGE_KEY_FILE pointing at ~/.age-key.txt (sops does not look there by default), sops -d secrets/env.enc > .env works
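A worked version of the five steps above, added here as an example; it is not the script from chirag127/backup. It assumes the Bitwarden item is named oriz-age-key with the age secret key in its notes and that the encrypted file is at secrets\env.enc (both taken from this page); jq is replaced by ConvertFrom-Json so the only dependencies are bw and sops, and the key file is written explicitly as UTF-8 because `>` in Windows PowerShell 5.1 emits UTF-16LE, which age cannot parse.

```powershell
# Added example, not the project's own bw-fetch-secrets.ps1. Assumptions:
# item name oriz-age-key (from the page), encrypted file secrets\env.enc
# (from the page), ConvertFrom-Json instead of jq, icacls for the owner-only ACL.
#Requires -Version 5.1
$ErrorActionPreference = 'Stop'

$ItemName = 'oriz-age-key'                   # Bitwarden item holding the age key in .notes
$KeyPath  = Join-Path $HOME '.age-key.txt'   # local cache, downstream from Bitwarden
$EncFile  = 'secrets\env.enc'                # sops+age encrypted env file (assumed path)

# 1. Install the CLI if it is missing.
if (-not (Get-Command bw -ErrorAction SilentlyContinue)) {
    npm install -g @bitwarden/cli
}

# 2./3. Login and unlock, driven by `bw status` (unauthenticated | locked | unlocked).
$status = (bw status | ConvertFrom-Json).status
if ($status -eq 'unauthenticated') {
    bw login                     # interactive: email + master password + 2FA
    $status = 'locked'
}
if ($status -ne 'unlocked') {
    # --raw prints only the session key; it stays in this process and is never written to disk.
    $env:BW_SESSION = (bw unlock --raw)
    if (-not $env:BW_SESSION) { throw 'bw unlock failed; no session key returned' }
}
bw sync | Out-Null               # read the current vault contents, not a stale local cache

# 4. Fetch the age key from the item's notes and sanity-check it before writing anything.
$item  = bw get item $ItemName | ConvertFrom-Json
$notes = $item.notes
if ($notes -notmatch 'AGE-SECRET-KEY-1') {
    throw "Item '$ItemName' does not contain an age secret key in its notes"
}

# Write UTF-8 without BOM and with a trailing LF; `>` would produce UTF-16LE on PS 5.1.
[IO.File]::WriteAllText($KeyPath, $notes.TrimEnd() + "`n", [Text.UTF8Encoding]::new($false))

# Owner-only ACL: strip inherited ACEs and grant only the current user read/write.
icacls $KeyPath /inheritance:r /grant:r "$($env:USERNAME):(R,W)" | Out-Null

# 5. Decrypt. sops looks for keys.txt under %AppData%\sops\age by default,
# so point it at the cached key explicitly; --output avoids redirection encoding issues.
$env:SOPS_AGE_KEY_FILE = $KeyPath
sops -d --output .env $EncFile

bw lock | Out-Null               # session key no longer needed for this bootstrap
```

Run it once from the repo root on the new machine; day-to-day, nothing here is re-run because the PRIMARY caches (Win env vars, Smithery vault, .env) are read directly.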

Sync direction

ONE-WAY: PRIMARY (Win env / Smithery vault / .env) → Bitwarden vault (manual update after rotation).

The reverse direction (Bitwarden → local) happens only at bootstrap on a new machine. Day-to-day, the PRIMARY caches are read directly.

Bitwarden item: oriz-age-key

Other secrets in Bitwarden (secondary backup)

After rotation, update Bitwarden item:

What this kills

Anti-patterns

Recovery from total loss

  1. Master password (memorized) + Bitwarden Emergency Access (configured in vault settings)
  2. USB offline backup of age key + recovery codes
  3. Yubikey for 2FA at separate physical location

Two-of-three required to fully recover.

Cross-refs

