bw unlock: Get a Bitwarden Session Key in CI
bw unlock decrypts your Bitwarden vault with the master password and prints a session key that authorizes further bw commands.
After bw login authenticates the account, the vault is still locked. bw unlock produces the BW_SESSION key that every read command needs for the rest of the job.
What it does
bw unlock takes the master password, decrypts the local vault, and returns a session key. Export that key as BW_SESSION so subsequent bw get and bw sync calls can operate without prompting.
Common usage
bw login --apikey # uses BW_CLIENTID / BW_CLIENTSECRET
export BW_SESSION="$(bw unlock --passwordenv BW_PASSWORD --raw)"
bw sync
bw get password "deploy-token"Options
| Flag | What it does |
|---|---|
| --raw | Print only the session key (nothing else) |
| --passwordenv <VAR> | Read the master password from an env var |
| --passwordfile <path> | Read the master password from a file |
| BW_SESSION | Env var the other commands read the session key from |
In CI
Use --raw so the session key is the only output and can be captured cleanly into BW_SESSION. Feed the master password with --passwordenv, not on the command line, so it does not appear in the process list. bw login --apikey is the non-interactive way to authenticate first.
Common errors in CI
"You are not logged in." means bw login has not run yet. "Invalid master password." means BW_PASSWORD is wrong or unset. If unlock returns nothing usable, you likely omitted --raw and captured extra prompt text into BW_SESSION.