Skip to content
Latchkey

bw unlock: Get a Bitwarden Session Key in CI

bw unlock decrypts your Bitwarden vault with the master password and prints a session key that authorizes further bw commands.

After bw login authenticates the account, the vault is still locked. bw unlock produces the BW_SESSION key that every read command needs for the rest of the job.

What it does

bw unlock takes the master password, decrypts the local vault, and returns a session key. Export that key as BW_SESSION so subsequent bw get and bw sync calls can operate without prompting.

Common usage

Terminal
bw login --apikey   # uses BW_CLIENTID / BW_CLIENTSECRET
export BW_SESSION="$(bw unlock --passwordenv BW_PASSWORD --raw)"
bw sync
bw get password "deploy-token"

Options

FlagWhat it does
--rawPrint only the session key (nothing else)
--passwordenv <VAR>Read the master password from an env var
--passwordfile <path>Read the master password from a file
BW_SESSIONEnv var the other commands read the session key from

In CI

Use --raw so the session key is the only output and can be captured cleanly into BW_SESSION. Feed the master password with --passwordenv, not on the command line, so it does not appear in the process list. bw login --apikey is the non-interactive way to authenticate first.

Common errors in CI

"You are not logged in." means bw login has not run yet. "Invalid master password." means BW_PASSWORD is wrong or unset. If unlock returns nothing usable, you likely omitted --raw and captured extra prompt text into BW_SESSION.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →