Keeping secrets safe yet accessible in your development workflow can be a friction point. Enter bwenv ― a nifty CLI tool that bridges your Bitwarden CLI vault and your shell environment via direnv. It lets you load secrets from Bitwarden folders directly into a .envrc (and thus your environment) in a secure, automated way. 
In this article we’ll cover:
• Why bwenv is useful
• How it works (high-level)
• How to install and use it (including a simple example)
• When / for whom it’s a good fit
• Some caveats & tips
⸻
Why bwenv is Useful
Here are a few benefits of using bwenv in your developer workflow:
- Centralised secret management
If you already use Bitwarden to store your secrets (API keys, credentials, config values, etc) you don’t want to copy/paste them into .env files ad-hoc. With bwenv you point at a Bitwarden folder, and the values become environment variables automatically. This reduces duplication and risk of forgotten updates.
- Integrates with direnv for dynamic loading
The power of direnv is that environment variables (and other shell context) load automatically when you cd into a directory and .envrc is allowed. bwenv plays into this by generating (or managing) the .envrc that uses your Bitwarden secrets. That means when you enter your project folder you instantly pick up secrets, and when you leave it they can be unloaded.
- Keeps secrets out of version control
Because you’re loading secrets live into your shell environment, you avoid committing them into your repository or long-lived config files. The .envrc generated by bwenv doesn’t contain literal secret strings (unless you pick debug mode) but rather instructs loading them from Bitwarden.
- Reduced manual steps & less chance of mis-config
With a script that handles unlocking the Bitwarden vault, selecting the folder, generating the .envrc, you avoid manual errors (forgot to set PATH, wrong variable names, missing session, etc). bwenv supports interactive folder selection and generation. 
⸻
How bwenv Works (High-level)
Here’s a short run-through of the mechanism behind bwenv:
1. You install bwenv (via make install) which copies helper scripts (for direnv) and the bwenv CLI. 
2. You ensure you have the prerequisites: the Bitwarden CLI and jq (a JSON processor). 
3. You run something like bwenv init (or bwenv interactive). This will ask for a Bitwarden folder (either by name or interactively by listing your folders). The script will (if needed) unlock the vault, read items from the selected folder, fetch their custom fields, and build a .envrc file. 
4. You run direnv allow in your project directory. direnv loads the .envrc, exports the environment variables (setting them in your shell session).
5. When you’re done (or want to clean up) you can run bwenv remove, which deletes the generated .envrc. 
Under the hood, bwenv uses the environment variable BW_SESSION (used by the Bitwarden CLI) to securely access the vault. And it has debug modes (show steps only, or show actual secret values) to help you inspect what’s happening. 
⸻
Installation & Usage Example
Here’s a concrete example of how you might set up and use bwenv in a project.
Prerequisites
• You’ve already installed the Bitwarden CLI (bw).
• You’ve already installed jq.
• You have direnv installed and configured for your shell (e.g., Zsh or Bash).
• You have a Bitwarden folder (say “Project-X”) with items whose custom fields correspond to environment variables (e.g., API_KEY, DB_PASSWORD, etc).
Installation
# clone or download the repository or just use the Makefile
make install
# On Linux/macOS you’ll then add to PATH:
make setup-path
# Or manually:
export PATH="$HOME/.local/bin:$PATH"
(From the README) 
Initialize secrets for your project
Navigate to your project root and run:
bwenv init
It will prompt you for the Bitwarden folder. Suppose you enter Project-X. It will then unlock your vault if needed, fetch the items in “Project-X”, and generate a .envrc in the current directory.
Example:
# After init…
direnv allow
Now your shell session (in that directory) has the exported environment variables. You can verify:
echo $API_KEY
echo $DB_PASSWORD
Interactive selection
Alternatively, you could use:
bwenv interactive
This will list available Bitwarden folders and you can pick one by number. Then proceed to allow direnv. 
Remove when done
If you want to clean up:
bwenv remove
This deletes the .envrc that was generated. 
Debug modes
If you want to see more verbose output or actual secret values (be careful!) you can use:
bwenv --debug=2 init
Or silence output:
bwenv --quiet init
There’s a mapping to environment variable BWENV_DEBUG as well:
• BWENV_DEBUG=1 = steps only (default)
• BWENV_DEBUG=2 = show secrets
• BWENV_DEBUG=0 = silent mode 
⸻
When / For Whom is bwenv a Good Fit?
Here are some scenarios where bwenv shines, and also some where it might not be ideal.
✅ Good fit
• You’re already using Bitwarden (via the CLI) for storing secrets.
• You have multiple projects where each project has its own set of secrets stored in a Bitwarden folder.
• You want secrets to be dynamically loaded when you enter a project directory (using direnv) rather than manually exporting each time.
• You want to avoid committing secrets, .env files with sensitive values, or manual copying of values.
• You’re comfortable with CLI tools, shell configuration, and want to automate your workflow.
⚠️ Might not be ideal / Considerations
• If you don’t use Bitwarden (or don’t want the CLI) then it’s not useful.
• If your workflow uses different secret management (Vault, AWS Secrets Manager, Kubernetes secrets, etc) then other integrations might be more direct.
• You need to trust that the .envrc generation is secure and handled with care (since environment vars are still in memory).
• On shared machines / CI environments you’ll need to consider how the Bitwarden session is unlocked and handled (possible interactive prompts, or using BW_SESSION).
• If you are working in an environment where secrets need even stronger isolation (e.g., containers with minimal tooling) you might want a different pattern rather than direnv.
⸻
Tips & Best Practices
• Make sure your Bitwarden folder naming convention is consistent so you don’t accidentally pick the wrong folder when using interactive mode.
• Don’t run the debug mode (--debug=2) in a shared screen session unless you’re sure no one else can see the secret output.
• In your .envrc, you may want to restrict what’s loaded (for example you might delete or rename variables you don’t need). bwenv generates based on all custom fields in the folder, so tailor your items.
• Keep your direnv configuration secure (e.g., enabling direnv allow only when you trust the .envrc).
• If you’re scripting or automating, you can use bwenv test to verify dependencies and configuration. 
• For CI/CD you may need a non-interactive mode (using environment variables for your Bitwarden session). You might extend or wrap bwenv for your pipeline.
• Consider storing metadata in your Bitwarden items (custom fields with consistent naming) so the mapping to env vars is predictable.
⸻
Final Thoughts
bwenv is a thoughtful tool for developers who want to streamline secret-management in a shell / project-directory context while using Bitwarden + direnv. It removes a lot of the manual friction of “I need to export this secret”, “did I update the .env file?”, or “am I using the right folder for this project?” and replaces it with a mostly one-time setup plus convenient direnv behavior.
If your workflow aligns with its assumptions (Bitwarden CLI, direnv, shell development) then it’s definitely worth giving a try.
If you end up using bwenv, I’d love to hear what you think — what works, what you change, or how you adapt it in your workflow.
Top comments (0)