🛡️ Bitwarden Secret Manager
To set up secrets management in Bitwarden, follow these steps:
- Create a new organisation in your Bitwarden account. This organisation will act as a container to store and organise your secrets, similar to how you manage passwords.
- Subscribe to the Secret Manager service. This service allows you to securely store an unlimited number of secrets, such as API keys, passwords and certificates. It offers end-to-end encryption, centralised management and access control to protect your sensitive data.
- After creating your Organization, go to Secret Manager in the tab at the top right.
- Then create your lazywarden Project.
- After setting up your Lazywarden project, you need to create the secrets that will be used in the project.
- With these secrets added, we can now modify our .env file to contain our secrets. Only add the services you use; you do not need to fill in every service listed.
#---------------------------------------------------------------------------------------
# These are the 6 variables that are mandatory requirements for Bitwarden Secret Manager
BW_URL=00000000-0000-0000-0000-000000000000
BW_USERNAME=00000000-0000-0000-0000-000000000000
BW_PASSWORD=00000000-0000-0000-0000-000000000000
ENCRYPTION_PASSWORD=00000000-0000-0000-0000-000000000000
ZIP_PASSWORD=00000000-0000-0000-0000-000000000000
ZIP_ATTACHMENT_PASSWORD=00000000-0000-0000-0000-000000000000
#---------------------------------------------------------------------------------------
# TOTP Seed for Aegis,Authy,Ente,GoogleAuth (Optional)
BW_TOTP_SECRET=
# pCloud Credentials (Optional)
PCLOUD_USERNAME=
PCLOUD_PASSWORD=
# Mega Credentials (Optional)
MEGA_EMAIL=
MEGA_PASSWORD=
# Dropbox Credentials (Optional)
DROPBOX_ACCESS_TOKEN=
DROPBOX_REFRESH_TOKEN=
DROPBOX_APP_KEY=
DROPBOX_APP_SECRET=
# Todoist Credentials (Optional)
TODOIST_TOKEN=
# CalDAV Credentials
CALDAV_URL=
CALDAV_USERNAME=
CALDAV_PASSWORD=
# Nextcloud Credentials (Optional)
NEXTCLOUD_URL=
NEXTCLOUD_USERNAME=
NEXTCLOUD_PASSWORD=
# Seafile Credentials (Optional)
SEAFILE_SERVER_URL=
SEAFILE_USERNAME=
SEAFILE_PASSWORD=
# Filebase Credentials (Optional)
FILEBASE_ACCESS_KEY=
FILEBASE_SECRET_KEY=
# KeePass Password (Optional)
KEEPASS_PASSWORD=
# Storj Credentials (Optional)
STORJ_ACCESS_KEY=
STORJ_SECRET_KEY=
STORJ_ENDPOINT=
# R2 Credentials (Optional)
R2_ACCESS_KEY_ID=
R2_SECRET_ACCESS_KEY=
R2_ENDPOINT_URL=
# Vikunja Credentials (Optional)
VIKUNJA_API_TOKEN=
VIKUNJA_URL=
# Backblaze B2 Credentials (Optional)
B2_APP_KEY_ID=
B2_APP_KEY=
If you are going to use Vikunja's service, also make sure that the URL ends with the correct structure.
Example: Vikunja http://192.175.88.227:3456/api/v1
- If you have TOTP enabled on your Bitwarden account, put your TOTP seed in the BW_TOTP_SECRET variable.
🔐 TOTP Activation
If you do not have TOTP enabled in your Bitwarden account, simply leave the variable in the .env file blank.
📋 Additional Variables
Continue filling in the other variables one by one. For any services for which you do not have an account, simply leave the variable blank in the .env file.
- After creating all your secrets, create a Machine Account that will hold our ACCESS_TOKEN.
- Add and save the lazywarden project to your Machine Account.
- Finally, go to Access Tokens and create one to use in our lazywarden project.
- To find the ORGANIZATION_ID variable for our .env, read it from the URL while you are viewing your organization, or run the following command:
bw list organizations
ORGANIZATION_ID=212A4880-22f9-1114-b00e-12345234278ac
ACCESS_TOKEN=0.345f5e9c-8730-4a4c-917b-b100003312356.Oj4XzcyGFF222212345kwzV:e5mC4d1111111128/3EQ==
Attention: Security Critical Variables
### These variables contain the passwords for encrypting the backup.
### Change the passwords according to your preferences.
# Contains the encryption password for the JSON file
ENCRYPTION_PASSWORD=p3mTd5SqDqkXQqE!Tpwv27Ecx
# Contains the encryption password for the first ZIP file
ZIP_PASSWORD=ZCGvq@gwS7QhV@&R3k*x*xN72anybyFHW2RWiBTr
# Contains the encryption password for the attached ZIP file.
# Where our files will be stored if Bitwarden Premium is enabled.
# If Bitwarden Premium is not enabled, the attachment folder will be empty.
ZIP_ATTACHMENT_PASSWORD=HBLXL9!grer@Uay2edkwTXeZx!E9DxKphNxsNak1knb3dcfx2o
# Contains the encryption password for KeePass Database (Kdbx).
KEEPASS_PASSWORD=e2zkwTXe21!E9DxKp
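An added example, not part of the Lazywarden project: a small Python check to run over the finished .env before the first backup. It flags mandatory variables left empty or still holding the template's all-zero placeholder, a VIKUNJA_URL that does not end in /api/v1, and, as an assumption, services that are only partly filled in. The names parse_env and check_env and the sample values are constructed for illustration.

```python
# Variables the template marks as mandatory for Bitwarden Secret Manager.
MANDATORY = ("BW_URL", "BW_USERNAME", "BW_PASSWORD",
             "ENCRYPTION_PASSWORD", "ZIP_PASSWORD", "ZIP_ATTACHMENT_PASSWORD")
# Assumption: a service is either fully configured or left fully blank.
SERVICE_GROUPS = {
    "pCloud": ("PCLOUD_USERNAME", "PCLOUD_PASSWORD"),
    "Nextcloud": ("NEXTCLOUD_URL", "NEXTCLOUD_USERNAME", "NEXTCLOUD_PASSWORD"),
    "Vikunja": ("VIKUNJA_API_TOKEN", "VIKUNJA_URL"),
}
PLACEHOLDER = "00000000-0000-0000-0000-000000000000"  # value shipped in the template

# Constructed sample input (not real credentials).
SAMPLE = """\
BW_URL=1b2c3d4e-0000-4000-8000-aaaaaaaaaaaa
BW_USERNAME=00000000-0000-0000-0000-000000000000
BW_PASSWORD=
VIKUNJA_API_TOKEN=constructed-token
VIKUNJA_URL=http://vikunja.example:3456
"""

def parse_env(text):
    """Parse KEY=VALUE lines, skipping blank lines and # comments."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")  # split on the first '=' only
            env[key.strip()] = value.strip().strip("'\"")
    return env

def check_env(text):
    """Return a list of problems found in the .env text (empty list means OK)."""
    env, problems = parse_env(text), []
    for name in MANDATORY:
        if not env.get(name):
            problems.append(f"{name}: mandatory variable is empty")
        elif env[name] == PLACEHOLDER:
            problems.append(f"{name}: template placeholder not replaced")
    for service, names in SERVICE_GROUPS.items():
        missing = [n for n in names if not env.get(n)]
        if missing and len(missing) < len(names):
            problems.append(f"{service}: partially configured, missing {missing}")
    url = env.get("VIKUNJA_URL", "")
    if url and not url.rstrip("/").endswith("/api/v1"):
        problems.append("VIKUNJA_URL: must end with /api/v1")
    return problems

if __name__ == "__main__":
    print("\n".join(check_env(SAMPLE)) or "OK")
```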