DocumentationGuidesBitwarden

Use dotenvx with Bitwarden

Load dotenvx private keys from Bitwarden at runtime.

Store your DOTENV_PRIVATE_KEY* values in Bitwarden, then load them into the environment before running dotenvx.

Store a Private Key

Create a Bitwarden login item named after the dotenvx private-key environment variable.

Name: DOTENV_PRIVATE_KEY
Password: <your DOTENV_PRIVATE_KEY value>

For .env.production, name the item DOTENV_PRIVATE_KEY_PRODUCTION.

Name: DOTENV_PRIVATE_KEY_PRODUCTION
Password: <your DOTENV_PRIVATE_KEY_PRODUCTION value>

Read a Private Key

Use bw get password to read the Bitwarden item password into DOTENV_PRIVATE_KEY.

export BW_SESSION="$(bw unlock --raw)"
DOTENV_PRIVATE_KEY="$(bw get password DOTENV_PRIVATE_KEY)" dotenvx run -- npm start

dotenvx run sees DOTENV_PRIVATE_KEY, decrypts .env, and injects the decrypted values into your process.

Use Production

For .env.production, read the matching Bitwarden item into DOTENV_PRIVATE_KEY_PRODUCTION.

export BW_SESSION="$(bw unlock --raw)"
DOTENV_PRIVATE_KEY_PRODUCTION="$(bw get password DOTENV_PRIVATE_KEY_PRODUCTION)" dotenvx run -- npm start

The item name, environment variable name, and dotenvx private-key name match one-to-one.

Team Workflows

Bitwarden works well for developers who already use Bitwarden locally. For teams that want private keys stored off-device, shared by project, and available without each developer wiring local Bitwarden access, use Armor.