A companion utility for the Bitwarden Desktop Client that creates a popup window to quickly copy usernames, passwords, and verification codes while inside any other app.
Inspired by 1Password's Quick Access feature.
- Download the Bitwarden CLI.
- Download (or build from source) the Quickwarden executable.
- Log in with your Bitwarden Account's API keys.
  - Your API keys can be found on the Bitwarden website under `Account Settings -> Security -> Keys -> API Key`.
  - You can optionally have your API Keys saved in Electron's `localstorage` between restarts. (See Security)
  - You will always have to enter your Master Password between restarts.
Description | Keybind |
---|---|
Popup the Quickwarden Window | Ctrl/Cmd + Shift + Space |
Close the Window | Escape |
Search | Just start typing... |
Move Selection Up/Down | Up/Down Arrow |
Copy Username | Ctrl/Cmd + C |
Copy Password | Ctrl/Cmd + Shift + C |
Copy Verification Code (TOTP) | Ctrl + Alt + C on Windows/Linux; Cmd + Ctrl + C on MacOS |
- Clone the repository.
- Run `npm i` to install all npm dependencies.
- Run `npm run make` to build an executable.
- The executable can be found in the `out/make/` directory.
  - e.g., on MacOS: `out/make/zip/darwin/arm64/Quickwarden-darwin-arm64-1.0.0.zip`
Your Bitwarden Account is likely the key to a lot of things in your life that you would like to keep very secure. For that reason, you should not give just any app your Bitwarden credentials without exercising extreme caution.
Quickwarden is completely open source and will remain that way. I encourage everyone to read the source code themselves (I have attempted to make it as easy to read as possible) and build from source to verify that your executable was created from the source that you read.
Quickwarden uses Bitwarden's API keys to log in to the Bitwarden CLI. I chose to use API keys instead of a username because the Bitwarden CLI does not currently support some of Bitwarden's 2FA options, including the one I use. As far as I can tell, API keys are also more secure because they can be revoked by the user and still require the Master Password to log in.
Quickwarden can optionally save your API keys in Electron's localstorage to make logging in between restarts faster. Electron's localstorage is not encrypted. Potentially a malicious application could scan for these keys. However, these keys are useless without the Master Password and the Master Password is never saved to disk. I am open to suggestions on how to better save these keys.
Your Master Password is the true key to your Bitwarden Account. For that reason, Quickwarden has been written to discard it as soon as it logs in.
- When the "Log in" button is pressed, the login window calls the `loginWithApi()` function and passes it the Master Password.
- The `loginWithApi()` function first gets routed through IPC to immediately invoke the `loginWithApi()` function on the main thread.
- The IPC invocation is handled on the main thread and immediately calls the Bitwarden API function `loginWithApi()`.
- The Bitwarden API function takes the Master Password and calls the Bitwarden CLI command `bw unlock --raw --passwordenv BW_PASSWORD` with `BW_PASSWORD` set to the Master Password.
- From then on, the program only uses the session ID that is created when unlocking the vault. This session ID is valid until `bw lock` is run (upon a Quickwarden restart) and is also not saved to disk.
No other code touches the Master Password.
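The unlock step described above, as an added Node.js example that is not Quickwarden's own code. `unlockVault`, `runWithSession`, `defaultExec` and the injectable `exec` parameter are hypothetical names; the `bw unlock --raw --passwordenv BW_PASSWORD` command line comes from this README, and `BW_SESSION` is the Bitwarden CLI's environment variable for the session key.

```javascript
// Added example. unlockVault/runWithSession/defaultExec are hypothetical names.
async function defaultExec(file, args, options) {
  // Dynamic import works from both CommonJS and ES modules.
  const { execFile } = await import('node:child_process');
  const { promisify } = await import('node:util');
  return promisify(execFile)(file, args, options);
}

// Unlock the vault and return only the session key.
async function unlockVault(masterPassword, exec = defaultExec) {
  if (typeof masterPassword !== 'string' || masterPassword.length === 0) {
    throw new Error('master password required');
  }
  // The password is placed in the child's environment only. It never appears
  // in argv and is never written to this process's own process.env.
  const childEnv = { ...process.env, BW_PASSWORD: masterPassword };
  let stdout;
  try {
    ({ stdout } = await exec(
      'bw',
      ['unlock', '--raw', '--passwordenv', 'BW_PASSWORD'],
      { env: childEnv, encoding: 'utf8' }
    ));
  } catch (err) {
    // Generic error so CLI stderr is not echoed into logs or the UI.
    throw new Error('bw unlock failed');
  } finally {
    // Drop our reference; JavaScript cannot wipe the string from memory.
    delete childEnv.BW_PASSWORD;
  }
  const session = String(stdout).trim();
  if (!session) throw new Error('bw unlock returned no session key');
  return session; // hold in memory only, never persist
}

// Later CLI calls authenticate with the session key instead of the password.
async function runWithSession(session, args, exec = defaultExec) {
  const env = { ...process.env, BW_SESSION: session };
  delete env.BW_PASSWORD; // defensive: never forward a stray password
  const { stdout } = await exec('bw', args, { env, encoding: 'utf8' });
  return stdout;
}
```

While `bw` runs, its environment can typically be read by other processes of the same user, so this pattern limits exposure through process listings and disk, not through an already compromised user session.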
If you have further security concerns that I have not addressed here or have suggestions on how to make Quickwarden more secure, please create an issue or a pull request.