Bitwarden CLI is the best overall password manager CLI tool for most developers, offering a free tier with full vault management, scripting support, and cross-platform sync. For local-only GPG-encrypted storage, use pass (the standard Unix password manager). Choose 1Password CLI for polished team workflows, gopass for multi-store organization, or HashiCorp Vault for enterprise secrets management. Below are installation steps, usage examples, and integration patterns for each tool.

Why Use a CLI Password Manager

Command-line password managers appeal to developers for several reasons. First, they integrate naturally with shell scripts and automation pipelines. You can fetch credentials programmatically without leaving your terminal or switching contexts. Second, CLI tools typically have minimal resource overhead compared to full GUI applications. Third, they work identically across different operating systems, making them ideal for developers who work in mixed environments or remote servers.

The ability to use password managers in SSH sessions, CI/CD pipelines, and containerized environments makes CLI tools indispensable for modern development workflows.

Top CLI Password Managers

1. Bitwarden CLI

Bitwarden provides one of the most feature-complete CLI implementations among cloud-based password managers. The tool is open-source and supports all major Bitwarden features through the terminal.

Installation:

npm install -g @bitwarden/cli

Basic Usage:

# Login to your vault
bw login your@email.com

# Unlock your vault
bw unlock

# Get a password
bw get password "example.com"

# List all items
bw list items

The Bitwarden CLI supports folder organization, secure notes, and attachments. You can also use it to generate passwords directly:

bw generate -lu --length 20

This generates a 20-character password with uppercase letters. The CLI integrates well with password masking tools like pass if you prefer local-only storage while maintaining Bitwarden’s organization features.

2. 1Password CLI

1Password offers a full-featured CLI tool that works smoothly with your 1Password vault. The v2 CLI uses the company’s modern architecture and provides comprehensive functionality.

Installation:

# macOS with Homebrew
brew install 1password-cli

# Ubuntu/Debian
curl -sS https://downloads.1password.com/linux/keys/1password.asc | \
  gpg --dearmor > /tmp/1password.gpg
sudo mv /tmp/1password.gpg /etc/apt/trusted.gpg.d/
echo "deb https://downloads.1password.com/linux/debian stable main" | \
  sudo tee /etc/apt/sources.list.d/1password.list
sudo apt update && sudo apt install 1password-cli

Basic Usage:

# Sign in (opens browser for authentication)
op signin

# Get a password
op item get "example.com" --field password

# List vaults
op vault list

# Create a new item
op item create --category "Login" \
  --title "My API Key" \
  --label "username" "api_user" \
  --label "password" "your-secret-key"

The 1Password CLI supports Connect servers for self-hosted deployments, making it suitable for teams that need local control over their password data.

3. pass

The standard Unix password manager, pass stores passwords in encrypted GPG files within a simple directory structure. It’s the most minimal approach to CLI password management and integrates deeply with the Unix philosophy.

Installation:

# macOS
brew install pass

# Ubuntu/Debian
sudo apt install pass

Basic Usage:

# Initialize with your GPG key
pass init "your-gpg-key-id"

# Insert a password
pass insert example.com

# Generate a password
pass generate example.com 20

# Copy password to clipboard
pass -c example.com

# Show password (displayed in terminal)
pass example.com

The pass tool uses a straightforward directory structure where each password is an encrypted file. This simplicity means you can back up your entire password vault using standard file synchronization tools:

# Sync with git
pass git init
pass git remote add origin git@github.com:yourusername/password-store.git

You can also use extensions like pass-tomb to add encrypted tomb files for additional security, or pass-otp for time-based one-time passwords.

4. gopass

Built on top of pass, gopass adds organizational features, multi-file support, and a more user-friendly interface while maintaining compatibility with the standard pass ecosystem.

Installation:

# macOS
brew install gopass

# Linux
sudo apt install gopass

Basic Usage:

# Initialize a new store
gopass init

# Add a password with notes
gopass insert -n example.com
# Or use the interactive editor
gopass edit example.com

# Generate with custom options
gopass generate example.com -c -l 24

# List all entries
gopass ls

# Show password with context
gopass show example.com

gopass handles multiple stores and supports team configurations, making it suitable for organizational use cases.

5. Vault (by HashiCorp)

HashiCorp Vault is an enterprise-grade secrets management tool that goes beyond simple password storage. While it’s designed for infrastructure and application secrets, developers increasingly use it for credential management.

Installation:

# Download from https://www.vaultproject.io/downloads
# or use homebrew
brew install hashicorp/tap/vault

Basic Usage:

# Start Vault in development mode
vault server -dev

# Enable the key-value secrets engine
vault secrets enable -path=secret kv

# Store a secret
vault kv put secret/myapp username=admin password=secret123

# Retrieve a secret
vault kv get secret/myapp

# Retrieve specific field
vault kv get -field=password secret/myapp

Vault excels in team environments where you need audit logs, fine-grained access control, and integration with infrastructure-as-code tools.

Choosing the Right Tool

Consider these factors when selecting a CLI password manager:

Cloud vs. local storage is the first decision. Bitwarden and 1Password offer cloud synchronization across devices. The pass and gopass tools store everything locally, giving you complete control but requiring manual sync setup.

Team requirements matter if you need shared credentials. Bitwarden, 1Password Connect, or HashiCorp Vault provide the necessary collaboration features. For personal use, pass offers simplicity without ongoing costs.

For automation needs, all tools support script integration, but Vault is purpose-built for application automation. Bitwarden’s CLI has the most extensive scripting capabilities among consumer-focused options.

Each tool has a different security model. pass and gopass use GPG encryption with local storage, while Bitwarden and 1Password use their own encryption protocols with cloud storage.

Integrating CLI Password Managers into Your Workflow

Here’s an example of using a CLI password manager in a deployment script:

#!/bin/bash
# Deploy script excerpt

# Fetch database credentials securely
DB_PASSWORD=$(bw get password "production-database")

# Use in database migration
psql -h db.example.com -U app_user -d myapp -c "ALTER USER app_user WITH PASSWORD '$DB_PASSWORD'"

# Clear from memory
unset DB_PASSWORD

This approach keeps credentials out of your shell history and environment files while maintaining automation capabilities.

Conclusion

Bitwarden CLI offers excellent cross-platform support and a generous free tier. 1Password CLI provides a polished experience with strong security features. The pass tool remains the standard for Unix enthusiasts who prefer local-only storage. HashiCorp Vault suits teams needing enterprise secrets management. The best password manager is one you’ll actually use consistently.

Built by theluckystrike — More at zovo.one