Managing credentials securely is a fundamental skill for developers. Whether you’re handling API keys, database passwords, or SSH keys, the right password manager can streamline your workflow while maintaining strong security practices. This guide evaluates password managers based on CLI accessibility, scripting capabilities, and integration options that matter to developers.
Why Developers Need Specialized Password Management
Developers face unique challenges that generic password managers don’t address. You need to store API tokens, database credentials, SSH keys, and environment variables—not just website passwords. The best password manager for developers offers command-line interface access, support for multiple secret types, and the ability to inject credentials directly into applications and development workflows.
Beyond personal password management, teams require shared secrets for service accounts, deployment credentials, and environment-specific configurations. A developer-focused password manager should support both individual and team use cases with appropriate access controls.
Bitwarden: Open-Source with Excellent CLI Support
Bitwarden stands out as the best password manager for developers who value transparency and flexibility. As an open-source solution, you can self-host the entire stack or use their hosted service. The CLI tool provides comprehensive functionality for scripting and automation.
Installing and Configuring Bitwarden CLI
Install the Bitwarden CLI using your preferred package manager:
# Using npm
npm install -g @bitwarden/cli
# Using Homebrew
brew install bitwarden-cli
# Using Chocolatey
choco install bitwarden-cli
Authenticate from the command line:
bw login your-email@example.com
bw unlock
The CLI stores your session key in an environment variable, which you can export for programmatic access:
export BW_SESSION="your-session-key"
Storing and Retrieving Secrets
Create secure notes for API keys or arbitrary credentials:
# Create a login item with custom fields
bw create item login --name "AWS Production" \
--username "deployer" \
--password "your-api-key" \
--url "https://aws.amazon.com" \
--notes "Production deployment account"
# Generate a secure password
bw generate --length 24 --complexity
For application integration, fetch credentials programmatically:
# Get a specific item's password
bw get item "AWS Production" | jq -r '.login.password'
This approach works well for CI/CD pipelines where you need to inject secrets without exposing them in logs.
1Password: Developer-Friendly Integrations
1Password offers robust developer tools through its CLI (op CLI) and extensive integrations. While the core service is closed-source, the developer experience is polished, and the secret integration product (1Password Secrets) provides dedicated infrastructure for application secrets.
1Password CLI Setup
Install the CLI and sign in:
# macOS
brew install --cask 1password-cli
# Sign in interactively
op signin
Using 1Password in Development
Store API keys as secure notes and reference them in your application:
# Create a secret in 1Password
op create item "Secure Note" \
--title "Stripe API Key" \
--notes "Production stripe key" \
--vault "Developer"
# Reference the secret in your application
eval $(op run --env-file=.env.production -- your-command-here)
The op run command injects secrets from 1Password into environment variables before executing a command. This keeps credentials out of your shell history and process list.
Integrating with GitHub Actions
1Password provides a GitHub Action for secure secret injection:
- name: Inject secrets
uses: 1password/[email protected]
with:
# Store your SEOP_VAULT_NAME in GitHub secrets
seop-vault-name: ${{ secrets.1P_VAULT_NAME }}
seop-service-name: ${{ secrets.1P_SERVICE_NAME }}
seop-secrets: |
STRIPE_API_KEY:
secret: ${{ secrets.STRIPE_API_KEY }}
DATABASE_URL:
secret: ${{ secrets.DATABASE_URL }}
HashiCorp Vault: Enterprise-Grade Secret Management
For teams requiring sophisticated secret management, HashiCorp Vault provides the most comprehensive solution. It handles dynamic secrets, encryption as a service, and detailed audit logs. While the learning curve is steeper, Vault excels in production environments where you need fine-grained access control.
Starting a Development Vault
For local development, use the dev server:
# Start a development server (do NOT use in production)
vault server -dev
# Export the root token
export VAULT_TOKEN="your-root-token"
export VAULT_ADDR="http://127.0.0.1:8200"
Storing and Accessing Secrets
Store credentials and retrieve them via the API:
# Enable the key-value secrets engine
vault secrets enable -path=secret kv
# Store a secret
vault kv put secret/myapp/database \
username="app_user" \
password="secure-password-123" \
host="db.example.com"
# Read the secret
vault kv get secret/myapp/database
For application integration, use the Vault agent or sidecar pattern to inject secrets without hardcoding credentials:
# Generate a dynamic database credential
vault write database/roles/myapp-db \
db_name=mydb \
creation_statements="CREATE USER '{{name}}' WITH PASSWORD '{{password}}'; GRANT ALL ON mydb TO '{{name}}';" \
default_ttl="1h" \
max_ttl="24h"
# Generate temporary credentials
vault read database/creds/myapp-db
Vault’s dynamic secrets generate unique credentials for each request, eliminating the risk of shared passwords and enabling instant revocation.
Choosing the Right Solution
Select based on your specific needs:
| Tool | Best For | CLI Quality | Self-Hosting |
|---|---|---|---|
| Bitwarden | Individual developers, small teams | Excellent | Yes |
| 1Password | Teams wanting polished UX | Very Good | No |
| HashiCorp Vault | Enterprise, complex requirements | Good | Yes |
For most developers, Bitwarden provides the best balance of features, cost, and flexibility. The open-source nature means you can audit the code, and the CLI is powerful enough for most automation needs. Small teams benefit from 1Password’s intuitive interface, while organizations with strict compliance requirements should consider HashiCorp Vault.
Regardless of which tool you choose, enable two-factor authentication on your password manager account. The master password protects your secrets, but 2FA adds a critical additional layer of defense.
Related Reading
- Best Hardware Security Key for Developers: A Practical Guide
- Bitwarden Vault Export Backup Guide: Complete Technical.
- Telegram vs Signal: Which Is Actually Safer? A Technical.
Built by theluckystrike — More at zovo.one