
Password Manager Functions

chezmoi provides template functions to securely integrate with popular password managers. These functions allow you to retrieve secrets, credentials, and other sensitive data from your password manager without storing them in your dotfiles.

General Concepts

Caching

Most password manager functions cache their results during template execution, so calling the same function multiple times with the same arguments will only invoke the password manager CLI once.

Authentication

Password managers typically require authentication before accessing secrets. chezmoi will:
  1. Use existing authenticated sessions when available
  2. Prompt for authentication interactively when needed
  3. Pass through environment variables for non-interactive authentication

Configuration

Each password manager can be configured in the chezmoi config file:
~/.config/chezmoi/chezmoi.toml
[onepassword]
    command = "op"
    prompt = true

[bitwarden]
    command = "bw"

[lastpass]
    command = "lpass"

1Password

Integrate with 1Password using the 1Password CLI.

onepassword uuid [vault] [account]

Returns structured data from 1Password.
{{ $item := onepassword "item-uuid" }}
title: {{ $item.title }}
password: {{ (onepasswordDetailsFields "item-uuid").password.value }}

{{ $item := onepassword "item-uuid" "vault-name" }}
{{ $item := onepassword "item-uuid" "vault-name" "account-name" }}
{{ $item := onepassword "item-uuid" "" "account-name" }}

Accessing Fields

{{ $item := onepassword "GitHub" }}
{{ range $item.fields }}
{{   if eq .label "password" }}
Password: {{ .value }}
{{   end }}
{{ end }}

onepasswordDocument uuid [vault] [account]

Returns a document from 1Password.
{{ onepasswordDocument "ssh-key-uuid" }}

onepasswordDetailsFields uuid [vault] [account]

Returns details fields from 1Password.
{{ $fields := onepasswordDetailsFields "item-uuid" }}
{{ $fields.api_key.value }}

onepasswordItemFields uuid [vault] [account]

Returns item fields from 1Password.
{{ $fields := onepasswordItemFields "item-uuid" }}
{{ range $fields }}
{{ .label }}: {{ .value }}
{{ end }}

onepasswordRead url

Reads a secret using 1Password secret reference URL.
api_key = {{ onepasswordRead "op://vault/item/field" }}
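As an added illustration of what a secret reference encodes (this is example code written for this page, not chezmoi's or 1Password's own implementation), the Go program below splits an `op://vault/item/[section/]field` reference into its parts, rejects malformed ones, and then resolves the reference against a constructed `fields` list of the shape the range loops above iterate over (`label`, `value`, plus a section label). The `Field` type, `sampleItem` and all values are constructed for the example; the `?attribute=` query form of references is deliberately not handled. It also shows why a reference carrying a section is preferable when two sections define the same field label: the resolver refuses to guess.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// SecretRef is the decoded form of a 1Password secret reference,
// op://<vault>/<item>/[<section>/]<field>.
type SecretRef struct {
	Vault, Item, Section, Field string
}

var ErrBadRef = errors.New("invalid op:// secret reference")

// ParseSecretRef validates and splits a reference. Every component must be
// non-empty and there must be exactly three or four of them, so a malformed
// reference fails at template time instead of producing an empty credential.
func ParseSecretRef(ref string) (SecretRef, error) {
	if !strings.HasPrefix(ref, "op://") {
		return SecretRef{}, fmt.Errorf("%w: %q does not start with op://", ErrBadRef, ref)
	}
	parts := strings.Split(strings.TrimPrefix(ref, "op://"), "/")
	for _, p := range parts {
		if p == "" {
			return SecretRef{}, fmt.Errorf("%w: empty component in %q", ErrBadRef, ref)
		}
	}
	switch len(parts) {
	case 3:
		return SecretRef{Vault: parts[0], Item: parts[1], Field: parts[2]}, nil
	case 4:
		return SecretRef{Vault: parts[0], Item: parts[1], Section: parts[2], Field: parts[3]}, nil
	}
	return SecretRef{}, fmt.Errorf("%w: want vault/item/[section/]field, got %d components in %q",
		ErrBadRef, len(parts), ref)
}

// Field is a simplified, constructed view of one entry in an item's "fields"
// array: label, value and the label of its section ("" for top-level fields).
type Field struct {
	Label, Value, Section string
}

// Resolve picks the field a reference addresses out of an already-fetched
// item's fields (the vault is not re-checked here). Without a section the
// label must match exactly one field; if the same label exists in several
// sections the reference is ambiguous and an error is returned.
func Resolve(ref SecretRef, fields []Field) (string, error) {
	var matches []Field
	for _, f := range fields {
		if f.Label != ref.Field {
			continue
		}
		if ref.Section != "" && f.Section != ref.Section {
			continue
		}
		matches = append(matches, f)
	}
	switch len(matches) {
	case 0:
		return "", fmt.Errorf("no field %q in item %q", ref.Field, ref.Item)
	case 1:
		return matches[0].Value, nil
	}
	return "", fmt.Errorf("field %q in item %q is ambiguous (%d matches); add the section to the reference",
		ref.Field, ref.Item, len(matches))
}

// sampleItem is a constructed stand-in for an item called "app" with a
// top-level username/password and two sections that both define "token".
var sampleItem = []Field{
	{Label: "username", Value: "svc-user"},
	{Label: "password", Value: "example-pass"},
	{Label: "token", Value: "tok-staging", Section: "staging"},
	{Label: "token", Value: "tok-prod", Section: "prod"},
}

// Lookup is the step a onepasswordRead-style function performs once the item
// has been fetched: parse the reference, then resolve it against the fields.
func Lookup(ref string, fields []Field) (string, error) {
	r, err := ParseSecretRef(ref)
	if err != nil {
		return "", err
	}
	return Resolve(r, fields)
}

func main() {
	for _, ref := range []string{
		"op://Private/app/password",
		"op://Private/app/prod/token",
		"op://Private/app/token", // ambiguous: two sections define "token"
		"op://Private/app",       // too few components
	} {
		v, err := Lookup(ref, sampleItem)
		if err != nil {
			fmt.Printf("%-30s -> error: %v\n", ref, err)
			continue
		}
		fmt.Printf("%-30s -> %s\n", ref, v)
	}
}
```

Run it with `go run .`; the two well-formed references resolve, the ambiguous one and the truncated one are reported as errors rather than silently yielding an empty string.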

Bitwarden

Integrate with Bitwarden using the Bitwarden CLI.

bitwarden id

Returns structured data from Bitwarden.
{{ $item := bitwarden "item-id" }}
username: {{ $item.login.username }}
password: {{ $item.login.password }}

bitwardenFields id

Returns custom fields from a Bitwarden item.
{{ $fields := bitwardenFields "item-id" }}
api_key: {{ $fields.api_key.value }}

bitwardenAttachment id name

Returns an attachment from a Bitwarden item.
{{ bitwardenAttachment "item-id" "ssh-key.pub" }}

bitwardenAttachmentByRef reference name

Returns an attachment using a Bitwarden reference.
{{ bitwardenAttachmentByRef "item-name" "attachment.txt" }}

bitwardenSecrets key

Returns a secret from Bitwarden Secrets Manager.
token: {{ bitwardenSecrets "secret-key" }}

LastPass

Integrate with LastPass using the LastPass CLI.

lastpass id

Returns the password for a LastPass entry.
password: {{ (index (lastpass "GitHub") 0).password }}

lastpassRaw id

Returns structured data from LastPass.
{{ $item := index (lastpassRaw "GitHub") 0 }}
username: {{ $item.username }}
password: {{ $item.password }}
url: {{ $item.url }}

Pass (Password Store)

Integrate with pass, the standard Unix password manager.

pass path

Returns the first line (password) from a pass entry.
password: {{ pass "github/token" }}

passRaw path

Returns the entire contents of a pass entry.
{{ passRaw "ssh/config" }}

passFields path

Returns structured data from a pass entry.
{{ $item := passFields "github/account" }}
username: {{ $item.username }}
token: {{ $item.token }}
Expected format:
password-here
username: myuser
token: abc123
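To make the entry format above and the per-run caching described under General Concepts concrete, here is an added Go example (written for this page; it is not chezmoi's code) that registers `pass` and `passFields` functions in a Go `text/template` the way chezmoi's template functions are exposed. The backend is a constructed in-memory store standing in for `pass show`, `showCalls` counts how often it is invoked so the caching is observable, and the parser implements exactly the documented layout: first line is the password, later `key: value` lines are fields, anything else is ignored. The template is executed with `missingkey=error`, so a typo in a field name aborts the run instead of writing `<no value>` into a credentials file. All paths and values are constructed.

```go
package main

import (
	"fmt"
	"os"
	"strings"
	"text/template"
)

// fakeStore holds constructed sample entries standing in for `pass show <path>`
// output; a real store keeps these GPG-encrypted and decrypts on demand.
var fakeStore = map[string]string{
	"github/account":  "s3cr3t-p4ss\nusername: myuser\ntoken: abc123\n",
	"aws/credentials": "\naccess_key_id: AKIAEXAMPLE\nsecret_access_key: example/secret\nfree-text note\n",
}

// showCalls counts backend invocations per path so that caching is observable.
var showCalls = map[string]int{}

// rawCache memoises decrypted entries for the lifetime of one template run.
var rawCache = map[string]string{}

// passShow is a hypothetical stub for running `pass show <path>`.
func passShow(path string) (string, error) {
	showCalls[path]++
	entry, ok := fakeStore[path]
	if !ok {
		return "", fmt.Errorf("pass: %q is not in the password store", path)
	}
	return entry, nil
}

// cachedShow returns the raw entry, invoking the backend at most once per path.
func cachedShow(path string) (string, error) {
	if entry, ok := rawCache[path]; ok {
		return entry, nil
	}
	entry, err := passShow(path)
	if err != nil {
		return "", err
	}
	rawCache[path] = entry
	return entry, nil
}

// parsePassEntry implements the documented layout: the first line is the
// password and each later "key: value" line becomes a field. Lines without a
// colon are ignored; an empty first line yields an empty password.
func parsePassEntry(entry string) (password string, fields map[string]string) {
	fields = map[string]string{}
	lines := strings.Split(strings.TrimRight(entry, "\n"), "\n")
	password = lines[0]
	for _, line := range lines[1:] {
		key, value, found := strings.Cut(line, ":")
		key = strings.TrimSpace(key)
		if !found || key == "" {
			continue
		}
		fields[key] = strings.TrimSpace(value)
	}
	return password, fields
}

// passFunc mirrors the `pass path` template function: first line only.
func passFunc(path string) (string, error) {
	entry, err := cachedShow(path)
	if err != nil {
		return "", err
	}
	password, _ := parsePassEntry(entry)
	return password, nil
}

// passFieldsFunc mirrors `passFields path`: the key/value lines as a map.
func passFieldsFunc(path string) (map[string]string, error) {
	entry, err := cachedShow(path)
	if err != nil {
		return nil, err
	}
	_, fields := parsePassEntry(entry)
	return fields, nil
}

// render executes a chezmoi-style template with both functions registered.
// missingkey=error turns an unknown field name into a hard failure.
func render(tmplText string) (string, error) {
	funcs := template.FuncMap{"pass": passFunc, "passFields": passFieldsFunc}
	tmpl, err := template.New("env").Funcs(funcs).Option("missingkey=error").Parse(tmplText)
	if err != nil {
		return "", err
	}
	var sb strings.Builder
	if err := tmpl.Execute(&sb, nil); err != nil {
		return "", err
	}
	return sb.String(), nil
}

// envTemplate follows the dot_env.tmpl pattern, pointed at the sample store.
const envTemplate = `export GITHUB_TOKEN="{{ pass "github/account" }}"
export GITHUB_USER="{{ (passFields "github/account").username }}"
export AWS_ACCESS_KEY_ID="{{ (passFields "aws/credentials").access_key_id }}"
export AWS_SECRET_ACCESS_KEY="{{ (passFields "aws/credentials").secret_access_key }}"
`

func main() {
	out, err := render(envTemplate)
	if err != nil {
		fmt.Fprintln(os.Stderr, "render failed:", err)
		os.Exit(1)
	}
	fmt.Print(out)
	fmt.Fprintf(os.Stderr, "backend calls per path: %v\n", showCalls)
}
```

After `go run .` the backend counter shows each path decrypted once even though `aws/credentials` is referenced twice and `github/account` by two different functions; the shared raw-entry cache is what makes repeated `pass`/`passFields` calls in one template cheap.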

Configuration

~/.config/chezmoi/chezmoi.toml
[pass]
    command = "passage"  # Use pass-compatible manager

Gopass

Integrate with gopass, a pass-compatible password manager.

gopass path

Returns the first line from a gopass entry.
password: {{ gopass "work/api-key" }}

gopassRaw path

Returns the entire contents of a gopass entry.
{{ gopassRaw "ssh/config" }}

KeePassXC

Integrate with KeePassXC using the CLI.

keepassxc entry

Returns the password for a KeePassXC entry.
password: {{ (keepassxc "GitHub").Password }}

keepassxcAttribute entry attribute

Returns a specific attribute from a KeePassXC entry.
username: {{ keepassxcAttribute "GitHub" "UserName" }}
password: {{ keepassxcAttribute "GitHub" "Password" }}
url: {{ keepassxcAttribute "GitHub" "URL" }}

keepassxcAttachment entry attachment

Returns an attachment from a KeePassXC entry.
{{ keepassxcAttachment "SSH" "id_rsa.pub" }}

Keeper

Integrate with Keeper Security using the CLI.

keeper path

Returns the password from a Keeper record.
password: {{ keeper "GitHub/personal" }}

keeperDataFields path

Returns structured data fields from a Keeper record.
{{ $fields := keeperDataFields "GitHub/personal" }}
api_key: {{ $fields.api_key }}

keeperFindPassword path

Finds and returns a password from Keeper.
password: {{ keeperFindPassword "GitHub" }}

Dashlane

Integrate with Dashlane using the CLI.

dashlanePassword title

Returns the password for a Dashlane entry.
password: {{ dashlanePassword "GitHub" }}

dashlaneNote title

Returns the contents of a Dashlane secure note.
{{ dashlaneNote "SSH Config" }}

AWS Secrets Manager

Integrate with AWS Secrets Manager.

awsSecretsManager secret-id

Returns a secret from AWS Secrets Manager, parsed as JSON.
{{ $secret := awsSecretsManager "prod/api/key" }}
api_key: {{ $secret.api_key }}

awsSecretsManagerRaw secret-id

Returns the raw secret string from AWS Secrets Manager.
token: {{ awsSecretsManagerRaw "prod/token" }}

Azure Key Vault

Integrate with Azure Key Vault.

azureKeyVault secret-name

Returns a secret from Azure Key Vault.
api_key: {{ azureKeyVault "api-key" }}

Doppler

Integrate with Doppler secrets management.

doppler project config secret

Returns a secret from Doppler.
token: {{ doppler "my-project" "dev" "API_TOKEN" }}

dopplerProjectJson project config

Returns all secrets from a Doppler project as JSON.
{{ $secrets := dopplerProjectJson "my-project" "dev" }}
api_key: {{ $secrets.API_KEY }}

HashiCorp Vault

Integrate with HashiCorp Vault.

vault path

Returns structured data from Vault.
{{ $secret := vault "secret/data/github" }}
token: {{ $secret.data.token }}

Keyring

Integrate with system keyrings (macOS Keychain, Windows Credential Manager, Linux Secret Service).

keyring service account

Returns a password from the system keyring.
password: {{ keyring "github" "myusername" }}

Generic Secret

Integrate with generic external secret commands.

secret args

Executes a configured secret command and returns the output.
token: {{ secret "get" "api-token" }}

secretJSON args

Executes a configured secret command and parses the output as JSON.
{{ $secret := secretJSON "get" "credentials" }}
username: {{ $secret.username }}
password: {{ $secret.password }}

Configuration

~/.config/chezmoi/chezmoi.toml
[secret]
    command = "my-secret-tool"
    args = ["--format", "json"]

Practical Examples

Git Configuration with 1Password

dot_gitconfig.tmpl
[user]
    name = {{ .name }}
    email = {{ .email }}

[github]
    user = {{ (onepasswordDetailsFields "GitHub").username.value }}

[credential "https://github.com"]
    helper = !echo "password={{ (onepasswordDetailsFields "GitHub").password.value }}"

SSH Configuration with Bitwarden

private_dot_ssh_config.tmpl
Host github.com
    User git
    IdentityFile ~/.ssh/github

Host work-server
    HostName {{ (index (bitwarden "work-server").login.uris 0).uri }}
    User {{ (bitwarden "work-server").login.username }}

API Keys from Pass

dot_env.tmpl
export GITHUB_TOKEN="{{ pass "github/token" }}"
export NPM_TOKEN="{{ pass "npm/token" }}"
export AWS_ACCESS_KEY_ID="{{ (passFields "aws/credentials").access_key_id }}"
export AWS_SECRET_ACCESS_KEY="{{ (passFields "aws/credentials").secret_access_key }}"

Multi-Provider Strategy

dot_config_app_credentials.toml.tmpl
{{ if lookPath "op" }}
token = {{ onepasswordRead "op://vault/item/token" | quote }}
{{ else if lookPath "bw" }}
token = {{ (bitwarden "item-id").login.password | quote }}
{{ else if lookPath "pass" }}
token = {{ pass "app/token" | quote }}
{{ else }}
{{ warnf "No password manager found" }}
token = ""
{{ end }}

Conditional Secret Retrieval

run_once_install-creds.sh.tmpl
#!/bin/bash

{{ if stat (joinPath .chezmoi.homeDir ".ssh" "id_rsa") }}
echo "SSH key already exists"
{{ else }}
{{ if lookPath "op" }}
echo "Installing SSH key from 1Password"
cat > ~/.ssh/id_rsa << 'EOF'
{{ onepasswordDocument "SSH Key" }}
EOF
chmod 600 ~/.ssh/id_rsa
{{ end }}
{{ end }}

Security Best Practices

  1. Never commit secrets: Template files should only contain function calls, not actual secrets
  2. Use encryption: Enable encryption for the chezmoi source directory if needed
  3. Audit access: Regularly review which secrets are being accessed
  4. Rotate credentials: Use password manager features to rotate credentials regularly
  5. Limit scope: Only retrieve secrets that are actually needed
  6. Use secret references: Prefer secret references (like 1Password’s op://) when supported

Troubleshooting

Authentication Issues

# Check password manager CLI is authenticated
op account list
bw login --check
lpass status

# Re-authenticate if needed
op signin
bw login
lpass login

Testing Secret Retrieval

# Test a template with secrets
chezmoi execute-template '{{ onepassword "item-id" }}'

# Dry run to see what would be applied
chezmoi apply --dry-run --verbose

Debugging

# Enable verbose output
chezmoi apply --verbose

# Check configuration
chezmoi cat-config

# Test specific secret
op item get "item-name" --format json
