Nicolas Martyanoff — Brain dump

Exporting 1Password data for backup

Storing credentials and confidential data in a secure location is important, and I have been happy with 1Password for years.

But having all this critical information stored in a single location is dangerous; losing access to my 1Password account would be quite annoying, forcing me to reinitialize passwords on dozens of websites and making me lose a lot of information.

Fortunately it is possible to export all data from 1Password. It does not seem to be doable directly from their web interface, but their command-line tool supports it.

You will first need to connect your account. For example, for a personal account:

op account add --address my.1password.com --email YOUR_EMAIL_ADDRESS

Note that you will not stay signed in, and will have to re-enter your password later using: eval "$(op signin)".

There is no command to directly export all entries, but it can be done with a small script. If you are not familiar with GPG, feel free to refer to my GnuPG introduction.

#!/bin/bash

# bash is required: "set -o pipefail" is not available in every /bin/sh
set -eu
set -o pipefail

# Configuration
gpg_key_id="YOUR_GPG_KEY_ID"

# Command line
if [ $# -lt 1 ]; then
    echo "usage: $0 <output-file>" >&2
    exit 1
fi

output_file=$1

# Keep permissions tight
umask 177

# Sign in to the 1Password account
eval "$(op signin)"

# Create a temporary file to store the list of item ids (this list does not
# contain any confidential data).
item_file=$(mktemp)
trap 'rm -f "$item_file"' EXIT

# Export a list containing the identifier and vault identifier of each item
op --format json item list | jq -r '.[] | .id + " " + .vault.id' >"$item_file"

# Export all items, encrypt all data and store them in the output file
while read -r item_id vault_id; do
    op --format json item get "$item_id" --vault "$vault_id"
done <"$item_file" | gpg --encrypt --sign --recipient "$gpg_key_id" >|"$output_file"

The resulting file can then be stored anywhere, without any specific protection since it is encrypted.
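The script above truncates the output file as soon as the pipeline starts, so a run that fails halfway (an item that cannot be fetched, a gpg error) replaces the previous good backup with a partial one. The following added example, which is not from the original post, writes to a temporary file and renames it into place only when both the export and the encryption succeed. The names backup_atomically, export_items and encrypt are hypothetical; the op, jq and gpg invocations are those of the script above.

```shell
#!/bin/sh
# Added example, not from the original post. backup_atomically, export_items
# and encrypt are hypothetical names; the op, jq and gpg invocations are the
# ones used in the script above.
set -eu

gpg_key_id="YOUR_GPG_KEY_ID"    # placeholder, as in the script above

# Print every item as JSON and fail at the first item that cannot be fetched.
export_items() {
    ids=$(op --format json item list | jq -r '.[] | .id + " " + .vault.id')
    [ -n "$ids" ] || return 1
    printf '%s\n' "$ids" | while read -r item_id vault_id; do
        op --format json item get "$item_id" --vault "$vault_id" || exit 1
    done
}

encrypt() {
    gpg --encrypt --sign --recipient "$gpg_key_id"
}

# backup_atomically DEST PRODUCER FILTER
# Runs PRODUCER | FILTER into a temporary file in DEST's directory and renames
# it over DEST only if both stages succeeded and the result is not empty.
# The body is a subshell, so its variables do not leak into the caller.
backup_atomically() (
    dest=$1 producer=$2 filter=$3
    # mktemp creates the file with mode 0600; same directory keeps mv a rename.
    tmp=$(mktemp "$(dirname "$dest")/.backup.XXXXXX")
    # The pipeline's status is the filter's. The producer's status travels
    # through fd 3 into $status, so this works without "set -o pipefail".
    if status=$( { { "$producer" 3>&-; echo "$?" >&3; } |
                   "$filter" >"$tmp" 3>&-; } 3>&1 ) &&
        [ "$status" = 0 ] && [ -s "$tmp" ]; then
        mv -f "$tmp" "$dest"
    else
        rm -f "$tmp"
        exit 1
    fi
)

# Run the real export only when an output file is given on the command line.
if [ $# -ge 1 ]; then
    eval "$(op signin)"
    backup_atomically "$1" export_items encrypt
fi
```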