How to export 1Password data

Export 1Password passwords using a command-line utility on Linux.

Create a working directory on an encrypted filesystem and change into it.

Import a code signing public key for 1Password.

$ gpg --keyserver keyserver.ubuntu.com --recv-keys 3FEF9748469ADBE15DA7CA80AC2D62742012EA22
gpg: key AC2D62742012EA22: public key "Code signing for 1Password <codesign@1password.com>" imported
gpg: Total number processed: 1
gpg:               imported: 1

Inspect imported key.

$ gpg --list-key 3FEF9748469ADBE15DA7CA80AC2D62742012EA22
pub   rsa4096 2017-05-18 [SC] [expires: 2025-05-16]
      3FEF9748469ADBE15DA7CA80AC2D62742012EA22
uid           [ unknown] Code signing for 1Password <codesign@1password.com>

Mark this key as trusted. This is very subjective, so you can skip this step; if you do, you will just get a warning later that there is no indication that the signature belongs to the owner.

$ gpg --trusted-key AC2D62742012EA22 --list-key 3FEF9748469ADBE15DA7CA80AC2D62742012EA22
gpg: key AC2D62742012EA22 marked as ultimately trusted
gpg: checking the trustdb
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: next trustdb check due at 2025-05-16
pub   rsa4096 2017-05-18 [SC] [expires: 2025-05-16]
      3FEF9748469ADBE15DA7CA80AC2D62742012EA22
uid           [ultimate] Code signing for 1Password <codesign@1password.com>

Download 1Password command-line tool.

$ wget --quiet https://cache.agilebits.com/dist/1P/op/pkg/v1.9.2/op_linux_amd64_v1.9.2.zip

Extract archive.

$ unzip op_linux_amd64_v1.9.2.zip 
Archive:  op_linux_amd64_v1.9.2.zip
 extracting: op.sig                  
  inflating: op                      

Verify downloaded utility.

$ gpg --verify op.sig op
gpg: Signature made Fri May  7 16:20:21 2021 CEST
gpg:                using RSA key 3FEF9748469ADBE15DA7CA80AC2D62742012EA22
gpg: Good signature from "Code signing for 1Password <codesign@1password.com>" [ultimate]

Display help information.

$ ./op --help
The 1Password command-line tool provides commands to manage and
administer a 1Password account.

Sign in to an account to get started. Run `op signin --help` to learn
more.

HOW TO SPECIFY OBJECTS

You can specify all objects by name or UUID. You can also specify some
objects by other attributes:

* Items: item link
* Login or Password items: domain name
* Users: email address

When you specify an item by name or domain, there may be more than one
item that matches. To be more specific, use the `--vault` option to
only look in one vault at a time, or use a unique ID (UUID) instead.

CACHE ITEM AND VAULT INFORMATION

The command-line tool can use its daemon process to cache items, vault
information, and the keys to access information in an account. To use
the cache, use the `--cache` option with a command. When working with
items, the cache is most effective after it has a list of the items in a
vault.

The daemon stores encrypted information in memory using the same
encryption methods as on 1Password.com. It can read the information to
pass to the command-line tool but can’t decrypt it. The tool starts the
daemon automatically and it terminates itself after 24 hours of
inactivity.

USE ALTERNATIVE CHARACTER ENCODING

By default, the command-line tool processes input and output with UTF-8
encoding. You can use an alternative character encoding with the
`--encoding` option. Supported alternative character encoding types:

* `gbk`
* `shift-jis`

Usage:
  op [command]

Available Commands:
  add         Grant access to groups or vaults
  completion  Generate shell completion information
  confirm     Confirm a user
  create      Create an object
  delete      Remove an object
  edit        Edit an object
  encode      Encode the JSON needed to create an item
  forget      Remove a 1Password account from this device
  get         Get details about an object
  help        Get help for a command
  list        List objects and events
  manage      Manage group access to 1Password integrations
  reactivate  Reactivate a suspended user
  remove      Revoke access to groups or vaults
  signin      Sign in to a 1Password account
  signout     Sign out of a 1Password account
  suspend     Suspend a user
  update      Check for and download updates

Flags:
      --account shorthand   use the account with this shorthand
      --cache               store and use cached information
      --config directory    use this configuration directory
      --encoding type       use this character encoding type
  -h, --help                get help for op
      --session token       authenticate with this session token
  -v, --version             version for op

Use "op [command] --help" for more information about a command.

Sign in to 1Password. The key, password, and session values in this example are fake.

$ ./op signin my.1password.com milosz@example.org
Enter the Secret Key for milosz@example.org at my.1password.com: X3-ABF8R4-W1OXVB-YRL4Q-43K2P-CQGGP-TN3ZS
Enter the password for milosz@example.org at my.1password.com: ***********
export OP_SESSION_my="RkL-Xi9daF_v5Sz2VgE97FekVMVDHO-xUJSpZYe3Tia"
# This command is meant to be used with your shell's eval function.
# Run 'eval $(op signin my)' to sign in to your 1Password account.
# Use the --raw flag to only output the session token.

This time, you can simply export the OP_SESSION_my variable.

$ export OP_SESSION_my="RkL-Xi9daF_v5Sz2VgE97FekVMVDHO-xUJSpZYe3Tia"

I will focus solely on items (passwords) and ignore documents to keep this entry as short as possible.

$ ./op list --help
To list objects and events, use one of the `list` subcommands.

Usage:
  op list [command]

Available Commands:
  connect     List 1Password Connect servers and tokens
  documents   Get a list of documents
  events      Get a list of events from the Activity Log
  groups      Get a list of groups
  items       Get a list of items
  templates   Get a list of templates
  users       Get the list of users
  vaults      Get a list of vaults

Flags:
  -h, --help   get help with list

Global Flags:
      --account shorthand   use the account with this shorthand
      --cache               store and use cached information
      --config directory    use this configuration directory
      --encoding type       use this character encoding type
      --session token       authenticate with this session token

Use "op list [command] --help" for more information about a command.

List items.

$ ./op list items | jq .
[...]
  {
    "uuid": "zirgso2ug7ldlEjh2oct67zvfu",
    "templateUuid": "001",
    "trashed": "N",
    "createdAt": "2020-03-19T13:26:37Z",
    "updatedAt": "2020-03-19T13:26:37Z",
    "changerUuid": "8WDGJPNLF6SNVDQWJMJ2ROFTXY",
    "itemVersion": 1,
    "vaultUuid": "3kfkxlxlufxi6okid4o3iv4h3y",
    "overview": {
      "URLs": [
        {
          "l": "",
          "u": "https://example.com/"
        }
      ],
      "ainfo": "milosz",
      "pbe": 55.317352,
      "pgrng": true,
      "ps": 73.67636,
      "tags": [],
      "title": "Example",
      "url": "https://example.com/"
    }
  },
[...]

It looks like we know how to list objects, so it is time to get some details.

$ ./op get --help
To get details about an object, use one of the `get` subcommands.

Usage:
  op get [command]

Available Commands:
  account     Get details about your account
  document    Download a document
  group       Get details about a group
  item        Get item details
  template    Get an item template
  totp        Get the one-time password for an item
  user        Get details about a user
  vault       Get details about a vault

Flags:
  -h, --help   get help with get

Global Flags:
      --account shorthand   use the account with this shorthand
      --cache               store and use cached information
      --config directory    use this configuration directory
      --encoding type       use this character encoding type
      --session token       authenticate with this session token

Use "op get [command] --help" for more information about a command.

Get details for the earlier mentioned object.

$ ./op get item zirgso2ug7ldlEjh2oct67zvfu | jq .
{
  "uuid": "zirgso2ug7ldlEjh2oct67zvfu",
  "templateUuid": "001",
  "trashed": "N",
  "createdAt": "2020-03-19T13:26:37Z",
  "updatedAt": "2020-03-19T13:26:37Z",
  "changerUuid": "8WDGJPNLF6SNVDQWJMJ2ROFTXY",
  "itemVersion": 1,
  "vaultUuid": "3kfkxlxlufxi6okid4o3iv4h3y",
  "details": {
    "fields": [
      {
        "designation": "",
        "id": "user_email",
        "name": "user[email]",
        "type": "",
        "value": "milosz@example.org"
      },
      {
        "designation": "username",
        "id": "user_username",
        "name": "user[username]",
        "type": "T",
        "value": "milosz"
      },
      {
        "designation": "password",
        "id": "user_password",
        "name": "user[password]",
        "type": "P",
        "value": "mypassword"
      },
      {
        "designation": "",
        "id": "user_accepted_terms",
        "name": "user[accepted_terms]",
        "type": "C",
        "value": "1"
      }
    ],
    "htmlForm": {
      "htmlAction": "",
      "htmlID": "",
      "htmlMethod": "",
      "htmlName": ""
    },
    "notesPlain": "",
    "password": "",
    "passwordHistory": [],
    "sections": [
      {
        "fields": [
          {
            "k": "string",
            "n": "ad3d4a186a913e7f140897ad576b3d64",
            "t": "Name",
            "v": "Milosz"
          }
        ],
        "name": "Section_6bda06c01e3e4655915cd784a64ae716",
        "title": "Saved on example.com"
      }
    ]
  },
  "overview": {
    "URLs": [
      {
        "l": "",
        "u": "https://example.com/"
      }
    ],
    "ainfo": "milosz",
    "pbe": 55.317352,
    "pgrng": true,
    "ps": 73.67636,
    "tags": [],
    "title": "Example",
    "url": "https://example.com/"
  }
}

Now we can create a backup directory.

$ mkdir items

Combine earlier mentioned commands to export passwords. Beware, data is not encrypted.

$ ./op list items | jq -r '.[].uuid' | xargs -I{} bash -c './op get item {} | tee items/{}.json >/dev/null'
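
A hardened variant of the export step, as an added example that is not part of the original post. It is written in Python rather than as a shell pipeline so that each file is created with owner-only permissions and no value returned by the service passes through a shell. The function name `export_items` and the 26-character UUID pattern are assumptions (the pattern is taken from the listings on this page), and only the `op list items` and `op get item` commands shown above are used.

```python
import json
import os
import re
import subprocess

# Assumption: item UUIDs are 26 alphanumeric characters, as in the listings on this page.
UUID_RE = re.compile(r"[A-Za-z0-9]{26}")


def export_items(op_cmd, dest):
    """Export every item to dest/<uuid>.json; return (exported, skipped) UUID lists.

    op_cmd is the CLI as an argument list, e.g. ["./op"]; no shell is involved,
    so values returned by the service are never interpreted as shell syntax.
    The session token is inherited from the environment (OP_SESSION_my).
    """
    os.makedirs(dest, mode=0o700, exist_ok=True)
    os.chmod(dest, 0o700)  # enforce owner-only access even if dest already existed
    listing = subprocess.run(op_cmd + ["list", "items"], check=True,
                             capture_output=True).stdout
    exported, skipped = [], []
    for entry in json.loads(listing):
        uuid = str(entry.get("uuid", ""))
        if not UUID_RE.fullmatch(uuid):
            skipped.append(uuid)  # never build a file name from an unexpected value
            continue
        item = subprocess.run(op_cmd + ["get", "item", uuid], check=True,
                              capture_output=True).stdout
        json.loads(item)  # raises ValueError on truncated or non-JSON output
        path = os.path.join(dest, uuid + ".json")
        # O_EXCL refuses to overwrite or follow a pre-existing file or symlink;
        # mode 0600 applies at creation, so the secret is never world-readable.
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        with os.fdopen(fd, "wb") as fh:
            fh.write(item)
        exported.append(uuid)
    return exported, skipped


if __name__ == "__main__":
    done, bad = export_items(["./op"], "items")
    print(f"exported {len(done)} items, skipped {len(bad)}")
```

The exported files are still plaintext, so keep `items/` on the encrypted filesystem; a second run into the same directory fails rather than overwriting earlier exports.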

List exported items.

$ ls items/
d6wpkzihitupaup1shl6jzqupm.json  pceufc5yfonivwcwotzjrxy3li.json  z7cte6pizcmtixn3vulzcu66km.json
daufly3re3fu7ystq5rt4btpue.json  pnrqfpg6v3gay5p4c74gheip2m.json  zbo4ogf6ocmkp4hqj6zfnqnd7y.json
dyerdinfmfnwre4qd4qnyge3ju.json  pqp334lzry26cvqakv6haaflc4.json  zwigbinyr4q6okftlmf4uvmx4q.json
e4zwdocn4nqgjvkalt7zztet6i.json  pqdo3oyzhcgp4wnw2uw6uoyw2a.json  zxkprmwgtb62sn5ypt7vkoatyi.json
ebjp3sn7uysptnfyolwwqbgq3y.json  p5vo4otszsizglikpxqge4cawu.json  eg7mvfynqczljeuwvfytjpoxma.json 

You can easily search JSON files to locate a single file or multiple files matching a specific entry title.

$ jq -r -c '.overview | select(.title | ascii_downcase | contains("magazine")) | [input_filename, .title,.url]' items/*.json
["items/p5vo4otszsizglikpxqge4cawu.json","Linux Magazine com","https://www.linux-magazine.com/"]
["items/d6wpkzihitupaup1shl6jzqupm.json","Linux Magazine pl","https://linux-magazine.pl/"]

Unset OP_SESSION_my variable.

$ unset OP_SESSION_my

This utility makes 1Password backups possible, but it comes at a price, as you are responsible for downloaded data.