Export 1Password passwords using a command-line utility on Linux.
Create and change the working directory to a location on an encrypted filesystem.
Import a code signing public key for 1Password.
$ gpg --keyserver keyserver.ubuntu.com --recv-keys 3FEF9748469ADBE15DA7CA80AC2D62742012EA22
gpg: key AC2D62742012EA22: public key "Code signing for 1Password <codesign@1password.com>" imported gpg: Total number processed: 1 gpg: imported: 1
Inspect imported key.
$ gpg --list-key 3FEF9748469ADBE15DA7CA80AC2D62742012EA22
pub rsa4096 2017-05-18 [SC] [expires: 2025-05-16]
3FEF9748469ADBE15DA7CA80AC2D62742012EA22
uid [ unknown] Code signing for 1Password <codesign@1password.com>
Mark this key as trusted. This is very subjective, so you can skip this step, you will just get a warning later as there is no indication that the signature belongs to the owner.
$ gpg --trusted-key AC2D62742012EA22 --list-key 3FEF9748469ADBE15DA7CA80AC2D62742012EA22
gpg: key AC2D62742012EA22 marked as ultimately trusted
gpg: checking the trustdb
gpg: marginals needed: 3 completes needed: 1 trust model: pgp
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: next trustdb check due at 2025-05-16
pub rsa4096 2017-05-18 [SC] [expires: 2025-05-16]
3FEF9748469ADBE15DA7CA80AC2D62742012EA22
uid [ultimate] Code signing for 1Password <codesign@1password.com>
Download 1Password command-line tool.
$ wget --quiet https://cache.agilebits.com/dist/1P/op/pkg/v1.9.2/op_linux_amd64_v1.9.2.zip
Extract archive.
$ unzip op_linux_amd64_v1.9.2.zip
Archive: op_linux_amd64_v1.9.2.zip extracting: op.sig inflating: op
Verify downloaded utility.
$ gpg --verify op.sig op
gpg: Signature made Fri May 7 16:20:21 2021 CEST gpg: using RSA key 3FEF9748469ADBE15DA7CA80AC2D62742012EA22 gpg: Good signature from "Code signing for 1Password <codesign@1password.com>" [ultimate]
Display help information.
$ ./op --help
The 1Password command-line tool provides commands to manage and
administer a 1Password account.
Sign in to an account to get started. Run `op signin --help` to learn
more.
HOW TO SPECIFY OBJECTS
You can specify all objects by name or UUID. You can also specify some
objects by other attributes:
* Items: item link
* Login or Password items: domain name
* Users: email address
When you specify an item by name or domain, there may be more than one
item that matches. To be more specific, use the `--vault` option to
only look in one vault at a time, or use a unique ID (UUID) instead.
CACHE ITEM AND VAULT INFORMATION
The command-line tool can use its daemon process to cache items, vault
information, and the keys to access information in an account. To use
the cache, use the `--cache` option with a command. When working with
items, the cache is most effective after it has a list of the items in a
vault.
The daemon stores encrypted information in memory using the same
encryption methods as on 1Password.com. It can read the information to
pass to the command-line tool but can’t decrypt it. The tool starts the
daemon automatically and it terminates itself after 24 hours of
inactivity.
USE ALTERNATIVE CHARACTER ENCODING
By default, the command-line tool processes input and output with UTF-8
encoding. You can use an alternative character encoding with the
`--encoding` option. Supported alternative character encoding types:
* `gbk`
* `shift-jis`
Usage:
op [command]
Available Commands:
add Grant access to groups or vaults
completion Generate shell completion information
confirm Confirm a user
create Create an object
delete Remove an object
edit Edit an object
encode Encode the JSON needed to create an item
forget Remove a 1Password account from this device
get Get details about an object
help Get help for a command
list List objects and events
manage Manage group access to 1Password integrations
reactivate Reactivate a suspended user
remove Revoke access to groups or vaults
signin Sign in to a 1Password account
signout Sign out of a 1Password account
suspend Suspend a user
update Check for and download updates
Flags:
--account shorthand use the account with this shorthand
--cache store and use cached information
--config directory use this configuration directory
--encoding type use this character encoding type
-h, --help get help for op
--session token authenticate with this session token
-v, --version version for op
Use "op [command] --help" for more information about a command.
Sign in to the 1Password. Key, password, and session values in this example are fake.
$ ./op signin my.1password.com milosz@example.org
Enter the Secret Key for milosz@sleeplessbeastie.eu at my.1password.com: X3-ABF8R4-W1OXVB-YRL4Q-43K2P-CQGGP-TN3ZS Enter the password for milosz@example.org at my.1password.com: *********** export OP_SESSION_my="RkL-Xi9daF_v5Sz2VgE97FekVMVDHO-xUJSpZYe3Tia" # This command is meant to be used with your shell's eval function. # Run 'eval $(op signin my)' to sign in to your 1Password account. # Use the --raw flag to only output the session token.
This time you can simply export OP_SESSION_my variable.
$ export OP_SESSION_my="RkL-Xi9daF_v5Sz2VgE97FekVMVDHO-xUJSpZYe3Tia"
I will focus solely on items (passwords) and ignore documents to keep this entry as short as possible.
$ ./op list --help
To list objects and events, use one of the `list` subcommands.
Usage:
op list [command]
Available Commands:
connect List 1Password Connect servers and tokens
documents Get a list of documents
events Get a list of events from the Activity Log
groups Get a list of groups
items Get a list of items
templates Get a list of templates
users Get the list of users
vaults Get a list of vaults
Flags:
-h, --help get help with list
Global Flags:
--account shorthand use the account with this shorthand
--cache store and use cached information
--config directory use this configuration directory
--encoding type use this character encoding type
--session token authenticate with this session token
Use "op list [command] --help" for more information about a command.
List items.
$ ./op list items | jq .
[...]
{
"uuid": "zirgso2ug7ldlEjh2oct67zvfu",
"templateUuid": "001",
"trashed": "N",
"createdAt": "2020-03-19T13:26:37Z",
"updatedAt": "2020-03-19T13:26:37Z",
"changerUuid": "8WDGJPNLF6SNVDQWJMJ2ROFTXY",
"itemVersion": 1,
"vaultUuid": "3kfkxlxlufxi6okid4o3iv4h3y",
"overview": {
"URLs": [
{
"l": "",
"u": "https://example.com/"
}
],
"ainfo": "milosz",
"pbe": 55.317352,
"pgrng": true,
"ps": 73.67636,
"tags": [],
"title": "Example",
"url": "https://example.com/"
}
},
[...]
It looks like we know how to list objects, so it is time to get some details.
$ ./op get --help
To get details about an object, use one of the `get` subcommands.
Usage:
op get [command]
Available Commands:
account Get details about your account
document Download a document
group Get details about a group
item Get item details
template Get an item template
totp Get the one-time password for an item
user Get details about a user
vault Get details about a vault
Flags:
-h, --help get help with get
Global Flags:
--account shorthand use the account with this shorthand
--cache store and use cached information
--config directory use this configuration directory
--encoding type use this character encoding type
--session token authenticate with this session token
Use "op get [command] --help" for more information about a command.
Get details for the earlier mentioned object.
$ ./op get item tzguh2oirgld7zvfjholvt62uu | jq .
{
"uuid": "zirgso2ug7ldlEjh2oct67zvfu",
"templateUuid": "001",
"trashed": "N",
"createdAt": "2020-03-19T13:26:37Z",
"updatedAt": "2020-03-19T13:26:37Z",
"changerUuid": "8WDGJPNLF6SNVDQWJMJ2ROFTXY",
"itemVersion": 1,
"vaultUuid": "3kfkxlxlufxi6okid4o3iv4h3y",
"details": {
"fields": [
{
"designation": "",
"id": "user_email",
"name": "user[email]",
"type": "",
"value": "milosz@example.org"
},
{
"designation": "username",
"id": "user_username",
"name": "user[username]",
"type": "T",
"value": "milosz"
},
{
"designation": "password",
"id": "user_password",
"name": "user[password]",
"type": "P",
"value": "mypassword"
},
{
"designation": "",
"id": "user_accepted_terms",
"name": "user[accepted_terms]",
"type": "C",
"value": "1"
}
],
"htmlForm": {
"htmlAction": "",
"htmlID": "",
"htmlMethod": "",
"htmlName": ""
},
"notesPlain": "",
"password": "",
"passwordHistory": [],
"sections": [
{
"fields": [
{
"k": "string",
"n": "ad3d4a186a913e7f140897ad576b3d64",
"t": "Name",
"v": "Milosz"
}
],
"name": "Section_6bda06c01e3e4655915cd784a64ae716",
"title": "Saved on example.com"
}
]
},
"overview": {
"URLs": [
{
"l": "",
"u": "https://example.com/"
}
],
"ainfo": "milosz",
"pbe": 55.317352,
"pgrng": true,
"ps": 73.67636,
"tags": [],
"title": "Example",
"url": "https://example.com/"
}
}
Now we can create a backup directory.
$ mkdir items
Combine earlier mentioned commands to export passwords. Beware, data is not encrypted.
$ ./op list items | jq -r '.[].uuid' | xargs -I{} bash -c './op get item {} | tee items/{}.json >/dev/null'
List items.
$ ls items/
d6wpkzihitupaup1shl6jzqupm.json pceufc5yfonivwcwotzjrxy3li.json z7cte6pizcmtixn3vulzcu66km.json daufly3re3fu7ystq5rt4btpue.json pnrqfpg6v3gay5p4c74gheip2m.json zbo4ogf6ocmkp4hqj6zfnqnd7y.json dyerdinfmfnwre4qd4qnyge3ju.json pqp334lzry26cvqakv6haaflc4.json zwigbinyr4q6okftlmf4uvmx4q.json e4zwdocn4nqgjvkalt7zztet6i.json pqdo3oyzhcgp4wnw2uw6uoyw2a.json zxkprmwgtb62sn5ypt7vkoatyi.json ebjp3sn7uysptnfyolwwqbgq3y.json p5vo4otszsizglikpxqge4cawu.json eg7mvfynqczljeuwvfytjpoxma.json
You can easily search JSON files to locate a single file or multiple files matching a specific entry title.
$ jq -r -c '.overview | select(.title | ascii_downcase | contains("magazine")) | [input_filename, .title,.url]' items/*.json
["items/p5vo4otszsizglikpxqge4cawu.json","Linux Magazine com","https://www.linux-magazine.com/"] ["items/d6wpkzihitupaup1shl6jzqupm.json","Linux Magazine pl","https://linux-magazine.pl/"]
Unset OP_SESSION_my variable.
$ unset OP_SESSION_my
This utility makes 1Password backups possible, but it comes at a price, as you are responsible for downloaded data.