enpass2onepassword 0.1.0

Tool to migrate from Enpass to 1Password

enpass2onepassword

Tool to migrate from Enpass to 1Password. This tool takes an Enpass JSON export and imports it via the 1Password SDK.

Requirements

• You need Python 3 installed on your system.
• You need pip installed on your system.
• You need to know how to open a Terminal aka Shell.
  • On macOS, for example Terminal.app.
  • On Windows, for example PowerShell.
  • On Linux: You know your way.

Quick-Start

1. Follow the Preparations section below.
2. Install this tool, by running the following command in a terminal of your choosing: python3 -m pip install enpass2onepassword
3. Run this tool, by running the following command in a terminal of your choosing: enpass2onepassword
4. Fill in the information
   • Sa name: The name of your 1Password Service Account
   • Sa token: The token (aka credential) for the 1Password Service Account.
   • Op vault: The name of the empty(!) 1Password Vault.

Preparations

1. Create a new 1Password Vaul.
   • Call the Vault whatever you like, for example Enpass.
   • See the official documentation for further guidance.
2. Create a 1Password Service Account.
   • Call the Service Account whatever you like, for example enpass2onepassword
   • Use the cog ⚙️ to add the write permission to the Service Account
   • See the official documentation for further guidance.
3. Copy the Service Account Token (and/or save it to 1password).
4. Export your Enpass Vault as JSON, for example as export.json.
   • The export is unencrypted!
   • Don't forget to delete the file after a successful import!
   • Ensure, that you export the vault to a place that is not synced to another computer or that is immediately backed up.
   • A good place would be an SD card or a USB drive with an encrypted filesystem.

Usage Overview

Usage: enpass2onepassword [OPTIONS] ENPASS_JSON_EXPORT

  Adds items from an Enpass JSON export to a 1Password vault through the
  1Password API.

Options:
  -n, --op-sa-name, --sa TEXT     The 1Password service account name. You
                                  chose this when creating the 1Password
                                  service account.
                                  
                                  Can also be supplied as environment variable
                                  'OP_SERVICE_ACCOUNT_NAME'.  [default:
                                  enpass2onepassword; required]
  -t, --op-sa-token, --token TEXT
                                  The 1Password service account token. It was
                                  shown to you when you created the 1Password
                                  service account.
                                  
                                  Can also be supplied as environment variable
                                  'OP_SERVICE_ACCOUNT_TOKEN'.  [required]
  -o, --op-vault, --vault TEXT    The name of the 1Password vault. All Enpass
                                  items will be created in that 1Password
                                  vault. This 1Password vault must be empty!
                                  Also, the service account must have write
                                  permissions to it.
                                  
                                  Can also be supplied as environment variable
                                  'OP_VAULT'.  [default: Enpass; required]
  --ignore-non-empty-vault        By default, this tool will stop if it
                                  detects that there are already items in a
                                  vault. Use this flag to ignore this behavior
                                  and continue, even if there are already
                                  items in the given vault. If you use this,
                                  you should definitely make a sound backup of
                                  the vault before the import!
  --no-confirm                    By default, this tool will stop before
                                  importing anything to 1Password, and you
                                  need to confirm the import. Use this flag to
                                  ignore this behavior and import without
                                  further confirmation.
  --no-wakelock                   By default, this tool will prevent the
                                  computer to go to sleep while the import is
                                  running. Use this flag to disable this
                                  behavior.
                                  
                                  When this flag is defined, then the computer
                                  might go to sleep and interrupt your import.
                                  The import is usually resumed, when your
                                  computer resumes from sleep. The result is
                                  that you won't make the best use of the
                                  1Password rate limits.
  --silent                        By default, this tool will print status
                                  information while importing to 1Password.
                                  Use this flag to disable such reports.
  --skip INTEGER                  Skip the first number of items. This can be
                                  helpful to recover a failed import.
                                  [default: 0]
  --op-rate-limit-hourly INTEGER  1Password enforces a write request rate
                                  limit per 1Password Service Account. The
                                  hourly rate limit as of 2025-01-01 is 100
                                  requests per hour for private, family and
                                  team accounts and 1'000 requests per hour
                                  for Business accounts.
                                  
                                  See https://developer.1password.com/docs/service-accounts/rate-limits/ for more info.  [default: 100]
  --op-rate-limit-daily INTEGER   1Password enforces a write request rate
                                  limit per 1Password Account. The daily limit
                                  as of 2025-01-01 is 1'000 requests per hour
                                  for private and family accounts, 5'000 per
                                  day for Teams accounts and 50'000 requests
                                  per hour for Business accounts.
                                  
                                  See https://developer.1password.com/docs/service-accounts/rate-limits/ for more info.  [default: 1000]
  --op-client-validity INTEGER    This tool authenticates with the 1Password
                                  server in order to import entries. This
                                  authentication is only valid for a certain
                                  amount of time. With this parameter, you can
                                  adjust the time after which a this tool re-
                                  authenticates with the 1Password server.
                                  
                                  The value is in seconds.  [default: 1800]
  --help                          Show this message and exit.

Roadmap

• Improved support for credit card's expiry date, once #140 is implemented
• Support for importing attachments, once #139 is implemented
• Improved support for Secure Notes, once #141 is implemented
• Improved support for Wireless Networks, once #142 is implemented
• Support for favorites, once #143 is implemented

Tip: Load Service Account Credentials via 1Password CLI

Add the credentials of your 1Password Service Account to your private 1Password vault like so:

• Vault: Private
• Type: API Credential
• Name: Service Account Auth Token
• Username: enpass2onepassword (or whatever you chose as username)
• Password: ops_… (the secret generated by 1Password)

Note: If you choose other names, you need to adjust main.env for the following to work!

Then install the 1Password CLI and use the following command to run the migration tool:

# load the venv
. .venv/bin/activate

# unlock 1Password CLI
op signin

# specify the paths to the secrets
export OP_SERVICE_ACCOUNT_NAME="op://Private/Service Account Auth Token/username"
export OP_SERVICE_ACCOUNT_TOKEN="op://Private/Service Account Auth Token/credential"

# inject the secrets
op run -- enpass2onepassword ~/Desktop/export.json

Tip: List all categories in export

To list all the categories in the Enpass export, use the following command:

jq '[.items[].category] | unique' export.json

Tip: List all field types in export

To list all the field types in the Enpass export, use the following command:

jq '[.items[] | select(.fields != null) | .fields[]] | flatten | [.[].type] | unique' export.json

Tip: Split your export by category

To split your export by category, use the following command:

jq '{folders: .folders, items: [.items[] | select(.category == "uncategorized")]}' export.json > export_uncat.json
#                                                               ^^^^^^^^^^^^^ Change category here

Development

This project uses poetry for dependency management, building and publishing.

Run the development build:

poetry install
poetry run enpass2onepassword

Update dependencies:

poetry update

Release

Release procedure:

1. Edit the version in pyproject.toml
2. Commit the change
3. git push
4. Tag the release with the same version
5. git push --tags

The rest is taken care of by a GitHub Action.

Copyright and License

Copyright © 2025 Christian Mäder. See LICENSE for license.