/pass-import

A pass extension for importing data from most existing password managers

Primary LanguagePythonGNU General Public License v3.0GPL-3.0

pass import

A pass extension for importing data from most existing password managers

Description

pass import is a password store extension allowing you to import your password database to a password store repository conveniently. It natively supports import from 62 different password managers. More manager support can easily be added.

Passwords are imported into the existing default password store, therefore the password store must have been initialized before with pass init.

By default, pass imports entries at the root of the password store and only keeps the main data (password, login, email, URL, group). This behaviour can be changed using the provided options.

Pass import handles duplicates and is compatible with browserpass. It imports OTP secret in a way that is compatible with pass-otp.

pass-import also provides a pimport script that allows importing passwords to other password managers. For instance, you can import passwords from Lastpass to a Keepass database. It currently supports password export from 8 managers.

The following password managers are supported:

Password Manager Formats How to export Data Command line
1password csv v8 See this guide pass import 1password file.csv
1pif v4 See this guide pass import 1password file.1pif
csv v4 See this guide pass import 1password file.csv
csv v6 See this guide pass import 1password file.csv
aegis json Settings> Tools: Export Plain pass import aegis file.json
json Settings> Tools: Export encrypted pass import aegis file.json
andotp json Backups> Backup plain pass import andotp file.json
apple-keychain keychain See this guide pass import applekeychain file.txt
bitwarden csv Tools> Export Vault> File Format: .csv pass import bitwarden file.csv
csv Tools> Export Vault> File Format: .csv pass import bitwarden file.csv
json Tools> Export Vault> File Format: .json pass import bitwarden file.json
json Tools> Export Vault> File Format: .json pass import bitwarden file.json
blur json Settings: Export Data: Export Blur Data pass import blur file.json
csv Settings: Export Data: Export CSV: Accounts: Export CSV pass import blur file.csv
buttercup csv File > Export > Export File to CSV pass import buttercup file.csv
chrome csv In chrome://password-manager/settings under 2Export passwordsDownload File pass import chrome file.csv
csv See this guide pass import chrome file.csv
clipperz html Settings > Data > Export: HTML + JSON pass import clipperz file.html
csv csv Nothing to do pass import csv file.csv --cols 'url,login,,password'
dashlane csv File > Export > Unsecured Archive in CSV pass import dashlane file.csv
json File > Export > Unsecured Archive in JSON pass import dashlane file.json
encryptr csv Compile from source and follow instructions from this guide pass import encryptr file.csv
enpass json v6 Menu > File > Export > As JSON pass import enpass file.json
csv File > Export > As CSV pass import enpass file.csv
firefox csv In about:logins Menu: Export logins pass import firefox file.csv
csv Add-ons Prefs: Export Passwords: CSV pass import firefox file.csv
fpm xml File > Export Passwords: Plain XML pass import fpm file.xml
freeotp+ json Settings> Export> Export JSON Format pass import freeotp+ file.json
gnome libsecret Nothing to do pass import gnome-keyring <label>
gnome-auth json Backup > in a plain-text JSON file pass import gnome-authenticator file.json
gopass gopass Nothing to do pass import gopass path/to/store
gorilla csv File > Export: Yes: CSV Files pass import gorilla file.csv
kedpm xml File > Export Passwords: Plain XML pass import kedpm file.xml
keepass kdbx Nothing to do pass import keepass file.kdbx
csv File > Export > Keepass (CSV) pass import keepass file.csv
xml File > Export > Keepass (XML) pass import keepass file.xml
keepassx xml File > Export to > Keepass XML File pass import keepassx file.xml
keepassx2 kdbx Nothing to do pass import keepassx2 file.kdbx
csv Database > Export to CSV File pass import keepassx2 file.csv
keepassxc kdbx Nothing to do pass import keepassxc file.kdbx
csv Database > Export to CSV File pass import keepassxc file.csv
keeper csv Settings > Export : Export to CSV File pass import keeper file.csv
lastpass cli Nothing to do pass import lastpass <login>
csv More Options > Advanced > Export pass import lastpass file.csv
myki csv See this guide pass import myki file.csv
network-manager nm Also support specific networkmanager dir and ini file pass import networkmanager
nordpass csv Settings > Export Items pass import nordpass file.csv
padlock csv Settings > Export Data and copy text into a .csv file pass import padlock file.csv
pass pass Nothing to do pass import pass path/to/store
passman csv Settings > Export credentials > Export type: CSV pass import passman file.csv
json Settings > Export credentials > Export type: JSON pass import passman file.json
passpack csv Settings > Export > Save to CSV pass import passpack file.csv
passpie yaml v1.0 `passpie export file.yml` pass import passpie file.yml
pwsafe xml File > Export To > XML Format pass import pwsafe file.xml
revelation xml File > Export: XML pass import revelation file.xml
roboform csv Roboform > Options > Data & Sync > Export To: CSV file pass import roboform file.csv
safeincloud csv File > Export > Comma-Separated Values (CSV) pass import safeincloud file.csv
saferpass csv Settings > Export Data: Export data pass import saferpass file.csv
upm csv Database > Export pass import upm file.csv
zoho csv Tools > Export Secrets: Zoho Vault Format CSV pass import zoho file.csv
csv Tools > Export Secrets: Zoho Vault Format CSV pass import zoho file.csv

The following destination password managers are supported:

Exporters Password Manager Format Command line
csv csv pimport csv src [src]
gopass gopass pimport gopass src [src]
keepass kdbx pimport keepass src [src]
keepassx2 kdbx pimport keepassx2 src [src]
keepassxc kdbx pimport keepassxc src [src]
lastpass cli pimport lastpass src [src]
pass pass pimport pass src [src]
sphinx pimport sphinx src [src]

Usage

Basic use

To import password from any supported password manager simply run:

pass import path/to/passwords

If pass-import is not able to detect the format, you need to provide the password manager <pm> you want to import data from:

pass import <pm> path/to/passwords

If you want to import data to a password manager other than pass, run:

pimport <new_pm> <former_pm> path/to/passwords --out path/to/destination/pm

Help

usage: pass import [-r path] [-p path] [-k KEY] [-a] [-f] [-c] [-C] [-P] [-d] [--sep CHAR] [--del CHAR] [--cols COLS] [--filter FILTER] [--config CONFIG]
                   [-l] [-h] [-V] [-v | -q]
                   [src ...]

  Import data from most of the password manager. Passwords are imported into
  the existing default password store; therefore, the password store must have
  been initialised before with 'pass init'.

Password managers:
  src                   Path to the data to import. Can also be the password manager name followed by the path to the data to import. The password manager
                        name can be: 1password, aegis, andotp, apple-keychain, bitwarden, blur, buttercup, chrome, clipperz, csv, dashlane, encryptr,
                        enpass, firefox, fpm, freeotp+, gnome, gnome-auth, gopass, gorilla, kedpm, keepass, keepassx, keepassx2, keepassxc, keeper,
                        lastpass, myki, network-manager, nordpass, padlock, pass, passman, passpack, passpie, pwsafe, revelation, roboform, safeincloud,
                        saferpass, upm, zoho.

Common optional arguments:
  -r path, --root path  Only import the password from a specific subfolder.
  -p path, --path path  Import the passwords to a specific subfolder.
  -k KEY, --key KEY     Path to a keyfile if required by a manager.
  -a, --all             Also import all the extra data present.
  -f, --force           Overwrite existing passwords.
  -c, --clean           Make the paths more command line friendly.
  -C, --convert         Convert invalid characters present in the paths.
  -P, --pwned           Check imported passwords against haveibeenpwned.com.
  -d, --dry-run         Do not import passwords, only show what would be imported.

Extra optional arguments:
  --sep CHAR            Provide a characters of replacement for the path separator. Default: '-'
  --del CHAR            Provide an alternative CSV delimiter character. Default: ','
  --cols COLS           CSV expected columns to map columns to credential attributes. Only used by the csv importer.
  --filter FILTER       Export whole entries matching a JSONPath filter expression. Default: (none) This field can be: - a string JSONPath expression - an
                        absolute path to a file containing a JSONPath filter expression. List of supported filter: https://github.com/h2non/jsonpath-ng
                        Example: - '$.entries[*].tags[?@="Defaults"]' : Export only entries with a tag matching 'Defaults'
  --config CONFIG       Set a config file. Default: '.import'

Help related optional arguments:
  -l, --list            List the supported password managers.
  -h, --help            Show this help message and exit.
  -V, --version         Show the program version and exit.
  -v, --verbose         Set verbosity level, can be used more than once.
  -q, --quiet           Be quiet.

More information may be found in the pass-import(1) man page.

Usage for pimport can been seen with pimport -h or man pimport.

Examples

Import password from KeePass

pass import keepass.xml
(*) Importing passwords from keepass to pass
 .  Passwords imported from: keepass.xml
 .  Passwords exported to: ~/.password-store
 .  Number of password imported: 6
 .  Passwords imported:
       Social/mastodon.social
       Social/twitter.com
       Social/news.ycombinator.com
       Servers/ovh.com/bynbyjhqjz
       Servers/ovh.com/jsdkyvbwjn
       Bank/aib

This is the same than: pimport pass keepass.xml --out ~/.password-store

Import password to a different password store

export PASSWORD_STORE_DIR="~/.mypassword-store"
pass init <gpg-id>
pass import keepass.kdbx

Import password to a subfolder

pass import bitwarden.json -p Import/
(*) Importing passwords from bitwarden to pass
 .  Passwords imported from: bitwarden.json
 .  Passwords exported to: ~/.password-store
 .  Root path: Import
 .  Number of password imported: 6
 .  Passwords imported:
      Import/Social/mastodon.social
      Import/Social/twitter.com
      Import/Social/news.ycombinator.com
      Import/Servers/ovh.com/bynbyjhqjz
      Import/Servers/ovh.com/jsdkyvbwjn
      Import/Bank/aib

Other examples:

  • If the manager is not correctly detected, you can pass it at source argument: pass import dashlane dashlane.csv
  • Import NetworkManager password on default dir: pass import networkmanager
  • Import a NetworkManager INI file: pass import nm.ini
  • Import a One password 1PIF: pass import 1password.1pif
  • Import a One password CSV: pass import 1password.csv
  • Import a Passman JSON file: pass import passman.json
  • Import Lastpass file to a keepass db: pimport keepass lastpass.csv --out keepass.kdbx
  • Import a password store to a CSV file: pimport csv ~/.password-store --out file.csv
  • Export Bitwarden to SPHINX: pimport sphinx bitwarden.json -o sphinx.cfg

GPG keyring

Before importing data to pass, your password-store repository must exist and your GPG keyring must be usable. In other words, you need to ensure that:

  • All the public gpgids are present in the keyring.
  • All the public gpgids are trusted enough (ultimate).
  • At least one private key is present in the keyring.

Otherwise, you will get the following error: invalid credentials, password encryption/decryption aborted.

To set the trust on a GPG key, one can run gpg --edit-key <gpgid>. Next type trust and select 5 = I trust ultimately.

Security consideration

Direct import

Passwords should not be written in plain text form on the drive. Therefore, when possible, you should import it directly from the encrypted data. For instance, with an encrypted keepass database:

pass import keepass file.kdbx

Secure erasure

Otherwise, if your password manager does not support it, you should take care of securely removing the plain text password database:

pass import lastpass data.csv
shred -u data.csv

Encrypted file

Alternatively, pass-import can decrypt gpg encrypted file before importing it. For example:

pass import lastpass lastpass.csv.gpg

Mandatory Access Control (MAC)

AppArmor profiles for pass and pass-import are available in apparmor.d. If your distribution support AppArmor, you can clone the apparmor.d and run: make && sudo make install pass pass-import to only install these apparmor security profiles.

Network

pass-import only needs to establish network connection to support cloud based password manager. If you do not use these importers you can ensure pass-import is not using the network by removing the network rules in the apparmor profile of pass-import.

Password Update

You might also want to update the passwords imported using pass-update.

Configuration file

Some configurations can be read from a configuration file called .import if it is present at the root of the password repository. The configuration read from this file will be overwritten by their corresponding command-line option if present.

Example of the .import configuration file for the default password repository in ~/.password-store/.import:

---

# Separator string
separator: '-'

# The list of string that should be replaced by other string. Only activated
# if the `clean` option is enabled.
cleans:
  ' ': '-'
  '&': 'and'
  '@': At
  "'": ''
  '[': ''
  ']': ''

# The list of protocols. To be removed from the title.
protocols:
  - http://
  - https://

# The list of invalid characters. Replaced by the separator.
invalids:
  - '<'
  - '>'
  - ':'
  - '"'
  - '/'
  - '\\'
  - '|'
  - '?'
  - '*'
  - '\0'

Installation

Requirements

  • pass 1.7.0 or greater.
  • Python 3.8+
  • python3-setuptools to build and install it.
  • python3-yaml (apt install python3-yaml or pip3 install pyaml, or python3 -m pip install pyaml if on MacOS running python installed via brew)

Optional Requirements

Dependency Required for apt pip
pass Password Store import/export apt install pass N/A
lpass Lastpass cli based import/export apt install lpass N/A
defusedxml Recommended XML library apt install python3-defusedxml pip3 install defusedxml
pykeepass Keepass import from KDBX file N/A pip3 install pykeepass
secretstorage Gnome Keyring import apt install python3-secretstorage pip3 install secretstorage
cryptography AndOTP or Aegis encrypted import apt install python3-cryptography pip3 install cryptography
file-magic Detection of file decryption apt install python-magic pip3 install file-magic
pwdsphinx Export to SPHINX N/A(coming soon) pip3 install pwdsphinx
filter Filter exports N/A pip3 install jsonpath-ng

ArchLinux

pass-import is available in the Arch User Repository.

yay -S pass-import  # or your preferred AUR install method

Debian/Ubuntu

pass-import is available under my own debian repository with the package name pass-extension-import. Both the repository and the package are signed with my GPG key: 06A26D531D56C42D66805049C5469996F0DF68EC.

wget -qO - https://pkg.pujol.io/debian/gpgkey | gpg --dearmor | sudo tee /usr/share/keyrings/pujol.io.gpg >/dev/null
echo 'deb [arch=amd64 signed-by=/usr/share/keyrings/pujol.io.gpg] https://pkg.pujol.io/debian/repo all main' | sudo tee /etc/apt/sources.list.d/pkg.pujol.io.list
sudo apt-get update
sudo apt-get install pass-extension-import

NixOS

nix-env -iA nixos.passExtensions.pass-import

Using pip

pip install pass-import

From git

git clone https://github.com/roddhjav/pass-import/
cd pass-import
python3 setup.py install

Stable version

wget https://github.com/roddhjav/pass-import/releases/download/v3.5/pass-import-3.5.tar.gz
tar xzf pass-import-3.5.tar.gz
cd pass-import-3.5
python3 setup.py install

Releases and commits are signed using 06A26D531D56C42D66805049C5469996F0DF68EC. You should check the key's fingerprint and verify the signature:

wget https://github.com/roddhjav/pass-import/releases/download/v3.5/pass-import-3.5.tar.gz.asc
gpg --recv-keys 06A26D531D56C42D66805049C5469996F0DF68EC
gpg --verify pass-import-3.5.tar.gz.asc

Local install

Alternatively, from git or from a stable version you can do a local install with:

cd pass-import
python3 setup.py install --user

Important

For local install you need to:

  1. Set PASSWORD_STORE_ENABLE_EXTENSIONS to true for the local extension to be enabled.
  2. Set PASSWORD_STORE_EXTENSIONS_DIR to local the install path of python

Example:

export PASSWORD_STORE_ENABLE_EXTENSIONS=true
export PASSWORD_STORE_EXTENSIONS_DIR="$(python -m site --user-site)/usr/lib/password-store/extensions/"

The import Library

One can use pass-import as a python library. Simply import the classes of the password manager you want to import and export. Then use them in a context manager. For instance, to import password from a cvs Lastpass exported file to password-store:

from pass_import.managers.lastpass import LastpassCSV
from pass_import.managers.passwordstore import PasswordStore

with LastpassCSV('lastpass-export.csv') as importer:
    importer.parse()

    with PasswordStore('~/.password-store') as exporter:
        exporter.data = importer.data
        exporter.clean(True, True)
        for entry in exporter.data:
            exporter.insert(entry)

Alternatively, you can import the same Lastpass file to a Keepass database:

from pass_import.managers.keepass import Keepass
from pass_import.managers.lastpass import LastpassCSV

with LastpassCSV('lastpass-export.csv') as importer:
    importer.parse()

    with Keepass('keepass.kdbx') as exporter:
        exporter.data = importer.data
        exporter.clean(True, True)
        for entry in exporter.data:
            exporter.insert(entry)

Contribution

Feedback, contributors, pull requests are all very welcome. Please read the CONTRIBUTING.rst file for more details on the contribution process.