Tool to migrate from Enpass to 1Password. This tool takes an Enpass JSON export and imports it via the 1Password SDK.
- You need Python 3 installed on your system.
- You need
pipinstalled on your system. - You need to know how to open a Terminal aka Shell.
- On macOS, for example Terminal.app.
- On Windows, for example PowerShell.
- On Linux: You know your way.
- Follow the Preparations section below.
- Install
uv. - Then, in a terminal of your choosing, run the following command:
uvx enpass2onepassword ~/Documents/no_backup/enpass_export.json - Fill in the information
- Sa name: The name of your 1Password Service Account
- Sa token: The token (aka credential) for the 1Password Service Account.
- Op vault: The name of the empty(!) 1Password Vault.
- Create a new 1Password Vault.
- Call the Vault whatever you like, for example
Enpass. - See the official documentation for further guidance.
- Call the Vault whatever you like, for example
- Create a 1Password Service Account.
- Call the Service Account whatever you like, for example
enpass2onepassword - Use the cog ⚙️ to add the write permission to the Service Account
- See the official documentation for further guidance.
- Call the Service Account whatever you like, for example
- Copy the Service Account Token (and/or save it to 1Password).
- Export your Enpass Vault as JSON, for example as
export.json.⚠️ The export is unencrypted!- Don't forget to delete the file after a successful import!
- Ensure, that you export the vault to a place that is not synced to another computer
and which is not backed up automatically.
- If you use Time Machine on macOS, create a folder
no_backupin your Documents. Then open the System Settings. Under General click on Time Machine. Now click on Options…. Use the+-button to add the folder you just created to the Exclude from Backups list.
- If you use Time Machine on macOS, create a folder
- A good place would also be an SD card or a USB drive with an encrypted filesystem.
Usage: enpass2onepassword [OPTIONS] ENPASS_JSON_EXPORT
Adds items from an Enpass JSON export to a 1Password vault through the
1Password API.
Options:
-n, --op-sa-name, --sa TEXT The 1Password service account name. You
chose this when creating the 1Password
service account.
Can also be supplied as environment variable
'OP_SERVICE_ACCOUNT_NAME'. [default:
enpass2onepassword; required]
-t, --op-sa-token, --token TEXT
The 1Password service account token. It was
shown to you when you created the 1Password
service account.
Can also be supplied as environment variable
'OP_SERVICE_ACCOUNT_TOKEN'. [required]
-o, --op-vault, --vault TEXT The name of the 1Password vault. All Enpass
items will be created in that 1Password
vault. This 1Password vault must be empty!
Also, the service account must have write
permissions to it.
Can also be supplied as environment variable
'OP_VAULT'. [default: Enpass; required]
--ignore-non-empty-vault By default, this tool will stop if it
detects that there are already items in a
vault. Use this flag to ignore this behavior
and continue, even if there are already
items in the given vault. If you use this,
you should definitely make a sound backup of
the vault before the import!
--no-confirm By default, this tool will stop before
importing anything to 1Password, and you
need to confirm the import. Use this flag to
ignore this behavior and import without
further confirmation.
--no-wakelock By default, this tool will prevent the
computer to go to sleep while the import is
running. Use this flag to disable this
behavior.
When this flag is defined, then the computer
might go to sleep and interrupt your import.
The import is usually resumed, when your
computer resumes from sleep. The result is
that you won't make the best use of the
1Password rate limits.
--silent By default, this tool will print status
information while importing to 1Password.
Use this flag to disable such reports.
--skip INTEGER Skip the first number of items. This can be
helpful to recover a failed import.
[default: 0]
--op-rate-limit-hourly INTEGER 1Password enforces a write request rate
limit per 1Password Service Account. The
hourly rate limit as of 2025-01-01 is 100
requests per hour for private, family and
team accounts and 1'000 requests per hour
for Business accounts.
See https://developer.1password.com/docs/service-accounts/rate-limits/ for more info. [default: 100]
--op-rate-limit-daily INTEGER 1Password enforces a write request rate
limit per 1Password Account. The daily limit
as of 2025-01-01 is 1'000 requests per hour
for private and family accounts, 5'000 per
day for Teams accounts and 50'000 requests
per hour for Business accounts.
See https://developer.1password.com/docs/service-accounts/rate-limits/ for more info. [default: 1000]
--op-client-validity INTEGER This tool authenticates with the 1Password
server in order to import entries. This
authentication is only valid for a certain
amount of time. With this parameter, you can
adjust the time after which a this tool re-
authenticates with the 1Password server.
The value is in seconds. [default: 1800]
--help Show this message and exit.
Add the credentials of your 1Password Service Account to your private 1Password vault like so:
- Vault: Private
- Type: API Credential
- Name:
Service Account Auth Token - Username:
enpass2onepassword(or whatever you chose as username) - Password:
ops_…(the secret generated by 1Password)
Note: If you choose other names, you need to adjust the commands below to make it work!
Then install the 1Password CLI and use the following command to run the migration tool:
# unlock 1Password CLI
op signin
# specify the paths to the secrets
export OP_VAULT="Enpass"
export OP_SERVICE_ACCOUNT_NAME="$(op read 'op://Private/Service Account Auth Token/username')"
export OP_SERVICE_ACCOUNT_TOKEN="$(op read 'op://Private/Service Account Auth Token/password')"
# inject the secrets
uvx enpass2onepassword ~/Desktop/export.jsonIf that does not work, it may help to replace Private with the vault's UUID (which is a value like johaxupyjfamyo2ivigxs64y8n) in the above snippet.
Run the following command to update the tool to the latest version.
uv tool upgrade enpass2onepassword- Improved support for credit card's expiry date, once #140 is implemented
- Support for importing attachments, once #139 is implemented
- Improved support for Secure Notes, once #141 is implemented
- Improved support for Wireless Networks, once #142 is implemented
- Support for favorites, once #143 is implemented
These tips require that jq is installed on your computer.
To list all the categories in the Enpass export, use the following command:
jq '[.items[].category] | unique' export.jsonTo list all the field types in the Enpass export, use the following command:
jq '[.items[] | select(.fields != null) | .fields[]] | flatten | [.[].type] | unique' export.jsonTo split your export by category, use the following command:
jq '{folders: .folders, items: [.items[] | select(.category == "uncategorized")]}' export.json > export_uncat.json
# ^^^^^^^^^^^^^ Change category herejq '{folders: .folders, items: [.items[] | select(.note != "")]}' enpass_complete.json > export_hasnote.jsonThis project uses uv for dependency management, building and publishing.
Run the development build:
uv sync
uv run enpass2onepasswordUpdate dependencies:
uv lock --upgradeThis project uses MegaLinter. To run MegaLinter locally:
npx mega-linter-runnerThis requires a valid Docker-compatible container runtime to be available, like Podman.
Also, it required a Node installation with npm.
Release procedure:
- Edit the version in
pyproject.toml - Commit the change
git pushgit tag 0.1.0git push --tags
The rest is taken care of by the Release GitHub Action.
Copyright © 2025 Christian Mäder.
See LICENSE for license.
![@renovate[bot]](https://avatars.githubusercontent.com/in/2740?s=64&v=4){kind=small}