A pass extension for importing data from most existing password managers
pass import
is a password store extension allowing you to import your password database to a password store repository conveniently. It natively supports import from 62 different password managers. More manager support can easily be added.
Passwords are imported into the existing default password store, therefore the password store must have been initialized before with pass init
.
By default, pass imports entries at the root of the password store and only keeps the main data (password, login, email, URL, group). This behaviour can be changed using the provided options.
Pass import handles duplicates and is compatible with browserpass. It imports OTP secret in a way that is compatible with pass-otp.
pass-import also provides a pimport
script that allows importing passwords to other password managers. For instance, you can import passwords from Lastpass to a Keepass database. It currently supports password export from 8 managers.
The following password managers are supported:
Password Manager | Formats | How to export Data | Command line |
---|---|---|---|
1password | csv v8 |
See this guide | pass import 1password file.csv |
1pif v4 |
See this guide | pass import 1password file.1pif |
|
csv v4 |
See this guide | pass import 1password file.csv |
|
csv v6 |
See this guide | pass import 1password file.csv |
|
aegis | json |
Settings> Tools: Export Plain | pass import aegis file.json |
json |
Settings> Tools: Export encrypted | pass import aegis file.json |
|
andotp | json |
Backups> Backup plain | pass import andotp file.json |
apple-keychain | keychain |
See this guide | pass import applekeychain file.txt |
bitwarden | csv |
Tools> Export Vault> File Format: .csv | pass import bitwarden file.csv |
csv |
Tools> Export Vault> File Format: .csv | pass import bitwarden file.csv |
|
json |
Tools> Export Vault> File Format: .json | pass import bitwarden file.json |
|
json |
Tools> Export Vault> File Format: .json | pass import bitwarden file.json |
|
blur | json |
Settings: Export Data: Export Blur Data | pass import blur file.json |
csv |
Settings: Export Data: Export CSV: Accounts: Export CSV | pass import blur file.csv |
|
buttercup | csv |
File > Export > Export File to CSV | pass import buttercup file.csv |
chrome | csv |
In chrome://password-manager/settings under 2Export passwordsDownload File | pass import chrome file.csv |
csv |
See this guide | pass import chrome file.csv |
|
clipperz | html |
Settings > Data > Export: HTML + JSON | pass import clipperz file.html |
csv | csv |
Nothing to do | pass import csv file.csv --cols 'url,login,,password' |
dashlane | csv |
File > Export > Unsecured Archive in CSV | pass import dashlane file.csv |
json |
File > Export > Unsecured Archive in JSON | pass import dashlane file.json |
|
encryptr | csv |
Compile from source and follow instructions from this guide | pass import encryptr file.csv |
enpass | json v6 |
Menu > File > Export > As JSON | pass import enpass file.json |
csv |
File > Export > As CSV | pass import enpass file.csv |
|
firefox | csv |
In about:logins Menu: Export logins | pass import firefox file.csv |
csv |
Add-ons Prefs: Export Passwords: CSV | pass import firefox file.csv |
|
fpm | xml |
File > Export Passwords: Plain XML | pass import fpm file.xml |
freeotp+ | json |
Settings> Export> Export JSON Format | pass import freeotp+ file.json |
gnome | libsecret |
Nothing to do | pass import gnome-keyring <label> |
gnome-auth | json |
Backup > in a plain-text JSON file | pass import gnome-authenticator file.json |
gopass | gopass |
Nothing to do | pass import gopass path/to/store |
gorilla | csv |
File > Export: Yes: CSV Files | pass import gorilla file.csv |
kedpm | xml |
File > Export Passwords: Plain XML | pass import kedpm file.xml |
keepass | kdbx |
Nothing to do | pass import keepass file.kdbx |
csv |
File > Export > Keepass (CSV) | pass import keepass file.csv |
|
xml |
File > Export > Keepass (XML) | pass import keepass file.xml |
|
keepassx | xml |
File > Export to > Keepass XML File | pass import keepassx file.xml |
keepassx2 | kdbx |
Nothing to do | pass import keepassx2 file.kdbx |
csv |
Database > Export to CSV File | pass import keepassx2 file.csv |
|
keepassxc | kdbx |
Nothing to do | pass import keepassxc file.kdbx |
csv |
Database > Export to CSV File | pass import keepassxc file.csv |
|
keeper | csv |
Settings > Export : Export to CSV File | pass import keeper file.csv |
lastpass | cli |
Nothing to do | pass import lastpass <login> |
csv |
More Options > Advanced > Export | pass import lastpass file.csv |
|
myki | csv |
See this guide | pass import myki file.csv |
network-manager | nm |
Also support specific networkmanager dir and ini file | pass import networkmanager |
nordpass | csv |
Settings > Export Items | pass import nordpass file.csv |
padlock | csv |
Settings > Export Data and copy text into a .csv file | pass import padlock file.csv |
pass | pass |
Nothing to do | pass import pass path/to/store |
passman | csv |
Settings > Export credentials > Export type: CSV | pass import passman file.csv |
json |
Settings > Export credentials > Export type: JSON | pass import passman file.json |
|
passpack | csv |
Settings > Export > Save to CSV | pass import passpack file.csv |
passpie | yaml v1.0 |
`passpie export file.yml` | pass import passpie file.yml |
pwsafe | xml |
File > Export To > XML Format | pass import pwsafe file.xml |
revelation | xml |
File > Export: XML | pass import revelation file.xml |
roboform | csv |
Roboform > Options > Data & Sync > Export To: CSV file | pass import roboform file.csv |
safeincloud | csv |
File > Export > Comma-Separated Values (CSV) | pass import safeincloud file.csv |
saferpass | csv |
Settings > Export Data: Export data | pass import saferpass file.csv |
upm | csv |
Database > Export | pass import upm file.csv |
zoho | csv |
Tools > Export Secrets: Zoho Vault Format CSV | pass import zoho file.csv |
csv |
Tools > Export Secrets: Zoho Vault Format CSV | pass import zoho file.csv |
The following destination password managers are supported:
Exporters Password Manager | Format | Command line |
---|---|---|
csv | csv | pimport csv src [src] |
gopass | gopass | pimport gopass src [src] |
keepass | kdbx | pimport keepass src [src] |
keepassx2 | kdbx | pimport keepassx2 src [src] |
keepassxc | kdbx | pimport keepassxc src [src] |
lastpass | cli | pimport lastpass src [src] |
pass | pass | pimport pass src [src] |
sphinx | pimport sphinx src [src] |
To import password from any supported password manager simply run:
pass import path/to/passwords
If pass-import
is not able to detect the format, you need to provide the password manager <pm>
you want to import data from:
pass import <pm> path/to/passwords
If you want to import data to a password manager other than pass
, run:
pimport <new_pm> <former_pm> path/to/passwords --out path/to/destination/pm
usage: pass import [-r path] [-p path] [-k KEY] [-a] [-f] [-c] [-C] [-P] [-d] [--sep CHAR] [--del CHAR] [--cols COLS] [--filter FILTER] [--config CONFIG]
[-l] [-h] [-V] [-v | -q]
[src ...]
Import data from most of the password manager. Passwords are imported into
the existing default password store; therefore, the password store must have
been initialised before with 'pass init'.
Password managers:
src Path to the data to import. Can also be the password manager name followed by the path to the data to import. The password manager
name can be: 1password, aegis, andotp, apple-keychain, bitwarden, blur, buttercup, chrome, clipperz, csv, dashlane, encryptr,
enpass, firefox, fpm, freeotp+, gnome, gnome-auth, gopass, gorilla, kedpm, keepass, keepassx, keepassx2, keepassxc, keeper,
lastpass, myki, network-manager, nordpass, padlock, pass, passman, passpack, passpie, pwsafe, revelation, roboform, safeincloud,
saferpass, upm, zoho.
Common optional arguments:
-r path, --root path Only import the password from a specific subfolder.
-p path, --path path Import the passwords to a specific subfolder.
-k KEY, --key KEY Path to a keyfile if required by a manager.
-a, --all Also import all the extra data present.
-f, --force Overwrite existing passwords.
-c, --clean Make the paths more command line friendly.
-C, --convert Convert invalid characters present in the paths.
-P, --pwned Check imported passwords against haveibeenpwned.com.
-d, --dry-run Do not import passwords, only show what would be imported.
Extra optional arguments:
--sep CHAR Provide a characters of replacement for the path separator. Default: '-'
--del CHAR Provide an alternative CSV delimiter character. Default: ','
--cols COLS CSV expected columns to map columns to credential attributes. Only used by the csv importer.
--filter FILTER Export whole entries matching a JSONPath filter expression. Default: (none) This field can be: - a string JSONPath expression - an
absolute path to a file containing a JSONPath filter expression. List of supported filter: https://github.com/h2non/jsonpath-ng
Example: - '$.entries[*].tags[?@="Defaults"]' : Export only entries with a tag matching 'Defaults'
--config CONFIG Set a config file. Default: '.import'
Help related optional arguments:
-l, --list List the supported password managers.
-h, --help Show this help message and exit.
-V, --version Show the program version and exit.
-v, --verbose Set verbosity level, can be used more than once.
-q, --quiet Be quiet.
More information may be found in the pass-import(1) man page.
Usage for pimport
can been seen with pimport -h
or man pimport
.
Import password from KeePass
pass import keepass.xml
(*) Importing passwords from keepass to pass
. Passwords imported from: keepass.xml
. Passwords exported to: ~/.password-store
. Number of password imported: 6
. Passwords imported:
Social/mastodon.social
Social/twitter.com
Social/news.ycombinator.com
Servers/ovh.com/bynbyjhqjz
Servers/ovh.com/jsdkyvbwjn
Bank/aib
This is the same than: pimport pass keepass.xml --out ~/.password-store
Import password to a different password store
export PASSWORD_STORE_DIR="~/.mypassword-store"
pass init <gpg-id>
pass import keepass.kdbx
Import password to a subfolder
pass import bitwarden.json -p Import/
(*) Importing passwords from bitwarden to pass
. Passwords imported from: bitwarden.json
. Passwords exported to: ~/.password-store
. Root path: Import
. Number of password imported: 6
. Passwords imported:
Import/Social/mastodon.social
Import/Social/twitter.com
Import/Social/news.ycombinator.com
Import/Servers/ovh.com/bynbyjhqjz
Import/Servers/ovh.com/jsdkyvbwjn
Import/Bank/aib
Other examples:
- If the manager is not correctly detected, you can pass it at source argument:
pass import dashlane dashlane.csv
- Import NetworkManager password on default dir:
pass import networkmanager
- Import a NetworkManager INI file:
pass import nm.ini
- Import a One password 1PIF:
pass import 1password.1pif
- Import a One password CSV:
pass import 1password.csv
- Import a Passman JSON file:
pass import passman.json
- Import Lastpass file to a keepass db:
pimport keepass lastpass.csv --out keepass.kdbx
- Import a password store to a CSV file:
pimport csv ~/.password-store --out file.csv
- Export Bitwarden to SPHINX: pimport sphinx bitwarden.json -o sphinx.cfg
Before importing data to pass, your password-store repository must exist and your GPG keyring must be usable. In other words, you need to ensure that:
- All the public gpgids are present in the keyring.
- All the public gpgids are trusted enough (
ultimate
). - At least one private key is present in the keyring.
Otherwise, you will get the following error:
invalid credentials, password encryption/decryption aborted.
To set the trust on a GPG key, one can run gpg --edit-key <gpgid>
. Next type trust
and select 5 = I trust ultimately
.
Direct import
Passwords should not be written in plain text form on the drive. Therefore, when possible, you should import it directly from the encrypted data. For instance, with an encrypted keepass database:
pass import keepass file.kdbx
Secure erasure
Otherwise, if your password manager does not support it, you should take care of securely removing the plain text password database:
pass import lastpass data.csv
shred -u data.csv
Encrypted file
Alternatively, pass-import can decrypt gpg encrypted file before importing it. For example:
pass import lastpass lastpass.csv.gpg
Mandatory Access Control (MAC)
AppArmor profiles for pass
and pass-import
are available in apparmor.d
. If your distribution support AppArmor, you can clone the apparmor.d and run: make && sudo make install pass pass-import
to only install these apparmor security profiles.
Network
pass-import only needs to establish network connection to support cloud based password manager. If you do not use these importers you can ensure pass-import is not using the network by removing the network
rules in the apparmor profile of pass-import.
Password Update
You might also want to update the passwords imported using pass-update
.
Some configurations can be read from a configuration file called .import
if it is present at the root of the password repository. The configuration read from this file will be overwritten by their corresponding command-line option if present.
Example of the .import
configuration file for the default password repository in ~/.password-store/.import
:
---
# Separator string
separator: '-'
# The list of string that should be replaced by other string. Only activated
# if the `clean` option is enabled.
cleans:
' ': '-'
'&': 'and'
'@': At
"'": ''
'[': ''
']': ''
# The list of protocols. To be removed from the title.
protocols:
- http://
- https://
# The list of invalid characters. Replaced by the separator.
invalids:
- '<'
- '>'
- ':'
- '"'
- '/'
- '\\'
- '|'
- '?'
- '*'
- '\0'
Requirements
pass 1.7.0
or greater.- Python 3.8+
python3-setuptools
to build and install it.python3-yaml
(apt install python3-yaml
orpip3 install pyaml
, orpython3 -m pip install pyaml
if on MacOS running python installed viabrew
)
Optional Requirements
Dependency | Required for | apt | pip |
---|---|---|---|
pass | Password Store import/export | apt install pass |
N/A |
lpass | Lastpass cli based import/export | apt install lpass |
N/A |
defusedxml | Recommended XML library | apt install python3-defusedxml |
pip3 install defusedxml |
pykeepass | Keepass import from KDBX file | N/A | pip3 install pykeepass |
secretstorage | Gnome Keyring import | apt install python3-secretstorage |
pip3 install secretstorage |
cryptography | AndOTP or Aegis encrypted import | apt install python3-cryptography |
pip3 install cryptography |
file-magic | Detection of file decryption | apt install python-magic |
pip3 install file-magic |
pwdsphinx | Export to SPHINX | N/A(coming soon) | pip3 install pwdsphinx |
filter | Filter exports | N/A | pip3 install jsonpath-ng |
ArchLinux
pass-import
is available in the Arch User Repository.
yay -S pass-import # or your preferred AUR install method
Debian/Ubuntu
pass-import
is available under my own debian repository with the package name pass-extension-import
. Both the repository and the package are signed with my GPG key: 06A26D531D56C42D66805049C5469996F0DF68EC
.
wget -qO - https://pkg.pujol.io/debian/gpgkey | gpg --dearmor | sudo tee /usr/share/keyrings/pujol.io.gpg >/dev/null
echo 'deb [arch=amd64 signed-by=/usr/share/keyrings/pujol.io.gpg] https://pkg.pujol.io/debian/repo all main' | sudo tee /etc/apt/sources.list.d/pkg.pujol.io.list
sudo apt-get update
sudo apt-get install pass-extension-import
NixOS
nix-env -iA nixos.passExtensions.pass-import
Using pip
pip install pass-import
From git
git clone https://github.com/roddhjav/pass-import/
cd pass-import
python3 setup.py install
Stable version
wget https://github.com/roddhjav/pass-import/releases/download/v3.5/pass-import-3.5.tar.gz
tar xzf pass-import-3.5.tar.gz
cd pass-import-3.5
python3 setup.py install
Releases and commits are signed using 06A26D531D56C42D66805049C5469996F0DF68EC
.
You should check the key's fingerprint and verify the signature:
wget https://github.com/roddhjav/pass-import/releases/download/v3.5/pass-import-3.5.tar.gz.asc
gpg --recv-keys 06A26D531D56C42D66805049C5469996F0DF68EC
gpg --verify pass-import-3.5.tar.gz.asc
Local install
Alternatively, from git or from a stable version you can do a local install with:
cd pass-import
python3 setup.py install --user
Important
For local install you need to:
- Set
PASSWORD_STORE_ENABLE_EXTENSIONS
totrue
for the local extension to be enabled. - Set
PASSWORD_STORE_EXTENSIONS_DIR
to local the install path of python
Example:
export PASSWORD_STORE_ENABLE_EXTENSIONS=true
export PASSWORD_STORE_EXTENSIONS_DIR="$(python -m site --user-site)/usr/lib/password-store/extensions/"
One can use pass-import as a python library. Simply import the classes of the password manager you want to import and export. Then use them in a context manager. For instance, to import password from a cvs Lastpass exported file to password-store:
from pass_import.managers.lastpass import LastpassCSV
from pass_import.managers.passwordstore import PasswordStore
with LastpassCSV('lastpass-export.csv') as importer:
importer.parse()
with PasswordStore('~/.password-store') as exporter:
exporter.data = importer.data
exporter.clean(True, True)
for entry in exporter.data:
exporter.insert(entry)
Alternatively, you can import the same Lastpass file to a Keepass database:
from pass_import.managers.keepass import Keepass
from pass_import.managers.lastpass import LastpassCSV
with LastpassCSV('lastpass-export.csv') as importer:
importer.parse()
with Keepass('keepass.kdbx') as exporter:
exporter.data = importer.data
exporter.clean(True, True)
for entry in exporter.data:
exporter.insert(entry)
Feedback, contributors, pull requests are all very welcome. Please read the CONTRIBUTING.rst
file for more details on the contribution process.