Support 1Password 1PIF format

[droidmonkey]

Summary

1Password OPVault is non-obvious to gain access to. Add support to the standard 1PIF export format from 1Password.

BitWarden has implemented a version of it here: https://github.com/bitwarden/jslib/blob/master/src/importers/onepassword1PifImporter.ts

A discussion about the 1PIF format is here: https://discussions.agilebits.com/discussion/80050/documentation-for-1pif-export-format

1Password recommended conversion tool from 1PIF to CSV: https://www.dropbox.com/sh/a3skeey2zqimdlv/AAD87q6N_EJZ1YoPe5SA35a1a?dl=0

[Zettt]

Thank you for creating this. Let me know if I can be of any help.

[droidmonkey]

I don't think we should necessarily do anything. You can use the conversion tool today to convert 1PIF to CSV files. Then you can import CSV to KeePassXC.

[mdaniel]

To continue from your other comment:

I'm on their subscription plan. As far as I'm aware, there's no real way to access the vault at all.

There are a couple of answers to that question: the first is that the functionality for interacting with .opvault format was required before the subscription was a thing -- and I bet there are still a non-trivial number of users out there like me who are 1Password the software users who are not 1Password the service users.

Another part of the answer is that as a subscriber to their cloud offering, you have the ability to use 1Password X or onepassword cli on "unsupported" platforms such as Linux or ChromeBook (err, I shouldn't run my mouth about the CLI on a ChromeBook, but it's not a ludicrous idea, either), so in that way the ability to read OpVault format isn't solving a problem cloud offering users have

And, then further down the pedantic answer hierarchy, having an implementation that reads their specification empowers users to do more with their data, since I would be very surprised if 1PIF captures all the specifics of an item, including attachments, TOTP tokens, any custom fields, etc.

At the bottom of the pedantry answer chain is that the 1Password apps of course store a local cache of the data, it just isn't in the documented .opvault format -- it's now in sqlite databases, but still apparently using the opdata01 encoding/encryption scheme inside the database (at least on the machine I have at work that uses the cloud offering). I would expect a sufficiently interested party would be able to adapt the code to read that packaging scheme, too

[juanii]

and I bet there are still a non-trivial number of users out there like me who are 1Password the software users who are not 1Password the service users.

+1. Guess it's lots of us wanting to jump ships disappointed with the subscription model and seeing most new features are implemented only for cloud vaults.

And, then further down the pedantic answer hierarchy, having an implementation that reads their specification empowers users to do more with their data, since I would be very surprised if 1PIF captures all the specifics of an item, including attachments, TOTP tokens, any custom fields, etc.

Be very surprised :) 1PIF retains all the custom fields, icons, TOTP tokens, attachments, folders, tags and everything I can think of. As you might already know 1PIF lacks of proper documentation and it might initially be seen like a big problem. But while writing a 1PIF import plugin for KeePass I did some research on the topic, analyzing 1PIF files from 1Password v3 through v7 and dissecting some open source conversion tools (mainly the great MrC's converter suite). And that experience taught me that the OPVault format (once decrypted and the opdata converted to regular JSON) is veeeeeery close[1] to the 1PIF format exported from 1Password for Windows[2]. With minor changes to the input data, I'd say you can reuse most if not all of the parsing code. I'd love to take a look into this, maybe after I finish the OPVault import plugin for KeePass.

[1] Probably not a coincidence, Windows' 1PIF export was introduced shortly before the official introduction of the OPVault format.

[2] Oddly enough, 1PIF files exported by 1Password for Mac are different from the files exported by 1Password for Windows. It's probably related to [1] since the Mac 1PIF format is way older. To address this, MrC's conversion suite takes a very simple approach to convert the Mac format to the Windows format by just renaming some properties and rearranging the JSON tree a little bit.

[droidmonkey]

Since 1Password allows for export to CSV from the 1Password GUI we will not be implementing this feature. The opvault format can also be easily generated by selecting 1Password -> New vault on this PC... then create a vault. Then you can do 1Password -> Import -> Select 1PIF file. From there you can import into KeePassXC.