pass import

A pass extension for importing data from most existing password managers

Description

pass import is a password store extension allowing you to import your password database to a password store repository conveniently. It natively supports import from 62 different password managers. More manager support can easily be added.

Passwords are imported into the existing default password store, therefore the password store must have been initialized before with pass init.

By default, pass imports entries at the root of the password store and only keeps the main data (password, login, email, URL, group). This behaviour can be changed using the provided options.

Pass import handles duplicates and is compatible with browserpass. It imports OTP secret in a way that is compatible with pass-otp.

pass-import also provides a pimport script that allows importing passwords to other password managers. For instance, you can import passwords from Lastpass to a Keepass database. It currently supports password export from 8 managers.

The following password managers are supported:

Password Manager	Formats	How to export Data	Command line
1password	csv v8	See this guide	pass import 1password file.csv
	1pif v4	See this guide	pass import 1password file.1pif
	csv v4	See this guide	pass import 1password file.csv
	csv v6	See this guide	pass import 1password file.csv
aegis	json	Settings> Tools: Export Plain	pass import aegis file.json
	json	Settings> Tools: Export encrypted	pass import aegis file.json
andotp	json	Backups> Backup plain	pass import andotp file.json
apple-keychain	keychain	See this guide	pass import applekeychain file.txt
bitwarden	csv	Tools> Export Vault> File Format: .csv	pass import bitwarden file.csv
	csv	Tools> Export Vault> File Format: .csv	pass import bitwarden file.csv
	json	Tools> Export Vault> File Format: .json	pass import bitwarden file.json
	json	Tools> Export Vault> File Format: .json	pass import bitwarden file.json
blur	json	Settings: Export Data: Export Blur Data	pass import blur file.json
	csv	Settings: Export Data: Export CSV: Accounts: Export CSV	pass import blur file.csv
buttercup	csv	File > Export > Export File to CSV	pass import buttercup file.csv
chrome	csv	In chrome://password-manager/settings under 2Export passwordsDownload File	pass import chrome file.csv
	csv	See this guide	pass import chrome file.csv
clipperz	html	Settings > Data > Export: HTML + JSON	pass import clipperz file.html
csv	csv	Nothing to do	pass import csv file.csv --cols 'url,login,,password'
dashlane	csv	File > Export > Unsecured Archive in CSV	pass import dashlane file.csv
	json	File > Export > Unsecured Archive in JSON	pass import dashlane file.json
encryptr	csv	Compile from source and follow instructions from this guide	pass import encryptr file.csv
enpass	json v6	Menu > File > Export > As JSON	pass import enpass file.json
	csv	File > Export > As CSV	pass import enpass file.csv
firefox	csv	In about:logins Menu: Export logins	pass import firefox file.csv
	csv	Add-ons Prefs: Export Passwords: CSV	pass import firefox file.csv
fpm	xml	File > Export Passwords: Plain XML	pass import fpm file.xml
freeotp+	json	Settings> Export> Export JSON Format	pass import freeotp+ file.json
gnome	libsecret	Nothing to do	pass import gnome-keyring <label>
gnome-auth	json	Backup > in a plain-text JSON file	pass import gnome-authenticator file.json
gopass	gopass	Nothing to do	pass import gopass path/to/store
gorilla	csv	File > Export: Yes: CSV Files	pass import gorilla file.csv
kedpm	xml	File > Export Passwords: Plain XML	pass import kedpm file.xml
keepass	kdbx	Nothing to do	pass import keepass file.kdbx
	csv	File > Export > Keepass (CSV)	pass import keepass file.csv
	xml	File > Export > Keepass (XML)	pass import keepass file.xml
keepassx	xml	File > Export to > Keepass XML File	pass import keepassx file.xml
keepassx2	kdbx	Nothing to do	pass import keepassx2 file.kdbx
	csv	Database > Export to CSV File	pass import keepassx2 file.csv
keepassxc	kdbx	Nothing to do	pass import keepassxc file.kdbx
	csv	Database > Export to CSV File	pass import keepassxc file.csv
keeper	csv	Settings > Export : Export to CSV File	pass import keeper file.csv
lastpass	cli	Nothing to do	pass import lastpass <login>
	csv	More Options > Advanced > Export	pass import lastpass file.csv
myki	csv	See this guide	pass import myki file.csv
network-manager	nm	Also support specific networkmanager dir and ini file	pass import networkmanager
nordpass	csv	Settings > Export Items	pass import nordpass file.csv
padlock	csv	Settings > Export Data and copy text into a .csv file	pass import padlock file.csv
pass	pass	Nothing to do	pass import pass path/to/store
passman	csv	Settings > Export credentials > Export type: CSV	pass import passman file.csv
	json	Settings > Export credentials > Export type: JSON	pass import passman file.json
passpack	csv	Settings > Export > Save to CSV	pass import passpack file.csv
passpie	yaml v1.0	`passpie export file.yml`	pass import passpie file.yml
pwsafe	xml	File > Export To > XML Format	pass import pwsafe file.xml
revelation	xml	File > Export: XML	pass import revelation file.xml
roboform	csv	Roboform > Options > Data & Sync > Export To: CSV file	pass import roboform file.csv
safeincloud	csv	File > Export > Comma-Separated Values (CSV)	pass import safeincloud file.csv
saferpass	csv	Settings > Export Data: Export data	pass import saferpass file.csv
upm	csv	Database > Export	pass import upm file.csv
zoho	csv	Tools > Export Secrets: Zoho Vault Format CSV	pass import zoho file.csv
	csv	Tools > Export Secrets: Zoho Vault Format CSV	pass import zoho file.csv

The following destination password managers are supported:

Exporters Password Manager	Format	Command line
csv	csv	pimport csv src [src]
gopass	gopass	pimport gopass src [src]
keepass	kdbx	pimport keepass src [src]
keepassx2	kdbx	pimport keepassx2 src [src]
keepassxc	kdbx	pimport keepassxc src [src]
lastpass	cli	pimport lastpass src [src]
pass	pass	pimport pass src [src]
sphinx		pimport sphinx src [src]

Usage

Basic use

To import password from any supported password manager simply run:

pass import path/to/passwords

If pass-import is not able to detect the format, you need to provide the password manager <pm> you want to import data from:

pass import <pm> path/to/passwords

If you want to import data to a password manager other than pass, run:

pimport <new_pm> <former_pm> path/to/passwords --out path/to/destination/pm

Help

usage: pass import [-r path] [-p path] [-k KEY] [-a] [-f] [-c] [-C] [-P] [-d] [--sep CHAR] [--del CHAR] [--cols COLS] [--filter FILTER] [--config CONFIG]
                   [-l] [-h] [-V] [-v | -q]
                   [src ...]

  Import data from most of the password manager. Passwords are imported into
  the existing default password store; therefore, the password store must have
  been initialised before with 'pass init'.

Password managers:
  src                   Path to the data to import. Can also be the password manager name followed by the path to the data to import. The password manager
                        name can be: 1password, aegis, andotp, apple-keychain, bitwarden, blur, buttercup, chrome, clipperz, csv, dashlane, encryptr,
                        enpass, firefox, fpm, freeotp+, gnome, gnome-auth, gopass, gorilla, kedpm, keepass, keepassx, keepassx2, keepassxc, keeper,
                        lastpass, myki, network-manager, nordpass, padlock, pass, passman, passpack, passpie, pwsafe, revelation, roboform, safeincloud,
                        saferpass, upm, zoho.

Common optional arguments:
  -r path, --root path  Only import the password from a specific subfolder.
  -p path, --path path  Import the passwords to a specific subfolder.
  -k KEY, --key KEY     Path to a keyfile if required by a manager.
  -a, --all             Also import all the extra data present.
  -f, --force           Overwrite existing passwords.
  -c, --clean           Make the paths more command line friendly.
  -C, --convert         Convert invalid characters present in the paths.
  -P, --pwned           Check imported passwords against haveibeenpwned.com.
  -d, --dry-run         Do not import passwords, only show what would be imported.

Extra optional arguments:
  --sep CHAR            Provide a characters of replacement for the path separator. Default: '-'
  --del CHAR            Provide an alternative CSV delimiter character. Default: ','
  --cols COLS           CSV expected columns to map columns to credential attributes. Only used by the csv importer.
  --filter FILTER       Export whole entries matching a JSONPath filter expression. Default: (none) This field can be: - a string JSONPath expression - an
                        absolute path to a file containing a JSONPath filter expression. List of supported filter: https://github.com/h2non/jsonpath-ng
                        Example: - '$.entries[*].tags[?@="Defaults"]' : Export only entries with a tag matching 'Defaults'
  --config CONFIG       Set a config file. Default: '.import'

Help related optional arguments:
  -l, --list            List the supported password managers.
  -h, --help            Show this help message and exit.
  -V, --version         Show the program version and exit.
  -v, --verbose         Set verbosity level, can be used more than once.
  -q, --quiet           Be quiet.

More information may be found in the pass-import(1) man page.

Usage for pimport can been seen with pimport -h or man pimport.

Examples

Import password from KeePass

pass import keepass.xml
(*) Importing passwords from keepass to pass
 .  Passwords imported from: keepass.xml
 .  Passwords exported to: ~/.password-store
 .  Number of password imported: 6
 .  Passwords imported:
       Social/mastodon.social
       Social/twitter.com
       Social/news.ycombinator.com
       Servers/ovh.com/bynbyjhqjz
       Servers/ovh.com/jsdkyvbwjn
       Bank/aib

This is the same than: pimport pass keepass.xml --out ~/.password-store

Import password to a different password store

export PASSWORD_STORE_DIR="~/.mypassword-store"
pass init <gpg-id>
pass import keepass.kdbx

Import password to a subfolder

pass import bitwarden.json -p Import/
(*) Importing passwords from bitwarden to pass
 .  Passwords imported from: bitwarden.json
 .  Passwords exported to: ~/.password-store
 .  Root path: Import
 .  Number of password imported: 6
 .  Passwords imported:
      Import/Social/mastodon.social
      Import/Social/twitter.com
      Import/Social/news.ycombinator.com
      Import/Servers/ovh.com/bynbyjhqjz
      Import/Servers/ovh.com/jsdkyvbwjn
      Import/Bank/aib

Other examples:

• If the manager is not correctly detected, you can pass it at source argument: pass import dashlane dashlane.csv
• Import NetworkManager password on default dir: pass import networkmanager
• Import a NetworkManager INI file: pass import nm.ini
• Import a One password 1PIF: pass import 1password.1pif
• Import a One password CSV: pass import 1password.csv
• Import a Passman JSON file: pass import passman.json
• Import Lastpass file to a keepass db: pimport keepass lastpass.csv --out keepass.kdbx
• Import a password store to a CSV file: pimport csv ~/.password-store --out file.csv
• Export Bitwarden to SPHINX: pimport sphinx bitwarden.json -o sphinx.cfg

GPG keyring

Before importing data to pass, your password-store repository must exist and your GPG keyring must be usable. In other words, you need to ensure that:

• All the public gpgids are present in the keyring.
• All the public gpgids are trusted enough (ultimate).
• At least one private key is present in the keyring.

Otherwise, you will get the following error: invalid credentials, password encryption/decryption aborted.

To set the trust on a GPG key, one can run gpg --edit-key <gpgid>. Next type trust and select 5 = I trust ultimately.

Security consideration

Direct import

Passwords should not be written in plain text form on the drive. Therefore, when possible, you should import it directly from the encrypted data. For instance, with an encrypted keepass database:

pass import keepass file.kdbx

Secure erasure

Otherwise, if your password manager does not support it, you should take care of securely removing the plain text password database:

pass import lastpass data.csv
shred -u data.csv

Encrypted file

Alternatively, pass-import can decrypt gpg encrypted file before importing it. For example:

pass import lastpass lastpass.csv.gpg

Mandatory Access Control (MAC)

AppArmor profiles for pass and pass-import are available in apparmor.d. If your distribution support AppArmor, you can clone the apparmor.d and run: make && sudo make install pass pass-import to only install these apparmor security profiles.

Network

pass-import only needs to establish network connection to support cloud based password manager. If you do not use these importers you can ensure pass-import is not using the network by removing the network rules in the apparmor profile of pass-import.

Password Update

You might also want to update the passwords imported using pass-update.

Configuration file

Some configurations can be read from a configuration file called .import if it is present at the root of the password repository. The configuration read from this file will be overwritten by their corresponding command-line option if present.

Example of the .import configuration file for the default password repository in ~/.password-store/.import:

---

# Separator string
separator: '-'

# The list of string that should be replaced by other string. Only activated
# if the `clean` option is enabled.
cleans:
  ' ': '-'
  '&': 'and'
  '@': At
  "'": ''
  '[': ''
  ']': ''

# The list of protocols. To be removed from the title.
protocols:
  - http://
  - https://

# The list of invalid characters. Replaced by the separator.
invalids:
  - '<'
  - '>'
  - ':'
  - '"'
  - '/'
  - '\\'
  - '|'
  - '?'
  - '*'
  - '\0'

Installation

Requirements

• pass 1.7.0 or greater.
• Python 3.8+
• python3-setuptools to build and install it.
• python3-yaml (apt install python3-yaml or pip3 install pyaml, or python3 -m pip install pyaml if on MacOS running python installed via brew)

Optional Requirements

Dependency	Required for	apt	pip
pass	Password Store import/export	apt install pass	N/A
lpass	Lastpass cli based import/export	apt install lpass	N/A
defusedxml	Recommended XML library	apt install python3-defusedxml	pip3 install defusedxml
pykeepass	Keepass import from KDBX file	N/A	pip3 install pykeepass
secretstorage	Gnome Keyring import	apt install python3-secretstorage	pip3 install secretstorage
cryptography	AndOTP or Aegis encrypted import	apt install python3-cryptography	pip3 install cryptography
file-magic	Detection of file decryption	apt install python-magic	pip3 install file-magic
pwdsphinx	Export to SPHINX	N/A(coming soon)	pip3 install pwdsphinx
filter	Filter exports	N/A	pip3 install jsonpath-ng

ArchLinux

pass-import is available in the Arch User Repository.

yay -S pass-import  # or your preferred AUR install method

Debian/Ubuntu

pass-import is available under my own debian repository with the package name pass-extension-import. Both the repository and the package are signed with my GPG key: 06A26D531D56C42D66805049C5469996F0DF68EC.

wget -qO - https://pkg.pujol.io/debian/gpgkey | gpg --dearmor | sudo tee /usr/share/keyrings/pujol.io.gpg >/dev/null
echo 'deb [arch=amd64 signed-by=/usr/share/keyrings/pujol.io.gpg] https://pkg.pujol.io/debian/repo all main' | sudo tee /etc/apt/sources.list.d/pkg.pujol.io.list
sudo apt-get update
sudo apt-get install pass-extension-import

NixOS

nix-env -iA nixos.passExtensions.pass-import

Using pip

pip install pass-import

From git

git clone https://github.com/roddhjav/pass-import/
cd pass-import
python3 setup.py install

Stable version

wget https://github.com/roddhjav/pass-import/releases/download/v3.5/pass-import-3.5.tar.gz
tar xzf pass-import-3.5.tar.gz
cd pass-import-3.5
python3 setup.py install

Releases and commits are signed using 06A26D531D56C42D66805049C5469996F0DF68EC. You should check the key's fingerprint and verify the signature:

wget https://github.com/roddhjav/pass-import/releases/download/v3.5/pass-import-3.5.tar.gz.asc
gpg --recv-keys 06A26D531D56C42D66805049C5469996F0DF68EC
gpg --verify pass-import-3.5.tar.gz.asc

Local install

Alternatively, from git or from a stable version you can do a local install with:

cd pass-import
python3 setup.py install --user

Important

For local install you need to:

1. Set PASSWORD_STORE_ENABLE_EXTENSIONS to true for the local extension to be enabled.
2. Set PASSWORD_STORE_EXTENSIONS_DIR to local the install path of python

Example:

export PASSWORD_STORE_ENABLE_EXTENSIONS=true
export PASSWORD_STORE_EXTENSIONS_DIR="$(python -m site --user-site)/usr/lib/password-store/extensions/"

The import Library

One can use pass-import as a python library. Simply import the classes of the password manager you want to import and export. Then use them in a context manager. For instance, to import password from a cvs Lastpass exported file to password-store:

from pass_import.managers.lastpass import LastpassCSV
from pass_import.managers.passwordstore import PasswordStore

with LastpassCSV('lastpass-export.csv') as importer:
    importer.parse()

    with PasswordStore('~/.password-store') as exporter:
        exporter.data = importer.data
        exporter.clean(True, True)
        for entry in exporter.data:
            exporter.insert(entry)

Alternatively, you can import the same Lastpass file to a Keepass database:

from pass_import.managers.keepass import Keepass
from pass_import.managers.lastpass import LastpassCSV

with LastpassCSV('lastpass-export.csv') as importer:
    importer.parse()

    with Keepass('keepass.kdbx') as exporter:
        exporter.data = importer.data
        exporter.clean(True, True)
        for entry in exporter.data:
            exporter.insert(entry)

Contribution

Feedback, contributors, pull requests are all very welcome. Please read the CONTRIBUTING.rst file for more details on the contribution process.