Add how-to guide for restoring 1Password backup from borgmatic (#141)

## Summary - New how-to guide at `docs/how-to/restore-1password-backup.md` with step-by-step procedure for extracting and decrypting a 1Password `.1pux` export from borgmatic backup - **End-to-end verified**: extracted from today's borg archive, decrypted age key with openssl, decrypted .1pux with age → valid 31MB zip with vault data - Cross-links added from: disaster-recovery, 1password, borgmatic, backups policy, and how-to index - Updated disaster-recovery.md from TBD stub to include a procedures table ## Deployment and Testing - [x] Verified full extraction + decryption flow against live borgmatic archive - [x] `docs-check-links` passes — all wiki-links valid - [ ] Review guide for clarity and completeness Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/141
2026-02-10 10:55:00 -08:00 · 2026-02-10 10:55:00 -08:00 · 54afa0750b
commit 54afa0750b
parent b5746e62c2
8 changed files with 120 additions and 7 deletions
--- a/docs/changelog.d/doc-restore-1password-backup.doc.md
+++ b/docs/changelog.d/doc-restore-1password-backup.doc.md
@ -0,0 +1 @@
+Add how-to guide for restoring 1Password backup from borgmatic, with cross-links from disaster recovery, borgmatic, 1password, and backup policy docs
--- a/docs/how-to/how-to.md
+++ b/docs/how-to/how-to.md
@ -42,6 +42,7 @@ Task-oriented instructions for common BlumeOps operations. These guides assume y
 |-------|-------------|
 | [[restart-indri]] | Safely shut down and restart indri |
 | [[manage-flyio-proxy]] | Deploy, shutoff, and troubleshoot the public proxy |
+| [[restore-1password-backup]] | Recover 1Password credentials from borgmatic backup |
 | [[troubleshooting]] | Diagnose and fix common issues |

 ## Plans
--- a/docs/how-to/restore-1password-backup.md
+++ b/docs/how-to/restore-1password-backup.md
@ -0,0 +1,100 @@
+---
+title: Restore 1Password Backup
+tags:
+  - how-to
+  - operations
+  - backup
+---
+
+# Restore 1Password Backup
+
+How to recover a 1Password `.1pux` export from a [[borgmatic]] backup. This procedure assumes the worst case — [[indri]] and [[sifaka]] may both be gone. All you need is a copy of the borg repository and your Emergency Kit.
+
+## Prerequisites
+
+- A copy of the borg backup repository (from [[sifaka]], or an off-site copy — TBD)
+- `borg`, `age`, and `openssl` installed on any machine
+- Your **1Password Emergency Kit** (fire safety box) — contains the master password and secret key
+- The borg repo passphrase (printed on the Emergency Kit, or from `/Users/erichblume/.borg/config.yaml` if [[indri]] is accessible)
+
+## When to Use This
+
+Use this procedure when you've lost access to 1Password and need to recover credentials from the encrypted backup created by `mise run op-backup`.
+
+## Procedure
+
+### 1. Extract From Borg Repository
+
+If you have direct access to the borg repository (e.g. mounted from [[sifaka]] or restored from off-site), extract directly:
+
+```bash
+mkdir -p /tmp/op-restore && cd /tmp/op-restore
+BORG_PASSPHRASE="<your-borg-passphrase>" borg list /path/to/borg/repo --last 5
+BORG_PASSPHRASE="<your-borg-passphrase>" borg extract \
+  "/path/to/borg/repo::<archive-name>" \
+  Users/erichblume/Documents/1password-backup/
+```
+
+If [[indri]] is available, you can use borgmatic instead:
+
+```bash
+ssh indri 'cd /tmp && mkdir -p op-restore && cd op-restore && \
+  BORG_PASSCOMMAND="cat /Users/erichblume/.borg/config.yaml" \
+  /opt/homebrew/bin/borg extract \
+  "/Volumes/backups/borg/::<archive-name>" \
+  Users/erichblume/Documents/1password-backup/'
+```
+
+Verify you have a `.age` file (~30-45 MB) and a `.key.enc` file (~200 bytes).
+
+### 2. Decrypt the Age Private Key
+
+The private key is encrypted with `openssl aes-256-cbc`. The passphrase is `{master_password}:{secret_key}` from your Emergency Kit.
+
+```bash
+cd /tmp/op-restore/Users/erichblume/Documents/1password-backup
+openssl enc -d -aes-256-cbc -pbkdf2 \
+  -in 1password-export-*.key.enc \
+  -out key.txt
+```
+
+Enter the passphrase when prompted: `{master_password}:{secret_key}` (colon-separated, no spaces around the colon).
+
+### 3. Decrypt the Export
+
+```bash
+age -d -i key.txt < 1password-export-*.age > export.1pux
+```
+
+### 4. Verify
+
+The `.1pux` file is a zip archive. Verify it looks correct:
+
+```bash
+file export.1pux        # Should say "Zip archive data"
+ls -lh export.1pux      # Should be ~30-45 MB
+unzip -l export.1pux | head -20  # Should list files/ entries
+```
+
+### 5. Import Into 1Password
+
+Open 1Password and use **File > Import** to restore from the `.1pux` file.
+
+### 6. Clean Up
+
+Remove all temporary files — the decrypted export and key contain secrets:
+
+```bash
+rm -rf /tmp/op-restore
+```
+
+## Notes on the Borg Passphrase
+
+The borg repo uses `repokey` encryption — the key is stored in the repo itself, so you only need the passphrase (not a separate keyfile). The passphrase is recorded on your Emergency Kit alongside the 1Password credentials.
+
+## Related
+
+- [[borgmatic]] - Backup system
+- [[1password]] - Credential management
+- [[backups]] - Backup policy and schedule
+- [[disaster-recovery]] - Overall disaster recovery
--- a/docs/reference/operations/disaster-recovery.md
+++ b/docs/reference/operations/disaster-recovery.md
@ -6,14 +6,17 @@ tags:

 # Disaster Recovery

-TBD. Current state:
+Recovery procedures for BlumeOps infrastructure.

- [[borgmatic]] provides daily backups to [[sifaka|Sifaka]]
- Infrastructure can be rebootstrapped using the blumeops repo
- Detailed DR procedures not yet documented
+## Procedures
+
+| Scenario | Guide |
+|----------|-------|
+| Lost 1Password access | [[restore-1password-backup]] |
+| Indri reboot/power loss | [[restart-indri]] |

 ## Components

 - [[borgmatic]] - Backup restoration
- [[1password]] - Credential recovery
+- [[1password]] - Credential recovery (backed up via `mise run op-backup`)
 - [[forgejo]] - Source of truth for infrastructure code
--- a/docs/reference/services/1password.md
+++ b/docs/reference/services/1password.md
@ -34,7 +34,13 @@ The `blumeops` vault contains all infrastructure credentials.

 Services reference 1Password items via `ExternalSecret` manifests.

+## Disaster Recovery Backup
+
+The `mise run op-backup` task encrypts a `.1pux` vault export and transfers it to [[indri]] for inclusion in [[borgmatic]] backups. See [[restore-1password-backup]] for the full recovery procedure.
+
 ## Related

 - [[argocd]] - Uses secrets for git access
 - [[postgresql]] - Database credentials
+- [[restore-1password-backup]] - Recovery from backup
+- [[borgmatic]] - Backup system
--- a/docs/reference/services/borgmatic.md
+++ b/docs/reference/services/borgmatic.md
@ -57,3 +57,4 @@ Dashboard: "Borgmatic Backups" in [[grafana]]
 - [[backups|Backups]] - Full backup policy
 - [[sifaka|Sifaka]] - Backup target
 - [[postgresql]] - Database backups
+- [[restore-1password-backup]] - Recover 1Password from backup
--- a/docs/reference/storage/backups.md
+++ b/docs/reference/storage/backups.md
@ -24,7 +24,7 @@ Daily automated backups from [[indri]] to [[sifaka|Sifaka]] NAS.
 | `~/code/personal/zk` | Zettelkasten notes | Critical |
 | `/opt/homebrew/var/forgejo` | Git repositories | Critical |
 | `~/.config/borgmatic` | Backup config | High |
-| `~/Documents` | Personal documents | High |
+| `~/Documents` | Personal documents (includes [[1password]] encrypted export) | High |

 ### Databases

@ -72,3 +72,4 @@ Dashboard: "Borgmatic Backups" in [[grafana]]
 - [[borgmatic]] - Backup system details
 - [[sifaka|Sifaka]] - Backup storage
 - [[postgresql]] - Database backups
+- [[restore-1password-backup]] - Recover 1Password from backup
				`@ -0,0 +1 @@`
				`Add how-to guide for restoring 1Password backup from borgmatic, with cross-links from disaster recovery, borgmatic, 1password, and backup policy docs`