From 5d2d95fe42f86d5473f9f0e564f942ca90aaa39b Mon Sep 17 00:00:00 2001 From: Erich Blume Date: Tue, 10 Feb 2026 10:48:55 -0800 Subject: [PATCH] Rewrite restore guide to not assume indri/sifaka are available MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The disaster scenario is house fire + 1Password cloud down — indri and sifaka may both be gone. Reframed to require only a borg repo copy and the Emergency Kit, with indri access as an optional shortcut. Co-Authored-By: Claude Opus 4.6 --- docs/how-to/restore-1password-backup.md | 54 ++++++++++--------------- 1 file changed, 21 insertions(+), 33 deletions(-) diff --git a/docs/how-to/restore-1password-backup.md b/docs/how-to/restore-1password-backup.md index 6125c9e..97ac4cc 100644 --- a/docs/how-to/restore-1password-backup.md +++ b/docs/how-to/restore-1password-backup.md @@ -8,14 +8,14 @@ tags: # Restore 1Password Backup -How to recover a 1Password `.1pux` export from a [[borgmatic]] backup on [[sifaka]]. +How to recover a 1Password `.1pux` export from a [[borgmatic]] backup. This procedure assumes the worst case — [[indri]] and [[sifaka]] may both be gone. All you need is a copy of the borg repository and your Emergency Kit. ## Prerequisites -- SSH access to [[indri]] -- `age` installed (`brew install age`) -- `openssl` installed (ships with macOS) +- A copy of the borg backup repository (from [[sifaka]], or an off-site copy — TBD) +- `borg`, `age`, and `openssl` installed on any machine - Your **1Password Emergency Kit** (fire safety box) — contains the master password and secret key +- The borg repo passphrase (printed on the Emergency Kit, or from `/Users/erichblume/.borg/config.yaml` if [[indri]] is accessible) ## When to Use This @@ -23,15 +23,19 @@ Use this procedure when you've lost access to 1Password and need to recover cred ## Procedure -### 1. Extract From Borgmatic +### 1. Extract From Borg Repository -List recent archives to find one containing the backup: +If you have direct access to the borg repository (e.g. mounted from [[sifaka]] or restored from off-site), extract directly: ```bash -ssh indri 'borgmatic list --last 5' +mkdir -p /tmp/op-restore && cd /tmp/op-restore +BORG_PASSPHRASE="" borg list /path/to/borg/repo --last 5 +BORG_PASSPHRASE="" borg extract \ + "/path/to/borg/repo::" \ + Users/erichblume/Documents/1password-backup/ ``` -Extract the 1Password backup files from the chosen archive: +If [[indri]] is available, you can use borgmatic instead: ```bash ssh indri 'cd /tmp && mkdir -p op-restore && cd op-restore && \ @@ -41,29 +45,14 @@ ssh indri 'cd /tmp && mkdir -p op-restore && cd op-restore && \ Users/erichblume/Documents/1password-backup/' ``` -Verify the files were extracted: +Verify you have a `.age` file (~30-45 MB) and a `.key.enc` file (~200 bytes). -```bash -ssh indri 'ls -lh /tmp/op-restore/Users/erichblume/Documents/1password-backup/' -``` - -You should see a `.age` file (~30-45 MB) and a `.key.enc` file (~200 bytes). - -### 2. Copy Files to Your Workstation - -```bash -mkdir -p /tmp/op-restore -scp "indri:/tmp/op-restore/Users/erichblume/Documents/1password-backup/1password-export-*.age" \ - "indri:/tmp/op-restore/Users/erichblume/Documents/1password-backup/1password-export-*.key.enc" \ - /tmp/op-restore/ -``` - -### 3. Decrypt the Age Private Key +### 2. Decrypt the Age Private Key The private key is encrypted with `openssl aes-256-cbc`. The passphrase is `{master_password}:{secret_key}` from your Emergency Kit. ```bash -cd /tmp/op-restore +cd /tmp/op-restore/Users/erichblume/Documents/1password-backup openssl enc -d -aes-256-cbc -pbkdf2 \ -in 1password-export-*.key.enc \ -out key.txt @@ -71,13 +60,13 @@ openssl enc -d -aes-256-cbc -pbkdf2 \ Enter the passphrase when prompted: `{master_password}:{secret_key}` (colon-separated, no spaces around the colon). -### 4. Decrypt the Export +### 3. Decrypt the Export ```bash age -d -i key.txt < 1password-export-*.age > export.1pux ``` -### 5. Verify +### 4. Verify The `.1pux` file is a zip archive. Verify it looks correct: @@ -87,22 +76,21 @@ ls -lh export.1pux # Should be ~30-45 MB unzip -l export.1pux | head -20 # Should list files/ entries ``` -### 6. Import Into 1Password +### 5. Import Into 1Password Open 1Password and use **File > Import** to restore from the `.1pux` file. -### 7. Clean Up +### 6. Clean Up Remove all temporary files — the decrypted export and key contain secrets: ```bash rm -rf /tmp/op-restore -ssh indri 'rm -rf /tmp/op-restore' ``` -## If You Don't Have the Borg Passphrase +## Notes on the Borg Passphrase -The borg repo passphrase is stored in `/Users/erichblume/.borg/config.yaml` on [[indri]]. If indri is unavailable but [[sifaka]] is accessible, the borg repo at `/Volumes/backups/borg/` uses `repokey` encryption — the key is stored in the repo itself, so you only need the passphrase (not a separate keyfile). +The borg repo uses `repokey` encryption — the key is stored in the repo itself, so you only need the passphrase (not a separate keyfile). The passphrase should be recorded on your Emergency Kit. If not, it lives in `/Users/erichblume/.borg/config.yaml` on [[indri]] (which may not be available in a disaster scenario). ## Related