Add how-to guide for restoring 1Password backup from borgmatic

Verified end-to-end: extracted .age + .key.enc from borg archive, decrypted age key with openssl, decrypted .1pux with age, confirmed valid 31MB zip containing vault data. Added cross-links from disaster-recovery, 1password, borgmatic, backups, and how-to index. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-10 10:44:23 -08:00 · 2026-02-10 10:44:23 -08:00 · d3be0b0e92
commit d3be0b0e92
parent b5746e62c2
7 changed files with 131 additions and 6 deletions
--- a/docs/changelog.d/doc-restore-1password-backup.doc.md
+++ b/docs/changelog.d/doc-restore-1password-backup.doc.md
@ -0,0 +1 @@
+Add how-to guide for restoring 1Password backup from borgmatic, with cross-links from disaster recovery, borgmatic, 1password, and backup policy docs
--- a/docs/how-to/how-to.md
+++ b/docs/how-to/how-to.md
@ -42,6 +42,7 @@ Task-oriented instructions for common BlumeOps operations. These guides assume y
 |-------|-------------|
 | [[restart-indri]] | Safely shut down and restart indri |
 | [[manage-flyio-proxy]] | Deploy, shutoff, and troubleshoot the public proxy |
+| [[restore-1password-backup]] | Recover 1Password credentials from borgmatic backup |
 | [[troubleshooting]] | Diagnose and fix common issues |

 ## Plans
--- a/docs/how-to/restore-1password-backup.md
+++ b/docs/how-to/restore-1password-backup.md
@ -0,0 +1,112 @@
+---
+title: Restore 1Password Backup
+tags:
+  - how-to
+  - operations
+  - backup
+---
+
+# Restore 1Password Backup
+
+How to recover a 1Password `.1pux` export from a [[borgmatic]] backup on [[sifaka]].
+
+## Prerequisites
+
+- SSH access to [[indri]]
+- `age` installed (`brew install age`)
+- `openssl` installed (ships with macOS)
+- Your **1Password Emergency Kit** (safety deposit box) — contains the master password and secret key
+
+## When to Use This
+
+Use this procedure when you've lost access to 1Password and need to recover credentials from the encrypted backup created by `mise run op-backup`.
+
+## Procedure
+
+### 1. Extract From Borgmatic
+
+List recent archives to find one containing the backup:
+
+```bash
+ssh indri 'borgmatic list --last 5'
+```
+
+Extract the 1Password backup files from the chosen archive:
+
+```bash
+ssh indri 'cd /tmp && mkdir -p op-restore && cd op-restore && \
+  BORG_PASSCOMMAND="cat /Users/erichblume/.borg/config.yaml" \
+  /opt/homebrew/bin/borg extract \
+  "/Volumes/backups/borg/::<archive-name>" \
+  Users/erichblume/Documents/1password-backup/'
+```
+
+Verify the files were extracted:
+
+```bash
+ssh indri 'ls -lh /tmp/op-restore/Users/erichblume/Documents/1password-backup/'
+```
+
+You should see a `.age` file (~30-45 MB) and a `.key.enc` file (~200 bytes).
+
+### 2. Copy Files to Your Workstation
+
+```bash
+mkdir -p /tmp/op-restore
+scp "indri:/tmp/op-restore/Users/erichblume/Documents/1password-backup/1password-export-*.age" \
+    "indri:/tmp/op-restore/Users/erichblume/Documents/1password-backup/1password-export-*.key.enc" \
+    /tmp/op-restore/
+```
+
+### 3. Decrypt the Age Private Key
+
+The private key is encrypted with `openssl aes-256-cbc`. The passphrase is `{master_password}:{secret_key}` from your Emergency Kit.
+
+```bash
+cd /tmp/op-restore
+openssl enc -d -aes-256-cbc -pbkdf2 \
+  -in 1password-export-*.key.enc \
+  -out key.txt
+```
+
+Enter the passphrase when prompted: `{master_password}:{secret_key}` (colon-separated, no spaces around the colon).
+
+### 4. Decrypt the Export
+
+```bash
+age -d -i key.txt < 1password-export-*.age > export.1pux
+```
+
+### 5. Verify
+
+The `.1pux` file is a zip archive. Verify it looks correct:
+
+```bash
+file export.1pux        # Should say "Zip archive data"
+ls -lh export.1pux      # Should be ~30-45 MB
+unzip -l export.1pux | head -20  # Should list files/ entries
+```
+
+### 6. Import Into 1Password
+
+Open 1Password and use **File > Import** to restore from the `.1pux` file.
+
+### 7. Clean Up
+
+Remove all temporary files — the decrypted export and key contain secrets:
+
+```bash
+rm -rf /tmp/op-restore
+ssh indri 'rm -rf /tmp/op-restore'
+```
+
+## If You Don't Have the Borg Passphrase
+
+The borg repo passphrase is stored in `/Users/erichblume/.borg/config.yaml` on [[indri]]. If indri is unavailable but [[sifaka]] is accessible, the borg repo at `/Volumes/backups/borg/` uses `repokey` encryption — the key is stored in the repo itself, so you only need the passphrase (not a separate keyfile).
+
+## Related
+
+- [[borgmatic]] - Backup system
+- [[1password]] - Credential management
+- [[backups]] - Backup policy and schedule
+- [[disaster-recovery]] - Overall disaster recovery
--- a/docs/reference/operations/disaster-recovery.md
+++ b/docs/reference/operations/disaster-recovery.md
@ -6,14 +6,17 @@ tags:

 # Disaster Recovery

-TBD. Current state:
+Recovery procedures for BlumeOps infrastructure.

- [[borgmatic]] provides daily backups to [[sifaka|Sifaka]]
- Infrastructure can be rebootstrapped using the blumeops repo
- Detailed DR procedures not yet documented
+## Procedures
+
+| Scenario | Guide |
+|----------|-------|
+| Lost 1Password access | [[restore-1password-backup]] |
+| Indri reboot/power loss | [[restart-indri]] |

 ## Components

 - [[borgmatic]] - Backup restoration
- [[1password]] - Credential recovery
+- [[1password]] - Credential recovery (backed up via `mise run op-backup`)
 - [[forgejo]] - Source of truth for infrastructure code
--- a/docs/reference/services/1password.md
+++ b/docs/reference/services/1password.md
@ -34,7 +34,13 @@ The `blumeops` vault contains all infrastructure credentials.

 Services reference 1Password items via `ExternalSecret` manifests.

+## Disaster Recovery Backup
+
+The `mise run op-backup` task encrypts a `.1pux` vault export and transfers it to [[indri]] for inclusion in [[borgmatic]] backups. See [[restore-1password-backup]] for the full recovery procedure.
+
 ## Related

 - [[argocd]] - Uses secrets for git access
 - [[postgresql]] - Database credentials
+- [[restore-1password-backup]] - Recovery from backup
+- [[borgmatic]] - Backup system
--- a/docs/reference/services/borgmatic.md
+++ b/docs/reference/services/borgmatic.md
@ -57,3 +57,4 @@ Dashboard: "Borgmatic Backups" in [[grafana]]
 - [[backups|Backups]] - Full backup policy
 - [[sifaka|Sifaka]] - Backup target
 - [[postgresql]] - Database backups
+- [[restore-1password-backup]] - Recover 1Password from backup
--- a/docs/reference/storage/backups.md
+++ b/docs/reference/storage/backups.md
@ -24,7 +24,7 @@ Daily automated backups from [[indri]] to [[sifaka|Sifaka]] NAS.
 | `~/code/personal/zk` | Zettelkasten notes | Critical |
 | `/opt/homebrew/var/forgejo` | Git repositories | Critical |
 | `~/.config/borgmatic` | Backup config | High |
-| `~/Documents` | Personal documents | High |
+| `~/Documents` | Personal documents (includes [[1password]] encrypted export) | High |

 ### Databases

@ -72,3 +72,4 @@ Dashboard: "Borgmatic Backups" in [[grafana]]
 - [[borgmatic]] - Backup system details
 - [[sifaka|Sifaka]] - Backup storage
 - [[postgresql]] - Database backups
+- [[restore-1password-backup]] - Recover 1Password from backup
				`@ -0,0 +1 @@`
				`Add how-to guide for restoring 1Password backup from borgmatic, with cross-links from disaster recovery, borgmatic, 1password, and backup policy docs`