Add how-to guide for restoring 1Password backup from borgmatic #141

Merged
eblume merged 4 commits from doc/restore-1password-backup into main 2026-02-10 10:55:01 -08:00
Showing only changes of commit 5d2d95fe42

Rewrite restore guide to not assume indri/sifaka are available

The disaster scenario is house fire + 1Password cloud down — indri
and sifaka may both be gone. Reframed to require only a borg repo
copy and the Emergency Kit, with indri access as an optional shortcut.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Erich Blume 2026-02-10 10:48:55 -08:00

@ -8,14 +8,14 @@ tags:
# Restore 1Password Backup
How to recover a 1Password `.1pux` export from a [[borgmatic]] backup on [[sifaka]].
How to recover a 1Password `.1pux` export from a [[borgmatic]] backup. This procedure assumes the worst case — [[indri]] and [[sifaka]] may both be gone. All you need is a copy of the borg repository and your Emergency Kit.
## Prerequisites
- SSH access to [[indri]]
- `age` installed (`brew install age`)
- `openssl` installed (ships with macOS)
- A copy of the borg backup repository (from [[sifaka]], or an off-site copy — TBD)
- `borg`, `age`, and `openssl` installed on any machine
- Your **1Password Emergency Kit** (fire safety box) — contains the master password and secret key
- The borg repo passphrase (printed on the Emergency Kit, or from `/Users/erichblume/.borg/config.yaml` if [[indri]] is accessible)
## When to Use This
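Review bot: The new prerequisite for the borg repository lists "an off-site copy" as TBD, while the rewritten intro promises the procedure works when both [[indri]] and [[sifaka]] are gone. Until that off-site location exists, the stated worst case has no documented source for the repository. Suggest naming where the copy lives, or saying explicitly that the guide depends on that work being finished. It would also help to say how `borg`, `age`, and `openssl` get installed on "any machine", since the `brew install age` hint was removed.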
@ -23,15 +23,19 @@ Use this procedure when you've lost access to 1Password and need to recover cred
## Procedure
### 1. Extract From Borgmatic
### 1. Extract From Borg Repository
List recent archives to find one containing the backup:
If you have direct access to the borg repository (e.g. mounted from [[sifaka]] or restored from off-site), extract directly:
```bash
ssh indri 'borgmatic list --last 5'
mkdir -p /tmp/op-restore && cd /tmp/op-restore
BORG_PASSPHRASE="<your-borg-passphrase>" borg list /path/to/borg/repo --last 5
BORG_PASSPHRASE="<your-borg-passphrase>" borg extract \
"/path/to/borg/repo::<archive-name>" \
Users/erichblume/Documents/1password-backup/
```
Extract the 1Password backup files from the chosen archive:
If [[indri]] is available, you can use borgmatic instead:
```bash
ssh indri 'cd /tmp && mkdir -p op-restore && cd op-restore && \
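Review bot: In the new direct-access block, `BORG_PASSPHRASE="<your-borg-passphrase>" borg list ...` and the matching `borg extract` line put the repo passphrase on the command line, where it is saved to shell history. Suggest leaving the variable unset so borg prompts for it, or reading it once with `read -rs BORG_PASSPHRASE` and exporting it for the session. The `mkdir -p /tmp/op-restore` line also creates the working directory with default permissions in a shared location; running `umask 077` first would keep the extracted files and the later `key.txt` readable only by the user.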
@ -41,29 +45,14 @@ ssh indri 'cd /tmp && mkdir -p op-restore && cd op-restore && \
Users/erichblume/Documents/1password-backup/'
```
Verify the files were extracted:
Verify you have a `.age` file (~30-45 MB) and a `.key.enc` file (~200 bytes).
```bash
ssh indri 'ls -lh /tmp/op-restore/Users/erichblume/Documents/1password-backup/'
```
You should see a `.age` file (~30-45 MB) and a `.key.enc` file (~200 bytes).
### 2. Copy Files to Your Workstation
```bash
mkdir -p /tmp/op-restore
scp "indri:/tmp/op-restore/Users/erichblume/Documents/1password-backup/1password-export-*.age" \
"indri:/tmp/op-restore/Users/erichblume/Documents/1password-backup/1password-export-*.key.enc" \
/tmp/op-restore/
```
### 3. Decrypt the Age Private Key
### 2. Decrypt the Age Private Key
The private key is encrypted with `openssl aes-256-cbc`. The passphrase is `{master_password}:{secret_key}` from your Emergency Kit.
```bash
cd /tmp/op-restore
cd /tmp/op-restore/Users/erichblume/Documents/1password-backup
openssl enc -d -aes-256-cbc -pbkdf2 \
-in 1password-export-*.key.enc \
-out key.txt
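Review bot: With the "Copy Files to Your Workstation" step removed, the borgmatic shortcut still extracts on indri (`ssh indri 'cd /tmp && mkdir -p op-restore ...`), but the new step 2 runs `cd /tmp/op-restore/Users/erichblume/Documents/1password-backup` without saying which machine that is. Either keep a short scp note for the indri path or state that the remaining steps run on indri in that case. The replacement sentence "Verify you have a `.age` file ..." also drops the `ls -lh` command; a one-line `ls -lh` on the extracted directory would keep the check actionable.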
@ -71,13 +60,13 @@ openssl enc -d -aes-256-cbc -pbkdf2 \
Enter the passphrase when prompted: `{master_password}:{secret_key}` (colon-separated, no spaces around the colon).
### 4. Decrypt the Export
### 3. Decrypt the Export
```bash
age -d -i key.txt < 1password-export-*.age > export.1pux
```
### 5. Verify
### 4. Verify
The `.1pux` file is a zip archive. Verify it looks correct:
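Review bot: Only the step numbers change in this hunk, but the unchanged `age -d -i key.txt < 1password-export-*.age > export.1pux` depends on the glob matching exactly one file, and the new direct `borg extract` path pulls the whole `1password-backup/` directory. If an archive holds more than one export, the redirect no longer names a single file. Suggest telling the reader to pick one export by name and use that name in both the `openssl` and `age` commands.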
@ -87,22 +76,21 @@ ls -lh export.1pux # Should be ~30-45 MB
unzip -l export.1pux | head -20 # Should list files/ entries
```
### 6. Import Into 1Password
### 5. Import Into 1Password
Open 1Password and use **File > Import** to restore from the `.1pux` file.
### 7. Clean Up
### 6. Clean Up
Remove all temporary files — the decrypted export and key contain secrets:
```bash
rm -rf /tmp/op-restore
ssh indri 'rm -rf /tmp/op-restore'
```
## If You Don't Have the Borg Passphrase
## Notes on the Borg Passphrase
The borg repo passphrase is stored in `/Users/erichblume/.borg/config.yaml` on [[indri]]. If indri is unavailable but [[sifaka]] is accessible, the borg repo at `/Volumes/backups/borg/` uses `repokey` encryption — the key is stored in the repo itself, so you only need the passphrase (not a separate keyfile).
The borg repo uses `repokey` encryption — the key is stored in the repo itself, so you only need the passphrase (not a separate keyfile). The passphrase should be recorded on your Emergency Kit. If not, it lives in `/Users/erichblume/.borg/config.yaml` on [[indri]] (which may not be available in a disaster scenario).
## Related
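Review bot: The rewritten passphrase paragraph says the passphrase "should be recorded on your Emergency Kit", while the prerequisites state it is printed there, and the only fallback is `config.yaml` on [[indri]], which this guide assumes may be gone. Suggest resolving the wording one way: confirm it is on the kit and say so, or flag it as an open to-do, since without it the repository cannot be opened in the worst case. Separately, dropping `ssh indri 'rm -rf /tmp/op-restore'` from Clean Up leaves the extracted files on indri when the borgmatic shortcut was used; keeping it as a conditional line ("if you extracted on indri") would cover that path.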