Importing from 1Password

Overview

If your team currently stores development credentials in 1Password, Vault’s import tool can migrate them in bulk. The importer reads a 1Password export file, maps fields to Vault’s credential types, and creates credentials in your Vault tenant. The process preserves metadata and applies type-specific validation.

Export from 1Password

1Password supports CSV and 1PIF export formats. Vault’s importer works with both, but CSV is simpler for most use cases.

In 1Password:

  1. Open the vault you want to export (not to be confused with GhostStack Vault).
  2. Go to File > Export and choose CSV format.
  3. Authenticate with your master password.
  4. Save the export file.

The CSV file contains columns for title, username, password, URL, notes, and custom fields.

Run the import

npx @ghoststack/vault-cli import 1password \
  --file ./1password-export.csv \
  --tenant my-org \
  --token $VAULT_TOKEN \
  --dry-run

Start with --dry-run to preview what will be created. The importer shows each credential it would create, including the detected type, name, and metadata. Review the output before running the import without --dry-run.

# Preview output:
# [dry-run] Would create: stripe-api-key (api-key)
# [dry-run] Would create: prod-database (database-url)
# [dry-run] Would create: github-deploy-key (ssh-key)
# [dry-run] Would create: aws-secret (api-key)
# [dry-run] Would create: slack-webhook-url (generic-secret)
# 5 credentials would be imported.

# Run for real:
npx @ghoststack/vault-cli import 1password \
  --file ./1password-export.csv \
  --tenant my-org \
  --token $VAULT_TOKEN

Type detection

The importer automatically detects credential types based on the content:

| Content pattern | Detected type |
| --- | --- |
| Value starts with a database scheme | database-url |
| Value starts with -----BEGIN PEM block | ssh-key or tls-certificate |
| Entry has username + password + URL | api-key |
| Notes contain OAuth/token references | oauth-token |
| Everything else | generic-secret |

You can override the detected type with the --type-map flag:

npx @ghoststack/vault-cli import 1password \
  --file ./1password-export.csv \
  --tenant my-org \
  --token $VAULT_TOKEN \
  --type-map "Stripe API=api-key" \
  --type-map "Prod DB=database-url"

Name mapping

By default, the importer converts the 1Password item title to a Vault credential name by lowercasing, replacing spaces with hyphens, and removing special characters. “Stripe API Key (Production)” becomes stripe-api-key-production.

To customize names, use --name-map:

npx @ghoststack/vault-cli import 1password \
  --file ./1password-export.csv \
  --tenant my-org \
  --token $VAULT_TOKEN \
  --name-map "Stripe API Key (Production)=stripe-live-key"

Metadata preservation

The importer carries over metadata from 1Password:

  • Custom fields become metadata key-value pairs.
  • The 1Password vault name is stored as metadata.source.
  • The original item title is stored as metadata.originalName.
  • Tags, if present in the export, are stored as metadata.tags.

Handling duplicates

If a credential with the same name already exists in Vault, the importer skips it by default. Use --on-conflict to change this behavior:

  • --on-conflict=skip (default) — Skip the import for that credential.
  • --on-conflict=overwrite — Update the existing credential with the imported value.
  • --on-conflict=rename — Append a numeric suffix to the imported credential name.
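
A pre-flight check for the name rule and conflict handling described above, as an added example that is not part of the GhostStack CLI: it approximates the default title-to-name conversion and reports export items whose names would collide before any --on-conflict policy has to decide. The `title` column header, the character set kept after normalization, and the sample rows are assumptions.

```python
import csv
import io
import re
from collections import defaultdict

def vault_name(title):
    """Approximate the default rule the guide describes: lowercase,
    spaces -> hyphens, drop special characters (assumed: keep a-z, 0-9, '-')."""
    name = title.lower().replace(" ", "-")
    return re.sub(r"[^a-z0-9-]", "", name)

def find_collisions(csv_text, name_map=None):
    """Return {vault_name: [titles]} for names claimed by more than one item.

    Only the title column is read, so no secret value is touched or printed.
    name_map mirrors --name-map overrides (title -> explicit name).
    """
    name_map = name_map or {}
    reader = csv.DictReader(io.StringIO(csv_text))
    # Header casing in the export is an assumption; match 'title' loosely.
    title_col = next(c for c in reader.fieldnames if c.strip().lower() == "title")
    by_name = defaultdict(list)
    for row in reader:
        title = row[title_col]
        by_name[name_map.get(title, vault_name(title))].append(title)
    return {n: t for n, t in by_name.items() if len(t) > 1}

# Constructed sample export with fake values, not real 1Password output.
SAMPLE = '''title,username,password,url,notes
Stripe API Key (Production),,fake-value-1,https://stripe.example,"live, do not share"
stripe api key production,,fake-value-2,https://stripe.example,
Prod DB,app,fake-value-3,postgres://db.example/app,
'''

if __name__ == "__main__":
    for name, titles in find_collisions(SAMPLE).items():
        print(f"{name}: {len(titles)} items -> {titles}")
```

Any title reported here needs a --name-map entry or a deliberate --on-conflict choice before the real import.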

Post-import steps

After importing, you should:

  1. Review the imported credentials in the Vault dashboard.
  2. Set appropriate lease policies for each credential.
  3. Configure ACLs to control who can access the imported credentials.
  4. Delete the 1Password export file. It contains plaintext secrets.
  5. Verify each credential works by creating a test lease.

Security note

The export file from 1Password contains plaintext credentials. Handle it carefully:

  • Do not commit it to version control.
  • Delete it immediately after the import is complete.
  • Run the import on a trusted machine.
  • Use --dry-run first to confirm the mapping before writing to Vault.