Initial release

Author: jstrot

LICENSE

@@ -0,0 +1,109 @@
+# qip-pass-export
+
+Script to export passwords from pass / password-store / the standard unix password manager.
+The exported passwords can be imported into Passbolt.
+
+Is is very likely they can also be imported into other password managers like Bitwarden, Vaultwarden and more, but I have not tested this myself.
+
+## Background
+
+I love [pass](https://www.passwordstore.org/) but it doesn't get much approval from the low-tech members of my family because of the complex software setup, hokey browser integration and needing to manually maintain GPG keys.
+
+I decided to move all our passwords to a self-hosted [Passbolt Pro](https://www.passbolt.com/pricing/pro) instance.
+
+To help with the migration, I made this simple `pass2csv` script in Python to export all my "pass" passwords to a CSV file that can be imported directly into Passbolt.
+
+In particular the output format is supposedly Bitwarden's own format. See "Csv (BitWarden)" from [How to import passwords in passbolt](https://help.passbolt.com/faq/start/import-passwords)
+
+> [!NOTE]
+> This script can only decrypt password files for which you are the intended recipient, e.g., you posess the corresponding GPG private keys.
+> This is NOT a brute-force decrypter, you must *own* the data.
+
+## Installation
+
+Minimum requirements:
+
+- Python 3.x (tested with 3.11)
+
+Clone the repository:
+
+```sh
+git clone https://github.com/qualIP/qip-pass-export.git
+cd qip-pass-export
+```
+
+Required Python modules are in [requirements.txt](requirements.txt) -- Really just `python-gnupg`.
+
+You can install `python-gnupg` in your Linux distribution's standard packages or with `pip`.
+
+On Debian and derivative distributions based on `apt`, this should work:
+
+```sh
+sudo apt install python3-gnupg
+```
+
+Otherwise, it is recommended to create a simple Python virtual environment, preferably under the qip-pass-export directory itself:
+
+```sh
+python3 -m venv venv
+source venv/bin/activate
+pip install -r requirements.txt
+```
+
+You may need to install your distributions Python venv module, e.g, the `python3-venv` package.
+
+## Usage
+
+### Exporting pass passwords
+
+Usage is simple, just provide paths to pass `.gpg` files and it will output a CSV file on its standard output which you can pipe to a file of your choice.
+Typically, pass stores your password files under the `~/.password-store` directory.
+
+Example: Export top-level passwords
+
+```sh
+./pass2csv ~/.password-store/*.gpg > pass.csv
+```
+
+Example: Export passwords from a sub-directory
+
+```sh
+./pass2csv ~/.password-store/sub-directory/*.gpg > pass.csv
+```
+
+Example: Export all passwords at once
+
+```sh
+find ~/.password-store -name '*.gpg' -print0 | xargs -r0 ./pass2csv > pass.csv
+```
+
+Please be patient, it takes a while to decrypt each individual file.
+
+> [!CAUTION]
+> The exported CSV file contains **plain text**, **unencrypted passwords**.
+> Once you no longer needed the CSV file, delete it and empty your trash before someone else gets a hold of it.
+> Better yet, use a tool like [wipe](https://github.com/berke/wipe) to perform a secure erase.
+
+### Import passwords into Passbolt
+
+Next, go to your Passbolt Web interface, and click on the Import button:
+
+![Screenshow of Passbolt's Import button](doc/Passbolt-import-button.png)
+
+In the Import dialog, select your CSV file.
+If you wish to preserve the original directory structure, make sure to check the "Import folders" checkbox.
+
+![Screenshow of Passbolt's Import dialog](doc/Passbolt-import-dialog.png)
+
+Hit "Import", you're done.
+
+> [!CAUTION]
+> Remember to securely erase the CSV file!
+
+## Future work
+
+Now that I'm done migrating my passwords to Passbolt, I don't foresee making any change of consequence to this software.
+
+With proper incentives :moneybag::coffee:, I may be inclined to export various other formats -- Let me know.
+
+If you're having issues using this software, please let me know by [opening an issue](https://github.com/qualIP/qip-pass-export/issues) in GitHub.

README.md

@@ -0,0 +1,111 @@
+#!/usr/bin/env python
+'''
+pass2csv: Exports passwords from pass to CSV format
+
+This software is distributed by qualIP Software under the GNU GENERAL PUBLIC
+LICENSE v3 in the hope that others may find it useful too.
+
+The original source and a copy of the GPLv3 license can be found here:
+https://github.com/qualIP/qip-pass-export
+'''
+
+# flake8: noqa: E501
+
+from pathlib import Path
+import argparse
+import csv
+import io
+import os
+import re
+import sys
+import types
+
+
+def main():
+    parser = argparse.ArgumentParser(
+        prog='pass2csv',
+        description='Exports passwords from pass to CSV format',
+
+    )
+    parser.add_argument('-V', '--version', action='version', version='%(prog)s 1.0')
+    parser.add_argument('passfiles', metavar="passfile", nargs='+', type=Path, help='Password file(s) (*.gpg) to export')
+    args = parser.parse_args()
+
+    try:
+        import gnupg
+    except ImportError as err:
+        print(err, file=sys.stderr)
+        print('The python-gnupg module is required to run this software.', file=sys.stderr)
+        sys.exit(1)
+    gpg = gnupg.GPG()
+    gpg.encoding = 'utf-8'
+
+    # https://help.passbolt.com/faq/start/import-passwords
+    # Using Csv (BitWarden) format
+    csv_fields = (
+        'description',     # YES
+        'folder',          # YES
+        'favorite',        # no
+        'type',            # no
+        'name',            # YES
+        'notes',           # YES
+        'fields',          # no
+        'reprompt',        # no
+        'login_uri',       # YES
+        'login_username',  # YES
+        'login_password',  # YES
+        'login_totp',      # no
+    )
+    csvwriter = csv.DictWriter(sys.stdout, fieldnames=csv_fields)
+    csvwriter.writeheader()
+
+    for passfile in args.passfiles:
+        relfile = passfile
+        try:
+            relfile = relfile.absolute().relative_to(Path.home() / '.password-store')
+        except ValueError:
+            try:
+                relfile = relfile.absolute().relative_to(Path.home())
+            except ValueError:
+                pass
+        if passfile.suffix == '.gpg':
+            with open(passfile, 'rb') as fp:
+                indata = gpg.decrypt_file(fp)
+            assert indata.ok
+            indata = str(indata)
+            indata = io.StringIO(indata)
+            csvrow = types.SimpleNamespace(**{k: '' for k in csv_fields})
+            csvrow.notes = []
+            for iline, line in enumerate(indata, start=1):
+                line = line.rstrip('\r\n')
+                if iline == 1:
+                    csvrow.login_password = line
+                    continue
+                m = not csvrow.login_uri \
+                    and re.match(r'(?i)^(?:URL|URI)(?: *1)? *: *(?P<content>.*)$', line)
+                if m:
+                    content = m.group('content').strip()
+                    if content:
+                        if not re.match(r'(?i)^[a-z]+://', content):
+                            content = 'https://' + content
+                        csvrow.login_uri = content
+                    continue
+                m = not csvrow.login_username \
+                    and re.match(r'(?i)^(?:Login|Username) *: *(?P<content>.*)$', line)
+                if m:
+                    content = m.group('content').strip()
+                    if content:
+                        csvrow.login_username = content
+                    continue
+                csvrow.notes.append(line)
+            csvrow.name = relfile.stem
+            csvrow.folder = os.fspath(relfile.parent)
+            csvrow.notes = '\n'.join(csvrow.notes)
+            csvwriter.writerow(csvrow.__dict__)
+            csvrow = None
+        else:
+            raise NotImplementedError(os.fspath(passfile))
+
+
+if __name__ == '__main__':
+    main()

doc/Passbolt-import-button.png

@@ -0,0 +1 @@
+python-gnupg