|
| 1 | +# 1Password Encrypted Vault Backup App |
| 2 | + |
| 3 | +This web app enables secure backup and restoration of 1Password vaults, encrypting the backup with a user-provided passcode and storing sensitive keys in a dedicated 1Password vault. It uses the 1Password JS SDK and CLI for vault operations, with encryption handled via Argon2 and AES-256-CBC. |
| 4 | + |
| 5 | +## Overview |
| 6 | + |
| 7 | +This app allows you to: |
| 8 | +- Connect to a 1Password account using a service account token. |
| 9 | +- List and select vaults for backup. |
| 10 | +- Encrypt and save vault data to a downloadable file. |
| 11 | +- Store encryption keys in a secure 1Password vault. |
| 12 | +- Restore vaults from an encrypted backup file to a destination account. |
| 13 | + |
| 14 | +## Requirements |
| 15 | + |
| 16 | +- [Docker](https://docs.docker.com/get-started/get-docker/) |
| 17 | +- [1Password Service Account](https://developer.1password.com/docs/service-accounts/get-started) with: |
| 18 | + - Read access for listing vaults and items (backup). |
| 19 | + - Vault creation and item creation permissions (restore). |
| 20 | + |
| 21 | +## Installation |
| 22 | + |
| 23 | +1. [Install Docker](https://docs.docker.com/get-started/get-docker/). |
| 24 | +2. Clone or download this project. |
| 25 | +3. Navigate to the project folder and run: |
| 26 | + |
| 27 | +``` |
| 28 | +docker compose up -d |
| 29 | +``` |
| 30 | + |
| 31 | +## Usage |
| 32 | + |
| 33 | +### Backup |
| 34 | +1. Open `https://localhost:3002` in your browser. |
| 35 | +2. Click **Backup** in the sidebar. |
| 36 | +3. Enter your 1Password service account token and click **Connect**. |
| 37 | +4. Select vaults to back up and provide a passcode (minimum 8 characters). |
| 38 | +5. Click **Backup Selected Vaults** or **Backup All Vaults**. |
| 39 | +6. Save the generated encryption keys to a new 1Password vault or download them. |
| 40 | +7. Download the encrypted `backup.1pbackup` file. |
| 41 | + |
| 42 | +### Restore |
| 43 | +1. Open `https://localhost:3002` and click **Restore**. |
| 44 | +2. Upload the `backup.1pbackup` file and enter the service account token, passcode, and system key. |
| 45 | +3. Select vaults to restore from the backup. |
| 46 | +4. Click **Restore Selected Vaults**. |
| 47 | +5. Verify the restored vaults in the destination account. |
| 48 | + |
| 49 | +## Special Handling with CLI |
| 50 | + |
| 51 | +- **Vault Creation**: Uses 1Password CLI (`op vault create`) to create new vaults for restored data and key storage, as vault creation is not supported by the SDK. |
| 52 | + |
| 53 | +## Security Features |
| 54 | + |
| 55 | +- Runs on HTTPS with a self-signed certificate (local testing). |
| 56 | +- Uses Argon2 for key derivation and AES-256-CBC for backup encryption. |
| 57 | +- Verifies backup integrity with HMAC-SHA256. |
| 58 | +- Saves encryption keys (passcode and system key) in a secure 1Password vault. |
| 59 | +- Uses `p-limit` to prevent overwhelming the 1Password API. |
| 60 | +- Implements retry logic for API rate limits or conflicts. |
| 61 | + |
| 62 | +## Troubleshooting |
| 63 | + |
| 64 | +- Ensure Docker is running and the container is active (`docker logs <container-name>`). |
| 65 | +- Verify service account token permissions (read for backup, create for restore/keys). |
| 66 | +- Check `https://localhost:3002` is accessible; accept the self-signed certificate if prompted. |
| 67 | +- Confirm passcode and system key match the backup file during restoration. |
| 68 | +- Ensure the backup file is not corrupted or tampered with (HMAC verification failure). |
| 69 | + |
| 70 | +## Limitations |
| 71 | + |
| 72 | +- Passkeys cannot be backed up or restored (use 1Password desktop/mobile apps). |
| 73 | +- SDK does not support archived items for backup/restore. |
| 74 | +- Restored vault names are appended with "(Restored)". |
| 75 | +- Fixed concurrency limits (2 vaults, 1 item at a time) may need tuning for large backups. |
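Review bot: The "Security Features" section (README lines 56-57) names Argon2, AES-256-CBC and HMAC-SHA256 but does not say how they are composed, which a reader needs before trusting a CBC-based backup format. Please state the Argon2 variant and parameters, which key the HMAC uses, whether the tag covers the IV as well as the ciphertext, and whether it is verified before any decryption is attempted. The "system key" required in Restore step 2 and stored per line 58 is never defined, while the introduction says the backup is encrypted "with a user-provided passcode"; explain where the system key comes from and how it combines with the passcode. Backup step 6 and line 58 should also say whether the keys vault may live in the same account that is being backed up, since losing access to that account would then lose the keys along with the data.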