Migrate from passwordstore to bitwarden
Summary
This is the story of me migrating from passwordstore to Bitwarden, the rationale, steps taken, and gotchas encountered on the way.
The history of a migration
I have been a loyal user of passwordstore since around 2013 after using Firefox’s password manager since 2011.
I appreciate I came late to password managers but that’s another story.
If I remember correctly, the motivation to switch to passwordstore was to be able to store not only passwords for web sites, and also be able to use the tool from the command-line, outside of the browser.
I started to use a portable phone in 2017 when moving to Berlin.
I appreciate I came late to smart phones but that’s another story.
The main motivation to use a smart phone was maps and public transport navigation. Then I started using it more. To the point where I felt the need for synchronizing some passwords across devices or with other people.
My choice settled on bitwarden as it’s opensource and can be self-hosted. Which BTW reminds me of time till open source alternative.
Actually my usage of portable phones evolved to needing more access to my passwords. This is where I looked into migrating from pass to bitwarden completely.
There were 2 conditions:
- a command line client for Bitwarden
- a migration tool
Solution
rbw
rbw is an unofficial bitwarden client which provides an ssh-agent- or gpg-agent-like process. This way I can continue to use a bunch of other tools which rely on some command to fetch their secrets.
Unfortunately rbw doesn’t seem to get much love these days. And, while this is a risk, my hope is that the opensource community would eventually take over if needed.
passwordstore-dump
The plan was to dump password store to a CSV file that can be imported by bitwarden.
Despite some good candidates, I couldn’t find a migration tool that suited my messy pass structure.
I’d have 2 griefs against passwordstore:
- pass doesn’t impose any structure. With time and evolving use cases (http, apps, devices, accounts, hosts, etc.) this inevitably results in a messy structure, with usernames in the path or in the file, with different path conventions, with random field names, etc. I for one wasn’t disciplined enough to keep things structured.
- The GPG problem: the fact that GPG is probably not a great solution for text encryption anymore.
The structure drift made it impossible to use existing scripts so I resorted to writing my quick and dirty version, with specific heuristics. And even then I needed to clean up my pass store before actually migrating.
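To illustrate the kind of heuristics such a dump needs, here is an added example (not the author's script) that maps already-decrypted pass entries to the column layout of Bitwarden's generic CSV import. The field-name aliases, the "pass" root folder name, the function names and the sample entries are all assumptions constructed for the example.

```python
import csv
import io

# Column order of Bitwarden's generic CSV import format.
BW_COLUMNS = ["folder", "favorite", "type", "name", "notes", "fields", "reprompt",
              "login_uri", "login_username", "login_password", "login_totp"]
# Assumed aliases for the inconsistent field names of a drifted store.
USER_KEYS = {"user", "username", "login", "email"}
URL_KEYS = {"url", "uri", "website"}

def entry_to_row(path, body, root="pass"):
    """Map one decrypted pass entry (store path, file text) to a CSV row."""
    lines = body.splitlines()
    password = lines[0] if lines else ""  # pass convention: first line is the secret
    user = uri = totp = ""
    custom, notes = [], []
    for line in lines[1:]:
        key, sep, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if line.startswith("otpauth://"):
            totp = line.strip()
        elif not sep or not value:
            notes.append(line)                # free text, no "key: value" shape
        elif key in USER_KEYS and not user:
            user = value
        elif key in URL_KEYS and not uri:
            uri = value
        else:
            custom.append(f"{key}: {value}")  # unknown key: keep as custom field
    parts = path.strip("/").split("/")
    name = parts[-1]
    # Heuristic: "www/example.org/alice@example.org" keeps the username in the path.
    if not user and len(parts) > 1 and "@" in parts[-1]:
        user, name = parts[-1], parts[-2]
    folder = f"{root}/{parts[0]}" if len(parts) > 1 else root
    return dict(zip(BW_COLUMNS, [folder, "", "login", name, "\n".join(notes),
                                 "\n".join(custom), "", uri, user, password, totp]))

def to_bitwarden_csv(entries):
    """Render (path, body) pairs as CSV text; the result holds plaintext secrets."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=BW_COLUMNS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(entry_to_row(path, body) for path, body in entries)
    return out.getvalue()

# Constructed sample entries, standing in for decrypted `pass show` output.
SAMPLE = [
    ("www/example.org/alice@example.org", "constructed-pw-1\n"),
    ("app/chat", "constructed-pw-2\nLogin: bob\nURL: https://chat.example.net\n"
                 "pin: 0000\nrecovery codes on paper\n"),
]
if __name__ == "__main__":
    print(to_bitwarden_csv(SAMPLE))
```

With a real store the resulting file contains every secret in plaintext, so it should be written with owner-only permissions and deleted once the import has been verified.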
Learnings
Ouch
I wanted to import my pass data to a distinct folder for easier review later or to refine the migration process by easily identifying and deleting imported passwords and re-importing them.
First I struggled with the password import, as when you delete a folder, it doesn’t cascade delete its children 😠, just renames them:
pass/
├── www/ ⇒ pass/www/
├── app/ pass/app/
├── dev/ pass/app/
Second, deleting a folder doesn’t delete contained entries 😠😠
And that’s bad because afterwards you can’t sort entries by creation date 😠😠😠 So I found myself with hundreds of duplicate entries and was left without any means to identify and delete them!
I ended up manipulating entries in my self-hosted instance’s database, which fortunately isn’t used by many people.
Conclusion
I’m now almost solely relying on bitwarden for all my secrets, except:
- bank stuff, but only because the pass format I adopted was too specific, so I decided I would migrate it manually
- SMTP secrets (sending emails), as my mu4e emacs-based mail setup relies on auth-source which doesn’t include any rbw integration yet
I’m also moving away from 2FA authenticators, as bitwarden supports them, and I found authenticator apps hard to use.