some things I've done with the cli

So the big one is that I imported my entire keepassx into 1P as a result of having this command-line tool now available. While I've not mastered the cli tool yet, I can finally use 1P everywhere with sync, instead of keypassx with manual sync.

The other one is to store our deploy ssh key in 1P and simply pipe the output of the key into ssh-agent: | ssh-add - . So now, instead of requiring that everybody has a copy of the private key on disk, we are now only storing it temporarily in memory while running the job, and when I logout of a build box or server, the key is one -- I'm sure it will make rolling ssh keys much easier in future.

Sadly 1P cli broke on me today so I can't give the full examples, maybe when I'm back from vacation it will be working again.

1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided


  • svondutchsvondutch

    Team Member

    @skunkwerks That is awesome! Thank you for sharing that with us.

    As for piping the output of your SSH key, I'm doing something similar on Windows where I open a SSH session with credentials stored in a 1Password item named hostname:

    S=$(op login fillion [email protected] A3-XXXXXX-XXXXXX-XXXXX-XXXXX-XXXXX-XXXXX) && T=hostname && D=$(op item $S $T) && U=$(echo $D | jq '.fields[] | select(.designation=="username").value') && P=$(echo $D | jq '.fields[] | select(.designation=="password").value') && putty -ssh $T -l $U -pw $P

    Looking forward to your examples. Have great vacation!

  • rickfillionrickfillion Junior Member

    Team Member

    thats super cool. Is there any chance that you could share the script you made to do the keypassx to 1Password conversion? Others might find that helpful.


  • beyerbeyer

    Team Member
    edited March 2018

    This is my first (rough but working) attempt at creating a script similar to what @svondutch is doing but using a private key attached to an item with multiple sections (which is the default when using the server category). Currently, it will check for a section named SSH and grab the hostname, username, and create a tempory file with the private key.

    if [ -z "$1" ]; then
      echo 'No 1Password item title provided.'
    S=$(op login account-shorthand)
    I=$(mktemp ~/.ssh/op.XXXXX) && trap "rm -rf $I" EXIT
    D=$(op item $S $1)
    if [[ $D == '[ERR]'* ]]; then
      echo $D
    H=$(echo $D | jq -r '.sections[] | select(.title=="SSH").fields[] | select(.t=="hostname").v')
    U=$(echo $D | jq -r '.sections[] | select(.title=="SSH").fields[] | select(.t=="username").v')
    K=$(echo $D | jq -r '.sections[] | select(.title=="Related Items").fields[] | select(.k=="reference").v')
    op document $S $K >> $I
    chmod 400 $I
    ssh [email protected]$H -i $I

    I tailored it to use ssh on macOS.

  • jpgoldbergjpgoldberg Agile Customer Care

    Team Member

    Hi @beyer,

    Please rely on exit status instead of the content of output.

    D=$(op item $S $1)
    if [[ $D == '[ERR]'* ]]; then
      echo $D

    In version 0.0.2 error messages are written to stderr instead of stdout. (I'm sorry about not getting that into the CHANGELOG)

    op exits with a non-zero exit status on such errors, so you can test that way.



  • jpgoldbergjpgoldberg Agile Customer Care

    Team Member

    Oh, and nice use of trap in that script. Now I need to fix up one of mine for more robust cleanup of my own call to mktemp.

  • jpgoldbergjpgoldberg Agile Customer Care

    Team Member

    I needed to recover some things from a tarsnap backup recently. Of course I keep my tarsnap keyfiles in 1Password. I've tried to make this more robust than my very immediate needs. And I've removed my personal account information from this sample.

    Also thanks to @beyer's script, I was reminded about trap.

    #!/usr/bin/env bash
    # Fetch a tarsnap keyfile from a 1Password Document, and then do tarsnap stuff
    # with that key file.
    ### Your account details
    OP_ACCOUNT=reynholm-industries          # Your 1password domain name here
    OP_USER='[email protected]'   # Your email address here
    sk_path=${HOME}/nobackup/opsk-A3-ABCDEF # file containing your secret key
    ### Your file and executable paths
    # Note that as we are passing secrets to various programs, either $PATH
    # needs to be highly restricted, or we should specify the exact paths for
    # these things
    op_cmd=$GOPATH/bin/op               # probably not where you keep it
    ts_cmd="/opt/local/bin/tarsnap"     # where is your tarsnap binary
    # Bash associative arrays require bash 4. macOS /usr/bin/bash is 3
    if ((BASH_VERSINFO[0] < 4))
        echo "You need bash version 4 or greater to run this script" 1>&2
        exit 1
    declare -A op_uuids 
    ### Lookup for tarsnap keyfile in 1Password.
    # If for example your keyfile for host "winky" has item UUID xjfhspk7l5ez3o2fvn6djjaqba
    # you would set up 
    #   op_uuids[winky]=xjfhspk7l5ez3o2fvn6djjaqba
    PROGNAME=$(basename $0)
    function usage
        cat << EO_USAGE
        $PROGNAME ts_nickname
        - ts_nickname: Nickname for set of tarsnap archives to fetch from
    function cleanup
        [ -z $TMPFILE ] || rm -rf $TMPFILE
        [ -z $S ] || $op_cmd logout $S
    trap cleanup EXIT 
    function error_exit
        echo "${PROGNAME}: $1" 1>&2
        exit 1
    [ ${#@} == 1 ] || { usage ; error_exit "Bad number of arguments" ; }
    ## Check that things at hard coded paths exist
    [ -x $ts_cmd ] || error_exit "No executable at $ts_cmd"
    [ -x $op_cmd ] || error_exit "No executable at $op_cmd"
    [ -r $sk_path ] || error_exit "Cannot read Secret Key file $sk_path"
    [ -z $ts_key_uuid ] && error_exit "No uuid for $1"
    TMPFILE=$(mktemp) # where we will put the tarsap keyfile
    # Although we are only making one request to the account, it is still
    # good form to first set up a session and then "reuse" that session token
    # stored in $S if only used once. This also allows us to logout of that
    # session when we are done
    read sk < $sk_path
    ## /bin/test on macOS doesn't know about =~ So leaving this out.
    # [ $sk =~ ^A[23]-[A-Z0-9]{6}-[-A-Z0-9]{29} ] || error_exit "Malformed Secret Key"
    S=$($op_cmd login $OP_ACCOUNT $OP_USER $sk) || error_exit "Failed to log in"
    $op_cmd document download $S $ts_key_uuid > $TMPFILE || error_exit "Couldn't fetch tarsnap key'"
    $op_cmd logout $S ; unset S
    ### do_tarsnap() takes one argument, the path to a keyfile.
    ## This is where you might customize what you want do with tarsnap.
    ## There is no need for it to be a separate function for this simple example,
    ## but you may wish to create a more complex function that might appear in a 
    ## different sourced file.
    function do_tarsnap {
        $ts_cmd --keyfile $1 --list-archives 
        ## There is a reason I wrote this sample script in the first place
        # DEST_DIR=$HOME/Documents/Kreacher-salvage
        # $ts_cmd -r --keyfile $1 -f 20170523-030135-daily-/usr/local/etc > $DEST_DIR/usr-local-etc.tar
        # $ts_cmd -r --keyfile $1 -f 20170523-030135-daily-/var/named > $DEST_DIR/var-named.tar
    do_tarsnap $TMPFILE
  • beyerbeyer

    Team Member

    Thanks for posting this @jpgoldberg! I will definitely make some changes to the scripts I'm using.

  • ashneo76ashneo76
    edited June 2017

    My Zsh completion file is:

    [~] cat ~/.oh-my-zsh/completions/_op
    #compdef op
    _op() {
      _arguments \
        "--help[Show help options]" \
        "--version[Print version information and exit]" \
        "1: :_op_cmds" \
        "*:: :->op_cmd_args"
      case $state in
          case $words[1] in
    _op_cmds() {
      local -a commands
        "account:Get account attributes."
        "create:Create a new vault or item."
        "delete:Deletes an entity from your 1Password account."
        "document:Download a document."
        "documents:Get a list of documents."
        "events:Get audit events."
        "item:Get item details."
        "items:Get a list of items."
        "login:Log in to the 1Password service by optaining a session."
        "logout:Log out of 1Password by removing or invalidating a session."
        "reactivate:Re-activates a suspended user."
        "suspend:Suspends a user."
        "template:Get item template."
        "totp:Get time-based one-time password (TOTP)."
        "user:Get user attributes."
        "users:Get a list of users."
        "vault:Get vault attributes."
        "vaults:Get a list of vaults."
      _describe 'command' commands
    _op "[email protected]"
    # vim: ft=zsh sw=2 ts=2 et
  • rickfillionrickfillion Junior Member

    Team Member

    oh that's cool, @ashneo76!

  • Thank you. I will keep updating it as I learn more about the different commands and subcommands.

  • rickfillionrickfillion Junior Member

    Team Member


This discussion has been closed.