1Poshword

PowerShell client for 1Password

• Cross-platform (Windows/OSX/Linux, PowerShell v4.0+)
• agilekeychain and opvault support
• Login, Password, Secure Note, and Generic Account decryption
• Metadata for all entries
• Tab completion (agilekeychain only)
• Output formats
  • PSCredential
  • SecureString
  • Plaintext
  • Clipboard
• Complete Get-Help documentation

Quickstart

Install from the PowerShell Gallery (Windows-only, PS v5+):

PS> Install-Module -Name 1Poshword

Direct download:

'1Poshword.psd1','1Poshword.psm1','lib.ps1','pbkdf2.cs' |% {
    Invoke-WebRequest https://raw.githubusercontent.com/latkin/1poshword/master/$_ -OutFile ./$_
}

Import-Module ./1Poshword.psd1

Get-1PEntry

Lists 1Password entries. Alias g1p.

PS> g1p

Name               Type       LastUpdated          Location
----               ----       -----------          --------
Twitter            Login      11/29/15 11:53:44 PM https://twitter.com/
Github             Login      11/29/15 11:58:12 PM https://github.com/login
Gmail - Personal   Login      11/30/15 12:11:50 AM https://accounts.google.com/ServiceLogin
Gmail - Work       Login      2/8/16 4:23:38 PM    https://accounts.google.com/ServiceLogin
SSH                Password   2/10/16 1:30:34 PM
Gmail Backup Codes SecureNote 6/8/16 8:41:44 AM
...

Details

PS> g1p twitter | fl *

Name          : Twitter
Id            : E61537A747044159BE8F2A412614C83F
VaultPath     : /Users/lincoln/Dropbox/1Password/1Password.agilekeychain
SecurityLevel : SL5
KeyId         : 
KeyData       : 
Location      : https://twitter.com/
Type          : Login
CreatedAt     : 10/27/15 8:53:36 PM
LastUpdated   : 11/29/15 11:53:44 PM
EncryptedData : U2FsdGVkX198K5razrhlihDvUrIC2FTp29PcqQpmO48MApG758vljLe+z...

Unprotect-1PEntry

Derypts a particular 1Password entry to a variety of formats. Alias 1p.

Add flag -PasswordOnly (alias -po) to output only an entry's password field.

(Yes, "unprotect" is weird, but that's the approved verb for decryption so we're going with it.)

Output	Note
PSCredential	Default for Login Generic Account	PS> 1p twitter 1Password vault password: *************** UserName Password LincolnAtkinson System.Security.SecureString
SecureString	Default for Secure Note Password	PS> 1p ssh 1Password vault password: *************** System.Security.SecureString
Plaintext		PS> 1p github -plain 1Password vault password: *************** latkin p@ssw0rd1
Clipboard		PS> 1p 'Gmail - Personal' -clip 1Password vault password: ***************

Tips

Password-only output	# output password as SecureString PS> 1p twitter -po output password as plaintext PS> 1p twitter -plain -po copy password to clipboard PS> 1p twitter -clip -po
Custom vault path	# at import PS> Import-Module 1Poshword.psd1 -args <.agilekeychain or .opvault path> per-command PS> 1p entryname -VaultPath <.agilekeychain or .opvault path> change default PS> Set-1PDefaultVaultPath <.agilekeychain or .opvault path>
Specify password programmatically	PS> $p = Read-Host -AsSecureString 'Speak, friend, and enter' Speak, friend, and enter: *************** PS> 1p github $p -plain latkin p@ssw0rd1
Piping	PS> g1p twitter | 1p
"Reveal" behavior	PS> 1p 'gmail backup codes' -plain | less

Thanks

1Pass, as the original inspiration for this. The first draft of 1Poshword was mostly just a transcription of 1Pass.

Medo, for the C# Pbkdf2-with-arbitrary-HMAC implementation.

AgileBits, for the excellent docs describing the opvault data format.

This project is not supported or endorsed by AgileBits. "1Password" is a registered trademark of Agile Web Solutions, Inc.