Skip to content
PowerShell client for 1Password
Branch: master
Clone or download


PowerShell client for 1Password


  • Cross-platform (Windows/OSX/Linux, PowerShell v4.0+)
  • agilekeychain and opvault support
  • Login, Password, Secure Note, and Generic Account decryption
  • Metadata for all entries
  • Tab completion (agilekeychain only)
  • Output formats
    • PSCredential
    • SecureString
    • Plaintext
    • Clipboard
  • Complete Get-Help documentation


Install from the PowerShell Gallery (Windows-only, PS v5+):

PS> Install-Module -Name 1Poshword

Direct download:

'1Poshword.psd1','1Poshword.psm1','lib.ps1','pbkdf2.cs' |% {
    Invoke-WebRequest$_ -OutFile ./$_

Import-Module ./1Poshword.psd1


Lists 1Password entries. Alias g1p.

PS> g1p

Name               Type       LastUpdated          Location
----               ----       -----------          --------
Twitter            Login      11/29/15 11:53:44 PM
Github             Login      11/29/15 11:58:12 PM
Gmail - Personal   Login      11/30/15 12:11:50 AM
Gmail - Work       Login      2/8/16 4:23:38 PM
SSH                Password   2/10/16 1:30:34 PM
Gmail Backup Codes SecureNote 6/8/16 8:41:44 AM


PS> g1p twitter | fl *

Name          : Twitter
Id            : E61537A747044159BE8F2A412614C83F
VaultPath     : /Users/lincoln/Dropbox/1Password/1Password.agilekeychain
SecurityLevel : SL5
KeyId         : 
KeyData       : 
Location      :
Type          : Login
CreatedAt     : 10/27/15 8:53:36 PM
LastUpdated   : 11/29/15 11:53:44 PM
EncryptedData : U2FsdGVkX198K5razrhlihDvUrIC2FTp29PcqQpmO48MApG758vljLe+z...


Derypts a particular 1Password entry to a variety of formats. Alias 1p.

Add flag -PasswordOnly (alias -po) to output only an entry's password field.

(Yes, "unprotect" is weird, but that's the approved verb for decryption so we're going with it.)

Output Note
PSCredential Default for
  • Login
  • Generic Account
PS> 1p twitter
1Password vault password: ***************

UserName Password

LincolnAtkinson System.Security.SecureString

SecureString Default for
  • Secure Note
  • Password
PS> 1p ssh
1Password vault password: ***************


PS> 1p github -plain
1Password vault password: ***************

latkin p@ssw0rd1

PS> 1p 'Gmail - Personal' -clip
1Password vault password: ***************


Password-only output
# output password as SecureString
PS> 1p twitter -po

output password as plaintext

PS> 1p twitter -plain -po

copy password to clipboard

PS> 1p twitter -clip -po

Custom vault path
# at import
PS> Import-Module 1Poshword.psd1 -args <.agilekeychain or .opvault path>


PS> 1p entryname -VaultPath <.agilekeychain or .opvault path>

change default

PS> Set-1PDefaultVaultPath <.agilekeychain or .opvault path>

Specify password programmatically
PS> $p = Read-Host -AsSecureString 'Speak, friend, and enter'
Speak, friend, and enter: ***************

PS> 1p github $p -plain

latkin p@ssw0rd1

PS> g1p twitter | 1p
"Reveal" behavior
PS> 1p 'gmail backup codes' -plain | less


1Pass, as the original inspiration for this. The first draft of 1Poshword was mostly just a transcription of 1Pass.

Medo, for the C# Pbkdf2-with-arbitrary-HMAC implementation.

AgileBits, for the excellent docs describing the opvault data format.

This project is not supported or endorsed by AgileBits. "1Password" is a registered trademark of Agile Web Solutions, Inc.

You can’t perform that action at this time.