Roadmap: Password Consolidation to gopass v3

1. Overview

Consolidate ALL password sources into the unified gopass v3 structure with domain-aligned organization and YAML metadata.

Goal: Single source of truth for all credentials, organized by domain (d000, d001) and category (personal, keys, certificates).

2. Current State

Source                     Structure              Contents                               Status
pass (legacy)              Flat hierarchy         Original passwords before gopass       MIGRATE
gopass v2 (ADMINISTRATIO)  Flat hierarchy         Network devices, servers, AD accounts  MIGRATE
gopass v2 (ARCANA)         Flat hierarchy         Personal/consumer passwords            MIGRATE
1Password                  Vaults                 Consumer accounts, family shared       EXPORT + MIGRATE
gopass v3                  Domain-aligned + YAML  Target architecture                    IN PROGRESS

3. Target Architecture (v3)

v3/
├── domains/
│   ├── d000/                    # Home enterprise
│   │   ├── network/             # Switches, APs, firewalls
│   │   │   ├── devices/         # Device credentials
│   │   │   ├── radius/          # RADIUS shared secrets
│   │   │   ├── snmp/            # SNMP communities
│   │   │   └── tacacs/          # TACACS+ keys
│   │   ├── servers/             # VMs, services
│   │   ├── identity/            # AD, LDAP, SSO
│   │   ├── storage/             # NAS, backup drives
│   │   └── hardware/            # IPMI, iLO, iDRAC
│   └── d001/                    # Work enterprise (same structure)
├── keys/
│   ├── gpg/                     # GPG key passphrases
│   ├── ssh/                     # SSH key passphrases
│   ├── age/                     # age key references
│   └── encryption/              # Other encryption keys
├── certificates/                # Cert passphrases, PFX passwords
├── licenses/                    # Software licenses
└── personal/                    # Consumer passwords
    ├── email/
    ├── finance/
    ├── gaming/
    ├── government/
    ├── health/
    ├── shopping/
    ├── social/
    ├── streaming/
    └── travel/

4. YAML Structure Standard

Every v3 secret uses YAML metadata after the password:

SuperSecretPassword123!
---
url: https://example.com
username: user@example.com
email: user@example.com
totp: JBSWY3DPEHPK3PXP
notes: |
  Recovery codes stored in safe
  Account created 2024-01-15
category: finance
tags:
  - banking
  - primary
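As an added example (not part of the original roadmap), a small Python checker that parses a v3 secret in the layout above and reports what is missing, which is also how the "every v3 entry has YAML metadata" success criterion in section 10 can be checked; the required-key list and the https/base32 checks are assumed policy, not something the roadmap states.

```python
import re

# Assumed policy (not stated in the roadmap): keys every v3 entry must carry.
REQUIRED_KEYS = ("url", "username", "category")
BASE32_RE = re.compile(r"^[A-Z2-7]+=*$")


def parse_secret(text):
    """Split a v3 secret into (password, metadata): line 1 is the password,
    line 2 is '---', the rest is YAML (only 'key: value', 'key: |' block
    scalars and 'key:' + '- item' lists are handled)."""
    lines = text.splitlines()
    if len(lines) < 2 or lines[1].strip() != "---":
        raise ValueError("expected password on line 1 and '---' on line 2")
    password, meta, key = lines[0], {}, None
    for raw in lines[2:]:
        if raw.startswith(" ") and key is not None:      # continuation line
            item = raw.strip()
            if isinstance(meta[key], list):
                meta[key].append(item[2:] if item.startswith("- ") else item)
            else:
                meta[key] += item + "\n"
            continue
        if not raw.strip():
            continue
        key, _, value = raw.partition(":")
        key, value = key.strip(), value.strip()
        if value == "|":
            meta[key] = ""      # block scalar, filled by continuation lines
        elif value == "":
            meta[key] = []      # list, filled by '- item' lines
        else:
            meta[key] = value
    return password, meta


def validate(text):
    """Return a list of problems; an empty list means the entry meets the standard."""
    try:
        password, meta = parse_secret(text)
    except ValueError as exc:
        return [str(exc)]
    problems = [f"missing key: {k}" for k in REQUIRED_KEYS if k not in meta]
    if not password.strip():
        problems.append("empty password")
    if "url" in meta and not str(meta["url"]).startswith("https://"):
        problems.append("url is not https")
    if "totp" in meta and not BASE32_RE.match(str(meta["totp"])):
        problems.append("totp is not base32")
    return problems
```

Run it over `gopass show <entry>` output for each entry of `gopass ls -f v3` to list the entries that still lack metadata.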

5. Phase 1: Inventory and Mapping

5.1. Tasks

#    Task                                                      Priority
1.1  Export pass inventory: pass ls > /tmp/pass-inventory.txt  HIGH
1.2  Export ADMINISTRATIO inventory: gopass ls ADMINISTRATIO   HIGH
1.3  Export ARCANA inventory: gopass ls ARCANA                 HIGH
1.4  Export 1Password: Settings > Export > 1PUX format         HIGH
1.5  Create mapping spreadsheet: source → v3 path              HIGH
1.6  Identify duplicates across sources                        MEDIUM

5.2. Mapping Rules

Source Pattern            v3 Destination
ADMINISTRATIO/network/*   v3/domains/d000/network/devices/
ADMINISTRATIO/servers/*   v3/domains/d000/servers/
ADMINISTRATIO/domus/ad/*  v3/domains/d000/identity/
ARCANA/finance/*          v3/personal/finance/
ARCANA/email/*            v3/personal/email/
1Password/Login/*         v3/personal/<category>/ (based on URL)
1Password/Credit Card/*   v3/personal/finance/cards/
1Password/Secure Note/*   v3/personal/documents/
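As an added example (not the roadmap's own tooling), a Python routine that applies the mapping rules above to inventory paths (task 1.5) and groups the results by destination so that two sources claiming the same v3 path show up as duplicates (task 1.6); the URL keyword table used for 1Password logins and the "uncategorized" fallback are assumptions.

```python
from collections import defaultdict
from urllib.parse import urlparse

# Prefix rules from the mapping table. 1Password logins are handled
# separately because their category comes from the URL.
RULES = [
    ("ADMINISTRATIO/network/", "v3/domains/d000/network/devices/"),
    ("ADMINISTRATIO/servers/", "v3/domains/d000/servers/"),
    ("ADMINISTRATIO/domus/ad/", "v3/domains/d000/identity/"),
    ("ARCANA/finance/", "v3/personal/finance/"),
    ("ARCANA/email/", "v3/personal/email/"),
    ("1Password/Credit Card/", "v3/personal/finance/cards/"),
    ("1Password/Secure Note/", "v3/personal/documents/"),
]
# Hypothetical keyword table for the "based on URL" rule (not from the roadmap).
URL_CATEGORIES = {
    "bank": "finance", "chase": "finance", "paypal": "finance",
    "mail": "email", "netflix": "streaming", "steam": "gaming",
    "amazon": "shopping", "irs": "government", "airline": "travel",
}

def categorize_url(url):
    """Choose a v3/personal/<category> from the URL host; unknown hosts get 'uncategorized'."""
    host = urlparse(url).hostname or ""
    for keyword, category in URL_CATEGORIES.items():
        if keyword in host:
            return category
    return "uncategorized"

def v3_destination(source, url=None):
    """Map one source path to its v3 path, or None when no rule matches."""
    login = "1Password/Login/"
    if source.startswith(login):
        # 1Password titles may contain spaces; normalize to lowercase-dash names
        name = source[len(login):].lower().replace(" ", "-")
        return f"v3/personal/{categorize_url(url or '')}/{name}"
    for prefix, dest in RULES:
        if source.startswith(prefix):
            return dest + source[len(prefix):]
    return None

def find_duplicates(entries):
    """entries: iterable of (source_path, url). Returns {v3_path: sources} for
    every v3 path claimed by more than one source (task 1.6)."""
    by_dest = defaultdict(list)
    for source, url in entries:
        dest = v3_destination(source, url)
        if dest:
            by_dest[dest].append(source)
    return {dest: srcs for dest, srcs in by_dest.items() if len(srcs) > 1}
```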

6. Phase 2: 1Password Export and Conversion

6.1. Export from 1Password

# 1. In 1Password desktop app:
# Settings > Export > Select vault > 1PUX format
# Save as: ~/1password-export-$(date +%Y%m%d).1pux

# 2. Unpack for processing. A 1PUX file is a zip archive whose export.data
#    is JSON, so it can be parsed directly; no CSV conversion is needed.
#    The unpacked data is plaintext: keep it owner-only and on local disk.
umask 077
mkdir -p /tmp/1password-data/
unzip ~/1password-export-*.1pux -d /tmp/1password-data/

6.2. Convert to gopass Format

#!/bin/bash
# convert-1password.sh - Process 1Password export
set -euo pipefail

INPUT_DIR="/tmp/1password-data"
OUTPUT_DIR="/tmp/gopass-import"

umask 077                      # output files hold plaintext: owner-only
mkdir -p "$OUTPUT_DIR"

# Parse export.data (JSON) and generate gopass-compatible files
# Each login becomes: password + YAML metadata
# jq -c emits one compact JSON object per line, so the while-read loop gets
# a whole item per iteration (with -r the object would be split over several
# lines). Logins carry categoryUuid "001" in the 1PUX format; first(...)//""
# tolerates items with a missing username or password field.

jq -c '.accounts[].vaults[].items[] | select(.categoryUuid == "001") |
  {title: .overview.title,
   url: (.overview.url // ""),
   username: (first(.details.loginFields[]? | select(.designation == "username") | .value) // ""),
   password: (first(.details.loginFields[]? | select(.designation == "password") | .value) // "")}' \
  "$INPUT_DIR/export.data" | while read -r item; do
    # Normalize the title to a lowercase, dash-separated, path-safe name
    TITLE=$(jq -r '.title' <<< "$item" | tr '[:upper:]' '[:lower:]' | tr -cs 'a-z0-9\n' '-')
    echo "Processing: $TITLE"
    # Write the gopass entry: password line, '---', then YAML metadata
    {
        jq -r '.password' <<< "$item"
        echo "---"
        echo "url: $(jq -r '.url' <<< "$item")"
        echo "username: $(jq -r '.username' <<< "$item")"
        echo "imported_from: 1password"
        echo "imported_date: $(date +%Y-%m-%d)"
    } > "$OUTPUT_DIR/$TITLE"
done

6.3. Import to gopass v3

# For each converted entry:
gopass insert v3/personal/category/service-name << 'EOF'
password-here
---
url: https://example.com
username: user@example.com
imported_from: 1password
imported_date: 2026-02-17
EOF

7. Phase 3: Migrate gopass v2 Stores

7.1. ADMINISTRATIO → v3/domains/d000/

# List all entries
gopass ls ADMINISTRATIO

# For each entry, read the password and re-insert it with YAML metadata.
# "gopass show -o" prints only the password line; holding it in a shell
# variable avoids writing plaintext to /tmp, where shred is unreliable on
# tmpfs and journaled filesystems.
PW=$(gopass show -o ADMINISTRATIO/network/9800-wlc-01)

gopass insert v3/domains/d000/network/devices/9800-wlc-01 << EOF
$PW
---
hostname: 9800-wlc-01.inside.domusdigitalis.dev
type: wireless-controller
vendor: cisco
model: Catalyst 9800-L
management_ip: 10.50.1.15
imported_from: ADMINISTRATIO
imported_date: $(date +%Y-%m-%d)
EOF

unset PW

7.2. ARCANA → v3/personal/

# Map ARCANA categories to v3/personal/
# ARCANA/finance/* → v3/personal/finance/
# ARCANA/email/* → v3/personal/email/
# etc.

# Same pattern as 7.1: password only (-o), kept in a variable, no temp file
PW=$(gopass show -o ARCANA/finance/bank-account)

gopass insert v3/personal/finance/bank-name << EOF
$PW
---
url: https://bank.com
username: myuser
account_type: checking
imported_from: ARCANA
imported_date: $(date +%Y-%m-%d)
EOF

unset PW

8. Phase 4: Verification and Cleanup

8.1. Verify All Entries Migrated

# Count entries in each store. "gopass ls -f" prints one entry per line with
# no tree glyphs, so wc -l counts secrets only (grep -c '──' on the tree
# output would also count directory lines). pass has no flat listing, so
# count its .gpg files instead.
echo "=== ENTRY COUNTS ==="
echo "pass (legacy):     $(find ~/.password-store -name '*.gpg' | wc -l)"
echo "ADMINISTRATIO:     $(gopass ls -f ADMINISTRATIO | wc -l)"
echo "ARCANA:            $(gopass ls -f ARCANA | wc -l)"
echo "v3:                $(gopass ls -f v3 | wc -l)"

8.2. Spot-Check Critical Entries

# Verify critical entries work
gopass show v3/domains/d000/identity/administrator
gopass show v3/domains/d000/network/devices/9800-wlc-01
gopass show v3/personal/finance/primary-bank

8.3. Deprecate Legacy Stores

# After full verification, remove legacy mounts
# WARNING: Only after confirming ALL entries migrated!

# Option 1: Unmount (keeps data, removes from gopass)
gopass mounts rm ADMINISTRATIO
gopass mounts rm ARCANA

# Option 2: Full delete (destructive)
# rm -rf ~/.local/share/gopass/stores/ADMINISTRATIO
# rm -rf ~/.local/share/gopass/stores/ARCANA

8.4. Secure Delete 1Password Export

# CRITICAL: Shred the plaintext export and everything unpacked or generated
# from it (-u removes the file after overwriting; plain rm leaves the data)
shred -vzun 3 ~/1password-export-*.1pux
find /tmp/1password-data /tmp/gopass-import -type f -exec shred -vzun 3 {} +
rm -rf /tmp/1password-data/ /tmp/gopass-import/
# shred cannot guarantee overwriting on journaled or copy-on-write filesystems
# (btrfs, ZFS, ext4 data=journal) or on a tmpfs-backed /tmp; there, rely on
# full-disk encryption and never copy the export to unencrypted media.

9. Phase 5: Multi-Remote Sync

9.1. Configure v3 Remotes

cd ~/.local/share/gopass/stores/v3

# Add multiple remotes for redundancy
git remote add github git@github.com:EvanusModestus/gopass-v3.git
git remote add gitlab git@gitlab.com:EvanusModestus/gopass-v3.git
git remote add gitea git@gitea.inside.domusdigitalis.dev:evanusmodestus/gopass-v3.git

# Push to all
git push github main
git push gitlab main
git push gitea main

9.2. Sync Script

#!/bin/bash
# gopass-sync-all.sh - push the v3 store to every configured remote
set -u

cd ~/.local/share/gopass/stores/v3 || exit 1

status=0
for remote in github gitlab gitea; do
    echo "Syncing to $remote..."
    if git push "$remote" main >/dev/null 2>&1; then
        echo "  ✓ $remote"
    else
        echo "  ✗ $remote (failed)"
        status=1
    fi
done
# Non-zero exit if any remote failed, so cron/systemd can flag it
exit $status

10. Success Criteria

  • All pass entries migrated to v3

  • All ADMINISTRATIO entries migrated to v3/domains/d000/

  • All ARCANA entries migrated to v3/personal/

  • All 1Password entries migrated to v3/personal/

  • Every v3 entry has YAML metadata

  • v3 synced to 3+ git remotes

  • Legacy stores unmounted

  • 1Password export securely deleted

  • gopass audit passes

11. Timeline

Phase    Description                      Effort
Phase 1  Inventory and mapping            1 hour
Phase 2  1Password export and conversion  2 hours
Phase 3  gopass v2 migration              2 hours
Phase 4  Verification and cleanup         1 hour
Phase 5  Multi-remote sync setup          30 min

Total: ~6.5 hours

  • gopass v3 Structure Reference (secrets-infrastructure)

  • gopass Operations (secrets-infrastructure)

  • gopass + YubiKey GPG Runbook (secrets-infrastructure)

13. Revision History

Date        Author          Changes
2026-02-17  EvanusModestus  Initial roadmap creation