gopass Migration Plan
Migration Status: COMPLETE (2026-02-09)
Target Structure (v2)
v2/
├── OPUS/ # Work credentials
│   └── chla/ # CHLA (chla.usc.edu)
│       ├── ad/
│       │   ├── erosado
│       │   └── chlxsbg
│       └── network/
│           └── cisco-tacacs
│
├── DOMUS/ # Personal infrastructure
│   ├── ad/ # Active Directory
│   │   ├── administrator
│   │   ├── evanusmodestus
│   │   ├── gabriel
│   │   └── dsrm
│   │
│   ├── network/ # Network devices
│   │   ├── pfsense-admin
│   │   ├── switch-admin
│   │   ├── wlc-admin
│   │   └── 9800-wlc-01
│   │
│   ├── servers/ # Server credentials
│   │   ├── ise-admin
│   │   ├── keycloak-admin
│   │   ├── vault-01
│   │   ├── gitea
│   │   └── ipsk-mgr-01
│   │
│   ├── storage/ # Storage systems
│   │   ├── synology
│   │   ├── synology-api
│   │   └── synology-quickconnect
│   │
│   ├── wifi/ # Wireless networks
│   │   ├── domus-secure
│   │   └── domus-iot
│   │
│   └── devices/ # Standalone devices
│       └── ipmi-01
│
├── ARCANA/ # Secrets & keys
│   ├── api/ # API keys
│   │   ├── domus/
│   │   │   ├── ise-ers
│   │   │   ├── ise-dataconnect
│   │   │   ├── cloudflare-dns
│   │   │   └── certmgr-deploy
│   │   └── cloud/
│   │       └── (future)
│   │
│   ├── crypto/ # Encryption
│   │   ├── age-primary
│   │   ├── borg-key
│   │   ├── borg-passphrase
│   │   ├── seagate-primary
│   │   ├── seagate-secondary
│   │   ├── veracrypt-portable
│   │   └── custos-inaugural
│   │
│   ├── ssh/ # SSH keys
│   │   ├── personal/
│   │   │   ├── github
│   │   │   ├── gitlab
│   │   │   ├── bitbucket
│   │   │   ├── codeberg
│   │   │   ├── azure
│   │   │   ├── d000
│   │   │   └── d001
│   │   └── domus/
│   │       ├── vault-01-deploy
│   │       ├── ise-02
│   │       └── gitea
│   │
│   ├── radius/ # RADIUS secrets
│   │   └── shared-secrets
│   │
│   ├── certificates/ # PKI secrets
│   │   └── certbot-svc
│   │
│   └── recovery/ # Recovery codes
│       └── (future)
│
├── COMMERCIA/ # Financial (unchanged)
│   ├── banking/
│   │   ├── accounts/
│   │   └── cards/
│   ├── licenses/
│   │   └── vim-adventures
│   ├── services/
│   └── vendors/
│
├── PERSONAE/ # Personal (unchanged structure)
│   ├── email/
│   ├── gaming/
│   ├── identity/
│   ├── logins/
│   │   └── obsidian-md # Moved from obsidian.md/
│   ├── medical/
│   ├── shopping/
│   ├── social/
│   ├── streaming/ # New category
│   ├── travel/ # New category
│   └── web/
│
└── COMMUNIS/ # Shared/family (new)
    ├── household/
    ├── subscriptions/
    └── emergency/
Migration Mapping
OPUS (Work) - 3 entries
| Current Path | New Path | Status |
|---|---|---|
|  |  | [ ] |
|  |  | [ ] |
|  |  | [ ] |
DOMUS (Personal Infrastructure) - 22 entries
AD Accounts
| Current Path | New Path | Status |
|---|---|---|
|  |  | [ ] |
|  |  | [ ] |
|  |  | [ ] |
|  |  | [ ] |
|  | SKIP (duplicate of above) | [x] |
|  | SKIP (legacy AD CS, deprecated) | [x] |
Network Devices
| Current Path | New Path | Status |
|---|---|---|
|  |  | [ ] |
|  |  | [ ] |
|  |  | [ ] |
|  |  | [ ] |
|  | REVIEW (what is this?) | [ ] |
|  |  | [ ] |
Servers
| Current Path | New Path | Status |
|---|---|---|
|  |  | [ ] |
|  |  | [ ] |
|  |  | [ ] |
|  |  | [ ] |
|  |  | [ ] |
|  | SKIP (duplicate of keycloak-admin?) | [ ] |
Storage
| Current Path | New Path | Status |
|---|---|---|
|  |  | [ ] |
|  |  | [ ] |
|  |  | [ ] |
ARCANA (Secrets) - 18 entries
API Keys
| Current Path | New Path | Status |
|---|---|---|
|  |  | [ ] |
|  |  | [ ] |
|  |  | [ ] |
|  |  | [ ] |
Crypto/Encryption
| Current Path | New Path | Status |
|---|---|---|
|  |  | [ ] |
|  |  | [ ] |
|  |  | [ ] |
|  |  | [ ] |
|  |  | [ ] |
|  |  | [ ] |
|  |  | [ ] |
SSH Keys
| Current Path | New Path | Status |
|---|---|---|
|  |  | [ ] |
|  |  | [ ] |
|  |  | [ ] |
|  |  | [ ] |
|  |  | [ ] |
|  |  | [ ] |
|  |  | [ ] |
|  |  | [ ] |
|  |  | [ ] |
|  |  | [ ] |
Migration Script
#!/bin/bash
# gopass-migrate-v2.sh
# Run: bash gopass-migrate-v2.sh
# Safe: Uses copy, not move. Originals preserved.
set -euo pipefail
echo "=== gopass v2 Migration ==="
echo ""
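# Initialize the v2 store if it is not mounted yet.
# gopass may print the mount list as a tree, so match "v2" as a whole word
# rather than only at the start of a line.
if ! gopass mounts | grep -qw "v2"; then
    echo "Initializing v2 store..."
    gopass init --store v2
fi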
echo "--- OPUS (Work) ---"
gopass cp ad/chla.usc.edu/erosado v2/OPUS/chla/ad/erosado 2>/dev/null || echo " erosado: skipped"
gopass cp ad/chla.usc.edu/chlxsbg v2/OPUS/chla/ad/chlxsbg 2>/dev/null || echo " chlxsbg: skipped"
gopass cp work/cisco-tacacs v2/OPUS/chla/network/cisco-tacacs 2>/dev/null || echo " cisco-tacacs: skipped"
echo ""
echo "--- DOMUS/ad ---"
gopass cp ad/inside.domusdigitalis.dev/evanusmodestus v2/DOMUS/ad/evanusmodestus 2>/dev/null || echo " evanusmodestus: skipped"
gopass cp ad/inside.domusdigitalis.dev/gabriel v2/DOMUS/ad/gabriel 2>/dev/null || echo " gabriel: skipped"
gopass cp ADMINISTRATIO/servers/home-dc01/Administrator v2/DOMUS/ad/administrator 2>/dev/null || echo " administrator: skipped"
gopass cp ADMINISTRATIO/servers/home-dc01/dsrm v2/DOMUS/ad/dsrm 2>/dev/null || echo " dsrm: skipped"
echo ""
echo "--- DOMUS/network ---"
gopass cp infra/inside.domusdigitalis.dev/pfsense-admin v2/DOMUS/network/pfsense-admin 2>/dev/null || echo " pfsense-admin: skipped"
gopass cp infra/inside.domusdigitalis.dev/switch-admin v2/DOMUS/network/switch-admin 2>/dev/null || echo " switch-admin: skipped"
gopass cp infra/inside.domusdigitalis.dev/wlc-admin v2/DOMUS/network/wlc-admin 2>/dev/null || echo " wlc-admin: skipped"
gopass cp ADMINISTRATIO/network/9800-wlc-01 v2/DOMUS/network/9800-wlc-01 2>/dev/null || echo " 9800-wlc-01: skipped"
echo ""
echo "--- DOMUS/servers ---"
gopass cp infra/inside.domusdigitalis.dev/ise-admin v2/DOMUS/servers/ise-admin 2>/dev/null || echo " ise-admin: skipped"
gopass cp infra/inside.domusdigitalis.dev/keycloak-admin v2/DOMUS/servers/keycloak-admin 2>/dev/null || echo " keycloak-admin: skipped"
gopass cp ADMINISTRATIO/servers/vault-01 v2/DOMUS/servers/vault-01 2>/dev/null || echo " vault-01: skipped"
gopass cp ADMINISTRATIO/servers/gitea v2/DOMUS/servers/gitea 2>/dev/null || echo " gitea: skipped"
gopass cp ADMINISTRATIO/servers/ipsk-mgr-01 v2/DOMUS/servers/ipsk-mgr-01 2>/dev/null || echo " ipsk-mgr-01: skipped"
gopass cp ADMINISTRATIO/network/ise-02 v2/DOMUS/servers/ise-cli 2>/dev/null || echo " ise-cli: skipped"
echo ""
echo "--- DOMUS/storage ---"
gopass cp ADMINISTRATIO/servers/synology v2/DOMUS/storage/synology 2>/dev/null || echo " synology: skipped"
gopass cp ADMINISTRATIO/servers/synology-api v2/DOMUS/storage/synology-api 2>/dev/null || echo " synology-api: skipped"
gopass cp ADMINISTRATIO/servers/synology-quickconnect v2/DOMUS/storage/synology-quickconnect 2>/dev/null || echo " synology-quickconnect: skipped"
echo ""
echo "--- DOMUS/wifi ---"
gopass cp wifi/inside.domusdigitalis.dev/domus-secure v2/DOMUS/wifi/domus-secure 2>/dev/null || echo " domus-secure: skipped"
gopass cp wifi/inside.domusdigitalis.dev/domus-iot v2/DOMUS/wifi/domus-iot 2>/dev/null || echo " domus-iot: skipped"
echo ""
echo "--- DOMUS/devices ---"
gopass cp ADMINISTRATIO/devices/ipmi-01 v2/DOMUS/devices/ipmi-01 2>/dev/null || echo " ipmi-01: skipped"
echo ""
echo "--- ARCANA/api ---"
gopass cp ARCANA/api/ise-02 v2/ARCANA/api/domus/ise-ers 2>/dev/null || echo " ise-ers: skipped"
gopass cp ARCANA/api/ise-dataconnect v2/ARCANA/api/domus/ise-dataconnect 2>/dev/null || echo " ise-dataconnect: skipped"
gopass cp ARCANA/api/cloudflare-dns v2/ARCANA/api/domus/cloudflare-dns 2>/dev/null || echo " cloudflare-dns: skipped"
gopass cp ARCANA/api/vault-01-deploy v2/ARCANA/api/domus/certmgr-deploy 2>/dev/null || echo " certmgr-deploy: skipped"
echo ""
echo "--- ARCANA/crypto ---"
gopass cp ARCANA/encryption/vault-01-age v2/ARCANA/crypto/age-primary 2>/dev/null || echo " age-primary: skipped"
gopass cp storage/ds3018xs/borg-key v2/ARCANA/crypto/borg-key 2>/dev/null || echo " borg-key: skipped"
gopass cp storage/ds3018xs/borg-passphrase v2/ARCANA/crypto/borg-passphrase 2>/dev/null || echo " borg-passphrase: skipped"
gopass cp ARCANA/storage/seagate-primary v2/ARCANA/crypto/seagate-primary 2>/dev/null || echo " seagate-primary: skipped"
gopass cp ARCANA/storage/seagate-secondary v2/ARCANA/crypto/seagate-secondary 2>/dev/null || echo " seagate-secondary: skipped"
gopass cp ARCANA/storage/veracrypt-portable v2/ARCANA/crypto/veracrypt-portable 2>/dev/null || echo " veracrypt-portable: skipped"
gopass cp ARCANA/custos-inaugural v2/ARCANA/crypto/custos-inaugural 2>/dev/null || echo " custos-inaugural: skipped"
echo ""
echo "--- ARCANA/ssh/personal ---"
gopass cp ARCANA/ssh/github v2/ARCANA/ssh/personal/github 2>/dev/null || echo " github: skipped"
gopass cp ARCANA/ssh/gitlab v2/ARCANA/ssh/personal/gitlab 2>/dev/null || echo " gitlab: skipped"
gopass cp ARCANA/ssh/bitbucket v2/ARCANA/ssh/personal/bitbucket 2>/dev/null || echo " bitbucket: skipped"
gopass cp ARCANA/ssh/codeberg v2/ARCANA/ssh/personal/codeberg 2>/dev/null || echo " codeberg: skipped"
gopass cp ARCANA/ssh/azure v2/ARCANA/ssh/personal/azure 2>/dev/null || echo " azure: skipped"
gopass cp ARCANA/ssh/d000 v2/ARCANA/ssh/personal/d000 2>/dev/null || echo " d000: skipped"
gopass cp ARCANA/ssh/d001 v2/ARCANA/ssh/personal/d001 2>/dev/null || echo " d001: skipped"
echo ""
echo "--- ARCANA/ssh/domus ---"
gopass cp ARCANA/ssh/vault-01-deploy v2/ARCANA/ssh/domus/vault-01-deploy 2>/dev/null || echo " vault-01-deploy: skipped"
gopass cp ARCANA/ssh/ise-02 v2/ARCANA/ssh/domus/ise-02 2>/dev/null || echo " ise-02: skipped"
gopass cp ARCANA/ssh/gitea v2/ARCANA/ssh/domus/gitea 2>/dev/null || echo " gitea: skipped"
echo ""
echo "--- ARCANA/radius & certificates ---"
gopass cp svc/inside.domusdigitalis.dev/radius-shared-secrets v2/ARCANA/radius/shared-secrets 2>/dev/null || echo " shared-secrets: skipped"
gopass cp svc/inside.domusdigitalis.dev/certbot-svc v2/ARCANA/certificates/certbot-svc 2>/dev/null || echo " certbot-svc: skipped"
echo ""
echo "--- COMMERCIA ---"
gopass cp COMMERCIA/licenses/vim-adventures v2/COMMERCIA/licenses/vim-adventures 2>/dev/null || echo " vim-adventures: skipped"
echo ""
echo "--- PERSONAE ---"
gopass cp obsidian.md/evanusmodestus v2/PERSONAE/logins/obsidian-md 2>/dev/null || echo " obsidian-md: skipped"
echo ""
echo "=== Migration Complete ==="
echo ""
echo "Verify: gopass ls v2/"
echo ""
echo "Once verified, you can:"
echo " 1. Make v2 the primary: gopass mounts"
echo " 2. Remove old entries after confirming v2 works"
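
The script above reports every failed copy as "skipped" and discards the error text, so the `gopass ls v2/` check it suggests needs something to compare against. As an added example (not part of the original plan), this derives the expected destinations from the script's own `gopass cp` lines and prints any that are absent; the file name `verify-v2.sh`, the function names and the sample data are assumptions, as is `gopass ls --flat` printing full paths including the `v2/` mount prefix.

```shell
#!/bin/sh
# Added example (not from the original page): post-migration check.
# A missing source and a real copy failure both print "skipped" in the
# migration script, so compare the store against the intended destinations.
set -eu

# Read gopass-migrate-v2.sh style lines on stdin and print each copy
# destination (4th field of "gopass cp SRC DST ...").
expected_destinations() {
    awk '$1 == "gopass" && $2 == "cp" { print $4 }'
}

# missing_entries EXPECTED LISTING
# Both arguments are newline-separated path lists. Prints every expected
# path that is not an exact line of the listing (a prefix does not count).
missing_entries() {
    printf '%s\n' "$1" | while IFS= read -r path; do
        [ -n "$path" ] || continue
        printf '%s\n' "$2" | grep -Fxq -- "$path" || printf '%s\n' "$path"
    done
}

# Constructed sample: lines in the style of the script, and a flat listing
# in which the dsrm copy did not land.
SAMPLE_SCRIPT='gopass cp ad/inside.domusdigitalis.dev/gabriel v2/DOMUS/ad/gabriel 2>/dev/null || echo " gabriel: skipped"
gopass cp ADMINISTRATIO/servers/home-dc01/dsrm v2/DOMUS/ad/dsrm 2>/dev/null || echo " dsrm: skipped"
echo "--- DOMUS/network ---"
gopass cp ADMINISTRATIO/network/9800-wlc-01 v2/DOMUS/network/9800-wlc-01 2>/dev/null || echo " 9800-wlc-01: skipped"'
SAMPLE_LISTING='v2/DOMUS/ad/gabriel
v2/DOMUS/network/9800-wlc-01
ad/inside.domusdigitalis.dev/gabriel'

check_sample() {
    missing_entries "$(printf '%s\n' "$SAMPLE_SCRIPT" | expected_destinations)" "$SAMPLE_LISTING"
}

# Real run: sh verify-v2.sh gopass-migrate-v2.sh
# Assumes "gopass ls --flat" prints full paths including the v2/ prefix.
if [ "$#" -eq 1 ]; then
    listing=$(gopass ls --flat)
    missing=$(missing_entries "$(expected_destinations < "$1")" "$listing")
    [ -z "$missing" ] || { printf '%s\n' "$missing" | sed 's/^/MISSING /'; exit 1; }
    echo "all destinations present in v2"
else
    check_sample
fi
```

Run without arguments it checks the constructed sample; a non-zero exit on the real run means the old entries should stay in place until the listed paths are accounted for.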
Post-Migration
Make v2 Primary (after verification)
Option 1: Rename stores
# Backup current
mv ~/.local/share/gopass/stores/root ~/.local/share/gopass/stores/legacy
# Promote v2
mv ~/.local/share/gopass/stores/v2 ~/.local/share/gopass/stores/root
# Remount
gopass mounts
Option 2: Keep both, use v2 as default
# Access v2 entries directly
gopass show v2/DOMUS/ad/evanusmodestus
# Or define a shell function (an alias cannot prepend v2/ to its argument)
gp() { gopass show "v2/$1"; }
Entries to Review
These entries need manual decision:
| Entry | Question |
|---|---|
|  | What is this? Network device GUI password? |
|  | Duplicate of |
|  | Duplicate of |
|  | What metadata is stored here? |