Secondhand Software

How to migrate from Pass to KeePassXC

<2025-08-23 Sat>

I found myself needing to migrate from passwords generated and stored using Password Store to an existing KeePassXC vault. Annoyingly, though the pass command will list all passwords, it does so using tree which makes it difficult to loop over the output: 

$ pass list
Password Store
├── Business
│   ├── some-silly-business-site.com
│   └── another-business-site.net
├── Email
│   ├── donenfeld.com
│   └── zx2c4.com
└── France
    ├── bank
    ├── freebox
    └── mobilephone

I wrote a Python script that I stored in the .password-store directory and ran with: 

find ./ -name "*.gpg" -exec ./handle_path.py {} \; > DELETEME.csv

This script finds all .gpg files and runs the python script on each passing in the path of each file. The file name will be in the form "./path/to/file/title.gpg". 

#!/usr/bin/env python3
import sys
import subprocess

# argv[1] will be of form "./path/to/file/title.gpg" so grab the
# filename without leading ./ or .gpg extension
secret_name = sys.argv[1][2:-4]
# Look up the password with pass
result = subprocess.run(["pass", secret_name], capture_output=True, encoding="utf-8")
fields = secret_name.split('/')
# Group will be any leading fields separated by /
group = "/".join(fields[:-1])
# Title will be the last field separated by /
title = fields[-1]
# Prepend pass_import to group so it's clear when merging which
# are imports. Strip any newline character from result.stdout.
print(f"pass_import/{group}\t{title}\t{result.stdout.rstrip()}")

I was originally using a comma as a field separator but pass generated passwords (see code here) by default include the full POSIX :punct: character set which includes comma. So, instead I use tab to deliniate fields.

A word of caution

For this use case I only had one line in most of my pass entries. So I could clean up the DELETEME.csv file by hand. If you have multiple lines in a lot of your entries you will need to do something like alter the pass call in the python file to 'pass secretname | head -n 1' else the csv will be messed up.

From there you can import the csv to a new KeePassXC vault which can then be merged with an existing vault if you like.

Don't forget to "shred -u DELETEME.csv" when you're finished!