Europeans who want to keep their sensitive data beyond the reach of Chinese, American, or Russian governments might consider Proton Pass as an alternative to password managers that store data in non-European data centres.
1Password is a Canadian company and customers can choose to locate their data in Canada, US or Europe. Customer vaults are stored on AWS though—an American provider subject to U.S. laws and potential government overreach, as the CLOUD Act grants US authorities access to cloud data hosted by US companies, wherever that data is located. 1Password use “true end to end encryption” but the secrecy surrounding the governments’ requests to providers using high-end encryption remains an area of attention.
Proton is a Swiss company, storing its fully encrypted data in Swiss and German data centres, that they fully manage.
Overview
1Password can export vaults’ content to a non-encrypted file in 1PUX format, which Proton Pass can then import.
The process is straightforward but there are limitations:
- The export function processes all entries across all vaults. Shared vaults will be migrated by each account having access to them, leading to shared entries being duplicated in Proton Pass.
- Proton Pass cannot import some 1Password categories, including Notes and License keys. These will have to be manually recreated.
- The Proton Pass import process will list entries that could not be imported (eg ignored categories). The import log is only visible once and not saved, so it should be copied for later reference.
- The 1PUX file is not encrypted. It should be saved on a local drive (not synchronised with any cloud) and deleted immediately after import (including from the bin).
Step 1 – Proton account password
Be sure to memorise your Proton account password before loosing access to the 1Password vault containing it. That password will have to be entered multiple times, similarly to the 1Password password. It should be secure and memorable.
Do not reuse your 1Password for your Proton account
There is a possibility that 1Password vaults keep existing after your account is deleted (local or cloud backups, exfiltrated during cyber attacks on cloud providers, …) and that future technology would be able to crack its encryption. Changing the password “resets” access to the vault.
Step 2 – Shared vaults
Proton Pass vaults need to exist before the import process start.
The fist step is to decide with the other members of the 1Password family how shared vaults are being exported. A simple approach is for a member to export/import all vaults then remove the access of the other family members to the shared vaults. Once they start their own/export/import process, these vaults will not be visible and therefore not processed a second time.
Step 3 – Export
Start in 1Password’s File → Export menu entry. Select the account then the 1PUX export format after entering the account password. Select a folder that is not synchronised with any cloud provider.
Step 4 – Import
For a reason that is not easy to understand, the import function has to be started from the Proton Pass browser extension by clicking on the extension icon, then the Proton Pass icon at the left of the search field, Settings, Import and finally 1Password.
Select the file and start the import.
At the end of the process, the import result is shown with the list of 1Password entries that have not been imported. It is critical to immediately copy this list into a document to review and recreate manually the useful entries in Proton Pass.
The 1PUX file should be deleted immediately after import, then deleted from the bin/trash, as it contains all 1Password usernames and passwords unencrypted.
Step 5 – Settings
The last step is to install Proton Pass on all relevant devices, and to configure their operating system and browsers to use exclusively Proton Pass to suggest and save passwords, to handle passkeys and 2FA codes.
That’s it.