service/vault.md

 The vault service, based on [Vaultwarden][], serves as a secrets storage
-application.
+application for the whole organisation.
+
+Individuals still may use their own password manager, but it is
+strongly encouraged that all users start using Vaultwarden for the
+TPO-related secrets storage. TPA still uses [pass](service/password-manager) for now.
 
 [Vaultwarden]: https://github.com/dani-garcia/vaultwarden
 
@@ -115,6 +119,15 @@ In order to recover a user, the organization policy "Account recovery administra
 
 Note: Users already in the organization will not be retroactively enrolled in password reset, and will be required to self-enroll. Most users have not been enrolled in this configuration, but as of November 1st, they have been contacted to self-enroll. Enrollment in recovery can be determined by the key icon under the "Policies" column in the Members section of the Admin Console
 
+## Converting passwords from pass
+
+If you want to move passwords from the old ["pass" password
+manager](service/password-manager), you can try to use anarcat's [pass2rbw](https://gitlab.com/anarcat/scripts/-/blob/c9fc81fd83653ebd746eca897de7cab08b7650f6/pass2rbw.py) script, which
+requires the [rbw](https://github.com/doy/rbw/) command line tool.
+
+We do *not* currently recommend TPA migrate from `pass` to Bitwarden,
+but this might be useful for others.
+
 ## Pager playbook
 
 ### Check running version