Backups and syncing

Comments

  • 1pwuser31547
    1pwuser31547
    Community Member

    Hi Lars,
    Regarding backups and syncing, I have some questions.
    Let me provide some background to my questions.

    I have an up to date 1PW.com account (downloaded app from Apple App Store) as well as standalone vaults (Primary and Secondary) which I have synced with folders as OPVault files on hardware encrypted flash drives.

    Since each local vault can be synced with only one folder, I have duplicated data of the primary vault and secondary vaults by creating other secondary vaults which I back up to another encrypted flash drive.

    I also WLAN sync the Primary vault only with my iOS devices.

    My iCloud Drive is on but I have elected not to backup the 1PW app (iOS and MAC OS) to iCloud Drive, again in an effort to keep some data local only.

    By the way thanks so much for the support of local vaults!

    I know that backups and syncing are 2 distinct things.
    However, can these OPvault files be used as a way to restore the standalone vaults if my iMAC crashes AND I can’t restore from an external hard drive and can not perform any data recovery on the iMac?
    (I assume the app and its standalone vaults are backed up in the ex drive and I could normally restore from there).

    Please tell me if I’ve understood correctly:

    In this particular case where my iMac had failed and I couldn’t somehow restore the standalone vaults, I would download the Mac app from the Apple app store, sign in with my 1PW MP and Secret Key, confirm 2FA and then the server data would be restored.

    The 1PW. com account master password is identical to the Primary vault and Secondary vault passwords to keep things simple and because I don't share any data.

    But for the standalone vaults, would I need to again create a Primary vault and Secondary vaults and THEN restore and sync with the OPVault files on the flash drive?
    Or after opening the app (as above) would I access the USB drive first and then I would be prompted to restore/sync each vault primary and secondary after providing their passwords?

    Similarly, if I obtain a new MAC OS device, could I restore the local vaults this way?

    I want to know the exact sequence of what I would need to do so I don’t accidentally delete the data in the OPVault files by syncing to empty vault data just recently created on the new device.

    If there’s a link to all this please let me know.

    Could the WLAN play any role here?
    (I understand that the Primary vault of the MAC OS has the decryption keys of the MAC OS secondary vaults escrowed in it- don’t know if this makes any difference here in restoring data).

    I assume the Primary vaults on the iOS devices (to and from which I WLAN sync to MAC OS) do not contain any escrowed, decryption data of the secondary vaults on the iMac and would only contain this type of escrowed data if secondary vaults were also present on iOS.

    I WLAN sync only the Primary vault to the iOS devices, not the secondary ones.
    In other words on my iOS devices I only have the personal vaults of the account and the Primary vault, no secondary vaults.(Again all passwords for account, primary and secondary password are the same).

    My only back up of data other than the automatic back ups that 1PW app does for standalone vaults are in the form password protected/encrypted PDF files on my hardware encrypted flash drives.
    So I could recreate manually one by one each data entry if necessary.

    I’m just looking for an easier way to restore standalone/local only vaults to a new Apple OS device in this worst case scenario of irretrievable iMac 1PW backed up data (local vaults).

    Additionally I want to know how best to duplicate the primary and secondary vault data on a new 2nd MAC OS device.
    (first Apple device functioning properly- any way to copy/transfer data from MAC to MAC OS device?)

    I know the EASIEST way to restore is from the 1PW cloud and secondly from iCloud or Dropbox but I’m looking to maintain (and easily restore) some data local-only.

    Sorry for the long winded question.
    I just want to make things clear.
    Thanks!

  • Hi @1pwuser31547

    However, can these OPvault files be used as a way to restore the standalone vaults if my iMAC crashes AND I can’t restore from an external hard drive and can not perform any data recovery on the iMac?

    If you have the OPVault files and they aren't corrupted or otherwise damaged then yes, you could set up 1Password from them on a new Mac.

    (I assume the app and its standalone vaults are backed up in the ex drive and I could normally restore from there).

    I recommend not assuming anything when it comes to backups. :) It may be worth your time to test your disaster recovery scenario before you're forced to.

    In this particular case where my iMac had failed and I couldn’t somehow restore the standalone vaults, I would download the Mac app from the Apple app store, sign in with my 1PW MP and Secret Key, confirm 2FA and then the server data would be restored.

    Right. Hopefully you've got your 2FA secret backed up somewhere and/or set up on multiple devices.

    But for the standalone vaults, would I need to again create a Primary vault and Secondary vaults and THEN restore and sync with the OPVault files on the flash drive?

    Correct.

    Or after opening the app (as above) would I access the USB drive first and then I would be prompted to restore/sync each vault primary and secondary after providing their passwords?

    No; 1Password on the new computer wouldn't know anything about these vaults until you create them and then establish syncing.

    I want to know the exact sequence of what I would need to do so I don’t accidentally delete the data in the OPVault files by syncing to empty vault data just recently created on the new device.

    It doesn't work that way but it isn't going to hurt a bit to make a copy of these OPVault files before syncing with them. The "3-2-1" backup rule often quoted in IT classrooms says:

    Keep at least three copies of your data, and store two backup copies on different storage media, with one of them located offsite.

    Could the WLAN play any role here?

    The WLAN server is the most technically complex sync option that we offer. Our support of it is limited to the troubleshooting document published here:

    If you're having trouble using the WLAN server | 1Password

    As such I personally wouldn't consider relying on it in any sort of disaster recovery situation.

    So I could recreate manually one by one each data entry if necessary.

    That sounds incredibly painful. If you are concerned I would recommend considering more robust backups of your OPVaults (e.g. by using external storage media that you rotate through, with at least one copy always being stored off-site), and forgoing the PDFs.

    Additionally I want to know how best to duplicate the primary and secondary vault data on a new 2nd MAC OS device.

    (first Apple device functioning properly- any way to copy/transfer data from MAC to MAC OS device?)

    You'd need Dropbox, which is the only option supported that is capable of syncing multiple standalone vaults between Macs.

    How to sync 1Password with Dropbox

    Please note that the free tier of Dropbox allows for a limited number of devices, so you may need a membership with them if you wish to sync standalone vaults with more than a few devices.

    I know the EASIEST way to restore is from the 1PW cloud and secondly from iCloud or Dropbox but I’m looking to maintain (and easily restore) some data local-only.

    Syncing multiple standalone vaults is only supported via Dropbox. Outside of that you'd be maintaining this setup manually, which is not something we can support, and certainly takes the word "easy" entirely out of the equation.

    Using 1Password membership to store all of your 1Password data is going to be the best way to move forward. It comes with automatic off-site backups, local caches of your data on each device, and makes setting up a new device very easy.

    Ben

  • 1pwuser31547
    1pwuser31547
    Community Member

    Thanks Ben for the info and advice.

    Is it possible to copy/download on to a flash drive the back ups of the local vaults that are created by 1PW in the iMac?
    Are these automatic back ups in a different form than the OPvault files that I use for folder sync?

  • Ben
    Ben
    edited September 2019

    Is it possible to copy/download on to a flash drive the back ups of the local vaults that are created by 1PW in the iMac?

    Yes; those files would be in the ~/Library/Group Containers/2BUA8C4S2C.com.agilebits/Library/Application Support/1Password/Backups folder. These would be zipped SQLite files (database files). They can be restored by the 1Password for Mac application, but are not usable as OPVaults out-of-the-box.

    Are these automatic back ups in a different form than the OPvault files that I use for folder sync?

    Membership data is not backed up as files, but rather in a database. They aren't downloadable, as such.

    Ben

  • 1pwuser31547
    1pwuser31547
    Community Member

    “These would be zipped SQLite files (database files). They can be restored by the 1Password for Mac application, but are not usable as OPVaults out-of-the-box”

    So to clarify, I could use these backed up SQLite files (copied to flash drive) to restore the database on a new MAC with 1PW opened?
    Would I follow all the same steps as above or would just need to download 1 PW app, sign in, restore the membership data and then use the SQLite files to restore the local vaults in one step?
    Is this preferable to using the OPvault files?

  • @1pwuser31547

    So to clarify, I could use these backed up SQLite files (copied to flash drive) to restore the database on a new MAC with 1PW opened?

    Yes.

    Would I follow all the same steps as above or would just need to download 1 PW app, sign in, restore the membership data and then use the SQLite files to restore the local vaults in one step?

    The process would be different. You'd copy the .1p4_zip file(s) into the ~/Library/Group Containers/2BUA8C4S2C.com.agilebits/Library/Application Support/1Password/Backups folder, and then you could use the File > Restore menu in 1Password for Mac to restore from one of those files.

    Is this preferable to using the OPvault files?

    Apples and oranges, to a degree. OPVault files are sync files, whereas these are backups (snapshots in time). :) So, it depends on what you're trying to accomplish. Trying to back up and restore? Use the backup files. Trying to sync? Use OPvault.

    Does that help?

    Ben

  • 1pwuser31547
    1pwuser31547
    Community Member

    That’s great. I see the files.
    Thanks so much!
    I see that the back ups are done regularly (daily?) and you can manually back up.

    So for example, if I simply want to update a new MAC device (my old device still functioning with 1 PW up to date), in my case with multiple secondary vaults, it would be easier to first manually back up (creating most recent zip file) from 1 PW on old MAC , transfer to flash drive, then restore to new device rather than have to manually add all the vaults and restore from OPvault files.
    Am I understanding correctly?

    Are these zip files password protected in that they could only be accessed with the proper owner’s 1PW login credentials after opening their MAC app ( like the OP Vault files)?

  • 1pwuser31547
    1pwuser31547
    Community Member

    Ben, as a follow up, would it best security practice to store these zip files in an encrypted container on my MAC and delete the old ones (put them in an another encrypted container and then delete since with SSD there’s no such thing as “secure” empty trash)?

    Since I have several copies in several locations of up to date zip files, for future scheduled backups, can I turn them off and manually back up into an encrypted container each time I update the database on 1PW?

    Is this possible or recommended or just security theater😞?

    I have full disk encryption (file vault turned on), but obviously when I’m logged on the iMAC everything is decrypted.

  • Am I understanding correctly?

    Yes, I think so. :+1:

    Are these zip files password protected in that they could only be accessed with the proper owner’s 1PW login credentials after opening their MAC app ( like the OP Vault files)?

    They are encrypted using your Master Password. They are protected to the same level the "live" data or an OPVault is.

    Ben, as a follow up, would it best security practice to store these zip files in an encrypted container on my MAC and delete the old ones (put them in an another encrypted container and then delete since with SSD there’s no such thing as “secure” empty trash)?

    I wouldn't bother with any of that. The files are already encrypted.

    Since I have several copies in several locations of up to date zip files, for future scheduled backups, can I turn them off and manually back up into an encrypted container each time I update the database on 1PW?

    Thanks so much!

    My pleasure. :)

    Ben

  • 1pwuser31547
    1pwuser31547
    Community Member

    I appreciate the follow up.
    Thanks so much for clearing all this up for me.

  • ag_ana
    ag_ana
    1Password Alumni

    On behalf of Ben, you are welcome! If you have any other questions, please feel free to reach out anytime.

    Have a wonderful day :)

This discussion has been closed.