Where does 1Password store the secret key on the device?

georgysavva
georgysavva
Community Member

Hi. I know that 1Password uses Apple Keychain to securely store the secret key along with other Account information on the device.
I decided to debug and understand is it the only place on the device where my secret key is stored. I turned off the 1Password app, deleted the corresponding record from the Keychain Access: com.agilebits.onepassword.b5Credentials, restarted the computer and I was able to unlock 1Password as regular only with my master password. After that I checked the Keychain Access and found previously deleted com.agilebits.onepassword.b5Credentials record. Note that I have iCloud Keychain sync disabled, so It can't be synced from other devices.

That experiment has led me to the conclusion that 1Password stores the secret key somewhere else on the disk and not only in the Apple Keychain. This concerns me in a way that it makes the secret key more accessible to other applications/programs running on the device, because as far as I know the Keychain is designed in a way that only 1Password can access that record com.agilebits.onepassword.b5Credentials, and the macOS ensures that. But if the secret key is also stored somewhere on the disk it can be read much easier by other processes.
Thanks!

Comments

  • ag_ana
    ag_ana
    1Password Alumni

    Hi @georgysavva!

    There is a section titled Locally exposed Secret Keys in our security white paper, which I think answers your question. You can find the white paper here, page 57 in the current version of the document :+1:

  • georgysavva
    georgysavva
    Community Member

    Hi @ag_ana. Thanks for a quick reply. I checked that section and from what I've found Keychain on macOS should be the only place where you store the secret key:

    Although lightly obfuscated, the Secret Key is stored on the local device unencrypted. Where possible, the Secret Key will be put into something provided by your system for storing authentication secrets. For 1Password for Mac and 1Password for iOS that will use the iOS and OS X keychains respectively

    Then I don't understand how 1Password managed to preserve the secret key after I deleted the record from the Keychain and rebooted the computer.
    Or I am misreading the docs and it says that 1Password stores the secret key obfuscated on the disk and also, when possible, in the Keychain.

  • ag_ana
    ag_ana
    1Password Alumni

    @georgysavva:

    I am not a security expert, but reading the section you quoted, I understood that the key is saved in Keychain where possible, but it will still be stored on your locally device unencrypted, in addition to that.

  • georgysavva
    georgysavva
    Community Member

    @ag_ana I see, thanks for clarifying this. I wonder what is the point of doing so? Why do you need to store it on disk in addition to the Keychain. Isn’t the Keychain the best suitable and sufficient place?

  • ag_ana
    ag_ana
    1Password Alumni

    @georgysavva:

    If the Secret Key were not stored on your disk, you would have to enter it every time you unlock the 1Password app, in addition to your Master Password. I am not sure if that is possible by just storing it in the Keychain.

  • georgysavva
    georgysavva
    Community Member

    @ag_ana thanks for explaining this to me, know I get it! Have a good day!

  • ag_ana
    ag_ana
    1Password Alumni

    You are welcome @georgysavva! I am glad I could help :)

    If you have any other questions, please feel free to reach out anytime.

    Have a wonderful day :)

This discussion has been closed.