Hard deletion policy
My threat model has changed such that highly-sensitive info is no longer suitable for storage in 1password. Specifically, I need to protect against:
- local device compromise
- 1password code compromise (via an insider or supply chain attack)
- use of 1password in a less-than-100%-secure environment (public spaces)
Before I get an onslaught of responses indicating that the responsibility lies on me to use a secure device/environment, that's easier said than done. Most of my data is low sensitivity and I'm happy to take the risk with that. Other data is highly-sensitive and requires additional protection/layers. I do not want to keep highly-sensitive data alongside low-sensitive data.
Thus I have deleted highly-sensitive data from my account, or added more protection (e.g., moving TOTP keys outside 1password, to a hardware device).
I will acknowledge that the correct solution is to rotate rather than destroy (e.g. rotate TOTP keys). But that's not what this question is about.
I need to ensure the highly-sensitive data is 100% deleted and unrecoverable in the case of account compromise.
Can you elaborate on the following questions:
1) When I delete an item, what is the policy around hard deletion? It seems like items are still recoverable for over a year.
2) When I View Recently Deleted Items -> Destroy Item, what guarantees can you give me that the item has in fact been wiped from disk? I'm interested in the details here, and feel free to refer me to your cloud provider's documentation.
3) How can I wipe/destroy an item's history? When I go to item -> Item History, there's a button to view but not destroy the historic version.
4) What is the advice around storing data of different sensitivity levels with 1password? I want to be able to use 1password to unlock low-sensitive information in insecure environments (like a possibly compromised machine/public space) but also use it to unlock high-sensitive information in secure environments (like a hardened machine at home). Consider this a feature request. You could do this by double-encrypting highly-sensitive information with a second master password for example.
Much appreciated.
Anon
Comments
-
I think Ben suggested to reach out via email to get a faster answer, since the security team can be contacted directly over there :+1:
0 -
> local device compromise
AKA using 1Password, personal vaults, on a corporate device.
0 -
Certainly if you know or suspect your employer monitors activities on their devices in ways you wouldn't want your personal data monitored, it would be prudent to avoid accessing personal data (1Password or otherwise) on such a device.
Ben
0