changing encryption key and password

cyberhck
Community Member

I'm using 1password, but I'd feel more safe using it if I understood a bit more about it.

I'm aware of multiple questions already; I did a search, but most of them seemed outdated.

Let's say I created a new application, set a good password and got an encryption key (which is called secret key).

Is this actually an encryption key? Or does this key encrypt another key on your end? If so, how does the remote password protocol come into play?

From what I understood, when I try to get my vault items, I need to provide my password and secret key (but none of them really leave my computer), is my password also used when encrypting my data? Because last time I checked, changing password didn't change my secret key, which means that password can't be a password to my encryption key.

Now what happens when I change my password? Is the data decrypted and then encrypted with new combination?

How do I change my encryption key if I suspect it might have been compromised? How would this work? Is there a button to do this which basically decrypts, creates a new secret key and encrypts everything? Or do I have to recreate the entire vault by exporting passwords?

Are there any technical details somewhere I can read so I can feel safer using 1Password?

For now only worry of mine is: https://1password.community/discussion/124767/how-to-verify-your-frontend-application and this thread.


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Referrer: forum-search:changing encryption key

Comments

  • [Deleted User]
    Community Member
    edited November 2021

    @cyberhck Each vault has a randomly generated vault key which is used to encrypt the items in that vault. Each user has a public/private key pair which is used to give access to the vaults to which they require access.

    The vault keys for each vault to which they have access are encrypted with their public key and saved in their 1Password account. Their private key is encrypted with their Key Encryption Key and saved in their 1Password account.

    When you log in to your 1Password account the Secure Remote Password protocol is used to confirm to your client app that it's the legitimate server and to confirm to the server that you have the Secret Key and Account Password. It also sets up an encrypted tunnel within the existing HTTPS connection which is used to transfer your encrypted vaults, the vault keys encrypted with your public key and your private key encrypted with your Key Encryption Key.

    Your local client app uses your Secret Key and Account Password to generate your Key Encryption Key and decrypt your private key. It then uses your private key to decrypt the vault keys.

    Changing your account password doesn't rotate your Secret Key, your public/private key or any vault keys. You can separately change your Secret Key if you think it has been compromised. If you are part of a 1Password Family or Team then you can ask a Family Organizer to recover your account and this will rotate your public/private key.

    https://1password.com/files/1Password-White-Paper.pdf

    All of this relies on the 1Password servers and client apps working as described in the White Paper. 1Password cannot protect you from malware on your device, but it's critical that they maintain control of the client software downloaded by your device to prevent supply chain type attacks. Others can perhaps respond on how that is achieved on various platforms.
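    The key hierarchy described in the comment above, as an added worked example that is not part of the original thread and not 1Password's code: a vault key encrypts the items, the vault key is wrapped with the user's public key, the private key is wrapped with a Key Encryption Key derived from the Account Password and the Secret Key, and changing the password or the Secret Key only re-wraps the private key. Everything below is a toy model in Python's standard library: the symmetric cipher is an HMAC-based stream cipher with an HMAC tag (a stand-in for a real AEAD), the key pair is textbook RSA over two fixed Mersenne primes (a stand-in for a padded RSA scheme from a vetted library), and the derivation parameters, the `A3-...` Secret Key string and the vault items are constructed for the demo. SRP is not modelled; it is the step that proves possession of both secrets to the server without sending them.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass

# ---- toy symmetric AEAD (HMAC keystream + HMAC tag); stand-in for AES-GCM ----
def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def sym_encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def sym_decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered data")   # wrong KEK ends up here
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

# ---- toy key pair: textbook RSA on fixed Mersenne primes (insecure, demo only) ----
P, Q, E = 2**521 - 1, 2**127 - 1, 65537
N = P * Q
KEY_BYTES = (N.bit_length() + 7) // 8                      # 81 bytes
PRIVATE_KEY = pow(E, -1, (P - 1) * (Q - 1)).to_bytes(KEY_BYTES, "big")

def pub_wrap(key32: bytes) -> int:                          # "encrypt with public key"
    return pow(int.from_bytes(key32, "big"), E, N)

def priv_unwrap(private_key: bytes, wrapped: int) -> bytes: # "decrypt with private key"
    return pow(wrapped, int.from_bytes(private_key, "big"), N).to_bytes(32, "big")

# ---- two-secret key derivation: Account Password and Secret Key -> KEK (toy params) ----
def derive_kek(password: str, secret_key: bytes, salt: bytes) -> bytes:
    pw_part = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)
    sk_part = hmac.new(secret_key, salt, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(pw_part, sk_part))  # both secrets needed

@dataclass
class AccountRecord:
    """What the server stores: only ciphertext and a salt."""
    kdf_salt: bytes
    wrapped_private_key: bytes   # private key encrypted with the KEK
    wrapped_vault_key: int       # vault key encrypted with the public key
    vault_items: list            # items encrypted with the vault key

def create_account(password: str, secret_key: bytes, items: list) -> AccountRecord:
    vault_key = secrets.token_bytes(32)
    salt = secrets.token_bytes(16)
    kek = derive_kek(password, secret_key, salt)
    return AccountRecord(
        kdf_salt=salt,
        wrapped_private_key=sym_encrypt(kek, PRIVATE_KEY),
        wrapped_vault_key=pub_wrap(vault_key),
        vault_items=[sym_encrypt(vault_key, it.encode()) for it in items],
    )

def unlock(rec: AccountRecord, password: str, secret_key: bytes) -> list:
    """Client-side unlock chain: KEK -> private key -> vault key -> items."""
    kek = derive_kek(password, secret_key, rec.kdf_salt)
    private_key = sym_decrypt(kek, rec.wrapped_private_key)   # raises on bad creds
    vault_key = priv_unwrap(private_key, rec.wrapped_vault_key)
    return [sym_decrypt(vault_key, blob).decode() for blob in rec.vault_items]

def rotate_credentials(rec: AccountRecord, old_pw: str, old_sk: bytes,
                       new_pw: str, new_sk: bytes) -> AccountRecord:
    """Change the password and/or Secret Key: only the private key is re-wrapped.
    Vault keys, the key pair and every encrypted item are untouched."""
    old_kek = derive_kek(old_pw, old_sk, rec.kdf_salt)
    private_key = sym_decrypt(old_kek, rec.wrapped_private_key)
    new_salt = secrets.token_bytes(16)
    new_kek = derive_kek(new_pw, new_sk, new_salt)
    return AccountRecord(new_salt, sym_encrypt(new_kek, private_key),
                         rec.wrapped_vault_key, rec.vault_items)

if __name__ == "__main__":
    sk = b"A3-CONSTRUCTED-SECRET-KEY"                       # constructed, not a real key
    rec = create_account("correct horse", sk, ["login: alice", "note: rotate me"])
    print(unlock(rec, "correct horse", sk))
    rec2 = rotate_credentials(rec, "correct horse", sk, "new password", sk)
    print("vault ciphertext unchanged:", rec2.vault_items == rec.vault_items)
    print(unlock(rec2, "new password", sk))
```

The point the example makes concrete is the one the comment states: after `rotate_credentials` the stored `wrapped_vault_key` and `vault_items` are byte-for-byte identical, so a password or Secret Key change costs one small re-wrap rather than re-encrypting every item, and an attacker who held the old credentials can no longer open the new `wrapped_private_key`.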

  • Thanks to rootzero for the assist! :smile:

    Let us know if you have any further questions @cyberhck.
