If data are e2ee, then how does item sharing work?
My understanding is that the 1Password.com database is end-to-end encrypted. That is, no one can access the data unless they have the encryption key and password. I am wondering how 1P handles the case when sharing items through the 1P.com sharing feature (where you can share a link to an item with someone). I presume the items being shared are moved/copied to another database that is not end-to-end encrypted (but hopefully encrypted at rest?) so you can enable sharing?
Can you please elaborate exactly on how this works and be a little transparent about what happens when:
1. Choosing to share a specific item (is it moved/copied to a shared database?).
2. What happens when we stop sharing that item (if it was copied to a shared database, is it deleted from there?)
3. How are the shared data protected at rest?
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Browser: Not Provided
Comments
It is explained in more detail starting on page 24 here:
https://1passwordstatic.com/files/security/1password-white-paper.pdf
Hey there @raphaelcp
As @m33x mentioned (thank you!), we cover this in our Security White Paper, but you can find specific information about item sharing here:
☞ About the security of sharing items using a unique link
In short, to answer your three questions:
- Choosing to share a specific item (is it moved/copied to a shared database?).
Your original items are not shared. When you share an item using a unique link, a copy of the item is created, with the password history removed. Only the copy is shared, not the original item.
If you change an item’s details after you’ve already shared a copy, your changes won’t be shared unless you share the item again.
- What happens when we stop sharing that item (if it was copied to a shared database, is it deleted from there?)
Your shared items are end-to-end encrypted. When you share an item using a unique link, the item is encrypted at rest and in transit. All encryption is performed on your device, and all decryption is performed on the device of the recipient:
- 1Password generates a random share secret on your device.
- A copy of your 1Password item is encrypted with that share secret and uploaded.
- 1Password creates a URL from a link to the encrypted item and share secret.
- You share the URL with someone.
The share secret is never sent to the server, so no one at 1Password can decrypt the item. If you stop sharing an item before it's due to expire, the encrypted copy on the sharing server is destroyed.
- How are the shared data protected at rest?
Your shared items are securely stored on a dedicated server. When you share an item using a unique link, an encrypted copy of the item is stored securely on a dedicated server in Frankfurt, Germany. The server is only used for this purpose and does not store any other 1Password data.
I hope that answers your questions fully, but please do let me know if I can be of any further help. :)
— Grey