
Home directory hosted using NFS mount in corporate environment

Fooligan
Community Member
edited December 2022 in Linux

Should I be concerned using 1Password 8 on my Linux workstation at work since our homes are mounted NFS directories? I understand their reason to have a single home so that it is shared across all servers and VMs. But, I am concerned that my secret key is now saved (with a long history of snapshots) in the corporate NetApp.

I was poking around and I can see that there is some information in the SQLite DB ~/.config/1Password/1password.sqlite.


Comments

  • PeterG_1P

    Team Member

    Thanks for this question, @Fooligan. I'm going to reach out to some of our specialists here to discuss the security implications of the situation you've described. I'll hope to have more for you shortly. Thank you for the chance to address this!

  • Fooligan
    Community Member

    Thanks @PeterG_1P. Let me know if you need more details.

  • AliH1P

    Team Member

    Hey @Fooligan, thanks for your patience. We've discussed this internally and ultimately we recommend against using 1Password in such an environment.

    To elaborate, let's take a step back to a higher-level view. 1Password uses a couple key ingredients to protect your data:

    1. Your account password - this protects you against attackers who might gain access to your device. If they don't have the password and can't crack it, they can't get in. This is why a strong password is important.

    2. Your Secret Key - this protects you against attackers elsewhere. For example, if someone tried to access your 1Password.com account and used some kind of automated password-guessing software against our servers, it actually wouldn't matter if they successfully guessed your password. That's because we only unlock your data when your password is combined with your Secret Key, and guessing the combination of these things together is incredibly difficult to do. About your Secret Key.

    With this in mind, this security model is only effective while 1Password is used on a secured device. Since your 1Password files including your Secret Key are available on a network, it adds additional risk to your account. For instance, if your corporate network was subject to an attack and a malicious actor gained access to your 1Password data, they could potentially brute force your account password to view your data. Additionally, you mentioned snapshots which could potentially allow someone to restore and gain access to your data that way.

    I'm not very familiar with NetApp but if it was possible to exclude the ~/.config/1Password/1password.sqlite that may help alleviate some security risk. Overall, I believe your concern was definitely warranted and we recommend against using 1Password in this type of environment.

    Let me know your thoughts or if you have any further questions.

    Ali

  • Fooligan
    Community Member

    Hi @AliH1P,

    Thanks for the thoughtful reply and I agree with your conclusion. I am glad that I asked the question. NetApp is a software and hardware appliance that is hosted locally at our site and provides highly available network attached storage. It can be configured for all types of storage needs. As you mentioned, I do not want to trust my 1Password data at rest in that system.

    At the same time, I have a lot of important data in 1Password that I don't want to lose access to.

    OPTION 1: I could create a local home directory for my user account in /home.local/my_username. I could then create a 1Password folder in that location with permissions of 700. I could then symlink that location to /home/my_username/.config/1Password. The NetApp should see that as a broken symlink since it is across filesystems. That way it would not save any data in that directory. Do you think that would work? Are there any other locations in my home directory that would expose my 1Password data?

    OPTION 2: A more nuclear option is to use a purely local account where my home directory is fully in /home.local. But, that would break my current development workflow. I am sure I could find workarounds though.

    Thanks again.

  • Fooligan
    Community Member

    UPDATE

    OPTION 1 will not work. They have a local service installed that does the snapshots. So, it is able to follow the symlink.

    OPTION 2 seems to be the only viable path if I want to safely use 1Password. Darn.

  • Fooligan
    Community Member

    UPDATE 2

    I take it back on OPTION 1. It actually did work. I can see that the snapshot directory only has a reference to the symlink and not the actual data. Logging into another system shows that the link is broken.

    So, I am wondering if you think OPTION 1 is a viable solution?

    Thank you!

  • GreyM1P

    Team Member

    @Fooligan

    I don't have much experience with NetApp (or having my ~ folder on a share, for that matter), but based on my experience with Linux and UNIX-based systems, I don't immediately see any major problems with this. As long as you're using symlinks and not hard links, this looks like it'll work. I'd be really interested to hear about your experience with this, so could you let us know how it works out for you? It may help us advise other customers too, particularly in business settings.

    As always, make sure you keep good backups of anything critical in case you have to roll back, but you can be assured that your 1Password data will always be backed up to 1Password.com for safekeeping.

    I'd love to hear how you get on, if you decide to give this a go. We'll be here if you need any help at any time. :)

  • Fooligan
    Community Member

    Hi @GreyM1P

    Short story: This solution is working as expected. My ~/.config/1Password data directory is not available on any systems other than my personal Linux workstation. I am now comfortable that logging out of 1Password clears my data off of the device.

    Environment Summary

    1. Most users are issued a managed Dell Windows PC. As a developer, I requested a Linux workstation in addition to the standard Windows client. I am granted sudo access to the workstation so that I can maintain it and install what I need to do my job.
    2. Every user has admin privileges on their client Windows PCs, but all software is strictly scanned to enforce security policy. In this case, the standard 1Password install is sufficient (and not blocked) since all account data is local to the device.
    3. Every user has a Linux account so that they can login to a grid of Linux servers.
    4. All of the home directories for the Linux accounts are NFS mounted. This is a convenience so that you can access your ~ data no matter the system you are logged into. This also includes personal Linux workstations like mine. The standard 1Password install is not recommended (based on this discussion) for desktop environments.
    5. All Linux accounts have 2 weeks of snapshot protection for their home directories that resides in ~/.snapshots.

    Solution

    1. Log out of 1Password, quit the application, and remove /home/username/.config/1Password.
    2. Create a new 1Password data directory on the local file system outside of /home (I chose /home.local/username/1Password).
    3. Symlink: ln -s /home.local/username/1Password /home/username/.config/1Password.
    4. Open 1Password and log in.
    5. All of the 1Password data now lives in /home.local/username/1Password.

    Local 1Password Data Directory

    [email protected]:/home.local/username$ ls -l          
    total 8
    drwx------ 13 username group 4096 Dec 16 16:31  1Password
    

    NFS 1Password Data Directory

    [email protected]:~/.config$ ls -l 1Password
    lrwxrwxrwx 1 username group 30 Dec 16 16:20 1Password -> /home.local/username/1Password
    

    Snapshot Structure

    [email protected]:~/.snapshot$ ls
    daily.2022-12-11_0010  daily.2022-12-15_0010   hourly.2022-12-17_0805  hourly.2022-12-17_1205  weekly.2022-12-11_0015
    daily.2022-12-12_0010  daily.2022-12-16_0010   hourly.2022-12-17_0905  hourly.2022-12-17_1305
    daily.2022-12-13_0010  daily.2022-12-17_0010   hourly.2022-12-17_1005  hourly.2022-12-17_1405
    daily.2022-12-14_0010  hourly.2022-12-17_0705  hourly.2022-12-17_1105  weekly.2022-12-04_0015
    

    Local Snapshot Data Directory

    [email protected]:~/.snapshot/daily.2022-12-17_0010/.config$ ls -l 1Password
    lrwxrwxrwx 1 username group 30 Dec 16 16:20 1Password -> /home.local/username/1Password
    

    Other System Snapshot Data Directory

    [email protected]:~/.snapshot/daily.2022-12-17_0010/.config$ ls -l 1Password
    lrwxrwxrwx 1 username group 30 Dec 16 16:20 1Password -> broken_link
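    A scripted version of the relocation and of the checks shown in this post, added here as an example (it is not from the original thread and not 1Password's own tooling). It assumes GNU coreutils `stat`, takes the home and local data paths as arguments, and refuses to touch an existing real data directory so that the log-out-and-remove step happens first.

```shell
#!/bin/sh
# relocate_1password_data <home_dir> <local_dir>
# Point <home_dir>/.config/1Password at <local_dir> so the NFS-homed share
# (and its snapshots) only ever stores a symlink, never the SQLite data.
relocate_1password_data() {
  r_home="$1"; r_local="$2"; r_link="$r_home/.config/1Password"
  # A real directory here means 1Password is still logged in there: refuse,
  # the user must log out and remove it first (step 1 of the procedure).
  if [ -e "$r_link" ] && [ ! -L "$r_link" ]; then
    echo "refusing: $r_link is a real directory; log out and remove it first" >&2
    return 1
  fi
  mkdir -p "$r_home/.config" || return 1
  mkdir -p "$r_local" && chmod 700 "$r_local" || return 1   # 0700 like the post
  rm -f "$r_link" 2>/dev/null                                # drop a stale/broken link
  ln -s "$r_local" "$r_link" || return 1
  verify_1password_link "$r_home" "$r_local"
}

# verify_1password_link <home_dir> <local_dir>
# 0: link correct, target 0700 and on a different filesystem than home.
# 2: link correct but target is on the same filesystem as home, i.e. the
#    data would still be inside the share and its snapshots.
verify_1password_link() {
  v_home="$1"; v_local="$2"; v_link="$v_home/.config/1Password"
  [ -L "$v_link" ] || { echo "not a symlink: $v_link" >&2; return 1; }
  [ "$(readlink "$v_link")" = "$v_local" ] || { echo "wrong target" >&2; return 1; }
  v_mode=$(stat -c %a "$v_local") || return 1
  [ "$v_mode" = "700" ] || { echo "mode $v_mode on $v_local, want 700" >&2; return 1; }
  if [ "$(stat -c %d "$v_home")" = "$(stat -c %d "$v_local")" ]; then
    echo "warning: $v_local shares a filesystem with $v_home" >&2
    return 2
  fi
  return 0
}

# snapshot_holds_only_link <snapshot_root>
# Mirrors the 'ls -l 1Password' check above: in a snapshot (or on another
# host) the entry must be the symlink itself, not a directory full of data.
snapshot_holds_only_link() {
  s_entry="$1/.config/1Password"
  [ -L "$s_entry" ] && return 0          # only the link was captured
  if [ -d "$s_entry" ]; then
    echo "snapshot $1 contains real 1Password data" >&2
    return 1
  fi
  return 0                               # nothing captured at all
}
```

    Run `relocate_1password_data "$HOME" /home.local/$USER/1Password` after logging out, then `snapshot_holds_only_link ~/.snapshot/<name>` once the next snapshot has been taken.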
    
  • AliH1P

    Team Member

    Hey @Fooligan, thanks for your in-depth response! I'm glad to hear you've found a solution that works for you 😄

    After some further internal discussion regarding this topic, I wanted to bring up an additional point. Our general recommendation is to only use personal 1Password accounts on devices that you actually own. Ultimately, there is always going to be added risk when using your personal account on a work device as we can't be sure what your workplace has access to on your work device.

    If you're comfortable with that, it sounds like you've found a working solution to mitigate the initial concerns you had.

    Let me know if you have any further questions!

    Ali

  • Fooligan
    Community Member

    Thanks @AliH1P,

    Understood. I wish that our company provided better tools to manage secrets, but there isn't anything officially supported.

  • AliH1P

    Team Member

    You're most welcome @Fooligan! I understand how that can make things difficult but I'm glad you were able to find a solution that works for you.

    Don't hesitate to reach out if you ever have any questions 😄

    Ali
