Has backup been added to v8 macOS?

neil_laubenthal
neil_laubenthal
Community Member

Has the ability to make an encrypted and automated backup to a location of my choice that was in v7 (macOS) been restored to v8…and if not when can we expect this to happen?


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Browser:_ Not Provided
Referrer: forum-search:Backup in version 8

Comments

  • Hello @neil_laubenthal! 👋

    When it comes to backups of 1Password account vaults, 1Password 8 works the same way that 1Password 7 did: all of your data is backed up automatically to 1Password.com. Even if you lose all of your devices you can still find all of your items when you log in to your 1Password account on 1Password.com.

    You can even restore previous versions and accidentally deleted items: View and restore previous versions of items

    an encrypted and automated backup to a location of my choice that was in v7 (macOS)

    Those backups would have only included data that was saved in any old standalone vaults that you might have still been using, and not data stored in your 1Password account vault which is already backed up to 1Password.com 🙂

    -Dave

  • neil_laubenthal
    neil_laubenthal
    Community Member

    Yes…I know y’all claim that your backup is the only one that is needed…but that is a dumb claim for a security company to make. The ability to backup and restore an encrypted automated backup to my local drive will prevent me and many others from ever upgrading to v8…and will result in us using a different product when/if v7 stops being supported. The company’s trust us, we are smarter than you’ attitude is dumb. Look what happened to LastPass…and realistically the same or similar could happen to your company and leave users with no data. How do we recover when some catastrophic event corrupts your copy of the database, syncs it to all devices so users have no data, and takes your servers offline for some undetermined time? Without a local backup copy we can restore independent from ypu…users will be screwed. But apparently…your management thinks this is a great idea.

  • neil_laubenthal
    neil_laubenthal
    Community Member

    Those of us with standalone vaults have been doing local encrypted automated backups for years…and that is gone now…and the company has yet to answer the question of whether and when they will be returning.

  • Dave_1P
    edited October 28

    @neil_laubenthal

    Thank you for the feedback.

    How do we recover when some catastrophic event corrupts your copy of the database, syncs it to all devices so users have no data, and takes your servers offline for some undetermined time?

    In addition to the offline local copy of your data that the 1Password 8 app maintains on each of your individual devices, your encrypted data is also replicated to redundant copies on our end to guard against corruption or any data loss. The current system is setup to protect most users from catastrophe far better than the old standalone vault backup system since it keeps a versioned copy of your encrypted items in an offsite location that isn't vulnerable to local disaster or drive failure and it doesn't require folks who may not be technically savvy to understand how local backup/restore works.

    That being said, I can definitely understand why someone who is technically skilled would like to have the ability to create a local encrypted backup as an additional precaution. While I don't have any news to share about such as feature I've passed along your request to the product team.

    For now, if you use a backup service like Apple's Time Machine, your 1Password 8 local cached data will be backed up in your Time Machine backup as well. This may not include all files or Document items. It's what I personally use. To restore your data from a Time Machine backup (or another full disk backup) you can drag and drop the following folder from the Time Machine backup to your Mac:

    ~/Library/Group Containers/2BUA8C4S2C.com.1password/Library/Application Support/1Password/Data

    I hope that this helps as a potential option for now. 🙂

    -Dave

    ref: PB-31481068

  • neil_laubenthal
    neil_laubenthal
    Community Member

    Dave, is that copy in ~\Library fully encrypted or does TM now have n unencrypted copy of the vaults…seems like the latter would be a tremendous security bust…so is it encrypted and the only unencrypted copy is in RAM? And…if the Library copy is fully encrypted…how can the ability to specify an automated copy someplace not be in the app since the encrypted copy is already on my machine? Like you…I use TM but I also have several other backup schemes running and obviously the ability to have multiple backup copies for versioning would be excellent. If the local copy is encrypted on disk…then using CCC or any sync/backup program would provide the backup some users want…but if so why isn’t this generally advertised by the company. You take a lot of hits here for the no backup thing…and I understand hiding some of the tech from less savvy users…but this is the first time I’ve seen this location mentioned…and as I said if it’s encrypted on disk and copyable by whatever running as admin credentials then there is at least some semblance of a backup for those of us that want it

  • Dave_1P
    edited October 28

    @neil_laubenthal

    The folder that I mentioned in my previous post holds the encrypted local database that contains all of your cached items. It's not a backup copy of your local data, it's the offline locally cached database itself for the 1Password 8 app. When you unlock 1Password 8 the contents of that local encrypted database are indeed loaded into memory so that they can be used. When you lock 1Password 8 they're removed from memory.

    but if so why isn’t this generally advertised by the company. You take a lot of hits here for the no backup thing…and I understand hiding some of the tech from less savvy users…but this is the first time I’ve seen this location mentioned…

    1Password.com is designed to be the automatic backup that protects users without them having to manually setup a third-party backup service (like Time Machine or Carbon Copy Cloner) and then having to move around files in the Group Containers folder. 1Password.com also handles backup whether you're using a Mac, iPhone, Windows PC, Android, Chromebook, or other device. It's one of the big selling points of a 1Password membership over the older standalone license model: you no longer need to worry about keeping your own backups.

    However, if you personally do need a local backup then making sure that the folder that I specified is part of your Mac's full disk backup is an option. 🙂

    -Dave

  • neil_laubenthal
    neil_laubenthal
    Community Member

    So…just to make sure I understand completely…the 'official' or 'master' copy of the vault lives on the 1PW servers and is manipulated real time by whatever changes I make on whatever device I'm using…but that an offline encrypted copy exists on every device synced to that 1password.com account and is located in Library. And if I make a change in my vault that change appears first on the 1PW server copy and is then immediately synced to all my other devices offline cached copy including the one I'm currently using? And…if for some reason I make a change on my device while it is offline for some reason…that change gets synced back to the 1PW server on resumption of connectivity and then synced to my other devices. I don't see much of a distinction between a "offline locally cached database" and "a copy of the database which might be called a backup"…but in the aggregate, am I correct in assuming that if I use TM or CarbonCopyCloner or whatever to sync this Library locally cached copy to some other location with versioning then I'll have what is essentially a backup copy of the entire database every hour or day or however often the sync process runs. Then say that 1PW server is offline for some reason for a week following a database corruption on your end (unlikely I know but bear with me) that was synced to my device before the database went offline…resulting in no data on my device. I could then import the copy my sync process made to another location back into 1PW on my device and continue along with my now unsynced vault. Then at some point the 1PW server corruption is restored and it is back online…my device would sync with the new presumably older copy on the server and changes would go both ways until the server matched what was on my device…then the server would sync the now updated server copy of the vault to all my other devices.

    Yeah…the backups the company has in place are probably adequate…but since password vault data is the most critical thing we have it's vital to be able as the user to restore without any access to 1password.com.

    To restore, I would just need to import the aforementioned since process copy to my device (in the absence of 1password.com still)…does that require both Master Password and Secret Key?

    Do I have all that right…following the above process I can make my own additional backups and then restore them if necessary in the absence of 1password.com and then whenever it was again available with whatever backup copy of the vault that was restored on your end and changes would sync back and forth between that new 'master copy' and my device and thence to my other devices? That really seems like a local backup and restore capability to me…and while I agree that the likelihood of needing to do so is extremely unlikely…it's still possible and the old IT security guy in me believes in being able to bootstrap myself from as close to nothing as possible back to full operation.

  • @neil_laubenthal

    When you edit or create an item using the 1Password for Mac app that item is saved to the local database, encrypted, and then synced to 1Password.com and then from there to your other devices. This process occurs instantly and invisibly. If you restore a old copy of the local offline database from an old Time Machine backup then it will sync with 1Password.com as soon as you connect that Mac to the internet.

    To restore, I would just need to import the aforementioned since process copy to my device (in the absence of 1password.com still)…does that require both Master Password and Secret Key?

    You'll be prompted for your account password, which protects your data locally, to unlock 1Password and decrypt your data.

    -Dave

  • neil_laubenthal
    neil_laubenthal
    Community Member

    Thanks…that removes my major objection to v8. Since the local copy is encrypted only with the Master Password and not the Secret Key…why is there not a backup schedule and restore option in the app to some local destination…and why can’t DropBox or iCloud be used? I know the company’s position is now the Secret Key is so much better…but as a practical matter it provides little additional actual security over Master and a strong DropBox password…so offering both options to users seems like an obvious feature to have…even if a subscription is required since the app is no longer for sale. Offering both storage options would increase flexibility to the users and while I can see the company thinking the Secret Key is better…frequently better is the enemy of good enough

  • @neil_laubenthal

    An easy way to think about the account password and the Secret Key is as follows:

    • The account password protects your data on your devices.
    • The Secret Key protects your data off your devices.

    Old standalone vaults did indeed allow you to use Dropbox or iCloud to store your data with a single password but modern 1Password account vaults are much more secure since they're protected using both your account password and Secret Key. A regular user's password is usually about 40 bits of entropy (a measure of how strong a password is) because passwords need to be memorized, this puts a ceiling on the security of an old standalone vault. On the other hand, the Secret Key (which does not have to be memorized) has 128 bits of entropy which makes it impossible to guess or crack using today's technology.

    You can read more about the way that the Secret Key protects your data against brute force and other attacks here: About your Secret Key

    The Secret Key is also the reason why 1Password is more secure than other password managers: How 1Password Keeps Your Data Safe, Even In the Event of a Breach

    -Dave

  • suffice
    suffice
    Community Member

    @Dave_1P

    As an interested by-stander, I am not-at-all trying to be snarky. What I write below is based on what has been stated earlier in this thread. If I am misinterpreting, please correct and help me to better understand. And no, I am not trying to pin down anything or anyone for the sake of arguing (I am not smart enough to do that anyway). I chose to use 1Password on its own merit, as best I could. I think it is a terrific product, and a terrific Team, and I have no plans to change. But these types of discussions make me curious, and reinforces the fact that it is my responsibility to be vigilant about the safety/security of my data.

    Quoting you: “For now, if you use a backup service like Apple's Time Machine, your 1Password 8 local data will be backed up in your Time Machine backup as well. It's what I personally use.”

    But what you stated begs the question: Why then should you want or even think of backing up your personal vault? You have spoken for the masses (and I assumed you were including yourself along with all othe rest of us), that 1Password has made it water-tight under all circumstances, for everyone. It now appears that you are actually agreeing with
    @neil_ laubenthal about the need to have your own local backup.

    Would you please provide more context for why you personally use a local backup? If you are doing that, makes me wander maybe I need to buy a computer (mobile only, here) to better protect myself, just in case, after all? Makes me wonder how many other 1Password Team members might be backing up locally as well?

    Confused.

  • @suffice

    I personally use Time Machine to back up my Mac which also incidentally happens to back up the 1Password app's local data since Time Machine is a full-disk backup solution. I didn't go out of my way to setup a backup specifically for 1Password.

    Since your 1Password account already backs up your data for you there's no need to setup another backup solution. I mentioned Time Machine for those who would like the option. 🙂

    -Dave

  • suffice
    suffice
    Community Member

    @Dave_1P

    Thank you. Makes perfect sense.

  • It's my pleasure, thank you for the questions. 🙂

    -Dave

  • suffice
    suffice
    Community Member

    @Dave_1P

    Going a bit further.

    To me, bitrot is possible and should not be ignored, regardless of where digital data is stored.

    I do not want to waste your time on a rabbit trail. I at least would like to briefly think out loud, try/keep it simple (I know enough to be dangerous and lacking substantive chops) and see if there are options to resolve or mitigate (in the extremely unlikely event of non-negotiable bitrot). I certainly am not claiming expertise at any level. I could be way off base. Please correct/simplify my errors/misunderstandings as needed.

    Example: What if Sign-in process “stops working” for a Login Item in 1Password account?

    I doubt if 1Password would pick up internal bitrot change (let alone the feasibility of its automatic updating the modification date). Even then, you would not know what changed (URL, username, password)?

    What could bitrot look like? I can only guess.

    • Unable to open the Login Item
    • Empty
    • Unprintable character(s)

    URL could easily be reconstructed. Username and password, not so easy.

    Beyond that, you have encrypted versioning (if that is enabled for AWS 1Password bucket) and/or Agilebits internal backups (I think I read that somewhere) of the universe of 1Password Accounts, neither of which (I don’t think) would help in this scenario of a specific Item. That would risk overlaying intended changes that you had made since the last backup. For same reasons, it seems that encrypted redundant backups would not help in this scenario.

    If using the macOS 1Password cached Vault(s), I’m thinking even TIme Machine would face the same problem (I am assuming the versions would be encrypted, too), and CCC backups too?
    Also, it seems that even if 1PEX were to eventually become reality, you would still be overlaying existing vault(s) along with the risk of overlaying intended changes since the last encrypted backup. Then too, I think I read that 1PEX would be usable only for exports to other password manager(s), so that might be a mute point.

    => It seems that the only feasible/semi-feasible recourses would be:

    1. For those with macOS, routinely extract 1PUX and build up inventory of dated versions to peruse in proper order. From what I understand, this would require MrC Converter Suite to convert to CSV files.

    2. For everyone (desktop and/or mobile), use Web Sign-in to your 1Password Account, looking for anomalies in the specific Login Item’s history in proper order. From my understanding, that process would be restricted by 1Password’s existing 1-year Time-to-Live policy for each Item History event. In order to offer a feasible recourse, it seems that the Time-to-Live policy would have to be abandoned in favor of unlimited events.

    Am I missing something (many things)? Thoughts?

    Thank you.

  • suffice
    suffice
    Community Member

    Correction to Point 2, at the bottom:

    “looking/beginning with the first instance of ‘correct looking’ Login Item’s history in most recent order”

  • @suffice

    Thank you for the reply. We maintain redundant copies and backups on our end to guard against any data loss or corruption. In addition, the servers that we use verify the integrity of encrypted user data using checksums to protect against issues such as "bit rot". Checksums allow for the detection of errors that may be introduced by the transmission or storage of data.

    We also invite regular audits of our infrastructure and security and maintain certifications such as SOC 2 to ensure that we're following industry best practices when it comes to protecting everyone's data: Security audits of 1Password

    -Dave

  • neil_laubenthal
    neil_laubenthal
    Community Member

    Dave…one final question on this one. Is there some technical reason that the currently existing backup capability in v7 that could be used to restore v7 vaults was taken out of v8…or is this one of those you're trying to make it easy for the user and remove a capability that you think is unnecessary but some user obviously think is necessary. I'm not being snarky either…and in reality you probably have redundant copies and multiple data centers on your end and if that's true then you've probably handled 99.99% of the capability to restore users…but removing a capability that would allow users to up that to 99.99999% seems tech savvy user unfriendly even if the company is convinced that users don't need to do their own backups and that it is removing a previously version feature/capability. That seems counterproductive unless the entire code base for v8 was rewritten from scratch.

This discussion has been closed.