Migrating from KeepassXC, running into issues and questions

autostatic
autostatic
Community Member

Hello! At work we have to migrate from KeepassXC to 1Password but I'm running into some issues and have some questions. I'm using Xubuntu 22.04.

Command handler
KeepassXC has the option to open applications and to use templating in the invocation of the command. Does 1Password support such a feature? KeepassXC uses the cmd:// handler for this but it looks like 1Password only supports https:// and https://?

Autofill
Apparently Autofill only works with browsers and nothing else on Linux? KeepassXC has an Auto-Type feature that allows you to fill in anything anywhere that also includes templating. Are there any plans to bring the autofill functionality to Linux?

Auto-lock
Unfortunately this feature does not work on my machine. When I lock my user session 1Password remains unlocked. This has been brought up before but still doesn't seem fixed. Any plans on looking into this? Glad to help out! Current situation won't make my CISO happy :(

Drag and drop
This doesn't seem to be supported when editing an item? It would be great if Add more - Attach a file when editing an item would not open a file window but a field where you could drag and drop your files. With a button beside it to search for files yourself which then opens a file window.

Custom secret key length
I seems like the secret key lenghth is fixed? Would be great if you could use your own (larger) secret keys.

Thanks in advance for any answers or information!


1Password Version: 8.10.6
Extension Version: Not Provided
OS Version: Xubuntu 22.04
Browser:_ Not Provided

Comments

  • autostatic
    autostatic
    Community Member

    The following schemes seem to be supported:

    • http
    • https
    • ssh
    • ftp
    • sftp
    • smb

    Or are there more schemes that are supported? As in, schemes that show more than just Copy and that actually try to open a location.

  • Hey @autostatic, I apologize for our delayed response here. I'll be happy to address the questions/issues you have regarding 1Password for Linux.

    Command handler
    KeepassXC has the option to open applications and to use templating in the invocation of the command. Does 1Password support such a feature? >KeepassXC uses the cmd:// handler for this but it looks like 1Password only supports https:// and https://?

    1Password for Linux supports opening network locations (FTP, SSH, SMB) but not a command handler as you've described.

    Autofill
    Apparently Autofill only works with browsers and nothing else on Linux? KeepassXC has an Auto-Type feature that allows you to fill in anything anywhere >that also includes templating. Are there any plans to bring the autofill functionality to Linux?

    Although 1Password in your browser (extension) can auto-fill fields while browsing the web, this is not something that can be done within desktop applications. We don't have any plans to share at the moment regarding such a feature.

    With that said, filling in applications can be made easier by using Quick Access. Quick Access lets you find any item you need without leaving the app you're working in. It remembers the items you use most frequently to give you relevant suggestions. Or, you can search for items across all of your accounts and collections. Check out this guide on how to use Quick Access to fill in apps: Get to know Quick Access.

    Auto-lock
    Unfortunately this feature does not work on my machine. When I lock my user session 1Password remains unlocked. This has been brought up before but still >doesn't seem fixed. Any plans on looking into this? Glad to help out! Current situation won't make my CISO happy :(

    This is a known issue with XFCE/xflock 4 (the script that handles XFCE locking sessions) not locking properly. Essentially 1Password is listening for the right type of call to lock but xflock4 is not notifying 1Password to lock. A possible workaround would be to remap Super+L to also activate the screensaver. This can be done by navigating to your Keyboard Settings > Application Shortcuts > edit the Super+L shortcut to the following: sh -c "xfce4-screensaver-command -a; xflock4"

    This should trigger the screensaver as well as the default locking behavior when using the Super+L shortcut. I found that it takes 2-5 seconds after the screensaver appears for 1Password to lock. I understand that this may not be an ideal solution but hopefully it's a viable workaround for the time being.

    Drag and drop
    This doesn't seem to be supported when editing an item? It would be great if Add more - Attach a file when editing an item would not open a file window but >a field where you could drag and drop your files. With a button beside it to search for files yourself which then opens a file window.

    I can certainly see how this could be a useful feature! While I can't make any promises, I'll be happy to pass this suggestions along as a feature request on your behalf to our product team.

    Custom secret key length
    I seems like the secret key lenghth is fixed? Would be great if you could use your own (larger) secret keys.

    The length of your Secret Key is fixed and can't be customized. If you're interested in learning more about Secret Key security, I would suggest checking out page 11 of our security whitepaper: 1Password Security Design

    I hope this helps. Let me know if you have any further questions.

  • autostatic
    autostatic
    Community Member

    Hey @autostatic, I apologize for our delayed response here. I'll be happy to address the questions/issues you have regarding 1Password for Linux.

    Thanks for your time, much appreciated!

    1Password for Linux supports opening network locations (FTP, SSH, SMB) but not a command handler as you've described.

    Ah bummer. I think there are ways to make this work anyway, i.e. with a custom URL and maybe a custom browser extension that filters requests to this custom URL and does something with data being sent along.

    Although 1Password in your browser (extension) can auto-fill fields while browsing the web, this is not something that can be done within desktop applications. We don't have any plans to share at the moment regarding such a feature.

    Ok, good to know. But also here I think it should be possible to cook up something like described above and then do something smart with xdotool and window id's.

    With that said, filling in applications can be made easier by using Quick Access. Quick Access lets you find any item you need without leaving the app you're working in. It remembers the items you use most frequently to give you relevant suggestions. Or, you can search for items across all of your accounts and collections. Check out this guide on how to use Quick Access to fill in apps: Get to know Quick Access.

    Thanks for the link! Quick Access is not really an option for me though, it would mean I'll have to copy and paste dozens of times when working. And my workflow is very much keyboard centered so using Quick Access would be quite an adaptation.

    This is a known issue with XFCE/xflock 4 (the script that handles XFCE locking sessions) not locking properly. Essentially 1Password is listening for the right type of call to lock but xflock4 is not notifying 1Password to lock. A possible workaround would be to remap Super+L to also activate the screensaver. This can be done by navigating to your Keyboard Settings > Application Shortcuts > edit the Super+L shortcut to the following: sh -c "xfce4-screensaver-command -a; xflock4"

    This should trigger the screensaver as well as the default locking behavior when using the Super+L shortcut. I found that it takes 2-5 seconds after the screensaver appears for 1Password to lock. I understand that this may not be an ideal solution but hopefully it's a viable workaround for the time being.

    Awesome, thanks!! Going to implement that right away. Or maybe switch DE's because I have my gripes with XFCE.

    I can certainly see how this could be a useful feature! While I can't make any promises, I'll be happy to pass this suggestions along as a feature request on your behalf to our product team.

    That's OK, thanks! For some applications and services we have to store multiple files with sensitive data and it would be great to be able to just select those and drag and drop them into 1Password.

    The length of your Secret Key is fixed and can't be customized. If you're interested in learning more about Secret Key security, I would suggest checking out page 11 of our security whitepaper: 1Password Security Design

    I'll check out the white paper, thanks. The drawback of a fixed key length is that an attacker already knows the length and structure of such a key. But then it's not optional which is already a good thing.

  • You're most welcome @autostatic, I'm glad I was able to answer your questions.

    Thanks for the link! Quick Access is not really an option for me though, it would mean I'll have to copy and paste dozens of times when working. And my workflow is very much keyboard centered so using Quick Access would be quite an adaptation.

    Quick Access allows you to use keyboard shortcuts. For instance, you can quickly copy and paste a username and password by using Ctrl+C to copy the username and Ctrl+Shift+C to copy the password. With that said, I understand if this still doesn't fit your workflow but just wanted to mention it incase it helps!

    Let me know if you have any further questions!

    Ali

  • autostatic
    autostatic
    Community Member

    Hello @AliH1P, thanks for the heads up. In the meanwhile I've cooked up a very crude command handler by running a small Flask app on port 5000. The Flask app renders a form with some small Javascript that autosubmits the form with a POST request. I have 1Password autofill that form to http://localhost:5000/ and with the help of Jinja2 the Flask app renders a working command from the form data which is then being executed by the subprocess module. Another option would be to create my own Firefox extension and use the native messaging possibilities to try interacting with the 1Password extension. Maybe something for the future.

    Also, after doing a clean Xubuntu install 1Password now properly locks when I lock te screen. I think that with the other install with the non-locking 1Password I did something with the screensaver that caused 1Password to not lock on locking my screen.

  • Hey @autostatic, you're most welcome. That's certainly an interesting solution!

    Regarding Xubuntu unlock, perhaps a recent OS update may have resolved things as I can reproduce the issue on my current Xubuntu VM where settings are mostly default. In any case, I'm glad to hear everything is working with a clean install!

    Let me know if there's anything else we can help with.

    Ali

  • autostatic
    autostatic
    Community Member

    Hello @AliH1P, you're right, when locking the screen 1Password does not lock. It only locks when the screensaver gets activated so for XFCE you indeed really need the command you proposed.

  • Hey @autostatic, thanks for the update. Hopefully the command will suffice as a workaround for the time being.

  • autostatic
    autostatic
    Community Member

    Repository for the command handler: https://codeberg.org/autostatic/1password-command-handler

    Bear in mind this is a hacky and crude implementation. It might work for others but it could also blow up in your face (i.e. there's zero input checking) or simply fail.

  • autostatic
    autostatic
    Community Member

    I've added a keyboard shortcut wrapper kbd_shortcut.py that can be set as a command for a keyboard shortcut in your WM or keyboard settings. And yes, it's just as crude as the command handler.

    It works by generating a list of all entries and attempting to find a match between the active window name and the 1Password item title. It then checks if there is a "command" field, fetches it and outputs it in the active window. If there's no "command" field it will output the "password" field.

    Better would be if the command would check for a "window_name" field and match against that but this is where 1Password loses out to a local vault solution like KeepassXC, it would make the command horribly slow as it would have to fetch all "window_name" fields until a match is found. Or maybe I could try something with tags, that's metadata which is fast to pull in.

This discussion has been closed.