Backup strategy for 1P vaults in a corporate environment
I'd like to hear about which backup strategies corporate users of 1Password have put in place, and also if the 1Password team can share some advice here.
I'm interested in protecting both against user mistakes/attacks leading to important secrets being lost (in personal or shared vaults) and against possible problems with 1Password itself (account being blocked for good or bad reasons, 1P losing data or having systems down).
I know that the 1Password app allows exporting a clear-text dump of secrets. But:
- Then, what to do with the clear-text file? Printing it (not very secure, and quite heavy esp. with long secrets such as SSH keys, etc), storing it in a cloud service probably with some strong encryption (but where/how to store the key.... if not in 1P), storing on local external storage (same question of encryption + possible compliance issue with the use of removal media storage).
- Each use is responsible for their own backup, which can be tedious (and introduce weaknesses) for non-tech savvy users, esp. if the process involve encrypting the resulting backup, etc.
Given these remarks, I would find the following feature very useful: the app should allow encrypting the backup file with a symmetric key derived from the user's 1P password + secret key. If the encryption (and key derivation) is strong enough, the resulting backup could be stored anywhere, even on a public cloud; its security would be similar to the 1P access itself (at a given point in time, minus 2FA). No way to revoke access to such existing backups if the secrets are leaked, but that's also the case for the current clear-text export! To make the backup usable in the long term, 1P should commit to providing a tool to allow users to decrypt such an export (providing the password + secret key) even if they don't have an active 1P subscription.
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Browser: Not Provided
Comments
-
Hello @afrisch! 👋
Thank you for reaching out! Your 1Password membership already includes automatic backups to your 1Password account in the cloud. If you, or your users, accidentally delete an item you can always restore it from your 1Password account on 1Password.com:
View and restore previous versions of items
Your encrypted data is replicated to redundant copies on our end as part of a continuous backup process to guard against any data loss.
If 1Password's service is down, or disappears completely, then the 1Password app on your user's devices features a local offline cache where they'll still be able to access their passwords. While the apps do include an export tool to allow you to take your data with you in case you decide to leave 1Password for another password manager, I don't recommend exporting your passwords as a backup method since that will remove them from the secure and encrypted environment of 1Password. Any exported copy of your passwords will be in plain text and so will be readable by anyone who views it. Exports also lack several features of a real backup system such as version control.
Let me know if you have any questions. 🙂
-Dave
0 -
Hello @Dave_1P,
Thanks for your reply and a reminder about this "View previous version" feature, which certainly covers some of the situations we had in mind. I'm trying to understand its limits...
To confirm: the feature is only available on the 1Password web interface, not in the 1Password app where only the more restricted "password history" is available (one cannot get the history of the username, or of SSH keys, etc). So assuming 1password.com is down (or disappears completely), then the local app would not be enough to retrieve the full history, right?
Also, there is a "Destroy permanently" button on deleted items. After using it, is there still a way to retrieve the history of the item? I assume not (that would contradict the label on the button), but it means that e.g. a rogue employee (or an employee whose PC got hacked), who has enough permissions can really delete an item with no way to get it back. Is my understanding correct?
And more deeply, both 1password redundant backups and the data in the 1password app are under the control of 1password. Perhaps it's a bit too theoretical, but if you get hacked, or if you have a bad bug somewhere, or if future management of your company decides to go crazy on commercial terms/attitude, 1password could end up deleting both the backups and the items in the connected apps, possibly at the same time, leaving users without an external backup with no way to recover their secrets. As long as it's about password that can be regenerated, it's ok, but for some kinds of secrets (for instance decryption keys for backups that need to be readable in many years), it doesn't sound crazy to look for (secure) ways to keep backups of vaults/items "outside" the control of 1password. (And again, the "Destroy permanently" feature means the horror scenario could happen without a problem on 1password's side at all.)
0 -
Thanks for the reply. We're currently testing item history in the latest beta versions of the 1Password desktop app:
You can now view item history and restore previous versions of items in the desktop apps.
If testing goes well in the beta then the team hopes to release the feature to the stable version of the desktop app as soon as possible.
Also, there is a "Destroy permanently" button on deleted items. After using it, is there still a way to retrieve the history of the item? I assume not (that would contradict the label on the button), but it means that e.g. a rogue employee (or an employee whose PC got hacked), who has enough permissions can really delete an item with no way to get it back. Is my understanding correct?
Correct, permanently deleting an item fully removes it from 1Password. You can control which of your employees have permission to edit or delete items in a particular vault: Create, share, and manage vaults in your team - Manage permissions
And more deeply, both 1password redundant backups and the data in the 1password app are under the control of 1password. Perhaps it's a bit too theoretical, but if you get hacked, or if you have a bad bug somewhere, or if future management of your company decides to go crazy on commercial terms/attitude, 1password could end up deleting both the backups and the items in the connected apps, possibly at the same time, leaving users without an external backup with no way to recover their secrets.
There are several safeguards in place to prevent a scenario like that from happening. Any change made to the codebase requires the review/approval of multiple stakeholders and changes are tested/reviewed by other teams, including a dedicated security team. We also put any new features/changes through a staggered rollout by first releasing them to the nightly version, then the beta, and finally to the stable version. Our QA team further reviews changes to the apps before beta and stable releases.
In addition to all that, 1Password is regularly audited by independent third-parties and conforms to important international data safety standards like ISO 27001. You can read more here:
-Dave
0 -
I'd love to see a backup strategy for the data in 1Password too.
Many of the big players in the cloud lost data already.
It's a possibility that we want have in self-control.Even an automatic backup of the offline cache would be helpful. (these files could moved into backup storage)
Can you eleborate a bit more about this cache? Is there any technical documentation on how these directories and files are structured?0