How to share a vault between two different users?

semblance
Community Member
edited November 2013 in Mac

I've read the document about multiple vaults and searched the forums, and I know how to create additional vaults — but I can't find anything that explains step-by-step how to share a vault between two different users.

I'm running the Mac App Store version of 1Password 4, and in my case there is one Mac and each user has their own OS X account.

Comments

  • Stephen_C
    Community Member

    There are two threads—here and here—which might help you.

    Stephen

  • semblance
    Community Member
    edited November 2013

    OK, so it sounds like both users need to have a Dropbox account, and one user "shares" their 1Password folder (which is a sub-folder of their Dropbox folder) with the other Dropbox user. From what I can see, a Dropbox folder can be shared via the right-click context menu in Finder, but this opens the Dropbox web site and ultimately that's where the sharing is enabled. Once the folder is shared, the second user should be able to see it under their Dropbox folder. Then they just double click on the .agilekeychain file to open the vault in their 1Password app.

    It would be nice if the 1Password documentation could explain this. I've used Dropbox for years, but I've never shared a folder before, I've just used it for syncing my personal stuff with my mobile devices. And because Dropbox "just works", I haven't logged into the Dropbox web site — not even once! — since I originally created my Dropbox account, as I never had the need to. So I'm not that familiar with it.

    Now, a question: say the second user, who I want to share a vault with, uses a different OS X account on the same physical Mac as me, and that's the only place they run 1Password i.e. they don't sync to any other devices. Is there a shortcut I can use to avoid creating a new Dropbox account for them? For example, can I just give the second user file system-level write access to my 1Password folder (which happens to be inside my Dropbox folder because I do use Dropbox)?

  • thightower
    Community Member
    edited November 2013

    @semblance

    OK, so it sounds like both users need to have a Dropbox account, and one user "shares" their 1Password folder (which is a sub-folder of their Dropbox folder) with the other Dropbox user. From what I can see, a Dropbox folder can be shared via the right-click context menu in Finder, but this opens the Dropbox web site and ultimately that's where the sharing is enabled.

    Well said,

    It would be nice if the 1Password documentation could explain this. I've used Dropbox for years, but I've never shared a folder before, I've just used it for syncing my personal stuff with my mobile devices. And because Dropbox "just works", I haven't logged into the Dropbox web site — not even once! — since I originally created my Dropbox account, as I never had the need to. So I'm not that familiar with it.

    Woot glad it just works for you. I seldom hear stories like that being a Moderator at Dropbox as well as 1Password. Generally 99% of the folks visiting the forum have an issue and need help. So thanks for the comment.

    It sounds as if you may wish to use folder sync. For ease of use and so forth you may wish to place this in a folder outside the user directory or one that both of you have access to easily thru OS X.

  • semblance
    Community Member
    edited November 2013

    OK, I tried using Folder syncing, but it is NOT working properly.

    All the items I want to share are currently in the second user's primary vault — but my understanding is that primary vaults can't be shared, so I created a secondary vault with the same name for both users. Then I needed to do two things: a) export all the items out of the second user's primary vault and import them into the new secondary (shared) vault, and b) enable Folder syncing for both users pointing to the same folder.

    • First I tried doing a) followed by b). I used File > Export in the second user's 1Password app, to export the data from their primary vault, then used File > Import to import it back into their secondary vault. So far, so good. Then, I set up Folder syncing by going to Preferences > Sync > Sync With > Folder, and selected a folder which both users have write access to, then logged in as myself and did the same with my secondary vault of the same name. At that point, 1Password told me it found an existing file and would merge the data, but despite this, all the items I'd imported in the second user's secondary vault did not appear in my view of the same vault. I checked the sync settings for both users and confirmed they were both syncing to the SAME file. Then I tried creating a new item in my view of the shared vault, and that DID sync to the second user's view of the vault along with all the other items that hadn't synced. So the shared vault ended up in some weird semi-synced state where some items were syncing and others weren't. I logged in and out multiple times, and re-checked the sync settings and both said "Last synced [small number] seconds ago", but they were NOT in sync.

    • Then I tried starting again, and doing b) followed by a), but that turned out even worse! I first disabled syncing for both users, deleted all the items in both copies of the secondary vault, then enabled Folder syncing for both users exactly as described above so both vaults were now empty, but syncing to the same file. Then I imported all the items that I'd previously exported from the second user's primary vault back in to the secondary/shared vault. But when I switched back to my 1Password app, all the items had synced BUT only headings and URLs — all the other attributes (including passwords) were gone! Then I switched back to the second user, and the corruption had synced back again i.e. both users' view of the shared vault now only had headings and URLs, and all the other data was gone for both users!

    Am I doing something wrong or is this whole syncing functionality thoroughly broken at this point in time?

  • semblance
    Community Member

    OK, it seems at least part of the problem is down to file permissions.

    Apparently it's not enough just to ensure that the folder used for Folder syncing has read/write permissions for both users, because the .agilekeychain file, which gets initially created by one of the users is still only writable by them. The problem extends to all its sub-folders and files, since .agilekeychain is actually a folder. It seems that (at least on Mavericks) the permissions you set on the parent folder are not necessarily inherited by all the sub-files/folders.

    I've updated the permissions as best I can in Finder, but this seems to require knowledge of OS X filesystem ACLs which goes beyond my expertise.

    Now the issue is sort of fixed — both users can see all the items, both users can create new items, and after creating a new item, the other user can see it. However, if either user modifies an existing item, then the modification doesn't sync to the other user.

    So it's still not working fully. But this might be because I don't have the right "inherit" permissions and/or ACLs in the right places.

  • semblance
    Community Member
    edited November 2013

    I read the link about Folder syncing a bit more carefully, and it seems that Folder syncing is designed for syncing with a folder that is used by some kind of cloud-based sync service other than Dropbox, which would mean that the sync service itself would take care of file permissions when it recreates everything in the second user's copy of the sync folder (even if that happens to be on the same physical machine).

    By not using a sync service at all and attempting to sync directly using a shared folder in the filesystem, I think I'm using Folder syncing for something it simply wasn't designed to do at all. Every time one of the users creates a new item, that will create a new file inside the .agilekeychain folder which probably won't be writable by the other user, so syncing is never going to work properly this way.

    It sounds like it would be easier to just create a Dropbox account for the other user, sync through Dropbox and be done with it.

  • semblance
    Community Member
    edited November 2013

    OK, both users now have their own independent Dropbox accounts, and in my 1Password app I configured the shared (but still empty) vault to sync via Dropbox. Then I configured Dropbox to share the new ".agilekeychain" folder with the other Dropbox user, and when the second user accepted the invitation, the ".agilekeychain" folder appeared in their Dropbox folder, as expected.

    Then, I configured the second user's secondary vault, which had the same name, to sync via Dropbox as well. 1Password spotted that there was an existing ".agilekeychain" of the same name in the Dropbox folder and said it would merge the settings, as expected.

    But then, when I logged in as myself again and viewed the shared Vault, it only contained 1 Login — which happened to be the "Dropbox" login, as it happened to be the one I created most recently — and all the other Logins were missing. So it STILL wasn't syncing properly, despite the fact that I was doing everything the right way via a shared Dropbox folder.

    So then I thought, maybe if I export and re-import everything in the second user's view of the shared Vault, it will trigger a resync and force all the missing items to appear in my view of the shared Vault.

    So I logged in as the second user, exported all items, re-imported them — then guess what, everything comes back with just Headings and URLs again, with all the other data missing!!!

    This thing seems so flaky right now. When I export and import it sometimes loses my data (everything disappears except Headings and URLs). When I configure a shared vault to sync via Dropbox, not all the items sync. I just seem to be going round in circles.

  • semblance
    Community Member
    edited November 2013

    Got slightly better results by sharing the parent folder in Dropbox rather than the ".agilekeychain" folder itself — at least then, all the items initially appeared for both users.

    However any changes made as one user (including editing an existing item or creating a new item), do not sync to the other user's view of the vault.

  • Megan
    1Password Alumni

    Hi @semblance,

    First of all, I would just like to sincerely apologize for the delay in responding to you here. As you may have noticed, we have been a bit overwhelmed since the launch of 1Password 4 for Mac. But we're all working hard and putting in extra hours to get back to our usual snappy responses and we really appreciate your patience.

    I am so sorry that you had to go through that whole process - it sounds a bit tiring!

    Now, let's see if we can get this straightened out for you here. I think the most efficient way to get this done is to see a Diagnostic Report from your computer.

    Please download the 1Password Troubleshooting utility and follow the instructions to generate the report.

    Then attach the entire file to an email to us: support+forum@ agilebits .com

    Please do not post your Diagnostics Report in the forums, but please do include a link to this thread in your email so that we can "connect the dots" when we see your Diagnostics Report in our inbox.

    Once we see the report we should be able to better assist you. Thanks in advance!

  • semblance
    Community Member
    edited November 2013

    Hi @Megan — OK, but before I do that, I have one question.

    Ideally I'd like the second user to have a primary vault only, and share that, so it appears as a secondary vault within my 1Password.

    At first I thought that wasn't possible, but while I was trying to get the basic vault-sharing functionality working (with secondary vaults of the same name for both users), I accidentally discovered that it's possible to do the following:

    In OS X / Dropbox

    1. Create a dedicated shared folder under my Dropbox, say "1Password-shared" (separate to the "1Password" folder where my primary vault is stored)
    2. Share this folder in Dropbox with the second user.

    Log in to my 1Password:

    1. Create a secondary vault, say called "Shared"
    2. Configure Preferences > Sync > Dropbox to use the folder "1Password-shared". This creates a sub-folder with an agilekeychain file of the same name as the secondary vault: 1Password-shared/Shared.agilekeychain.

    Log in to the second user's 1Password:

    1. Keep the default (primary) vault open, and don't even create a secondary vault at all
    2. Go to Preferences > Sync > Dropbox and select the file "Shared.agilekeychain".

    Surprisingly, 1Password allowed me to do this. At this point, the second user's 1Password is in a state where its primary vault is configured to sync over dropbox via a file called "Shared.agilekeychain" (rather than "1Password.agilekeychain"). And the same agilekeychain file is in a folder that's shared over Dropbox with another user (me), and I have a secondary vault called "Shared" which is also configured to sync over dropbox via "Shared.agilekeychain".

    This surprised me because I thought (assumed?) that the primary vault's agilekeychain file was always called "1Password.agilekeychain", and secondary vaults could only sync via an agilekeychain file with the same name as the secondary vault.

    Is this intended behaviour or not?

    And, by the way, it's not working in this configuration. As in, changes don't sync across. BUT, it also didn't work in the original configuration when I had both users configured to use a secondary vault both called "Shared" and both syncing via "Shared.agilekeychain".

    So before generating a diagnostic report, I'd like to know: can I run it in the first, preferred configuration, in which one of the users is sharing their primary vault? Or do I have to run it in the second, less preferred configuration, which would mean creating a secondary vault for the second user and probably, in my case, keeping their primary vault empty?

  • semblance
    Community Member

    OK, I think I fixed the problem — my shared vault name contains a space character, and I happened to read in another thread that there are known issues with vault names containing space characters. It wasn't actually called "Shared", that was just an example; I didn't think the actual vault name was important.

    Now everything appears to be syncing perfectly and I can create/modify/delete items on either side and the changes are reflected for the other user.

    However, the configuration that I now have working is the first of the two I described in my previous post, in which one of the users is sharing their primary vault. Specifically, I created a secondary vault in my 1Password — this time with no spaces — which created an agilekeychain file with the same name, and then I configured the second user's primary vault to sync in Dropbox via the same agilekeychain file, which they could see in the shared Dropbox folder.

    So, is this configuration supported, or does it work only by accident?

    Furthermore, I am confused about how master passwords work with shared vaults. When I created the secondary vault in my 1Password, I set its master password to be the same as the other user's existing primary vault master password (which I happen to know, because I created it). Then, when I configured the second user's primary vault to sync via the existing (secondary) vault's agilekeychain file, it did not prompt me for any password, it just said (if it's non-empty) existing data was found, do I want to merge it.

    Despite this, when I open my 1Password, I only have to type in my own master password, and I can see all the vaults, including the shared one that supposedly has a different master password. Why is this?

  • thightower
    Community Member

    Despite this, when I open my 1Password, I only have to type in my own master password, and I can see all the vaults, including the shared one that supposedly has a different master password. Why is this?

    The primary vault allows access to all other vaults, you can open just the secondary for example but anytime you open the primary it unlocks all of them.
    Maybe @megan can give some insight on this. I recall a thread from @roustem detailing some of the reasons but I can't find it at the moment. :-/

    As to the other items I'll let @megan continue on with them.

  • Stephen_C
    Community Member

    @thightower might be thinking of this post by roustem.

    Stephen

  • Megan
    1Password Alumni

    Hi @semblance,

    I am so glad to hear that you managed to get things working. It sounds like you have a solid set-up there. I've confirmed with some of our tech gurus, and sharing your secondary vault as a primary for the other user should work fine.

    You are correct, the Master Password of your primary vault will unlock all your secondary vaults. To open just your secondary vault, click 1Password > Switch to Vault while 1Password is locked.

    I hope this answers your questions (it seems, as usual, @thightower and @Stephen_C have been a great source of information) but please let me know if you need any further clarification. :)

  • semblance
    Community Member
    edited November 2013

    Thanks @Megan, that's great news to know that sharing one user's primary vault as another user's secondary vault is OK, since this is how I intend to use it! Hopefully, more than just it "should work fine", it's a fully supported use-case and will be part of the set of tests that are run when the app is enhanced etc. I don't want this behaviour to break one day if I'm relying on it.

    Regarding master passwords, I read that thread but I'm still confused... how it can be that, once the shared vault is set up, a single vault can be opened with two different master passwords — one by each user? I presume the vault's data is still encrypted with a single key, but can that key now be unlocked by two different master passwords, and is all the crypto material required to achieve that stored in the one shared agilekeychain structure? So it's effectively like a safe with two doors?

    Furthermore, when you initially generate the secondary vault, you are prompted to give it a master password. What is this for? Assuming you're setting up shared vaults the way you're supposed to — and not just fumbling around in the dark as I was — what are you supposed to type here?

    Should it be the same as either of the two users' master passwords? And if not, is it just a temporary password used only to import the vault, which gets thrown away after that because each user is then using their own master password? Or does it become a third password capable of opening the vault along with both users' master passwords? The document about multiple vaults is no help at all here; it just says "4. Give the vault its own password".

    Also, what happens when either of the two users of a shared vault change their master passwords?

    And finally, when I logged in as the second user and configured their primary vault to Dropbox sync via the shared vault's agilekeychain file, why wasn't the second user prompted for the initial password that was set when the shared vault was created? Did that not happen because in my case, I'd given the shared vault an initial password which happened to be the same as the second user's existing master password? Was I wrong to do that? If I'd given the shared vault a different password when I created it, would the second user have been prompted for that password when they imported it (actually, configured their primary vault to sync with it)?

    The documentation on vault sharing leaves so many questions unanswered... not just in terms of how shared vaults work, but how they're meant to work, what the intended scenarios are (e.g. sharing secondary-as-secondary vs. primary-as-secondary), how they work with respect to master passwords, how vault sharing utilizes Dropbox folder sharing, what Dropbox folder sharing actually is (it was new to me), how you set that up and which Dropbox folder you should actually share (e.g. your existing /Dropbox/1Password folder, or can it/should it preferably be some other folder.)

    What's needed is some detailed, step-by-step and explicit instructions that tell you unambiguously how to set up shared vaults the way they were intended, what the expected end-state(s) are, exactly how those end-states are expected to behave, and what known bugs there are (like no spaces in vault names, not being able to double-click agilekeychain files, etc).

    The existing documentation is such a long way from achieving that in my opinion — just look in this thread at all the different places I tripped up.

  • semblance
    Community Member
    edited November 2013

    Update: I've just found the page http://learn.agilebits.com/1Password4/Mac/en/Tutorials/share-vault.html which answers some of my questions. Apologies I hadn't read that page before, I'd seen http://learn.agilebits.com/1Password4/Mac/en/Features/multiple-vaults.html and thought it was the same page. Oops! Anyway, even after reading that, some of my questions are still unanswered. Also there appears to be a page http://help.agilebits.com that's more out-of-date than http://learn.agilebits.com/.

  • thightower
    Community Member

    @semblance

    The ....help.... pages were mainly for 1Password 3
    and ...learn... are for 1Password 4

    That's just been my observation. That also explains why both are still active.

  • Megan
    1Password Alumni

    Hi @semblance,

    Hopefully, more than just it "should work fine", it's a fully supported use-case and will be part of the set of tests that are run when the app is enhanced etc. I don't want this behaviour to break one day if I'm relying on it.

    We are working on making vaults more flexible and more accessible in the future, so we certainly don't plan to remove functionality like this.

    how it can be that, once the shared vault is set up, a single vault can be opened with two different master passwords

    The Master Password for your primary keychain will unlock all your secondary vaults. This does not mean that your secondary vault has 2 Master Passwords, but we use the encryption keys of the primary vault to encrypt attributes of the secondary vault. This way if you unlock the primary vault, you get access to all secondary vaults. (So you can have easy switching between your secondary vaults without constantly having to enter multiple Master Passwords.) Anyone that you share a secondary vault with will have to use that vault's Master Password to access it. They will not be able to use the Master Password of your primary vault to unlock it.

    Also, when you initially generate the secondary vault, you are prompted to give it a master password. Assuming you're setting up shared vaults the way you're supposed to do it, and not just fumbling around in the dark as I was, what are you supposed to type here?

    The Master Password for the secondary vault should be treated the same as the Master Password for your primary vault: make it nice and strong and random. For ideas on what makes a great Master Password, you can always read our blog post, Towards Better Master Passwords here. All users will use the same Master Password to access this vault. Any changes to this Master Password will sync across the keychain.

    And finally, why wasn't the second user prompted for the shared vault's initial master password when they configured their primary vault to Dropbox sync via the shared vault's agilekeychain file? Did that happen just because the initial password I'd given the shared vault was the same as the second user's master password?

    You're correct. The standard steps for adding a shared vault into 1Password is to double-click the keychain to open it. However, there was a bug recently (that has since been squashed) that prevented this behaviour. The workaround was to create a vault with the same Master Password and set up syncing to the location of the shared keychain, as you did. :)

    I know multiple vaults can be confusing, but I hope this helps to clear things up a bit! If you have any further questions, please do not hesitate to ask!

  • semblance
    Community Member
    edited November 2013

    Thanks @Megan for the detailed reply. I think I'm starting to get it now.

    The Master Password for your primary keychain will unlock all your secondary vaults. This does not mean that your secondary vault has 2 Master Passwords, but we use the encryption keys of the primary vault to encrypt attributes of the secondary vault. This way if you unlock the primary vault, you get access to all secondary vaults. (So you can have easy switching between your secondary vaults without constantly having to enter multiple Master Passwords.)

    OK, so is the following summary correct?

    • When you create a secondary vault, you must give it its own vault-specific Master Password.

    • If another user "imports" the secondary vault, they have to provide that vault-specific Master Password. But once imported, some kind of magic happens which means that whenever they subsequently unlock their primary vault, it's then able to unlock the secondary vault as well without providing the vault-specific Master Password.

    • From now on, the secondary vault still has the same vault-specific Master Password it originally had — and that will still allow another user (or an attacker) to unlock the secondary vault. But under normal circumstances, the secondary vault's own Master Password will no longer get used, because both users can unlock it by first unlocking their primary vaults with their primary vaults' Master Passwords. The only time the secondary vault's own Master Password would get used is if a user needs to re-import the secondary vault for some reason, or perhaps if a different user needs to import the secondary vault.

    Anyone that you share a secondary vault with will have to use that vault's Master Password to access it.

    But it's when they import it — normally a one-off step — not each time they access it, right?

    The Master Password for the secondary vault should be treated the same as the Master Password for your primary vault: make it nice and strong and random. For ideas on what makes a great Master Password, you can always read our blog post, Towards Better Master Passwords here. All users will use the same Master Password to access this vault.

    OK, but would you also say it's best practice to make the secondary vault's Master Password different to your or anyone else's primary Master Password, if you intend to share it? Because neither user should need to know the other user's primary Master Password.

    I suppose if you're creating a secondary vault, but you're not intending to share it with anyone, then you might as well make its Master Password the same as your primary vault's Master Password. But then again, maybe not: since you never use the secondary vault's own Master Password any more, you might easily forget that it has one! You might one day change your primary vault's Master Password to something stronger and better, and since that would continue to unlock both your primary and secondary vault, you might forget that your secondary vault still has the older, weaker Master Password!! That would not be good.

    In fact, thinking about it — if I understand correctly — then unlike normal Master Passwords, there's actually no requirement to make a secondary vault's Master Password human-memorable at all. It's never going to be used again by the person who created that vault, and it's only used once by each user who imports that vault, right?

    Am I right in thinking that I could actually set a very long, secure and completely random Master Password for my secondary vault, and then store that in my primary vault? Because I (as the secondary vault creator) will probably never have to type it again, and if another user imports my vault, then I can just show them the super-random vault-specific Master Password on my iPad, and they'll only have to type it in once, ever?

    Any changes to this Master Password will sync across the keychain.

    Good. But can you confirm that if I change the secondary vault's own Master Password, this won't break the magic trust that's already been set up that allows all the users who created/imported the secondary vault to access it via their primary vault's Master Password?

    The standard steps for adding a shared vault into 1Password is to double-click the keychain to open it. However, there was a bug recently (that has since been squashed) that prevented this behaviour. The workaround was to create a vault with the same Master Password and set up syncing to the location of the shared keychain, as you did.

    Actually, I knew about that bug, but I avoided importing the secondary vault by double-clicking for a different reason (even after that bug was fixed): because I wanted the second user's primary vault to be merged and shared with my secondary vault.

    If I'd double clicked Shared.agilekeychain as the other user, then it would have created a secondary vault called "Shared". Instead, I simply logged in as the second user, and configured the sync settings for their primary vault to point at Shared.agilekeychain. After that, their primary vault is sharing with me, but it shows up in my 1Password as a secondary vault called "Shared".

    I know multiple vaults can be confusing, but I hope this helps to clear things up a bit! If you have any further questions, please do not hesitate to ask!

    I really appreciate the time you've spent responding to my questions @Megan. This vault sharing is an awesome piece of technology, but it's quite hard to understand at first.

    And I especially appreciate it as I clearly failed to RTFM in the first place... thanks!!

  • jpgoldberg
    1Password Alumni

    You've understood correctly @semblance. And this is significant. As you've learned in the process, what seems simple on the surface actually has a lot of subtleties when you start to look at it more carefully.

    Indeed, when I started using secondary vaults (that were not for sharing), I did exactly as you suggested. I didn't create memorable passwords for them. I actually used 1Password's Strong Password Generator and selected "pronounceable" so that I would get something that wouldn't be too difficult to type if it ever had to be.

    There is no magic involved, though it does seem that way. A Master Password for a vault does not directly encrypt the data in the vault. The actual encryption keys are chosen at random when the vault is first created. Your Master Password is used to decrypt those keys. (Indeed, there is actually such a long chain of keys, that I remember it with this:

    Each item key’s encrypted with the master key
    And the master key’s encrypted with the derived key
    And the derived key comes from the MP
    Oh hear the word of the XOR
    Them keys, them keys, them random keys (3x)
    Oh hear the word of the XOR

    (And actually that is only half of it.) So the magic is that we can keep a copy of the encryption keys for your secondary vault within your primary vault. By storing the keys instead of the Master Password for that vault, we make sure that no Master Password is ever stored in any form whatsoever. It's also much quicker and "lighter" this way. 1Password doesn't have to run through the deliberately computationally expensive process of deriving a key from a Master Password.
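
The key chain described in the comment above, as an added Python model (not 1Password code and not the Agile Keychain file format): a random master key protects per-item keys, the Master Password only unwraps that master key, and each user's primary vault keeps its own wrapped copy of the shared vault's master key. The `Vault` class, its method names, the PBKDF2 iteration count and the HMAC-based stand-in cipher are all assumptions made for the demonstration, and the passwords and the item are constructed.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # illustrative value chosen for this demo


def derive_key(master_password: str, salt: bytes) -> bytes:
    """The deliberately slow step: Master Password -> derived key."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, ITERATIONS)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (hmac.new(key, b"enc" + nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]


def wrap(key: bytes, plaintext: bytes) -> bytes:
    """Stand-in authenticated cipher (HMAC keystream plus HMAC tag), demo only."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()


def unwrap(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or modified data")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class Vault:
    """Hypothetical vault: only wrapped keys and ciphertext are ever stored."""

    def __init__(self, master_password: str):
        self.salt = os.urandom(16)
        master_key = os.urandom(32)  # chosen at random, never derived from the password
        self.wrapped_master_key = wrap(derive_key(master_password, self.salt), master_key)
        self.items = {}        # title -> (item key wrapped by master key, encrypted body)
        self.linked_keys = {}  # vault name -> that vault's master key, wrapped by ours

    def unlock(self, master_password: str) -> bytes:
        return unwrap(derive_key(master_password, self.salt), self.wrapped_master_key)

    def add_item(self, master_key: bytes, title: str, secret: str) -> None:
        item_key = os.urandom(32)
        self.items[title] = (wrap(master_key, item_key), wrap(item_key, secret.encode()))

    def read_item(self, master_key: bytes, title: str) -> str:
        wrapped_item_key, body = self.items[title]
        return unwrap(unwrap(master_key, wrapped_item_key), body).decode()

    def change_master_password(self, old: str, new: str) -> None:
        # Only the wrapping around the master key changes; items are untouched.
        master_key = self.unlock(old)
        self.salt = os.urandom(16)
        self.wrapped_master_key = wrap(derive_key(new, self.salt), master_key)

    def link(self, own_master_key: bytes, name: str, other_master_key: bytes) -> None:
        # Store the other vault's key (not its password) under our own master key.
        self.linked_keys[name] = wrap(own_master_key, other_master_key)

    def open_linked(self, own_master_key: bytes, name: str) -> bytes:
        return unwrap(own_master_key, self.linked_keys[name])


def opens(vault: Vault, password: str) -> bool:
    try:
        vault.unlock(password)
        return True
    except ValueError:
        return False


def demo() -> dict:
    shared = Vault("shared-vault-password")   # constructed passwords
    alice = Vault("alice-primary-password")
    bob = Vault("bob-primary-password")

    # One-off import: each user types the shared vault's password once.
    shared_key = shared.unlock("shared-vault-password")
    shared.add_item(shared_key, "Router admin", "constructed-secret-123")
    alice.link(alice.unlock("alice-primary-password"), "Shared", shared_key)
    bob.link(bob.unlock("bob-primary-password"), "Shared", shared_key)

    # Daily use: each user unlocks only their own primary vault.
    via_alice = alice.open_linked(alice.unlock("alice-primary-password"), "Shared")
    via_bob = bob.open_linked(bob.unlock("bob-primary-password"), "Shared")
    result = {
        "alice_reads": shared.read_item(via_alice, "Router admin"),
        "bob_reads": shared.read_item(via_bob, "Router admin"),
        # A primary password does not open the shared keychain file itself.
        "alice_password_opens_shared_file": opens(shared, "alice-primary-password"),
    }

    # Changing the shared vault's password re-wraps the same master key,
    # so in this model the copies held in both primary vaults keep working.
    shared.change_master_password("shared-vault-password", "new-shared-password")
    via_bob = bob.open_linked(bob.unlock("bob-primary-password"), "Shared")
    result["bob_reads_after_change"] = shared.read_item(via_bob, "Router admin")
    result["old_shared_password_still_opens"] = opens(shared, "shared-vault-password")
    return result


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```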

  • semblance
    Community Member
    edited November 2013

    OK that's great, thanks @jpgoldberg — nice song :-)

  • sjk
    1Password Alumni

    Hey, @semblance.

    Glad you got some great help with understanding all this!

    Is it just coincidence that you wrote:

    If I'd double clicked Shared.agilekeychain as the other user, then it would have created a secondary vault called "Shared". Instead, I simply logged in as the second user, and configured the sync settings for their primary vault to point at Shared.agilekeychain. After that, their primary vault is sharing with me, but it shows up in my 1Password as a secondary vault called "Shared".

    … right about when I wrote:

    If you've already run 1P4 on your new Mac and have a primary vault configured, then opening a keychain externally (e.g. by double-clicking) will offer you to "Create New Vault" from it and keep it in sync with Folder Sync. If you want to merge a keychain with an existing vault then opening it from the Folder choice under Preferences… > Sync will offer that option.

    ? :)

    Thanks for an extra reminder that our documentation can better clarify when accessing a keychain creates a new vault vs. merges data with an existing vault.

  • semblance
    Community Member
    edited November 2013

    Hi @sjk Yes! Well, actually I'd mentioned it earlier in this thread.

    But it goes a little further than opening an existing keychain merges its data. What's nice is that if you merge your primary with an existing keychain which is another user's secondary vault, then you end up in a situation where user A's primary is shared with user B's secondary.

    The 1Password vault architecture seems very flexible.

  • sjk
    1Password Alumni
    edited November 2013

    Missed your mentioning it earlier, @semblance. Evidently I hadn't read your posts as closely as I'd thought. :)

    Thanks for that shared vault example.

    Multiple vaults being separate from now-optional sync stores does open a lot of possibilities.

    Topic now closed, with your approval. :)

This discussion has been closed.