Question about data security during sync
Hello.
Since 1Password asks for the master password when setting up sync, I've been wondering: does 1Password Android Beta decrypt and reencrypt items during Dropbox sync, or does it just copy encrypted files to/from Dropbox? If items are indeed de/encrypted during sync, how do you ensure keys cannot be recovered from the phone?
Comments
-
This is a really good question. The simple answer to the question
does 1Password Android Beta decrypt and reencrypt items during Dropbox sync, or does it just copy encrypted files to/from Dropbox?
is "both". But the simple answer isn't very useful. So here comes the more complicated answer:
Synching is performed in stages. The actual transfer of data to and from Dropbox (which takes place when you have the appropriate network connection and your Dropbox credentials) is simply a transfer of encrypted data. So no decryption keys or passwords (other than being connected to your Dropbox account) is needed during this time.
When 1Password "translates" the data from the format that is stored on Dropbox to its internal format, there is decryption and re-encryption. This part of the synching operation does not require a network connection.
To understand how that "translation" happens we need to get a deeper understanding of the relationship between keys and Master Passwords. Your data is not encrypted with your Master Password. It is encrypted with a randomly chosen key that is created when your database is created. Your Master Password is used to encrypt that key (I'm skipping a few steps here for simplicity). The data on your device will have a different master key than the key used in the Agile Keychain stored on Dropbox. (One of the several reasons why these are different keys is the Agile Keychain uses 128 bit AES keys, while our newer formats use 256 bit keys.)
When you first set up synching and giving it your Master Password, 1Password on your device will decrypt the master key from the Dropbox data. It is store that, encrypted with the local master key, along with your passwords locally. So when you unlock 1Password on your device, it has access to both the local master key and the master key for the Dropbox data and it can then translate between the two. Both of these keys, of course, are protected by your Master Password.
By the way, this is pretty much how synching works in 1Password 4 on Mac and iOS as well. Windows (Beta) is a bit different in that it doesn't make a strict separation between local format and "sync format".
0 -
Thanks for the explanation, clear and to the point.
0 -
Let us know if you have any other questions. :)
0