My work vault is being opened with my personal vault

JimLeask
JimLeask
Community Member

I have a personal vault with items I share with my family, and a work vault that I want to keep for just work items. These vaults both have different passwords of course, however, if I open my personal vault my work vault is also opened without entering the work vault's password.

Do I have something misconfigured? I should need to enter the work vault password before gaining access (for obvious reasons)

Comments

  • thightower
    thightower
    Community Member

    @JimLeask‌

    No you have nothing misconfigured. This is by design. There is a growing chorus of folks whom want an option to disable this. One of the admins can add you vote to the topic. cc @Megan‌

    The staff has said the rational for this behavior as far as I can remember is that its your computer therefore you should have access to all vaults without extra hoops to jump through. Several folks whom share computers with other co workers, find this especially problematic.

  • Megan
    Megan
    1Password Alumni

    Hi @JimLeask,

    I'll just follow-up a bit here on what @thightower has already told you.

    1Password's new multiple vault feature was designed so that you still only have to remember one password, no matter how many vaults you create. Your primary vault holds the encryption keys for all of your secondary vaults. This means that unlocking your primary vault will give you quick and easy access to all of your data, regardless of which vault it is stored in.

    However, you still can unlock a secondary vault on its own. In the main app, use 1Password > Switch Vault menu. (In the 1Password mini, click on the lock image on the lock screen to select the secondary vault.) Please note that when you unlock the secondary vault alone, all other vaults will remain locked. You won't be able to copy items between vaults, and you will need to enter your Master Password to view another vault.

    Generally, the way that we advise you to set things up is to use your primary vault for all of your personal data that will never be shared. All shared data goes into secondary vaults. This set-up allows you to use your own personal password to unlock all of your data.

    If you provide me a bit more detail about your 1Password set-up and the number of users and vaults, perhaps I can suggest a better solution for your situation.

  • JimLeask
    JimLeask
    Community Member

    I'm checking back in after a bit of a delay, as we stopped trying to do what we originally intended due to these limitations (and the inability to change the password on the second vault)

    What I am trying to do is have a primary vault for my family, and a secondary vault that holds work items. Many of the work items are shared logins that are commonly used by all of the developers (to servers, admin websites etc). We have placed the 1Password vault for the work items on a corporate dropbox so it is available to all of the developers. However, I don't want to expose these logins to my wife or other personal machines. Note that I still keep my personal work items like email access in my primary vault as they are mine and not shared with others. I could (likely should) create a 3rd vault to hold my personal work items, but this problem would be raised again as it should be only available to me and not others in my family or other family shared computers.

    Actually, I don't want to put the secondary vault password into my primary vault, unless of course I explicitly add it myself. For the reason above, this is work related stuff and just because someone has access to the primary vault does not mean they should have access to the other vaults.

  • littlebobbytables
    littlebobbytables
    1Password Alumni

    Hi @JimLeask,

    So just to clarify. At the moment you have a family and work vault but your family vault contains items you don't actually want to share.

    It seems like what might work for you is a third vault that becomes your new Primary vault. From there you would have two secondary vaults, one for family and one for work. The new primary wouldn't be shared with anybody and can hold items like your email credentials (that you mentioned).

    Now when Megan talked about encryption keys stored in your primary vault it is more precise to say they're only stored locally within the .sqlite database file. When you sync a single vault via Dropbox or similar that information isn't sent, all that the sync data contains are the items and attachments you've explicitly added. So for example if you sync your family vault to other machines it knows nothing about the work vault on your machine.

    So the questions to ask of you are.

    1. How do you feel about the arrangement of a Primary vault shared only with your devices, a secondary vault for family and a secondary vault for work? Your Master Password for your new Primary would access all three vaults on your own machine. The family could access just the secondary vault on shared machines and even your very own machine (as secondary vaults can be unlocked separately) and the work vault is also isolated from your family.
    2. If that sounds like an arrangement that could work for you are you currently syncing both the current primary (family) vault and the work one with Dropbox? You specifically mentioned Dropbox in reference to the work vault but I wanted to confirm your current primary vault.

    If both are in Dropbox what we could do is guide you through the steps to start over. We'd have you create a brand new Primary vault for your items and then add the old primary as the family vault and re-add the work vault.

    Let us know what you think and we can take it from there :smile:

  • HanSoLow
    HanSoLow
    Community Member

    I believe I have a similar issue. I currently have a single vault for my own personal use that is synced via my own personal iCloud. At work I have a 1Password synced with an iCloud account registered to my company. Can I add my company work vault as a secondary vault without syncing my personal vault to their iCloud and vice versa?

  • littlebobbytables
    littlebobbytables
    1Password Alumni

    Hi @HanSoLow,

    If both accounts are being synced via iCloud then you have no options I'm afraid.

    • iCloud Sync doesn't allow any sharing between iCloud accounts.
    • iCloud Sync only allows the syncing of a single primary vault - currently there is no secondary vault syncing.
    • Access to your iCloud sync data is only possible by logging into that iCloud account via either OS X or iOS's iCloud Settings which limits you to a single account.

    What you want to do is quite possible from Dropbox but sadly iCloud simply isn't versatile enough at the moment. If you're willing to consider Dropbox we can assist with what you need to do.

  • HanSoLow
    HanSoLow
    Community Member

    Sorry to reply so late, I've been in Florida on vacation. Thanks for the information. I will get both vaults moved to dropbox and then report back. Possibly early next week. Thank you.

  • Drew_AG
    Drew_AG
    1Password Alumni

    No problem, @HanSoLow. If you need more help with that, we're here for you! :)

  • HanSoLow
    HanSoLow
    Community Member

    Ok so I've migrated my personal 1Password keychain from my iCloud account to Dropbox and have migrated the company account a Dropbox account from their iCloud sync. I'm happy to read documentation on this as to not bother you guys but if there is walkthrough that will prevent a catastrophe I'd sure appreciate it. Thanks for your responsiveness.

  • littlebobbytables
    littlebobbytables
    1Password Alumni

    Hi @HanSoLow,

    Now there are two routes at the moment depending on if the company is using Dropbox for Business or a personal one.

    If it's a Dropbox for Business account them you can have both your personal and the business Dropbox accounts linked to a single machine.

    I would probably recommend the following steps to keep it easy.

    1. Install the personal Dropbox first and set up 1Password as an existing user. You want your personal vault as the primary otherwise the business Master Password would unlock your vault (which is not what you want). We have a guide for Getting started again on a new computer.
    2. Install Dropbox for Business so you have access to the .agilekeychain for the business vault. Simply double clicking on it will add it as a secondary vault.

    At this point you have a copy of 1Password that has both vaults syncing and are only accessible to you.

    If you are using a personal Dropbox account for the business .agilekeychain then you will want to share the folder the business .agilekeychain resides in with your personal Dropbox account and you can find more details on how to do that at How do I share folders with other people? (that's a Dropbox KB article just so you're aware). With the business one shared with your personal Dropbox account you would install Dropbox and connect your personal account up. The neat part is you can un-share the folder whenever you like and removed access for others with a few clicks. Nice and easy :smile:

    The easiest way forward though is in this scenario is as follows.

    1. Before sharing the folder install Dropbox and connect your personal account. In fact step 1. here is the same as step 1. above.
    2. Share the folder from the business Dropbox account with your personal one. Let this sync.
    3. With the business .agilekeychain now visible in your personal Dropbox space you can double click on it as described in step 2. of the alternative instructions above.

    If you have any questions please do ask :smile:

  • JimLeask
    JimLeask
    Community Member

    Yes, my current primary vault is my personal one, as that was the only one I needed when I first started using 1Password. The scheme you mentioned to have a different primary vault sounds like it may work for me and is worth trying. Both are on dropbox, one my personal and the other a corporate dropbox.

    Can this work so only my work machine has this top-level primary vault, and my home machines continue as they are now without any reference to the others? I don't mind configuring my work machine this way, but I don't think I should have to do this with any of my home computers that don't want the work vault anyway.

  • JimLeask
    JimLeask
    Community Member

    Before I will look at using the secondary vault though, the ability to change the vault's password needs to work. This is being tracked as a separate issue, but in brief there is no point in my sharing a vault with other developers unless we have the ability to easily change the vault's password so it can remain secure if someone on the team changes.

  • Stephen_C
    Stephen_C
    Community Member

    in brief there is no point in my sharing a vault with other developers unless we have the ability to easily change the vault's password so it can remain secure if someone on the team changes

    But how will you "un-share_ the vault once it's been shared...regardless of changing the password? For example, you share a secondary vault with an employee using Password 1. The employee leaves so you change the password of the secondary vault on your machine to Password 2. BUT the employee still has the original vault and can open it with Password 1. The only solution to that, surely, is in some way to ensure the employee can't walk off with the original secondary vault (secured by Password 1).

    Or am I being obtuse and missing something obvious (quite possible)?

    Stephen

  • littlebobbytables
    littlebobbytables
    1Password Alumni

    Hi @JimLeask,

    I do see that you've posted in another thread regarding this issue and I've said I would query any update for you there.

This discussion has been closed.