Good questions about how 1Password sync and how encryption is involved
Without a doubt you guys provide more transparency to users than pretty much any other development team, but to paraphrase, I am an Elephant of Very Little Brain :) The encrypted list(s) of passwords is what's sync'd via the cloud (iCloud, Dropbox, whatever) correct? Is it stored there, as well or does the cloud act as a passthrough mechanism to simply push the list(s) to the devices? When the devices login and the sync occurs, are they logging into a central location for authentication and if so, is that an Agile Bits server? Finally, is the encrypted Master Password passed around and/or stored in the cloud (iCloud, Dropbox, whatever)?
Like I said, you guys are amazing at sharing information. I'm just trying to get a clear understanding of the mechanisms. Thanks :)
Comments
-
Lets see if I can give a little insight. I have been around a little while, I came to get some answers like yours answered and never left circa 6-7 years ago now. ROFL
The data is local to your computer inside a special file which 1Password reads from, this file is separate from the keychain file that syncs thru Dropbox, or iCloud.
That data file syncs the content that you add to 1Password to your other computers, devices. That data is then read by the other instance of 1Password and added to your content available on that machine.The datafile is what contains your entire history if you will. The data file is never sent to a server unless you so choose. In fact you do not need to use a cloud service to sync your data between devices. You can choose folder sync and of wifi sync eliminating cloud access all together. When the syncing occurs the device is logging into Dropbox's or iCloud's servers to accomplish the data exchange.
AgileBits has no sever that validates anything like logins etc.
They do however have a server that goes out on to the internet and look for icons and login pictures for the rich icons for 1Password. Its a blind service in that all the service gets is a request for an item and if present it returns it. No password, login details etc are ever shared with that server. If you don't feel comfortable with this they have made it easy to disable the service. Simply un tick use rich icons in 1Password preferences.
The Master password is synced between devices, I forget the technical terminology. :( What essentially happens is the keychain is synced to the secondary device. The only way to open that file is to supply the Master Password, so if it didn't sync you would never be able to open it. Its not really a password being synced, no where is it store unencrypted. Your data is always encrypted where ever it is located. The only time the data is unencrypted is when you supply the Master Password and have the app open for its use.
I hope another users opinion and attempt to explain have not confused you. If so please ask away.
0 -
Hi guys,
Just to be clear, on your desktops, your master password is not stored anywhere on your drive.
The encrypted list(s) of passwords is what's sync'd via the cloud (iCloud, Dropbox, whatever) correct?
Yes and keep in mind that it is not just syncing, we only keep an encrypted version of your data on your drive. We decrypt the minimal amount of data needed to show you the data you need. We do not decrypt everything at once when you unlock 1Password, just the item you're viewing and the overview (list of items).
If you'd like, we have a technical design of how 1Password encryption works that you can read here: https://learn2.agilebits.com/1Password4/Security/keychain-design.html
Is it stored there, as well or does the cloud act as a passthrough mechanism to simply push the list(s) to the devices?
All of your 1Password data is always stored on the device. When you enable the sync for one of the vaults, 1Password will then create a sync file (encrypted) and place it in the cloud folder that you want to sync with. The cloud sync service on your computer will sync it to their services.
For Dropbox (and Folder Sync), Dropbox monitors your Dropbox folder to monitor changes and whatever changes, gets pushed to their server. Folder Sync just writes a sync file to any folder you want and 1Password will just monitor that folder. For an example, if you use Google Drive, you can tell 1Password to put the folder inside Google Drive's folder and that'll sync your data between all computers you use with Google Drive.
For iCloud, we actually changed this in 1Password 5 for Mac and iOS to take advantage of the new CloudKit APIs available for Yosemite and iOS 8. While your data is stored locally, 1Password will directly connect to Apple's CloudKit servers and push encrypted content data to a local private database that's owned by your AppleID account and 1Password. CloudKit gives us more power to keep the sync under our control (most of the time).
For the Wi-Fi sync, we establish a direct connection between your iOS device and the Mac, we handle everything ourselves manually.
When the devices login and the sync occurs, are they logging into a central location for authentication and if so, is that an Agile Bits server?
For iCloud, you're already logged in when you enable iCloud on your Mac and/or iOS device. When you install Dropbox, you had to authenticate before proceeding, so Dropbox can sync your data. On the desktops, you've already authenticated for iCloud and Dropbox and we don't have to do anything, we simply push the encrypted data on the local cloud folders and they'll simply push it to their servers, which will then go to other computers that's logged in with your accounts already.
Finally, is the encrypted Master Password passed around and/or stored in the cloud (iCloud, Dropbox, whatever)?
Your master password is not stored nor used anywhere in your data file. The only thing that is stored is the encrypted content of your encryption keys that we've generated on your behalf. We generate a key that's based on a very long complicated string of characters that nobody is going to remember and we use that key to encrypt your data. The only way you can get access to this key is by entering your master password because the key will be encrypted by your master password.
On the iOS device, your master password will be stored in the local secure iOS keychain when you enable TouchID. TouchID decrypts your master password, which passes into 1Password to unlock the data.
The Master password is synced between devices, I forget the technical terminology. :(
What you meant is encryption key. Master password is not stored anywhere and nor is it ever sync'ed anywhere. Encryption keys are encrypted by your master password. So while the encryption keys are sync'ed, nobody can decrypt it unless they know the master password.
When you open 1Password and enter your master password, 1Password uses that to decrypt the keys and that key is then used to decrypt the data. It is not your master password that encrypts your data but a very heavily strong key that we generate uniquely that is not linked to anything, we simply encrypt this key with your master password.
0 -
Many thanks for the detailed walkthrough. Like I said in my initial post, you guys are fantastic at sharing the behind-the-scenes information and it's very much appreciated!
0 -
BTW - Wanted to close the loop: Was so happy with the answers and level of comfort I just bought an upgrade license. I switched to lastpass rather than upgrade from 1Password v3. Time to come back :)
0 -
@3l3phant welcome back :wink: if you have any questions, well you know exactly where to come to ask :smile:
0