Multiple unlocked vaults with ease of use on MS Windows and Mac

Hawkwind
Community Member
edited November 2014 in 1Password 4 for Windows

I've seen a few threads that touch on this subject, but none that I saw covers all of these.

Currently using:

Mac OSX 10.9.4 with 1Password 4.4.3

Windows 7 64-bit SP1 with 1Password 4.1.0.526

Sync and sharing vaults via Dropbox

1. Family use cases: For example a Husband and Wife each have their own personal non-shared vault and a vault shared between them for commonly shared entities (logins, etc) such as child's school or team sports/activities registration/management, shopping, pizza ordering, joint credit cards, etc with both vaults concurrently unlocked for ease of using them. Having to change vaults and enter the master password (when on Windows) every time one changes to another vault is hard to accept since it makes using multiple vaults more time consuming/complex, etc.

Copying/moving entities from one vault to another is so very time consuming and complex on MS Windows especially if we are using appropriate master passwords that take time to enter. These master passwords must be entered for each switch to a vault every time an entity is copied. Even more time consuming if one needs to copy multiple entities since one can copy only one entity at a time. This means going back and forth from source vault, switch to target vault, enter its master password, paste (if it works - sometimes it doesn't), then switch back to source vault entering its master password and so on... Tried a few other methods including having the password for the other vault stored inside each vault. Not much success or it was even more complexity, but the details/troubleshooting is for another day.

I assume that on the Mac, 1Password is using the Mac's keychain to store/cache the password once the given vaults are unlocked and this keychain feature does not exist in MS Windows. On Mac, this WORKS WELL and is EASY TO USE. However, why use keychain for this purpose just to keep multiple vaults open? Maybe keychain was used because it was easier/faster to deploy multi unlocked vaults, but best if redesigned and use internal aspects of 1Password to maintain unlocked states. A development as well as user interface feature benefit of changing to an internal 1Password facility could be the use of the same or similar design for MS Windows.

Are the vaults even open concurrently? Or on Mac it's the same as in Windows but on the Mac the switch to another vault just seamlessly unlocks the requested vault behind the scene from the cached password in the Mac keychain?

On MS Windows once above is implemented, also implement the ease of copy and move to another vault just like in Mac version - i.e.: not copy and paste, instead use the right-click then choose vault to copy or move.

To ease use even further, have an option to combine the entities for all opened/unlocked vaults into one list using a view option toggle. Internally and within the details of each entity, store and show the vault(s) this entity belongs to and is physically located. Reason: For scenario 1 in most cases, why should someone manually have to remember which vault a given entity is stored and have to go inside the given vault to use or edit it. For this combined list option above, I assume you would have to have vaults unlocked and actually open concurrently.

Add the ability to select multiple entities even across categories (Logins, Software Licenses, Credit Cards, etc) and allow to copy and/or move just like individually on a Mac.

2. Other use cases with or without the above, might be the need to have shared with non-shared vaults, but one or more vaults cannot be unlocked along with other unlocked vaults - business/security rules/policies/etc. To mitigate this with the above suggested enhancements, would be to add a toggle option per vault maintaining whether or not a vault could be left unlocked along with other vaults.

Thanks,

Comments

  • DBrown
    1Password Alumni
    edited November 2014

    @Hawkwind, thank you for using 1Password!

    If there aren't any threads covering all of these questions, it's probably because this one contains a lot of questions! :D I'll try answering them in the order in which they're presented.

    Having to change vaults and enter the master password (when on Windows) every time one changes to another vault is hard to accept since it makes using multiple vaults more time consuming/complex, etc.

    It's true—1Password for Windows does not include the concept of primary and secondary vaults. Each vault stands alone, and only one vault can be open at a time. (That last part is true of 1Password for Mac, as well; it's just able to unlock so-called "secondary" vaults without prompting you for their individual master passwords.)

    Copying/moving entities from one vault to another is so very time consuming and complex on MS Windows especially if we are using appropriate master passwords that take time to enter.

    It's much easier to select the items you want to share (copy to another vault) and export them to 1PIF. Then you can unlock the "destination" vault and import the 1PIF. (Be sure to "securely delete" the 1PIF when you're through; it's a plain-text file, so the values in it aren't encrypted.)

    Once you've got the items you want to share in a separate vault, you can sync that vault with the other people, and tell them the master password with which it can be unlocked.

    I assume that on the Mac, 1Password is using the Mac's keychain to store/cache the password once the given [secondary] vaults are unlocked...

    That's not the case. 1Password for Mac has an internal database, and the primary-secondary relationships are recorded there, along with the encryption keys for any defined secondary vaults. Only if you sync using Dropbox or folder-based syncing does 1Password for Mac write out the .agilekeychain folder that is needed by 1Password for Windows. The .agilekeychain format does not accommodate those definitions of primary-secondary relationships.

    1Password for Windows has no internal database, though. It uses the .agilekeychain folder directly. Until something in that setup changes, whether it's 1Password for Windows gaining an internal database or the .agilekeychain (or .opvault) folder format gaining a way to store the necessary metadata, 1Password for Windows will not be able to open multiple vaults with a single master password. (We're not even certain that's the best model possible, by the way. My guess is that the eventual solution won't look exactly like it does in the current version of either 1Password for Mac or 1Password for Windows, but that remains to be seen.)

    Are the vaults even open concurrently?

    As noted above, no—only one vault is open at a time in 1Password for Mac, as well.

    [In 1Password for Windows], also implement the ease of copy and move to another vault just like in Mac version...

    As noted above, vault handling on all the platforms for which we create 1Password is an ongoing project.

    ...have an option to combine the entities for all opened/unlocked vaults into one list using a view option toggle...

    This is an interesting idea that has come up in recent discussions. Thanks for letting us know it would be useful to you, too!

    Add the ability to select multiple [items] even across categories..., and allow to copy and/or move just like individually

    You can do that today: just select the built-in All folder, and proceed with selecting items for export, as described above.

    ...add a toggle option per vault maintaining whether or not a vault could be left unlocked along with other vaults.

    As noted above, vault handling is a work in progress.


    Thanks so much for taking time to lay out your thoughts on all of this, @Hawkwind!

    We'll be glad to hear from you again, but maybe you could have separate threads for separate issues...just to make it easier for other folks to follow the threads in which they're interested.
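
DBrown's reply above notes that a 1PIF export is plain text and should be securely deleted after import. As an added example (not part of the thread and not AgileBits code), this Python sketch lists leftover exports under a folder such as a synced Dropbox directory; matching on the `.1pif` name, the folder-package case and the JSON-text heuristic are assumptions, and the sample files are constructed.

```python
import os
import time

SUFFIX = ".1pif"  # extension named in the thread; matching by name is an assumption

def find_1pif_exports(root):
    """Return sorted (path, size_bytes, age_days) for every leftover export file.

    Matches files named *.1pif and any file inside a folder named *.1pif
    (assumption: an export may be one file or a folder package).
    """
    now, hits = time.time(), []
    for dirpath, _dirs, filenames in os.walk(root):
        parts = os.path.relpath(dirpath, root).split(os.sep)
        in_package = any(p.lower().endswith(SUFFIX) for p in parts)
        for name in filenames:
            if in_package or name.lower().endswith(SUFFIX):
                path = os.path.join(dirpath, name)
                st = os.stat(path)
                age = max(0, int((now - st.st_mtime) // 86400))
                hits.append((path, st.st_size, age))
    return sorted(hits)

def looks_plaintext(path, probe=64):
    """Heuristic (assumption): readable export data starts with JSON-like text."""
    with open(path, "rb") as fh:
        head = fh.read(probe).decode("utf-8", errors="replace")
    return head.lstrip().startswith("{")

def make_constructed_tree(root):
    """Build constructed sample files; none of this is real vault data."""
    item = '{"title": "constructed item", "password": "not-a-real-secret"}\n'
    os.makedirs(os.path.join(root, "Shared.1pif"))
    samples = {"export.1pif": item.encode(),
               os.path.join("Shared.1pif", "data.1pif"): item.encode(),
               "photo.jpg": b"\xff\xd8\xff\xe0"}
    for rel, data in samples.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as demo:
        make_constructed_tree(demo)
        for path, size, age in find_1pif_exports(demo):
            flag = "PLAINTEXT" if looks_plaintext(path) else "check manually"
            print(f"{flag}: {path} ({size} bytes, {age} days old)")
```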

  • RichardPayne
    Community Member

    @DBrown
    If I've understood it correctly, it should not be too different to add a new category code to both agilekeychain and opvault formats called "Linked Vaults". Every 1Password could then implement multiple vaults in the same way as Mac without relying on the Mac's internal database implementation.

  • DBrown
    1Password Alumni

    At a minimum, there are multiple versions of 1Password on four different operating systems that would all need to be updated simultaneously to be able to read and write the .agilekeychain or .opvault folder.

    A representative of Dev should probably answer this one, though.

  • RichardPayne
    Community Member

    What I had in mind should only require that all versions ignore unknown category codes. After that, the various teams can implement support for the new code at their convenience.

  • AlexHoffmann
    edited November 2014

    This is something the devs might need to figure out.
    What we're trying to do, though, is to create a common basis for all 1Password apps and this will require a concerted effort.

    I won't say that your idea doesn't have its merits—because it clearly does—but this would only sidetrack/delay efforts for a proper implementation in all apps.

  • svondutch
    1Password Alumni

    What I had in mind should only require that all versions ignore unknown category codes

    @RichardPayne unfortunately, old versions (such as 1Password 3 for Mac, for example) do not do this.

  • RichardPayne
    Community Member

    @RichardPayne unfortunately, old versions (such as 1Password 3 for Mac, for example) do not do this.

    ok, but surely it's a relatively trivial change to make do it?

This discussion has been closed.