Unlocking all vaults with Primary master password

Drew_AG
1Password Alumni
This discussion was created from comments split from: Questions about using multiple vaults for our business.

Comments

  • tsm_100
    Community Member

    "Unlocking your Primary vault with its master password will also unlock all the secondary vaults in 1Password on that Mac. Therefore, if your "main shared vault" is set up as the Primary vault, unlocking it will automatically unlock all the secondary vaults as well."

    I have 3 vaults and a primary vault. Unlocking the primary vault allows me to open all other vaults without their unique password (as you've explained above) which works perfectly for me.

    However other people in my company unlock their primary vault, and it doesn't then auto unlock the other vaults and so they need to remember the additional 3 passwords. How do we get around this?

    Thanks,
    Andrew

  • Drew_AG
    1Password Alumni

    Hi @tsm_100,

    Your question is a bit different than the one in the previous discussion, so I've moved your message to a new thread. I hope you don't mind!

    "However other people in my company unlock their primary vault, and it doesn't then auto unlock the other vaults and so they need to remember the additional 3 passwords."

    Are those other people using the Mac version of 1Password, or the Windows version? The reason I ask is that unlocking vaults works differently on Windows than on Mac. In 1Password for Windows, there's no concept of Primary or secondary vaults, so each vault needs to be unlocked separately with its own master password. Each time you switch from one vault to another on Windows, you'll need to enter the master password for the vault you're opening.

    On the other hand, if they're all using 1Password for Mac, did they each create their own secondary vaults on their own Macs, or are they trying to use vaults that have been shared via Dropbox? In the case of shared vaults, have they added those shared vaults to the 1Password app? To add a vault as a secondary vault on a Mac, they would just need to double-click the .agilekeychain file for the shared vault, and 1Password should prompt them to add it as a secondary vault. They'll need to enter the master password for that vault in order to add it to 1Password that first time, but after that, it will be automatically unlocked when the Primary vault on that Mac is unlocked.

    Does that help to explain what's happening at all? If not, please let us know the exact version of 1Password they're using on their Macs, the OS X version, and if they have multiple vaults listed in the main app when they go to the menu for 1Password > Switch to Vault. Thanks in advance! :)

  • tsm_100
    Community Member

    Not an issue at all @Drew_AG - appreciate the reply.

    1. These users are on 1Password for Mac (as am I).
    2. Myself, the user who cannot unlock all vaults (User #2), and another user (User #3, who I just tested) who can unlock all vaults are all using v5.3.2.
    3. When I set up 1Password there was 1 vault, which everyone in the company had access to, so there was one password.
    4. User #2 also created a 'personal' vault that they set up before our company vault was added through Dropbox, so their personal vault was their primary vault.
    5. So User #2 has one password for their primary vault (personal passwords), and then another password for our company vault.
    6. Because we wanted multiple people to have access to not all the vaults, I created 3 additional vaults, and added them to everyone's 1Password through the Dropbox file as you mention above.
    7. For myself, I still have the original primary vault (now with no passwords in it) and the 3 other company vaults which I've moved all the passwords across to. So when I open 1Password it pops up with the primary vault with no passwords and I enter that original password, which I can then toggle to all other vaults.
    8. User #3 has this exact same setup as me. They had the original primary vault, and now they have 3 additional vaults. They sign into the empty primary vault, and can then access the other vaults I've given them.
    9. User #2, however, still has their primary vault as their personal vault, which when they unlock, they cannot then toggle between all the other company vaults and have to enter each vault's password.
    10. I've just checked and User #2 does not have their primary vault synced to Dropbox. Could this be why they need to enter additional passwords, as it opens and isn't synced to Dropbox so doesn't create a 'link' between the other Dropbox vaults?

    Hope all that makes sense..

    Thanks,
    Andrew

  • Drew_AG
    1Password Alumni

    Hi @tsm_100 / Andrew (great name, btw! ;) )

    Thank you for all the details! So it sounds like this problem is happening for just one person (User #2) on their Mac, and it's working fine for the others (including you and User #3)? This is certainly a strange issue, and I haven't heard of this happening before. But I'm sure we'll figure it out one way or another!

    If you don't mind, I'd like to make sure I understand User #2's exact workflow. Can you please have User #2 read through the following to confirm if this is exactly what they do (and see) when they reproduce the issue?

    • User #2 launches the main 1Password app (which is locked) and sees "Unlock Primary Vault" in the master password field.
    • They enter their personal master password to unlock the Primary/personal vault.
    • It unlocks correctly and shows their Primary/personal vault data.
    • The top left corner of the window shows "1Password" (above the categories), and when User #2 clicks on that, it shows 4 vaults (Primary/personal vault at the top of the list, then 3 secondary vaults (i.e. the 3 shared company vaults) below that).
    • When User #2 selects the 2nd, 3rd, or 4th vault in that list, the app locks itself, and shows "Unlock [company vault name] Vault" in the master password field.

    Sorry to be so specific here! But if you can have User #2 verify that's exactly what they do and what happens, it will be helpful for us. Thanks!

  • tsm_100
    Community Member

    That is all correct @Drew_AG.

    User #2 has pretty much the same setup as another user (User #4). However, for User #4 I installed the company main vault first, before setting up their personal vault. So right now User #4 has 4 vaults as well; however, the primary vault is the original company vault, and their personal vault (vault 2) is also synced to Dropbox, whereas User #2's personal vault isn't synced anywhere. And User #2's primary vault is their personal vault.

    Perhaps it has something to do with the primary vault for User #2 not being synced to Dropbox?

  • Drew_AG
    1Password Alumni

    Thanks for confirming that @tsm_100. It doesn't matter if the Primary vault isn't synced to Dropbox (but thanks for mentioning it again, I forgot to explain that the first time). The ability for the Primary vault to unlock the secondary vaults on a Mac isn't connected to Dropbox or the other sync options at all. The way it works is that there's a database on your Mac (an sqlite file) that contains all your 1Password vaults, as well as the encryption keys for those vaults. Each vault has its own key, and each key is encrypted by the master password for that specific vault. In the sqlite database, the Primary vault is given access to the encryption keys for the other secondary vaults on that Mac, so unlocking the Primary vault allows it to unlock the other vaults. But this relationship between vaults only exists in the local sqlite database, not in the .agilekeychain files that are stored in Dropbox.

    At this point, to help us figure out why that's not working as expected on User #2's Mac, I'd like to ask you (User #2) to create a Diagnostics Report from their Mac: https://support.1password.com/diagnostics/mac.html

    You/they can attach the Diagnostics Report to an email message addressed to support+forum@agilebits.com.

    Please do not post that Diagnostics Report in the forums, but please do include a link to this thread in the email, along with your forum username so that we can "connect the dots" when we see the Diagnostics Report in our inbox.

    You (or User #2, depending on who emails us) should receive an automated reply from our BitBot assistant with a Support ID number. Please post that number here so we can track down the report and make sure you receive a reply as quickly as possible.

    Once we see the report we should be able to better assist you. Thanks in advance! :)
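
Added example (not part of the original thread, and not 1Password's code): a minimal model of the key hierarchy described in the reply above, where each vault key is wrapped under its own master password and the local database additionally lets the Primary vault unwrap linked secondary vault keys. The `LocalDB` class, its method names, the use of PBKDF2 and the toy HMAC-based wrap are all assumptions made for illustration; the thread does not describe the real storage format or cipher.

```python
import hashlib
import hmac
import os

def kdf(password, salt):  # key-encryption key derived from a master password
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def wrap(kek, key):
    # Toy authenticated wrap of a 32-byte key (stand-in for a real AEAD cipher).
    nonce = os.urandom(16)
    pad = hmac.new(kek, b"pad" + nonce, hashlib.sha256).digest()
    ct = bytes(a ^ b for a, b in zip(key, pad))
    return nonce + ct + hmac.new(kek, b"tag" + nonce + ct, hashlib.sha256).digest()

def unwrap(kek, blob):
    nonce, ct, tag = blob[:16], blob[16:48], blob[48:]
    good = hmac.new(kek, b"tag" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        raise ValueError("wrong password/key or corrupted entry")
    pad = hmac.new(kek, b"pad" + nonce, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(ct, pad))

class LocalDB:
    """Hypothetical model of the per-Mac database described in the thread."""
    def __init__(self, primary):
        self.primary = primary
        self.vaults = {}  # name -> (salt, vault key wrapped under its own password)
        self.links = {}   # secondary name -> vault key wrapped under the Primary key

    def add_vault(self, name, password, vault_key=None):
        # vault_key is supplied when importing a shared vault, else generated.
        vault_key = vault_key or os.urandom(32)
        salt = os.urandom(16)
        self.vaults[name] = (salt, wrap(kdf(password, salt), vault_key))
        return vault_key

    def unlock(self, name, password):
        salt, blob = self.vaults[name]
        return unwrap(kdf(password, salt), blob)

    def link(self, name, password, primary_password):
        # One-time step: needs the secondary's own password; stored only locally.
        pk = self.unlock(self.primary, primary_password)
        self.links[name] = wrap(pk, self.unlock(name, password))

    def unlock_all(self, primary_password):
        pk = self.unlock(self.primary, primary_password)
        return {self.primary: pk, **{n: unwrap(pk, b) for n, b in self.links.items()}}
```

In this model `unlock_all` returns keys only for vaults that have an entry in `links`; a vault that was added but never linked on that machine still needs its own master password through `unlock`, regardless of where its file is synced.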

  • tsm_100
    Community Member

    Thanks @Drew_AG. Email just sent to "support+forum@agilebits.com".

  • Drew_AG
    1Password Alumni

    Thanks @tsm_100, we received that Diagnostics Report, and I've updated the email thread with details from this forum discussion so it's easier for our support team to get up to speed with the issue. Someone will get back to you as soon as possible with more information, and we'll keep the conversation going directly via email to avoid complicating things between here and there. Thanks so much for your patience, hopefully we'll get this all straightened out soon! :)

    ref: KJE-68511-816

  • tsm_100
    Community Member

    Appreciate the help @Drew_AG

  • Drew_AG
    1Password Alumni

    :+1:

This discussion has been closed.