iOS and Boxcryptor
Hi there,
After I used 1Password on Windows and OSX, I want to use it on iOS. While I trust the encryption, I don't trust transfers and live access on encrypted data. That's why I'm using extra encrypted folders in Dropbox for the vault. I had to find out that there's no option for Boxcryptor. Are there any plans to integrate it?
Comments
-
Hi @flocola and @bwoodruff
Might this be of any help? I just posted a couple of minutes ago to a different topic ...
"Getting back on Boxcryptor, @DBrown ...
I had a one-hour conversation with their Head of Support, figuring out what follows:
Using Boxcryptor on a Macbook (probably a PC, as well) there is no problem accessing the vault through Boxcryptor. By this, the vault has been encrypted locally before uploading to Dropbox. So far, so good.
By the time you start 1Password on an iOS device the vault is synced instantly. Of course, this has to be done in order to provide the same passwords on any device at real time. This is what synching is for.
Even if the user - most likely - has installed the Boxcryptor app on his or her iOS device, on such a device 1Password is not running through Boxcryptor. According to the Head of Support, Apple has set up limitations to prevent one app from using another one, which might otherwise be advantageous. This means, by the time iOS is synching 1Password via Dropbox, everything that had been encrypted on the Macbook is immediately decrypted and, after that, can be seen decrypted in Dropbox via any browser - thanks to instant synching."
0 -
If I follow correctly that statement is incorrect. 1Password's data is encrypted before leaving your computer. Your vault is never sent to Dropbox unencrypted. Boxcryptor doesn't change this.
Ben
0 -
To be precise: Whatever file is stored locally will be encrypted by Boxcryptor locally before being uploaded to Dropbox. In this case it doesn't matter whether the original file is already encrypted - like 1Password's vault - or not. The decryption when synching with iOS is limited to Boxcryptor's encryption. The vault's encryption itself is not affected.
In other words: With Boxcryptor from your Mac OS you get a double encryption, which is reduced to single encryption once synched with iOS.
Within these margins: Boxcryptor indeed does not change the 1Password encryption. Pardon me for being misunderstood.
Marcellus
0 -
Gotcha. Thanks for the clarification, Marcellus. :)
Ben
0 -
Hi @flocola and @Marcellus,
I expect that you will be disappointed to learn that we are not actively working on iOS and Android support for synching via things like Boxcryptor, SpiderOak, Tresorit, and other end-to-end encrypted synching services. (I'm leaving out for the moment discussion of CloudKit synching.)
It's harder than you might think
It is actually a lot of work to bring a new synching system to mobile. On the desktop, of course, we can use Folder Sync, so in principle we don't have to do anything special to support any of those kinds of things. In practice we still do have to do a lot of work to make sure that 1Password doesn't freak out when working with unreliable filesystems. Indeed, if I may quote from our most recent release notes for 1Password for Mac 6.0.2:
Fixed an issue where unlock could hang for a long time if syncing to an unavailable Network Storage Device. {OPM-3677}
I'm using this to illustrate that even the "easy" cases where 1Password shouldn't even know or care that it is working with a non-native filesystem can cause trouble. On mobile, we have to work with some API (if it is available at all) that often isn't really built for the kind of multiple file fetching and updating that we need. Indeed, we worked closely with Dropbox in getting the kinds of behaviors in their mobile API that we needed back in the early days of Dropbox synching to iOS.
“What? So you are too lazy to do the hard work?”
Just because something is a lot of work doesn't mean that it shouldn't be done. Lots of things that we do do are a lot of work. But we have to make choices about where we put our efforts.
What's the security gain
There is a security gain in using a sync system that provides end-to-end encryption on its own, independent of what 1Password does. An attacker who gets hold of the data from a sync service would need to first break through that additional encryption before they could begin to try to attack your 1Password data. Indeed, we advise people to use Full Disk Encryption on their home computers for similar reasons. (Though that is good in general, and not particularly relevant to 1Password data.)
But we have designed 1Password with the expectation that people will have their data stolen. It can be through theft of a laptop or a compromise of a sync service. And this is where we put a great deal of our focus on security. 1Password itself provides strong, end-to-end encryption.
We can't expect that all of our users will always be using encrypted file systems either locally or end-to-end remotely. Nor can we assume that those can't be evaded. For example, locally encrypted filesystems don't always protect you if the machine is captured while running.
So the gain of having another layer of encryption beyond 1Password's isn't all that big. Particularly if the work to make it happen would be large, while only improving things for a small portion of users. Instead, we focus on security design and features that improve things for everyone.
Alternatives
Accept that 1Password's end-to-end strong, authenticated encryption is enough.
Folder Sync + WiFi Sync
If you really feel that you have a compelling need for that additional layer, you can use Folder Sync over whatever encrypted sync service you choose among your computers and then use WiFi Sync to your mobile device.
It does mean more work for you, as you will have to initiate the WiFi sync between desktop and mobile for 1Password. But this way you have a great deal of freedom in how your data exists "in the cloud" if, for whatever reason, you feel that 1Password's strong end-to-end encryption isn't enough for you.
Please take a look at 1Password for Teams. We've worked to build it so that the data that is stored remotely is not worth attacking. For example, we've set things up so that even if someone grabbed every ounce of data from our servers, they still would not be in a position to launch a password cracking attack against your data. We use Two-Secret Key Derivation to do this.
Nothing is ruled out
Now just because I may have given you a disappointing answer to your direct question, nothing is written in stone. As technologies and needs change, we might come back to this. We've been known to change our minds before. But I'm not going to give you a "we are looking into this" kind of answer when at the moment we've decided to put those sorts of explorations on hold.
Of course even if such explorations are on hold, we do try to pay attention to which such services look most promising and what tools they have for the various platforms we support.
I am also hoping that, even if you disagree with our decision, that you see that it is a reasonable decision.
Cheers,
-j
0 -
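The point in the post above is that data stored on the server should not give an attacker enough to start cracking passwords. The added example below (not 1Password's code, and the constants, info strings and verifier construction are assumptions for the demo) shows the shape of a two-secret derivation: a low-entropy password is mixed with a high-entropy secret that only the device holds, so a server record plus a candidate password list verifies nothing without that second secret.

```python
import hashlib
import hmac
import secrets

# Hypothetical demo parameters, not 1Password's actual constants.
PBKDF2_ITERATIONS = 10_000
KEY_LEN = 32

def hkdf_sha256(ikm: bytes, info: bytes, length: int = KEY_LEN) -> bytes:
    """RFC 5869 HKDF (extract with a zero salt, then expand) over SHA-256."""
    prk = hmac.new(b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def derive_key(password: str, secret_key: bytes, salt: bytes) -> bytes:
    """Two-secret derivation: a password-derived key is XORed with a key derived
    from a high-entropy, device-held secret. Neither half alone is useful."""
    pw_part = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS, KEY_LEN)
    sk_part = hkdf_sha256(secret_key, b"2SKD-demo", KEY_LEN)
    return bytes(a ^ b for a, b in zip(pw_part, sk_part))

def new_secret_key() -> bytes:
    """128-bit random secret generated on the client; never sent to the server."""
    return secrets.token_bytes(16)

def make_server_record(password: str, secret_key: bytes) -> dict:
    """What the server stores: a salt plus a verifier derived from the key.
    A hash of the derived key stands in here for a real SRP-style verifier."""
    salt = secrets.token_bytes(16)
    verifier = hashlib.sha256(derive_key(password, secret_key, salt)).digest()
    return {"salt": salt, "verifier": verifier}

def find_matching_password(record: dict, candidates, secret_key: bytes):
    """Return the candidate whose derived key matches the stored verifier, or None.
    With the real secret key this is a plain dictionary check; without it,
    every candidate derives an unrelated key and nothing matches."""
    for cand in candidates:
        k = derive_key(cand, secret_key, record["salt"])
        if hmac.compare_digest(hashlib.sha256(k).digest(), record["verifier"]):
            return cand
    return None
```

Run `find_matching_password` once with the device's secret key and once with a guessed one to see the difference: the stolen server record is only checkable by someone who also holds the client-side secret.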
Thank you both for sharing your mind on this post; that's how I imagine a good working community for a very important task like storing passwords in one place. That's why I trust you, and not another keychain system....
The alternative to sync via WiFi makes the most sense for me, if there is a need to share all passwords to all devices. In my case I will go for a second vault just for mobile logins, because I don't need root passwords on mobile. What you proposed with "1Password for Teams" is exactly my goal with using Boxcryptor as a layer between. Even if someone grabs the data stored in a cloud or while synchronizing, it would be too much effort to break into two high-graded encryptions. I don't rely on the encryption used to establish the connection to Dropbox or iCloud or any other service. That's the security gain I can see. You could call it somewhat "1Password for Teams - Personal Edition", while the name without context makes no sense... :-)
The other side of the medal I see is that mobile devices/OSs are getting more powerful year by year. There will be a point where there will be mostly no difference in capabilities between mobile OSs and desktop OSs except the raw computing power. So I think you could lift this great product to industry with your concept of "1Password for Teams" with the option to use own storages, which as far as I know is what companies want. I can clearly see your standpoint on why you didn't apply it yet and why there are no plans to do so at this moment; the dependency on OS APIs often cuts off many things we have in mind. That's why I only asked if there are any plans...
PS: don't wonder, English is not my native language :).
0 -
Thanks, @flocola. Thank you for asking and thank you for your understanding.
Mobile devices are becoming more powerful, but the sandboxing on them still makes them a very different environment. It is why we need an API on mobile, while on the desktop we just read and write to what looks like the native filesystem.
0