Share Vault Set Up Using WiFi

serky

Hi
I need help setting up a shared vault/s. I have 4 vaults and want to share 2 of them with my husband on the same Mac, his iPad and his iPhone. I do not want to use Dropbox (or any other cloud solution). I was intending to share the vaults with him on the Mac and then use WiFi to sync across all our devices.
I only want to use WiFi to set this up. I have read the WiFi instructions for syncing and these seem straightforward but seem to rely on already having shared the vault.
Can I import the shared vault data to his Mac 1Password to set up the vault initially? (I have logged onto the Mac as him and opened 1Password. He has never used it before so it prompts me if 'already have 1Password data somewhere else?' An option is 'This Mac'. If I choose this, can I select my 1Password file '***.agilekeychain' to set up the data initially?)

If this is not an option, how do I share the vault without using Dropbox?

Thanks

---

1Password Version: 6.1
Extension Version: 4.5.4
OS Version: OS X 10.11.3
Sync Type: To be decided!
Referrer: forum-search:wifi share vault

nathanvf

Hi there @serky,

So, you wouldn't be able to sync from your Mac to another Mac. But you can sync to his iPhone via wifi, and then he can disconnect and reconnect to his Mac and then sync his other iOS devices from there. I also think you might have some limitations in offering your vaults for sync. For example if you currently sync all your vaults for your devices, you might have to play with the settings to only offer the two you want him to access. It also doesn't appear as if you can prevent your primary vault from syncing.

You would not have an agilekeychain file to start with if you are wifi syncing only. You can just setup a new vault to start out with and then go to the settings and setup the wifi syncing to get the items initially sync.

Ultimately the only other option would be Dropbox sync, even though I realize that you do not want to do it that way. But ultimately it would give you the more fine-grained setup for syncing.

serky

Hi nathanvf
thanks for the reply but I still need help. I don't currently sync anything as I was previously using 1Password3 in a very basic manner. I have now upgraded to v6 and want to manage and share our information more effectively.
I think my confusion is around both of us accessing 1Password on the same Mac ie - we only have one Mac. I have set up 4 vaults under my login. How does my husband see this information when he logs onto the Mac under his name? How do I set it up? What process ensures the data remains synced? Can I limit which vaults he 'sees'?
Thanks

Jacob

@serky On behalf of Nathan, you're welcome. I'd be happy to help out with your followup question. Using 1Password with multiple users on the same computer is quite easy. First, install the app on your husband's account. You can use your license for it since he's in the same household as you. Once you've installed the app, are you looking to share any passwords with him or do you two have different sets of data? If you want to share things, you can use Dropbox to do that or you can use 1Password for Families, which is built specifically for sharing among a family. If you give us a bit more info about what you need, we can recommend one over the other. :)

serky

Hi penderworth

I do not want to use the cloud or 1Password for Families. We only have a small amount of data that needs to be shared. We will be sharing 2 vaults and have several other personal vaults each. We will be using WiFi to sync our respective 1Password data from the Mac with our respective mobile devices. I want to understand how to share the 2 vaults between our logons on the Mac and ensure that they remain synced with each other eg -
1. if he logs onto the Mac and changes data in the shared vault, how will I see the update?
2. if he makes a change on his iPhone to data in a shared vault and then syncs it back to the Mac, how will I see the change when I logon to the Mac?

Note that I can open the app under his logon. It prompts me if 'already have 1Password data somewhere else?' An option is 'This Mac'. If I choose this, can I select my 1Password file '***.agilekeychain' to set up the data initially?

I just don't understand 1. how to set it up on the Mac initially so that he has access to the data and 2. what syncs the data between his logon and mine on the Mac.

Thanks

littlebobbytables

Hi @serky,

I apologise for the confusion caused by our previous attempts to help. We can all have off days and that's true at work just as much as at home. I believe I understand what you're wanting to do and what needs to be done to allow it. If I'm correct and not having an off day myself the following should help.

What you will need to use is the Folder Sync option. As you are aware, we need to use some kind of sync between these copies of 1Password if the two shared vaults are to remain the same. Dropbox and iCloud are out as you don't want to use them and you've said you don't want to consider 1Password Families which is your choice to make. This leaves Folder Sync to synchronise between two copies of 1Password for Mac.

Now Folder Sync requires somewhere to sync to. One option would be a flash/pen drive but that's more about sharing between two Macs and comes with the fantastic title of sneakernet (sorry, I just love saying it). We also have a Shared user folder in every copy of OS X so we should be able to use that shouldn't we? We can, just not in it's default state. In the default state the Shared user folder will let both of you write to it and read files the other person wrote but if you create an item in your vault and that creates a file then only you can edit it later and that's not very useful. So the first thing we need to do is make the Shared user folder more useful by allowing all users to read and write to any file in their regardless of who the owner is. This can be accomplished by the following.

1. Use Spotlight to open a Terminal window.
2. Paste the following command into the Terminal window and press enter. The command is sudo chmod -R +a "everyone allow list,add_file,search,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,file_inherit,directory_inherit" /Users/Shared You will be asked for your password and I'm assuming your account is an Administrator account.

This will alter the default privileges of the /Users/Shared/ folder so that you both can do anything to any file in there.

Now you want to set up Folder Sync so that the two vaults you want to share are being synced to there.

Having done this you can now point 1Password from his account to the sync container for the shared folders. With both copies of 1Password syncing to the same OPVaults any changes made in one copy of 1Password for Mac will be passed to the other.

With this set up you can now both separately set up Wi-Fi Sync from your own copies of 1Password for Mac to your respective iOS devices. Don't worry, you can use a combination of Wi-Fi Sync and Folder Sync for the two shared vaults so that your iOS devices see them as well as your shared Mac. Changes to one of the shared vaults on your iOS device will be synced to your respective copies of 1Password for Mac the next time 1Password for Mac and iOS are both unlocked and from there those changes are then synced to the /Users/Shared/ where they can then be picked up by the other person when you swap accounts.

Have I understood your requirements and does this sound like a viable plan? Please keep us updated and if you need further assistance or if any of the instructions are unclear at all please let us know.

serky

Hello littlebobbytables
you are a champion! This is exactly what I want. Sorry if I didn't explain it very well but it seems like we're on the right track now! I just have some extra questions.
1. When I change the default privileges of /Users/Shared/, does that mean that anyone who logons onto the Mac can 'do anything to the file' in there eg - a 'guest user' or another logon for the Mac? This isn't a big problem as it's not likely there will be other users but I just want to understand the implications.
2. Do I just follow the instructions in the user guide Section 2.4 to setup folder sync? And do I just set up any folder in /Users/Shared/?
3. Is this methodology secure - or do I need to set up other security measures?
Thanks :)

littlebobbytables

Greetings @serky,

I think you explained yourself very well. I've had experience of this kind of request before which is why when I read your posts I was confident I knew precisely what you wanted. We all have our strengths and weaknesses and it just so happened this is an area I feel reasonably good at :smile:

1. You are correct that any other account could alter anything in the /Users/Shared/ folder. I would assume Guest can as well as I don't know otherwise and I admit that's partly because while I can understand that feature it frustrates me - I don't want a guest account on my encrypted MacBook. I'm thinking it must be possible to exclude the Guest account though so if that could be an issue for you let me know and I'll do some testing in a VM copy of OS X that I have (which is specifically for testing and breaking this sort of stuff so you and I don't have to on our real computers).
2. That's correct, you would follow the steps in that section of the guide and use the /Users/Shared/ folder as the location. As it's multiple vaults maybe you want to keep it tidy and first create a 1Password folder and have the two vaults sync in there. Basically though you have complete control of the folder structure and can do as you wish. All that matters is it is somewhere in the /Users/Shared/ so we benefit from both accounts having access.
3. For me this would be secure. The vault never leaves your Mac and I also use FileVault. I'm happy that my SSD in the MacBook is encrypted, the sync container is also encrypted and it never leaves my Mac which I guard carefully. I keep my OS X account locked when not in use so accessibility is minimal. I can't think of much more you could do to be honest (see question regarding Guest account in answer 1. though).

Please let me know if that helps and if you have other questions? keep them coming :smile:

serky

Hello littlebobbytables
I have finally had a chance to set this up. I didn't use the terminal command to set up access but rather used the 'get info' window and the permissions box to set access for the relevant folder (and any sub-folders). All seems to be working OK but I need to clarify a few of items:

A.) the primary vault for Account 1 syncs to a file 'XXXX.agilekeychain' in account 1 'home folder\library\application support\ 1Password' I believe this was set up automatically as part of the 1Password installation. None of the other vaults in Account 1 sync to a folder except the 'shared vault' with Account 2 (which has been set up in a special shared folder).

• Why does the primary vault need to sync with the 'XXXX.agilekeychain' file?
• Can this sync be removed?
• The primary vault for Account 2 does not sync with a folder/file. Do I need to set up a sync to the folder 'home folder\library\application support\ 1Password' for Account2?

B.) both Accounts use the same password to access 1Password. Can each account have their own password?

C.) will the 'shared' vault be 'backed up' and managed as part of the normal 1Password processes even though it's in a non-standard location?

Thanks

littlebobbytables

Hi @serky,

The issue with altering the permissions from the Get Info window in OS X is it doesn't alter how OS X behaves with new files. It's effect is almost all on the older Agile Keychain format because each item is a distinct file and so a new item means a new file. OS X applies the default permissions which don't equate to the folder permissions meaning it can cause issues with new items created inside your vault. What you would find happen is the person that created the item can edit while the other person can view but edits keep getting overwritten because OS X won't allow their copy of 1Password to write to that file.

The reason I mention the Agile Keychain format is the newer OPVault which is now the default in 1Password 6 for Mac uses bands. A set number of them are created and the items divided between them. As such, once the bands are created no new files are generated meaning the same issue doesn't apply.

So if you're syncing to a OPVault container in the Shared user folder what you did should be okay. If you're syncing to an Agile Keychain then you will likely run into quirky behaviour down the line and it will likely baffle as to what the heck is going on.

Now to your questions :smile:

1. Given the location you mentioned it sounds like you used to be a 1Password 3 for Mac user. When you 'upgraded' it was basically installing a brand new application which just happened to know where the old data was stored and understands the format. When we found that data, rather than importing the contents and deleting the file we left the file in place and set up syncing to it. That's convenient if the file was in the likes of Dropbox where you probably do want this but if you've completely moved away from 1Password 3 for Mac this syncing is no longer required. Chances are you don't use and even haven't thought about 1Password 3 for Mac in a while so you can go ahead and disable sync.
2. If the primary vault in 1Password in both of your accounts was syncing to a single Agile Keychain or OPVault then they would have to share a Master Password. The reason is we do kind of sync the Master Password (in a convoluted way that I'll skip for now) but basically the goal is if you change your Master Password for your primary vault from one device, all devices syncing that same primary vault and using it as a primary vault will also require the new Master Password. From your description though you're definitely not sharing a primary vault so you should both be able to have different Master Passwords. With your primary vault active, head into the Security tab of 1Password's preferences and you'll find the ability to change the Master Password. Just don't forget the new password!
3. A 1Password backup is actually a backup of the encrypted SQLite database file that resides locally in 1Password's support folder. This means a backup backs up all vaults in this copy of 1Password and that is regardless of whether they are being synced or not. If a vault is being shared like you're doing it means both copies of 1Password will be making their own backups of that vault because it appears in both copies. It also means it isn't possible to easily restore a single vault to a previous point in time when you have multiple vaults in your copy of 1Password. Should the need arise we can help as it's possible, it just involves a few steps.

Hopefully this helps clarify matters but if anything has come across as poorly worded and confusing please let me know. The notion of a primary vault and secondary vaults can get a bit convoluted given you can technically have a person's primary vault as a secondary vault and we know of couples that have done this, they each have their own primary vault but for convenience they have their spouse's primary vault as a secondary. It means conversations quickly have to delve deep into details to be accurate which never makes for light reading :tongue: If you have any further questions please let me know.

serky

Hello littlebobbytables
thank you for your detailed reply.
As I didn't follow your instructions re permission set-up, I did some testing to make sure both Accounts could create, read, update and delete items from their own Account or the other Account. This seemed to work OK so hopefully it will be OK in the future (fingers crossed!)

Re my questions:
1. yes I was originally a 1Password 3 user but have changed to 1Password 6. Given that syncing is no longer required, can I actually delete the 'agilekeychain' file?
2. for interest only, if I wanted to share the primary vault with both Accounts, would I just set up an OPvault (in the same manner I set up the 'shared' vault)? Just want to make sure I understand what is happening ...
3. you pre-empted my question re restore of 1Password information. In my case it is likely that we would want to restore all vaults from the same point in time ie - the same backup. Would it be as simple as copying the relevant OnePassword.sqlite for each Account back into each Account's 1Password's support folder AND the 'shared' OPvault into the folder that I have set up for sharing purposes? If it's more complicated than this, no need to go into detail - I was just curious!

littlebobbytables

Hi @serky,

1. You can yes. In fact if you don't use 1Password 3 at all then the entire folder that it lives in can be safely removed. Just to help keep things straight, if you're an AgileBits Store customer there will be two 1Password folders in your ~/Library/Application Support/ folder. The folder titled just 1Password belongs to 1Password 3 for Mac. The folder titled 1Password 4 belongs to 1Password 4-6 so you definitely don't want to remove that. We really do need to update titles as we know it causes confusion. The reason we created the 1Password 4 folder instead of continuing with the 1Password one was because some users did use both 1Password 3 and 1Password 4 in tandem for a while. Anyway, this is all in the past so the 1Password folder isn't used by any version newer than 1Password 4.
2. That is correct. Sharing or syncing of a vault is a per vault setting because many of our users desire this. So to sync a primary vault you would go through similar steps. If you have any questions about the idea of one person's primary being a secondary vault for somebody else just say :smile:
3. So the backup doesn't store OPVault or Agile Keychain containers because 1Password can generate new ones whenever you need it to. Other than that you pretty much right. The restore option in 1Password handles restoring this copy of 1Password to a previous point in time. It also disconnects syncing because you don't want to end up in the vicious cycle of restoring because something went wrong and syncing returning you to that exact state. If you've restored a vault that you synchronised what you would do is have 1Password create a new OPVault based on the now restored state of the vault you used to sync. Where it gets a little fiddly is on the other devices that also store this vault. It might be you don't want to restore these other devices so what you would do is delete just that vault from the other copies of 1Password and re-add it using the freshly generated OPVault. That way the various copies of 1Password don't try to do anything clever relating to merging stuff and instead all now accept that the new OPVault is the one true source. It's an area where if you've got any doubts I would always recommend contacting us so there isn't any accidental loss of data.

It sounds like you're using an OPVault so between that and your testing at least you can be confident of no nasty surprises later. Hopefully everything just runs smoothly :smile: