Vault Managers in 1P for Families?


Comments

  • monstermac77
    Community Member
    edited January 2017

    @brenty, thanks for your response. Yes, I understand that server policies don't permit them to access the data within those vaults, which is why I used the term "cryptographically capable".

    Is it not the case that every vault key in a family account is encrypted using the public key of what's termed in your white paper as the "recovery group", which in this case would be the public key of the family organizer? Thus, if a sufficiently technical family organizer were to obtain the encrypted vault data of a family member (possibly by taking a dump of their hard drive), wouldn't they be able to decrypt all of that family member's 1Password vaults?

    Perhaps they'd need some additional keys that are stored only on your servers and never transmitted to anyone, but my main point (and concern) is that so long as the recovery process exists for a user, then necessarily there must be a way to fully decrypt that user's 1Password data without using their account key and master password.

  • AGAlumB
    1Password Alumni

    > Is it not the case that every vault key in a family account is encrypted using the public key of what's termed in your white paper as the "recovery group", which in this case would be the public key of the family organizer? Thus, if a sufficiently technical family organizer were to obtain the encrypted vault data of a family member (possibly by taking a dump of their hard drive), wouldn't they be able to decrypt all of that family member's 1Password vaults?

    @monstermac77: That's an excellent question! The answer is no, because the data stored on their devices will also be encrypted with their private key, so the public key is not sufficient to decrypt it.

    > Perhaps they'd need some additional keys that are stored only on your servers and never transmitted to anyone, but my main point (and concern) is that so long as the recovery process exists for a user, then necessarily there must be a way to fully decrypt that user's 1Password data without using their account key and master password.

    Indeed, you make a very good point. It's very much something we were concerned about when designing 1Password.com. The idea is that there isn't a single entity with everything needed to access the data. The server has the encrypted blob but not all of the keys, and similarly with the clients. In this case, even as a recovery member, you don't have access to any data which can be decrypted only with the keys you have. Ultimately the most important pieces of the puzzle — the Account Key and Master Password — are never stored or transmitted either. :)

  • monstermac77
    Community Member

    > The answer is no.

    @brenty, thanks again for your response. I'm afraid you might be wrong on this one. I just finished reading AgileBits' white paper, and indeed, members of the recovery group (in our discussion, family organizers) are capable of decrypting any vault in that group (in our discussion, all vaults in the account) if they got their hands on the encrypted data (say, from a family member's hard drive). Here's the quote from page 46/47:

    > From a cryptographic point of view, the members of a Recovery Group have access to all of the vault keys in that group. Server policy restricts what a member of the Recovery Group can do with that access, but if a Recovery Group member is able to defeat or evade server policy and gain access to an encrypted vault (for example, as cached on someone else’s device) then that Recovery Group member can decrypt the contents of that vault.

    Here's the link to the original document: https://1password.com/files/1Password for Teams White Paper.pdf

  • AGAlumB
    1Password Alumni

    @monstermac77: Oh absolutely. The truth is we're both right. If you can get the data you could use the correct keys to decrypt it. What I'm saying is that in practice, you don't have the data and can't get it. Many have tried. You're right that it's theoretically possible though, but easier said than done. ;)

  • monstermac77
    Community Member

    @brenty, yeah I, unlike most users I'm sure, was concerned with that theoretical possibility (especially since the section of the white paper detailing the recovery process has not yet been completed).

    That said, I managed to work out a solution that I believe keeps my vault "secure" to the unreasonable degree I want (that is, completely unrecoverable by anyone, including family organizers in the case that I forget my master password and of course only accessible via my master password). I did this by navigating to the "Advanced" tab of 1Password preferences in the Mac app and turning on "Local Vaults". Now I store all of my especially sensitive data in that local vault, "Primary" (and it's synced between my devices using Dropbox). It's awesome that even as a member of a family account, I'm able to do this and maintain vaults outside of the 1Password account world. (Also, please let me know if my understanding of the recoverability/accessibility of my "Primary" vault is incorrect; I want to make sure I have that right).

    When I enabled this setting, I was a little fuzzy on what the sentence "You will use the primary vault to unlock 1Password from now on." meant. Any clarification for the technical specifics of what changes when you turn this on would be greatly appreciated!

  • AGAlumB
    1Password Alumni

    > Now I store all of my especially sensitive data in that local vault, "Primary" (and it's synced between my devices using Dropbox). It's awesome that even as a member of a family account, I'm able to do this and maintain vaults outside of the 1Password account world. (Also, please let me know if my understanding of the recoverability/accessibility of my "Primary" vault is incorrect; I want to make sure I have that right).

    @monstermac77: You're correct, and I love that you're enjoying this under-appreciated feature! It's certainly a trade-off depending on whether you want your account to be recoverable or not. While I know a lot of folks (myself included) use local vaults alongside an account, I hadn't heard of any doing so for this express purpose. It's a good solution! That way it's stored only on your device unless you sync it elsewhere, and no one but you has the data or any means to access or recover it.

    > When I enabled this setting, I was a little fuzzy on what the sentence "You will use the primary vault to unlock 1Password from now on." meant. Any clarification for the technical specifics of what changes when you turn this on would be greatly appreciated!

    This just means that 1Password will require your Primary vault's Master Password to unlock. Under the hood, this means that your Primary vault contains the keys for any subsidiary vaults (or accounts), but it sounds like you're probably already doing that manually so that won't be an issue. Let me know if that helps! :)
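
The distinction drawn in this thread between what server policy allows and what a recovery group member is cryptographically capable of, and why a local vault falls outside both, can be modelled as a small key graph. This is an added example, not code from the thread or from AgileBits; the people, key labels and wrapping layout are assumptions simplified from the white paper passage quoted above.

```python
# Added illustration; every name below is constructed, not taken from 1Password.
# (wrapped key, private key that unwraps it): a key wrapped to a public key
# can be recovered by whoever holds the matching private key.
WRAPS = {
    ("vault:alice-personal", "priv:alice"),           # member's own copy
    ("vault:alice-personal", "priv:recovery-group"),  # recovery copy
    ("priv:recovery-group", "priv:organizer"),        # group key, held by organizer
}
# Keys each person derives from their own secrets (Master Password, Account Key).
HOLDS = {
    "alice": {"priv:alice", "vault:alice-primary-local"},
    "organizer": {"priv:organizer"},
}
# Encrypted vault -> key that decrypts it. The local vault has no recovery copy.
VAULT_KEY = {
    "alice-personal": "vault:alice-personal",
    "alice-primary-local": "vault:alice-primary-local",
}
# Server policy: which encrypted vaults the server hands to whom.
SERVER_SERVES = {"alice": {"alice-personal"}, "organizer": set()}


def derivable_keys(person):
    """Fixed point: keep unwrapping until no new key is learned."""
    keys = set(HOLDS[person])
    changed = True
    while changed:
        changed = False
        for wrapped, unwrap_with in WRAPS:
            if unwrap_with in keys and wrapped not in keys:
                keys.add(wrapped)
                changed = True
    return keys


def cryptographically_capable(person, vault):
    """Ignores server policy: would the keys work if the ciphertext were in hand?"""
    return VAULT_KEY[vault] in derivable_keys(person)


def can_read(person, vault, obtained_elsewhere=frozenset()):
    """Needs both the ciphertext (via policy or another copy) and a key path."""
    has_ciphertext = vault in SERVER_SERVES[person] or vault in obtained_elsewhere
    return has_ciphertext and cryptographically_capable(person, vault)


if __name__ == "__main__":
    print(can_read("organizer", "alice-personal"))                      # policy only
    print(can_read("organizer", "alice-personal", {"alice-personal"}))  # cached copy
    print(can_read("organizer", "alice-primary-local", {"alice-primary-local"}))
```

In this model the only control separating the organizer from the account vault is the server's refusal to serve the ciphertext, while the local vault has no key path from the organizer at all.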

  • monstermac77
    Community Member

    > You're correct, and I love that you're enjoying this under-appreciated feature!

    @brenty, awesome! Yeah, this is the perfect solution for me. Really glad you guys have left that feature in even for 1Password account users.

    > This just means that 1Password will require your Primary vault's Master Password to unlock. Under the hood, this means that your Primary vault contains the keys for any subsidiary vaults (or accounts), but it sounds like you're probably already doing that manually so that won't be an issue. Let me know if that helps! :)

    Ah, that makes sense. What do you mean by "it sounds like you're probably already doing that manually so that won't be an issue", though? Like, what am I doing manually and what won't be an issue?

    Thanks again for your help!

  • AGAlumB
    1Password Alumni

    @monstermac77: Ah, based on your earlier comments, it sounded like your goal is to keep some really important stuff not in your 1Password.com Account, so for example you might have the Emergency Kit for your account in the local vault. No need to confirm or deny. It's just similar to what I do, so I thought you might be going in a similar direction. Cheers! :sunglasses:

  • monstermac77
    Community Member

    @brenty, thanks for the clarification; that makes sense!

  • AGAlumB
    1Password Alumni

    :) :+1:

  • benfdc
    Community Member

    I'm just getting started with 1P/Families, and I am so glad that I stumbled onto this thread. I think it will prove to be a very useful reference as I try to get a handle on the ins and outs of the product so that I can give solid answers to whatever questions other family members throw my way. I've just skimmed enough of the posts to have an idea of the issues; I'm going to have to play with things a while before I will be able to understand everything being said here. But I have read enough to see that this is fantastic.

    When people have asked me over the years how I can be so comfortable trusting 1Password, I talk about threads like this. As I've observed repeatedly, in the forums and elsewhere, I don't agree with every design decision that AgileBits makes, but I am almost always blown away by the amount of careful thought that goes into those decisions.

  • Ben
    edited March 2017

    > I am almost always blown away by the amount of careful thought that goes into those decisions.

    :chuffed: Thanks benfdc. :smile:

    Ben

  • mikeseeh
    Community Member

    Hi!

    Glad I found this conversation.
    I just signed up for Families (we also have a Teams account for our company) and would need to create shared vaults that are not accessible by Admins.

    Any progress on this?

    Thanks,
    Mike

  • Thanks for asking! At the moment, Personal vaults are the only ones that aren't shared with the rest of the family. This may change down the road, but right now that's where things are at.

This discussion has been closed.