server side decryption of shared team passwords

My understanding is that the personal vault passwords can never be decrypted on the server side because it requires our master key, which we only have on the client. However, for sharing a vault with the team, I don't see how this mechanism would work with us all having a different master key. How can I share a password with the whole team without AgileBits having the ability to decrypt the passwords?

  • nmott, 1Password Alumni
    edited February 2018

    @travnet you might be interested in the document we wrote explaining 1Password Teams' security:

    1Password Teams Security Design white paper

    Specifically, the section called "How Vault Items Are Securely Shared." (There's a link to that section in the introduction.) That offers the most thorough explanation for how you're able to share vault items with your team in a secure way that no one else can access.

    Let me know if that document answers your question 8-)

  • roustem, AgileBits Founder, Team Member

    @travnet TL;DR version: when someone shares a vault with you, they re-encrypt the vault key using your public key. The vault can also be shared with a group; in this case the vault key is encrypted using the group public key.
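
The key-wrapping scheme described in the reply above, as an added example that is not part of the original thread and is not 1Password's code. RSA-OAEP, AES-256-GCM, and all function and variable names are assumptions chosen for illustration; a group is modelled as just another key pair.

```javascript
// Added example: per-recipient wrapping of a shared vault key (Node.js built-in crypto).
const crypto = require('crypto');

const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Each member (or group) holds a key pair; the private key never leaves the client.
function newKeyPair() {
  return crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
}

// Vault items are encrypted once, under the symmetric vault key.
function encryptItem(vaultKey, plaintext) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', vaultKey, iv);
  const data = Buffer.concat([c.update(plaintext, 'utf8'), c.final()]);
  return { iv, data, tag: c.getAuthTag() };
}

function decryptItem(vaultKey, item) {
  const d = crypto.createDecipheriv('aes-256-gcm', vaultKey, item.iv);
  d.setAuthTag(item.tag);
  return Buffer.concat([d.update(item.data), d.final()]).toString('utf8');
}

// Sharing means wrapping the same vault key under the recipient's public key.
function wrapVaultKey(vaultKey, publicKey) {
  return crypto.publicEncrypt({ key: publicKey, ...OAEP }, vaultKey);
}

function unwrapVaultKey(wrapped, privateKey) {
  return crypto.privateDecrypt({ key: privateKey, ...OAEP }, wrapped);
}

// The "server" object holds only ciphertext and wrapped keys, never a private key.
function demo() {
  const alice = newKeyPair(), bob = newKeyPair(), outsider = newKeyPair();
  const vaultKey = crypto.randomBytes(32);
  const server = {
    item: encryptItem(vaultKey, 'constructed sample secret'),
    wrapped: { alice: wrapVaultKey(vaultKey, alice.publicKey) },
  };
  // Alice shares with Bob: unwrap her copy client-side, re-wrap under Bob's public key.
  const k = unwrapVaultKey(server.wrapped.alice, alice.privateKey);
  server.wrapped.bob = wrapVaultKey(k, bob.publicKey);
  const bobReads = decryptItem(unwrapVaultKey(server.wrapped.bob, bob.privateKey), server.item);
  let outsiderFails = false;
  try { unwrapVaultKey(server.wrapped.bob, outsider.privateKey); } catch { outsiderFails = true; }
  return { bobReads, outsiderFails };
}
```

The item ciphertext is stored once; adding a member only adds one more wrapped copy of the vault key, and nothing held in `server` is sufficient to recover the plaintext.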

