Multiple secret keys and the emergency kit
Hi Agilebits Team,
I just spend some time with your great Security-Whitepaper. One question that came up and didńt find a answer for by myself is:
Is the following assumption correct?
The secret key never leaves the device where it was created on, so if i own two synced devices with 1password installed, each one has itś own unique secret key. If i print out my emergency kit, it only provides one of these two existing secret keys. That is ok, because i just need the secret key and related masterpassword of ONE of my devices to unlock the vault, regardless if the vault is stored on device A; B, or your Server.
Additonial question: In my case i own the non-subscription mac software and sync it only locally via wifi to my iOS devices. Which emergency-informations do i need to successfully acess my vault if i end up owning nothing but a 1password backup-file (...1p4_zip)?
1Password Version: 6.6.1
Extension Version: Not Provided
OS Version: MacOS 10.12.5
Sync Type: Not Provided
Comments
-
Hi Agilebits Team,
I just spend some time with your great Security-Whitepaper. One question that came up and didńt find a answer for by myself is:
Is the following assumption correct?:
The secret key never leaves the device where it was created on, so if i own two synced devices with 1password installed, each one has itś own unique secret key. If i print out my emergency kit, it only provides one of these two existing secret keys. That is ok, because i just need the secret key and related masterpassword of ONE of my devices to unlock the vault, regardless if the vault is stored on device A; B, or your Server.Additonial question: In my case i own the non-subscription mac software and sync it only locally via wifi to my iOS devices. Which emergency-informations do i need to successfully acess my vault if i end up owning nothing but a 1password backup-file (...1p4_zip)?
1Password Version: 6.6.1
Extension Version: Not Provided
OS Version: MacOS 10.12.5
Sync Type: Not Provided0 -
Hi Agilebits Team, I just spend some time with your great Security-Whitepaper.
@Torben985: Awesome! I hope you enjoyed reading it as much as I did. I won't lie: I didn't expect to! :lol:
One question that came up and didńt find a answer for by myself is: Is the following assumption correct?: The secret key never leaves the device where it was created on, so if i own two synced devices with 1password installed, each one has itś own unique secret key.
That's an excellent question and you're on to something. While there is only ever one Secret Key for your 1Password.com account (and therefore used to authorize all of your devices), you're correct that different vaults will have to have different keys so that they can be accessible to some members (in a 1Password Team or Family) but not others. The server has the encryption keys for all of these to facilitate exchanging them within a 1Password Team or Family. And these keys, in turn, are encrypted using the keys belonging to individual members as needed. There's more to it than that of course, but if you're familiar with public key cryptography you'll have an idea of the rest.
If i print out my emergency kit, it only provides one of these two existing secret keys. That is ok, because i just need the secret key and related masterpassword of ONE of my devices to unlock the vault, regardless if the vault is stored on device A; B, or your Server.
Included in your Emergency Kit are your Sign In URL, email address, Secret Key, and a place to fill your Master Password. If you complete this and store it in a safe deposit box, you'll have everything you need to login to 1Password.com and access your data even if all of your other devices are lost or destroyed.
Additonial question: In my case i own the non-subscription mac software and sync it only locally via wifi to my iOS devices. Which emergency-informations do i need to successfully acess my vault if i end up owning nothing but a 1password backup-file (...1p4_zip)?
Local vaults are self contained and not connected to a 1Password.com account, so it works a bit differently. You'll just need to make sure you have a copy of the data and your Master Password to decrypt it. A
.1p4_zip
backup archive can be restored using a recent version of 1Password for Mac if needed. I hope this helps. Be sure to let me know if you have any other questions! :)0 -
Hi @DavidRichter,
Thanks for taking the time to write in.
The security white paper is written for our 1Password Teams, 1Password Families, and individual 1Password.com subscription accounts. It does not apply to using the 1Password apps standalone (sans-account).
The secret key never leaves the device where it was created on, so if i own two synced devices with 1password installed, each one has itś own unique secret key.
Each device does not have its own Secret Key. The Secret Key is unique to you but not to each device. When you create an account the Secret Key is generated and then in order to sign in on any other devices you must enter the Secret Key on those devices (e.x. by scanning it from the QR code on the Emergency Kit).
Additonial question: In my case i own the non-subscription mac software and sync it only locally via wifi to my iOS devices. Which emergency-informations do i need to successfully acess my vault if i end up owning nothing but a 1password backup-file (...1p4_zip)?
Just your Master Password. Standalone vaults don't have Secret Keys, email addresses, or sign-in URLs. Those things are unique to 1Password accounts. I assume if you're needing to protect against this sort of scenario you are backing up your 1Password backups off-site? :) That is one of the things a 1Password account does for you, but of course you can roll your own solution for that as well.
Thanks!
Ben
0 -
Thank you so much Ben and Brenty, the simple fact that the secret key is transmitted manually/QR when establishing a new device solves the puzzle in my mind.
And sorry for my double post (i created a new account because i thought posting with the old one didńt work, but i was too blind to see it actually did work).
0 -
You're very welcome. :)
And sorry for my double post (i created a new account because i thought posting with the old one didńt work, but i was too blind to see it actually did work).
Ah! Fair enough. We were both scratching our heads thinking "I thought I replied to that thread?" heh
If there is anything else we can do, please don't hesitate to contact us.
Ben
0