Request: QubesOS cross-VM support

I'm liking 1Password's UX, in particular the combination of attention to security and general usability. The key motivator for me to start using it was the Families feature, enabling me to help get the rest of my family using a password manager. Unfortunately, that same feature is a huge blocker for me actually using 1Password, because it requires v6 which does not work on Linux, even under Wine.

As a stop-gap, I would like to see support for running the native app in a Windows 7 VM, and the browser extension in a Linux browser, when using QubesOS (the OS on my personal laptop; I use Ubuntu on my work laptop, where this strategy wouldn't work). This can be done with reasonable security using the Qrexec framework, and should be significantly easier to implement than a full Linux native app, as it roughly ends up being:

[Browser extension] ---> [netcat] --- stdin/out --> [qrexec Linux VM] --- Qubes RPC --> [qrexec Win7 VM] --- stdin/out --> [netcat] ---> [Native app]

It would also probably be necessary to register a URL handler on the Linux side for the onepassword4-extension:// triggering URL, which would send the trigger over Qubes RPC to the native app.

I actually attempted to implement this myself (along the lines of Split-GPG and Split-SSH), but ran into the semi-documented 1Password browser process signing verification, which obviously fails for netcat! But in theory it should be possible to bundle that signature verification into the Qrexec client-side on Linux, and then verify the signature of the Qubes Windows Tools in the Qrexec server-side on Windows before allowing it to communicate with the native app.

I think this would fit in well with your existing security model, would be a much lower toll on your development team, and would provide a workable alternative for Linux users until the Windows app works over Wine :smile:

1Password Version: 6.5.401d
Extension Version: 4.6.6
OS Version: QubesOS 3.2, Windows 7 x64
Sync Type: Not Provided


  • AGAlumB
    1Password Alumni

    @pythonian4000: Thanks for reaching out! I'm glad to hear you're enjoying 1Password. :)

    Unfortunately Linux, Wine , and VMs are not supported, and not something we're going to design around (though you may be able to get 1Password working there provided it meets the minimum requirements: Windows 7, .Net 4.6.2). Right now our focus is on the platforms we do support, but perhaps we can branch out further in the future. Thanks for letting us know what your preferences are. :)

  • pythonian4000
    Community Member

    Just to be clear, it's not something you'd need to design around as such - the native application would be running in Windows as-usual (I already have it installed and working fine in a Windows VM), and the extension would be running unmodified in a supported browser as-usual (I installed it in Firefox, but Chrome etc. would work too). The only affected component is the as-yet-unspecified protocol between the two, which AFAICT (without access to source code, obviously) does not require any changes for the above to work. The sole change affecting existing code would be adding an additional signature to the existing list in the native app; everything else is essentially repackaged code in a shim. That said, I can imagine there are various rabbit-holes hidden behind the proprietary binary which make this more complex, and I understand that even this suggestion might entail too much work for ongoing support to be viable. I was simply hoping to find a workable middle ground for the unsupported user-base. Thanks for listening! :smile:

  • AGAlumB
    1Password Alumni

    @pythonian4000: I know what you're saying. It just seems to me that validating netcat doesn't solve the problem of verifying the identity of the browser at the other end. It's a cool idea, but honestly if we're going to make a move into the Linux platform I think our efforts would be better spent on a more native solution, as based on feedback we've received over the years this is one of the reasons people love 1Password in the first place. We already have the web interface which can work on unsupported platforms, and I think it would be a shame if Linux didn't get the full AgileBits treatment if we go that way in the future. Cheers! :)

This discussion has been closed.