Secret Key being stored in iCloud?

akH4nw3N
Community Member
edited April 2018 in Mac

I recently re-installed macOS. When I was setting up 1Password, I was shocked to find that I didn't need to enter my secret key. Instead, this box came up:

After clicking "Done", I just had to type in my Master Password, and all my vaults appeared.

I couldn't find any mention of this feature anywhere, and looking through the 1Password Security Design document, I found this note:

"True end-to-end encryption: All cryptographic keys are generated and managed by the client on your devices, and all encryption is done locally."

Could anyone elaborate as to why 1Password is potentially storing the Secret Key in iCloud? That's the only thing that was the same between my old installation of macOS and my new one. Having the secret key stored in iCloud was not a risk factor that I was considering, or even aware of.

If the Secret Key is indeed being stored in iCloud, is there a way to disable this feature?


1Password Version: 6.8.8
Extension Version: N/A
OS Version: macOS 10.13.4
Sync Type: 1Password.com

Comments

  • pervel
    Community Member

    The Secret Key is indeed stored in the iCloud Keychain. There was a lengthy discussion about this about a year ago:

    https://discussions.agilebits.com/discussion/78865/question-about-new-feature-on-setting-up-new-accounts

    I was also a bit worried about this to begin with but especially the response from @jpgoldberg put my mind at ease. Do read the whole thread if you're interested, but in particular this part is important, I think:

    Roughly speaking, we believe that any attacker who can acquire information from your iCloud Keychain has already completely broken into one of your Apple Devices. As Kyle pointed out, the iCloud Keychain is not something like your iCloud photos or Pages documents. Getting at the iCloud Keychain requires both the iCloud password and the ability to unlock a device that is already set up with it. So other than some rare situations, an attacker who would be in a position to get at your Secret Key from your iCloud Keychain would already be able to capture it without bothering with the iCloud Keychain.

  • akH4nw3N
    Community Member
    edited April 2018

    Ah, that makes me feel much better. Thanks for the clarification.

    I was worried that it was in standard iCloud storage, instead of iCloud Keychain.

    Sidenote: This is a good video that explains the tremendous length Apple goes to to ensure that even they don't have access to iCloud Keychain data.

    I couldn't find mention of this feature anywhere before you linked me to the discussion above. Perhaps AgileBits should be a bit more upfront as to this feature?

    Also, I just want to say that everything else about 1Password has been extremely impressive, and after learning that it uses iCloud Keychain and not standard iCloud storage for this feature, I continue to be impressed at how well-designed 1Password is. 8-)

  • Looks like @pervel did an excellent job of answering your question, @akH4nw3N.

    Thanks for linking to that video, I've never seen this before. It's great to see Apple talking publicly about this stuff.

    Rick

This discussion has been closed.