Questions about subscriptions and recovery

mattyd

With version 7 out now, it is time to re-evaluate going with the subscription plan again. I’ve done a lot of reading of the docs you’ve published, but I still have a few questions left to decide if I’m going to make the leap or not, and if that leap should be to a family version.

1) Can I use only a standalone vault even with the subscription version of the app?
2) Does an individual account have the concept of a Recovery Group?
2b) If not, does each vault have an individual key that is encrypted to the master password+secret or is each vault key directly derived from the master password+secret?
3) If I understand how things work, a person in the Recovery Group can participate in the recovery process for all vaults in the family/team, even if that person was added to the recovery group after the vaults were created. Is that right?
4) Is there any way to regenerate the Recovery Group keys?
5) Who can put people in the Recovery Group? If I’m the family organizer and I die, can AgileBits move my sister or my spouse to be in the Recovery Group?
6) If is possible to create vaults where there is not a copy of the vault key encrypted by the Recovery Group key?

I know that is a lot of questions for one post. Thanks in advance!
-Matt

---

1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

AGAlumB

With version 7 out now, it is time to re-evaluate going with the subscription plan again. I’ve done a lot of reading of the docs you’ve published, but I still have a few questions left to decide if I’m going to make the leap or not, and if that leap should be to a family version.

@mattyd: Sounds good! Interested to hear what you think. :)

1) Can I use only a standalone vault even with the subscription version of the app?

Yep!

2) Does an individual account have the concept of a Recovery Group?

Yes, but for all intents and purposes this will be a "nope" since you will be the only member of the recovery group! Save your Emergency Kit!

2b) If not, does each vault have an individual key that is encrypted to the master password+secret or is each vault key directly derived from the master password+secret?

It works exactly the same as other 1Password.com accounts, but doesn't have the luxury of having other admins who can put your account into recovery mode to re-encrypt the vault keys with a new Master Password and Secret Key. :(

3) If I understand how things work, a person in the Recovery Group can participate in the recovery process for all vaults in the family/team, even if that person was added to the recovery group after the vaults were created. Is that right?

Correct! All of that happens behind the scenes during account setup, so subsequent members who are added to the recovery group (either explicitly or by virtue of having an admin role) will also get the keys needed to perform recovery.

4) Is there any way to regenerate the Recovery Group keys?

It's not possible for a user to do this within an account. A new account would need to be created. I'm curious what the use case would be though!

5) Who can put people in the Recovery Group? If I’m the family organizer and I die, can AgileBits move my sister or my spouse to be in the Recovery Group?

No. We don't have access to do any of that. You (or another admin on the account) would have to set that up yourself before your demise.

6) If is possible to create vaults where there is not a copy of the vault key encrypted by the Recovery Group key?

No.

I know that is a lot of questions for one post. Thanks in advance!

These are great questions! Looking forward to more. :)

mattyd

Is the reason AgileBits can’t add people to the Recovery Group because only someone in the group already has access to the keys?

The use case for rolling the Recovery Group keys (and vault keys) is mentioned in your white paper and are more than a teams than a family use case. It isn’t unusual for a company to roll all the sensitive passwords that a fired employee had access to. But if the vaults have the same keys and the fired user either directly has saved either the vault key or the recovery key, they are down to “only” needing a copy of the vault with the rolled passwords. Even for regular users with access to sensitive passwords, it is not unreasonable to want to roll the vault keys as a defense in depth measure. Recovery Group members just require more resetting.

Where does the initial generation of the recovery keys and the vault keys happen? Do both happen entirely on the client? Or is the server involved in that key generation at all?

rickfillion

Is the reason AgileBits can’t add people to the Recovery Group because only someone in the group already has access to the keys?

Yup. Adding someone to a group in 1Password isn't simply a matter of associating a user to a group like in most systems. Adding someone to a group is a matter of sharing the group's keys with the user (encrypting the group's private key with the user's public key). Since AgileBits doesn't have the private keys for anything of yours (nor do we want them!), we can't perform that operation.

Where does the initial generation of the recovery keys and the vault keys happen? Do both happen entirely on the client? Or is the server involved in that key generation at all?

It's entirely on the client. When you initially create a 1Password account there's a ton of work that the client needs to do. It's responsible for creating several groups: Recovery, Owners, Admin, Team Members each with their own public/private key. It needs to take the recovery group's keys and encrypt them with the Owners and Admins group public keys and associate those so that anyone in either of those groups can make use of the recovery keys. It needs to create the first user's public/private key, then encrypt each of those groups' private keys with the user's public key to create the group memberships there. It needs to create the Shared vault & key, and encrypt that key with the Team Members public key so that anyone in the Team Members group can access that vault. It needs to create the user's own Personal vault & key, and encrypt that with the user's public key, along with the recovery group's public key so that if the user ever loses access it can be regained via the recovery group's keys. It's quite the dance.

The only keys that the server creates related to your account is signing keys for files that you've uploaded. Those keys aren't used for encryption, but only as a form of shared secret and used to sign associations between items and files.

Rick