How do CloudKit and backup have the same password as the device vault?

Trishaelwood
Community Member

Mentioned in docs:
1. user master password is not stored beyond the vault unlocking process.
2. agilekeychain or cloudkit have their own profile, overviewkey and masterkey. So, say, in the case of a Mac syncing (cloudkit) with an iPhone, we have three pairs of overviewkey, masterkey and profile.

Question:
When I am syncing from iPhone to cloudkit for the first time, not from the initial app setup but from settings on the second launch of the application, then if you generate the profile, overviewkey and masterkey on the spot for cloudkit, with what password are they encrypted, since by this time you would not have the master password?

The same goes for backup: with what password are they encrypted, and which profile is stored inside them for authentication on restore?


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: cloudkit

Comments

  • jpgoldberg
    1Password Alumni

    Excellent observation, @Trishaelwood!

    It's a bit more complicated than this, but when 1Password is unlocked, not only are the keys stored in memory, but so is your Master Password. So when keys are generated for the export/sync format (Agilekeychain, OPVault, or CloudKit), those keys get encrypted with your Master Password. This way, when the device you are first syncing to gets the profile, all it needs is your Master Password in the recipient app.

    I guess this means that we need to put some footnotes on

    user master password is not stored beyond the vault unlocking process.

    Depending on the particular app and circumstances, it may be retained during the time that the app is unlocked. It is also the case that if you use Touch ID unlock on iOS, it is stored in the iOS keychain.

    Can you let me know which document you got that from? I'll be happy to check whether there are improvements we can make to that document.
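
As an added illustration of the mechanism jpgoldberg describes (example code, not 1Password's own): while the app is unlocked it still holds the Master Password, so it can create a fresh profile for a second sync format and wrap the same vault keys under a new salt, and the receiving device needs only the Master Password to open that profile. The profile layout (PBKDF2-HMAC-SHA512 with the salt and iteration count stored beside the encrypted masterKey and overviewKey) is assumed, modelled on the published OPVault format rather than taken from this thread; the HMAC-SHA256 counter-mode keystream is a stand-in for AES because the Python standard library has none.

```python
import hashlib, hmac, os

def derive_kek(master_password: str, salt: bytes, iterations: int) -> bytes:
    # PBKDF2-HMAC-SHA512 -> 64 bytes: first half encrypts, second half authenticates.
    return hashlib.pbkdf2_hmac("sha512", master_password.encode(), salt, iterations, 64)

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a stand-in for AES (stdlib has no AES).
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(length // 32 + 1)]
    return b"".join(blocks)[:length]

def wrap(kek: bytes, plaintext: bytes) -> bytes:
    enc_key, mac_key = kek[:32], kek[32:]
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def unwrap(kek: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = kek[:32], kek[32:]
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong Master Password or tampered profile")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))

def make_profile(master_password, master_key, overview_key, iterations=100_000):
    # Fresh salt per profile: local vault, CloudKit and backup each get their own wrapping.
    salt = os.urandom(16)
    kek = derive_kek(master_password, salt, iterations)
    return {"salt": salt, "iterations": iterations,
            "masterKey": wrap(kek, master_key), "overviewKey": wrap(kek, overview_key)}

def unlock(master_password, profile):
    # Recipient device: only the Master Password plus the profile's salt/iterations are needed.
    kek = derive_kek(master_password, profile["salt"], profile["iterations"])
    return unwrap(kek, profile["masterKey"]), unwrap(kek, profile["overviewKey"])

def demo(master_password="constructed example password", iterations=20_000) -> bool:
    master_key, overview_key = os.urandom(32), os.urandom(32)   # constructed vault keys
    local = make_profile(master_password, master_key, overview_key, iterations)
    # Still unlocked, so the Master Password is in memory: create the CloudKit profile
    # that wraps the same vault keys under a new salt.
    cloud = make_profile(master_password, master_key, overview_key, iterations)
    return (local["salt"] != cloud["salt"]
            and unlock(master_password, local) == unlock(master_password, cloud)
            == (master_key, overview_key))
```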

  • Trishaelwood
    Community Member

    Thanks, jpgoldberg :).

    Following is the link: https://blog.agilebits.com/2015/04/28/how-1password-syncs-changes-to-your-master-password/

    In the following places:
    "1Password never stores your Master Password in any form."
    "A cornerstone of Master Password security, though, is that 1Password never stores your Master Password in any form." Except for Touch ID and passcode :)

    From the above link I thought that, except for Touch ID and passcode, if the master password is not stored, then how come you guys encrypt the keys for cloudkit and backup :) Thanks for clearing it up.

  • jpgoldberg
    1Password Alumni

    Thank you, @Trishaelwood.

    I guess we need something like "never saves to 'disk'" or something along those lines. Off-hand I can't think of a way to word it that doesn't lead to confusion or cause a distraction. But we will figure something out.

This discussion has been closed.