Do users *have* to have their own "Primary" vault, separate from our team vaults?
This article provides instructions for a user to set up the desktop application to use 1Password for Teams.
To accomplish this, (1) the user creates their own "Primary" vault, as if they were going to use 1Password for personal use; and then (2) they add their Team account.
My question: is (1) really necessary? I'm trying to keep this as simple as possible for my users. If they have an extra vault lurking around, I guarantee that they'll accidentally store some new passwords there, instead of in the Team vaults. (I know that Step 5 in the article shows how to remove the "Primary" vault from the "All Vaults" listing, but that's only a partial solution.)
Also, just to make sure I'm understanding the "Primary" vault properly: am I correct in thinking that passwords in this vault are only stored locally—i.e., on the machine that is running the 1Password desktop application? (Unless I've configured the application to sync them to Dropbox or iCloud?) And that these passwords are therefore not associated with any specific email address—so the user can't manage them by logging into the 1password.com website?
1Password Version: 6.0 (600008)
Extension Version: Not Provided
OS Version: OS X 10.10.5
Sync Type: Not Provided
Comments
-
@immersiontravis Thank you for pointing this out!
Things are changing fast and this article is out of date now. In 1Password 6 for Mac you can set everything up using an existing Teams account, without the need to create a Primary vault.
We will make sure the documentation gets updated.
Thanks again!
0 -
OK—that is good to know. Thanks!
0 -
On behalf of @roustem you are very welcome @immersiontravis.
0 -
On a related note, is it possible to remove my (now empty) Primary vault after setting up 1Password for Teams and moving everything over to my team vault? Thanks.
0 -
Hi @skylarp,
Unfortunately there's no quick/automated way of doing that. If all of your data is migrated over to Teams, you can accomplish this the slightly long way by:
- Making sure you have your Emergency Kit, I really don't want to see you get locked out of anything. :)
- Following our Starting Over guide, which will delete your local 1Password data
- Launching 1Password, which will treat you like a new user
- Sign in to 1Password for Teams.
Once that's done you'll have what we refer to as a Teams-only setup. No Primary Vault, simplified Preferences, etc. It's awesome.
I hope this helps.
Rick
0 -
It is possible if you remove 1Password data and then start over with the new Team set up:
To remove the existing data:
- Create a backup (just in case)
- In 1Password app: Press and hold Control key, choose 1Password > Quit 1Password and 1Password mini menu
- Rename
~/Library/Application Support/1Password 4/Datafolder.
0 -
Thanks, all! That's perfect.
0 -
I did the above and successfully registered my two teams. It seems that the osx app uses the master password of the first Team added to the app as the master password to log into the app. This was not intuitive as I added two teams back to back, and upon reboot wasn't sure which password to use to get into the osx app. I had a panic moment, but eventually figured it out.
If I now remove the first Team, will the password for the app become the master password on the remaining registered Team?
I suggest some messaging to the user regarding the password to use for the app upon creating a Team only configuration, especially when there are multiple teams.
0 -
Hi @tbaker,
You're right, we need to do something about that. When removing a team and we're changing the password that will unlock the app we notify the user. But I think we need to make it clearer when adding teams as well, as you say.
If I now remove the first Team, will the password for the app become the master password on the remaining registered Team?
Yes. And the app should tell you as much. If it doesn't, then that's a bug and we need to fix that.
Thanks for the feedback.
Rick
0 -
From a security model standpoint, how is this working? I thought the master password was mathematically necessary to derive the private key. It seems that once you authenticate with one master password, the app is able to decrypt the other vaults too, even though they have a different master password. I can't seem to find an answer in the white paper.
0 -
Hi, @scottsb.
You are correct, the Master Password is mathematically necessary to derive the keys that decrypt your data. I'm a little fuzzy on the exact implementation details (@rickfillion can help a bit more here), but basically we encrypt the Master Passwords we need for your other vaults and/or accounts with the Master Password for your "primary" vault or account. So once you unlock the first, we have the information needed to unlock the rest.
0 -
That's a good question, @scottsb.
Basically we encrypt one dependent thing with another. While the app is unlocked we have all of the interesting keys available to us in memory, so we can set things up for ourselves later. The Master Password was used to derive a key that was used to decrypt the first thing (either the Primary Vault key, or what we call the Master Teams Account key). The next thing, say another Team... has had its key encrypted with the first thing. So once we have one, we can decrypt the next. It's effectively a chain of decryptions. Even in the simplest case, unlocking a Team account involves no fewer than 3 levels like that. Additional levels don't add any security by themselves, so don't take my saying that as touting it as a security measure. What I'm saying is that when you want 1 thing to unlock n things, you need to build these kinds of chains. It gets fun/interesting when you want to change what the root key is (say when you're going from Teams-only to Teams+Personal vaults, or when you're removing your Master Teams Account).
This stuff isn't documented in our Teams whitepaper as far as I know. We should maybe consider adding it.
Rick
0 -
Thanks. That's basically what I was expecting, but good to get it confirmed. When I was arguing for use of 1Password Teams here at my company, I explained the keys to our president as a set of Russian nesting dolls. Basically when you change the "root key" you simply change what the outermost doll is. :-)
0
