Separate password to open secondary vault
I currently am using the standalone version of 1Password6 (not the 1Password Account) on my Mac, iPad and IOS.
There are some notes and passwords that I do not want to share with anyone and I do not want them to appear unless I decide so. So I put them on a separate secondary vault and I set up a COMPLETELY different password from the first. I thought the second vault would open only if I entered the secondary password but once I enter my Master Password, both vaults open even thought the second vault has its own password. I want this setup so that when I sign into 1Password, it opens my primary vault. If I want to switch to another vault, it will not open that without entering the second vault's password. Is that possible? I think it is a very simple useful feature but I don't find how to set that up.
1Password Version: 6.8.8
Extension Version: 4.7.3
OS Version: Mac OS 10.13.6
Sync Type: WLan
Comments
-
Welcome to the forum, @Ignis! I'm sorry for the confusion. In order to be "1Password" - in other words, in order for users to be able to access all of their data in all vaults with just a single password (instead of having to remember two or three or half a dozen (presumably) long, strong vault passwords, one for each vault) - we "escrow" the keys of secondary vaults inside the Primary vault. The Primary vault is the one you created when you first began using 1Password, and it's the Master Password that opens 1Password. As you add secondary vaults, you need to give each of them unique vault passwords (in case you ever want to sync them/share them elsewhere), but you still only need your ONE Master Password to unlock all of 1Password.
I think it is a very simple useful feature but I don't find how to set that up.
You haven't been able to find how to set it up because this is anything but a simple feature. It's literally the heart of 1Password's design (well, one of main hallmarks, anyway): the ability to unlock all data with ONE password. We're usually open to entertaining feature requests and suggestions, but on this one, I can tell you we probably won't be re-working the entire key structure to allow for this ability.
0 -
OK, thanks for the answer, I did not realize you needed to rework the entire key structure, I thought it was something easier to do 8-) Obviously I did not mean to keep several vaults and all with different passwords, I want it to remain "1-Password" as you remark, I thought of just the possibility to have one "deeper" vault that needed an extra access key to unlock. Sometimes ideas that sound so against the spirit of the software may not be that odd :)
Thanks again for your reply and the explanation.0 -
@Ignis - oh, please don't misunderstand me: I'm glad you asked, and it wasn't a silly question. In fact, this is now 1Password 4 for Windows worked, and it's also how 1Password for Mac worked for a while...under the hood. But as we've gone on, we've made changes to how the unlocking process works, because allowing separate vault unlock caused more problems than it solved, and there weren't that many users who even knew it existed, let alone made use of it consciously.
0 -
Lars is of course right that 1Password doesn't really support this and that's sort of the whole point... But that said, I have set up a seperate extra-secure vault like Ignis requested.
I created a new 1Password vault and put some higher security/rarely requested secrets in there. Think photos of a birth certificate or maybe a 2FA secret when you mainly rely on the 2FA secret stored on your phone. I copied the .opvault for this vault somewhere I trust, and deleted the vault within 1Password. (And I'm trusting whatever keys 1Password stored to decrypt this vault are erased when the vault is deleted as well). This basically works but is pretty cumbersome and error-prone so best for things you access very rarely. (could also open your extra-secret vault when you're logged into your machine as a different user for more separation).
I trust 1Password deeply...but for high-value things which I rarely access I like having a bit of a separation between them and the rest of 1Password. It'd probably be easier just to use a competing password manager for my use case, but I love 1Password too much for that =)
(oh and in my above setup, everything is local. No 1Password online for me....)
0
