Required to enter OpenGPG keyphrase when unlocking 1Password for the first time after fresh boot

sarvapass
Community Member
edited October 2021 in Linux

When I open 1Password for the first time after booting, I am asked to unlock my 1Password vault and immediately after I am asked to key in my OpenGPG passphrase to get access to the '1Password for Linux' wallet.

Why does 1Password need to create its own wallet in kwallet and encrypt it with Blowfish or GPG?
OpenGPG is the option I chose. My keys are passphrase protected.
Selecting Blowfish and leaving username and password blank during wallet creation would not make a difference either as only the wallet named kdewallet gets unlocked by PAM on user login.

Also, why does 1Password need to change the default wallet in KDE to '1Password for Linux'?
Because of changing the default wallet, other apps such as Brave browser, that also want access to the default wallet, suddenly also ask me to key in my OpenGPG passphrase.

Isn't it possible for 1Password to store the proof of the 2FA token in the already existing kdewallet?
The default kdewallet gets unlocked by PAM when I log on to my desktop.

1Password 8.1.3
1Password Plugin 2.1.3

                     ./o.                  anon@anon 
                   ./sssso-                ------------ 
                 `:osssssss+-              OS: EndeavourOS Linux x86_64 
               `:+sssssssssso/.            Host: 82A2 Yoga Slim 7 14ARE05 
             `-/ossssssssssssso/.          Kernel: 5.14.14-arch1-1 
           `-/+sssssssssssssssso+:`        Uptime: 3 mins 
         `-:/+sssssssssssssssssso+/.       Packages: 978 (pacman) 
       `.://osssssssssssssssssssso++-      Shell: zsh 5.8 
      .://+ssssssssssssssssssssssso++:     Resolution: 1920x1080 
    .:///ossssssssssssssssssssssssso++:    DE: Plasma 5.23.1 
  `:////ssssssssssssssssssssssssssso+++.   WM: KWin 
`-////+ssssssssssssssssssssssssssso++++-   Theme: Breeze Dark [Plasma], Nordic-darker-v40 [GTK2/3] 
 `..-+oosssssssssssssssssssssssso+++++/`   Icons: Papirus-Dark-nordic-blue-folders [Plasma], Papirus-Dark-nordic-blue-folders [GTK2/3] 
   ./++++++++++++++++++++++++++++++/:.     Terminal: konsole 
  `:::::::::::::::::::::::::------``       Terminal Font: FantasqueSansMono Nerd Font Mono 10 
                                           CPU: AMD Ryzen 7 4800U with Radeon Graphics (16) @ 1.800GHz 
                                           GPU: AMD ATI 03:00.0 Renoir 
                                           Memory: 1907MiB / 15366MiB 
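
A way to confirm the state described in the post above, added here as an example (not part of the original post and not 1Password's code): it reads the default wallet name from a kwalletrc file and reports whether it is the `kdewallet` wallet that, per the post, PAM unlocks at login. Assumptions: the `[Wallet]` group's `Default Wallet` key holds the name, an unset key means `kdewallet`, and the sample file is constructed.

```shell
#!/usr/bin/env bash
# Added example: is the default KWallet the one PAM unlocks at login?
# Assumption: kwalletrc stores the name under [Wallet] / "Default Wallet".

# default_wallet FILE: print the "Default Wallet" value from the [Wallet]
# group of a kwalletrc-style INI file (prints nothing if the key is unset).
default_wallet() {
    awk -F= '
        /^\[/ { in_wallet = ($0 == "[Wallet]"); next }
        in_wallet && $1 == "Default Wallet" { sub(/^[^=]*=/, ""); print; exit }
    ' "$1"
}

# check_default FILE: return 0 if the default is kdewallet (or unset),
# 1 if another wallet is the default, 2 if the file cannot be read.
check_default() {
    local rc_file=$1 name
    [ -r "$rc_file" ] || { echo "cannot read $rc_file"; return 2; }
    name=$(default_wallet "$rc_file")
    if [ -z "$name" ] || [ "$name" = "kdewallet" ]; then
        echo "default wallet: ${name:-kdewallet (implicit)}; unlocked by PAM at login"
        return 0
    fi
    echo "default wallet: $name; not PAM-unlocked, apps using the default wallet will prompt"
    return 1
}

# Constructed sample that mirrors the situation reported in the thread.
sample_rc() {
    printf '%s\n' '[Wallet]' 'Enabled=true' \
        'Default Wallet=1Password for Linux' 'First Use=false'
}

# Pass --system to check the logged-in user's real configuration.
if [ "${1:-}" = "--system" ]; then
    check_default "${XDG_CONFIG_HOME:-$HOME/.config}/kwalletrc"
fi
```

Run with `--system` on the affected machine; a non-zero exit with the "not PAM-unlocked" message matches the second passphrase prompt described above.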

Comments

  • wolfpants
    Community Member

    I have the same issues/questions, using Kubuntu out of the box (1. Starting 1Password requires typing 2 passwords, one for 1Password, and another to unlock the "1Password for Linux" KDE Wallet; 2. Setting up 1Password causes the "1Password for Linux" wallet to become the default KDE Wallet).

    Of note, I haven't enabled the "Unlock using System Authentication Service" option, since I'd prefer for there to be an extra step to unlock 1Password (e.g. if I'm letting somebody else use the computer), similar to how it works in the macOS/Windows/iOS versions of 1Password. I'm not sure if enabling this option would resolve the KDE Wallet issues, but #2 above seems like a bug, and #1 is not great UX. I'd love to hear if this is something the team is looking into, since it feels like it would affect anyone on KDE with 2fac enabled in 1Password.

  • Hi, folks. This is going to take some investigation.

    Having talked with the security team, it seems that this may be something we did during development and then never revisited. I'm actually surprised it took so long for anyone to run into trouble with this feature, though.

    I'm unable to reproduce the problem where the 1Password for Linux wallet becomes the default one, so I cannot explain that. However, this problem will go away if we're able to switch back to kdewallet. I'll file an issue and see if we can make the change soon.

    @wolfpants Unlocking using the system auth service should not actually unlock 1Password automatically when you log in, especially since we do not auto-launch 1Password. Instead, it would allow you to unlock 1Password with your system account password or with biometric unlocking. I actually don't use this feature on machines that lack biometrics. But we use the keyring for storing two-factor authentication so that you don't have to enter your security code every time you unlock 1Password.

  • frogywill
    Community Member

    I think I have the same issue, on Ubuntu 21.04. This was not an issue until I enabled the fingerprint reader to be able to log on using biometric data.

  • sarvapass
    Community Member

    Any news @Savanni?

    I have since uninstalled 1Password and am now only using the browser plugin as having to unlock that '1Password for Linux' wallet is super annoying.

  • We have not been able to take the time to fix this yet. I'll see if I can bump it in our priority list since it may be easy.

  • TSzabo
    Community Member

    Is there a workaround in the meantime where I could automatically unlock the "1Password for Linux" wallet using a secret that I store in "kdewallet"? I haven't played around with kwallet enough to have a good sense of the supported features.

  • sarvapass
    Community Member

    Happy new year @Savanni!
    Any news?

  • Happy new year!

    We merged this change right before I went on break, so you should see it fixed in the beta that we release this week.

This discussion has been closed.