Signing back into the Community for the first time? You'll need to reset your password to access your account. Find out more.
Forum Discussion
Solved
Security concern with allowing Terminal complete access to my 1P account via op CLI
I have a shell script that uses 1Password secret reference:
export EXAMPLE_API_KEY=$(op read "op://Vault-Name/Example API Token/Specific-Token/Token")
But when it's loaded, I have to au...
Hi Integralist,
This is a great question. I think this falls into the same category as risks associated with malware or similarly compromised devices: there's very little any application can do to prevent that entity from accessing any information on your computer that the authorized user can access. An attacker that has the same permissions you have on the device (as is true in the scenario you are referring to in which there is arbitrary malicious code being executed) can at least theoretically access anything you access.
The CLI behaviour you outline doesn't meaningfully increase the risk in a situation like this because such an attacker with the level of access you describe doesn't require the CLI to behave this way to do harm, including potentially learning something about your 1Password data, since 1Password is necessarily unlocked in your scenario.
It sounds trite, but the answer almost always is: It's never safe to run any application on a device that is, or suspected to be, compromised. If you suspect your device is compromised, you should not unlock 1Password. That should at least prevent the attacker from obtaining any 1Password data (as for all the other data on your computer... that's a different story).
We do our best to protect your data even in the event of a compromised device, which you can read a bit more about here: https://blog.1password.com/local-threats-device-protections/
But at the end of the day, there's not a lot that any application can do to completely eliminate this risk. 1Password in it's locked state, however, would be almost an impossible nut to crack.
Scott_1P
1Password Team
1Password TeamHi Integralist,
This is a great question. I think this falls into the same category as risks associated with malware or similarly compromised devices: there's very little any application can do to prevent that entity from accessing any information on your computer that the authorized user can access. An attacker that has the same permissions you have on the device (as is true in the scenario you are referring to in which there is arbitrary malicious code being executed) can at least theoretically access anything you access.
The CLI behaviour you outline doesn't meaningfully increase the risk in a situation like this because such an attacker with the level of access you describe doesn't require the CLI to behave this way to do harm, including potentially learning something about your 1Password data, since 1Password is necessarily unlocked in your scenario.
It sounds trite, but the answer almost always is: It's never safe to run any application on a device that is, or suspected to be, compromised. If you suspect your device is compromised, you should not unlock 1Password. That should at least prevent the attacker from obtaining any 1Password data (as for all the other data on your computer... that's a different story).
We do our best to protect your data even in the event of a compromised device, which you can read a bit more about here: https://blog.1password.com/local-threats-device-protections/
But at the end of the day, there's not a lot that any application can do to completely eliminate this risk. 1Password in it's locked state, however, would be almost an impossible nut to crack.
