multiple vaults and syncing, all sorts of issues

saagarp
Community Member

I have two vaults on my computer, both being synced to separate 1Password vaults stored on Dropbox. One of the vaults contains shared passwords and account information, and the other vault has my personal account information. I use 1Password on another Mac I own and sync both vaults there. My spouse syncs to the shared vault only on her Mac.

I meticulously went through and separated all of my passwords into the "shared" and "private" vaults. Everything was fine for a few days, but then all of a sudden all of my private vault information ended up in the shared vault somehow. I thought it was a fluke, and restored from a backup and went about my day.

About four days later, it's happened again -- all my "private vault" entries are in my "shared vault".

I'm at a loss to figure out how or why this is happening. Any suggestions? It's not exactly a major security breach (for me), but it's frustrating.

Comments

  • sjk
    1Password Alumni

    Hi @saagarp,

    I'm sorry to hear about these unexpected, unwanted appearances of 1Password data from your primary vault in a secondary/shared vault. Since this has happened more than once it looks like some misconfiguration of Dropbox syncing/sharing might be responsible.

    Can you open the Sync tab in the Preferences window on each Mac for every vault, check locations for all Agile Keychain (.agilekeychain) data currently being synced, and post a summary of it here? Something like:

    Mac-me

    • Primary vault: Dropbox/1Password.agilekeychain
    • Secondary vault: Dropbox/Someplace/Share.agilekeychain (shared)

    Mac-spouse

    • Primary vault: Dropbox/1Password.agilekeychain
    • Secondary vault: Dropbox/Someplace/Share.agilekeychain (shared)

    Also, do you have any other systems/devices actively syncing with those keychains?

    Thanks in advance for the additional information to help get this sorted out for you.

  • saagarp
    Community Member
    edited March 2014

    I did go through those steps as I was writing the post (I do a lot of QA/Test work. :) )

    the configuration was:

    • my primary Mac:

      • Primary (my private) vault -> Dropbox/1Password/personal stuff.agilekeychain
      • Secondary (shared) vault -> Dropbox/tiffany/1Password.agilekeychain
    • my secondary Mac: (I added the vaults in the wrong order, but it didn't bother me enough to fix)

      • Primary (shared) vault -> Dropbox/tiffany/1Password.agilekeychain
      • Secondary (my private) vault -> Dropbox/1Password/personal stuff.agilekeychain
    • Tiffany's mac:

      • Primary (her private) vault -> (not sync'd)
      • Secondary (shared) vault -> Dropbox/tiffany/1Password.agilekeychain
    • I have an Android phone as well, but since it doesn't support multiple vaults I haven't synced it in the last few months.

    At the moment I've disabled syncing completely on my Mac.

  • saagarp
    Community Member

    I'm guessing what may have happened is that, at some point, I screwed up the sync associations on my second Mac, and that device merged the two vaults. I put that device to sleep for a while and restored the Dropbox versions based on a backup on my primary Mac. Then the secondary Mac woke up, found a bunch of missing passwords, and re-synced them to Dropbox. Does that sound plausible?

    I guess, in short, the question is - if I delete an entry on one vault on one computer, and empty the trash, and then re-awaken a second machine that syncs to the same Dropbox vault but sees that the entry is now missing, what's the default behavior? Will it re-populate the missing entry to Dropbox, or is the sync journaled in such a way that the second Mac can tell it was deleted and do the same thing locally?

  • sjk
    1Password Alumni
    edited March 2014

    Hi @saagarp,

    Thanks for that detailed and helpful configuration summary and explanation. What you've described does sound like the most plausible explanation for what happened.

    Initially you mentioned that you:

    … restored from a backup and went about my day.

    And later clarified that you:

    … restored the Dropbox versions based on a backup on my primary Mac.

    I originally thought you had restored your 1Password database from a backup. To further clarify, did you mistakenly swap the two keychains on your secondary Mac?

    If it's possible, I suggest using keychain locations like these in Dropbox:

    • Primary (private) vault: Dropbox/1Password/1Password.agilekeychain
    • Secondary (shared) vault: Dropbox/tiffany/SharedStuff.agilekeychain

    1Password "prefers" Dropbox syncing its Primary vault to that (default) location/name and lessens possible issues when syncing with other non-Mac versions. Any other keychains that secondary vaults are synced/shared with are less location/name-dependent, as with the Dropbox/OrangeBits/OrangeBits.agilekeychain example in the How to share a non-primary vault guide.

    "if I delete an entry on one vault on one computer, and empty the trash, and then re-awaken a second machine that syncs to the same Dropbox vault but sees that the entry is now missing, what's the default behavior? Will it re-populate the missing entry to Dropbox, or is the sync journaled in such a way that the second Mac can tell it was deleted and do the same thing locally?"

    The item you've permanently deleted on the first Mac should also be permanently deleted on the second Mac after re-awakening and syncing.

    By the way, which version(s) of 1Password are you running on all the Macs?

    Please let me know if there's anything else I can help you with related to this or anything else.

  • saagarp
    Community Member

    OK, I tried to do what I thought was reasonable to test:

    1. I deleted the Dropbox vaults
    2. I disabled sync on all computers
    3. I exported my two vaults using 1password exchange format, and then reset 1Password on all computers.
    4. I re-created my two vaults.
    5. I re-imported the exported data, confirming the data was properly partitioned afterwards.
    6. I re-configured Dropbox sync:
      • primary vault for shared data, in Dropbox/1password/1password.agilekeychain
      • secondary vault for private data Dropbox/1password/personal stuff.agilekeychain

    I went to my second computer and opened 1Password after allowing Dropbox to sync the new files. It came up helpfully saying it had found my data, but it's showing 296 items in my primary Dropbox vault, when on my primary computer there are only 91 items in the vault.

    So, again, primary vault on main computer has 91 items (none in trash).
    Secondary vault on main computer has 211 items (none in trash).

    1Password.agilekeychain/data/default/ contains 300 files.
    personal stuff.agilekeychain/data/default/ contains 214 files.

    The 214 seems to make sense (211 + metadata), but the 300 in my primary vault looks like it's combining both vaults into the 1Password.agilekeychain file.

    and, to reiterate, at this point only ONE computer is touching the files on Dropbox (I have not yet provided the vault password on the second computer to actually unlock / set up the vaults.)

  • saagarp
    Community Member

    Also, looking at Dropbox version history, I can clearly see that all the files in the 1password.agilekeychain./data/default directory were created on my primary Mac [as expected].

  • saagarp
    Community Member

    I forced 1P to disable sync and delete 1Password.agilekeychain, and re-create it, and [for now] it's got the expected 95(ish) files. I'll watch the behavior again over the next few days.

  • saagarp
    Community Member

    sorry, to answer some earlier questions: I'm running OS X 10.9 and iPW 4.2.2 on all machines in question.

  • sjk
    1Password Alumni

    Hi @saagarp,

    Thank you for those step-by-step details of the reconfiguration of 1Password you've done. It sounds like that final recreation and resyncing of 1Password.agilekeychain got its early mismatch issue straightened out.

    I'm curious about this step:

    6. I re-configured Dropbox sync:

    • primary vault for shared data, in Dropbox/1password/1password.agilekeychain
    • secondary vault for private data Dropbox/1password/personal stuff.agilekeychain

    Is there a reason you're preferring to use the Primary vault for shared data instead of the secondary?

    Differences between the All Items count for a 1Password vault and the number of files in a keychain it syncs with can widely vary. For instance, one of my Primary vaults currently has 1456 items while the corresponding 1Password.agilekeychain it syncs with contains 2527 files.

    We'd be happy to take a closer look at your new configuration to check for any inconsistencies or other problems worth additional attention. To do that, please send us a Diagnostics Report from each Mac, along with a link to this topic, to support+forum@agilebits.com. A brief comment here mentioning that you've sent those reports would also be helpful. Thanks in advance!

  • saagarp
    Community Member

    The shared vault actually contains most of my useful data (credit cards, bank accounts, etc) that I share with my spouse. I keep it as my primary because the Android app doesn't understand multiple vaults yet, and I assume the Android app will only sync to the default 1PW Dropbox path, and I'd rather that be the useful vault rather than my internet forum passwords. :)

    My private 1PW vault is back up to 300 items. I know you mentioned that the numbers don't necessarily need to correlate, but the new files are definitely in the wrong spot; I opened one of the ~210 files that showed up this morning unexpectedly and can clearly see that it's tagged with data for a login that is only in my private vault, not in my shared vault... yet the data file is present in the shared vault's agilekeychain.

    It seems as though the application is intentionally writing ALL passwords to Dropbox/1Password/1Password.agilekeychain, even from my non-primary vault. At this point I don't even have multiple machines syncing, just multiple vaults being sync'd to Dropbox.

    I will submit the diagnostic information momentarily.

  • saagarp
    Community Member
    edited March 2014

    ok, I have a theory.

    In my 1Password.agilekeychain/data/default directory, I have CF19B6B5E620C0C71BF7E448FACC0F49.1password, which contains:

    {"uuid":"CF19B6B5E620C0C71BF7E448FACC0F49","updatedAt":1371572769,"locationKey":"umloud.org","securityLevel":"SL5","contentsHash":"d0980f74","title":"Umloud","location":"http:\/\/umloud.org\/login", [...]

    My Umloud account login is NOT part of the private vault (exported as 1Password.agilechain), but is part of my shared vault (shared stuff.agilekeychain). However, this data key is still present in the 1Password.agilekeychain bundle for some reason.

    If I look at contents.js (which I assume is used only by web client), the UUID CF19B6B5E620C0C71BF7E448FACC0F49 is not listed there, as expected. The web client properly shows 96 entries in the vault when unlocked.

    If I pull up 1PW on a second computer (unconfigured) and tell it to sync to this Dropbox vault, in the dropdown [see attached] it tells me there are 296 entries in the vault when there should only actually be 92. When I enter the vault password, it is able to successfully decrypt and sync all 296 vault entries (which it definitely should NOT be able to do, since I theoretically have two vaults with different passwords.)

    Anyways, from a software guy's point of view, it looks like 1PW is, for some reason, writing entries from one vault into the wrong Dropbox target. It is also doing so in such a manner that these entries can be decrypted with /the wrong vault's password/ (I went through and confirmed this myself). The first is just annoying, the second seems like a major problem.
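
The check described in the post above (an item file sitting in data/default whose UUID is not listed in contents.js), automated as an added example that is not part of the original thread or 1Password's own code. It assumes contents.js is JSON containing the UUID of every indexed item; `indexed_uuids`, `audit_keychain` and `build_sample` are hypothetical names, and the sample bundle is constructed.

```python
import json
import re
import tempfile
from pathlib import Path

# Assumption: contents.js is JSON that lists the UUID of every indexed item.
UUID_RE = re.compile(r"^[0-9A-Fa-f]{32}$")

def indexed_uuids(node):
    """Collect every 32-hex-digit string anywhere in the parsed contents.js."""
    if isinstance(node, str):
        return {node.upper()} if UUID_RE.match(node) else set()
    if isinstance(node, list):
        return set().union(*(indexed_uuids(n) for n in node))
    return set()

def audit_keychain(bundle):
    """Return (uuid, title, updatedAt) for item files the index does not list."""
    data = Path(bundle) / "data" / "default"
    index = indexed_uuids(json.loads((data / "contents.js").read_text()))
    strays = []
    for item in sorted(data.glob("*.1password")):
        try:
            meta = json.loads(item.read_text())
        except (OSError, ValueError):
            meta = None
        if not isinstance(meta, dict):  # flag damaged files instead of skipping them
            strays.append((item.stem.upper(), "<unreadable item file>", None))
            continue
        uuid = str(meta.get("uuid", item.stem)).upper()
        if uuid not in index:
            strays.append((uuid, meta.get("title"), meta.get("updatedAt")))
    return strays

def build_sample(root):
    """Constructed bundle: two indexed items plus one file missing from the index."""
    data = Path(root) / "Sample.agilekeychain" / "data" / "default"
    data.mkdir(parents=True)
    ids = ["A" * 32, "B" * 32, "C" * 32]
    for n, uuid in enumerate(ids):
        meta = {"uuid": uuid, "title": f"item-{n}", "updatedAt": 1400000000 + n}
        (data / f"{uuid}.1password").write_text(json.dumps(meta))
    (data / "contents.js").write_text(json.dumps([[u, "constructed-type"] for u in ids[:2]]))
    return data.parent.parent

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for uuid, title, updated in audit_keychain(build_sample(tmp)):
            print(f"not in contents.js: {uuid}  title={title!r}  updatedAt={updated}")
```

Run against a copy of the synced bundle, this names the specific unindexed files rather than relying on file counts, which the thread notes can legitimately differ from the item count.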

  • saagarp
    Community Member

    Forgive me if it seems like I'm making a lot of assumptions/accusations, I'm just trying to make relatively educated guesses about how the software works. It's entirely possible I'm off-base, but I do honestly believe something is awry here.

  • Ben

    Hi there,

    I'm trying to get you a more detailed reply than what I would be able to give on this issue, but I'm having some difficulty tracking down your diagnostic report. Could you please send me a private message here on the forums indicating what email address you sent your diagnostic report from? I don't see anything from the email address you used to register for the forums with.

    Thanks!

    Ben

  • Ben
    edited March 2014

    Awesome, got your message @saagarp. I've let one of our specialists know about this thread and hopefully they'll be with us soon to help us figure this out. Thanks!


  • actionscripted
    Community Member
    edited April 2014

    Just wanted to chime in that I'm having the same issue here. We use 1Password on a few different machines with a shared company agilekeychain file in Dropbox. Most folks only have a Primary vault, whereas I have a personal vault that syncs to a different agilekeychain file in Dropbox. All of my personal vault items are appearing in the Primary vaults for everyone.

    To follow the feedback format above:

    • Mac-Me

      • Primary: ~/Dropbox/[company]/[company].agilekeychain
      • Personal: ~/Dropbox/Apps/1Password/Personal.agilekeychain
    • Mac-everyone else

      • Primary: ~/Dropbox/[company]/[company].agilekeychain

    Again, all of my personal vault items appear in the primary/company vaults on everyone else's computers.

  • saagarp
    Community Member

    I worked with a support person and the eventual result was that the issue was particular to a bug in 1PW 4.2; try installing the beta version (4.3-beta8 or higher) and restoring your backups -- I haven't had an issue since.

  • saagarp
    Community Member

    (you will possibly need to blow away the Dropbox files and reset the shared vaults on the other persons' machines, unfortunately.)

  • sjk
    1Password Alumni
    edited April 2014

    Hi @actionscripted,

    I'm really sorry you're having this problem with 1Password data from your personal secondary vault appearing in other primary vaults where it doesn't belong. The resolution could be similar to what @saagarp explained he did for his issue and we'd also like to work out the details with you directly in email. To do that, please start by sending us a Diagnostics Report from your "Mac-Me" system, along with a link to this topic and your forum username, to support+forum@agilebits.com. After you've sent the report a brief comment here mentioning it would be helpful. Thank you!

  • actionscripted
    Community Member

    Hey @sjk: I didn't see the response/notification so I'm sorry to reply to an old thread so late. We have everything cleaned up now. Since I was the only one with a personal vault polluting the company (primary) vault on other machines here's how we fixed things:

    • I made a local backup of my personal vault and removed it from 1Password
    • Everyone using the shared primary vault disabled Dropbox sync and deleted everything from their 1Password instances
    • I re-synced my primary back to Dropbox
    • Everyone turned on Dropbox sync and pointed their primary vault to the clean, shared keychain

    And now we're golden. Thanks so much for following up @sjk, my apologies again on responding to an old thread but I hope maybe this can help someone else.

  • Megan
    1Password Alumni

    Hi @actionscripted

    On behalf of @sjk, thanks so much for letting us know that you're all sorted out, and for including your fix steps.

    I can't tell you how much I apologize for the trouble here - that can't have been a fun problem to sort out.

    If you have any further questions or concerns, we're here for you!

This discussion has been closed.