Safari Tech Preview with version 6, and Families subscription with external vaults

I have two questions:
1) I have been happily using the latest version 6, until recently, when suddenly Safari Tech Preview stopped working with the 1P extension. I can't see any way to reinstall it. It continues to work fine with Chrome, Firefox, and Safari. How can I make it work again?

2) I'm considering upgrading our Family product to the subscription (though I really hate subscription software, and consider your strong push to that to be the one really significant downside to your product). If I do that, it will by default put vaults on your cloud service. Can I still have vaults somewhere else as well? (Box, iCloud, Dropbox, whatever.)

...and while I'm at it: Can I still upgrade the family license instead of getting the subscription?

Thanks.

Comments

  • brenty

    Team Member

    @alexisrosen: Recent releases of STP have known issues in this area. They've been reported to Apple, and hopefully they'll be addressed in an update -- though I am not holding my breath with WWDC around the corner.

    Regarding a 1Password Families membership, you can use local vaults too, but it's not recommended since you're then giving up a lot of functionality, convenience, and security that depends on the encrypted data being hosted in your account:

    • Sharing
    • Travel Mode
    • Automatic offsite backup and item history
    • The added security of the Secret Key (which you won't get with *Box, etc.)
    • Account recovery -- a really awesome feature to help family members who get locked out -- will be useless if the encrypted data is not even stored in the account

    1Password licenses are sold per-user. "Family" licenses have not been available for years, since they caused a lot of confusion and were not support convenient ("Why can't my family use the [insert name of platform with separate app store] app without paying again?", etc.) With a 1Password Families membership, it's more convenient, more secure, and, for many, more affordable (since buying separate licenses for each platform for up to five family members can quickly add up).

    I hope this helps. Be sure to let me know if you have any other questions! :)

  • Thanks for your quick response. That's two out of three, pretty good, but you didn't quite answer question #2. I'd like to be able to share vaults with other 1password users who are NOT using your cloud service (say, they're still on version 6). So I'd like to be able to have some vaults on dropbox (google, icloud, whatever) in addition to your cloud service.

    It always seemed weird to me that you didn't allow any number of different cloud services, since the code's all written and it wouldn't add much complexity.

    Come to think of it... What if I configured it to use local vaults in addition to your cloud service, and the local folder contained either symlinks or aliases into dropbox and icloud folders? Would that work? Or would it use a file format (or locking protocol) incompatible with multiple simultaneous users/updaters?

  • brenty

    Team Member

    Thanks for your quick response. That's two out of three, pretty good, but you didn't quite answer question #2. I'd like to be able to share vaults with other 1password users who are NOT using your cloud service (say, they're still on version 6). So I'd like to be able to have some vaults on dropbox (google, icloud, whatever) in addition to your cloud service.

    @alexisrosen: I don't see where you asked that in your original post, but it's a good question and I'm happy to answer it. :)

    Indeed, 1Password memberships' sharing features work between people who are part of the same plan: for example, I can share vaults securely with my colleagues here, being part of the AgileBits company account; and I can share them with my family members whom I've invited to my family plan. In both cases, each person has their own account and credentials, with a Personal/Private vault only accessible to them, and then access to any other vaults shared with them. That all works because part of the process of getting an invitation to join a family/business plan and signing up exchanges the equivalent of public keys between members. That way it's secure and seamless: people can share with each other just as easily as they'd copy items to or from any 1Password vault, without needing to understand, set up, and manage something like GPG themselves. So, in that regard, sharing depends on the 1Password service being used between all concerned.

    As I mentioned above though, you can use local vaults in addition to that, and you could certainly share those using Dropbox, etc. But all of that would depend on you and those involved managing file sharing, exchanging passwords for each vault, configuring them on each device, etc. So it's quite separate, and really a night and day difference.

    It always seemed weird to me that you didn't allow any number of different cloud services, since the code's all written and it wouldn't add much complexity.

    You should try it. ;) All of these services have separate APIs, different ways of handling data that need to be accounted for (or at least understood to avoid compatibility issues), and with us supporting multiple platforms it is no small feat to develop, test, and support each different configuration. Never mind the fact that when stuff breaks with 3rd party services, we have no special insight into why or ability to fix it. They're great for their intended purposes, but we've built our 1Password service specifically for the needs of 1Password, so it's more efficient for what we all need as 1Password users and within our power to improve as those responsible for 1Password working well for our customers.

    Come to think of it... What if I configured it to use local vaults in addition to your cloud service, and the local folder contained either symlinks or aliases into dropbox and icloud folders? Would that work? Or would it use a file format (or locking protocol) incompatible with multiple simultaneous users/updaters?

    I'm not 100% sure I understand what you're asking, but if you mean syncing a single local vault using multiple services, that's a bag of hurt. Honestly, you can try it. The 1Password desktop apps can sync to an arbitrary folder on your local drive, and then you can do whatever you want from there. But don't blame me when you hose your data. Back up religiously. And good luck. You'll need it. They all work differently, and as far as the exact constraints and results, you'd need to talk to their developers. 1Password just reads and writes to its own files on disk, same for everyone. Outside of that, we don't have control over any shenanigans that go on with other software. And there will be shenanigans! File sync tools are really amazing in that they work at all between different platforms and filesystems. So there can definitely be quirks, especially with more than one involved. And that's putting it mildly. Seriously, I don't recommend it unless you just really enjoy breaking things and have the time to figure out how to fix them. :)

  • brenty

    Team Member

    @alexisrosen: Following up on my initial comment, a colleague pointed out that I overlooked that you're asking about 1Password 6 connecting to Safari Tech Preview. This won't work at all going forward, as Apple is ditching the old (.safariextz) extensions, will be shutting down the only source of them (their gallery) any day now, and Safari App Extensions (which are used now by 1Password 7) are what will be required going forward. STP 80 and higher does not support the old extensions already, so that simply can't work with the old version of 1Password. You'd need to upgrade to 1Password 7 or switch to another browser (e.g. Firefox, Chrome/-based). Sorry for missing that.

  • Sorry for the delay here, I was away last month.

    I'm not sure where your confusion was, but let me try again.

    Assume, to begin with, that I've upgraded to 1P7, and that I have a main vault stored on your service. But I need to share passwords with people who are not part of any group account, and might still be using 1P6. I can think of two scenarios that might plausibly work. Will they?
    1) Use Dropbox (or iCloud, etc.) for a separate vault, and share that.
    2) Use a local vault. But once that vault is created, move it into a folder shared by DropBox/iCloud/etc., and then make a symlink (or alias) back to where it was created (presumably, something in ~/Library/Group Containers/2BUA8C4S2C.com.agilebits/Library/Application Support/1Password/ ?). Then that vault would continue to work locally, and would also be synched and available to the various share users.

    If neither will work, what will?

    Thanks.

  • edited July 9

    Separately, I wrote "It always seemed weird to me that you didn't allow any number of different cloud services, since the code's all written and it wouldn't add much complexity.". You responded that it was too hard, APIs were all different, etc.

    Dealing with those sync services might be hard... but you've already done the work! You support them all right now. And you allow users to use any one of those services. What I was asking was for you to allow a choice of sync service per vault. This can be important when sharing with people who are on different services. For example, I'd like to share a vault with a friend who uses dropbox, and another vault with a coworker who uses icloud. Your software already supports this - just not at the same time.

    I am specifically not suggesting that you allow syncing a single vault using multiple services at once.

  • BenBen AWS Team

    Team Member

    @alexisrosen

    We don't support sharing 1Password data except through 1Password.com. Sharing through Dropbox is not supported due to the technical difficulties it inevitably creates and sharing through iCloud isn't possible. If you sign up for a 1Password Families membership and need to share a handful of items with a few people outside of your family you can invite them as guests, which will get them access to the latest versions of 1Password:

    Share with guests in 1Password Families

    They can continue to use their own standalone vaults alongside that, if they have any, but ideally they too would upgrade to their own membership. If you want to try one of the setups you've proposed that would certainly be your prerogative but it isn't something we can help set up or help fix.

    Ben

  • edited July 9

    Ben, this makes absolutely no sense to me.

    In 1P6, sharing vaults over dropbox works fine. I've done this for years, both between my own devices (macs and iphone) and with others who need to access shared passwords. Are you saying this is unsupported because it's buggy?

    If so, is it unsupported in 1P7 only, or are you claiming that it's unsupported in 1P6 as well?

  • brenty

    Team Member

    @alexisrosen: I don't see where Ben said anything of the kind. His point is that we are not Dropbox. You can certainly sync files using Dropbox, but if you need help with that, you'd need to get support from Dropbox. The same would apply to iCloud, which is also not our service.

    Regarding syncing different things using different services, that's already possible, but there are limitations based on those. For example, you can sync the Primary vault using iCloud or Dropbox, and additional local vaults using Dropbox. iCloud, however, has no cross-account sharing mechanism for CloudKit, which is what Apple built for apps (like 1Password) to sync data; it will only sync the database between devices using the same Apple ID. Dropbox is more flexible in that you could probably even sync different vaults with different Dropbox accounts using their sharing feature...but again that's outside the scope of 1Password; 1Password is just writing the files, that's it.

    If you're using a 1Password membership, we can offer support for syncing/sharing issues, as we built that; and if there is a bug, we can fix it; and we can potentially add features as well in the future. There is literally nothing we can do to fix or improve 3rd party services.

  • (Apologies for the delays, I'm out a lot this summer)

    I think I may see what's going on - we're using the word "support" differently. When I asked for you to "support" using multiple sync services, I meant that I wanted your software to make this possible. (As of 1P6, you can pick one and only one sync service for all your vaults in the preferences section.) On the other hand, I think when you are using the word "support", you mean "provide technical support for". I'm definitely not asking for that, except to the extent that I'd like clear documentation of what's supposed to work and what isn't.

    @brenty: Let me see if I understand what you're saying above. While I can't use the preferences syncing section to sync different vaults through different syncing services (which is what I was originally asking for), I can use the features of those sync services to sync the vaults as I like, I just have to tell the sync services to access the vaults where 1P puts them (or, possibly, move the actual vaults to the synced folders, and put symlinks in the place of the original vaults- I'd experiment). But you won't provide tech support for this.

    So... Let me ask this, as I think these three questions should cover everything:
    1) If I have a local vault, and I arrange for something like Dropbox to sync it - as opposed to setting up a synced shared vault using the sync section of the 1P6 preferences - is that safe, barring bugs in Dropbox? Specifically, if I have 1P running on a Mac and a phone, and I change a password on the phone and then it gets synced via dropbox (or similar) to the Mac, will that change be properly noticed and used by my Mac?
    2) Is there a meaningful file format difference between 1P vaults that are meant for local use, and vaults that are synced (by the sync controls in 1P6)?
    3) If my brother and I are both running 1P6, and share a dropbox folder, and we both tell our 1P6 to open the vault shared in that dropbox, does that work? Or will it break if we both try to modify passwords? (I'm not worried about modifying the same password, just different pws in the same vault).

    And lastly, if I upgrade to 1P7, I will not be able to get everyone else to upgrade too. Will I still be able to do all the syncing things I can do in 1p6, once I'm upgraded to 7?

    Thanks.

  • brenty

    Team Member

    @alexisrosen: No worries. Thanks for following up. I hope you're having a great summer! :)

    I think you're right that to an extent it comes down to semantics, and I'm sorry if I contributed to some confusion in that regard. Happy to answer your questions:

    1) If I have a local vault, and I arrange for something like Dropbox to sync it - as opposed to setting up a synced shared vault using the sync section of the 1P6 preferences - is that safe, barring bugs in Dropbox?

    Ultimately the "safety" (or lack thereof) here is outside of 1Password, but not limited to the sync service: 1Password just reads and writes files to disk, so anything that goes wrong with that from one end to the other (devices you have syncing, and everything in between) can contribute to that. That's a whole can of worms right there, and a big reason we put the time and effort into building our own sync solution: we can validate the data from start to finish. 3rd party sync services, understandably, don't know or care about what constitutes valid 1Password data, so there's a lot that can go wrong. Back in the day, a not uncommon refrain was that sync includes deletion and data corruption, where we're dealing with files; so something going wrong on one device could propagate to the others. We're able to avoid things like that happening, being in control of the whole chain, from one device to all the others.

    Specifically, if I have 1P running on a Mac and a phone, and I change a password on the phone and then it gets synced via dropbox (or similar) to the Mac, will that change be properly noticed and used by my Mac?

    The Master Password is never stored with your data. So it cannot sync. What would happen is that you'd make the change on one device, which ends up with the data being modified using the new Master Password, and then you'd need to unlock using your "old" Master Password on the other device(s) in order to have those changes sync. From then on, you'd be able to unlock using the new one.

    2) Is there a meaningful file format difference between 1P vaults that are meant for local use, and vaults that are synced (by the sync controls in 1P6)?

    No. While technically the mechanisms of sync used by Dropbox and iCloud are completely different (file versus database), the structures are the same. The OPVault file format is essentially structured the same way as what is used to sync values over iCloud, with the difference being mainly implementation details based on each service.

    3) If my brother and I are both running 1P6, and share a dropbox folder, and we both tell our 1P6 to open the vault shared in that dropbox, does that work?

    It should, yes. As I mentioned above, there's a lot that can go wrong. But that's essentially how I used 1Password for years. Just make sure you back up your data, in case anything goes wrong -- for example, it's easy to misconfigure something and end up overwriting/merging data you didn't mean to.

    Or will it break if we both try to modify passwords? (I'm not worried about modifying the same password, just different pws in the same vault).

    You can run into issues if you're both using the same vault synchronously, as that can easily lead to sync conflicts.

    And lastly, if I upgrade to 1P7, I will not be able to get everyone else to upgrade too. Will I still be able to do all the syncing things I can do in 1p6, once I'm upgraded to 7?

    As long as you're using the OPVault format, that will be usable by both 1Password 6 and 1Password 7.

    I hope this helps. :)

  • This does help, thanks, but you again brought up something that I didn't mention, which has confused the issue. In the second part of your answer to question 1, you say "The Master Password is never stored with your data". I can't imagine why you decided I was talking about the master password. I said "change a password". As in, any password stored by 1P.

    Let me be even more explicit. I've got 40 years experience coding in a variety of contexts, including lockless multi-writer database design, so don't be shy with technical details... My question is: Is the structure of your vault such that modifications to one item in the vault can not affect another item in the vault? If writer A changes the password, or other data, for object 1, and meanwhile writer B changes data for object 2, is there ever any circumstance in which corruption can result, ASSUMING the sync service functions correctly? (The obvious and naive implementation would do file-per-object, with no shared indices, though more sophisticated possibilities exist.)

    Secondarily, assuming the answer to the first question is yes, will changes to objects be noticed immediately after sync? This would imply that objects are not cached, or that caches are invalidated by checking mtime (in Unix parlance) on the relevant directories and files every time the service is used, or that FSEvents/inotify/whatever-the-hell-windows-does are used.

    My experience so far is that the answer to both questions is yes, but I'd really like to know that that is by design and not just luck so far. I'm especially concerned by this comment: "You can run into issues if you're both using the same vault synchronously, as that can easily lead to sync conflicts." That would tend to imply that there are single files that contain data for all objects (or at least more than one) and that contention on that file could corrupt the vault.

    Thanks.

  • BenBen AWS Team

    Team Member
    edited August 13

    Hi @alexisrosen,

    Just to reiterate we do not recommend attempting to use Dropbox to share 1Password data with another person. Note that you won't see anything in the 1Password UI about sharing when it comes to Dropbox: only syncing.

    With that said, the answer to your question is yes: two people editing different items at the same time can cause a conflict. Our OPVault sync format (which is what you should be using to sync with Dropbox) uses "bands" so two different items that end up in the same band, when edited at the same time, would cause a file conflict in Dropbox. 1Password for Mac has logic built in to look for these conflict files and resolve them automatically whenever possible. So you may have actually had conflicts and not known / realized it, because they were automatically resolved. The older Agile Keychain format was not as robust when it came to this as it had a shared "index" (contents.js if memory serves) which was more susceptible to conflicts that could not automatically be resolved. If you are using Agile Keychain you should upgrade.

    Does that address the question? Please let me know. Thanks!

    Ben
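The band behaviour described in the reply above can be modelled to see when two writers editing different items still collide on one file. This is an added example, not 1Password's code and not part of the original thread. It assumes the band file is chosen by the first hex digit of the item UUID, that an Agile Keychain edit rewrites a per-item file plus the shared contents.js, and that Dropbox names conflicts "<name> (<user>'s conflicted copy YYYY-MM-DD).<ext>"; the UUIDs and file names are constructed.

```python
import re

HEX = "0123456789ABCDEF"

def touched_files(item_uuid, fmt="opvault"):
    """Files one item edit rewrites, under the assumptions stated in the lead-in."""
    uuid = item_uuid.strip().upper()
    if len(uuid) != 32 or any(c not in HEX for c in uuid):
        raise ValueError(f"not a 32-hex-digit item UUID: {item_uuid!r}")
    if fmt == "opvault":
        # Assumption: 16 band files, selected by the first hex digit of the UUID.
        return {f"band_{uuid[0]}.js"}
    if fmt == "agilekeychain":
        # Assumption: one file per item plus the shared index named in the thread.
        return {f"{uuid}.1password", "contents.js"}
    raise ValueError(f"unknown vault format: {fmt!r}")

def contended_files(edits_a, edits_b, fmt="opvault"):
    """Files both writers rewrote between syncs: candidates for a sync conflict."""
    files_a = set().union(*(touched_files(u, fmt) for u in edits_a))
    files_b = set().union(*(touched_files(u, fmt) for u in edits_b))
    return sorted(files_a & files_b)

# Assumed Dropbox naming for a conflicting upload of the same path.
CONFLICT_RE = re.compile(
    r"^(?P<name>.+?) \((?P<who>.+)'s conflicted copy "
    r"(?P<date>\d{4}-\d{2}-\d{2})\)(?P<ext>\.\w+)$"
)

def conflict_copies(filenames):
    """Map each original file name to the (user, date) conflict copies found for it."""
    found = {}
    for fn in filenames:
        m = CONFLICT_RE.match(fn)
        if m:
            original = m["name"] + m["ext"]
            found.setdefault(original, []).append((m["who"], m["date"]))
    return found

# Constructed sample item UUIDs (not real vault data).
ITEM_A = "3F2A9C0D5E6B4A718890ABCDEF012345"   # writer A, lands in band_3
ITEM_B1 = "3B71D2E4F5A6478899AABBCCDDEEFF00"  # writer B, also band_3
ITEM_B2 = "C04D11E2A3B4456677889900AABBCCDD"  # writer B, band_C

# Constructed listing of a synced vault folder.
LISTING = [
    "band_3.js",
    "band_3 (Writer B's conflicted copy 2019-01-01).js",
    "band_C.js",
    "profile.js",
]

if __name__ == "__main__":
    print("OPVault, same band:   ", contended_files([ITEM_A], [ITEM_B1, ITEM_B2]))
    print("OPVault, other band:  ", contended_files([ITEM_A], [ITEM_B2]))
    print("Agile Keychain:       ", contended_files([ITEM_A], [ITEM_B2], "agilekeychain"))
    print("Conflict copies found:", conflict_copies(LISTING))
```

Under this model, two different items collide in OPVault only when their UUIDs share a first hex digit, while every pair of Agile Keychain edits collides on the shared index.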

  • Thank you!

    Yes, that does finally answer my question.

    As a (hopefully last) followup, if I want to upgrade to the OPVault format, is it as simple as creating a new vault, moving all items into it, and then replacing the old one with the new one? Or do you have a document covering this?

  • BenBen AWS Team

    Team Member

    @alexisrosen

    I'm glad that helped. If you're still on 1Password 6 for Mac at this point then we do have a guide:

    https://support.1password.com/cs/switch-to-opvault/

    If you've upgraded to 1Password 7 then it would necessitate using OPVault; it doesn't support Agile Keychain. If all you have is an Agile Keychain then 1Password 7 isn't syncing with it. If you find that is the case please let us know and we'll have to do a little troubleshooting. :)

    Ben
