Deleted 1Password membership accounts

This discussion was created from comments split from: Please help me !!!.

Comments

  • gazu
    Community Member

    @skxs067

    Luckily you should be protected because AgileBits don't actually remove your data when you delete a user or an account.

    @peacekeeper

    Disaster recovery and data availability requirements mean that AgileBits has a legitimate interest in maintaining secure and immutable backups. Erasure requests will leave those backups untouched, and we will only remove data from backups if legally compelled to.

    https://1password.com/legal/privacy/

    Deleting an account (or a user) only 'expunges' your data from local systems. ;)

    AgileBits' interpretation of the GDPR is that you can request deletion but they're not obliged to alter their backup data unless a court compels them to.

    I assume there's an undisclosed period of time before their backups are recycled (probably months/years) and only then will the data be permanently deleted.

  • AGAlumB
    1Password Alumni

    @gazu: I appreciate the good intentions of transparency, but I’d like to clear a few things up here so folks who read this thread don’t get false hope about the situation. Account/user deletion is not a local thing; it happens on the server. You're correct that the encrypted data is not necessarily purged immediately, but the key word here is "encrypted": when the keys have been deleted, nothing will be recoverable. So the best thing to do is, as Jacob suggested above, contact us via email so we can help find the best solution for your specific case.

  • gazu
    Community Member

    @brenty

    You're correct that the encrypted data is not necessarily purged immediately, but the key word here is "encrypted": when the keys have been deleted, nothing will be recoverable.

    I'm not sure I follow - which keys are deleted?

    I understood the only relevant 'keys' in 1Password were the master password and the secret key. Some applications use a Key Encryption Key (KEK) but if you were to destroy that key then the data would become unreadable - this would make backups a waste of time.

    The privacy policy says:

    Erasure requests will leave those backups untouched...

    How can you reconcile that statement with your comment:

    "when the keys have been deleted, nothing will be recoverable."

    I'm only trying to better understand how 1Password works underneath the hood; I'm not being obtuse. :)

  • "Keys" are perhaps not the best way to talk about this. The long and short of the situation is that we don't keep deleted accounts around forever. They are / may be purged at any time. As such, we don't recommend relying on the possibility of us being able to "un-delete" an account. While in some cases we may be able to accommodate such requests, that certainly will not universally be the case. It is largely going to depend on when the account was deleted and if that data has been purged. Deleted accounts could be permanently removed at any point.

    Ben

  • AGAlumB
    1Password Alumni
    edited May 2019

    @gazu: 1Password has always used a chain of encryption keys. For example, even in its simplest form (earlier local vaults), the Master Password was not used directly to encrypt data. If that were the case, changing the Master Password would require re-encrypting everything. That's not only costly in terms of time and energy, but also we wanted to use a really strong encryption key for the data itself -- much stronger than anyone's Master Password could be in order to remember and type it. So using the Master Password to encrypt a random encryption key which in turn encrypts the data solved both of those problems. 1Password accounts do something similar, but the chain of encryption keys is much longer, in order to facilitate multiple vaults (which also each have their own encryption keys) and sharing them with others without having to give them the keys to everything else. You can get a much better sense of how all of this works from the white paper:

    1Password security

    I think maybe a more concrete example similar to this is iOS device wipe. Rather than overwriting everything with random data to erase, since device encryption uses a random key (which in turn is encrypted using the device passcode), only the encryption key needs to be destroyed for the device to be wiped remotely. Cheap, quick, and easy.

    So, getting back to the earlier point, 1Password backups don't have to be destroyed completely right off the bat in order for the data to be lost forever on account deletion. Hope that helps. :)

This discussion has been closed.
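The key-chain and key-destruction idea discussed in the thread, as an added example that is not part of the original posts and is not 1Password's code or actual design. It models a password-derived key wrapping a random data key, and goes one step further than the thread by comparing a backup that holds only vault ciphertext with one that also holds the wrapped key. All function names are hypothetical, and the HMAC-based cipher is a toy stand-in for a real AEAD such as AES-GCM.

```python
import hashlib, hmac, secrets

def _sub(key, label):                  # independent sub-keys for encryption and MAC
    return hmac.new(key, label, hashlib.sha256).digest()

def _xor_stream(key, nonce, data):     # toy keystream: HMAC-SHA256 in counter mode
    ks = b"".join(hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def seal(key, plaintext):              # encrypt-then-MAC, stand-in for an AEAD cipher
    nonce = secrets.token_bytes(16)
    ct = _xor_stream(_sub(key, b"enc"), nonce, plaintext)
    return nonce + ct + hmac.new(_sub(key, b"mac"), nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    want = hmac.new(_sub(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, want):
        raise ValueError("wrong key or modified ciphertext")
    return _xor_stream(_sub(key, b"enc"), nonce, ct)

def kek(password, salt):               # key-encryption key derived from the password
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def create_account(password, items):
    salt, dk = secrets.token_bytes(16), secrets.token_bytes(32)   # dk: random data key
    return {"salt": salt, "wrapped_key": seal(kek(password, salt), dk), "vault": seal(dk, items)}

def read_vault(record, password):
    data_key = unseal(kek(password, record["salt"]), record["wrapped_key"])
    return unseal(data_key, record["vault"])

def change_password(record, old, new): # re-wraps the data key; vault bytes untouched
    data_key = unseal(kek(old, record["salt"]), record["wrapped_key"])
    record["salt"] = secrets.token_bytes(16)
    record["wrapped_key"] = seal(kek(new, record["salt"]), data_key)

def recoverable(backup, password):
    try:
        return read_vault(backup, password) is not None
    except (ValueError, KeyError):     # bad key, or key material absent from the copy
        return False

def demo():                            # constructed sample data
    acct = create_account("sample-pass", b"constructed vault item")
    data_only, full_copy = {"vault": acct["vault"]}, dict(acct)   # two backup styles
    acct.clear()                       # deletion destroys the live salt + wrapped key
    return recoverable(data_only, "sample-pass"), recoverable(full_copy, "sample-pass")
```

`demo()` returns `(False, True)`: in this model, destroying the wrapped key makes leftover vault ciphertext unreadable even with the right password, but only if no retained copy also contains that wrapped key.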