Where is the vault being decrypted when using the CLI?

Hello,

I've been trying to write a wrapper for the CLI to make it work just the way I like it. However, there are some things I've noticed from using the CLI that make me a bit uneasy.

  • The CLI doesn't work (can't get session tokens) without a network connection. Does this mean the master password is being sent to 1Password servers for the session tokens to be generated?
  • You cannot signout or list items without a network connection. Does this mean that the vault is being decrypted on 1Password servers?

Thanks!


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Ubuntu 18.04 LTS
Sync Type: Not Provided

Comments

  • felix_1pfelix_1p

    Team Member

    Hi @airplaneap !

    I can assure you that neither is your Master Password sent to our servers nor are your vaults decryped on your servers (we can't because we don't have the Master Password or Secret Key).

    The reason why the command line tool only works online is because unlike other clients it doesn't maintain a local copy of the vaults. When you access a vault or vault item the tool therefore has to request the (encrypted) data from the server, and then decrypts it locally, in memory.

    As for the session token: Just like the other clients, the command line tool use SRP to establish a session, so no secrets are sent to our servers (https://support.1password.com/secure-remote-password/).

    I hope this addresses your concerns. If you have more questions please let me know.

  • Thanks for responding so quickly Felix! That's a relief :)

    One more thing. The session token is automatically invalidated in 30 minutes and you do not need to provide the master password again in that time. Does this mean that the master password is stored in memory during that time so that whatever encrypted vault contents are fetched can be decrypted?

  • felix_1pfelix_1p

    Team Member

    @airplaneap

    Does this mean that the master password is stored in memory during that time so that whatever encrypted vault contents are fetched can be decrypted?

    The master password is only stored in memory for as long as op signin runs. Subsequent command invocations use data in the session file, which is accessed and decrypted via the session token.

Leave a Comment

BoldItalicStrikethroughOrdered listUnordered list
Emoji
Image
Align leftAlign centerAlign rightToggle HTML viewToggle full pageToggle lights
Drop image/file