Support for local vaults?

I see "To use 1Password, you need a 1Password membership" (https://support.1password.com/cs/getting-started-linux/), are you planning on building support for local vaults via regular software licences?

I'm a long-time 1Password user who's paid for many upgrades over the years, but I don't ever want my vault stored on someone else's server or tied to somebody else's business or deprecation whims. Running fully locally is very important to me, and with the Mac client I'm able to do this.


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Linux
Sync Type: local

Comments

  • Ben, AWS Team

    Team Member

    Hi @ketralnis

    Membership is the way forward with 1Password. There is just so much more that we can offer there than with standalone vaults synced with third-party services (or not synced at all). At this time we do not plan to add support for licenses or standalone vaults to 1Password for Linux.

    That said we'd be happy to try to address any concerns with syncing your encrypted data with 1Password.com, if that's a conversation you're interested in having. :)

    Thanks!

    Ben

  • For me a standalone vault would be useful because there are some passwords I don't want to sync to all of my connected computers; for example, I don't want my bank passwords synced to my work laptop. No problem with the subscription model, but please consider standalone vaults for use cases such as the above.

  • Ben, AWS Team

    Team Member

    Thanks @tomgibson. We'll continue to brainstorm about how we might address that problem.

    Ben

  • Local vaults would fix that problem.

    I've been waiting for Linux 1password to come out for years, and was about to give up - have started migrating to another system instead.

    I saw this and thought "finally, I can go back to 1Pass and ditch the other system" - at least until you said you wouldn't support local vaults.

    It's not that I don't trust you guys, I do... But I'll never put my password database into a cloud service that I don't totally control. If that means I have to stop using your system, then that's what I'll have to do. I don't want to, though... So I really hope you add back in local vault support.

  • Ben, AWS Team

    Team Member

    Hi @Deadpan :)

    Thanks for checking out the preview.

    Local vaults would fix that problem.

    That's not a solution that is going to be viable at this point.

    But I'll never put my password database into a cloud service that I don't totally control. If that means I have to stop using your system, then that's what I'll have to do.

    If that's absolutely a non-starter for you then unfortunately I don't think 1Password is going to be a good solution for you going forward. Membership is the path that we're on and that's likely to be true for the foreseeable future. That said I'd encourage you to read up on our security model before making that determination. I used to think the same way you do, but we've built a model that provides a level of security comparable with that of local vaults. The Secret Key is a big component of that.

    Thanks for considering.

    Ben

  • roustem, AgileBits Founder

    Team Member
    edited August 17

    It would be really difficult to support old-style local vault files.

    One potential workaround could be to run a Docker container that provides 1Password.com service locally. I am not sure how many people would be interested in that, it would require a bit of technical knowledge.

    Let me know if this is something that might work for you and if enough people are interested, I could get a Docker image ready.

  • lumarel
    edited August 17

    If I'm allowed to write something about this as well.

    I was really concerned about the closed infrastructure of the 1Password subscription as well (until I moved there because the Dropbox service got so horrible for my "less secure" vaults).

    I would definitely be on the train if there is a possibility (for all platforms, not only Linux) to host the service on my own.
    Yes, of course you, the 1Password team, are always in control of this locally hosted cloud service, but if you can assure that the data is only hosted on the self-hosted infrastructure (and can't be moved/copied elsewhere), this would definitely be a step in the direction where local databases aren't needed any more.

    There is only one more problem, which is... what if the cloud service does not work anymore? Because of internet outages, expired certificates, or some other thing I can't think of right now (in case the local cache is not up to date ^^).
    With the opvault vaults I always have multiple ways to recover my data; even if Windows (or the Windows application) is broken, it is "kind of easy" to decipher the vault with a self-written (or open-source and trustworthy) script.
    It is also snapshot-able to the hell, as it can be put on any filesystem which supports that. There is never the possibility to lose any of the data.
    For some weeks already (since I changed to the subscription), I've been searching for a solution to back up my passwords securely, externally (on my own hardware), automatically.

    Nevertheless, the locally hosted cloud service would further help to promote 1Password at the company where I work (as I think of it) :)

  • One potential workaround could be to run a Docker container that provides 1Password.com service locally. I am not sure how many people would be interested in that, it would require a bit of technical knowledge.

    I would be strongly interested in that.

  • MikeT, Agile Samurai

    Team Member
    edited August 17

    Hi guys,

    @lumarel

    There is only one more problem, which is... what if the cloud service does not work anymore? Because of internet outages, expired certificates, or some other thing I can't think of right now (in case the local cache is not up to date ^^).

    You will never be locked out of your 1Password data (with the tiny exception of Documents, mentioned below, for the moment; it will be better in the future).

    You'd have the same issue with standalone vaults that you're syncing via third-party services like Dropbox. Regardless of self-hosted, hosted, standalone or any form of 1Password, 1Password is never in a position where your 1Password data is decrypted outside of your device, which means the majority of the data has to be downloaded first in an encrypted fashion on your drive. You can be fully offline and it still works just fine.

    The only limitation is documents, since they are downloaded on demand (to save on the initial sync time), and it is something we'll improve in the future to allow you to automatically download all documents at once, to ensure you'll have access to all data on your device regardless of what happens to 1Password.

    With the opvault vaults I always have multiple ways to recover my data; even if Windows (or the Windows application) is broken, it is "kind of easy" to decipher the vault with a self-written (or open-source and trustworthy) script.

    The same is true with your 1Password account. You can write your own script or study our 1Password command line tool to decrypt the local database on your drive. On Linux, go to your ~/.config/1Password directory to find the sqlite file for your 1Password database, just as for the Windows app it is %LOCALAPPDATA%\1Password\data.

    It is also snapshot-able to the hell, as it can be put on any filesystem which supports that. There is never the possibility to lose any of the data.

    Same with that 1Password database file. We just don't recommend backing up that directory as long as you still have access to your 1Password account remotely, so that 1Password doesn't conflict with syncing; let 1Password handle the source of truth. Only restore it as a very last resort.

  • Thank you @MikeT for this quite distinct answer!

    You'd have the same issue with standalone vaults that you're syncing via third party services like Dropbox.

    Yes, this is correct. Self-hosted is a different story :)

    Regardless of self-hosted, hosted, standalone or any form of 1Password, 1Password is never in a position where your 1Password data is decrypted outside of your device [...]

    Some weeks ago I had a really detailed discussion about the whole "what AgileBits knows about my vault" topic, and I'm completely sure that there is absolutely no way that somebody else, who doesn't have the master password (as well as the secret key or a device with an established connection), could access the data.
    There is just some data which some people don't want to give out of their hands / out of their own infrastructure :(

    I totally forgot about the caching model for documents, thank you for reminding me about that!

    You can write your own script or study our 1Password command line tool to decrypt the local database on your drive.

    And thanks for that suggestion,
    I haven't tried to decrypt the SQLite database file up to now, will have to give that a shot :+1::chuffed: (the last time I tried to decrypt a SQLite database I somehow immediately ran against a wall, but I didn't have a valid key there)
    Do I understand this correctly that the command line tool also uses the exact same database? (And does it understand all of them, even if there is a schema change, as the Windows version had one recently?) That would make it the always-rescuing, dependency-less Swiss army knife :fearful:

    Same with that 1Password database file. We just don't recommend backing up that directory as long as you still have access to your 1Password account remotely, so that 1Password doesn't conflict with syncing; let 1Password handle the source of truth. Only restore it as a very last resort.

    You're definitely right, it should always only be the last solution.
    E.g. in case you deleted an item, noticed a month later that you still need it, and yeah... already emptied the waste bin :unamused:
    That's the case where a last solution would be needed :chuffed:

  • dteare, Agile Founder

    Team Member

    Just wanted to jump in quick on this point:

    For some weeks already (since I changed to the subscription), I've been searching for a solution to back up my passwords securely, externally (on my own hardware), automatically.

    In the development preview we included an export feature. We've always tried our best to make sure nobody would be locked into 1Password, so export itself is nothing new for 1Password, but this particular one is new and improved and lays the groundwork for us to build further upon in the future.

    The exported data is unencrypted so you'll need to find a way to protect the data once you take it out of 1Password but it might suit your needs. Longer term we plan on having an option to encrypt the exported data using a format that is completely documented and include a reference reader implementation (likely in Rust) that you can use to decrypt the data.

    This is something @jpgoldberg and @ag_Christian have been designing and implementing. They'll be excited to hear you'll be using this feature.

  • On Linux, go to your ~/.config/1Password directory to find the sqlite file for your 1Password database just as for Windows app is %LOCALAPPDATA%\1Password\data.

    Are there plans to document that file, like its .opvault friend? I thought I recalled seeing opdata01 serialized inside the file from back when 1P.com first came out, but the file from a few minutes ago has about 4 JSON encoding layers before reaching a structure with keys like ["cty", "kid", "enc", "iv", "data"].

  • Longer term we plan on having an option to encrypt the exported data using a format that is completely documented and include a reference reader implementation (likely in Rust) that you can use to decrypt the data.

    Merely for your consideration, if you were to choose your own opvault format for the encrypted export, that would do 3 awesome things:

    1. use a format that you already know, has presumably already been security vetted, and is currently documented well enough that people on the Internet can code up a reader for it
    2. if you do end up making a Rust reader for it, which would presumably be open source, that would be two independent open source readers for the opvault format -- the more reader implementations, the more likely spec bugs will be found
    3. it would enable a small, but probably non-zero, percentage of your audience to go back to the standalone version of 1Password without having to completely leave the 1Password ecosystem

  • MikeT, Agile Samurai

    Team Member

    @mdaniel,

    Are there plans to document that file, like its .opvault friend?

    Not the database file that I mentioned, but rather a new format that's based on what we're doing with the new export format that Dave just mentioned. There is a reason why, but first, the plan is to fully document the new export format along with a reader you can use, like Dave just said.

    The reason is that our application database contains device settings and other non-user stuff that doesn't need to be in the exported data, especially since they may contain application-version-specific database schemas that may not be backward/forward compatible. In other words, you shouldn't worry about which version of 1Password app to use with a specific snapshot of the database and we're doing that with the new export format and its own tool to read the data regardless of when it was created.

    if you were to choose your own opvault format for the encrypted export, that would do 3 awesome things:

    Yes, that is mostly the plan but this will be its own export format that'll evolve with its own tool that folks can use outside of 1Password. We're not saying it will be anything like OPVault but as you own the data, you can do whatever you wish with it.

  • Thank you for this deeper insight into the future development, @dteare
    Also thank you @MikeT that you are (maybe once again) going through such a heated discussion ^^

    [...] Longer term we plan on having an option to encrypt the exported data using a format that is completely documented and include a reference reader implementation (likely in Rust) that you can use to decrypt the data.

    I kind of think this is the solution I was searching for the whole time :chuffed:

    Of course this will take its time until we will be able to use it, but if the design is secure and as usable as you say, it will definitely be worth it :+1:

  • MikeT, Agile Samurai

    Team Member

    @lumarel,

    Also thank you @MikeT that you are (maybe once again) going through such a heated discussion ^^

    All I see is passion from everyone to help improve 1Password. :smile:

    Of course this will take its time until we will be able to use it, but if the design is secure and as usable as you say, it will definitely be worth it :+1:

    :+1: Yep. We've got a lot of things going on, and this 1Password for Linux is just the beginning; it is a piece of a big picture. It's going to be a wild ride. :smile:

  • I just switched to using Ubuntu. I was hoping for offline, local vaults too. But as per this thread, no :(

    I do have a workaround: use a virtual machine.

    Download VMware Workstation (free for non-commercial use).

    Install Windows. And then install VMware Tools so you can copy and paste between the host (Linux) and guest (Windows) machine.

    I use Syncthing to sync the 1Password vault between the host and guest machine.

    PS: this solution may sound overkill but I do need to use other Windows software as well ;)

  • MikeT, Agile Samurai

    Team Member
    edited August 27

    Hey @Tran,

    No such thing as overkill when it does exactly what you need.

    By the way, you don't have to use VMWare Workstation, most Linux distros usually come with KVM built-in. You can use Virtual Machine Manager or a simpler version, Gnome Boxes. I recommend the former as it gives you more options.

    I bring this up since VMWare uses kernel modules, meaning that you have to wait for them to compile a new version for each new kernel version and you don't have to with KVM.

    Also, you could share a common folder between the host / VM instead of using a sync tool.

  • One potential workaround could be to run a Docker container that provides 1Password.com service locally. I am not sure how many people would be interested in that, it would require a bit of technical knowledge.

    That would be interesting. One of my customers has a requirement for a self-hosted password store with synced copies on laptops (it's an ISP, so access to the passwords must be available during a network outage :) )

  • dteare, Agile Founder

    Team Member

    @steffann: please keep in mind that 1Password caches your items locally, so you always have access to your data. We primarily did this for performance reasons, but improved availability was a nice benefit, too. 🙂

  • I know. On-site server and client cache are two separate requirements :)

  • Ben, AWS Team

    Team Member

    Understood. :) I think Dave was just making sure you were aware that this part is already baked in:

    so access to the passwords must be available during a network outage

    We'll absolutely be taking another look at how we might address the other needs here. :+1:

    Ben

  • I'll say it again... Offline vaults.

    I'll happily pay you more money for a new licence if you give me offline vaults.

  • Ben, AWS Team

    Team Member

    Hey @Deadpan

    1Password's vaults are already available offline. You can test this by unlocking 1Password while disconnected from the Internet. :) If you mean entirely offline vaults, e.g. ones which are not synced at all, would you mind sharing what your use case for such vaults would be / what your concern with the current model is? Thanks!

    Ben

  • More than anything, it's the combination of subscription model and not being able to store the vault in a location of my choosing. I'm sure your storage system is quite secure, but I'm also sure mine is equally as secure, if not more so.

    While I know you have our best interests at heart, if someone came in and offered you $xxxxxxx for your company, at the end of the day there's nothing to stop you/the company you sell to from withdrawing/changing the service, making software updates that remove local functionality, locking users in and raising prices, etc.

    Like I said, I know you wouldn't act that way, because I've been a customer of yours since early versions of 1pass v4. I've also recommended you to others in both family, friends, and business (I also work for an ISP/communications carrier/managed services company).

    But the fact is, no company is immune to risks like I've mentioned. There could be any number of reasons why you may stop operating, and I'll openly admit that you have a great product (it's why I use it).

    My opinion: work out how much lost income you think you'd have if you didn't lock me into a subscription, and tell me that number. I'll pay it for local vaults.

  • Ben, AWS Team

    Team Member
    edited August 31

    Thanks for elaborating, @Deadpan. I think there are perhaps a couple of separate concerns there, but would it be fair to say that the biggest one is the fear we could be bought out / go out of business / charge prices that are unsustainable for you? I'd be happy to help address that. There are a few points that I would make:

    1. If that were to happen, the concern wouldn't be all that different regardless of where the data is stored. Software like 1Password isn't a one-and-done, write once and forget about it kind of product. It requires constant attention from a development team to keep it going. Even under the model of licenses & standalone vaults, everything else surrounding 1Password is going to continue to evolve... notably your operating system and web browsers. Without updates to 1Password it wouldn't be incredibly long before it would be impractical (if not impossible) to continue using it. As a recent example: Safari 13 was released after 1Password 6 development was discontinued, bringing with it an entirely changed extension system. The extension that was built for use with 1Password 6 doesn't work with it. If we were to find ourselves in one of the situations outlined, you would want to export and move to another solution rather than limp along on an old version of 1Password. And we give you that ability.
    2. Largely because of the above, we feel it is incredibly important to give people options to export their data into plain text, such that no one is ever 'locked in.' Additionally our data format is open, so that even if somehow every copy of 1Password suddenly stopped working, tools could easily be written to do this. In fact, while we don't recommend their use (because we recommend never putting your Master Password into any tool other than 1Password), such tools do exist. We also have a command line tool which can help make getting data out of 1Password even easier.
    3. 1Password is a long standing company with the founders continuing to be heavily involved in the day-to-day many years into it. Dave, who posted just above is one of the founders, and he is actively involved in the development of 1Password for Linux. The same is true for Roustem, who also participated in this thread. With bringing on Accel as a partner there was a lot of speculation from outsiders that Dave and Roustem would be retiring or taking a less active role, but they're still here, and they're still helping steer the ship.

    A couple of resources that may be helpful while considering this:

    My opinion: work out how much lost income you think you'd have if you didn't lock me into a subscription, and tell me that number. I'll pay it for local vaults.

    The subscription model is what is providing a sustainable business model for us now and going forward, so I don't imagine we'd be in a position to offer a non-subscription arrangement for 1Password for Linux in the foreseeable future. There are likely valid use cases for a "local vault" of sorts, and as such we'll continue evaluating how we might best address that. But 'standalone vaults' and licenses, as they were, are not likely to be a viable solution here.

    Ben
