Switching to the new Cloud keychain format

I just upgraded my 1Password 3 to version 4 because I want the new Cloud keychain format for increased security. However I cannot find any way to convert my existing password database's format to the new Cloud keychain format. How do I perform the conversion?

«1

Comments

  • MikeTMikeT Agile Samurai

    Team Member

    Hi @FooBarWidget,

    1Password 4 automatically imports your data into a secure internal format with all the latest security improvements. When you turn on either iCloud and Wi-Fi sync, it'll export the new cloud keychain format that'll use the same security improvements. Basically, 1Password 4 deals with your data separately in two contexts, one format internally for the app/mini and a different format for each sync method.

    Right now, the Dropbox and Folder sync both uses the older format in order to remain compatible with the rest of the platforms. Once we release 1Password 4 for those platforms, we'll phase out the older format and use the new format everywhere for all sync methods. It's one of our top priorities to complete as soon as humanly possible.

  • I'm sure I read something in the forum a while back that said that older Agile Keychains couldn't be upgraded when the number of PBKDF2 iterations was increased from 1000 to 10000 last year, as only newly created Keychains could benefit from that?

    Does the same principle not apply to this new format? i.e. only newly created Keychains will be Cloud Keychains with all the benefits?

    Or does 1P v4 actually convert imported v3 Agile Keychains into v4 Cloud Keychains with all the improvements?

  • MikeTMikeT Agile Samurai

    Team Member

    Hi @Tezcatlipoca,

    I think the confusion is that 1Password can't automatically increase the PBKDF2 count for existing data files, which we improved in a future update to automatically increase to 10K min for existing data files as long you rebuild your data file and/or change your master password. It certainly can be upgraded, it just requires a human intervention.

    In 1Password 4, we calibrate the PBKDF2 against your Mac. On my Mac, it uses 348K PBKDF2 count for others it might be different but never less than 10K. We use a different calibration spec for the cloud keychain format, since 350K would be too much on other systems/devices, again never less than 10K.

    Just to be clear: when you open your data file with 1Password, it automatically pulls the data from there into its own internal file (OnePassword.sqlite), and that uses all the latest security improvements, AES-256, HMAC-SHA-256 authentication, etc and so on.

    It is when you turn on the sync, 1Password will then export and sync the cloud keychain formats into the respective sync folders/containers. For an example: .agilekeychain in Dropbox folder, com.agilebits.1Password4 container in the ~/Library/Mobile Documents folder and so on.

    Or does 1P v4 actually convert imported v3 Agile Keychains into v4 Cloud Keychains with all the improvements?

    It copies the data from the agilekeychain file into its internal database and then it'll sync with that data file in the Dropbox folder. In future updates when we are getting rid of the older agilekeychain format, it'll easily replace the agilekeychain file with the newer opvault format by copying over from its internal database.

  • Thanks for the explanation :)

    So, my 1P v3 Agile Keychain will now definitely be a v4 Cloud Keychain with all the improvements? Great! :)

    [I'm not worried about Dropbox/iCloud - I don't use those and am waiting for the iOS app to get WiFi syncing.]

    Re. the update for the PBKDF2 manual increase via a rebuild or a master password change... Any idea on when that may be?

  • MikeTMikeT Agile Samurai

    Team Member

    Hi @tezcatlipoca,

    You're welcome.

    the update for the PBKDF2 manual increase via a rebuild or a master password change... Any idea on when that may be?

    It's been available for months already in the 3.8.21 update.

  • Ah, right... You said "future update".

    I can't see an option to "rebuild" in 1P v4, though. I don't really want to have to change my Master Password.

  • Could I change my Master Password purely to force 1P v4 to increase the PBKDF2 iterations on my existing Cloud Keychain, and then change it back to my current Master Password, or will it not allow re-use?

  • roustemroustem AgileBits Founder

    Team Member

    If you are using 1Password 4 then both internal database and the iCloud data will have the calibrated number of PBKDF2 iterations.

    On your Mac you will see the number of iterations in the ~/Library/Mobile Documents/2BUA8C4S2C~com~agilebits~onepassword/onepassword_data/default/profile.js file. Simply open it in any text editor and search for 'iterations'. You will see something like this:

  • Thanks, but as I mentioned earlier I am not using iCloud (I'm waiting for WiFi sync to be restored to v4 for iOS, after v4 for OS X broke USB sync...).

  • edited October 2013

    @MikeT said

    Right now, the Dropbox and Folder sync both uses the older format in order to remain
    compatible with the rest of the platforms. Once we release 1Password 4 for those
    platforms, we'll phase out the older format and use the new format everywhere for all
    sync methods. It's one of our top priorities to complete as soon as humanly possible.

    I run 1Password 4 on my iPhone, 1Password 4 on my Mountain Lion desktop, 1Password 3 on my Snow Leopard desktop (2006 hardware). I use Dropbox to sync across these platforms.

    Does this mean at some point that my Snow Leopard desktop running 1Password 3 will stop working?

  • MeganMegan

    Team Member

    Hi @AndrewParker,

    Does this mean at some point that my Snow Leopard desktop running 1Password 3 will stop working?

    I'm not quite sure what will happen once all platforms have been updated to use the new cloud keychain, but please note that the wording is "phase out" and not "cut off immediately". We try to provide as much legacy support as possible for customers on older operating systems.

  • Can anyone answer my question please?

  • edited October 2013

    < tumbleweed >

  • revenkyterevenkyte
    edited October 2013

    you rebuild your data file and/or change your master password.

    Are there software / data corruption prevention systems within 1Password, out of curiosity?

  • edited October 2013

    This is getting rather tedious... What happened to Agile's previously excellent CS?

    Are my posts deliberately being ignored?

    @MikeT @roustem

  • MeganMegan

    Team Member

    @revenkyte,

    1Password performs regular backups of your data to prevent against data corruption or loss. We also offer Dropbox and iCloud sync options so that you can store a copy of your data in the cloud to protect against any hardware crashes.

    @Tezcatlipoca,

    Unfortunately, we have given you the answer that we can for the moment. Wi-Fi sync is coming soon for iOS. You are welcome to join the beta program to help us test it if you want access to it right now. As soon as we can tell you more, we certainly will :)

  • Thanks @Megan, but that is not the question I am asking in this thread...

  • MeganMegan

    Team Member

    Oops, I'm so sorry, @Tezcatlipoca I must have misread the thread.

    1Password does not prevent re-use of Master Passwords, so if you wanted to change your password, and then change it back again, you can.

    Again, my apologies for missing that question!

  • Thanks :)

    So this would definitely increase the PBKDF2 iterations, if I changed my master password and then changed it back again?

    Also, does v4 for OS X not have a "rebuild" option like v3?

  • And another question, in addition to the above: Is there a way of seeing the number of iterations as @roustem mentioned earlier if you don't use Dropbox?

  • MikeTMikeT Agile Samurai

    Team Member

    Hi @tezcatlipoca,

    This is getting rather tedious... What happened to Agile's previously excellent CS? Are my posts deliberately being ignored?

    No, I do apologize but because of the recent release of 1Password 4, we're simply seeing a huge unprecedented of inquiries (tens of thousands of emails and still coming in) and we're behind in responding to everybody. We're doing our best to respond to everybody as fast as humanly possible while also working on updates to be released soon.

    Could I change my Master Password purely to force 1P v4 to increase the PBKDF2 iterations on my existing Cloud Keychain, and then change it back to my current Master Password, or will it not allow re-use?

    No, you don't have to do that because your 1Password 4 is already calibrated to use the highest PBKDF2 possible for the internal data file. If you're not syncing anywhere, you don't have to do anything because you don't have any separate sync files. The moment you turn on a new sync for a vault, 1Password 4 will automatically create a separate sync file and use a different calibration that's fit for syncing, so that your mobile devices and other computers don't have the issue of unlocking for a long time if your Mac is very powerful.

    Changing the master password is not needed (but you can do it) in 1Password 4, it's just smarter about using the higher iterations. It's only needed in the older 1Password 3 version.

    Also, does v4 for OS X not have a "rebuild" option like v3?

    Nope, it is not needed at the moment. It's using a better data structure that 1Password 3 didn't have back in 2009.

    Is there a way of seeing the number of iterations as @roustem mentioned earlier if you don't use Dropbox?

    Yes, but it is a bit of a hassle. What you can do is download our diagnostic tool, unzip, open it, and press Create Report.

    When you see the blue icon show up, click on it to open in Finder, and open the folder. If you don't see any folder, unzip the zip file there and it'll create a folder. Go in there and open 1Password4.html. Now, on top, go to 1Password tab > \<MAS/Website> Details depending on where you bought 1Password from.

    From there, you can see a table of your vaults and on the right side, there is a column of the iterations:

  • MikeTMikeT Agile Samurai

    Team Member

    Hi @Tezcatlipoca, you're welcome!

  • edited December 2013

    I just read though this thread, but I'm still confused. How do i convert my ".agilekeychain" to the new ".opvault" format?

    I'm on full 1P4 in iOS & OS X. Primarily using Dropbox.

    • iOS is using dual sync iCloud & Dropbox.
    • OSX is dropbox only.
    • Dropbox is located on an external drive on 1 of my Macs; not my system drive. My system drive is simply not large enough for my Dropbox account.

    By my understanding, this conversion should already have happened with iCloud sync enabled. But huh? I'm still using the old format somehow. Should I switch from dropbox to iCloud only? Is iCloud finally reliable enough?

    EDIT : I don't think i can switch to iCloud only, since I have work (OS X) computers with my work iCloud account installed, but my Dropbox account as well; for my 1P keychain. My iP is on my personal iCloud.

  • MeganMegan

    Team Member

    Hi @RyanPoirier,

    I apologize for the confusion here, and I'll do my best to clear things up for you. iCloud sync does make use of the new keychain format, but Dropbox has to store your data in the agilekeychain format to be compatible with all of the platforms that use Dropbox to sync. Once 1Password 4 is available on all platforms, the Dropbox keychain will be updated to the cloud keychain format as well.

    By my understanding, this conversion should already have happened with iCloud sync enabled.

    You are correct, the keychain that you have stored in iCloud will be in the new cloud keychain format. The copy of the keychain stored in Dropbox, however, will remain in the current agilekeychain format.

    iOS is using dual sync iCloud & Dropbox.

    I just want to caution you that at this point, we don't recommend enabling multiple sync options at once. When we initially launched 1Password 4 for iOS, we had hoped that this would be an option, but we have seen several users experiencing sync conflicts, and sometimes merged databases that can be messy to clean up. The sync dialogue box will likely be changed in the future to make this a bit more clear to users, but for the time being, we do recommend picking the sync solution that best fits your needs and sticking with just that.

    Please let me know if you have any further questions! :)

  • dsm363dsm363 Junior Member
    edited July 2014

    Thanks for clearing everything up. I saw this was answered somewhere else so sorry for bumping this thread.

This discussion has been closed.