Shared vault

Plato
Community Member

I have an iMac and a MacBook. Each machine has two users - me and my wife. We have our own separate iCloud IDs. My master vault is shared between the two devices via my iCloud ID for my login only. I want to share a subset of that vault with her. Secondarily, I want her to have the ability to add logins that I will not see. Can this be done and, if so, how?

Comments

  • littlebobbytables
    1Password Alumni

    Hi @Plato

    This is exactly what they had in mind for when they came up with secondary vaults so you're good. What you might want to do though is move to using Dropbox for syncing your primary vault as you will need to use Dropbox for syncing your secondary vault - iCloud only supports syncing the primary (sorry).

    I'm going to assume you also want your wife's private primary vault to sync between the two computers so here's what I suggest.

    If she doesn't already, have your wife create her own primary vault in her account and again, if she doesn't already, have her create a Dropbox account for herself. You can even set up her primary to sync between your two machines as well as yours just now. Here's a guide for syncing via Dropbox.

    So at this point you should each have your own vaults syncing between the two machines.

    Now on your system you will want to create a secondary vault which you can do via 1Password > New Vault.... You may want to record your secondary vault password in your primary vault as you won't be asked it very often. I know I forgot my password by the time I first needed it haha.

    Now you can select as few or as many items in your current vault and if you right click on the selection you can copy or move them to your secondary vault via Share > name of secondary vault > Copy/Move (depending on which task you wish to do).

    With your secondary vault populated with the items you wish to share what you need to do now is sync your secondary vault, share it with your wife's Dropbox account and then add it to hers. We have a guide for sharing a secondary vault that details all of those steps.

    Once you've followed all of those steps you should be in a state where both you and your wife have a primary vault that you aren't sharing, and a secondary vault that you are. You can also add other machines as you please.

    Now if I've skimped at all in any of the details or you're unsure of something then post back here and we'll do our best to clarify :smile:

  • Plato
    Community Member

    Thanks but I'm not anxious to use Dropbox. I'm already bumping up against the limits of free Dropbox.

    In my case, it's no big deal to copy a file to a jump drive from my login and then to log on as my wife and copy the file to her system. Will that work?

  • Hi @Plato,

    Yea that should work. You could either export individual items or sync your secondary vault to an agilekeychain on the removable drive, then sync against that agilekeychain on the other Mac.

    Rick

  • Plato
    Community Member

    Rick...

    Thanks. Sounds real easy. Should I create primary and secondary vaults on her machine first? Also, it sounds like her primary vault can contain items that I don't want on my machine. Correct?

    What about Master Password? Should we use the same one (which might even be preferable to us)?

  • Megan
    1Password Alumni

    Hi @Plato,

    Also, it sounds like her primary vault can contain items that I don't want on my machine. Correct?

    Ideally, your primary vault contains your personal data, and is never shared. Secondary vaults were created to allow you to share parts of your database, while keeping your personal data tucked safely inside that primary vault, just for you. :)

    What about Master Password? Should we use the same one (which might even be preferable to us)?

    You and your wife should create your own separate and secure Master Password for your individual primary vaults. Our security guru has written an excellent post on how to create a strong and unique Master Password that is easy to remember: Towards Better Master Passwords.

    Your secondary vault should have a unique password as well, but the encryption keys for this vault will be stored in the primary vault, so unlocking your primary vault will also unlock the secondary vault (this is done so you don't have to remember multiple passwords.)

    Should I create primary and secondary vaults on her machine first?

    Here's how I would suggest getting things set up:

    • On your wife's computer, set up 1Password as a new user, with a new vault and her unique Master Password.
    • On either computer, use 1Password > New Vault menu item and create a secondary vault (feel free to customize the details of the vault icon here - change the colour or add an image so that you can easily differentiate between it and the primary in the vault switcher menu)
    • You can easily move data from the primary vault into the secondary vault using the Item > Share menu
    • Use Folder Sync to save the secondary vault's data to a memorable location.
    • Copy this 'vault name'.agilekeychain file onto a jump drive
    • Store the 'vault name'.agilekeychain in a memorable location on the second computer
    • Double-click on the file to open it in 1Password.
    • 1Password will prompt you for the Master Password of the vault - again, you will have the opportunity here to customize the vault details, such as icon colour.

    Keep in mind that you will need to manually update this keychain file whenever data is changed. If you do decide to go with Dropbox for some handy automatic syncing of that secondary vault, here are the instructions that you'll need: share a non-primary vault.

    I hope this helps, but we're here if you have any further questions or concerns! :)

  • littlebobbytables
    1Password Alumni

    @Plato

    I read your response earlier but I needed to explore a few things before I could reply.

    How adventurous are you feeling and how comfortable are you with OS X?

    I've been reading and breaking stuff. I've found two ways to store an agilekeychain such that users on the same computer follow some setup instructions once and then (in theory) don't have to do anything again. So it's kind of like Dropbox but it doesn't use Dropbox - the secondary vault keychain doesn't leave your computer.

    Of the two approaches I've found so far, one seems a little more elegant than the other but I don't think it would work if you're copying the keychain backwards and forwards between the two computers. The other one I've thought of is designed for a situation more for your case, to share a vault between two users on two computers using a pen drive (aka sneakernet).

    I can put a bunch of steps together if you wish, just let me know.

    I was originally going to suggest simply storing the secondary vault in /Users/Shared/ but the problem is making sure the contents of the keychain package (it's actually a folder with lots of files) maintain read/write access for both users. Both approaches I've come up with handle this.

    Even if you don't feel up for such a thing it was an interesting brain exercise, cheers :smile:

  • Plato
    Community Member

    Megan...
    That's what I'm looking for. Thanks.

    Bobby...
    I'm geeky enough to do it but, honestly, Megan's solution is fine for me. It has the added benefit of simplicity - less to go wrong!

  • littlebobbytables
    1Password Alumni

    @Plato As long as we've found a solution that works for you :smile:

  • PearFreezing
    Community Member

    @littlebobbytables

    I'm having trouble sharing a single agilekeychain file between two users on the same Mac using folder sharing. I'd love to see your solution to this!

    What I did:

    1. User A created a secondary vault and used folder sharing to share it as /Users/Shared/foo.agilekeychain.

    2. User B double-clicked foo.agilekeychain to add it as a secondary vault.

    3. I edited the permissions of the package foo.agilekeychain to give read/write access to User B.

    4. User A added a secure note to the shared vault, and User B could see this new note.

    5. User B added a secure note to the shared vault but User A could not see this note.

    I believe I'm having permission issues -- when I looked at the contents of the foo.agilekeychain package, I saw that the files inside the package were only read/write for User A.

    What I'm trying next

    Next, I'll make all of foo.agilekeychain's contents read/write for User B as well. But this is only a good solution if the foo.agilekeychain package never gets any new files added to it. Not sure if this is how it works or not.

  • littlebobbytables
    1Password Alumni

    Hi @PearFreezing

    You've fallen foul of the very understandable (I made the exact same mistakes with my assumptions) misconceptions of how the Shared folder worked. Personally I think Apple missed a trick with the default permission settings on the Shared folder.

    I'm going to message you directly here on the forums regarding this.
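
PearFreezing's concern above, that a one-time permission fix stops holding as soon as the package gains a new file, can be checked directly. The script below is an added example, not from the thread or from 1Password; it assumes the two users share access through the group write bit, and the package contents are constructed stand-ins.

```shell
#!/bin/sh
# Audit a shared *.agilekeychain package (a directory) for entries that only
# one user can write. Assumption: sharing relies on the group write bit.

# Entries only their owner can write: the other user's changes cannot be saved.
owner_only() {
    find "$1" ! -type l ! -perm -020 ! -perm -002 -print
}

# Entries any local account can write: wider than two-user sharing requires.
world_writable() {
    find "$1" ! -type l -perm -002 -print
}

# Reproduce the failure on a constructed package in a temp directory:
# fix the existing contents once, then let "User A" add a file under the
# common default umask of 022. Prints the package path.
reproduce() {
    pkg=$(mktemp -d)/foo.agilekeychain
    (
        umask 022
        mkdir -p "$pkg/data/default"
        echo '{}' > "$pkg/data/default/item1.1password"   # constructed item
        chmod -R g+w "$pkg"                                # one-time fix
        echo '{}' > "$pkg/data/default/item2.1password"   # added afterwards
    )
    echo "$pkg"
}

pkg=$(reproduce)
echo "Owner-only entries after the one-time fix:"
owner_only "$pkg"
echo "World-writable entries:"
world_writable "$pkg"
```

Pointing `owner_only` at the real shared package after each user has saved an item lists every entry that is writable by its owner alone.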

This discussion has been closed.