Sync & share with database in a network filesystem

Hi 1password team!

Is it possible to use 1password without a cloud sharing software (like dropbox or iCloud) without losing the possibilities of sharing and synching passwords with other users? For example, with a shared network folder.

Furthermore, I do not want any data to be sent to any server. It should just be handled locally.

Comments

  • edited December 2014

    The Mac version can use folder sync to a network share. The Windows version can directly open the vault on the network share (although this isn't recommended for some reason). You should probably give more detail on the setup you have in terms of devices and platforms.

  • We do have both: Mac OS clients and Windows clients. We need a cross-OS solution with multi user management which does not store data in the web.

  • with multi user management

    what do you mean by that?

  • I need to share some passwords with other members of the team. In the best case, each user is able to manage his own passwords and to publish some of the passwords to other users. The shared password should be kept in sync, regardless of which user edits it.
    As far as possible, all the password data should be just saved in files in the shared file system and be somehow distributed.

  • Megan

    Team Member

    Hi @thomas_cb,

    Thanks so much for clarifying your needs here!

    In the best case, each user is able to manage his own passwords and to publish some of the passwords to other users.

    To share some passwords while keeping others private, you'll want to take advantage of 1Password's multiple vault feature. It is important to note that vaults are handled differently on Mac and Windows systems.

    On Mac

    A user has a primary vault, and can create as many secondary vaults as they wish. These secondary vaults can be shared with others (this is usually done using Dropbox, but can be done using Folder Sync as well.) When a user unlocks their primary vault, they will have access to all secondary vaults as well. For this reason, we recommend that users share secondary vaults, and not their primary.

    On Windows

    Users can use File > Open Datafile to open a separate vault. Each vault will be unlocked with its own Master Password. Again, this allows users to create a separate vault with their personal information that is separate from the shared work information. The method of accessing the data is just less integrated.

    As far as possible, all the password data should be just saved in files in the shared file system and be somehow distributed.

    Using Folder Sync on Mac you can sync a 1Password vault via an internal network. However, we do recommend storing the folder locally on the computer and using a sync solution to copy it to the network drive. We suggest this instead of storing the folder directly on the network drive because 1Password expects this folder to be available at all times. If the network folder is not available when 1Password opens, you will see a sync error.

    I hope this helps, but we're here if you have any further questions or concerns! :)

  • ok, so each user would need two vaults. One for their own logins and then a shared one. They would switch between them.

    The personal logins vault can stay entirely local. Probably best to store it in their roaming profile as you get the benefits of cross network syncing without the network traffic overhead from storing it in a network share. The exception is if, at any given time, a user needs to access their vault from more than one device. In that case a network share is the only way to go.

    The shared vault would need to be in a network share to support concurrent usage.

    There are issues with running multiple 1Password for Windows apps from a single shared vault relating to concurrency (locking, simultaneous edits, etc) that result from Windows not dealing with conflict management well. The Mac versions don't have this issue as they run local databases and then sync to the vault on the network share. Windows doesn't support this: https://discussions.agilebits.com/discussion/32351/folder-based-syncing-on-windows

    Note that if you need Android support then currently the Android version doesn't support multiple vaults at all, although I believe that this is coming soon-ish. As usual Agilebits haven't said so directly, but they've dropped hints.

    Overall though, using Dropbox would be far simpler. This has conflict management built in. I know you didn't want to use public cloud services, but really, the encryption that 1Password uses means that you could effectively leave the vault on a USB stick in a public library and there would be little risk of its contents being revealed.

  • thomas_cb
    edited December 2014

    Thank you both for your answers. I have some questions about the workflow:

    Let's have two projects and some access privileges:

    PROJECT1: Admin, User1OnWindows, User2OnMac

    PROJECT2: Admin, User1OnWindows, User3

    Tasks for Admin:
    As far as I understood, Admin now has to create some secondary vaults. If admin works on a Mac, he himself will immediately have access to all secondary vaults. If he works with Windows, he has to open each secondary vault one by one. Does he even have to enter another password for each secondary vault?

    Tasks for User2OnMac:
    The user just opens his primary vault. The secondary vaults are opened automatically because he is a lucky Mac user.

    Task for User1OnWindows:
    The user opens his primary vault and has to open each secondary vault one by one; each with another password.

    Now, how do User1 and User2 open the secondary vault for PROJECT1? Do I have to give the vault a password and distribute the same password to all users who should have access to it by myself? In this case User1 and User2 would get the same vault password. If one of them quits the team, I would have to set a new vault password and distribute it once again to all users.

  • Megan

    Team Member

    Hi @thomas_cb,

    Multiple vaults can be a bit confusing, I'll do what I can to clear things up here.

    Admin now has to create some secondary vaults.

    Since 1Password is still largely a consumer product, we don't have any distinction built in for admins vs. users, so anyone can create and share a vault.

    If admin works on a Mac, he himself will immediately have access to all secondary vaults. If he works with Windows, he has to open each secondary vault one by one. Does he even have to enter another password for each secondary vault?

    You're correct. Unlocking 1Password for Mac will unlock the primary and all secondary vaults. 1Password for Windows will be unlocked to a specific vault/datafile. The Master Password for each vault will be required when switching between vaults.

    Tasks for User2OnMac: The user just opens his primary vault. The secondary vaults are opened automatically because he is a lucky Mac user.

    Task for User1OnWindows: The user opens his primary vault and has to open each secondary vault one by one; each with another password.

    You're correct. Personally, I agree with you - I really like the way 1Password for Mac handles multiple vaults, but there are users who prefer the current Windows approach.

    Now, how do User1 and User2 open the secondary vault for PROJECT1? Do I have to give the vault a password and distribute the same password to all users who should have access to it by myself? In this case User1 and User2 would get the same vault password. If one of them quits the team, I would have to set a new vault password and distribute it once again to all users.

    There are instructions for sharing a non-primary vault in our knowledgebase. These instructions do deal specifically with Dropbox, but they will work with Folder sync as well. The important thing is to sync your secondary vault to a folder so that a 'vault name'.agilekeychain file is created inside. Then that folder, with the keychain inside will need to get synced to your network drive so that User1 and User2 can access it.

    You will need to share the vault's password with them. Our knowledgebase also contains a handy article about Revoking access to a shared vault which you might find useful.

    Please let me know if you have any further questions. :)

  • You're correct. Personally, I agree with you - I really like the way 1Password for Mac handles multiple vaults, but there are users who prefer the current Windows approach.

    Are there? I thought it was just @svondutch! :stuck_out_tongue:

  • Thank you for the information.

    Do you plan to bring the way the Mac handles multiple vaults to the Windows client as well?

  • Megan

    Team Member

    Hi @RichardPayne,

    There really are - I know, surprised me a bit too! :)

    Hi @thomas_cb,

    We do strive for consistency with 1Password wherever possible, as it makes things so much simpler for users who want 1Password across multiple platforms. In this case, however, changing the way vaults are handled on Windows would require a complete re-write of the app's internal architecture ... which is no simple matter. So, while it may be on our list, it's not something that we'll be able to implement any time soon.

    For the time being, we'll just have to cope with slightly different workflows on 1Password for Mac and 1Password for Windows.

    I hope this helps!

  • changing the way vaults are handled on Windows would require a complete re-write of the app's internal architecture ... which is no simple matter.

    That would tend to imply that you have not abstracted out the DAL. If this is the case then this is really something that should be done for v5. It would make transitioning to new vault formats a lot easier too.

  • Megan

    Team Member

    Hi @RichardPayne,

    I'm sure I've said it before, but I feel the need to say it again: I'm certainly not a developer. My understanding of the intricacies of coding is minimal at best.

    The primary difference in the way that Mac and Windows manage files is that 1Password 4 (and 5) for Mac have an internal .sqlite database that holds all of the users' vaults, and copies of the appropriate vault are made in the sync location when sync is set up. On 1Password 4 for Windows, the database is the keychain file, and 1Password reads and writes directly to that file. In order to have the same multiple vault experience on Windows that we have on Mac, we have to implement that internal database and a whole different way of handling sync.

    That's a really basic outline of things, but it's pretty much all I understand. :) I hope this helps!

  • @Megan, I know you're not a developer but plenty of your developers frequent this forum.

  • Megan

    Team Member

    Hi @RichardPayne

    I'll let the developers know you're keen for a bit more information on this then.

This discussion has been closed.