Local File Sync Woes…
Local File Sync Woes…
Thought I would take some of the advice from agilebits and try the Local File Sync between two Macs to keep my 1Password files for two Macs in sync. I use a program called GoodSync for file synchronization, and it is my number one application I live with for backing up my data to local HardDrives, remote cloud storage, and even syncing directories between two Macs. (1Password is my number two application, I could not live with out GoodSync and 1Password…)
So the first thing to watch out for is what is the username you are connecting to the remote Mac with to push you Local File Sync. I tried a couple of manual copy/past of the 1Password “1Password.agilekeychain” file. For some reason in my OS X 10.10 installation my remote file server connections are defaulting to my iCloud user id, so I am connecting from MacA to MacB with the iCloud user permission of the user logged into MacA… call him UserTom. UserTom does have a user account on MacB, but the 1Password user data is under a UserTomHome account on MacB. Previously in OSX 10.9 I was always forced to specify a user when connecting to the file sharing services of MacB. For some iCloud-useraccount-reason MacA defaults to UserTom for connecting to MacB. This is a OS X issue, not a 1Password issue. The problem is that when the file sync occurs between MacA and MacB, the file is written with the permission of UserTom. When you log into MacB as UserTomHome and open 1Password, 1Password cannot read or write to the “1Password.agilekeychain” file as it has ownership permissions assigned to UserTom…. Yes there is a lot you can do to change permission for a directory, but custom permissions for a directory in a user folder can often backfire on you when something in OS X updates or changes. Here the best fix is to always ensure you are logged into MacB from MacA by using the UserTomHome login and the file permission of UserTomHome are transferred to the “1Password.agilekeychain” file as it is synced from MacA to MacB. When you sync the other way from MacB to MacA using GoodSync on MacA the files are pulled to MacA with the permission of UserTom on MacA. So far this is all working……
However using GoodSync to sync 1Password data provided some deeper review of the file structure in the “1Password.agilekeychain” file / folder / package. For one thing I was disappointed to see that the file was open for directory browsing, but this does make incremental file sync much easier to manage (folder to folder or folder to some cloud service). But it was quite the surprise to see a lot of the MetaData in the 1Password records were not encrypted. Yes the user password data in each records appears to be encrypted, but the “1Password.agilekeychain” contains a file called “contents.js” that provides a map of every record with the user defined record name to the unique key of the file that is that user password record. Here this basically provides a blueprint in plan text as to what specific and small file will hold my bank account password, allowing someone to ignore all the other password records to the kids school lunch accounts and passwords.
From contents.js a map to my Bank Account record:
["B4145A8D1B4498B81B23F455334D6A42","wallet.financial.BankAccountUS","AAAA-Bank","",1427625099,"",0,"N"]]
Not Cool!
Does it mean that 1Password is broken or used weak encryption, NO not at all. 1Password could have the worlds best encryption and I would still not want to see my metadata in plain text. It is a foolish approach to leave MetaData in plain text. It allows an attacker direct and specific knowledge of the data structure, and they can then target one small specific file for a brute force decryption attack on one file, rather than on one large block of noise. Should 1Password change their individual record for each password record filesystem, NO as this would break some of the simplicity of the folder syncing or cloud syncing options. However 1Password should consider providing encryption of all the user meta data fields for account type and account name. Furthermore it looks as if each individual entry/item within a record is stored as an individual encrypted blob in the text file. Here to you should be able to look at blob by blob and tell what pice of text is changing and detect the differences between the password filed and the notes field. Again this is too much given away by 1Password to an attacker to help focus their efforts on decrypting the user data. All this is yet another reason why your most sensitive data should not be in the cloud unless you are bulk encrypting the data files before they leave you computer. How is 1Password passing these records to the close, is the metadata in the clear in the cloud?
Here is a sample of an actual bank account record (not my real bank, and some of the data blobs have been altered to protect the innocent):
{“uuid":"B4145A8D1B4498B81B23F455334D6A42","updatedAt":1427625099,"securityLevel":"SL5","contentsHash":"4ab23b17","title":"AAAA-Bank","encrypted":"U2FsdGVkX19aEcBEikxY3XNUoK8vfwBgOsLvJrP2zH0U+JjreiTVVhj7ejKepThbClQz\/huh\/kAbhrqZ55I6MSaBqefxuZHOuc1GBhOD5LX7abI79z0qXbOaYnHwK1\/r6bHg7GdSbblUss6+18VHEvRKrg\/rttm9TMiZnBjaNofUkDdf2apls2+vh+gRBvbdqybSVZ0gyVhJr0niFIzX6BUKU6AgVaeRbJ9ZOrfARZ4XotB\/SED73kI18Lz2V+bDfh2+LKaVlc5mfqVc8wIJo8PFORmGGmmz9vSSd1\/QIQu2IJn7M3KDjW9XlgxBntoAT5n7GhzRrybgwJarT5qzScalR17KZ87zO5YL1HU+mKR1f8x4DPAfgK9TPWLyIkiFIqiadPyz7LGJ61n++gXrcD8ETsEptrmJ6PS5pLGsJ2BxBJshlCTihvr61drIFW3cQDBiJtHc9Fwpta6cBPntcp4MWuZBHs8PQjdOVsNfuq6P3S+Bth\/LGOnl7pWzMjSiyiVJpcNq7juVuB1oUzrEslXZDRRAhu+nEGsU9lF6oXP0g8iTJTx7LnEOYQembeNIi\/j+D1QiqUfUHTXlGpjiqUfQiqUmOo7T2l\/SyDp4VAIm3RGsiDn8T7HXhsiV4m5hY3\/CxY0u7m1TTdElmrWwPDHiTQc6JRysSpCtECF09stJ1xFRFHrbCis5IanN4zlAO\/Njfz\/cfiCw7qag\/pw11fDjGlUeGNseqVEpY1I3BazMBWw8GDz+YZvSvrlj5ZEubpUtUVSVdghO0R\/b68ypq+1j20DxzP\/cuWfsU1IGbW7qvp9bcR0=","createdAt":1427625092,"typeName":"wallet.financial.BankAccountUS"}
May I make a request that all user data, including record name and type, are part of 1Password’s encryption???
Comments
-
You will find a full, detailed explanation for what you see in this security this knowledge base article. Start at the part headed Individual entry contents and make sure you also check the link to security enhancements in OPVault.
Stephen
0 -
Hi @lc3user,
If I've followed your post correctly you do have Folder Sync working at the moment and you just wanted to let others know of your experience there with this particular application and the potential pitfalls. Thank you by the way :smile:
Of course you also wanted to ask us about the .agilkeychain and the contents of this special bundle. I'm going to start by linking you to a couple of security articles that you can review in your own time.
In the Agile Keychain Design there is a paragraph that states:
As you can see, not all the information is encrypted. For example, the title of each entry (“Example Login”) and the location (“https://example.com/account/login”) are open. Having these open allows 1Password to organize your data and display it without suffering the performance hit of needing to decrypt every single item. All the sensitive information is stored in the encrypted section of the file.
So it was a deliberate decision at the time the Agile Keychain was designed. Of course everything changes over time and the reasons for a particular decision back then many not be applicable any more. This has changed in the newer OPVault where everything is encrypted but we haven't yet made it the default format as not all platforms support it yet. You've posted this in the Mac section though so if we know you're using Macs. If the other platforms you want to sync to only include iOS devices and Windows machines though you could try the .opvault format out if you wish. If that is something that interests you please do let us know.
0 -
Well there is certainly some amazing support on the AgileBits discussion boards!!! Thank you to the AgileBits time for catching this thread on a Sunday. The good news is AgileBits is already done with or has available the type of MetaData encryption I was looking for…
However, is OPVault now the default format for the main record of 1Password? I found an article here:
https://guides.agilebits.com/kb/security/en/topic/opvault-designThat list a document on how to switch your files to OPVault, but that link is now dead:
https://guides.agilebits.com/kb/security/en/topic/switching-to-opvaultSo what do I have to do to use OPVault over Agile Keychain?
Does the local sync folder still use Agile Keychain? I assume because the Agile Keychain file structure is what is still used for any outside of main line sync such as DropBox or Local Folder Sync, but OPVault is used for the main record and with iCloud?
I anticipate that Local Sync Folder will continue using Agile Keychain for a while to be replaced at some later date?
Is OPVault used between iOS and Mac 1Password?
0 -
Hi @lc3user,
Good catch on that broken link and thank you for reporting it. I'm sure that article did exist at one point and I think we pulled it because we didn't want people jumping the gun without ensuring they really wanted to transition over as we are still smoothing out a few aspects while we prepare for the change to the .opvault format.
On Macs and iOS devices we actually store the local copy of the vault in an encrypted .sqlite database file. Both the .agilekeychain and .opvault containers are used solely for syncing on these platforms. In 1Password 4 for Windows it writes directly to the .opvault or .agilekeychain, using it as the vault.
If we transition you over to using the .opvault container it would affect future syncing over both Dropbox and Folder Sync. It would't stop you accessing an existing .agilekeychain and to transition you over we would have to disable Folder Sync, make the changes and then when you re-enable it would be using the newer container. It won't affect the .sqlite file, it would just alter the syncing.
As for syncing between iOS and Mac. As you're currently using Folder Sync I assume you use it in conjunction with Wi-Fi Sync for the iOS devices? Your iOS devices wouldn't be affected at all as my understanding is Wi-Fi Sync communicates using encrypted database records rather than via a one of our containers.
As it stands though you are correct, we will continue to use the .agilekeychain for a while longer while we move the final platforms over to the newer container format and once all can communicate with .opvault we'd flip the switch.
If you have any more questions do please ask, once we get to the point where you feel comfortable with what's happening and you're still wanting to shift to the newer format we can help with that :smile:
ref: DOCS-456
0 -
I think I need to hold until the Agile team gets the OPVault system ready for prime time? I am very interested to see how OPVault works, how the transition will work, and then how the local folder sync will work with OPVault. For now I probably need to hold off. I am sticking to local wifi or folder sync as I am not ready to trust the cloud with my password manager database. Agile Keychain package is mostly acceptable as all my local drives are protected with FileVault, so I have some layered protection from the package and file meta data leaking out, which is not a big risk just something to improve on with the OPVault. If the Agile Keychain works with files and folder sync such as Dropbox, it should work with GoodSync. With my luck I'd dive into OPVault now and AglieBits adds the Mac to Mac sync feature and the user's need to touch or mess with OPVaults in file folders may go away.
0 -
I'd have to agree @lc3user, if you're pretty happy with the combination of FileVault and .agilekeychain with Folder Sync then I'd say there may not be much benefit to playing about with it unless you felt the need. If you change your mind though just say :smile:
0
