Backing up 1Password accounts

Comments

  • Jacob

    Team Member

    Hi @anrise! Thanks for posting about this. 1Password Families backs things up automatically on the server so you don't need to worry about doing it yourself. :) In addition to the server, the 1Password apps contain an offline cache of your data, which basically means they have their own local backup of nearly everything on the server. We do this for performance and reliability when you're offline, but it also serves as a great backup. The only caveat is Documents as they are only downloaded on demand, so make sure to go through your Documents and download each one so you have them stored locally.

    With these safeguards in place, we feel users who "do nothing" automatically have a very robust backup solution, which is a solid solution. I hope this helps answer your question!

  • @Jacob, as a follow up to this question. We use the Team service. Not that we don't trust your backups but we'd like to employ our own backup practice for redundancy. Do you have a suggestion? Ideally it would be something that could be scripted like via an API.

    Thanks.

  • @Jacob Hi. I don't think it's a good message for you/1Password to tell people that users do not have to worry because 1Password backs up the user's files automatically on the server. I trust 1Password (as do many users), but it's a common and good practice for companies to provide users with simple ways to export their data for their own safekeeping.

    I appreciate that 1Password is considering it, and I love the software and the fantastic support team. But, I've seen it said quite a few times that the users don't have to worry because their data is backed up on the 1Password servers. If the myriad of hacks the past few years have taught us anything, it's that no data is safe and that users should be given the capability and encouragement to take ownership of their data.

    Thanks for all the hard work you all do here in the forums and behind the scenes.

  • Jacob

    Team Member

    @timbrisc Good question. Right now backups are only made on the server. Local backups are something we're looking into for the future. We have internal discussions about what folks have been looking for each week, and I'd be happy to bring this one up. :)

    Thanks for the kind words about our team @tastyroadkill. We're hoping we can help you feel confident in using 1Password with or without an account. I'm sure we can do better here.

  • Hi,
    is there an update about the option to back up Team and Family vaults to my own storage?
    Cheers,
    Andre

  • Jacob

    Team Member

    We've been discussing this internally, and while there isn't an update to share publicly, we are looking into local backups for 1Password accounts. Thanks for checking in. :+1:

  • That's good news. To be very open I'm surprised that you forgot to have local backups in the first place.

    We put our most valuable data in 1Password.com. In case your sync backend goes kaputt and removes all our local data or any other accident happens on your side, we need to be able to recover locally. The local backup should be periodic so that we can go back to that last working local backup in case the synced version of the data is corrupted. And the backup should be easily picked up by Time Machine, etc.

    In the light of all these cloud data breaches (e.g. Yahoo, Dropbox, ...) and corruptions (e.g. Evernote) this is a no brainer.

  • roustem AgileBits Founder

    Team Member

    I think the main issue we are struggling with is the fact that we would prefer the backups to be fully encrypted. However, if they are fully encrypted then they are going to be completely unusable if the 1Password servers are unavailable -- the server data format is different from format used by the client apps.

    The unencrypted backup (plain text export) is already available but the problem there is now you have to take extra steps to encrypt and protect them.

    It is also possible to manually copy your server vaults to local vaults. However, this will be limited only to vaults that you have access to.

  • melorama Junior Member

    Why can't you reinstate the previous client-side functionality that let you periodically save versioned backups/snapshots of your client-side 1PW data? Were those backups also not encrypted?

    I'm fine with there not being a user-facing, server-side backup option if I could be able to easily/automatically create backups of my local client data (like in the "old days"), since it should theoretically be an inherent "backup" of my 1Password Teams/Family server-side data.

    Having my own local backups/snapshots of my 1PW data saved my butt on numerous occasions, and it totally freaks me out that there is no good mechanism for this, now that I'm using 1PW Teams/Families.

  • Ben AWS Team

    Team Member
    edited October 2016

    Why can't you reinstate the previous client-side functionality that let you periodically save versioned backups/snapshots of your client-side 1PW data? Were those backups also not encrypted?

    The reason the existing system doesn't work with 1Password accounts is because there would be no way to restore the backup to the server. Roustem explained this here:

    the server data format is different from format used by the client apps.


    Having my own local backups/snapshots of my 1PW data saved my butt on numerous occasions, and it totally freaks me out that there is no good mechanism for this, now that I'm using 1PW Teams/Families.

    But was it the fact that they were local that saved you, or the fact that there were backups?

    I'm not arguing against having local backups. But it is a more complex problem than it might appear to be from the surface. Having the server be "the source of truth" solves a lot of problems when using a model like this, but it also makes restoring a backup client side a challenge.

    Ben

  • lhagan Junior Member
    edited October 2016

    there would be no way to restore the backup to the server

    Isn't that OK, though? These hypothetical backups are just a last line of defense. If the AgileBits server goes crazy and deletes all of my data, and those deletions are mirrored on my local machine, my only hope is to restore from a local backup of ~/Library/Application Support.

    Instead, if 1Password can backup the cloud data to a local vault, I can just open up that vault and keep going. I can also "go back in time" to a previous version of my vault without depending on the cloud. If the AgileBits server gets fixed, I can use the "Share" feature in 1Password to move my data from the backup vault to the cloud again.

  • roustem AgileBits Founder

    Team Member

    We might be using the term "backup" in different ways. When I think about the backups, I am trying to find the solution that would allow you to have the full copy of your entire account, including all vaults of all team/family members.

    At the moment, if the client apps would perform a backup, they would only be able to copy the vaults that you personally can access. The client apps can't back up the vaults that you do not have access to. We can certainly implement the backup for these vaults only but then it is no different than you simply copying the contents of the ~/Library/Application Support folder yourself.

  • melorama Junior Member

    At the moment, if the client apps would perform a backup, they would only be able to copy the vaults that you personally can access. The client apps can't back up the vaults that you do not have access to. We can certainly implement the backup for these vaults only but then it is no different than you simply copying the contents of the ~/Library/Application Support folder yourself.

    As far as I'm concerned, this is good enough. In practice, all that matters is that if the data in my wife's 1Password app on her laptop is routinely backed up, with multiple versions on her machine, and the data in MY 1Password app on my desktop computer is also backed up locally in the same way, then this is achieving the desired purpose of ensuring that there are versioned backups that can be used in the event that either 1Password's servers go away, or if I make a horrible mistake on my end, and I need to revert to older versions of my vaults.

    As lhagan mentioned, these local "backups" would just be a last line of defense.

    The key is that the "backups" need to happen automatically, like they used to in older versions of 1Password desktop client apps. Leaving it up to the user to manually copy the contents of "~/Library/Application Support" is a bad idea.

  • melorama Junior Member

    The reason the existing system doesn't work with 1Password accounts is because there would be no way to restore the backup to the server.

    I think this is the source of confusion in this discussion.

    Speaking for myself, when I talk about "backups" of the 1PW data, it's without regard for if the 1Password servers even exist or not. If anything, this is the entire concern most of us are voicing in regards about the lack of backups. I frankly don't care if the backups cannot be easily restored to the 1PW server or not. If I have to manually re-enter everything by hand, that is a lesser concern to me than having the data backed up in the first place.

    I understand that you want an "ideal" backup and restore solution that serves all possible scenarios, but the lack of any form of automated local, versioned backup (like the way it used to be) is what is most concerning at this point.

  • brenty

    Team Member

    there would be no way to restore the backup to the server

    Isn't that OK, though? These hypothetical backups are just a last line of defense. If the AgileBits server goes crazy and deletes all of my data, and those deletions are mirrored on my local machine, my only hope is to restore from a local backup of ~/Library/Application Support.
    Instead, if 1Password can backup the cloud data to a local vault, I can just open up that vault and keep going. I can also "go back in time" to a previous version of my vault without depending on the cloud. If the AgileBits server gets fixed, I can use the "Share" feature in 1Password to move my data from the backup vault to the cloud again.

    @lhagan: The interesting thing is that this is already possible: you can copy your data to a local vault, and that local vault will both be fully available to you even without the 1Password.com server, and it can also be backed up and restored on your device.

    Another challenge here (and why this is a long, rather long-standing discussion) is that different people have different needs/desires/expectations, and one person's ideal theoretical "1Password Account backup" solution may not be adequate for another. I think this discussion encapsulates that well.

    However, going back to the workaround I noted above, perhaps doing something similar to this, but in an automated fashion (not requiring you to periodically copy manually), may work for you and others. It's one possibility we can consider.

  • brenty

    Team Member

    As lhagan mentioned, these local "backups" would just be a last line of defense.
    The key is that the "backups" need to happen automatically, like they used to in older versions of 1Password desktop client apps. Leaving it up to the user to manually copy the contents of "~/Library/Application Support" is a bad idea. [...]
    Speaking for myself, when I talk about "backups" of the 1PW data, it's without regard for if the 1Password servers even exist or not. If anything, this is the entire concern most of us are voicing in regards about the lack of backups. I frankly don't care if the backups cannot be easily restored to the 1PW server or not. If I have to manually re-enter everything by hand, that is a lesser concern to me than having the data backed up in the first place.

    @melorama: Time Machine (or really any other backup tool) should be able to include 1Password's Application Support files, which includes the encrypted cache of all of your 1Password data, both local and 1Password.com vaults. So there's no need to do this manually if you're just looking for a "last line of defense" backup.

    I understand that you want an "ideal" backup and restore solution that serves all possible scenarios, but the lack of any form of automated local, versioned backup (like the way it used to be) is what is most concerning at this point.

    In most scenarios, the only way the local vault backups you're familiar with are useful is if you're also backing them up offsite, since any damage or theft will likely nullify both the computer itself and any connected devices. The only benefit that this method provides over the database backup suggested previously is usability. So while a full-fledged local backup feature could make things much more usable, based on your description, the thing that you're asking for is already possible using the backup tool of your choice (which is necessary regardless of 1Password).

  • lhagan Junior Member

    @brenty: You're right -- I'm already adequately covered with a reliable backup of my local machine (e.g. Time Machine, or CrashPlan in my case). Will test this solution to confirm...

  • Jacob

    Team Member

    Sounds good. :+1:

  • edited October 2016

    Just to confirm -- we are saying that for 1Password family users, if you back up all of the files in this directory:

    [email protected] ~/Library/Application Support/1Password 4/Data $ ls | cat
    B5.sqlite
    B5.sqlite-shm
    B5.sqlite-wal
    E19D58E92....[REDACTED].....blob2
    OnePassword.sqlite
    OnePassword.sqlite-shm
    OnePassword.sqlite-wal

    You could, at a later time, replace these files with an older version of themselves and login to the desktop app, and you would see the old vault? And this could, of course, be done with no internet access? If you were connected to the internet, would it try to sync these changes to 1Password.com, or what would happen?

    I deleted all of the files in that directory and turned off my computer's network access, and if I sign in, it still seems to show all of my 1Password.com vaults?

    Edit: Looks like ~/Library/Containers/2BUA8C4S2C.com.agilebits.onepassword-osx-helper/Data/Library/Data is what I was looking for. Is there anything else I need to backup?

  • brenty

    Team Member

    @lookingforentropy: You're right on about backing up the data yourself, but as mentioned previously there is no way to restore that "personal backup", either in the app or on the server. That's something an actual backup/restore feature would address, and none exists at this time on your local machine, only on the server with automatic backups.

  • @brenty Yes, I understand, that would be great, but I have the same opinion that @melorama voiced above: I must have an encrypted backup that I can access in a disaster scenario, regardless of whether the 1Password servers are accessible or not, no matter how difficult it is to restore my synced data to that state if I need to do a recovery. If that means there is a program that I run, enter my master password, and it drops a plaintext JSON file on my desktop, so be it. I just need some way to decrypt the data in my backups -- the hope is that I will never need to actually do this. "Restore" can be a totally manual process (for now).

    I conducted an experiment that verified this is possible:

    1. Backup data to ~/Desktop/1pwd-test-original
    2. Add a new login: 1password-test-1
    3. Backup data to ~/Desktop/1pwd-test-1
    4. Move 1password-test-1 to trash, add a new login: 1password-test-2
    5. Backup data to ~/Desktop/1pwd-test-2
    6. Restore data from ~/Desktop/1pwd-test-1
    7. Turn off network access
    8. Help > Troubleshooting > Restart 1Password mini
    9. I only see 1password-test-1 -- success!
    10. Restore data from ~/Desktop/1pwd-test-2
    11. Help > Troubleshooting > Restart 1Password mini
    12. 1password-test-1 is in the trash and 1password-test-2 exists -- success!
    13. Restore data from ~/Desktop/1pwd-test-1
    14. Turn on network access, and the vault is replaced with data from 1pwd-test-2 (i.e. the last time I synced with the server)

    To summarize the findings:

    • You can decrypt an old version of a vault by replacing the files in ~/Library/Containers/2BUA8C4S2C.com.agilebits.onepassword-osx-helper/Data/Library/Data
    • Help > Troubleshooting > Restart 1Password mini will re-load the files in the Data directory
    • However, if 1Password has network access, it will replace the local data immediately. (The good news here is that restoring from a backup locally will not inadvertently replace your data on the server.) Removing network access allows you to access the old vault.

    I hope that AgileBits takes our concerns seriously and implements a proper backup/restore scheme (especially helpful would be one that converted a local backup to a local vault that could be loaded in the app alongside my server-synced vaults, regardless of the availability of network), but in the meantime, it seems like this strategy will give me the necessary peace of mind.
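
The snapshot-and-restore experiment in the post above, automated as a script with versioning and an integrity check. This is an added example, not part of the original post and not an AgileBits tool: the function names, archive naming and retention count are assumptions, and the default source path is the one reported in the post.

```shell
#!/bin/sh
# Added example: versioned, integrity-checked snapshots of the 1Password data
# directory. Function and archive names are hypothetical, not an AgileBits tool.
SRC_DEFAULT="$HOME/Library/Containers/2BUA8C4S2C.com.agilebits.onepassword-osx-helper/Data/Library/Data"

sha256_of() {   # portable hash: sha256sum (Linux) or shasum (macOS)
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
  else shasum -a 256 "$1" | cut -d' ' -f1; fi
}

# prune DIR KEEP: delete the oldest archives beyond KEEP (names sort by time)
prune() {
  total=0
  for f in "$1"/1pw-data-*.tar.gz; do
    if [ -e "$f" ]; then total=$((total + 1)); fi
  done
  excess=$((total - $2))
  for f in "$1"/1pw-data-*.tar.gz; do
    if [ "$excess" -le 0 ]; then break; fi
    rm -f "$f" "$f.sha256"
    excess=$((excess - 1))
  done
}

# snapshot SRC DEST [KEEP]: archive SRC into DEST and print the archive path.
# Quit 1Password first: SQLite .sqlite/-wal/-shm files must be copied as a set.
snapshot() {
  src=$1; dest=$2; keep=${3:-10}
  if [ ! -d "$src" ]; then echo "no such directory: $src" >&2; return 1; fi
  mkdir -p "$dest" || return 1
  chmod 700 "$dest" || return 1
  stamp=$(date -u +%Y%m%dT%H%M%SZ)
  n=0
  out=$(printf '%s/1pw-data-%s-%02d.tar.gz' "$dest" "$stamp" "$n")
  while [ -e "$out" ]; do      # several snapshots within the same second
    n=$((n + 1))
    out=$(printf '%s/1pw-data-%s-%02d.tar.gz' "$dest" "$stamp" "$n")
  done
  if ! (umask 077; tar -czf "$out" -C "$src" .); then rm -f "$out"; return 1; fi
  (umask 077; sha256_of "$out" > "$out.sha256")
  prune "$dest" "$keep"
  echo "$out"
}

# verify ARCHIVE: succeed only if the hash matches and the archive lists cleanly
verify() {
  [ -f "$1.sha256" ] || return 1
  [ "$(sha256_of "$1")" = "$(cat "$1.sha256")" ] || return 1
  tar -tzf "$1" >/dev/null 2>&1
}

# restore_to ARCHIVE TARGET: unpack a verified snapshot into an empty directory
restore_to() {
  verify "$1" || { echo "refusing to restore: $1 failed verification" >&2; return 1; }
  mkdir -p "$2" || return 1
  if [ -n "$(ls -A "$2")" ]; then echo "target not empty: $2" >&2; return 1; fi
  tar -xzf "$1" -C "$2"
}

# Usage: sh 1pw-snapshot.sh /Volumes/Backup/1pw   (destination is an example)
if [ "$#" -ge 1 ]; then snapshot "$SRC_DEFAULT" "$1"; fi
```

`restore_to` only unpacks into an empty staging directory; moving the files into place with network access off and restarting 1Password mini remain the manual steps listed in the post.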

  • brenty

    Team Member

    @lookingforentropy: I'm glad that helps! As mentioned previously though, I still feel that local vaults are a better option, as they (and 1Password) were designed to function fully offline, and can be read in even years-old versions of the app. They're encrypted, and of course regardless you can export JSON (in 1PIF form) of any of your data in 1Password for Mac — even from a vault which is part of your 1Password Account. But using a local vault is preferable since it is encrypted and easily usable in the app itself. Cheers! :)

  • joe6759
    edited November 2016

    @brenty I admittedly haven't read all 4 pages of this thread, but you mention local vaults as a better option, but how do we copy our family vaults to a local vault if they're read-only in v6? (remember, most customers probably use Windows, not MacOS :))

  • brenty

    Team Member

    @joe6759: Sorry for the confusion! I'm pretty sure that lookingforentropy is using macOS. Definitely the majority, especially since the 1Password 6 Windows desktop app is still new. ;)

    However, while the new app on your PC does not yet support local vaults, copying the database is less convoluted than on macOS. Just type %LOCALAPPDATA%\1Password\ into the address bar in Windows File Explorer, and copy the data folder. Cheers! :)

  • I'm trying the Families version and like it (even though I think that $5 is a bit unfair for just two users). But like many users I'll probably be switching back to the standalone version unless a local backup capability shows up before the end of the 6-month trial period.

  • brenty

    Team Member

    I'm not sure that "unfair" is a fair term. You can certainly add more! I have a small family myself, so I like the fact that the "extra" users allow me to add accounts with limited access to important information that people may need if something happens to me. It's my "poor man's" legacy management system. ;)

  • Just to add to what @brenty has said, I am also a Family subscription user and I only have 2 users currently using it (me and my fiancée). We may end up with my daughter on there in the future at no extra cost. Even if we don't, we both feel that $5 per month for 2 of us is a very small cost to pay for our password security. In addition, we much prefer the fact that the synchronisation between devices is all handled by 1Password/Agilebits servers (they use AWS services) rather than having to set it all up ourselves with Dropbox or iCloud (and frankly we trust 1Password/Agilebits' setup and security more than that of Dropbox or iCloud!!).

  • brenty

    Team Member

    Glad to hear it! I do want to add though that your 1Password data is end-to-end encrypted, so 1Password simply doesn't depend on the sync service to protect your data. 1Password is secure by design, not by chance. So the real benefits that 1Password.com offers over Dropbox or iCloud are the addition of the Account Key (which is used in conjunction with the Master Password to encrypt your data), and the ease of setup: you just login to your 1Password Account on each device to access your data — no sync configuration required. Cheers! :)

  • I agree brenty,
    We have switched from Dropbox syncing to Families for our one Mac and four i-devices. Have set up a Shared vault with two of us and our two Personal Representatives as specified in our powers of attorney. It's a secure and easy way to have our wills, POAs, financial information in an organized secure accessible place.

  • Jacob

    Team Member

    That's awesome @pairiewalker! Glad you're liking it. :)

This discussion has been closed.