message from windows 10 to back-up file encryption certificate and key

I have just received a message from Windows 10 on a PC recommending to "Back up your file encryption certificate and key". I am not knowingly using any file or disk encryption on this Windows machine. When I investigated on internet search the main suggestion was to find encrypted files on the hard disk. For me this search found .....\AppData\Roaming\Agilebits\OPX4.auth and I am not sure if this file is encrypted by 1Password itself, whether it needs to be encrypted and if so whether I should perform the suggested back-up of the referenced certificate/key files. Your feedback would be appreciated. This has only just recently happened so might be linked to one of the latest beta of 1Password. I am using v6.0.245d

1Password Version: v6.0.245d
Extension Version: Not Provided
OS Version: Windows 10
Sync Type: 1Password Family
Referrer: forum-search:message from windows 10 to back-up file encryption certificate and key


  • MikeTMikeT Agile Samurai

    Team Member
    edited October 2016

    Hi @Stephen_lee,

    Yes, you should back up your Windows' encryption keys and yes, this can happen because of recent 1Password updates.

    We're using Windows' built-in EFS (Encrypting File System) to secure your files on the drive when you download attachments and also use it to protect certain files that's used for communicating between the 1Password browser extensions and 1Password mini (you may have noticed the new pairing setup recently).

    These are recent changes, we've just implemented support for the attachments in Document items in the 1Password 6.0.239d update and changes to support the next update to the browser extension versions in both 1Password 6.0.245d and 1Password 4.6.0.BETA-415 updates.

    The file you found is the authorization file used for the pairing setup between the extensions and 1Password 4 Helper, you might still have 1Password 4 installed alongside 1Password 6.

  • So, in short, what should I do then? I have the same problem too. It keeps on popping up each time I turn on my PC. Upon inspection, I found out that the encrypted files is only one: which is 1Password file (screenshot below). Appreciate if you could share some guidance. Thanks!

  • MikeTMikeT Agile Samurai

    Team Member

    Hi @shark_coffee,

    Do what it said to back it up or dismiss the dialog, it shouldn't pop up again after that. This is a default Windows behavior that requires you to do something to dismiss it. We can't control how Windows work here.

  • Thanks for the info'.
    The ambiguous message from windows looked like it was encrypting my file system, so I was worried that a new strain of Crypto locker had got on.

    However, this raises a question regarding agilebits use of the encryption system, what happens IF my system goes away for some reason i.e crash, stolen, whatever, and I have to use one of 1Password's backup files (as stored in Dropbox) to get my data back?

    Do I need the encryption key from the failed machine?

    How does this impact the sharing of the database through Dropbox?

    In the past I could install 1Password, install my licence key, conenct to dropbox and be away.

    Is that no longer the case?


  • brentybrenty

    Team Member

    @I_Hate_My_PC: Thanks for reaching out. I’m sorry for the confusion! Unfortunately we don't have any control over the cryptic messages Windows gives. Oddly enough, I haven't encountered this on any of my machines.

    But to be clear, this has absolutely no effect on your use of 1Password. Your 1Password data is not encrypted by Windows; rather, as Mike mentioned, EFS is only used for viewing attachments temporarily and storing the secret shared between 1Password and its browser extension. So even if you do lose your Windows keys, you'll only be "losing" the temporary copies of attachments (not those in your vault) and the shared secret (which you can recreate simply by installing the extension and authorizing it again).

    You only need the Windows encryption key if you want to be able to access data on the drive from another machine. 1Password uses EFS for these to ensure that this data cannot be accessed by another user on the same machine. I hope this helps. Be sure to let me know if you have any other questions! :)

  • Thanks. That sets my mind at ease.
    I have to point out that this "Encryption Backup" message is happening on both my PCs (win 10 and win 7) on which I use 1Password.
    So it is happening quite a bit more than you are seeing I suspect.
    And, despite having chosen "never to back it up", I am seeing this at each start-up.

    I realise you have no control over windows messages, but the sudden display of this message combined with a 1Password update is enough to generate concern in anyone even slightly aware of the threat of viruses sneaking on.

    I don't know how Agilebits can rectify or accommodate this, but it is something that is of enough concern to impact your users and more importantly to you, their continued use of 1Password.

    You (Agilebits) need to stop it from happening and/or clearly communicate why it is happening and how to handle it...because it is 1Password that has kicked this off.
    No other piece of software on my machine has done this ...ever.

    As I said, having NO machine wide encryption turned on, to suddenly see a message (albeit not yours) that sounds like the whole machine is being encrypted against my will, when a 1Password update is performed, is of major concern.

    It was only that the upgrade happened initially on my test machine that I did not panic and just pull the plug and roll back.

    I've been in the IT game for well over 30 years so I have a good handle on the "the issues" and realities of software development.

    However, a good proportion of that was a senior level software testing consultant, so I can say with some authority that leaving 1Password users in this situation is not good.

    I am trying to be helpful here, not a pain in the "a" here, I just really want to be able to keep using 1Password. :-)


  • MikeTMikeT Agile Samurai

    Team Member

    Hi @I_Hate_My_PC,

    We do agree that we should've clarify this better from the changelog, we apologize that we didn't do this.

    I can definitely see why this will look like as if you may have been infected with ransomware that's been happening lately. We'll see what we can do about presenting a notice before we start encrypting certain files.

    We've been doing this with 1Password 4 for Windows for a few years now and we didn't get this feedback, so we naturally just added it to 1Password 6 Beta without any forethought about adding a note that this will happen.

    Thank you for your thoughts.

  • Thanks :-)

  • MikeTMikeT Agile Samurai

    Team Member

    This is all you, you can thank us when we add a proper notice to the app.

  • This just started happening to me as well. I just updated 1Password yesterday and then started getting the little icon indicating that I should backup my file encryption key. I was also worried about ransomware getting on my pc. With a file scan program, the only file that popped up as encrypted was the 1Password file.

  • MikeTMikeT Agile Samurai

    Team Member

    Thanks for letting us know, we're going to write a support article about this while we work on adding the notice to the app.

  • I've started getting this on my Windows 10 machines too - I checked with Microsoft support and they said if Bitlocker isn't being used, the certificate can be deleted using the Certificate Manager (certmgr.msc).

    Microsoft support don't seem to realise EFS is being used outside Bitlocker...

    1Password needs to work with Microsoft to ensure that either this message stops appearing or that it is clearly associated with 1Password software.

  • mzelmzel
    edited November 2016

    I am getting this on both Win 7 and Win 10 machines. And I am using 4.6 only and never installed the 6 beta

  • brentybrenty

    Team Member
    edited November 2016

    To add to the confusion, not all "editions" of Windows support EFS! We don't exactly hold sway over Microsoft, and I doubt they'll change their messages since EFS has been around since at least 2009. But we'll see if we can find a way to present helpful information about this ourselves. Thanks for your feedback on this!

    Edit: I wasn't sure about this, so I did a little research. Apparently EFS was part of NTFS 3.0, which was introduced with Windows 2000. I was still using FAT32 back then! :dizzy:

  • brentybrenty

    Team Member

    @mzel: Just to clarify, all current versions of the 1Password desktop apps (and extensions) support the new authentication, including 1Password

  • I respect you guys, as you do good work.

    I know Babylon's security people have their own opinion, however it generally isn't a good idea to use certificates anymore for authentication, as both RSA, and ECC algorithms are vulnerable to quantum processors / Shor's Algorithm.

    The only Public / Private key algorithm I have heard of that is supposedly resistant to Shor's Algorithm is Lattice Cryptography. ECC, and RSA shouldn't be used. As I understand Symmetric key ciphers are resistant to Shor's Algorithm (though perhaps a suitable algorithm is yet to be found?)

    The NSA was awfully excited about something a few years back, and given their basically unlimited budget, and all of the 'black project' budgeteering. It would seem to be possible, if not likely that they can factor large enough numbers to make EFS obsolete:

    All the conspiracy theories aside (that statement was made the day before 9/11). He was likely talking about a multi-year audting cycle of some kind. It is telling that no one cared about that statement though. Even after 9/11, someone should have asked about the missing 2 trillion dollars.

    It is suspicious enough to me that IBM factored 15 on quantum hardware in 2001, and only claims to have 5 qubits available now:

    Wheres D-Wave supposedly had 28 qubits back in '07, right around the time the NSA got really excited about some new fangled way to harvest communications (Ground breaker was in 2000, so that couldn't be it).

    Now they claim to have over 1,000 qubits, and further claim their chips are scalable:

    EFS / RSA / ECC need to be deprecated now.

    It is a very sick country indeed that tolerates the pervasiveness of things like the Patriot ACT, and Ground Breaker. The NSA aside, 'normal' people will be able break these ciphers in the not too distant future.

    It wouldn't make any sense for these entities to release information as soon as they find it. It would make a lot of sense for them to delay releasing the tech, and profit from it (the revolving door of government).

  • brentybrenty

    Team Member

    Indeed. Chips are scalable (so far, though we may soon see the end of Moore's Law), and of course clustering scales that even further. But you quickly (in terms of the kind of processing power we're talking about) run into power limitations when trying to accelerate brute force attacks. I have no doubt this will change in the future, but today there are practical limitations that really get in the way — even if you have a trillion dollars to blow, there isn't anyone who can sell you as much power as you'll need to get the work done quickly. Fascinating stuff.

  • Hi there,
    I just wanted to add that this happened to me as well after setting up a new windows machine. Since I didn't know about that, I did a second fresh installation of Windows because I thougth something went wrong during the first installation which caused the drive to encrypt "itself". I just found out about 1Password being resonsible for the message because I checked the menu bar after each new programm I installed.
    Not too much of a big deal for me, but I wanted to let you know because a notice would really be helpful during the installation process of 1Password to explain why this message will show up.

  • @funzyl sorry for the trouble, we did use EFS by default before, but this has been changed and EFS is off by default. It can be turned on from Gear > Options > Advanced only and there is message like you described. Are you sure you used latest 6.4.377+ build?

  • Actually not, I'm using version 4 because I sync over iCloud and do not have a 1Password account. Unfortunately, I wasn't able to get 1Password running without an account, so I went back to version 4.

  • MikeTMikeT Agile Samurai

    Team Member

    Hi @funzyl,

    We understand. Thanks for letting us know.

This discussion has been closed.