Possible to whitelist IP access to vaults?

skopcho
Community Member

Is it possible to restrict access for specific vaults or even entire accounts via IP whitelist? My specific use case would be to limit the use of the CLI to specific machines for storage of secrets used in automation. If not, is this something you are looking into?

Thanks!



Comments

  • AGAlumB
    1Password Alumni

    @skopcho: Interesting. You could kind of do this to some extent using Travel Mode, but it was really designed for a very different use case. 1Password.com itself doesn't support anything like what you're trying to do though, so it isn't something we've built into the CLI app — or any of the clients — either. You can, however, use guest accounts, which have access to a single vault you share with them, to accomplish what you're trying to do. But I'd be interested to hear the use case. :)

  • skopcho
    Community Member

    The use case would be to store secrets, keys, etc., that would be retrieved during deployment to servers, but I would want to limit the ability to access that vault to a specific deployment machine to reduce risk of intrusion. I'm thinking of a lighter weight version of HashiCorp's Vault.

  • AGAlumB
    1Password Alumni

    @skopcho: Thanks for letting me know! That's interesting, and while it isn't something 1Password is designed for, it's something we'll continue to evaluate. Our focus is on making a secure and convenient password manager first and foremost, and limiting access to only some data like that complicates things significantly, both with regard to usability and technically. Certainly it could be possible for us to do something like that today, but it would be phony, since your account credentials would allow you to access all of the data in your account, even if it is superficially limited to some subset of your data. You can, however, accomplish pretty much the same thing cryptographically by using a separate account with which you share specific vaults. If you just need one vault for this purpose, you may want to consider using a guest account. A guest account has no Personal/Private vault, only a single vault you share with it. And since each account has its own encryption keys, that would in fact be a secure way of doing the same thing. I hope this helps. Be sure to let me know if you have any other questions! :)

This discussion has been closed.