How to handle airgapped transfer of certain files for 1Password on Windows

Comments

  • sach_nyc
    Community Member

    I did it using 1password ios app. Will it work on app?

  • sach_nyc
    Community Member

    also, i think you are talking about setup code and I am asking for 2fa bar code to txt key. I don't think it is same?

    Also, I did your method too and it gave me secret key in text box below. I am asking for 2fa key which goes in google authenticator manually.

  • MikeT

    @sach_nyc,

    You are correct. I misread several posts and got myself confused between 2FA and the 1Password secret key. I apologize!

    There is no 1Password.com 2FA secret stored on the 1Password.com website that you can use to re-enter into Google Authenticator.

    You will need to use the Google Authenticator app on your mobile device with a camera to scan your physical copy of the QR barcode that you saved when setting up 1Password.

    If you can't scan it properly, you'll need to de-activate two-factor authentication for your 1Password account on the website and turn it back on to get a new code. Here's how: https://support.1password.com/two-factor-authentication/#if-you-lose-access-to-your-authenticator-app

  • sach_nyc
    Community Member

    ok..got it. i'll try it

  • AGAlumB
    1Password Alumni

    Sounds good. Let us know how you get along. :) :+1:

  • sach_nyc
    Community Member

    Ok..it worked. Now to something more complicated. Is it advisable to store crypto wallet seed ( a series of words) in 1password?

  • Greg
    1Password Alumni

    Hi @sach_nyc, great news! I am glad to hear it worked. :)

    As for your crypto wallet question, everything you store in 1Password is encrypted. Moreover, we had a blog post about managing cryptocurrency back in February this year:

    How to use 1Password to manage cryptocurrency

    Please let me know if it helps. Thanks! :+1:

    Cheers,
    Greg

  • sach_nyc
    Community Member

    Article recommends storing private keys or seeds in 1password. But considering 1password remains unlocked for time set in settings, isn't this a risk? I leave my computer on desk for 2 mins and some one makes a photo of my seed? it will be all over

  • MikeT

    Hi @sach_nyc,

    If you're in an unsafe environment where other people are around and you leave your desk, you have a much bigger risk that's not limited to 1Password. Anyone can just walk up to your computer, plug in a USB drive with malware and infect it; you're compromised and the game is over. 1Password does not protect you against compromises like this; it is designed for one specific use: to protect your passwords and specific data on disk with the use of encryption.

    When you leave your desk, you must always lock your system and you must protect your system; 1Password is one tool in the whole series of defenses you have to use.

    With that in mind, I'm not familiar with what your wallet seed looks like; you can use the custom password fields to store the private key, and it'll be concealed. If it is a file, you upload it as such; 1Password only renders image files and does not reveal any other format upon viewing that document item.

  • sach_nyc
    Community Member
    edited August 2018

    thanks for info. I have paid versions of malwarebytes and webroot running on my pc. I have read everywhere that it's not safe to keep private keys or wallet seeds anywhere online? but what could be issue if it is kept encrypted?

    what do you think of below solution:
    create a new 1password vault on pc folder which has cloud backup and save your seed/private keys in that vault? keep password to that new vault in 1password current vault? Will new vault on local computer be saved on 1password.com database?

  • AGAlumB
    1Password Alumni

    > thanks for info. I have paid versions of malwarebytes and webroot running on my pc. I have read everywhere that it's not safe to keep private keys or wallet seeds anywhere online? but what could be issue if it is kept encrypted?

    @sach_nyc: Encrypted is important, but the real key (pun sort of intended) is using a strong Master Password for that purpose. If someone encrypts their data with "monkey123" that won't do them much good. ;)

    > what do you think of below solution: create a new 1password vault on pc folder which has cloud backup and save your seed/private keys there? keep password to vault in 1password current vault? Will new vault on local computer be saved on 1password.com database?

    An encrypted disk image? Sure. Personally I'd use 1Password to store a key like that, but with files I sometimes find it helpful to do what you describe, since that makes them usable on a computer. But keep in mind that local vaults are completely unrelated to 1Password.com; you'd need to sync that yourself if you wanted it available on other devices.

  • sach_nyc
    Community Member

    I understand importance of strong passwords

    > An encrypted disk image? Sure. Personally I'd use 1Password to store a key like that, but with files I sometimes find it helpful to do what you describe, since that makes them usable on a computer.

    An encrypted disk image? - you mean local 1password vault on encrypted disk using bitlocker? that would be double encryption.

    but while i'll put those secret private keys in 1password vault, how can i be sure that other trusted softwares like malwarebytes or webroot are not watching what I am doing or may be steal the keys?

  • MikeT
    edited August 2018

    Hi @sach_nyc,

    > I have read everywhere that it's not safe to keep private keys or wallet seeds anywhere online? but what could be issue if it is kept encrypted?

    Is it possible that they meant it is not safe to put it in your cloud folders that are not using end-to-end encryption, like your Dropbox/OneDrive or Git repos? There were some bad security habits by a lot of people over the years where they left certain keys in a git repo and they synced it with GitHub or other places and it was accessible to anyone in public.

    In this case, encrypting the files themselves like in 1Password is safe to do, but keep in mind that when you extract the file from 1Password, it is not going to be encrypted on disk; you still have to make sure you trash the files properly while using BitLocker to encrypt your drives fully.

    > but while i'll put those secret private keys in 1password vault, how can i be sure that other trusted softwares like malwarebytes or webroot are not watching what I am doing or may be steal the keys?

    Sadly, that's one of the most difficult security problems there is for computers; there isn't a way to be sure. Intel's recent security issues like Meltdown/Spectre were basically allowing any malware to read any sensitive content in the system's memory without isolating it to authorized processes. Anything running in your local account's memory is possible to retrieve by any other process.

    We will add an option in a future update to allow you to unlock on an isolated desktop, to prevent other processes from listening in but even that's not a secure thing. Someone could compromise the system's files to replace that isolated desktop to whitelist themselves. It's a tough world to work in.

  • sach_nyc
    Community Member
    edited August 2018

    > Is it possible that they meant it is not safe to put it in your cloud folders that are not using end-to-end encryption, like your Dropbox/OneDrive or Git repos? There were some bad security habits by a lot of people over the years where they left certain keys in a git repo and they synced it with GitHub or other places and it was accessible to anyone in public.

    It's possible.

    > Sadly, that's one of the most difficult security problems there is for computers; there isn't a way to be sure. Intel's recent security issues like Meltdown/Spectre were basically allowing any malware to read any sensitive content in the system's memory without isolating it to authorized processes. Anything running in your local account's memory is possible to retrieve by any other process.

    so, what is best way to input ledger wallet seed (on paper) in new vault in 1password?

  • AGAlumB
    1Password Alumni

    @sach_nyc: I'm not sure there's a "best" way. It's really a matter of preference. Do you prefer to store text in something like a Secure Note, which makes it relatively easy to copy and paste? Or save the file as a Document so it is secured but can be retrieved? I can never decide, so I tend to do both. :lol:

  • sach_nyc
    Community Member
    edited August 2018

    thanks for ideas. I prefer to save as jpeg. so, here are two ways:

    1. I am thinking of taking photo with my digital camera then plugging card in computer, add it to new local vault and then format the card. what do you think of this approach? i have webroot and malwarebytes running on computer among other bunch of software like meta trader 5, office etc
    2. Buy a old laptop with no network card i.e air gapped. Install MS office on it. take photo of seed with digital camera and plug camera card in air gapped computer. copy image and paste it in word document. protect / encrypt word document with 6 words passphrase using ms word menu options. format camera card. copy encrypted word document to usb drive and transfer it to other computer with 1password vault. create a new note with word document as it's attached and store passphrase as password.

    what do you think? i have heard about encrypted virtual machine but do not know how to set it up

  • MikeT
    edited August 2018

    Hi @sach_nyc,

    You are not likely going to hear good answers from our paranoid staff;

    > am thinking of taking photo with my digital camera then plugging card in computer, add it to new local vault and then format the card. what do you think of this approach? i

    I don't think it would make much of a difference from you taking a screenshot on your PC, attaching it to your Document item in 1Password and then deleting your local copy from the disk.

    Remember that Windows caches your used files, so stuff like SuperFetch may retain a copy of your image file from the SD card and then clear it up later.

    > Buy a old laptop with no network card i.e air gapped. Install MS office on it. take photo of seed with digital camera and plug camera card in air gapped computer. copy image and paste it in word document. protect / encrypt word document with 6 words passphrase using ms word menu options. format camera card. copy encrypted word document to usb drive and transfer it to other computer with 1password vault. create a new note with word document as it's attached and store passphrase as password.

    The big problem with that is that you have no proof the laptop isn't compromised by default. You'd then have to format the disk, reset the BIOS, (tape the camera) and so on.

    I also wouldn't trust any encryption that is used in any office tools. We've been able to break encryption in PDF, ZIP and Document files for a long time because their default protocols were outdated and broken.

    You'd be better off with the virtual machine instead as explained below:

    > what do you think? i have heard about encrypted virtual machine but do not know how to set it up

    Actually, that's our suggestion; it's the same thing we recommend when you don't trust the web and some of the files you need to download. Use an isolated virtual machine (VM) (not Windows, something like Qubes (1) or Whonix (2)) to download the files, scan them, and then if they are reasonably safe, copy them to your disk. If a file is infected, simply reset the VM back to fresh and it'd be like you've never touched that file.

    Unfortunately, there has been some malware that was able to work around some of the VM isolation methods, but they've been patched and are harder to break.

    You might want to check out Qubes OS (1) if you still want to go with an old laptop:

  • sach_nyc
    Community Member
    edited August 2018

    thanks for all details. Qubes OS looks good but I am not familiar with it. how about below approach:

    1. Get a laptop (lets call it cryptolaptop) with usb plug and play network card and no wifi
    2. install fresh windows 10 using usb and also install webroot and malwarebytes. scan computer to ensure no bugs
    3. download 1password
    4. remove plug and play wifi to remove networking (and do not plug it in again). disconnect any other networking, if any
    5. Create new local vault for 1password
    6. take photo of crypto wallet seed using a camera and copy it to computer and then add it to new 1password vault
    7. copy the vault to usb and then copy it to google drive or some other cloud drive with end to end encryption using your usual laptop with internet connection
    8. delete local copy of vault using webroot secure delete option
    9. add password to new vault (containing seed) to 1password on your usual laptop (not cryptolaptop)
    10. full format cryptolaptop
    11. fully format camera card

    what do you think of this approach? How secure is google drive or other such drives?

  • MikeT

    Hi @sach_nyc,

    > 1. download 1password

    Make sure you do that first before you scan the computer, but generally, yes, make sure you only download it from our official site and nowhere else.

    > remove plug and play wifi to remove networking (and do not plug it in again). disconnect any other networking, if any

    Don't forget Bluetooth.

    > take photo of crypto wallet seed using a camera and copy it to computer and then add it to new 1password vault

    Make sure the camera doesn't have Wi-Fi/Bluetooth either.

    > delete local copy of vault using webroot secure delete option

    No point in doing this if you're going to wipe your laptop's drive. There is no 100% sure way of securely deleting a single file on a hard drive (since data fragments are scattered all over the platter and they cannot tell any software which fragment is at which location); you have to use the disk wipe feature to write all 0s to the disk.

    > what do you think of this approach? How secure is google drive or other such drives?

    As long as the file is encrypted first and you use a strong password for it, the security of the cloud service doesn't matter. Same thing with a 1Password account; it'll be secure.

    For me, I'd just go with the simple virtual machine setup, it's easier and cheaper.

  • sach_nyc
    Community Member
    edited August 2018

    > For me, I'd just go with the simple virtual machine setup, it's easier and cheaper.

    thanks. Is there a link you can give me on how to set it up for crypto work like this and how it is secure? Can I install it inside windows?

  • AGAlumB
    1Password Alumni

    @sach_nyc: What Mike was saying is that you can use virtual machines to isolate files when downloading them to make sure they're safe before using them in your main OS. However, how to use virtual machines is far outside the scope of 1Password. There's a lot of information out there on the subject though, lots of different options, and probably support forums for the software involved as well.

  • sach_nyc
    Community Member

    thanks. I think i'll go with windows 10 pc with no network since I know it well. does 1password decrypts vault in memory or on disk too?

  • AGAlumB
    1Password Alumni

    > thanks. I think i'll go with windows 10 pc with no network since I know it well.

    Virtual machines can be more cost effective, but if you've got a spare computer to use solely for that purpose that's certainly a simpler option. :)

    > 1password decrypts vault in memory or on disk too?

    1Password only saves decrypted data to disk when you either a) export it or b) open an attachment/document file for viewing. The rest is done in memory and cleared when 1Password is locked. :sunglasses:

  • sach_nyc
    Community Member

    awesome. thanks :) 8-)

  • sach_nyc
    Community Member
    edited August 2018

    I have another question. hope you don't mind.

    If i create local vault, it does not give me new secret key. this means, it is using secret key of my 1password account?

    also, if want to backup local vault in a cloud, i'll have to copy .opvault file to cloud?

  • AGAlumB
    1Password Alumni

    > I have another question. hope you don't mind.

    @sach_nyc: We never mind questions. :chuffed:

    > If i create local vault, it does not give me new secret key. this means, it is using secret key of my 1password account?

    Local vaults do not use a Secret Key at all, only a Master Password you choose. Only 1Password.com uses a Secret Key for the account there.

    > also, if want to backup local vault in a cloud, i'll have to copy .opvault file to cloud?

    Yes, you'd need to copy the whole .opvault file (technically a folder) to whatever cloud storage you're using. Just keep in mind that if you're using a sync service for this purpose, it really isn't a backup, since file deletion will sync as well. But if it's just one of a number of different places you're keeping your encrypted data that's good for redundancy. :)
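
One way to check that a manually copied .opvault folder arrived complete on the USB drive or cloud folder discussed in the reply above. This is an added example, not part of the original thread and not 1Password tooling; the vault name, file names and file contents are constructed placeholders. It hashes only the encrypted files on disk, so the vault never has to be unlocked.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def manifest(root):
    """Map each file's path relative to root (POSIX style) to its SHA-256 digest."""
    root = Path(root)
    digests = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        h = hashlib.sha256()
        with path.open("rb") as fh:
            # Read in 1 MiB chunks so large attachments need not fit in memory.
            for chunk in iter(lambda: fh.read(1 << 20), b""):
                h.update(chunk)
        digests[path.relative_to(root).as_posix()] = h.hexdigest()
    return digests


def compare(source, copy):
    """Report files missing from the copy, files whose bytes differ, and extras."""
    src, dst = manifest(source), manifest(copy)
    return {
        "missing": sorted(src.keys() - dst.keys()),
        "changed": sorted(n for n in src.keys() & dst.keys() if src[n] != dst[n]),
        "extra": sorted(dst.keys() - src.keys()),
    }


def demo():
    """Compare a constructed stand-in vault folder with an intact and a damaged copy."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        vault = tmp / "laptop" / "Seed.opvault"  # hypothetical vault name
        (vault / "default").mkdir(parents=True)
        # Constructed placeholder files and bytes, not real vault contents.
        for name, data in [("profile.js", b"profile"), ("band_0.js", b"items"),
                           ("folders.js", b"folders")]:
            (vault / "default" / name).write_bytes(data)

        good = tmp / "usb" / "Seed.opvault"
        shutil.copytree(vault, good)

        bad = tmp / "cloud" / "Seed.opvault"
        shutil.copytree(vault, bad)
        (bad / "default" / "band_0.js").unlink()                  # file lost in transit
        (bad / "default" / "profile.js").write_bytes(b"profilX")  # corrupted bytes
        (bad / "desktop.ini").write_bytes(b"")                    # stray file added
        return compare(vault, good), compare(vault, bad)


if __name__ == "__main__":
    intact, damaged = demo()
    print("intact copy: ", intact)
    print("damaged copy:", damaged)
```

Point `compare()` at the original folder and the copy before deleting or wiping the original; any non-empty list means the copy should be redone.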

  • sach_nyc
    Community Member

    > Yes, you'd need to copy the whole .opvault file (technically a folder) to whatever cloud storage you're using. Just keep in mind that if you're using a sync service for this purpose, it really isn't a backup, since file deletion will sync as well. But if it's just one of a number of different places you're keeping your encrypted data that's good for redundancy.

    I'll copy manually. I do not plan to update it often. thanks

  • AGAlumB
    1Password Alumni

    :) :+1:

  • sach_nyc
    Community Member
    edited August 2018

    A weird issue I am experiencing second time in 1password. search bar for the top when selecting "all items" is not working when app is checking for vulnerable passwords. also, I can't filter using any option in left panel. I am currently waiting for vulnerable items search to finish to get a password. Chrome 1password icon is also not doing anything when clicking. scrolling on right panel is working however in 1password.

    I restarted my laptop few mins ago.

    update: vulnerable password check is stopped but filtering and search is still not working. I exited app using its icon in system tray and restarted. now it works

  • Greg
    1Password Alumni
    edited August 2018

    @sach_nyc: Does 1Password start working correctly after checking for vulnerable passwords? There is a known performance issue in the current version of 1Password 7, where you can see delayed UI reactions, so I wonder if you bumped into this issue.

    Thanks!

    ++
    Greg

This discussion has been closed.