Answered: How does this Teams thing really work, anyway?

edited November 2018 in Lounge

So back a few months ago, I came onto the forums here asking for a lot more deep technical details about how 1Password works. I'd read the Teams white paper, I'd played with some of the underlying data a little, but I was still confused.

I was able to get a lot of great answers here in the forums, but I also saw a few people asking similar questions. And while, again, the engineers here have been great about answering those questions, you really had to skip around to find the answers. Sometimes a solid answer never really materializes (in particular I'm thinking about "test vectors," which are vital to have but a pain in the neck to generate).

So as I dug deeper, and built my own tools to convince myself that I really did understand what was going on, I slowly moved into Phase 2 of my typical "how does this work" obsession/process: Give a talk. I gave a short talk at a local hacker community (shout-out to NoVAHackers!) that was well received. Then I updated the talk, with a nice new metaphor for how vaults work, and gave it internally at work. Finally, last weekend I presented the talk at BSides Delaware, a small local security conference in, you guessed it, Delaware.

Along with the presentation, I published a multi-part blog series on how all these things work and interoperate. I've got sections on 2SKD and unlocking macOS clients, EMK and Windows clients, how vaults work, how local vaults change things (the older OPVault format), and finally a catch-all for lots of the little things I didn't really talk about. Wrap them up with an introductory bit and a "start-to-finish" walkthrough (the whole process from Master Password to decrypted vault item) and you've got a series.

Also included are the slides from my talk, and a GitHub repository with (really rough) tools / functions to play with the 1Password data, as well as a tool to generate those elusive test vectors. So you don't need to play with your actual live password data while you're building a tool to decrypt Team Vaults.

I'd been a little uncertain about posting it here (partially because I didn't want to come off too brashly tooting my own horn, and partially because I was a little hesitant about response from AgileBits, and whether I might've messed anything up...) But an encouraging tweet from Rick Fillion convinced me otherwise (Thanks!)

So you can find the whole blog series, with links to the talk and the GitHub repository, here: . Start with the first entry ("Getting under the hood") and just read forward from there. Warning: They're a little dense at times, partially because one of my goals was for people to be able to use this as a reference when building and debugging their own tools... But hopefully it'll be interesting, for anyone who's curious how it works, as an alternative viewpoint to the (excellent) Teams Whitepaper. And ideally, it'll help at least a few people who are trying to go deeper with their own tools, too.

And, again, thanks to everyone who've answered my crazy questions here! Your help and the company's openness were vital to me making sense of everything, and are a big reason why I've enthusiastically recommend 1Password for, like, nearly a decade.

1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided


  • roustemroustem AgileBits Founder

    Team Member
    edited November 2018

    Thank you so much! I found the link a few days ago and was extremely impressed by the level of detail in your posts. Your posts, in many ways, surpass our internal documentation and the information we have in the whitepaper. :+1:

  • Well, to be fair, your authors have a lot more going on. And we're writing for very different audiences and purposes.

    I like to think of it more like the old Perl 6 "Exegesis" series -- here's the official doc, and I wrote a "What this all really means is..." companion.

    That said, I'm particularly happy with my steampunk vault explanation. Though I still need to explore things like vault memberships and the recovery process a bit more...I got a little hand-wavy with some of that. I should also explore the network stuff a little more at some point...

    And thanks for the kind words! It really means a lot...I love digging into things, and then explaining them to others, and to know that I did a good job with this (and, at least so far, haven't heard of anything I got terribly wrong) really makes my day. :)

  • rickfillionrickfillion Junior Member

    Team Member

    to know that I did a good job with this

    Quite the understatement. :)

    Feel free to pepper us with more questions about how anything works.


Leave a Comment

BoldItalicStrikethroughOrdered listUnordered list
Align leftAlign centerAlign rightToggle HTML viewToggle full pageToggle lights
Drop image/file