Folder Sync

Hi @jkbos,

It sounds to me like you've got Folder Sync set up correctly. Essentially, Folder Sync does the same thing as Dropbox sync, in that 1Password will copy your database into .agilekeychain format and store it in a location of your choice. Then you can use a secondary sync solution or a home network to keep your data up-to-date across multiple computers.

The important thing to note when using a home network solution is that each computer must have full read/write permissions to the location that your 1Password.agilekeychain is stored in. If you are seeing inconsistencies, I suspect that one of the computers might only have read permissions and is unable to write any database changes to the folder.

I hope this gets things sorted out for you, but if you do have any further questions, we're here for you!

Hi @jkbos,

It sounds like there could be a permissions issue with the Agile Keychain that's configured with folder syncing in 1Password 4 on both of your Macs. Also, which version of 1Password are you using?

When changes are made to the database on the computer where the .agilekeychain file is located, changes are not completely reflected in the database on the second computer (total count is not correct, trash not emptied, for example).

Is that the current behavior, after making these changes:

I did update the permissions to include Admin and the user on the second computer (Fetching) with Read & Write. I even deleted the .agilekeychain file, launched 1Password on the second computer and it recreated the file on the first computer.

?

If 1Password on Mac2 recreated the keychain it's possible that it doesn't have enough permission for 1Password on Mac1 to make updates even if the keychain is being stored there.

To help determine if that's the reason please create and/or change items on both Macs, then look for those specific modifications in the synced keychain by using 1PasswordAnywhere keychain locally with Safari and Chrome (as @khad explains here). If you see changes made from one Mac and not the other then you know which one isn't properly syncing its local 1Password database with the keychain.

Let us know the results of that testing and we'll have a better idea of what to suggest next for keeping 1Password data synced between your Macs.

Also, the database on the second machine does not seem to be backing up automatically daily. I can manually back it up but it doesn't seem to backup automatically.

This could be an issue with the 1Password mini helper process not being kept running long enough to do the automatic backups. To keep it running even when when the main application isn't running open the main app Preferences window, select the General tab, and make sure Always keep 1Password mini running is enabled:

Also, an automatic backup is skipped if the database hasn't changed since the last backup was created. I see gaps like this:

Sometimes gaps occur simply because the system and/or 1Password mini weren't running.

Looking forward to hearing from you again with the sync test results. Thanks!

Hi @jkbos,

I'm glad to hear you've made progress with your folder syncing configuration!

I found that the permissions for the package contents did not match the package, I set them all to match, for admin, the two users and everyone as read & write.

It's important that any individual files written in the keychain by either user will have read/write permissions for both users. Otherwise changes the non-creator makes to items in the local database won't be saved in the keychain and synced with corresponding items in the creator's local database.

Did you mean unavoidable, when you said avoidable in your statement above, "Sometimes that type of permission adjustment is avoidable. Are you using different user accounts on each Mac?"

I meant that both accounts might automatically have enough permission to read/write all the keychain data without explicitly changing permissions. For example, the same user account I use on different Macs can read/write data in certain shared folders on any Mac they're accessed from, locally or over the network, without making permission changes. Say, /Volumes/Space is local on Mac1 and user A has ownership permissions. Logged in as user A on Mac2, I can AFP-mount that volume and have essentially the same ownership permission to it there as on Mac1. So, folder syncing configured to an Agile Keychain stored on it "just works".

In other words if I had a child who I wanted to only access there vault and not the primary how would that be set up?

This guide uses Dropbox as the example, and you can also do it with folder syncing (with permissions possibly being a factor):

How to share a non-primary vault

With Dropbox syncing, each user has ownership permission to a local copy of the keychain. Here's a basic diagram of the data flow on two Macs between Primary vaults and the Agile Keychain that'll be stored locally and on the Dropbox site:

• Mac1 1P4 vault <---Mac1 1P4 Dropbox sync---> Mac1 Dropbox keychain <---Mac1 Dropbox app sync---> shared Dropbox keychain (on dropbox.com) <---Mac2 Dropbox App sync ---> Mac2 Dropbox keychain <---Mac2 1P4 Dropbox sync---> Mac2 1P4 vault

The Dropbox app sync on each Mac has permission to all the keychain data it accesses.

With a folder syncing configuration like yours, it's simply:

• Mac1 1P4 vault <---Mac1 1P4 folder sync---> shared folder keychain <---Mac2 1P4 folder sync---> Mac2 1P4 vault

The 1P4 folder sync on each Mac may or may not have permission to data in the single shared folder keychain it access.

The bold indicates where data is stored; italics indicates where syncing connections are.

I wish your forum sent an email when there was as discussion response.

The forum Notification Preferences page is where you can view/change your settings. To (un)bookmark a specific topic, click the star at the top of its page next to the gear and just above the POST A REPLY button. It'll be yellow when it's bookmarked:

When unbookmarked, it's just an uncolored outline:

I read some of the faqs and help and I think figured this out.

Nice! :)

I didn't appreciate that when sharing items iPassword needs to create a keychain for that vault for the sync — which of course makes perfect sense.

Syncing is configured independently for each vault in the 1Password database.

Created a secondary vault in my primary vault.

Actually, you created that secondary vault in your database. :)

The 1Password 4 glossary has some definitions for your 1Password data.

Then in the secondary vault set up folder sync over the network to a user on Mac 2, saving the keychain in that users Documents folder.

You had sufficient permission to create that keychain with folder syncing and you're its owner.

Then launched 1Password in that account, navigated to the keychain from the 1Password start up dialog and it all seems to work.

So, 1Password created a Primary vault for that user from the keychain you previously created in their Documents folder?

I set the permissions on the package and it's contents as well although it was working even without having all the permissions match.

To work correctly, individual files written in that keychain by any user need read/write permissions for all users accessing it.

I did have one problem creating the keychain in that user's account although it was just a normal permissions problem.

Not sure I understand what happened there. I thought the keychain was already created in the Documents folder, and sill being folder synced with a secondary vault in 1Password on your Mac?

Is this this how you intend multiple vaults to work?

Multiple vaults can be used without sharing/syncing any of them. And both are optional, i.e. 1Password can be used with the single, unsynced Primary vault.

You might want to sync/share your secondary vault with a secondary vault on the other Mac, keeping Primary vaults on both Macs private.

Can the name of a secondary vault be changed once created?

Not yet but it's on our list of improvements for a future update. There's current the "hard way" described in this guide:

Edit a vault's details

I hope that information is helpful for any further multiple vault and syncing you're doing.

Hi @jkbos,

I'd like to apologize for the delay in getting back with you here. We've experienced a surge in support requests recently and are doing the best we can to get back to our usual speedy replies as soon as possible.

1Password created a Primary vault for that User 2 on Mac 2 from the keychain I previously created in that users Documents folder. Is that not correct?

During 1Password 4 setup on Mac 2, was that keychain automatically detected and used to populate and folder sync with the Primary vault? Regardless of how it was done, you could start over with a new database on Mac 2, create an empty Primary vault with a unique Master Password, then open the keychain in the Documents folder to create a secondary vault and sync with it.

However, this sounds like you may first want to delete and recreate the secondary vault in your database on Mac 1, then folder sync to a new keychain that you'll use for creating and syncing with a secondary vault on Mac 2:

At this point I think recreating the secondary vault with a new password and keychain and is quicker than editing the vaults details.

That's quicker if you don't care about saving any data in either the vault or the keychain it's currently syncing with. :)

Note: As long as any data you need is in a 1Password database you can always (re)create keychain data from it.

The permissions issue occurred in first trying to save the keychain to Mac 2, one I had sufficient permissions in the user's documents folder it saved fine.

Did you try changing any items on Mac 2 and check if they were correctly synced with secondary vault items on Mac 1?

On Mac 1 Primary Vault and Secondary Vault synced to keychain on Mac 1.

Each vault would have to be configured separately to sync with a different keychain. Which keychain is the Primary vault syncing with (if any) and is the secondary vault still configured to sync with the keychain stored in Documents on Mac 2?

On Mac 2 User 1 syncs to that keychain over networks as I want that user to have access to the Primary and Secondary vault.

It's impossible to sync both vaults with a single keychain. I'd suggested this possible configuration:

You might want to sync/share your secondary vault with a secondary vault on the other Mac, keeping Primary vaults on both Macs private.

Secondary Vault on Mac 1 is synced to keychain on Mac 2 User 2 (so Mac 2 User 2 only has access to secondary vault).

That'll work. :)

BTW, backups seem to be working correctly.

Excellent!

If there's anything else I can help you with or if you've got more questions please let me know.

Hi @jkbos,

Sync with Dropbox and Import from iTunes are the sync methods available for secondary vaults in 1Password 4.5 for iOS. At the moment we're investigating an issue with Import from iTunes, currently leaving Sync with Dropbox as the only method of syncing data with a secondary vault. Wi-Fi syncing of secondary vaults and being able to copy/move items between vaults will probably be supported with a future update to 1Password for iOS.

I'm sorry I don't have a better answer for you right now.

Hi @jkbos‌,

Thanks for the additional questions!

Regarding your first question, you can indeed change your master password for a secondary vault. First, switch to that vault, and then go into 1Password > Preferences > Security and click Change Master Password (On Mac), or go into Settings > Security and click Change Master Password (on iOS). These settings are vault-specific, so whichever vault you currently have active will be the one that is updated.

Well look at that! You are absolutely correct - currently there is no way to change the Master Password of a secondary vault. My mistake - sorry about that! We have this on our todo list. Thanks for adding your vote!

Regarding your second question, have you updated 1Password for Mac to version 4.3? If not, give that a try and let us know if it works out any better.

Hi @jkbos,

Here are some steps you can currently use to indirectly change the password and other details of a secondary vault: post #8.

It is not possible to open that secondary vault from within the primary vault of the original database where the secondary vault was created if that secondary vault is synced to a keychain and that keychain is not available.

If you wait long enough this notification should eventually appear:

Some system errors can appear first depending on why the keychain that's configured to sync with the vault is unavailable (e.g. remote volume its on is unmounted and/or network connectivity is lost). After clicking Ignore in the notification, 1Password should switch to the vault, retain the current sync configuration, and still be able to reestablish syncing with the keychain again when it's available. After clicking Fix…, 1Password should switch to the vault and open the Sync preferences where the configuration will be disabled without being retained for future attempts to reestablish syncing.

1Password can "beachball" for awhile, appearing to be in a hung state, if it's running when attempting to sync with a keychain on a network volume folder that's unavailable before timing out if it fails and displaying the 1Password Sync - Problem detected notification.

That's some background on how 1Password currently responds to error conditions with network-based folder syncing configurations. I'm working with our developers to improve how this is handled.