Single shared vault on Win 7, 10+ concurrent users (not able to use any cloud sync storage)?
Hi,
Background: I am a long term very satisfied 1Password user on Mac, iOS and Windows for my personal data.
At work we manage a lot of disparate systems and servers that require the storage of credentials and other sensitive data in a way that team members can easily access and keep up to date.
I am interested in hearing from anyone that has used this type of setup WITHOUT using a cloud sync service like iCloud, Google Drive or Dropbox. The setup would need to run in our local LAN environment and those type of services are blocked.
The key question in my mind is without using a shared cloud hosted vault, is 1Password the right tool for this? Multiple team members may be accessing and updating the shared vault at the same time so it is essential that any updates to the shared vault don't cause data corruption or result in manual change merging type activities.
Can the shared vault be hosted on a network volume for example, or could we use a tool like rsync to continuously sync changes between a central shared vault location and local vault copies stored on team members machines?
Any advice, examples or suggestions welcome.
Thanks********
Comments
-
First thing to understand is that 1Password does not have the concept of user authorisation. If the user can provide the master password to a vault then they have full access to that data. You can not restrict their ability to edit or delete entries in the software. You might be able to set read only user permissions on the keychain folder for all but the admins but I have no idea if that would break the 1Password app.
For syncing, using rsync might work although if you have multiple users making changes concurrently then I suspect you'll end up in an almighty mess eventually. That said, if a read only vault works then your concurrency issues disappear.
The key thing is that all of the 1Password apps have free trial periods so you can try setting it up with a small group of "trusted" users and see if it works as you need.
Once other thing, there is no native Linux support so if you need to support Linux desktops then you're looking at WINE.
0 -
Oh, one other thought. If your users don't need write access then you could use make the vault accessible to an internal webserver and let them use 1PasswordAnywhere. The downside is that they'd lose easy filling in the browser and what need to copy and paste.
0 -
Hi guys,
@ChrisB, about the user authorization that Richard mentioned, you can learn more here: https://support.1password.com/revoke-shared-vault-access/
We are definitely interested in making 1Password more useful for your specific setup as we're hearing the same thing from other companies who want to share vaults between people behind their own firewalls/VPN. We will keep your questions and use-case in mind as we continuously work on improving 1Password.
The key question in my mind is without using a shared cloud hosted vault, is 1Password the right tool for this? Multiple team members may be accessing and updating the shared vault at the same time so it is essential that any updates to the shared vault don't cause data corruption or result in manual change merging type activities.
It depends on the sync tool your company will use and if it provides a built-in sync resolution feature. First, 1Password will back up your data on each computer daily if there are changes to the data file, so you would be able to restore from backups if such a situation occurs.
I assume we're talking about 10+ users all running Windows 7, no other platforms as you specified in the thread title here, right? In this case, your best option is to set up your own local sync solution (rsync would work) to sync with the network folder as a central "truth" location rather than everybody working on the same folder, which we do not recommend at all. You should also back up your vaults on your network drives nightly, even if you weren't syncing.
With that setup, it should work even for 10 users as it is not very likely that they will change the same item at the same time. In the
.agilekeychainformat we use, each item is its own file, so even if 10 user modifies the same item at the same time, only that specific item would be sync'ed, nothing else is affected.could we use a tool like rsync to continuously sync changes between a central shared vault location and local vault copies stored on team members machines?
Yes, you can do that. In fact, we actually moved toward that on the Mac platform with Folder Sync and you can see rsync is even on our list.
0 -
You might be able to set read only user permissions on the keychain folder for all but the admins but I have no idea if that would break the 1Password app.
Can you address this?
0 -
I will defer to others on this one since I haven't tried this kind of setup myself, but I believe that write failures make 1Password very unhappy.
/cc @MikeT, @svondutch
0 -
What I was getting at is whether the app tries to write stuff without and explicit modification action (delete, edit, mark as favourite, etc) in addition to the obvious "does it die a horrible fiery death" question.
0 -
@RichardPayne: Indeed. I know 1Password operates with the expectation that it will have write access to its data; I'm just unsure of the specifics as to how it copes with the failure, what types of writes it is doing in the background (apart from metadata, such as timestamp, etc.), and if this would have a negative impact on its usability.
0 -
Hi guys,
@RichardPayne, @brenty, we intentionally check for the read-only status at launch and won't unlock until the user fixes it.
0 -
ok, so that's not a solution to the concurrency issues then. @MikeT was there a specific reason for handling it like that rather than switching to a "read-only" mode where the options to change the vault are disabled, or was it just an easy out option?
0 -
@RichardPayne I have added this error message when we discovered that some customers...
- have a 1Password vault on a OS X partition, and
- are running Windows in Boot Camp, and
- are opening their 1Password vault from Boot Camp, and
- Apple's HFS+ driver for Windows allows you to mount your OS X partitions read-only, not read-write
https://discussions.agilebits.com/discussion/comment/9815/#Comment_9815
0 -
That wasn't what I was asking. I was asking why you went with the blanket prohibition option instead of a more subtle read-only mode?
To me, it would be better to allow the vault to be opened and read but disable any options that would cause a change to the vault. That would allow a couple of options which aren't viable now:
1) The OP's situation, multiple corporate users can share a vault on a read-only network share with no risk of one of them damaging the vault.
2) The example you cited, those Apple users could continue to access their vault from Bootcamp without having to go out to the internet.
0 -
it would be better to allow the vault to be opened and read but disable any options that would cause a change to the vault.
@RichardPayne You're right. That would be better.
0 -
add to the to-do list? :wink:
0 -
@MikeT Can you add this to JIRA, please? Thanks! /cc @RichardPayne
0 -
Hi guys,
I've added this to our tracker, OPW-326.
0 -
Thanks everyone for the comments and discussion - very useful. I like the last enhancement suggested by @RichardPayne .
Also thanks to @MikeT @svondutch for adding this to the issue tracker - I will monitor for any developments on that issue.
I think as suggested we will try a few different configs with the trial version, but the read only network share option, maybe with one team member (data steward type role?) with write permissions might be a good way forward in the short term.
Probably something for another thread, but we do have a use case for command line access from Linux to a 1Password vault....
0 -
I manage IT for a department of 50 people and we are currently evaluating 1Password for Windows as a potential replacement for Roboform. I wanted to chime in because we too require the ability to store the vault on a network share in a read-only fashion to most staff, and only a handful of data steward staff will have read/write access. This is something we are currently able to do with Roboform, and I was disappointed to see that 1Password doesn't allow a vault to be opened from a read-only location. So, this is good news that it may be addressed in a future release.
Is the "tracker" something that we can see / follow? Or is that an internal-only tracker? Is it possible to estimate how long it will be before this change is implemented?
0 -
@ChrisB: Absolutely, and thank you for the feedback. While 1Password wasn't designed with this particular use in mind, knowing how you actually do (or would like to) use 1Password is immensely helpful. :)
@RyanL: Our tracker is internal, but you can 'bookmark' this thread by clicking the star at the top right. That way you'll have quick access to further discussion and updates in this topic. I hope this helps! :)
0
