How to backup 1Password account

ManuCH
ManuCH
Community Member

I just subscribed to a 1Password personal account. Previously I had been using the standalone version for years, syncing via Dropbox. I migrated all data to the account and deleted my old primary vault - all is good.

After doing that, something came to my mind: there doesn't seem to be a way to backup all data locally. Or at least I can't find it.

I know that 1Password guarantees backup and redundancy of all data, which is nice. But should something bad and unforeseeable happen whereas the 1Password cloud suddenly thinks I have 0 passwords stored, then syncs this across all my devices (basically deleting all my passwords), I would be out of luck, with no passwords and no backup.

So, is there some kind of way to create a backup of the locally cached 1Password data on a Mac, as a disaster recovery case? Or do we really have a 100% guarantee that nothing will ever happen to our data?


1Password Version: 6.6
Extension Version: Not Provided
OS Version: macOS 10.12.3
Sync Type: 1Password Account

Comments

  • Hi @ManuCH,

    Thanks for signing up for a 1Password membership! I hope you're enjoying it :)

    Regarding local backups, before jumping to that specifically, let me talk a bit about what we do by default. First, we do a lot of things on the server to help recover when needed. We have version control for each item so you can restore previous versions of the item if something ever accidentally happens to it, and we also perform full database backups that we can restore in cases of emergency.

    In addition to the server, 1Password for Mac and iOS contain an offline cache of your data, which basically means they have their own local backup of nearly everything on the server. We do this for performance and reliability for when you're offline, but it also serves as a great backup. The only caveat is Documents as they are only downloaded on demand, so you need to make sure you go through those and download each one to make sure that a backup of everything is stored locally.

    With these safeguards in place, we feel users who "do nothing"​ automatically have a very robust backup solution. As you say, however, everything breaks at some point, so while it's extremely unlikely anything catastrophic would happen that you couldn't recover from, I understand where you're coming from and I can see why you'd like to manage your own backups in addition to what we do. If making your own local backups will help you sleep better at night, who are we to say no? :)

    Creating your own backup is pretty straightforward in 1Password for Mac. You can simply export the data to our 1PIF data format and store that in an encrypted disk image or other safe location. The reason I mentioned an encrypted disk image is because the 1PIF format itself is not encrypted and it's essential to keep your data somewhere safe. Apple has a great guide for creating encrypted disk images in their knowledge base, and it should have everything you need to get things set up: https://support.apple.com/en-us/HT201599

    We also have some musings on how we could make local backups easier to perform, but at the moment we are focused on making backups on the server as simple as possible. By focusing our efforts there we can make sure that everyone has consistent and rigid backups. The main issue with backups is that they are often manual, which means people might forget to create them, or wait a month between creation, leading to a large discrepancy between the current and previous backup. We want to ensure every item has versions that can be restored if someone changes or removes it by mistake.

    I hope this helps explain where we are coming from! If you have anymore questions, please let us know!

  • ManuCH
    ManuCH
    Community Member

    Hi @Meek, thank you for your response, I appreciate it! This answers all the questions I had and I now know what to expect.

    Still, it would be really awesome if you could add automated encrypted local (or cloud) backup features for advanced users in your long-term roadmap. It would make your great product even better

  • Hey @ManuCH,

    I'm glad I was able to answer your questions! Thanks for letting us know you'd like to see an easier way to do local backups!

    If you have anymore question you know where to find us :)

  • AGAlumB
    AGAlumB
    1Password Alumni

    @sashk: Export formats are not encrypted, as they're designed to allow for interoperability (importing, migrating, etc.) You can always store them in an encrypted archive or volume, but their purpose is to be readable. But you can always save data to a local vault and back that up somewhere. Cheers! :)

  • t2clej
    t2clej
    Community Member
    edited May 2017

    "But you can always save data to a local vault and back that up somewhere"

    So if I do that, 1pw says that I must primary vault to unlock 1password.

    how does that work? do I have password for PRIMARY vault and it will unlock the vaults in 1pw families account?

  • AGAlumB
    AGAlumB
    1Password Alumni

    @t2clej: When you enable local vaults in 1Password for Mac (Preference > Advanced), you'll have a Primary vault separate from your account, and you'll unlock the app with its Master Password (that can be the same as your 1Password.com account though). You can then copy data there from your 1Password.com account, setup folder sync to save it in a location of your choosing on your Mac, and back that up with Time Machine, SuperDuper!, or pretty much any backup tool that supports macOS natively (I only mention that as cross platform tools sometimes don't play well with "bundles" like this). Cheers! :)

  • t2clej
    t2clej
    Community Member

    @brenty: excellent. thanks for the info.

    when I enabled local vaults, it made me use the master password that i was already using for 1pw families. that is probably because it was a new vault?

    If i open a vault already in use on dropbox, will it require the password I setup for that vault originally, right?

    Any downside to maintaining both types of vaults (private and primary)?

    Is this a feature that is going to be removed in the future?

    Thanks.

  • Drew_AG
    Drew_AG
    1Password Alumni

    Hi @t2clej,

    On behalf of Brenty, you're very welcome! :)

    when I enabled local vaults, it made me use the master password that i was already using for 1pw families. that is probably because it was a new vault?

    That's correct - your Primary vault was created with the same master password as your 1Password Families account. But keep in mind they are separate master passwords now, so if you change the master password for your Primary vault (for example), that will not change the master password for your Families account (and vice versa).

    If i open a vault already in use on dropbox, will it require the password I setup for that vault originally, right?

    Right again! :)

    Any downside to maintaining both types of vaults (private and primary)?

    Not really, although it might get a little confusing to have both kinds. The Primary vault is a local vault which isn't part of your account, so it won't sync through your account (and you won't be able to access the Primary vault on 1Password.com). The Primary vault only exists on the Mac where you created it unless you use one of the other sync options (Dropbox, iCloud, etc) to sync it elsewhere.

    Is this a feature that is going to be removed in the future?

    I don't think there's any reason to remove local vaults from 1Password 6 for Mac, so it wouldn't make sense for us to do that. As for future versions (1Password 7 and so on), I honestly don't know for sure because that hasn't been decided yet.

    If you need more help with that or have any questions, please let us know! :)

  • alexthornton
    alexthornton
    Community Member

    Still, it would be really awesome if you could add automated encrypted local (or cloud) backup features for advanced users in your long-term roadmap. It would make your great product even better

    Agree! I love the 1Password product but worry about the situation in the first comment where "the 1Password cloud suddenly thinks I have 0 passwords stored, then syncs this across all my devices". I'd love to backup an encrypted version of my data to a 3rd party such as Dropbox.

  • @alexthornton : I'd love that too. It's a problem that we've been putting a fair bit of thought towards in the last while. It's an interesting problem, and I hope that it's something we can address.

    Rick

  • alexthornton
    alexthornton
    Community Member

    Thanks @rickfillion. Any timeline on new features to address this that you could share?

  • AGAlumB
    AGAlumB
    1Password Alumni

    @alexthornton: We don't discuss timelines for unreleased features, but as Rick mentioned, this is something we're investigating.

    In the mean time, 1Password accounts automatically backup everything stored in them, and have item history as well.

  • normanrz
    normanrz
    Community Member

    I'm currently using a standalone vault and would love to change to a 1Password account. However, the lack of automated local (or third-party) backups is preventing me from switching. My data in 1Password is just too valuable to me personally that I would trust any single entity to make sure it is not lost.

  • ag_ana
    ag_ana
    1Password Alumni

    Hi @normanrz! Welcome to the forum!

    If you absolutely want to keep additional backups locally, in addition to the automatic ones performed by 1Password.com, nothing is stopping you from doing that manually. We do not recommend doing this unless necessary however, because exported data is not encrypted, but you can certainly do it if you manage to keep your backup data as secure as the one in 1Password.

  • normanrz
    normanrz
    Community Member

    Thanks for the quick reply! I was under the impression that periodic local backups were only available for standalone vaults and not account-managed vaults.

  • ag_ana
    ag_ana
    1Password Alumni

    @normanrz:

    I was under the impression that periodic local backups were only available for standalone vaults and not account-managed vaults.

    Automatic backups (the ones you could find under 1Password Preferences > Backups tab) are indeed just for standalone vaults. This is because, if you have a 1Password Membership, backups are taken automatically on the server, so there was no need to keep them locally too.

    But this doesn't mean that you cannot do it manually through exporting and automating the process ;)

  • Lars
    Lars
    1Password Alumni
    edited June 2019

    @normanrz

    My data in 1Password is just too valuable to me personally that I would trust any single entity to make sure it is not lost.

    I hear you. I can only imagine - and shudder to think - what a mess it would be if I lost my 1Password data all at once. But, if anything, 1password.com accounts are actually significantly more robust in that regard than the older standalone setups. Yes, when used in standalone mode, your local 1Password app will make regular (about once a day) backups of your data, and keep those backups zipped in your User/Library folder. But this is because it has to. With standalone 1Password, you don't even have to set up sync if you don't want to, so frequently, in the case of inadvertent data loss (such as mistakenly trashing an item you actually needed, etc) the local store of backups is a user's only recourse to recover critical data.

    But that system is not without its issues. Because that store of local backups is in your User/Library folder, if you experience data loss not because you mistakenly trashed an item or two but, say, because your hard drive fails unrecoverably...well, your backups would be on the same hard drive that your main 1Password database was -- in other words, just as unavailable as your 1Password app itself, unless you'd already thought to make backups of the backup folder to an external hard drive, NAS or offsite backup solution. The standalone setup worked - and continues to work, for those who are still using a standalone setup - pretty well...but just having local backups in your User/Library folder is not a bulletproof solution for data retention/recovery.

    By contrast, in a 1password.com account, two things are present that make the data redundancy much more robust than the more "DIY" approach of standalone:

    • your main 1Password data file is stored on 1password.com, which is not just your sync provider, but also your data host. We use Amazon's AWS as our actual provider, and their data redundancy/disaster recovery is second to none. On top of that, we provide our own version history which allows you, on an item-by-item basis, to restore items to a previous version (something that was not possible with standalone), as well as recovery of deleted (trashed) items.
    • each device on which you install a 1Password app additionally has a local cache of the data. That's how you're able to unlock 1Password and see/work with your data even when you don't have an internet connection. That's the main reason for it, but it also means that if either we (1Password) or Amazon, or both, were to simply go poof tomorrow, you would still have your local copy of your data, on each device where you'd been using a 1Password app.

    In short, 1Password.com data is very well protected in terms of preparation for accident or disaster -- considerably more so than what you've become accustomed to with your existing standalone setup, so don't let that be the factor that keeps you from joining us in 1password.com membership. :)

  • normanrz
    normanrz
    Community Member

    Thanks for your detailed explanation, Lars. I understand that local backups are not bulletproof. Therefore, I have multiple NAS and cloud backups in place for my critical data. The benefit is that I understand these redundant systems (and their failure modes) very well which makes me trust them. A single cloud service cannot provide that level of trust. Many of us have been burned by shut down cloud services (e.g. Google Reader or Inbox) or data accidents.

    Unencrypted manual backups are not a satisfying solution, because I have to think about them. Computers are much better at regular schedules than I am.
    The device caching is interesting. Last time I checked, I had the impression that only part of the vaults were cached. Notably, documents seemed to be fetched on-demand.

  • Lars
    Lars
    1Password Alumni
    edited June 2019

    @normanrz

    Unencrypted manual backups are not a satisfying solution, because I have to think about them.

    Very glad to hear you say that. If I get asked point-blank "can I do this," I will answer affirmatively...but only because anything else wouldn't be true. But we strongly recommend people NOT try to use unencrypted .1pif exports as a DIY "backup" solution.

    The device caching is interesting.

    It's not truly a cache -- it's your actual 1Password database. 1Password for Mac, in both standalone version and with 1password.com accounts, works on an internal SQLite database. In standalone 1Password 7 for Mac, it's ~/Library/Group Containers/2BUA8C4S2C.com.agilebits/Library/Application Support/1Password/Data/OnePassword.sqlite and with a 1password.com account, it's ~/Library/Group Containers/2BUA8C4S2C.com.agilebits/Library/Application Support/1Password/Data/B5.sqlite. This is the actual data file that's opened/decrypted when you enter your Master Password into 1Password 7 for Mac.

    Last time I checked, I had the impression that only part of the vaults were cached. Notably, documents seemed to be fetched on-demand.

    That was true regarding Documents for some time, but a while ago (I can't remember exact version, but after 7.0) we added automatic document downloading in 1Password for Mac. If you upload a Document using a different device, or even using the web interface, the next time you open 1Password for Mac, it should appear nearly instantaneously, and after that, it will require only that you click it to view -- even if you're offline. Hope that's helpful! :)

  • AGAlumB
    AGAlumB
    1Password Alumni

    Also worth mentioning that most "cloud backup" services are running on AWS. 1Password is as well. And that has a great deal of redundancy built into it, so saying it's a "single" thing is not really accurate: it's a network of servers, both for "live" data and "frozen" backups. 1Password account data is automatically backed up offsite -- including item history -- so you can get your data back within seconds of signing into your account, even if all of your devices were lost, stolen, or destroyed. That's not something you're going to get with any other backup strategy, no matter how much you pay for it. And you don't ever have to think about it. :)

  • normanrz
    normanrz
    Community Member

    Thanks for taking the time to explain your backup systems. I'll give the 1password account another try.

  • ag_ana
    ag_ana
    1Password Alumni

    On behalf of Lars and brenty, you are welcome @normanrz! I am happy to hear this :)

    If you have any other questions, please feel free to reach out anytime.

    Have a wonderful day :)

  • brebre
    brebre
    Community Member

    Question (I'm in the same boat as the OP --- I want to switch to accounts but very much want to control my own backup):

    Given that there's a real copy of the 1Password vault on my machine (for both standalone and accounts), wouldn't services like Backblaze or Time Machine (or really any service that backs up ~/Library/Group Containers/*) keep an offline backup of my encrypted vault?

    If yes, I guess the second question is: how could I open the contents of a vault that I restore from such a backup?

  • Lars
    Lars
    1Password Alumni

    @brebre - "controlling your own backup" isn't possible at this time without some of the more clumsy, manual workarounds that have been mentioned earlier in this thread -- things we definitely don't recommend, such as pressing the Export feature into service as an unencrypted backup of sorts.

    Given that there's a real copy of the 1Password vault on my machine (for both standalone and accounts), wouldn't services like Backblaze or Time Machine (or really any service that backs up ~/Library/Group Containers/*) keep an offline backup of my encrypted vault?

    Sort of, in the sense that yes, that data would be backed up.

    ...how could I open the contents of a vault that I restore from such a backup?

    That's the rub: you can't. There's no mechanism to restore such a backed-up copy via the 1Password application, on any platform, because we've already got the iterative backups and individual item history built in as part of 1password.com accounts.

  • virtualbartek
    virtualbartek
    Community Member
    edited September 2019

    "There's no mechanism to restore such a backed-up copy"

    Hi. Just to add to the discussion here. I maintain bootable backups with Carbon Copy Cloner. Wouldn't that work to get access to the data? I suppose the computer would be best left offline when accessing it, but nonetheless, it should work. I can't imagine it would work with a cloud backup, though.

    Would it confuse 1Password if it was opened offline, with the backed up version of ~/Library/Group Containers/2BUA8C4S2C.com.agilebits/Library/Application Support/1Password/Data/B5.sqlite replacing what was previously there?

    We need the ability to have automated local backups, that then become part of our regular backup scheme, irrespective of 1Passwords efforts to do the same on their end.

    Thanks

  • AGAlumB
    AGAlumB
    1Password Alumni

    @virtualbartek: That may be possible. You could always boot from your backup offline and find out. :)

This discussion has been closed.