Possible to whitelist IP access to vaults?

skopcho Junior Member

Is it possible to restrict access for specific vaults or even entire accounts via IP whitelist? My specific use case would be to limit the use of the CLI to specific machines for storage of secrets used in automation. If not, is this something you are looking into?

Thanks!



Comments

  • brenty

    Team Member

    @skopcho: Interesting. You could kind of do this to some extent using Travel Mode, but it was really designed for a very different use case. 1Password.com itself doesn't support anything like what you're trying to do though, so it isn't something we've built into the CLI app — or any of the clients — either. You can, however, use guest accounts, which have access to a single vault you share with them, to accomplish what you're trying to do. But I'd be interested to hear the use case. :)

  • skopcho Junior Member

    The use case would be to store secrets, keys, etc, that would be retrieved during deployment to servers, but I would want to limit the ability to access that vault to a specific deployment machine to reduce risk of intrusion. I'm thinking of a lighter weight version of HashiCorp's Vault.

  • brenty

    Team Member

    @skopcho: Thanks for letting me know! That's interesting, and while it isn't something 1Password is designed for, it's something we'll continue to evaluate. Our focus is on making a secure and convenient password manager first and foremost, and limiting access to only some data like that complicates things significantly, both with regard to usability and technically. Certainly it could be possible for us to do something like that today, but it would be phony, since your account credentials would allow you to access all of the data in your account, even if it is superficially limited to some subset of your data. You can, however, accomplish pretty much the same thing cryptographically by using a separate account with which you share specific vaults. If you just need one vault for this purpose, you may want to consider using a guest account. A guest account has no Personal/Private vault, only a single vault you share with it. And since each account has its own encryption keys, that would in fact be a secure way of doing the same thing. I hope this helps. Be sure to let me know if you have any other questions! :)
