Cloud-Free Syncing Between macOS and Windows Environments

JediJoker
Community Member
edited February 2019 in Mac

I have individual licenses for 1Password on macOS and Windows. I have no interest in subscribing to the 1Password service, as I do not want my aggregate password data in the cloud at all. I balk at the idea of someone only needing to brute force one password to gain access to all of my passwords, versus needing to first hack into one of my devices. It's an extra layer of protection I do not intend to relinquish.

I have one Mac on which I run macOS—my primary environment, the one in which I started using 1Password years and versions ago—and Windows, plus a Windows-only laptop. I'd like to keep all three environments in sync as seamlessly as possible, but let's focus on just the primary Mac for the moment. On the Mac, I have Mac 1Password set to sync to a folder residing on my Windows boot drive. As long as the boot drive is mounted, it syncs properly. When initially setting up 1Password in Windows, I select the "Sync using folder" option and select the ".opvault" folder. This creates a new vault with the same name and password, but does not import any of the data. I then import the data from the same ".opvault" in a rather ouroborosesque operation, which populates the vault with the latest data as synced from macOS, and leaves the vault set up to sync back to the same ".opvault" folder. Any change made in Windows will therefore be synced to the folder, and should show up automatically in macOS and vice-versa. Unfortunately, no changes appear in either direction. If I try to reimport from the same ".opvault," duplicates of any previously existing item are added to the vault, rather than just new items or changes to existing items.

What am I doing wrong?


1Password Version: macOS 7.2.5 / Windows 7.3.657
Extension Version: Google Chrome 4.7.3.90
OS Version: macOS Sierra 10.12.6 (16G1815) / Windows 10 V. 1803 (17134.619)
Sync Type: Folder

Comments

  • Lars
    1Password Alumni

    Welcome to the forum, @JediJoker! Thanks for being a 1Password user and for thinking proactively about your security. :) And, first things first; bonus points for using ouroborosesque in a sentence. ;)

    > I balk at the idea of someone only needing to brute force one password to gain access to all of my passwords, versus needing to first hack into one of my devices. It's an extra layer of protection I do not intend to relinquish.

    In that case, I have good news for you; relinquishing this won't be necessary. I don't know how much you've looked into 1password.com memberships, but while the standalone 1Password you're using (and familiar with) uses your Master Password to encrypt your data, 1password.com memberships add a second layer of security using what we call 2SKD (2-Secret Key Derivation) using something called the Secret Key. The full details can be read in our 1password.com security white paper, but the general gist is that the Secret Key is randomly-generated on your device when the account is created, and never transmitted to us. Because all encryption and decryption of your 1Password data is done locally on your own device(s), that means that in addition to your long, strong, carefully chosen Master Password, you also have the Secret Key (equivalent to 128 bits of additional entropy) protecting your data on our servers. The Secret Key was designed specifically to protect you if WE get hacked. Since the Secret Key never leaves your device(s), anyone managing to bypass all the security we deploy on the 1password.com servers and grab your encrypted data file would need to not only brute-force your Master Password, but ALSO the Secret Key...which they'd have to obtain from directly hacking one of your devices...IF they could determine which blob of encrypted data belonged to you. In short, we've got your back on that one. :)

    If I were you, I'd strongly consider moving to a 1password.com account if you're using multiple devices, as it just makes the syncing issues you're experiencing a non-issue/thing of the past, since the specific security issue you mentioned is already addressed with the Secret Key. This isn't a "sales" pitch -- I'm tech support, not sales -- it's simply being straightforward with you about which method is going to be as secure as what you're currently doing or even more secure...and which is going to have a much greater possibility of being (in technical language) "a bag of hurt."

    The possibilities for problems are so substantial with Folder Sync, in fact, that we specifically state in our support page on setting up Folder Sync that

    If you're resolved to try it the way you have been, what I'd recommend is not using the Windows boot drive specifically, as there will be (as you've observed) issues with the partition not being mounted (or otherwise inaccessible). If both these partitions are on the same physical device, then I'd recommend using a shared folder that both partitions can access to locate the OPVault -- and even then, make sure that both partitions are not booted simultaneously, to avoid simultaneous-sync conflicts. But I'm not at all confident that's a "will definitely work" solution for you, since too many other factors come into play. Hope the above is helpful. :)
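
A simplified sketch of the two-secret idea Lars describes above, added here as an example; it is not 1Password's code and not part of the original post. The PBKDF2/HKDF/XOR construction, the iteration count, and all names and sample values are assumptions for illustration.

```python
import hashlib
import hmac
import secrets

PBKDF2_ITERATIONS = 100_000  # assumed value for the demo
KEY_LEN = 32                 # bytes


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = KEY_LEN) -> bytes:
    """Minimal HKDF (RFC 5869) extract-then-expand with HMAC-SHA256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_unlock_key(master_password: str, secret_key: bytes,
                      salt: bytes, account_id: bytes) -> bytes:
    """Combine a stretched password with a device-held random secret."""
    # Slow stretch of the human-chosen secret.
    from_password = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, PBKDF2_ITERATIONS, KEY_LEN)
    # Expansion of the high-entropy secret that never leaves the device.
    from_secret = hkdf_sha256(secret_key, salt=account_id, info=b"2skd-demo")
    # XOR: the output is only reproducible when both inputs are known.
    return bytes(a ^ b for a, b in zip(from_password, from_secret))


def demo() -> dict:
    # Constructed sample values, not real credentials.
    salt, account_id = bytes(16), b"ACCT-EXAMPLE"
    password = "correct horse battery"
    secret_key = secrets.token_bytes(16)  # 128 bits, generated on the device
    real = derive_unlock_key(password, secret_key, salt, account_id)
    again = derive_unlock_key(password, secret_key, salt, account_id)
    # Server-side view: salt and account id are known, the Secret Key is not,
    # so even a correct password guess yields a different key.
    no_secret = derive_unlock_key(password, bytes(16), salt, account_id)
    return {"same_inputs_match": hmac.compare_digest(real, again),
            "password_alone_matches": hmac.compare_digest(real, no_secret)}


if __name__ == "__main__":
    print(demo())
```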

  • JediJoker
    Community Member

    Eh... Secret Key or no, I'm just not comfortable having all my passwords stored in one place in the cloud. It's also another subscription I'd rather avoid.

    I'm having no issues with the boot drive "not being mounted." It's always mounted in Windows, and when it is mounted in macOS, 1Password is successfully writing to it. (I'm not sure how to confirm that 1Password Windows is successfully syncing; it's not as obvious in the app.) The issue is that the synced changes are not being read back into 1Password automatically in either OS. It is supposed to work as such, yes?

  • Lars
    1Password Alumni

    @JediJoker - in theory, yes. But since this is a separate boot partition, there may be permissions issues, or other issues that can crop up which might be causing or contributing to this.

    > I'm just not comfortable having all my passwords stored in one place in the cloud.

    You wouldn't. Only ciphertext, unreadable by human or machine without both your Master Password and your Secret Key, both of which never leave your own device(s).

This discussion has been closed.