op slowness and 1password.com vs .eu

spacehog
spacehog
Community Member

Hi,
I currently own a 1password.com family account.

I use heavily the op cli and 1passwordX under Linux. But op is pretty slow so I rely on a wrapper, 1pass which caches gpg encrypted 1password items locally.
I have installed the last version of op: 0.5.4

My question:
Will op response times get better if I move my 1password account from the USA server to the Europe server?

Thanks
Spacehog


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: ArchLinux
Sync Type: Not Provided

Comments

  • cohix
    cohix
    1Password Alumni

    @spacehog thanks for writing in.

    We are currently working on a round of improvements that should drastically improve the performance of op. Switching to the eu servers would not make much of a difference.

  • spacehog
    spacehog
    Community Member

    Great news!

    Thanks. 👍🏻

  • cohix
    cohix
    1Password Alumni

    Keep an eye out for the next version!

  • mickael
    mickael
    Community Member

    We are currently investigating 1Password as a replacement of LastPass. It seems to have everything but the performance of the CLI is currently a dealbreaker for us as we plan to use our vault integrated with our DevOps scripts. We need to grab hundreds of passwords efficiently by calling the CLI.

    Currently, the retrieval of a password takes around 4-5s, this is really huge. We need a tool that answer around 100ms.

    Any news or ETA on the next op release ? or is there a CLI beta we could test ?

    Thanks for your answers,

  • cohix
    cohix
    1Password Alumni

    @mickael how are you querying the items? Using op get item with a UUID should be very fast.

  • mickael
    mickael
    Community Member

    @cohix thanks for your quick answer, sadly this is how I query.

    Some benchmarks:

    op --version
    0.5.5
    
    time (for i in {1..20}; do time op get item xydqygltsk6evp6aircxygh3ka --session=... > /dev/null; done)
            4.13 real         1.37 user         1.86 sys
            3.79 real         1.35 user         1.81 sys
            4.50 real         1.38 user         1.89 sys
            4.03 real         1.37 user         1.85 sys
            3.93 real         1.38 user         1.88 sys
            4.14 real         1.37 user         1.86 sys
            3.95 real         1.37 user         1.88 sys
            3.97 real         1.45 user         2.07 sys
            4.41 real         1.40 user         1.93 sys
            3.91 real         1.39 user         1.95 sys
            3.78 real         1.38 user         1.92 sys
            4.20 real         1.40 user         1.90 sys
            4.28 real         1.35 user         1.87 sys
            3.85 real         1.36 user         1.87 sys
            3.84 real         1.35 user         1.83 sys
            4.45 real         1.37 user         1.90 sys
            4.10 real         1.40 user         1.96 sys
            4.00 real         1.41 user         1.97 sys
            3.98 real         1.36 user         1.87 sys
    [LOG] 2019/04/22 15:51:33 (ERROR) Get https://team-dkod.1password.eu/api/v1/account/keysets: net/http: TLS handshake timeout
           10.03 real         1.32 user         1.86 sys
    ( for i in {1..20}; do; time op get item xydqygltsk6evp6aircxygh3ka  > ; done)  27,65s user 38,11s system 75% cpu 1:27,44 total
    

    My computer is a MBP 2018 i9 2.9GHz 32Gb runnin Mojave 10.14.4

    Running the benchmarks have spotted the TLS handshake timeout also.

  • mickael
    mickael
    Community Member

    We intend to subscribe to Business plan, and have some other questions, maybe you could help as they are more or less all related to CLI:
    - is the CLI officially supported ?
    - is there a limit capacity of the system ? a limit where things starts to slow down drastically ?
    - is it possible to sync the vaults locally while still using the cloud base syncing ?
    - is it possible to write a custom cli that use the local storagefor query purposes ?
    - is there a documentation of the API and the encryption/decryption process ?

  • cohix
    cohix
    1Password Alumni

    @mickael I'd be happy to answer all of this here, but I strongly suggest you contact business@1password.com so that we can get you set up with someone from the business team, and then we can schedule a call to go over all of these things. I would be happy to be on that call so we can go through the details.

  • mickael
    mickael
    Community Member

    @cohix I understand I will forward this by email, but what do you think of the performance of my queries ?

    Could you share what it is "a very fast" query on your side ?

  • cohix
    cohix
    1Password Alumni

    @mickael we made some improvements in 0.5.5, but we will have additional improvements in the upcoming 0.6 (no exact timeline on that just yet), but I can share some timings on the upcoming changes:

    time op get item jjr2czjf4zztx4qbqonx7dkt3e
    [...]
    0.12s user 0.04s system 15% cpu 1.039 total
    

    So about a 3-4x speedup from what you're seeing.

  • mickael
    mickael
    Community Member

    @cohix thanks, that's a great performance gain, however four our usage that will be still insufficient. We need to get answers in around 100ms mainly due to our usage with Ansible.

    Our Ansible playbooks have hundred of secrets, each secrets is retrieven with a separate CLI request. So say you have 300 secrets in your playbook, your need to wait 5 minutes each time the playbook needs access to the credentials file, this could multiple times depending on how the ansible playbook is structured.

    That's why I have all that other questions.

    We tested Bitwarden also a few weeks ago. The official CLI was able to retrieve secrets in 0.85s that was still insufficient for our usage. So I wrote a simple python CLI focused on query secrets to match our expected performance results by etudying the opensource nodeJS CLI.

    I was simply wondering if something like this was eventually possible with 1Password.

  • cohix
    cohix
    1Password Alumni

    @mickael we will indeed continue to make performance gains wherever we can, but for now I can't promise that we'll get down to 100ms. We don't currently have any official tool that can query the local databases of the desktop apps, and we don't have any official tool to query AgileKeychain/OPVault files either. The CLI tool is still in beta, but we are actively working on it.

  • mickael
    mickael
    Community Member

    @cohix thanks a lot for your answers.

    1Password looks like a great product, if you success in making a great CLI that will make it the only Password Manager which provides sexy desktop/app UI, effective team sharing and effective usage in DevOps scripts.

    Keep the good job, I will follow performance gains upon releases.

  • cohix
    cohix
    1Password Alumni

    @mickael absolutely, and really appreciate the feedback. We know there's work to be done here, and there has been quite a lot of "maintainance" being done to move us towards the goal of a more performant, usable CLI.

  • mickael
    mickael
    Community Member

    @cohix Just to share with you, that I succeed in developing my local 1password query tool.

    Performance is good, I can grab results in around 0.13s.

    If you're curious, code is here: https://github.com/mickaelperrin/onepassword-local-search

    That may encourage you to implement a sync option with the cli and use it locally for querying ;)

  • cohix
    cohix
    1Password Alumni

    Well now that is very cool. I'll need to look over the code later to see what's going on.

  • mickael
    mickael
    Community Member

    Hey @cohix,

    Just to inform you that things are getting desperately worse :

    op get item UUID --account=XXX 1,91s user 2,56s system 17% cpu 25,233 total
    

    :( :'(

  • cohix
    cohix
    1Password Alumni

    @mickael how many items total are in the account? Have you tried adding the --vault flag as well?

  • mickael
    mickael
    Community Member
    edited May 2019

    @cohix My setup is composed of :

    • 2 accounts: team and personal
    • team account with: 537 items in 41 vaults (we create a separate vault for each customer)
    • a personal account with: 1422 entries and 5 vaults

    Indeed adding the --vault drastically increase the performance, this is good to know (15s -> 5s, according to this morning benchmarks)

  • cohix
    cohix
    1Password Alumni

    @mickael the instance above of 25s, was that on the personal account?

  • mickael
    mickael
    Community Member

    Honestly, I don't remember. I currently avoid doing "get" requests on the native op (that gets me crazy ;)), I switch to my op-local alternative.

    So I currently use op only to create new entries. The performance is around 4-5s. Not incredible, but as I create only a few entries per day, this is largely acceptable.

  • AGAlumB
    AGAlumB
    1Password Alumni

    I hear you. I suspect cohix can help track down the cause when he gets back. Thanks for your patience and willingness to work with us on this! :)

  • sarneeh
    sarneeh
    Community Member

    I've also noticed that op is extremely slow. What are your plans on improving this? I mean some specific date range, as "this is a high priority in our backlog" often ends up not being done at all :smiley:

  • AGAlumB
    AGAlumB
    1Password Alumni

    We do not offer any release windows for future updates, features, or improvements. That's just not practical or helpful, as anything I could potentially tell you is subject to change. Right now our focus is on the beta. :)

  • mickael
    mickael
    Community Member

    I update this post to warn users that the performance of the op cli (as àf 0.6.1) is directly imlpacted by the number of certificates you have in your keychain on mac os x.

    The performance of the op CLI decreased over the time due to the augmentation of the number of self signed certificates I used on my machine. I reach the point of 600 certificates and the performance of the op CLI was so bad that it started to timout on TLS handshake.

    I did a cleanup of all custom certificates and things started to fly and work as expected...

    Hope it helps future users.

This discussion has been closed.