How To Re-Encrypt Everything (Increasing Security)
I would like to know how to re-encrypt everything in my 1Password 4 vault.
The reason for this is that it appears that when the master password is changed, the encryption key for all of the secure data is not changed.
Imagine the following situation:
You have a friend who you trust, and you share your 1Password file with them, and you both know the master password.
Then, you part ways.
Then, you change your master password on your copy of the file.
Then, you start adding all sorts of new passwords to your file.
You can clearly see, beacuse the key has not changed, that even if the master password is new, if this friend got access to your file, he would be able to get all the new, fresh passwords that he isn't supposed to have.
Because of situations like this, I would like to know how to re-encrypt everything in my 1Password 4 vault with a completely new key. This should be a standard feature.
Thanks.
Comments
-
Hi @PackagedSpackle,
To re-encrypt your vault, you can export the entire vault in .1pif format, and import your data into a new vault. This will be a shiny new vault with a new password and new encryption keys. :)
You can clearly see, beacuse the key has not changed, that even if the master password is new, if this friend got access to your file, he would be able to get all the new, fresh passwords that he isn't supposed to have.
I'm going to ask our security guru, @jpgoldberg, to chime in on the last bit, I don't yet have the expertise to discuss the ins-and-outs of encryption like he does.
0 -
@PackagedSpackle Here's a little bit to add about the encryption keys (previously said by @jpgoldberg):
Your Master Password is used to encrypt an encryption key, which in turn is used to encrypt everything else. When you change your master password, you don't get a new encryption key, you just encrypt your encryption key differently (with the new master password). So if someone has or can get an old copy of the file that contains your encrypted encryption key, then your old master password could be used, in principle, to not only unlock the old data, but also newer things.
0 -
What if the vault that had the data to be re-encrypted is the primary vault? How do you delete the primary vault after exporting the data to the pif file and then making a new vault with the pif file data?
0 -
Hi, @PackagedSpackle.
The full post (#4) from @jpgoldberg that @JasperP partly quoted from is: here.
You seem to be security conscious having brought up this issue so I thought you might find his post, and others in that topic, interesting and informative. :)
0 -
Ok, thank you everyone. This is helpful.
So, this certainly seems to be the case, then:
- My original concept was correct. If someone has access to a version of your vault where they can unlock it with a given master password, then they will be able to access all future versions of that vault, even if you change the password.
I am also confirming back this concept from above:
To re-encrypt your vault, you can export the entire vault in .1pif format, and import your data into a new vault. This will be a shiny new vault with a new password and new encryption keys.
I also share duelist77's question though:
What if the vault that had the data to be re-encrypted is the primary vault? How do you delete the primary vault after exporting the data to the pif file and then making a new vault with the pif file data?
I am particularly curious to hear step by step how to do this, especially if you have the same vault synced in multiple devices on iCloud.
What is the best set of steps? It must look something like this:
- Export data to 1pif.
- Delete the current vault from all devices somehow.
- Create new vault, and get it syncing on all devices.
- Import 1pif.
It's #2 and #3 that are the most unclear to me at this moment.
Thanks.
0 -
Hi @duelist77 and @PackagedSpackle,
At this point in time, re-encrypting a primary vault in this manner is possible, but it would involve re-installing 1Password and starting fresh with all vaults. So it's probably a much simpler practice to create secondary vaults if you need to share information with a friend, colleague or family member. :)
0
