Switching to OPVault from Agile Keychain

Dale Myers wrote a post about a potential insecurity in 1Password’s data format. The team at 1Password wrote a great response that discusses the design decisions that Dale was critical of.

The bottom line is that, in their older .agilekeychain data format, the metadata for your passwords — titles and URLs — is not encrypted. Anyone who can read the synced folder (say, through a compromised Dropbox account) can therefore see which sites you have accounts on without knowing your Master Password, even though the passwords themselves stay encrypted. This data format was designed in the era of the iPhone 3G, when iOS devices had a lot less processing power, and leaving the metadata in the clear was viewed as a necessary trade-off for mobile devices.

1Password’s post points out that many vaults created since 2012 already use their newer .OPVault data format, which encrypts all of the metadata. Dropbox sync, however, has kept using the old format by default, so because I sync via Dropbox my vault is still an .agilekeychain.

Migrating to OPVault

The documentation for 1Password is great, and migrating to the .OPVault format is well explained. For the time being, I’m still keeping my vault synced via Dropbox, though I may eventually migrate to iCloud.

The process was:

  1. Backup your data.
  2. Quit 1Password.
  3. Change the default vault format with this command in Terminal (Mac App Store build): defaults write 2BUA8C4S2C.com.agilebits.onepassword-osx-helper useOPVaultFormatByDefault true [1]
  4. Disable the sync via Dropbox (this deletes the existing .agilekeychain data from the Dropbox folder, which is why step 1 matters).
  5. Reenable sync via Dropbox (this creates the data in the new .OPVault format). [2]
  6. Disable and reenable syncing on all other devices.

This last step was actually the most complicated. On iOS, I disabled sync (Settings -> Sync -> Sync Service -> Disable Sync), wiped out the local data cache (Settings -> Advanced -> Erase Data and Settings), and then turned sync back on. My data repopulated very quickly — I believe speed is one of the benefits of the new format. I’m not sure if the wiping step was necessary, but I was more comfortable syncing one-way than relying on a proper merge of the data.

On my laptop I used the same process. Wiping the local data on a Mac is a lot more involved, but I couldn’t find another way to get the local copy to sync cleanly with the Dropbox data.
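As an added example (not from the original post or from AgileBits), here is a small POSIX shell script covering the parts of the procedure above that can be scripted and checked: step 1 (the backup), step 3 (the defaults write, which only runs on macOS), and a check that shows why the migration matters in the first place: the old format's index file gives up item titles and URLs to a plain grep, with no Master Password involved, while the new format does not. The directory layouts it looks for (data/default/contents.js in an Agile Keychain; default/profile.js and default/band_*.js in an OPVault) are my understanding of the two formats, and the vaults the script creates are constructed so it runs offline; the base64-looking strings in the band file are stand-ins for ciphertext, not real 1Password data.

```shell
#!/bin/sh
# Added example, not code from the original post or from AgileBits.
# Assumed on-disk layouts (my understanding of the two formats):
#   <vault>.agilekeychain/data/default/contents.js   unencrypted item index
#   <vault>.opvault/default/profile.js, band_*.js     encrypted item records
set -eu

# Classify a vault directory by the files it contains.
vault_format() {
  if [ -f "$1/data/default/contents.js" ]; then
    echo agilekeychain
  elif [ -f "$1/default/profile.js" ]; then
    echo opvault
  else
    echo unknown
  fi
}

# Step 1: timestamped tarball of the vault, kept outside the Dropbox folder.
# Prints the path of the archive it wrote.
backup_vault() {
  mkdir -p "$2"
  dest="$2/$(basename "$1")-$(date +%Y%m%d%H%M%S).tar.gz"
  tar -czf "$dest" -C "$(dirname "$1")" "$(basename "$1")"
  echo "$dest"
}

# Step 3 (Mac App Store build): make new vaults OPVault by default.
# Skips where the macOS defaults tool is absent; the direct-purchase build
# uses a different domain (see the AgileBits support page).
set_opvault_default() {
  command -v defaults >/dev/null 2>&1 || { echo "defaults(1) not found, skipping" >&2; return 0; }
  defaults write 2BUA8C4S2C.com.agilebits.onepassword-osx-helper useOPVaultFormatByDefault true
}

# How many times a string such as an item title occurs in plaintext anywhere
# under the vault directory. No Master Password is involved, which is exactly
# the problem with the old format.
plaintext_hits() {
  grep -rFc "$2" "$1" 2>/dev/null | awk -F: '{ s += $NF } END { print s + 0 }'
}

# Constructed demo vaults so the script runs offline. The record contents are
# made up; the base64-looking strings in the OPVault band file are stand-ins
# for ciphertext, not real 1Password data.
make_demo_vaults() {
  ak="$1/1Password.agilekeychain"
  mkdir -p "$ak/data/default"
  cat > "$ak/data/default/contents.js" <<'EOF'
[["A1B2C3D4","webforms.WebForm","Bank login","bank.example.com","",0,"N"]]
EOF
  op="$1/1Password.opvault"
  mkdir -p "$op/default"
  cat > "$op/default/profile.js" <<'EOF'
var profile={"uuid":"F00DFACE","lastUpdatedBy":"Dropbox"};
EOF
  cat > "$op/default/band_0.js" <<'EOF'
ld({"A1B2C3D4":{"uuid":"A1B2C3D4","o":"b3BkYXRhMDFvdmVydmlldw==","k":"b3BkYXRhMDFrZXlz","d":"b3BkYXRhMDFkZXRhaWxz"}});
EOF
}

# Build both demo vaults in a temp dir and report what grep can see in each.
run_demo() {
  tmp=$(mktemp -d)
  make_demo_vaults "$tmp"
  for v in "$tmp"/1Password.*; do
    printf '%s: %s, "Bank login" readable %s time(s) without the Master Password\n' \
      "$(basename "$v")" "$(vault_format "$v")" "$(plaintext_hits "$v" "Bank login")"
  done
  rm -rf "$tmp"
}

run_demo
```

Point it at a real vault with vault_format and plaintext_hits (using a title you know is in the vault) before and after the migration; the count should drop to zero once the Dropbox folder holds an .OPVault. Run backup_vault with a destination outside Dropbox, since step 4 deletes the synced copy.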

The End of 1PasswordAnywhere

The benefit of this hassle is additional security. Now, all of the metadata in my vault is encrypted.

The downside is that the handy 1PasswordAnywhere tool does not work with the new .OPVault format — this looks like the end of the road for it. AgileBits describes 1PasswordAnywhere as:

1PasswordAnywhere is a local, web browser-based interface for your vault. It was built into our Agile Keychain format years ago, and hasn’t seen many updates in recent years. These days, it has been mostly replaced by platform-native versions of 1Password.

The benefit of this was that, armed with my Dropbox password and my 1Password Master Password, someone could view my login information without having the native application. This was a key enabler of the original 1Password Emergency Kit. The newer version 3 has dropped any references to 1PasswordAnywhere, in keeping with the times.

Initially, the loss of this functionality seemed like a major step backwards. In reality, I doubt anyone with a copy of my emergency kit would have made use of 1PasswordAnywhere, anyway. My wife has a copy of 1Password on her laptop, so she would be able to access the data regardless. At this point, I’m taking the added security of .OPVault over the inconvenience of losing 1PasswordAnywhere.

  [1] The command is slightly different if you’re using the direct purchase version of 1Password, so refer to their support documentation.

  [2] As a side benefit, I finally moved the 1Password folder into ~/Dropbox/Apps/, so it’s no longer cluttering up my root folder.