Skip to main content
Maldroid
February 28, 2024
Question

Encrypted at rest when locked?

  • February 28, 2024
  • 2 replies
  • 152 views

When the 1Password vault, extension, or app is locked on Windows and Android platforms, is the data encrypted at reset? This implies that there are no feasible physical or hardware-based attacks capable of extracting the encryption key.


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Browser: Not Provided

2 replies

1P_Dave
1Password Employee
February 28, 2024

Hello @maldroid! 👋

That's a great question! When 1Password is locked on your devices, your data is encrypted at rest and requires your account password to decrypt your data and unlock 1Password. If you use biometric unlock then the secret used to decrypt your data is stored in the Trusted Platform Module (TPM) and can only be accessed by you.

As soon as 1Password is locked, whether by restarting your device or having auto-lock get triggered, all vault data is encrypted until you unlock 1Password again.

This implies that there are no feasible physical or hardware-based attacks capable of extracting the encryption key.

Can you clarify a little more about the specific sort of attack that you're referring to? I would be happy to go into greater detail once I learn more.

In the meantime, you can learn more about our security design by taking a look at our white paper: https://1passwordstatic.com/files/security/1password-white-paper.pdf

-Dave

Maldroid
MaldroidAuthor
February 28, 2024

I didn't have a particular attack in mind. My main concern was to ensure that someone with physical access couldn't launch an attack that would compromise the encryption key for the vault. Given that the vault is encrypted at rest while locked, such an attack should be infeasible.

I've heard about "vulnerabilities" in BitLocker and other full-disk encryption systems, like malicious reset attacks or Direct Memory Access (DMA) attacks. This can be mitigated with preboot authentication but this is way off topic.