Forum Discussion
ivolvo (New Contributor), 3 months ago
How does the recovery of a private vault in the Family account work?
I’m trying to wrap my head around how private vault recovery works when someone forgets their Master Password. From what I understand, the Master Password plus the Secret Key are used to lock and unlock the keys that actually protect all the vault data. The client device generates the Master Unlock Key each time a user accesses 1Password by providing the Master Password, which is combined with the Secret Key. The asymmetric keys are kept securely encrypted on the server, right?
If the Master Password is lost, the user can’t generate the Master Unlock Key to obtain keys, so they can’t get into their private vault. At that point, the account organizer can start the recovery process.
What I don’t get is: what additional piece of information does the organizer and/or the server have that makes it possible to get back the keys needed to decrypt the vault?
I realize that the recovery process also involves extra safeguards, such as a secure email, which should keep outsiders locked out even if they somehow got the Secret Key. But if some piece of recovery data really is stored on the servers, what’s stopping a malicious insider from bypassing the email step and taking over the vault?
Could you point to documentation that explains this?
Thank you!
8 Replies
- 1P_Dave (Moderator)
- ivolvo (New Contributor)
Dave,
It was quite refreshing to read such a well-written document, which clearly explains security design goals and means to achieve them. It instills higher confidence when you understand what to do and how to make it more secure from my personal point of view.
I believe I have a pretty good understanding of the recovery process. I understand the underlying risks associated with the recovery, and they seem reasonable.
Tell me if my statements are correct:
- The server maintains the vault key in question encrypted with the recovery group public key. As such, the server could do nothing with it.
- The owner of the recovery group's public key can recover the vault key, but they have no access to the vault content and can’t take advantage of it. Besides, they would get this key only if there is the owner’s request to do so.
- (Not sure) After the recovery, the vault content will be re-encrypted with a new key, so the possession of the old one is useless after that.
- New Account password and Master Key will be used after recovery, so effectively the encrypted vault content is fresh and is free of the previous hacking attempts, if they took place
Now, what I don’t quite understand (I use the same names as in the documentation example: Bob, Carol, server):
- (Major, Line 3-4 of the recovery process) How could the owner send a request after they lost a password? Is there a section that I missed that explains this part?
Carol could ask for the recovery outside the system, but how is it done within? The documentation also states that Carol starts by creating a new vault. How could she do it? Is their password replaced through the “Forget password” mechanism? That’s not clear.
- (Minor, Line 8 of the recovery process) Why does the server need to send Carol her public key just generated during the recovery process? I think it was meant to be: Bob who receives Carol’s new public key in order to create her wrapped vault key, right?
- Within the system, all interactions happen between Bob/Server and Server/Carol, never directly between Bob and Carol
Thanks!
- 1P_Dave (Moderator)
Thanks for the reply. I'm glad that you found the white paper helpful. As the white paper says: "When a vault is created, a copy of the vault key is encrypted with the public key of the recovery group. The members of the can decrypt the private key of the recovery group." Even if our servers were compromised, the vault keys are still encrypted: "Most importantly, at no time was the server capable of decrypting anyone’s data or keys."
- (Not sure) After the recovery, the vault content will be re-encrypted with a new key, so the possession of the old one is useless after that.
The vault content itself isn't re-encrypted. Instead the recovered user's personal key set will be re-created: "And from her new Secret Key and potentially new account password, her client will generate a new with which it will encrypt her new personal key set." The recovered user's new public key is used to re-encrypt the vault key that is sent to them by the member of the recovery group who is performing the recovery.
I'll answer your specific questions below based on our white paper:
- (Major, Line 3-4 of the recovery process) How could the owner send a request after they lost a password? Is there a section that I missed that explains this part?
Carol could ask for the recovery outside the system, but how is it done within? The documentation also states that Carol starts by creating a new vault. How could she do it? Is their password replaced through the “Forget password” mechanism? That’s not clear
If someone loses access to their 1Password account then they'll need to reach out to a member of the recovery group. Usually in organizations this is done by creating an IT ticket or sending an email to the appropriate person. The recovery group member would then initiate recovery from their end and the person being recovered receives an email with instructions on how to begin the process.
You can find our support article on what this process looks like here: Recover accounts for family or team members
The references to vault creation on page 36 are just part of a general description of how someone might use 1Password. It's not something that someone would do as part of the recovery process.
- (Minor, Line 8 of the recovery process) Why does the server need to send Carol her public key just generated during the recovery process? I think it was meant to be: Bob who receives Carol’s new public key in order to create her wrapped vault key, right?
I'm sorry that this line isn't as clear as it should be. You're correct, it refers to the server sending Bob, the member of the recovery group, the public key of the person being recovered. Bob then decrypts the vault key using the recovery group's private key and re-encrypts it using Carol's public key. Then this new re-wrapped key is sent to Carol.
- Within the system, all interactions happen between Bob/Server and Server/Carol, never directly between Bob and Carol
That's correct, recovery traffic is mediated by the 1Password server.
Let me know if you have any other questions.
-Dave
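To make the flow Dave describes concrete (vault key wrapped to the recovery group at creation; Bob unwrapping it with the group's private key and re-wrapping it to Carol's new public key; the server only relaying), here is an added toy model. It is my own illustration, not 1Password's code and not taken from the white paper: RSA-OAEP stands in for the product's public-key scheme and AES-256-GCM for its vault encryption (both assumptions), the vault item is constructed, and Carol's own lost copy of the vault key is deliberately left out of the model. It also covers the insider question from the opening post: a party holding only what the server stores plus some unrelated private key cannot unwrap the stored copy.

```go
package main

// Added example, not 1Password's own code. RSA-OAEP and AES-256-GCM are
// stand-ins (assumptions) for the product's real primitives. The server holds
// only ciphertext and wrapped keys; Bob (recovery group member) unwraps the
// vault key with the group's private key and re-wraps it to Carol's new public
// key; the server relays that blob without being able to read it.

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// SampleItem is a constructed vault entry used as the plaintext.
const SampleItem = "constructed item: login for example.test"

// Server models what the 1Password server stores for one vault.
type Server struct {
	VaultKeyForGroup  []byte // vault key wrapped to the recovery group's public key
	Nonce, Ciphertext []byte
}

// wrapKey / unwrapKey: public-key encryption of a symmetric key (RSA-OAEP here).
func wrapKey(pub *rsa.PublicKey, key []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
}

func unwrapKey(priv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// setupVault is Carol creating a vault: a random vault key seals the content and
// a copy of that key is wrapped to the recovery group. Carol's own copy, wrapped
// to her personal key set, is not modelled: it is what she loses with her password.
func setupVault(groupPub *rsa.PublicKey) (Server, error) {
	vaultKey := make([]byte, 32)
	if _, err := rand.Read(vaultKey); err != nil { return Server{}, err }
	gcm, err := newGCM(vaultKey)
	if err != nil { return Server{}, err }
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return Server{}, err }
	wrapped, err := wrapKey(groupPub, vaultKey)
	if err != nil { return Server{}, err }
	ct := gcm.Seal(nil, nonce, []byte(SampleItem), nil)
	return Server{VaultKeyForGroup: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// RecoverVault runs the recovery end to end and returns what Carol reads afterwards.
func RecoverVault() (string, error) {
	group, err := rsa.GenerateKey(rand.Reader, 2048) // private half held only by members such as Bob
	if err != nil { return "", err }
	server, err := setupVault(&group.PublicKey)
	if err != nil { return "", err }
	// Carol, locked out, generates a fresh key set; the server forwards its public key to Bob.
	carolNew, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil { return "", err }
	// Bob: unwrap with the group's private key, re-wrap to Carol's new public key.
	vk, err := unwrapKey(group, server.VaultKeyForGroup)
	if err != nil { return "", err }
	forCarol, err := wrapKey(&carolNew.PublicKey, vk)
	if err != nil { return "", err }
	// The server relays forCarol (opaque to it); Carol unwraps and opens the vault.
	recovered, err := unwrapKey(carolNew, forCarol)
	if err != nil { return "", err }
	gcm, err := newGCM(recovered)
	if err != nil { return "", err }
	plaintext, err := gcm.Open(nil, server.Nonce, server.Ciphertext, nil)
	return string(plaintext), err
}

// InsiderCannotUnwrap: without the recovery group's private key, the stored
// wrapped copy is useless. True when an unrelated private key fails to unwrap it.
func InsiderCannotUnwrap() bool {
	group, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil { return false }
	server, err := setupVault(&group.PublicKey)
	if err != nil { return false }
	other, err := rsa.GenerateKey(rand.Reader, 2048) // any key the server might hold that is not the group's
	if err != nil { return false }
	_, err = unwrapKey(other, server.VaultKeyForGroup)
	return err != nil
}

func main() {
	item, err := RecoverVault()
	fmt.Println(item, err, InsiderCannotUnwrap())
}
```

What the model leaves out matters as much as what it shows: in the real product the recovery group's private key is itself encrypted to each member's key set, and the secure-email step gates who gets to be "Carol" with a fresh key set. The crypto only guarantees that the server cannot read the vault; deciding who is allowed to start a recovery is an identity-verification question, which is why that step exists.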
- ivolvo (New Contributor)
Thank you! An excellent review, trying to get thorough details. If any questions arise, I will follow up.
- ivolvo (New Contributor)
No takers to explain this part? I hope it is not secret information.
- ivolvo (New Contributor)
... and creates a new Master password. I understand this part. What happens after recovery is clear. Before recovery, a user doesn't have the keys to decrypt the vault content.
What I asked: what additional information does the process use to recover keys that decrypt the vault content?
- NCJayG (Frequent Contributor)
The recovery process resets the account secret key. The assumption would be that you have verified the user needing to be recovered, which I suspect is a non-issue for Family accounts. This resource should answer things: Recover accounts for family or team members | 1Password Support.