What is OPVault?
A word about names
“OPVault” can refer both to the data security design used in 1Password and it to a particular file format typically with the filename extension .opvault. The OPVault security design is not limited to the OPVault file format. Indeed, we use the OPVault design within SQLite data records and CloudKit records.
It should be clear from context when we are referring specifically to the OPVault file format or more generally.
Design goals and features
It is difficult to design something well if you do not know what you want it to achieve, so perhaps the best way to provide an overview of OPVault is to describe what we require of it.
Security and convenience
We do not believe that there must always be a trade-off between security and convenience. Instead, we aim to make it easier and more convenient for people to behave securely than insecurely.
Achieving this is not merely a matter of having a friendly interface; instead it must be built into the security design of the data. (For example, if you investigate the OPVault design details you will find separate overview keys per vault, or design features that help make sync conflict resolution easier.)
Well-trusted cryptographic functions and libraries
Cryptography is a remarkably easy thing to do incorrectly, and so we avoid developing our own cryptographic constructions and protocols as much as possible. In our choice of cryptographic libraries and routines, we tend to be conservative. Indeed, the only cryptographic primitives used within OPVault are AES and SHA-2, which in turn are used within well-established constructions. (SHA-1 was used within the Agile Keychain format.)
All encryption is local
1Password is fully end-to-end encrypted. All encryption and decryption is performed on your computer and devices with keys that are derived from your vault password.
Decrypted data is never written or transmitted
Unless you explicitly export or send your 1Password data, it is never transmitted or written unencrypted.
Privacy is built into our data design
1Password is built with privacy by design so that we have no information about your data or how you use it. With this design, we work to deny ourselves even the option to violate your privacy.
We are open about our data design
Our openness about the OPVault data design may be your single most important reason to have confidence in its design. We continue to encourage public and expert scrutiny of it.
Data integrity checks
The OPVault format is tamper resistant. A Message Authentication Code or MAC derived from your vault password is used to check that your data hasn’t been modified, either by accident or maliciously. This defends against what are called Chosen Ciphertext Attacks (CCA) and also against other mischief that can be done through tampering with your data.
For those who love details, all encryption is now authenticated encryption using an Encrypt-then-MAC construction with HMAC-SHA256. Most associated data is also subject to integrity checks using HMAC-SHA256.
Protecting your data against password cracking
Even if your OPVault data is captured, we use PBKDF2 to slow down automated password guessing systems. Indeed, 1Password was among the first password managers to use PBKDF2 to defend against automated guessing, and we have continued to use and fine tune it.
OPVault is even more cracker resistant than the Agile Keychain. Our switch to using SHA512 within PBKDF2 thwarts many GPU-based password cracking optimizations.
Separation of overview data
Sometimes it is useful for 1Password to only have “overview data” decrypted and in memory. In OPVault a separate set of encryption keys are kept for this overview data. This gives us the same listing and searching flexibility of the Agile Keychain, ensuring that overview data (such as item title or URL) remain encrypted within OPVault.
So with OPVault we are able to provide the secrecy you expect while still maintaining the ability to list and search your data for matching items before decrypting the full item.
256-bit encryption keys
OPVault marks the completion of our move from 128-bit AES keys to 256-bit keys.
128-bit symmetrical keys remain more than sufficient for security against brute force attacks against the key, but as the machines we use are able to perform AES encryption extremely efficiently, there is now no longer any reason not to move to 256-bit keys.
We are aware that there are design problems with the AES key schedule for 256-bit keys and that progress is being made on exploiting those design problems to create related key attacks.
When applications are designed correctly, there should be no opportunity to use a related key attack; and so, these concerns about AES with 256-bit keys have no security implications for 1Password. All encryption keys are created using a cryptographically secure pseudorandom number generator.