About the security of detailed vault reporting

Learn about the security of the detailed vault reporting policy with 1Password Extended Access Management.

Detailed vault reporting gives administrators better visibility into shadow IT, security alerts, and the recovery process. 1Password designed vault reporting in a way that preserves the cryptographic integrity of vault information.

Technical design

If you’re signed in to 1Password and detailed vault reporting is turned on, the 1Password clients automatically generate snapshots that contain limited information. 1Password encrypts the snapshots with a vault reporting-specific cryptographic key and uploads them to the 1Password server. Only administrators with access to the vault reporting keyset’s private key can download and decrypt the snapshots.

Snapshots include vault and item identifiers, creation time, version, a subset of the item’s overview (name, username, and the hostname portion of URLs), and any active Watchtower alerts. Your passwords, notes, and other secrets are not included.

Security model

Apart from the timestamp, item version, and vault and item identifiers, which are left in the clear, snapshot information is encrypted with a ChaCha20-Poly1305 key and then HPKE-encrypted to the vault reporting keyset’s X25519 public key. An administrator’s access to the corresponding private key is protected by the same chain of keys that protects all your 1Password data. As a result, the 1Password servers never see or hold a key that can decrypt the snapshots or their contents; they store only the clear identifiers and opaque ciphertext.

Risk considerations

1Password helps minimize the risk of team members storing personal information in their Employee vaults, both through in-app communication and by limiting the information included in vault reports. Keep in mind that an item’s name, username, and URL hostname do appear in snapshots, so a personal item stored in an Employee vault is visible to administrators at that level of detail even though its password, notes, and other secrets are not. You can take steps to communicate that your team’s 1Password account should not be used to store personal information.
