Encryption is great. By magic (well, by math) it converts data from a useful form to complete gibberish that can only be turned back into useful data with secret number called a key.
I happen to think that the term “key” that we use for encryption and decryption keys is a poor metaphor, as it suggests unlocking a door or a box. Cryptographic keys are more like special magic wands that are essential to the process of transforming data from its useful (decrypted) form to gibberish and back again. Since we’ve seen fit to disguise this magic wand as a simple “key,” I will continue to use “key” for simplicity’s sake.
Encryption is very powerful magic, and when done properly it is so close to being unbreakable that we might even get away with claiming it is. Of course, anyone who has a copy of the key doesn’t need to break it; they can just use their copies of the keys to decrypt your data.
This is why we have designed 1Password so that we never have the keys needed to decrypt your data. You are the master of your own keys. You are your own key master.
I should point out that even if you trusted us to not misuse your keys (if we had them) they could still be stolen from us (if we had them). If everyone’s keys were all in one place that would also make a very attractive target — yet another reason we don’t want them. We cannot use, lose, or abuse information that we don’t have. It’s not like we are planning on having data stolen from us. But we do plan for the possibility. Not having your keys is an essential part of that planning.
Now if someone were to store encrypted data in the same place that they store the keys to decrypt it, they may as well not encrypt it in the first place. I do not know what happened to OneLogin (absolutely no relation to us), but they did release a notice to their customers saying that their customer data was compromised “including the ability to decrypt encrypted data.” That certainly suggests that they held both the keys to the data and the encrypted data itself.
It really doesn’t matter how strong your encryption is if the keys can be stolen along with the data. This is why we have been very careful to design 1Password so that we never, ever have the keys to decrypt your secrets. Even if we are breached, your data remains secure because you (and only you) have the keys to decrypt it — we don’t.
Key management is hard
Key management is hard. And it is hard to talk about. I would love to talk about it here, but frankly it is what the bulk of our technical documentation (PDF) discusses, and I cannot do it justice without turning this post into a treatise.
Instead, I will summarize (with many shortcuts and omissions) how 1Password manages the keys to unlock your data in a manner that keeps your data secure:
- Your encryption keys are generated only on your devices.
- They are generated using a cryptographically secure generator.
- Those keys, in turn, are encrypted with other keys that are generated on your device the the same way.
- The key that encrypts the keys that encrypt the keys that encrypt your data are derived from secrets that we never have access to: Your Master Password and your Secret Key (formerly known as Account Key).
- We’ve made sure that you don’t pass us secrets from which your keys could be learned when you sign in to your 1Password Account.
- We’ve designed things so that it is impossible to make guesses at the secrets your keys are derived from using the data that we do store.
I could write at great length about each and every one of these, but I should probably finish this article this year, and much of this is in our security white paper.
Where the strength lies
It is frustrating and hard for the consumer to judge the security of a product or system as they choose one. Everyone touts the same buzzword compliance, yet there can be substantial differences in security design that are not reflected by that jargon.
Very strong cryptographic tools are (fortunately) available to almost every developer, but using those tools doesn’t automatically make a system secure. Let me offer an analogy in which I confess to being a terrible cook.
If I were tasked with producing a high quality cooked meal and were given the freedom to pick the very best ingredients, the results would not live up to the quality of ingredients. The failure wouldn’t be that I choose incorrectly between Himalayan rock salt or Oshima Island sea salt. The disappointing meal I would prepare would be because I used far too much salt on the spinach which I boiled for 10 minutes. Using the right ingredients is the starting point, but preparing something with them to be proud of takes much more work and skill.
Handling keys in a way that ensures that only the owner of the data has the power to decrypt it (or share it) is just one of the many things that needs to be done right to make a system secure, just like adding proper amounts of salt at the proper time while preparing food is just one of the many things that a cook needs to master in order to prepare a five-star meal.
There is an important way in which my analogy fails. It does not take an expert cook to judge the quality (or lack) of a meal I prepare. I could advertise honestly the use of the very best ingredients, but the proof would literally be in the pudding (and the starter, and the main course …). But the practical security of a system is not so transparent to non-experts (or even to experts if they are not given a peek into the kitchen). This, as I lamented, puts the consumer in a very difficult situation.
Our hope, however, is that our openness about our security design, processes, and decisions allows the curious to peek into the kitchen and make an informed decision. We are happy to go to great lengths to ensure the security of 1Password even if those results aren’t immediately visible to the typical user. We do that because it is the right thing to do. (And we enjoy the challenge.)
This last point – naturally enough – leads directly to …
The marketing pitch
If you know someone (possibly even yourself) who has been using something other than 1Password, then we have a great offer for those ready to make the switch to 1Password. Not all security tools are created equal, and we suggest that you see what the security community recommends and what people love. (Yes, 1Password is a security tool that people love using.)
And, of course, you don’t have to be a switcher to start using 1Password. Just start using 1Password.