6 How vaults are shared securely

Sharing items among members of the same 1Password account happens at the vault level. This allows those members to share and mutually maintain sets of items. Through the magic of public key encryption, this happens without the 1Password service (or us, its operators) ever having the keys or secrets necessary to decrypt shared data.

As described in “How vault items are secured,” each user has a personal key set that includes a public/private key pair, and each vault has its own key used to encrypt the items within that vault. At the simplest level, to share the items in a vault, one merely needs to encrypt the items with the public key of the recipient.

Story 6: A day in the life of a shared vault

Alice is running a small company and would like to share the office Wi-Fi password and the keypad code for the front door with the entire team. Alice will create the items in the Everyone vault, using the 1Password client on her device. These items will be encrypted with the vault key. When Alice adds Bob to the Everyone vault, Alice’s 1Password client will encrypt a copy of the vault key with Bob’s public key.

Bob will be notified that he has access to a new vault, and his client will download the encrypted vault key, along with the encrypted vault items. Bob’s client can decrypt the vault key using Bob’s private key, giving him access to the items within the vault and allowing Bob to see the Wi-Fi password and the front door keypad code.

The 1Password server never has a copy of the decrypted vault key, and is never in a position to share it. Only someone who already holds that key can encrypt a copy of it for a new member. Thus, an attack on our server could not result in unwanted sharing.
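The sharing flow in Story 6, as an added illustration that is not 1Password's own code: the vault key is a random symmetric key that encrypts the items, and sharing means wrapping that key under the recipient's public key. The cipher choices (AES-256-GCM for items, RSA-OAEP for key wrapping), the function names, and the sample item text are this example's assumptions, not taken from the white paper.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// sealAESGCM encrypts plaintext under a symmetric key, prepending the random nonce.
func sealAESGCM(key, plaintext []byte) []byte {
	block, _ := aes.NewCipher(key)
	aead, _ := cipher.NewGCM(block)
	nonce := make([]byte, aead.NonceSize())
	rand.Read(nonce)
	return append(nonce, aead.Seal(nil, nonce, plaintext, nil)...)
}

// openAESGCM reverses sealAESGCM; the GCM tag check fails on any tampering or wrong key.
func openAESGCM(key, sealed []byte) ([]byte, error) {
	block, _ := aes.NewCipher(key)
	aead, _ := cipher.NewGCM(block)
	n := aead.NonceSize()
	return aead.Open(nil, sealed[:n], sealed[n:], nil)
}

// CreateVault: Alice's client makes a random 256-bit vault key and encrypts an item
// with it. The server stores encItem but never receives vaultKey.
func CreateVault(item []byte) (vaultKey, encItem []byte) {
	vaultKey = make([]byte, 32)
	rand.Read(vaultKey)
	return vaultKey, sealAESGCM(vaultKey, item)
}

// ShareVault: the sharer wraps the vault key with the recipient's public key (RSA-OAEP).
// Only someone already holding the plaintext vault key can produce this copy.
func ShareVault(vaultKey []byte, recipientPub *rsa.PublicKey) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientPub, vaultKey, nil)
}

// ReadShared: the recipient unwraps the vault key with their private key, then decrypts
// the item. Any other private key (or the server, which holds none) fails at the unwrap.
func ReadShared(priv *rsa.PrivateKey, wrappedKey, encItem []byte) ([]byte, error) {
	vaultKey, err := rsa.DecryptOAEP(sha256.New(), nil, priv, wrappedKey, nil)
	if err != nil {
		return nil, err
	}
	return openAESGCM(vaultKey, encItem)
}
```

The server-side view is only `encItem` and the wrapped key, which is why a compromise of the server yields neither the vault key nor the items.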

6.1 Getting the message (to the right people)

It’s important that the person sharing a vault shares it with the right person, and uses the public key of the intended recipient. One of the primary roles of the 1Password server is to ensure that public keys belong to the right email addresses.

Dangerous bend

1Password does not attempt to verify the identity of an individual. The focus is on tying a public key to an email address. Internally we bind a key set to an email address, but we have no information about who controls that email address.

Connecting users with their keys as they register, enroll new devices, or simply sign in is a fundamental part of the service. How this happens without giving us the ability to acquire user secrets is the subject of the next section.