Will 1Password ever support password database sync other than over Dropbox?
I am unwilling to put my encrypted password file on storage I don't control, as I don't have source code to 1Password itself. Thus, a vulnerability in 1Password (or, in my specific binary of 1Password) could easily lead to a less-than-secure password database being stored effectively unencrypted on Dropbox. I want synchronization across multiple machines, but I want to be able to host the files entirely on my own hardware, potentially disconnected from the Internet, using peer to peer direct sync or something like AeroFS.
Answer:
Good question. There are actually several different questions all rolled into this one, so I'll try to address each of them. Apologies in advance for the novel. You raised some very good issues, directly and indirectly, which I think are important. It is great that you are thinking about these things.

Won't any local, file-based syncing solution work to sync 1Password data on the desktop?

Yep. You can use tools like ChronoSync and rsync to keep your data file up to date across multiple desktop machines without any Internet connection because third-party apps have access to the file system on the desktop and can sync the files directly. There are some caveats, but most of the known issues with specific sync solutions are covered in the User Guide: http://help.agilebits.com/1Password3/sync_solutions.html

As you may know, the situation is pretty different on mobile platforms where apps are sandboxed and don't have access to the file system. So, for example, the Dropbox iOS app can't and doesn't have any role in syncing 1Password on iOS. Any syncing in the mobile apps needs to be built in to the 1Password app itself. The problem is that there are not really great ways to do this with the majority of sync solutions. Dropbox provides two things that are very important for syncing 1Password data:

- It provides the necessary programming tools (APIs) for all of the platforms that we support: Mac, Windows, iOS, Android, and Windows Phone 7.
- It provides syncing to truly native filesystems for Mac and Windows.

We've gone into greater detail in our "Alternatives to Dropbox cloud syncing" support article: http://support.agilebits.com/kb/syncing/alternatives-to-dropbox-cloud-syncing-icloud-google-drive-skydrive

If all you need is desktop syncing, there are many options available to you, and they are listed in the aforelinked section of the User Guide above. Please do be aware, though, that you will need a true sync solution.
Storing 1Password data on a network share or external volume is neither recommended nor supported. You want to make sure that each machine has an entire copy of the data stored locally for performance and reliability. A key component of security is data availability. :)

Can I sync mobile devices without an Internet connection?

Yep. 1Password for Mac syncs with 1Password on iOS via Wi-Fi. No Internet connection needed. http://help.agilebits.com/1Password_touch/sync_to_mac_manually.html

How secure is 1Password?

I won't bore you with all the details of the AES-encrypted, PBKDF2-strengthened Agile Keychain Format which uses a combination of the OpenSSL library, CommonCrypto, or Windows cryptography libraries depending on platform and version for all of its encryption and key generation needs. You can read about that in our Agile Keychain Design document: http://help.agilebits.com/1Password3/agile_keychain_design.html

One of the best ways to show just how strongly 1Password protects your data is by pitting it against the pre-eminent password cracking tool John the Ripper. We did just that not too long ago: http://blog.agilebits.com/2012/07/31/1password-is-ready-for-john-the-ripper/

So is it safe to store 1Password data in the cloud?

Your secrets in your 1Password data are safe wherever they are stored. Although we don't recommend making your 1Password database publicly available to the world, we have designed it so that your username and password data (along with other secret data stored within it) is protected no matter whose hands they fall into. For this and other reasons we are very confident when we recommend cloud syncing of 1Password data with Dropbox.
Our "Security of storing 1Password data in the Cloud" document goes into increasing detail about the security measures in place and issues surrounding them: http://help.agilebits.com/1Password3/cloud_storage_security.html

Some of the key points from the document:

- Your master password is never transmitted from your computer or device.
- All 1Password decryption and encryption is performed on your computer or device.
- The 1Password data format was designed to withstand sophisticated attacks if it fell into the wrong hands (cf. John the Ripper blog post above).
- Dropbox provides an additional layer of encryption.

Might there be a backdoor in 1Password (or my copy of 1Password)?

While our Agile Keychain Design document (linked above) doesn't directly address the question of whether or not there is a backdoor in 1Password, it does show that we are as open as possible about our data formats, which are fully available for inspection. However, that is only part of an answer.

There are, in fact, two parts to the question. One is about a backdoor which someone at Agile would maliciously put in the code, the other is about a third party supplying you with a modified version of 1Password. For the latter, we use Apple's codesigning system as well as have our updater verify each download against a digital signature. I can give you more detail about those if you wish, but I suspect that you are more interested to know that we are not the bad guys ourselves.

The simple truth is that you can never be absolutely certain that there is no backdoor. There isn't one, but if we would do something so evil as to put in a backdoor, we certainly would be willing to lie about it. So you can't simply take our word for it. Nonetheless, there are things that I can point to which are strong indicators that there is no backdoor. I know that we at Agile are all good people, but simply stating that does not prove it. Therefore, let me point to reasons that go beyond reliance on our virtue.

- It would be incredibly foolish of us from a business perspective to put in a backdoor. The trust that we have from our customers is our livelihood. There are very sophisticated security researchers out there scrutinizing 1Password for security flaws. If they were to discover a backdoor, our reputation and business would come to an end.
- Consider the effort that has gone into developing 1Password over the years. Our business is about providing a quality product and support. If we were seeking credit card numbers and online banking credentials, we would be conducting our business differently. These are some great reasons to avoid low-cost password managers from fly-by-night companies who don't offer a lot of detail about their formats and methods.
- We have never had any government pressure to put in a backdoor. We are a Canadian company, and we have an international staff. If one government were to try to pressure us, we could easily relocate the business to another jurisdiction.
- Lots of people within AgileBits have access to the source code which means that if one of us tried to put in a backdoor, others would spot it. So it would not be possible for just one or two people colluding to do it. At the same time, only a few people have the ability to sign the code that gets distributed, so all changes do get reviewed.
- We can't be as fully open as an open source project, but within the constraints of our business we try to be as open as possible. With our Chrome extension, where more code is written in JavaScript, that source is available for inspection (although parts of it are obfuscated).
- For network operations, you can monitor all network traffic coming from 1Password and its components. You will only find three cases where 1Password opens a network connection.
  - For WiFi syncing (if you use it) 1Password for Mac will pick up host information over Bonjour and then open up a connection on the local network to 1Password on an iPhone, iPad, or iPod Touch but only when you have set things up for Wi-Fi syncing.
  - Our updater will check for new updates, fetch them, and verify their signature. You can disable this if you wish (Preferences > Updates > Automatically check for updates).
  - Thumbnail previews are retrieved when you create a new Login. 1Password will attempt to create a preview of that page (with no form filling). This can also be disabled (Preferences > Logins > Login Previews).
- All of the encryption and security protocols we use are from well known and well reviewed libraries. This means that it would be harder for us to conceal a backdoor as we just aren't in a position to make subtle changes to the actual encryption algorithms and protocols. Our practice of not "rolling our own" encryption implementation is also an overall security advantage. As we've said elsewhere, proprietary encryption systems are a warning sign, not a virtue.

I hope that this goes some way to reassuring you. As I said, we know we are honest, and we want you to know that too. Caution and skepticism are healthy habits, though, especially when it comes to security.

Please let me know if you would like any clarification of any of these points or if there is anything else I can help with.

--- Khad Young, AgileBits, http://agilebits.com/support
Khad Young at Quora
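
The answer's claim that 1Password opens a network connection in only three cases, two of which can be switched off, can be checked against a connection log. The following is an added example, not part of the original answer and not AgileBits code: it audits a constructed log given the state of the three settings. The log format, the process name and the update-server address are assumptions made for illustration.

```python
import ipaddress

# Constructed sample in a made-up "process remote_ip:port" format (not real tool output).
SAMPLE_LOG = """\
1Password 192.168.1.23:49152
1Password 203.0.113.10:443
1Password 198.51.100.7:443
Safari 198.51.100.7:443
"""

# Placeholder for the vendor's update server address (assumption, not from the page).
UPDATE_SERVERS = {ipaddress.ip_address("203.0.113.10")}

# "Local network" ranges, listed explicitly because ipaddress.is_private
# also matches the documentation ranges used in the sample above.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16", "fe80::/10")]


def classify(addr, wifi_sync, auto_update, previews):
    """Map one remote address to the case from the answer that explains it."""
    if any(addr.version == net.version and addr in net for net in LOCAL_NETS):
        return "wifi-sync" if wifi_sync else "unexpected"
    if addr in UPDATE_SERVERS:
        return "updater" if auto_update else "unexpected"
    # Previews fetch arbitrary sites, so the destination alone cannot confirm one.
    return "needs-review" if previews else "unexpected"


def audit(log, wifi_sync, auto_update, previews, process="1Password"):
    """Return (line, verdict) for every connection made by `process`."""
    results = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 2 or parts[0] != process:
            continue
        host = parts[1].rsplit(":", 1)[0].strip("[]")
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            results.append((line, "unparseable"))
            continue
        results.append((line, classify(addr, wifi_sync, auto_update, previews)))
    return results


if __name__ == "__main__":  # updates and previews off: non-local traffic is unexpected
    for line, verdict in audit(SAMPLE_LOG, True, False, False):
        print(f"{verdict:12} {line}")
```

With login previews left on, traffic to arbitrary sites cannot be told apart by destination, so the strictest check is to disable updates and previews first and treat every non-local connection as a finding.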