Confidential computing at 1Password

At the heart of 1Password’s security model is our use of end-to-end encryption. This means that your passwords and other secrets are encrypted on your device before being sent to the cloud. Without your encryption keys (derived from your account password and Secret Key), it’s cryptographically impossible for anyone to read your data, even us at 1Password.

We believe the use of an end-to-end encryption model is the strongest defense possible to protect your secrets. But it also presents challenges when building new features, and limits what is possible, especially for our enterprise customers.

Enter confidential computing: a new technology that enables us to bring our end-to-end encryption model into the cloud, while offering the same security and privacy guarantees we do today on your device.

Our industry-first use of confidential computing enables us to securely decrypt certain secrets and process them in plaintext on 1Password servers without sacrificing security or privacy.

Today, it’s already powering parts of 1Password Extended Access Management, such as allowing us to provide detailed reporting to our enterprise customers. But this is just the beginning — additional solutions built with confidential computing are under development, and we look forward to sharing them soon!

The problem with traditional cloud compute

Cloud computing generally has an inherent lack of transparency — users have little to no visibility or control over where their data is stored, how it is secured, or who has access to it. Even if a company claims it’s not misusing your data, you’re unable to verify this.

And the risk of compromise is amplified in cloud environments — it’s all too easy for data on a server to be accessed by other processes on the machine, or a privileged user (or attacker) remotely connecting to it.

None of this is appropriate for an end-to-end encrypted system, where security and privacy are a priority.

The confidential computing solution

Confidential computing is a new technology, backed by special hardware, that helps protect data while it’s being used, even on shared or public cloud infrastructure.

Normally, when data is being used by software on a server, it’s vulnerable to being accessed by others. But with confidential computing, the data is kept secure inside a special, isolated environment called an “enclave.” The data inside is protected from the operating system, the cloud provider, and even the owners of the software running on the server.

Think of it like a safe deposit box at a bank — only you hold the key, and nobody else can access it, even though it’s located in a public building. The bank employees cannot access the contents of your safe deposit box, just as cloud providers cannot access the data being processed in a confidential computing environment. The bank has strict regulations in place to ensure your valuables are secure, including detailed audit records and surveillance cameras that track who enters the vault, remaining accountable to both the customer and third-party regulators. Similarly, confidential computing creates a tightly controlled “enclave” for your data, ensuring that it remains private and secure during processing.

Just as you can verify the safety of your belongings in the bank, you can trust that your data is protected from unauthorized access, with every action monitored and transparent, making the entire process — from transport to storage to processing — safe and secure.

Confidential computing allows us to take advantage of the benefits of the cloud when building new features. For instance, we use it when compiling encrypted reports about employee vault usage, which we make available to enterprise admins to help them secure their company. Such large datasets cannot be decrypted and aggregated on-device by the admin due to performance limitations. Performance and scalability are achieved by performing these operations on confidential computing servers, which have much more computational power, enabling fast and reliable reports every time.

Confidential computing, the 1Password way

We designed our confidential computing system around several principles, to ensure the resulting architecture meets our extraordinary security and privacy requirements.

  • Verifiable guarantees. We start by building on top of AWS Nitro Enclaves, which are specialized servers that provide enforceable guarantees of isolation, confidentiality, and integrity through a cryptographic attestation system. These servers can prove their identity and exactly what code they are running by offering a signed attestation document.

  • Public transparency. We publish each enclave release to a public transparency log — Rekor — which is controlled by a third party. This means an independent auditor can inspect the code and verify our claims, including every single version of code ever run in the enclave — making it impossible for us to do anything in secret.

  • No operator access. Neither 1Password administrators nor AWS administrators have the ability to access or interact with the code and data running inside the enclave. The isolation is enforced at the hardware level by the AWS Nitro System, whose design and security assurances AWS has had externally audited. This hardware-based isolation ensures that even the most privileged users or processes on the host system cannot intrude upon or tamper with the contents of the enclave.

  • Trusted communication from clients. Our aim is for an enclave service to act as an extension of our client applications running on your device. In order to connect to an enclave service, we need to establish a trusted communication channel, which ties together attestation, signing, and encryption. We use Noise to create an encrypted channel, using a public key that is trusted through attestation. Additionally, our client applications will refuse to connect to an enclave unless its code has been signed by 1Password and publicly published to the third-party transparency log.

  • Safe & resilient coding. We opted to write our confidential computing system in Rust, a systems language known for its security and memory safety. This helps prevent vulnerabilities and ensures isolation of requests. And because we also use Rust for our client applications, we’re able to use the exact same tried and tested libraries already in use today for important components such as cryptography and safe logging.
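One way to model the client-side acceptance policy described above (verify the attestation, check the measured code carries a vendor release signature, confirm the measurement was published to the transparency log, and only then use the attested public key for the Noise handshake), as an added example that is not 1Password's code: it is written in Go rather than the Rust the post mentions, uses Go's standard-library ed25519 as a stand-in for both the Nitro attestation signature and 1Password's release signing, and simulates Rekor as a set of published measurements.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Attestation: constructed stand-in for a Nitro attestation document's relevant fields (not AWS's real CBOR/COSE encoding).
type Attestation struct {
	PCR0      []byte // measurement of the enclave image (SHA-256 here)
	NoisePub  []byte // enclave's Noise static public key, bound by the attestation
	Signature []byte // signature over PCR0 || NoisePub by the attestation root
}
type ClientPolicy struct {
	AttestationRoot ed25519.PublicKey // stand-in for the Nitro attestation PKI
	ReleaseKey      ed25519.PublicKey // vendor's release-signing key
	TransparencyLog map[string]bool   // simulated Rekor: published measurements
}

// ShouldConnect applies the three gates the post describes and, on success,
// returns the Noise public key the client should use for the handshake.
func ShouldConnect(p ClientPolicy, a Attestation, releaseSig []byte) ([]byte, error) {
	signed := append(append([]byte{}, a.PCR0...), a.NoisePub...)
	if !ed25519.Verify(p.AttestationRoot, signed, a.Signature) {
		return nil, fmt.Errorf("attestation signature invalid")
	}
	if !ed25519.Verify(p.ReleaseKey, a.PCR0, releaseSig) {
		return nil, fmt.Errorf("enclave image not signed by vendor")
	}
	if !p.TransparencyLog[fmt.Sprintf("%x", a.PCR0)] {
		return nil, fmt.Errorf("measurement not published to transparency log")
	}
	return a.NoisePub, nil
}

// Scenario: a published, signed release is accepted; a release that is signed but never published is refused even though its attestation is valid.
func Scenario() (acceptGood, rejectUnpublished bool) {
	rootPub, rootPriv, _ := ed25519.GenerateKey(rand.Reader)
	relPub, relPriv, _ := ed25519.GenerateKey(rand.Reader)
	noisePub, _, _ := ed25519.GenerateKey(rand.Reader) // stand-in for a Noise key
	good := sha256.Sum256([]byte("enclave image v1 (constructed)"))
	policy := ClientPolicy{rootPub, relPub, map[string]bool{fmt.Sprintf("%x", good[:]): true}}
	attest := func(pcr []byte) Attestation {
		return Attestation{pcr, noisePub, ed25519.Sign(rootPriv, append(append([]byte{}, pcr...), noisePub...))}
	}
	_, err := ShouldConnect(policy, attest(good[:]), ed25519.Sign(relPriv, good[:]))
	acceptGood = err == nil
	bad := sha256.Sum256([]byte("enclave image v2, signed but unpublished"))
	_, err = ShouldConnect(policy, attest(bad[:]), ed25519.Sign(relPriv, bad[:]))
	return acceptGood, err != nil
}

func main() { fmt.Println(Scenario()) }
```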

We’ve also recently undergone an external security audit of our confidential computing system, which affirmed the robustness of our design and found zero major vulnerabilities. In the future we will also be making available further technical documentation and resources, ensuring security researchers have everything needed to inspect and verify our claims.

Jasper Patterson - Staff Developer
