I have installed the "1password-cli" package on my airgapped linux machine with no network access ('op --version' gives me 2.30.3).
If I run 'op vault list', it tells me I have to add an account. When I run 'op account add' it tries to connect to 1password's servers and won't let me proceed without internet.
I don't see how this "local client" is helping if all the auth infrastructure goes through their servers.
There might be alternatives that are better designed for that use case these days; pass and KeePassXC are popular ones, depending on the interface you want (pass is made for the cli as the primary interface).
What does "You will get your vaults locally" mean?
Is it possible to export as a file, take that with you on whatever medium (eg. USB key, CD-ROM, future isolinear chip), put it on a brand new PC you built from scratch and never connected to the internet, and open it in some kind of standalone viewer?
That’s how 1Password used to work. Not sure how much of that is still left in the system these days.
Originally it was an app with no remote component. The vault was yours to look after. Most people kept it in Dropbox to make it accessible anywhere. The vault itself actually had an html file in it that you could open in a pinch that was able to decrypt secrets (only for reading, from memory).
Actually, 1Password had local syncing where you synced the vaults between devices on a local connection (I think it was point to point WiFi, so your internet dropped off, Bluetooth was less common then). So it was bucket brigade syncing.
Dropbox came later and security minded folks were wary. Honestly, I trust 1Password sync more than an encrypted db on a general purpose cloud file sync, but maybe that’s naive.
After auth, it downloads a copy of your vaults to your device from their servers.
Super contrived, but you could probably just copy the sqlite dbs of your vault it creates locally to another PC along with the 1Password installer and it might let you sign in with just your master key.
The likelihood that someone would be able to do this in 50 years time, without your company still around? Close to zero.
Passwords, even ssh keys and passkeys, are little pieces of plain text. If you think needing a specialised sdk or cli to retrieve plain text is a good software architecture, I think we see the world quite differently.
That's the exact reason it's open source, so it would still be possible to access your data in such an event.
We clearly see things differently but I think using computers to make our lives easier is worthwhile and storing/managing our secrets securely, effectively and conveniently is better managed by software than some ad-hoc setup.
Nitpick, passkeys are not text, they are binary blobs.
I have installed the "1password-cli" package on my airgapped linux machine with no network access ('op --version' gives me 2.30.3).
If I run 'op vault list', it tells me I have to add an account. When I run 'op account add' it tries to connect to 1password's servers and won't let me proceed without internet.
I don't see how this "local client" is helping if all the auth infrastructure goes through their servers.