---
title: "Protect 1Password Database | Security Cookbook"
description: "Restrict 1Password database files to AgileBits-signed processes, blocking infostealers from enumerating or copying your stored credentials and vaults."
doc_version: "1"
last_updated: "2026-05-22"
canonical: "https://northpole.security/cookbook/protect-1password-database"
---

### Idea

Keeping your passwords in a password manager like 1Password is a good move for security. 1Password encrypts your password database with your "account password," but we can go one step further and use a file access rule to stop other applications from reading the database files at all. This not only adds a layer of protection in case the encryption is broken or your account password is lost, it also stops other apps from discovering which credentials you have stored, since that item metadata is generally not encrypted.

The following rule protects the path prefixes that hold 1Password's data and specifies which processes may access them. For simplicity we're allowing all processes signed by AgileBits' team ID, but we also have to allow access to a few system processes for normal operation.

### Solutions

File Access rule: Protect 1Password Database

Restrict 1Password database access to authorized processes only

Path Prefixes

- /Users/\*/Library/Group Containers/2BUA8C4S2C.com.1password
- /Users/\*/Library/Application Support/1Password
- /Applications/1Password.app

Options

- Allow Read Access: false
- Audit Only: false
- Rule Type: PathsWithAllowedProcesses

Processes

- Signing ID: 2BUA8C4S2C:com.1password.op
- Signing ID: 2BUA8C4S2C:com.1password.1password
- Signing ID: platform:com.apple.SafariPlatformSupport.Helper

Custom Message

1Password database can only be accessed by 1Password
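Deploying the rule means expressing it in Santa's file access authorization (FAA) configuration; the plist below is an added rendering of the rule above, not a configuration taken from this page or shipped by North Pole Security. It assumes the FAA `v1` key names (`WatchItems`, `Paths`/`IsPrefix`, `Options`, `Processes` with `TeamID`, `SigningID` and `PlatformBinary`) and uses an arbitrary watch-item name, `Protect1PasswordDatabase`.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Version</key>
  <string>v1</string>
  <key>WatchItems</key>
  <dict>
    <!-- Watch-item name is an arbitrary label chosen for this example -->
    <key>Protect1PasswordDatabase</key>
    <dict>
      <!-- Each entry is a prefix match: everything below the path is covered -->
      <key>Paths</key>
      <array>
        <dict><key>Path</key><string>/Users/*/Library/Group Containers/2BUA8C4S2C.com.1password</string><key>IsPrefix</key><true/></dict>
        <dict><key>Path</key><string>/Users/*/Library/Application Support/1Password</string><key>IsPrefix</key><true/></dict>
        <dict><key>Path</key><string>/Applications/1Password.app</string><key>IsPrefix</key><true/></dict>
      </array>
      <key>Options</key>
      <dict>
        <!-- Reads are blocked too, so enumeration of item metadata is denied, not just writes -->
        <key>AllowReadAccess</key><false/>
        <!-- Set to true during rollout to log violations instead of blocking them -->
        <key>AuditOnly</key><false/>
        <key>RuleType</key><string>PathsWithAllowedProcesses</string>
        <key>BlockMessage</key><string>1Password database can only be accessed by 1Password</string>
      </dict>
      <!-- The "TeamID:SigningID" display form splits into two keys; "platform:" becomes PlatformBinary -->
      <key>Processes</key>
      <array>
        <dict><key>TeamID</key><string>2BUA8C4S2C</string><key>SigningID</key><string>com.1password.op</string></dict>
        <dict><key>TeamID</key><string>2BUA8C4S2C</string><key>SigningID</key><string>com.1password.1password</string></dict>
        <dict><key>PlatformBinary</key><true/><key>SigningID</key><string>com.apple.SafariPlatformSupport.Helper</string></dict>
      </array>
    </dict>
  </dict>
</dict>
</plist>
```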

### Mitre Attack

Tactics

[Credential Access](https://attack.mitre.org/tactics/TA0006/)

Techniques

- [T1555.005: Password Managers](https://attack.mitre.org/techniques/T1555/005/)
- [T1555: Credentials from Password Stores](https://attack.mitre.org/techniques/T1555/)

### Tags

password-manager, credentials, 1password

### Deployment Notes

This rule locks down 1Password's database files so that only 1Password and the required system processes can access them. This prevents infostealers from discovering which credentials you have stored, even if they cannot decrypt them.

The rule allows processes signed by AgileBits' team ID (2BUA8C4S2C) and a few system processes required for iCloud sync.

### False Positive Guidance

1Password and required system processes are the only legitimate accessors. If you use 1Password browser extensions or CLI tools, ensure they're signed with the correct team ID.

### Resources

[1Password Security Design](https://1password.com/security/)
