Fixing iCloud Keychains, and backing them up

El Capitan and Sierra have pushed one new feature which has resulted in some dreadful disasters: iCloud Keychain (iCK). Each time you install El Capitan or Sierra, you are encouraged to trust your keychain to iCloud, and I know that a significant number of users have come to regret doing so.

iCloud Keychain is, in the words of the cliché, wonderful when it works. And it works a great deal of the time, unless it goes wrong. Even more unfortunately, it most often goes wrong when a user tries to solve another problem, by doing something which inadvertently messes iCK up. Then they are in trouble.

Like everything in iCloud, when there are problems they seem out of your control. When you realise that all your experience of managing problems on your Mac is irrelevant, and you have no tools on your Mac to help, panic sets in. Sometimes that panic precipitates further actions which only make things worse.

When you’re using a local keychain, your main login keychain is stored as login.keychain-db in ~/Library/Keychains. So long as you remember the password required to access it – which should be your normal login password for that Mac – you can back it up, and use that backup to recover from, if you ever need to. My Keychains folder even contains an old keychain from my last Mac Pro, in case I need to use old passwords which are still stored in it.

But with iCK turned on, your login keychain is in iCloud, and is not something which you can access as a file, as you can a local keychain. If you use iCloud for backups, then it is specifically excluded from those backups, because Apple argues that it is already stored in iCloud, therefore doesn’t need to be backed up. Unless of course something happens to it, like all its password entries getting wiped: then you’re apparently stuck, contacting iCloud support to try to recover a copy of it from before disaster struck.

There is, though, a simple way of making a snapshot copy of your iCloud keychain at any instant.

When you turn iCK off, the current keychain held in iCloud is downloaded to your Mac (or iOS device), and used as its local keychain. So to make a backup copy of your iCloud keychain, turn iCK off, wait a little while, and back up login.keychain-db from your ~/Library/Keychains folder. Once you have made that copy, turn iCK back on, and it should carry on where it left off.
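The snapshot step above, scripted: this is an added example and not part of the original post. It assumes the keychain path the post gives (~/Library/Keychains/login.keychain-db), a backup folder of my choosing, and that iCK has already been turned off; it waits for the downloaded file to stop changing, copies it with a timestamp, restricts the copy to the owner, and verifies the copy byte-for-byte. The copy stays protected by the same login password as the original.

```shell
#!/bin/sh
# Added example (not from the original post): snapshot a local
# login.keychain-db once iCloud Keychain has been turned off.
# Assumptions: keychain at ~/Library/Keychains/login.keychain-db (as the
# post states); backup directory and settle time are this script's choices.

# Print the SHA-256 of a file, using whichever tool the system has
# (shasum on macOS, sha256sum on most Linux systems).
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# backup_keychain SRC DEST_DIR [SETTLE_SECONDS]
# Waits until the keychain file stops changing (the downloaded copy may
# still be being written), copies it with a timestamped name, locks the
# copy down to the owner, and verifies the copy against the original.
# Prints the backup path on success; returns non-zero on failure.
backup_keychain() {
    src=$1; dest=$2; settle=${3:-5}
    [ -f "$src" ] || { echo "no keychain at $src" >&2; return 1; }
    mkdir -p "$dest" && chmod 700 "$dest" || return 1

    # Settle check: hash twice around a pause; bail out if the file changed.
    before=$(file_sha256 "$src")
    sleep "$settle"
    after=$(file_sha256 "$src")
    [ "$before" = "$after" ] || { echo "keychain still changing; retry later" >&2; return 2; }

    out="$dest/login.keychain-db.$(date +%Y%m%d-%H%M%S)"
    cp -p "$src" "$out" || return 1
    chmod 600 "$out"
    cmp -s "$src" "$out" || { echo "copy verification failed" >&2; rm -f "$out"; return 3; }
    # Record the checksum beside the copy so a later restore can be checked.
    echo "$after  $(basename "$out")" >> "$dest/SHA256SUMS"
    echo "$out"
}

# Typical use on the Mac, after turning iCloud Keychain off and giving it
# a moment to download the local keychain:
#   backup_keychain "$HOME/Library/Keychains/login.keychain-db" "$HOME/KeychainBackups"
```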

Apple uses this technique as the basis for another approach to tackling problems with iCK: turn iCK off on all the Macs and iOS devices which share your keychain. Identify the one with the most up-to-date keychain, then turn iCK back on for that Mac/device alone. Let that sync with iCloud, and once that has set the iCloud keychain up properly, turn iCK on for your other Macs/devices. They should all sync to that master keychain.

If you think that something has gone wrong with iCK, it may well already be too late to stop that situation from propagating to all your other Macs/devices, but you should take all of them back to local keychains until the issue is sorted out.

If you have a recent backup, you can sit and patiently copy items from a copy of that backup to your local login.keychain-db, using Keychain Access, until you have restored what you need; then on that Mac alone, turn iCK back on. That should sync your rebuilt keychain with iCloud, and you can then turn iCK back on for your other devices.

Hopefully this has given you some better strategies for dealing with iCloud Keychain issues, and should stop you from getting sick of iCK.