Keychains are some of the most important, and hard to replace, data on your Mac and iOS devices. Lose access to all those passwords and certificates, and doing almost anything becomes a purgatory of resetting passwords and trying to convince support desks of your identity. As many of us now rely on robust synthetic passwords, which are difficult even to write down, let alone key in, our keychains are crucial.
Unless you’re using a single Mac and have no iOS devices, by now you’ve probably succumbed to storing your keychain in iCloud. This is far more reliable than when Apple first encouraged us to trust it, and despite my original opposition, even I now use it.
Apple details iCloud Keychain in this note, where it refers to keychain recovery. What isn’t made clear there is that if you inadvertently do something to mutilate or destroy your iCloud Keychain, including making several incorrect attempts to access it, or deleting a whole batch of passwords, then there’s no backup of your keychain in iCloud from which you can restore it, as far as anyone has been able to discover.
If you don’t yet use iCloud Keychain, but do maintain good backups, you’ll know that you can always restore your keychains from those backups: user keychains are stored in ~/Library/Keychains. Each time that I migrate to a new Mac, I also bring across a copy of my last login keychain from my old Mac, and keep it handy in case I need to access an old password or certificate which gets omitted from my new login keychain.
As far as I can tell, neither Time Machine nor any similar backup system makes backups of iCloud Keychain locally, of its own accord. Some users report that their local keychains are kept reliably in sync with what is in iCloud; others have found to their cost that they haven’t been. If I don’t have a local backup, then as far as I am concerned, I have no backup at all. For such crucial data, that is a serious omission, and a single point of failure which I can’t accept. Nor should you.
There’s another confounding factor to bear in mind. It used to be that all the important keychain data were stored in your single login keychain. That hasn’t been true for some years now: specifically, all those essential website passwords are kept separately.
Open Keychain Access, and you’ll see that when using iCloud Keychain, those dozens or hundreds of passwords are listed as being in iCloud. If something were to happen to them there, you’d still be resetting them at Christmas.
The best way to ensure that you have a full local backup of all those passwords and other essentials in your keychains is to periodically come off iCloud Keychain to force-sync them into local storage, then enable iCloud Keychain again, and back your ~/Library/Keychains folder up.
When you turn iCloud Keychain off, macOS should invite you to keep a copy of your passwords and credit cards on this Mac. Click on the Keep on This Mac button to do that. Your Mac will then ensure it’s fully synced with iCloud, and saved to your local storage. This includes ~/Library/Keychains/login.keychain-db, which remains your main user keychain used from the moment that you log in, and at least one set of keychain-2 files stored in a folder whose name begins with a UUID, inside ~/Library/Keychains.
When your Mac has iCloud Keychain disabled, all those password items in your iCloud keychain are held in the keychain named Local Items. That’s the active set of keychain-2 files stored in a sub-folder whose name begins with a UUID. If you have multiple sub-folders whose names start with a UUID, it’s easy to tell which is the real Local Items keychain, as turning iCloud Keychain off will change its date of last modification to that of a few moments ago.
Provided that your backup system makes a full backup of ~/Library/Keychains, you’ll now have a fresh backup of both your login keychain and your Local Items. Should you need to restore them, simply restore the whole folder, and you should recover all those passwords in Local Items too.
So the summary sequence for backing up your iCloud Keychain to local storage runs:
- Disable iCloud Keychain, and click on the Keep on This Mac button.
- Give your Mac a little while to sync and download keychains from iCloud.
- Once Keychain Access reports all your passwords etc. as being stored locally, and not in iCloud, turn iCloud Keychain back on.
- Ensure that your ~/Library/Keychains folder is fully backed up.
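As an added example, not part of the original post, here is a small shell script for the last step of that sequence and for the check described above: it identifies the active Local Items folder (the most recently modified sub-folder of ~/Library/Keychains whose name begins with a UUID), confirms that login.keychain-db and the keychain-2 files are present, and copies the whole Keychains folder into a dated snapshot so that it can be restored whole. It does not toggle iCloud Keychain, which you still do by hand in System Settings; run it after Keychain Access reports everything as stored locally. The functions, the backup destination and the `cp -R -p` copy are my own choices, and the file names match the layout the post describes.

```shell
#!/bin/bash
# Added example (not from the original post). Assumes the layout described
# above: ~/Library/Keychains holds login.keychain-db and one or more
# sub-folders named with a UUID, the newest of which is the live Local Items
# keychain-2 store.
set -u

# Print the most recently modified sub-folder of $1 whose name begins with a
# UUID. Returns 1 if there is none.
find_local_items_dir() {
    dir=$1
    best=""
    for d in "$dir"/*/; do
        [ -d "$d" ] || continue
        d=${d%/}
        name=${d##*/}
        if printf '%s\n' "$name" | grep -Eq '^[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}'; then
            # -nt compares modification times, so the folder iCloud last
            # wrote to wins, as the post explains.
            if [ -z "$best" ] || [ "$d" -nt "$best" ]; then
                best=$d
            fi
        fi
    done
    [ -n "$best" ] || return 1
    printf '%s\n' "$best"
}

# Count the keychain-2 files (database plus any journal files) inside $1.
count_keychain2_files() {
    n=0
    for f in "$1"/keychain-2*; do
        [ -e "$f" ] && n=$((n + 1))
    done
    printf '%s\n' "$n"
}

# Report whether $1 looks like a complete keychains folder: a login keychain
# and a UUID-named Local Items folder. Returns 0 only if both are present.
check_keychains() {
    dir=$1
    ok=0
    if [ -f "$dir/login.keychain-db" ]; then
        echo "login keychain: $dir/login.keychain-db"
    else
        echo "login keychain missing in $dir" >&2
        ok=1
    fi
    if li=$(find_local_items_dir "$dir"); then
        echo "Local Items folder: $li ($(count_keychain2_files "$li") keychain-2 files)"
    else
        echo "no UUID-named Local Items folder in $dir" >&2
        ok=1
    fi
    return $ok
}

# Copy the whole keychains folder $1 into a dated snapshot under $2 and print
# the snapshot path. The folder is copied whole because that is how the post
# recommends restoring it.
backup_keychains() {
    src=$1
    dest_root=$2
    dest="$dest_root/Keychains-$(date +%Y%m%d-%H%M%S)"
    mkdir -p "$dest_root" || return 1
    cp -R -p "$src" "$dest" || return 1
    printf '%s\n' "$dest"
}

# Stand-alone use on a Mac: ./keychain-backup.sh --run [destination folder]
if [ "${1:-}" = "--run" ]; then
    src="$HOME/Library/Keychains"
    check_keychains "$src" && backup_keychains "$src" "${2:-$HOME/Desktop/KeychainBackups}"
fi
```

The check only confirms that the expected files exist and which Local Items folder is current; it cannot tell whether the sync from iCloud finished, so wait until Keychain Access no longer lists the passwords as being in iCloud before taking the snapshot, and keep the snapshot somewhere your regular backups also cover.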
I don’t do this frequently, but whenever I know I’ve added some important passwords to my iCloud Keychain, I ensure that I follow this procedure within a day or two.