hoakley August 7, 2023 Macs, Technology

An introduction to keychains and how they’ve changed

Many apps and services rely on secrets. Your browser needs access to the passwords you need to log into online services, for example, and other apps have to handle their own protected data. If you had to remember all those passwords and enter them manually, then you’d need a long written list, and the passwords you’d use would have to be easy to recall and type in. Way back in the days of Classic Mac OS, Apple decided to provide system-level support for the secure storage of passwords, making it far easier to manage and use unguessable passwords, by storing them in a secure database, the keychain.

From the moment you log into your Mac until you log out again (and, for some services, even when there’s no user logged in at all), it depends on keychains, generally kept in Keychains folders in each of its Library folders. Keychains are used to store, access and manage secrets, including passwords for various purposes, security certificates, private keys, passkeys, and secure notes.

Until OS X 10.9 when iCloud keychains were introduced to Macs, all its keychains were based on files, and the master is the keychain opened automatically at login, the login keychain. iOS devices have always been different; for a start, while Macs have multiple keychains, iOS only has one, and from the outset that single keychain is designed to be stored in iCloud and protected by the Secure Enclave. Apple refers to these two types as file-based and Data Protection keychains.

login keychain

For each user, their default personal file-based keychain is the login keychain, located in ~/Library/Keychains/login.keychain-db. This is unlocked automatically when the user logs in as it has the same password as that user account. It’s here that each user should store their certificates, secure notes, etc. for general use.

Although kept unlocked, readable and writeable while the user is logged in, that doesn’t guarantee access to its contents. If an app makes a call to the macOS security system to retrieve a stored password for its use, that system determines whether the app is trusted to access that information, and whether that keychain is locked. Assuming the password is stored there, the app is trusted, and the keychain is unlocked, then the password is retrieved and passed back to the app. If the app isn’t trusted or the keychain is locked, then the security system, not the app, displays a dialog asking for the password to that keychain to authenticate before it will provide the password to the app.

The user cannot determine which apps are trusted, as far as the security system is concerned. Those are determined by the security system, the specific access it grants to an app, and to individual items in that user’s keychain. At its most restrictive, the system can limit all other apps from accessing a particular secret in the keychain, but specific secrets can also be shared across several different apps.

System keychains

For the system, there are two vital groups of keychains:

in /System/Library/Keychains, in the SSV, is SystemRootCertificates and others providing the set of root security certificates for that version of macOS;
in /Library/Keychains is the System keychain and others providing certificates and passwords required for all users, including those to gain access to that Mac’s Wi-Fi connections.

Custom keychains

Apps and users are also able to create their own keychains. Among those I have on my Macs are shared keychains with Parallels virtual machines, several for Microsoft apps, and some for Adobe’s products. I also tend to make a copy of the login keychain from my last Mac and copy it across under another name to ~/Library/Keychains, so that if I happen to have left any important certificates or passwords behind when migrating to a new Mac, I should be able to find them there.

Although these additional keychains may be included in the keychain search path, when macOS is looking for a secret kept in a keychain, unlike the login keychain they’re normally kept locked. If I or an app want access to them, I’ll be prompted for that keychain’s password. For old login keychains, that’s just my old login password from that Mac, of course.

Data Protection keychain

Since OS X 10.9, Macs have also had one and only one Data Protection keychain that’s accessed using a different API. If you share your keychain in iCloud, this is the local copy of that shared keychain and is known as iCloud Keychain; if you don’t share it in iCloud, then it’s known as Local Items instead. The local copy of this is normally stored in ~/Library/Keychains/[UUID]/keychain-2.db, where the UUID is that assigned to that Mac.

The Data Protection keychain stores all the standard types of secret, including internet and other passwords, certificates, keys and passkeys, although it isn’t normally used for secure notes. Prior to macOS 11, it only synchronised internet passwords using iCloud, but from Big Sur onwards it synchronises all its content, including passkeys. Unlike file-based keychains, secrets in the Data Protection keychain can be protected by the Secure Enclave, and can therefore be protected by biometrics including Touch ID (and, on iOS and iPadOS, Face ID). Hence they are required for passkeys, which don’t appear to be supported by traditional file-based keychains.

Tools

The bundled tool for working with keychains is the Keychain Access app, in /Applications/Utilities, and some of the features of the command tool security. A few third-party utilities, including my own free Mints, give additional information that can be helpful in resolving keychain problems. However, those are largely based on the APIs for working with file-based keychains, and have limited abilities when working with Data Protection keychains. For instance, Keychain Access can only display and work with password items in iCloud and Local Items Keychains, and can’t provide any access to certificates, keys or passkeys held there, although I’m not aware that Apple documents this in the app’s Help book, or in man security. Currently, Apple doesn’t appear to provide any command tool that works fully with Data Protection keychains, and that appears intentional.

The best way to work with passwords and passkeys stored in a Data Protection keychain is in the Passwords section of System Settings, or its equivalent in Safari’s Settings.

Future

Currently macOS still supports keychains in their original Classic Mac OS format, and file-based keychains remain widely used. As they can never provide the same level of security as Data Protection keychains, and can’t benefit from biometrics or the Secure Enclave, Apple is keen to move on to Data Protection keychains as much as possible. It even states that “the file-based keychain is on the road to deprecation. It’s not officially deprecated, but some of the APIs surrounding it are.” That road stretches long ahead, though, as it requires every app that relies on keychains to adopt the new API, and complete reliability.

Apple also has one significant problem to solve: code such as LaunchDaemons and LaunchAgents that don’t run in a user context, but through launchd, can’t currently access a Data Protection keychain, and must rely on file-based keychains. Traditional keychains aren’t going away yet.

References

Apple TN3137: On Mac keychain APIs and implementations
Apple Platform Security Guide
Apple Keychain Services

31Comments

Add yours

1

FRPSR on August 7, 2023 at 9:11 am

The suggestion of placing passwords in ~/Library/Keychains , has aroused my interest . I have a frequently updated selection of ‘Passwords’ I Keep in Documents .
Sans attempting to move the collection without naming it to , ~/Library/Keychains , would you seek to identify this within the ~/Library/Keychains as a folder name familiar/exchangeable to its current one . My luck with using the utility ‘keychains’ has predictably failed , which motivated the frequently updated selection of ‘Passwords’ . FRPSR .

LikeLiked by 1 person
- 2
  
  hoakley on August 7, 2023 at 11:03 am
  
  If it’s a keychain, then you should keep it in a Keychains folder, as that’s where it will be most accessible to Keychain Access and apps. If it’s not a keychain, then there’s no point: Keychains folders aren’t protected, it’s access to their databases that are.
  Howard.
  
  LikeLike
  - 3
    
    FRPSR on August 7, 2023 at 11:35 am
    
    Thank you .
    
    LikeLiked by 1 person
4

SarahB on August 7, 2023 at 10:21 am

I thought long ago on macOS we could lock keychain access with a password but not sure. My memory is kind of foggy. Always felt odd to me I could see so much in keychain and it wasn’t asking for anything security wise to open the app. Even opening the mail app, I just wish things were more secure like asking me for Touch ID if the Mac has that to open keychain.

I use Proton Mail on my phone and it lets me set it to use Touch ID before opening the app. Sorry to get away from keychain but I just wish it would ask for our user password even to open the app. I guess I always want more security than less.

Like how that person in recent news had someone see their password on their phone and was able to change their iCloud password and lock them out. I don’t think iOS asked for anything when changing the email, like asking for Touch ID first.

I think it comes down to apple and the image they want to give. How everything just works. When it comes to passwords and security, most people think are an inconvenience or a nuisance. I’m the opposite.

I do sync keychain but not really for any passwords, I use 1password for that. I know some people use keychain to store all their passwords but that never seemed like an option for me due to it not having enough security. Or security I want like having to enter something like a master password before opening keychain.

My Mac has the T2 chip also and always been a bit confused about what it handles. I know a bit but it’s already disappeared come and gone or is built into the M series now. So much keeps changing so fast lately. I wish things would settle down a bit.

LikeLiked by 1 person
- 5
  
  Udo Thiel on August 7, 2023 at 10:29 am
  
  Your Mac has a T2 chip and you use 1Password instead of keychain because you think keychain is not having enough security? So you assume 1Password has better security than keychain. Do you have any documentation on which your assumption is based on?
  
  LikeLiked by 1 person
  - 6
    
    SarahB on August 7, 2023 at 1:50 pm
    
    It’s not I think keychain is less secure than 1password. Just that 1password is a password manager so has more of what I need. Such as the ability to store one time passwords that have a time sensitive access or notes and other things.
    
    When I open 1password it just asks for my master password compared to keychain which just opens. But I know there are other levels of security in keychain. I just never viewed it as a place to keep all my passwords and things. Just my personal choice not assumption.
    
    LikeLiked by 1 person
    - 7
      
      Udo Thiel on August 7, 2023 at 4:57 pm
      
      I’m not a keychain expert, but I’m pretty sure that you can sotre notes in it. Not sure about arbitrary data though.
      
      LikeLiked by 1 person
    - 8
      
      hoakley on August 7, 2023 at 6:55 pm
      
      Secure notes have been a feature of file-based keychains for some years now, and work well. However they’re not arbitrary data. I’d argue that a keychain isn’t the right place to store arbitrary data, which should instead be in encrypted storage.
      Howard.
      
      LikeLike
- 9
  
  hoakley on August 7, 2023 at 11:12 am
  
  Keychains are locked, and the circumstances in which they can be unlocked are strictly controlled. Furthermore, as I explained above, the fact that your login keychain is automatically unlocked when you log in doesn’t give all apps free access to the secrets it holds.
  If every app and process had to prompt for access to any item in a keychain every time, you’d spend all your time on your Mac entering passwords. The whole purpose of keychains is to limit what access is provided, and to ensure that only legitimate access is given when it’s permitted.
  Anything that relies on Touch ID is also working through a keychain, and not one of the file-based keychains like login, but the single Data Protection keychain that you share in iCloud. Proton Mail is thus no more secure than any other app that relies on your shared keychain.
  The T2 chip in your Mac contains a Secure Enclave that is required for Touch ID, and protects the keychain you share in iCloud. Although the Secure Enclave in Apple silicon chips is more secure than that, they’re both highly robust and trustworthy, and every bit as secure as on iPhones – it’s all the same technology and protection.
  Howard.
  
  LikeLiked by 1 person
  - 10
    
    SarahB on August 7, 2023 at 1:47 pm
    
    Thank you, I did understand what you wrote. I know if someone has physical access in person to my device then it’s much worse if I don’t log out. I always check that box that says require an administrator password to access system wide settings, so I’m used to entering it a lot. But I know what you mean.
    
    I know someone would need to get into my account to see anything. I’ve just always been a bit paranoid from being in hacker forums years ago but I feel macOS is safer. I don’t have Touch ID on any Mac I have just my phone. Nice how it is on more mac’s now though.
    
    I like how now the main system container is separate from our user one also. Sorry if I gave the impression nothing is secure. I just tried viewing something in keychain like a screen sharing credential and it did ask for my password before showing me it. Guess I’ve just been using so many older versions of macOS I get confused but happy things are safer now.
    
    LikeLiked by 1 person
11

Udo Thiel on August 7, 2023 at 10:24 am

Excellent article, as always. One thing I don’t understand is why are some people using a 3rd party app like 1Password instead of iCloud keychain (cross-platform users excluded)? If you don’t trust Apple, then don’t use their products! And if you don’t trust Apple, why trust 1Password?

LikeLiked by 1 person
- 12
  
  Julien on August 7, 2023 at 11:10 am
  
  For my part, I use 1Password mainly because you can store much more than just passwords (software licenses, notes, documents, etc.). Shared safes are also a must for my wife and me. There’s also the multi-platform aspect
  
  LikeLiked by 1 person
  - 13
    
    hoakley on August 7, 2023 at 11:16 am
    
    There are completely free ways of storing similar information in macOS without paying anyone a monthly subscription. While some of them aren’t accessible to Windows, they do work fine across all Apple’s computers and devices.
    Howard.
    
    LikeLike
- 14
  
  hoakley on August 7, 2023 at 11:13 am
  
  Thank you.
  I agree. Particularly since 1Password started using Electron I wouldn’t touch it.
  Howard.
  
  LikeLike
  - 15
    
    SarahB on August 7, 2023 at 1:59 pm
    
    Sorry to reply again, just wanted to mention when I say I use 1password on here I’m still using the pre-electron version 7. Never used their electron app or site since I never could store my vault offline anymore. It’s still been getting updates but not sure how much longer I will be able to use it. Sad how they turned to electron and a subscription.
    
    LikeLiked by 1 person
    - 16
      
      hoakley on August 7, 2023 at 3:55 pm
      
      Ah, I understand. The last time that I wrote a group test of password managers was just as 1Password was about to launch version 8. It was a bitter experience, as it’s impossible to verify objectively how well-protected your secrets are with these firms. My recommendation was by far the best app, but just a few months after the review was published, they suffered a major security breach, the result of bad design decisions on their part. You simply never can tell.
      Howard.
      
      LikeLike
17

Brian on August 8, 2023 at 5:37 pm

Thank you for the overview. Two questions please. My keychain has thousands of entries going back 8 years, and probably 80% of it is iMessage Encryption and Signing keys. Upgrading to the latest OS and transferring important user data, brings all these entries. Is there any problem with ignoring the keychain that never shrinks, or a good way to manually delete entries? It seems safest to ignore it.

Apple’s Keychain might do the job for managing website logins, but the organization and interface isn’t the easiest, especially for seniors. For a 1Password 6-7 replacement, Enpass has the closest interface that I’ve found, offline syncing, and still a $100 lifetime license purchase option. But their tech support never responds to new tickets asking basic questions, so I haven’t bought it. And I’m not sure how great it is that Enpass is owned by Atlassian. Do you have any thoughts on Enpass, or another alternative to consider for? Where could I read your old password manager review? Thank you.

LikeLiked by 1 person
- 18
  
  hoakley on August 8, 2023 at 9:30 pm
  
  If the keychain ain’t broken, then I wouldn’t touch those old keys. As it’s an SQLite database, it should cope just fine with them. You can delete entries in Keychain Access if you want to, but I’m sure you have other and better things to do.
  My password manager group test was published in MacLife and MacFormat. After writing it, I decided that I wouldn’t use one even if it was free. Apple has improved that in macOS considerably, and with the coming of Passkeys it’s getting better all the time.
  Howard.
  
  LikeLike
  - 19
    
    Eve Rought on August 10, 2023 at 3:11 pm
    
    Thank you, Howard, for this helpful article.
    
    You differentiate ‘file based keychains’ (*.keychain-db files) and ‘data protection keychains’ (the keychain-2.db file).
    
    Are both of them SQLite Databases?
    
    Are the encryption parameters known for them? Like:
    Is AES-128 or AES-256 or something else used to encrypt the secrets in the database?
    What is the encryption key derivation faction (KDF)? Argon2? Parameters?
    
    Why exactly is the ‘data protection keychain’ more secure? In the end both are ‘files’ after all. Is it just because the database key is stored in the secure enclave and probably of higher entropy then your logon password (or any other typical password)?
    
    LikeLiked by 1 person
    - 20
      
      hoakley on August 10, 2023 at 9:16 pm
      
      Thank you.
      It’s not my differentiation, but Apple’s. You can read more details about their differences in the TN I have referenced. While they are both SQLite databases, the way in which they work is different. But most importantly, file-based keychains can still be accessed using older APIs that are less controlled. Only the more recent SecItem API can access DP keychains, and that uses app entitlements as part of its access controls.
      Apple provides limited details of their internals in the Platform Security Guide link that I have given. For example: “Keychain items are encrypted using two different AES-256-GCM keys: a table key (metadata) and a per-row key (secret key). Keychain metadata (all attributes other than kSecValue) is encrypted with the metadata key to speed searches and the secret value (kSecValueData) is encrypted with the secret key. The metadata key is protected by the Secure Enclave but is cached in the Application Processor to allow fast queries of the keychain. The secret key always requires a round trip through the Secure Enclave.”
      That refers to the DP keychain; I don’t see any equivalent description of file-based keychains there, for comparison.
      Howard.
      
      LikeLike
    - 21
      
      Eve Rought on August 12, 2023 at 11:05 am
      
      _File bases Apple keychains:_
      
      It looks like the passwords/secrets are encrypted, whereas the metadata like websites, URLs apps names, account names or numbers or other information are stored in clear text easily readable with TextEdit.app. This seems like a big NO-NO to me. Where I have what bank account or what apps I use is already sensitive data I my eyes. People were really upset, when it became public, that Lastpass did the same.
      
      As you write, the access to the files in ~/Library/Keychains/ is not protected. Any program intentionally or accidently exposing these .keychain-db files to someone else, may not expose the passwords itself but a lot of sensitive information about the user.
      
      Another thing that users should consider is this: If you chose a somewhat shorter password for your modern Mac, because of file vault and the limited number of tries a potential attacker has, realize that the security of limited tries does not apply to brute forcing your ~/Library/Keychains/login.keychain-db.
      
      _KeePass databases (KeePassXC, Strongbox, KeePassium):_
      
      As far as I know, KDBX 4 file are encrypted as a whole. So I would assume, as long as you don’t have the password or break this encryption otherwise there is absolutely no information retrievable from a KDBX file. A huge advantage.
      
      _Data protection Apple keychains:_
      
      When looking inside the keychain-2.db file with TextEdit.app or a SQLite Viewer, it doesn’t seem to be so chatty like the file based key chains. A few hints on some apps I use I cloud find as clear text. From what you cite from Apple’s TN I assume other metadata ist encrypted by the metadata key (table key).
      
      If I understand you, Howard, and the technical notes from Apple correctly, every password/secret in the data protection key chain can only be decrypted by and inside the secure enclaves associated with the particular user and is secured with a per row key. This sounds indeed even more secure than the KeePass procedure, where (I assume) the whole KDBX 4 file is decrypted to RAM by the application processor. If the data protection key chain is designed in a way that only the requested password at a particular instant is decrypted, this seems to be another huge advantage over the KeePass approach.
      
      Now I wonder about the following: If the data protection key chain is end to end encrypted like described, and the ends are “my” secure enclaves, how do I back up my passwords/secrets. Let’s say my Mac and my iPhone are simultaneously destroyed in a fire. I that scenario a time machine backup in a remote location would not help me to retrieve any of my passwords, right?
      
      LikeLiked by 1 person
    - 22
      
      hoakley on August 12, 2023 at 8:59 pm
      
      Thank you.
      I’m sure that you’re correct over the metadata in file-based keychains. They date back well into the last century, when encrypting secrets was quite novel. The good news is that for many years now nothing should use file-based keychains for items with potentially sensitive metadata. Internet and other passwords are almost invariably stored in the DP keychain – that’s been true of Safari for a good number of years, for instance.
      Look through the login keychain of any recent Mac (without a load of legacy junk from the past) and you’ll hardly see anything of use to the malicious. Most of mine are key pairs (of no use whatsoever, as the metadata is the public not private key), certificates, and the few passwords used by processes run by launchd, which are of no consequence. They’re dead easy to steal – you don’t need an app to expose them. But malicious apps exfiltrating them are in for a big disappointment. And exfiltration is the only way that they could be obtained in practice: you can’t share them, and without the FileVault password, you can’t gain access to their encrypted volume either. Good luck to anyone wasting their effort brute-forcing them.
      So if you want access to a user’s internet passwords, passkeys, etc., then the only way now is to break into the DP keychain. AFAIK despite a lot of effort, that’s never been achieved on a Mac with a Secure Enclave.
      DP keychains are backed up by most backup utilities, including Time Machine. While I’ve not tried restoring one, I don’t see why you shouldn’t be able to.
      If your destroyed Mac and iPhone are sharing a DP keychain, then that’s by putting the keychain into iCloud. Chances are that your backups are destroyed anyway, and your solution is to connect your replacement Mac/iPhone to your iCloud account, so that it will sync down your keychain. With 2FA, if your designated device(s) have been destroyed, then you’re going to be talking to Apple about signing the replacement into iCloud. That’s the same problem and solution as with any cloud-based keychain.
      Howard.
      
      LikeLike
23

cpragman on August 9, 2023 at 10:06 am

One practice that is possible is to make a separate keychain for things you don’t want unlocked by your logon password. Since it’s not unlocked automatically at login, accessing any secure item there requires a deliberate intentional act by the user. You can set it to auto-lock again after a short amount of time.

This can be useful for things like banking passwords, recovery questions and answers for really important accounts (stored in a secure note), or public and private signing certificates for encrypted email.

LikeLiked by 1 person
- 24
  
  hoakley on August 9, 2023 at 10:58 am
  
  Logging on is also a deliberate intentional act, at least if you have FileVault enabled, when logging in without a password is prohibited. That’s much better protection, as it applies to everything.
  As you can only normally store those items in file-based keychains, which aren’t as secure as the Data Protection keychain, I don’t encourage people to amass private keychains containing those data. They’re not protected by biometrics or the Secure Enclave, and can be accessed by weaker older APIs.
  For really important secrets, you’re better off using a modern app that uses the Data Protection keychain – which includes Notes, I believe, and all Safari’s passwords and passkeys. It’s a common fallacy that you’re better of trying to manage internet passwords independently, which you’re not, as you can only readily store them in a file-based keychain. The simple test is that if an item is shared in the iCloud Keychain, then it’s well protected; if it’s only accessible locally, then it’s not as secure. That may appear counter-intuitive, but has been tested and confirmed.
  Howard.
  
  LikeLike
25

et2infinity on August 14, 2023 at 4:58 pm

Some more useful info on keychains https://support.passware.com/hc/en-us/articles/4573379868567-A-Deep-Dive-into-Apple-Keychain-Decryption

LikeLiked by 1 person
- 26
  
  hoakley on August 14, 2023 at 6:58 pm
  
  Thank you.
  Howard.
  
  LikeLike
27

Michele Galvagno on October 23, 2023 at 8:08 pm

Forgive me, but I don’t understand why you would create keychains for Microsoft and Adobe apps. What would you store in there and what would they serve? Also, why would they benefit from being separated from the main keychain?
Thanks

LikeLiked by 1 person
- 28
  
  hoakley on October 23, 2023 at 8:13 pm
  
  I didn’t create those – Microsoft, Adobe and Parallels apps did. I strongly suspect that you’ll find at least one Adobe keychain on your Mac.
  Apps create them for different reasons. Normally it’s for them to store secrets, and you aren’t allowed to know their password. So by using their own keychain, they can lock you out.
  Howard.
  
  LikeLiked by 1 person
  - 29
    
    Michele Galvagno on October 23, 2023 at 8:16 pm
    
    Interesting that apps are allowed to do that by Apple. Thanks for explaining!
    
    LikeLiked by 1 person
    - 30
      
      hoakley on October 23, 2023 at 8:24 pm
      
      I don’t see why Apple should prevent it – it’s one of the purposes of traditional keychains. However, they can’t create the new type of keychain, as only one is permitted. Should Apple ever do away with old file-based keychains, I suspect they’ll have to reinvent them.
      Howard.
      
      LikeLiked by 1 person
    - 31
      
      Michele Galvagno on October 23, 2023 at 8:25 pm
      
      Well… you mentioned that they could lock the user out by using their own keychain, so I’m surprised this is something allowed. But sure, these are needed things, in one way or another.
      
      LikeLiked by 1 person