hoakley June 19, 2024 Macs, Technology

Does Sequoia’s Password app change keychains?

Way back in the days of Classic Mac OS, Apple decided to provide system-level support for the secure storage of passwords, making it far easier to manage and use unguessable passwords by storing them in a secure database, the keychain. From the moment you log into your Mac until you log out again (and, for some services, even when there’s no user logged in at all), it depends on keychains.

Traditionally these have been kept as files in Keychains folders in each of your Mac’s Library folders, where they store, access and manage secrets, including passwords for various purposes, security certificates, private keys, and secure notes. The master is the keychain opened automatically at login, the login keychain.

In OS X 10.9, iCloud keychains were introduced to Macs from iOS devices. Those have always been different; for a start, while Macs have multiple keychains, iOS only has one, and from the outset that single keychain is designed to be stored in iCloud and protected by the Secure Enclave. Apple refers to these two types as file-based and Data Protection keychains.

login keychain

For each user, their default personal file-based keychain is the login keychain, located in ~/Library/Keychains/login.keychain-db. This is unlocked automatically when the user logs in as it has the same password as that user account. It’s here that each user should store their certificates, secure notes, etc. for general use on that Mac.

Although kept unlocked, readable and writeable while the user is logged in, that doesn’t guarantee access to its contents. If an app makes a call to the macOS security system to retrieve a stored password for its use, that system determines whether the app is trusted to access that information, and whether that keychain is locked. Assuming the password is stored there, the app is trusted, and the keychain is unlocked, then the password is retrieved and passed back to the app. If the app isn’t trusted or the keychain is locked, then the security system, not the app, displays a distinctive standard dialog asking for the password to that keychain to authenticate before it will provide the password to the app.

The user cannot choose which apps the security system treats as trusted. That is decided by the security system itself, which grants specific access to an app and to individual items in that user’s keychain. At its most restrictive, the system can prevent every other app from accessing a particular secret in the keychain, but specific secrets can also be shared across several different apps.

System keychains

For the system, there are two vital groups of keychains:

  • in /System/Library/Keychains, in the SSV, are SystemRootCertificates and others providing the set of root security certificates for that version of macOS;
  • in /Library/Keychains is the System keychain and others providing certificates and passwords required for all users, including those to gain access to that Mac’s Wi-Fi connections.

Custom keychains

Apps and users are also able to create their own keychains. Among those I have on my Macs are shared keychains with Parallels virtual machines, several for Microsoft apps, and some for Adobe’s products. I also tend to make a copy of the login keychain from my last Mac and copy it across under another name to ~/Library/Keychains, so that if I happen to have left any important certificates or passwords behind when migrating to a new Mac, I should be able to find them there.

Although these additional keychains may be included in the keychain search path that macOS consults when looking for a secret, unlike the login keychain they’re normally kept locked. If I or an app want access to them, I’ll be prompted for that keychain’s password. For old login keychains, that’s just my old login password from that Mac, of course.

One of the biggest security problems with file-based keychains is that they’re relatively easy for malware to exfiltrate and, given suitably powerful hardware, to brute-force access to their contents.

Data Protection keychain

Since OS X 10.9, Macs have also had one and only one Data Protection keychain that’s accessed using a different API. If you share your keychain in iCloud, this is the local copy of that shared keychain and is known as iCloud Keychain; if you don’t share it in iCloud, then it’s known as Local Items instead. The local copy of this is normally stored in ~/Library/Keychains/[UUID]/keychain-2.db, where the UUID is that assigned to that Mac.

The Data Protection keychain stores all the standard types of secret, including internet and other passwords, certificates, keys and passkeys, but not normally secure notes. Prior to macOS 11, it only synchronised internet passwords using iCloud, but from Big Sur onwards it synchronises all its content, including passkeys, which have now become first class citizens. Unlike file-based keychains, secrets in the Data Protection keychain can be protected by the Secure Enclave, and can therefore be protected by biometrics including Touch ID, and Face ID on iOS and iPadOS. Hence they’re required for passkeys, which don’t appear to be supported by traditional file-based keychains.
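The following Swift is an added illustration of the two APIs described above; it is example code written for this page, not Apple’s code and not something from the article. It stores and reads back a generic password first in the file-based login keychain and then in the Data Protection keychain. The service and account names are constructed. Setting kSecUseDataProtectionKeychain is what routes a call to the Data Protection keychain, and the access control created with .userPresence is what binds that item to a Touch ID or password check; the status codes returned by the reads correspond to the dialogs the security system would otherwise show. It is assumed to run inside a code-signed app with an application identifier, which the Data Protection keychain checks for on macOS.

```swift
import Foundation
import Security
import LocalAuthentication

// Constructed identifiers for this demonstration; not values from the article.
let demoService = "com.example.keychain-demo"
let demoAccount = "demo-user"

/// Attributes identifying our item in either kind of keychain.
/// Without kSecUseDataProtectionKeychain the item lives in the default
/// file-based keychain, normally ~/Library/Keychains/login.keychain-db.
/// With it set, the same call is routed to the single Data Protection
/// keychain (Local Items, or iCloud Keychain when shared in iCloud).
func baseQuery(useDataProtection: Bool) -> [CFString: Any] {
    var query: [CFString: Any] = [
        kSecClass: kSecClassGenericPassword,
        kSecAttrService: demoService,
        kSecAttrAccount: demoAccount,
    ]
    if useDataProtection {
        query[kSecUseDataProtectionKeychain] = true
    }
    return query
}

/// Stores a password, replacing any earlier copy.
/// A Data Protection item also gets an access-control object requiring
/// user presence (Touch ID, or the account password), a policy the
/// file-based keychain cannot attach to an item.
/// Assumption: for the Data Protection path the process is a signed app
/// with an application identifier; an unsigned script is refused.
func storePassword(_ password: String, useDataProtection: Bool) -> OSStatus {
    var attrs = baseQuery(useDataProtection: useDataProtection)
    // Remove a stale copy so SecItemAdd does not fail with errSecDuplicateItem.
    SecItemDelete(attrs as CFDictionary)

    attrs[kSecValueData] = Data(password.utf8)
    if useDataProtection {
        var error: Unmanaged<CFError>?
        guard let access = SecAccessControlCreateWithFlags(
            kCFAllocatorDefault,
            kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
            .userPresence,
            &error
        ) else {
            return errSecParam
        }
        attrs[kSecAttrAccessControl] = access
    }
    return SecItemAdd(attrs as CFDictionary, nil)
}

/// What a read attempt came back with, in the terms the article uses:
/// the security system, not the app, decides whether the caller is
/// trusted and whether to put up its own dialog.
enum ReadOutcome {
    case found(String)
    case notFound
    case accessDenied    // caller not trusted, wrong keychain password, or policy failed
    case userCancelled   // the system's dialog was dismissed
    case lockedNoUI      // keychain locked or policy unmet, and the caller forbade any UI
    case other(OSStatus)
}

func readPassword(useDataProtection: Bool, allowUI: Bool = true) -> ReadOutcome {
    var query = baseQuery(useDataProtection: useDataProtection)
    query[kSecReturnData] = true
    query[kSecMatchLimit] = kSecMatchLimitOne
    if allowUI {
        // Reason text for the system's authentication prompt on a Data
        // Protection item; the prompt itself is drawn by the security system.
        let context = LAContext()
        context.localizedReason = "Read the demo password"
        query[kSecUseAuthenticationContext] = context
    } else {
        // Fail instead of prompting, the mode code with no user session needs.
        query[kSecUseAuthenticationUI] = kSecUseAuthenticationUIFail
    }

    var result: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &result)
    switch status {
    case errSecSuccess:
        if let data = result as? Data, let text = String(data: data, encoding: .utf8) {
            return .found(text)
        }
        return .other(errSecDecode)
    case errSecItemNotFound:          return .notFound
    case errSecAuthFailed:            return .accessDenied
    case errSecUserCanceled:          return .userCancelled
    case errSecInteractionNotAllowed: return .lockedNoUI
    default:                          return .other(status)
    }
}

// The same operations routed to each kind of keychain.
for dataProtection in [false, true] {
    let kind = dataProtection ? "Data Protection" : "file-based login"
    let status = storePassword("demo-secret-value", useDataProtection: dataProtection)
    print("\(kind) keychain: store status \(status)")
    print("\(kind) keychain: read -> \(readPassword(useDataProtection: dataProtection))")
}
```

Run from a signed app, the first pass writes to login.keychain-db and reads back without any prompt, because that keychain is unlocked and the app that created an item is trusted to read it; the second pass writes an item protected individually by its access control, and the read brings up the system’s Touch ID or password prompt rather than anything drawn by the app. Calling readPassword with allowUI: false returns .lockedNoUI instead of prompting, which is the behaviour that matters for code running without a user to answer a dialog.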

Tools

Prior to Sequoia, the best way to work with passwords and passkeys stored in a Data Protection keychain has been the Passwords section of System Settings, or its equivalent in Safari’s Settings. In macOS Sequoia, those are due to be replaced by a new Passwords app, looking much like one of the better third-party password managers.

The bundled tool for working with file-based keychains is the Keychain Access app, together with some of the features of the security command tool. As it appears unlikely that the new Passwords app will be able to work with the login and other file-based keychains, Sequoia is expected to retain Keychain Access, although you might find it moved away from its current location in /Applications/Utilities, into hiding.

Future

Currently macOS still supports keychains in their original Classic Mac OS format, and file-based keychains remain in wide use. As they can never provide the same level of security as Data Protection keychains, and can’t benefit from biometrics or the Secure Enclave, Apple is moving on to Data Protection keychains as much as possible. The Passwords app looks to be a good step in that direction, particularly for those who share their Data Protection keychain in iCloud.

Apple still has one significant problem to solve: code such as LaunchDaemons and LaunchAgents that don’t run in a user context, but through launchd, can’t currently access a Data Protection keychain, and must rely on file-based keychains. Traditional keychains aren’t going away yet.

References

Apple TN3137: On Mac keychain APIs and implementations
Apple Keychain Services


22 Comments
  1. Walt on June 19, 2024 at 8:29 am

    Protection keychain can be protected by the Secure Enclave, and can therefore be protected by biometrics including Touch ID, and Face ID on iOS and iPadOS.

    What about M* or T2 Macs with Touch ID capabilities?

    • hoakley on June 19, 2024 at 8:37 am

      Yes, that’s what I wrote. Touch ID applies to those Macs and devices that support it, while Face ID is only available on certain iOS and iPadOS devices.
      Howard.

  2. Will Carson on June 19, 2024 at 11:32 am

    This change in location of keychains has me a bit worried if, for instance, the caches are accidentally erased. That has happened and requires knowing where the lost password is located.

    “Sequoia is expected to retain Keychain Access, although you might find it moved away from its current location in /Applications/Utilities, into hiding.”

    How would you then locate a password if it will be in a hidden different location?

    • hoakley on June 19, 2024 at 12:30 pm

      There’s no indication that any keychains are being relocated, however the Keychain Access *app* looks likely to move from its current location in /Applications/Utilities. That’s standard Apple practice in this situation.
      Only in exceptional circumstances should users ever have to know the location of keychains anyway. Currently, you edit the DP keychain using the Passwords settings or its equivalent in Safari’s Settings, and you edit the file-based keychains using Keychain Access. So long as those apps, and the apps that use keychains, know how to access them, that’s all that should be important to the user.
      While macOS might cache keychain contents (I very much doubt that it does, though), caches are intended to be emptied. It’s the original keychains that are important, and should remain perfectly good in Sequoia, or we’re all in deep trouble!
      Howard.

  3. bwillius on June 19, 2024 at 2:46 pm

    So we now have 2 apps to use instead of one? And I have to make another fork like for Settings/Preferences?

    I haven’t looked at Sequoia, yet, because my internet connection is crap at the moment.

    • hoakley on June 19, 2024 at 3:12 pm

      Going from what Apple has shown, there should be two apps, although few will need to use anything other than the new Passwords app.
      The Passwords app is based on what is currently in Password settings, and Safari settings, and is the one that gives access to all the commonly used passwords, passkeys, etc., in the DP keychain. Although Keychain Access has given access to those, it’s not a patch on a proper app, and from the looks of it, the Passwords app should be in the same league as (e.g.) the 1Password app, only native, not Electron.
      For those who still need access to their login and other file-based keychains, I don’t see Keychain Access going away, but it’s most likely to be hidden away from the casual user. I still use that, e.g. for my Apple dev certificates, which I don’t think can go in the DP keychain.
      If the Passwords app proves as good as it looks, the great majority of users will only ever use that, and I don’t think Apple intends giving that access to file-based keychains, which would make it really messy and confusing.
      Howard.

  4. gurple on June 19, 2024 at 3:54 pm

    This presumed slow deprecation of the file-based keychain stores has me wondering what the correct means of migrating that data to Data Protection keychains is.

    There’s a lot of cruft that’s built up in there as my accounts have migrated to new machines over twenty years.

    • hoakley on June 19, 2024 at 5:24 pm

      The simplest way is to copy and paste usernames and passwords from Keychain Access to the new Passwords app. As file-based keychains can’t store passkeys, which would be more complex, it’s a bit tedious but straightforward. There’s no rush to do that, and it may be simpler to let them migrate over time.
      Howard.

      • gurple on June 19, 2024 at 8:09 pm

        That’s mostly the approach I’ll be taking. Though the entries I mostly think of are all the private keys and credentials for objects like NAS filers or certificate identities, etc.

        • hoakley on June 20, 2024 at 5:38 am

          Private keys and credentials are a bit different, and I don’t see that they should migrate to any password manager. Maybe in the fullness of time they might.
          Howard.

  5. Maurizio on June 20, 2024 at 8:10 am

    Thank you very much for spending time on this topic. I still have some curiosities. If I understand, the Data Protection keychain continues to be managed via an encrypted database, but the key does not correspond to the login password but is managed via an enclave (unlocked by Touch ID). I was wondering what happens when you migrate a profile to new hardware (via Migration Assistant): will the UUID change and a new key be generated? Since the database is still stored in a local file, what prevents an attack similar to that on the “classic” keychain in the event of exfiltration?

    • hoakley on June 20, 2024 at 8:54 am

      AFAIK the big difference here is that a file-based keychain is encrypted as a whole, so brute-force attack is feasible, and will then reveal the entire contents. Individual items like passkeys are encrypted individually in the DP keychain, so are much harder to break.
      Howard.

  6. Jerry on June 22, 2024 at 10:43 am

    What is better with working with passwords in the “Passwords section of System Settings” than Keychain? I have maybe used that section once or if it was in Safari. In Keychain I know I will find all passwords (which I know I cannot do at least in Safari) and can conveniently sort them by date which is normally the most important thing apart from seeing the password.

    • hoakley on June 22, 2024 at 4:13 pm

      Wait until you use the new app, which also gives access to passkeys. Keychain Utility is primitive and far less capable when working with DP keychains.
      Howard

  7. Лёша Захарченко on September 6, 2024 at 8:36 am

    Hi, what way can you recommend to correctly and fully back up all data from the Data Protection keychain? For the passwords I use CSV export in System Settings → Passwords on Mac, but what about secure notes and certificates? Is the only option to copy and paste them one by one? And how can people w/o a Mac deal with backups?

    • hoakley on September 6, 2024 at 9:06 am

      As far as I’m aware, as the local copy of that keychain lies within the scope of regular backups made by Time Machine and many third-party backup utilities, then using one of those should back it up fully. It’s also straightforward to check that it’s in your backups.
      If you want to export its contents for storage or use elsewhere, then you will have to resort to manual export methods, which are painful and tedious.
      By far the easiest option is to use Keychain in iCloud, then any Mac or device that connects to that iCloud account can share them too.
      Howard.

  8. User on November 8, 2024 at 11:14 am

    Thanks Howard. Maybe I missed it, but for me it seems that my regular saved passwords (say for websites) have migrated to Passwords and are no longer available in Keychain Access. Any details on when and how this happened? (I’m on Mac OS 15.1)

    • hoakley on November 8, 2024 at 3:15 pm

      If they’re saved for websites using Safari, then they’re saved to the Data Protection (alias iCloud Shared) keychain, as they long have been. Although you can access that in Keychain Access, you should avoid doing so, preferring to use the new Passwords app instead.
      However, app passwords and similar that have always been saved to the login keychain remain there, and you can edit those using Keychain Access.
      Howard.

      • User on November 8, 2024 at 5:37 pm

        Thanks, that’s my surprise Howard, Safari passwords are no longer in Keychain Access (since, I think, Mac OS 15). 🤔

        • hoakley on November 8, 2024 at 5:38 pm

          That’s what the Passwords app is for, and why Keychain Access is hidden away.
          Howard.

  9. samuel harris on November 10, 2024 at 5:27 pm

    Another thing that has changed is Secure Notes. I haven’t been able to find anything about Secure Notes in iCloud Keychain being deprecated… but it certainly has. You can no longer create new entries. I guess there is no easy way of moving these notes out of keychain? We will just have to copy and paste into the Notes app or elsewhere.

    • hoakley on November 10, 2024 at 11:05 pm

      Other comments suggest that you can still add Secure Notes, but I don’t know how. It might be worth contacting Apple Support.
      Howard.
