Mac and iOS Keychain Tutorial: How Apple’s iCloud Keychain Works

You need passwords to log into websites and services, and it’s hard to remember them. Since it’s a bad idea to use the same password for each different website — because if one site is compromised, hackers will have an email address and password that they can try on other sites — you need to ensure that your passwords are different, and hard to crack. (A recent episode of the Intego Mac Podcast talks about password strategies.)

Your Macs and iOS devices have a “keychain,” which is an encrypted file that stores your passwords and some other information. This file syncs via iCloud, so you can use the same passwords on all your devices. Here’s how Apple’s iCloud keychain works.

Read the rest of the article on The Mac Security Blog.

14 thoughts on “Mac and iOS Keychain Tutorial: How Apple’s iCloud Keychain Works”

    • I’ve never tried, but I would have assumed you could just copy the folder from one Mac to another. Perhaps you can’t as a security protection; the keychain files might have the device’s UUID in them, as a precaution. This said, if you use the Migration Assistant, they certainly get copied; I did this a couple of months ago when I updated my laptop.

  1. Kirk,

    When I migrated to a new MacBook it was completely lost. OK, let’s assume I can’t fully solve that riddle; I just copied the local items passwords to a new keychain folder under the same login tree.

    I had to enter my password over 250 times but it is done.

    In your opinion, no matter what the issues are with this Local Items folder, the new keychain folder I created, let’s call it “High Sierra”, this new one should show up when I upgrade from Yosemite to High Sierra, correct?

    Question 2:

    When I am ready to migrate to a new machine, would this “High Sierra” folder again show up and not be tied to this possible UUID issue that the local items folder might have?

    Question 3:

    Obviously the problem with Question 2 is that even if the answer is yes, I’ll have to manually copy all new password entries or changes, unless

    Is there a way to delete the local items folder completely and have Safari exclusively use my newly created “High Sierra” folder or at the very least have Safari only add website passwords to the login folder?

    If there are no definitive answers to the above three questions, then I must find an alternative Mac password manager that allows for local, non-cloud-only use, a free version, and either a way to migrate my keychain passwords or at least the ability to visit each website and have the new app update once Safari autofills the keychain password.

    This aspect of MacOS should work in a more simple and intuitive fashion.

    Thanks for your help.

    • I don’t think you should have created a new folder, you should just copy the keychain files into the correct location (/Library/Keychain in your user folder). Did you put them someplace else? Also, did you try opening them by double-clicking them?

  2. Kirk,

    I think you are addressing my first problem, the lost keychain, that was never solved, I had to rebuild and change all of my passwords, that is over.

    Now fast forward, I’m on Yosemite with the new local items folder and over 200 websites/passwords, functioning fine except if I lose this folder on the upgrade to High Sierra, it would be another disaster.

    The local items folder is in the correct location but according to my research on the web, Apple does not treat it as a keychain file when it is saved which might be why it does not migrate.

    This is why I created a new folder within my user login keychain folder; I’m just trying to confirm if this new folder will remain untouched. Perhaps if I use Finder, Get Info, I will see a different extension on the local items folder, and as long as my new folder has the same extension as my login folder, it won’t disappear.

    And I know I can solve this by using the Cloud, but I really hate the Cloud, so if possible I’m trying to find a non-cloud solution.

    Again thanks for your time, I figured if anyone could figure out a MacOS quirk, your experience might trigger an idea.

  3. Well one positive development is that when I go to Finder, User Library, Keychains folder I see the new “High Sierra” folder among the login folder, system folder, certificates folder.

    And as usual no Local Items folder so this leads me to believe that the newly created High Sierra folder will survive.

  4. Safari now stores its passwords in the “Local Items” keychain. Unfortunately, this keychain isn’t stored as ~/Library/Keychains/.keychain like the rest of the keychains. It’s stored as ~/Library/Keychains//keychain-2.db, which is a SQLite database containing mostly encrypted data. Apple’s SecKeychain routines cannot access this data, so we cannot import from it. We are unable to override Apple’s obscuring of these passwords.

    The above is from LastPass explaining why they can’t import from the local items folder, and is why many people think you can’t migrate this folder to a new machine without turning on iCloud.

    And yes, it is located within my keychains folder but behind two separate UUID numbered folders, one probably being the lost Mavericks local items folder and the other being my current Yosemite local items folder.

    When I had my original problem, even when I found the old UUID folder on a Time Machine backup, it would not open or transfer to my current Keychain. Almost as if Apple is forcing you to use iCloud with Keychain.

  5. Kirk,

    How would a subfolder look? I don’t believe what I did was create a subfolder; if you look at my keychain, it runs down straight:

    login
    system
    local items
    system roots
    etc.

  6. I probably should not have used the word folder; I just created another keychain section or file and copied/pasted all of the local items into the newly named High Sierra section.

  7. Kirk,

    OK, perhaps this can benefit your readers. I upgraded to High Sierra, a fairly smooth upgrade; everything seems to run faster than Yosemite, although I still have to download that Spectre security update. But as far as Keychain goes:

    After the initial install, the Local Items folder was present, for some reason there was an additional 40 passwords, my newly created High Sierra keychain was present.

    But when I restarted, crazy, the Local Items keychain lost everything, thank God the High Sierra keychain kept everything. Now when I visit a Safari site it asks to unlock the High Sierra keychain and I just have to click the always allow when it asks if the particular site can use Keychain’s confidential information.

    But again, why would Keychain just dump the local items section and remove all of my saved passwords?

    • I still don’t understand what you did. Why didn’t you simply copy the Keychains folder to the new Mac? It sounds like you thought making new keychains was somehow better, but that’s not how it works.

  8. Kirk,

    Because you simply can’t copy the local items section of your keychain to either a new Mac or the same Mac with an upgraded macOS.

    The first time this happened to me it was a new Mac, this time it was a new OS, I followed the directions here:

    https://github.com/lifepillar/CSVKeychain

    I copied my Local Items passwords to a new Keychain section as a precaution, and if I had not, all 280 or so of my passwords would have been lost. Even if you back up your original keychain to an external drive, your local items section won’t copy over to a new Mac or OS.

    Now if anyone else is experiencing this, what will happen going forward is that none of your old websites and passwords will move to the new blank Local Items section until you change the password of a particular site, then you will have to copy that password and manually update your alternative section.

    Same thing applies if you create a new username/password at a new site, it will automatically dump into the Local Items section.

    So clearly Apple either does not care and only wants you using iCloud for a reliable Keychain UI, or they have dropped the ball, but I’ll use this workaround until I can find a password manager that is:

    Free
    Allows Local Only use (No Cloud option)
    And will auto update every time I visit a website, in other words after Keychain autofills the password, the non Apple password manager will accept it and save it.

    So far it looks like Enpass might fit this bill, but Apple’s Keychain is one glaring example of either their recent inattention to macOS or their arrogant way of trying to force you into their iCloud system.

  9. And one thing to understand: everything I have is under the umbrella of one keychain. Look at your login keychain; it contains sections, the iCloud or Local Items if you don’t use iCloud, etc. If you add another section it is still part of the original login keychain.

    It is not technically a “new” keychain. This is the macOS defect: all I did was migrate or update my OS, and all of my other settings survived, for Safari etc., but if you don’t use iCloud, Apple does not allow you to bring over or copy your Keychain without messing with it big time.
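An added check, written for this page and not taken from the article, the comments or LastPass, that inventories a Keychains directory and separates the legacy single-file keychains (which a plain copy of the folder carries over) from the UUID-named Local Items directory holding keychain-2.db that the LastPass note quoted in the thread describes. It takes the directory as an argument so it can also be pointed at a Time Machine copy; the sample directory and UUID names it builds are constructed placeholders for running the check anywhere.

```shell
#!/bin/sh
# Added example: classify what lives in a Keychains directory. Legacy
# keychains are single files (*.keychain or *.keychain-db). The "Local
# Items" store is a UUID-named directory holding keychain-2.db, the SQLite
# database the quoted LastPass note says SecKeychain routines cannot read,
# so it is the part that a plain copy of the folder does not bring over.

# Print one line per entry: "legacy", "local-items" or "other" plus its name.
# Exit status 0 if at least one Local Items store was found, 1 otherwise.
inventory_keychains() {
    dir="${1:-$HOME/Library/Keychains}"
    found_local=1
    for entry in "$dir"/* "$dir"/.[!.]*; do
        [ -e "$entry" ] || continue        # skip unmatched glob patterns
        name=$(basename "$entry")
        case "$name" in
            *.keychain|*.keychain-db)
                printf 'legacy       %s\n' "$name" ;;
            *)
                if [ -f "$entry/keychain-2.db" ]; then
                    printf 'local-items  %s/keychain-2.db\n' "$name"
                    found_local=0
                else
                    printf 'other        %s\n' "$name"
                fi ;;
        esac
    done
    return "$found_local"
}

# Number of Local Items stores. More than one means stale UUID directories
# from earlier OS installs are still present, as the commenter observed.
count_local_items() {
    inventory_keychains "$1" | awk '/^local-items/ { n++ } END { print n + 0 }'
}

# Constructed sample directory so the check can be exercised on any system;
# the UUID names are placeholders, not real values. On a Mac, call
# inventory_keychains with no argument to inspect ~/Library/Keychains.
make_sample_dir() {
    d=$(mktemp -d)
    touch "$d/login.keychain-db" "$d/metadata.keychain-db"
    mkdir -p "$d/AAAA0000-SAMPLE-UUID-0001" "$d/BBBB0000-SAMPLE-UUID-0002"
    touch "$d/AAAA0000-SAMPLE-UUID-0001/keychain-2.db"
    touch "$d/BBBB0000-SAMPLE-UUID-0002/keychain-2.db"
    printf '%s\n' "$d"
}
```

Pointing `inventory_keychains` at a backup before an upgrade shows which stores a folder copy will preserve and which passwords live only in the Local Items database.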
