Posted on 24th February 2015 by Ivaylo Mihaylov

Understanding the Mac OS X Keychain

Online services, banking, social media, encrypted hard drives, everything wants to know your password before allowing you access.

My list of login credentials is growing slowly and remembering them is not possible anymore. With the advance of the internet and the world of IT becoming so ubiquitous, security policies require stronger and stronger passwords that often need changing.

Well, Apple has the answer to that problem – Keychain.

The Apple Keychain Utility has been around since Mac OS 9. Its deep integration into the system allows us to work without having to enter passwords to access resources. It just makes my life so much easier without sacrificing security. The types of data stored in the Keychain utility are WiFi network passwords, credit card numbers, website passwords, certificates and secure notes.

All keychain data is stored on the hard drive of my computer. I know it is safe because the keychain data itself is an encrypted database. To unlock the keychain, I will need to know my keychain password which is also my login password.

I hope everyone understands the importance of this password. Anyone who knows it and can gain access to your Mac can unlock your keychain and access all this sensitive data. This is why it has to be a strong one.

Over the years, I have seen people using passwords like “apple”, “password” or even a blank password. Well, you can guess the risk taken by that. So, please, use a stronger one and don’t write it down where people can easily find it.

Where is my data and how do I access it?

The keychain data is stored in ~/Library/Keychains/, /Library/Keychains/, and /Network/Library/Keychains/. The first location is where my personal keychain is stored. To access their data, I need the Keychain Utility located in the Utilities folder in the Applications folder.

I like using Spotlight to access the Keychain Utility as it only takes a few keys to get there – click on the Spotlight icon in the top right corner and type “keychain”. Spotlight is quick and will predict what you are looking for and put it at the top of the search results, so you don’t even need to type the whole word. Once you open it, you have access to your Keychain.

Understanding Local Keychain Files

I will briefly explain the purpose of the most important files in these directories.

/Users//Library/Keychains/login.keychain – This keychain is created when your user account in Mac OS X is created and normally has its password synchronised with your login password. It is unlocked at login and locked at logout. This is where most of your passwords will end up. Its password is changed when you change your login password or when you change it using the Keychain Access utility.

/Users//Library/Keychains/ – UUID stands for Unique User ID – This identifier does not match your OS UUID. It is created when the account is created. This is where your iCloud keychain is stored, but if the service is not enabled, it will appear as “Local Items” and be renamed to “iCloud” when the service is enabled. The iCloud keychain service allows passwords and other types of data from it to be synchronised with your other Apple devices like your iPad, iPhone or another Mac. The only requirements are that all these devices are using the same Apple ID account, and the OS supports the iCloud keychain service (Mac OS X 10.9 and above, iOS 7.0.3 and above).

/Library/Keychains/System.keychain – The System keychain stores items that are accessed by the OS and shared between users to allow, for example, everyone on the Mac to be able to connect to a WiFi network. Only administrators can change its content.

/Library/Keychains/FileVaultMaster.keychain – This file is created by the system when FileVault encryption service is enabled on your Mac. The OS manages its content.

/System/Library/Keychains/ – This is another location that can store loads of keychain files. Its content is managed by the system and other applications. Most of them will not appear in the Keychain Access utility; however, all users benefit from them.
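
The locations and roles described above can be turned into a quick inventory, which is handy when reviewing a Mac or a mounted disk image. This is an added example, not part of the original post; the function names, the role labels, the optional root argument and the use of /Users/<name> as the home directory location are assumptions.

```shell
#!/bin/sh
# Added example: inventory keychain files in the locations this article names.
# The role labels below are made up for this sketch.

classify_keychain() {
    # $1 is a path relative to the inspected root, e.g. /Library/Keychains/System.keychain
    case "$1" in
        # Trailing * also matches the -db suffix used by later macOS releases.
        /Users/*/Library/Keychains/login.keychain*)  echo "user-login" ;;
        # Files inside a per-user subdirectory (the UUID-named folder).
        /Users/*/Library/Keychains/*/*)              echo "user-local-items-or-icloud" ;;
        /Users/*/Library/Keychains/*)                echo "user-other" ;;
        /Library/Keychains/System.keychain)          echo "system-shared" ;;
        /Library/Keychains/FileVaultMaster.keychain) echo "filevault-master" ;;
        /System/Library/Keychains/*)                 echo "os-managed" ;;
        /Network/Library/Keychains/*)                echo "network" ;;
        *)                                           echo "other" ;;
    esac
}

inventory_keychains() {
    # $1: optional root (assumption), e.g. the mount point of a disk image,
    # given without a trailing slash. Empty means the running system.
    root="${1:-}"
    for dir in "$root"/Users/*/Library/Keychains \
               "$root/Library/Keychains" \
               "$root/Network/Library/Keychains" \
               "$root/System/Library/Keychains"; do
        # Skip locations that do not exist (or an unmatched glob).
        [ -d "$dir" ] || continue
        # Unreadable directories (other users' homes) are skipped quietly.
        find "$dir" -type f 2>/dev/null | sort | while IFS= read -r f; do
            rel="${f#"$root"}"
            printf '%s\t%s\n' "$(classify_keychain "$rel")" "$rel"
        done
    done
}

# Usage: inventory_keychains            (running system)
#        inventory_keychains /Volumes/Image   (hypothetical mount point)
```

Each output line is a role label, a tab, and the path; run it as an administrator if other users' home folders should be included.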

iCloud Keychain

A major change to the Keychain was the introduction of the iCloud Keychain. This is my favourite feature because it takes all iOS compatible keychain entries and uploads them securely to your Apple ID account. This not only allows all your compatible devices to access usernames and passwords but also keeps them safe in the form of a backup in case of a disaster. I know my data is safe as a 2-step verification process is activated automatically, allowing you to set an additional code and SMS verification from another device.

The Keychain Access Utility

The Keychain Utility is located in the Utilities folder in the Applications folder. Your password is not required to open it, however, if you want to view a password of any of its items, you will be prompted for your login password.

When you double click on an entry, the window will display its Attributes and Access Control parameters. These attributes include the name and type of the service, network location or the application the entry is for, your username if one exists, and a field for the password which appears blank until the “Show password:” box is ticked and you authenticate. The Access Control tab will show you what is allowed access to that specific entry with a few adjustments available.

Troubleshooting

There may be times when the keychain gets corrupted, and you cannot access your data. Fortunately, the Keychain Access application has a built-in repair tool called Keychain First Aid that can be accessed from the Keychain Access menu. The tool requires your keychain password to allow you to verify and rebuild it and will only work on keychains you own as a user.

So, what do you think? Feeling a bit more comfortable with the idea of trusting machines with your passwords over your notepad? I certainly am.