Understanding the Mac OS X Keychain

Online services, banking, social media, encrypted hard drives, everything wants to know your password before allowing you access.

My list of login credentials is growing slowly and remembering them is not possible anymore. With the advance of the internet and the world of IT becoming so ubiquitous, security policies require stronger and stronger passwords that often need changing.

Well, Apple has the answer to that problem – Keychain.

The Apple Keychain Utility has been around since Mac OS 9. Its deep integration into the system allows us to work without having to enter passwords to access resources. It just makes my life so much easier without sacrificing security. The types of data stored in the Keychain are WiFi network passwords, credit card numbers, website passwords, certificates and secure notes.

All keychain data is stored on the hard drive of my computer. I know it is safe because the keychain data itself is an encrypted database. To unlock the keychain, I will need to know my keychain password which is also my login password.

I hope everyone understands the importance of this password. Anyone who knows it and can gain access to your Mac can unlock your keychain and access all this sensitive data. This is why it has to be a strong one.

Over the years, I have seen people using passwords like “apple”, “password” or even a blank password. Well, you can guess the risk taken by that. So, please, use a stronger one and don’t write it down where people can easily find it.

Where is my data and how do I access it?

The keychain data is stored in ~/Library/Keychains/, /Library/Keychains/, and /Network/Library/Keychains/. The first location is where my personal keychain is stored. To view that data, I need the Keychain Utility located in the Utilities folder in the Applications folder.

I like using Spotlight to access the Keychain Utility as it only takes a few keys to get there – click on the Spotlight icon in the top right corner and type “keychain”. Spotlight is quick and will predict what you are looking for and put it at the top of the search results, so you don’t even need to type the whole word. Once you open it, you have access to your Keychain.

Understanding Local Keychain Files

I will briefly explain the purpose of the most important files in these directories.

/Users//Library/Keychains/login.keychain – This keychain is created when your user account in Mac OS X is created and normally has its password synchronised with your login password. It is unlocked at login and locked at logout. This is where most of your passwords will end up. Its password is changed when you change your login password, or manually using the Keychain Access utility.

/Users//Library/Keychains/ – UUID stands for Unique User ID – This identifier does not match your OS UUID. It is created when the account is created. This is where your iCloud keychain is stored; if the service is not enabled, it appears as “Local Items” and is renamed to “iCloud” when the service is enabled. The iCloud keychain service allows passwords and other types of data from it to be synchronised with your other Apple devices like your iPad, iPhone or another Mac. The only requirements are that all these devices use the same Apple ID account, and that the OS supports the iCloud keychain service (Mac OS X 10.9 and above, iOS 7.0.3 and above).

/Library/Keychains/System.keychain – The System keychain stores items that are accessed by the OS and shared between users, to allow, for example, everyone on the Mac to connect to a WiFi network. Only administrators can change its content.

/Library/Keychains/FileVaultMaster.keychain – This file is created by the system when the FileVault encryption service is enabled on your Mac. The OS manages its content.

/System/Library/Keychains/ – This is another location that can store loads of keychain files. Its content is managed by the system and other applications. Most of them will not appear in the Keychain Access utility; however, all users benefit from them.

iCloud Keychain

A major change to the Keychain was the introduction of the iCloud Keychain. This is my favourite feature because it takes all iOS-compatible keychain entries and uploads them securely to your Apple ID account. This not only allows all your compatible devices to access usernames and passwords, but also keeps them safe in the form of a backup in case of a disaster. I know my data is safe, as a 2-step verification process is activated automatically, allowing you to set an additional code and SMS verification from another device.

The Keychain Access Utility

The Keychain Utility is located in the Utilities folder in the Applications folder. Your password is not required to open it, however, if you want to view a password of any of its items, you will be prompted for your login password.

When you double-click on an entry, the window will display its Attributes and Access Control parameters. These attributes include the name and type of the service, network location or application the entry is for, your username if one exists, and a field for the password, which appears blank until the “Show password:” box is ticked and you authenticate. The Access Control tab will show you what is allowed access to that specific entry, with a few adjustments available.
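The same attributes can be read outside the GUI: macOS ships the `security` command-line tool, and `security find-generic-password -g -s <service>` dumps an entry's attributes as `"name"<blob>="value"` lines. As an added example that is not part of the original post, the shell helper below pulls one field out of such a dump; the dump it runs against is constructed here, and the line format is an assumption about the `-g` output, not something the post documents.

```shell
#!/bin/sh
# Added example, not from the original post. Extract one field from the
# attribute dump printed by `security find-generic-password -g` on macOS.
# On a real Mac the helper would be fed the command's combined output
# (the password: line goes to stderr), for example:
#   security find-generic-password -g -s example-service 2>&1 | keychain_field acct

keychain_field() {
    # $1: field name (an attribute such as acct or svce, or a header such as
    #     keychain or password); stdin: the -g dump. Prints the value, or an
    #     empty line for an attribute that is <NULL>.
    awk -v key="$1" '
        # attribute line, e.g.:   "acct"<blob>="alice"
        $0 ~ ("^[ \t]*\"" key "\"<blob>=") {
            sub(/^[^=]*=/, "")                      # keep only the value
            if ($0 == "<NULL>") $0 = ""; else gsub(/^"|"$/, "")
            print; exit
        }
        # header line, e.g.:   password: "s3cret"   or   keychain: "/Users/..."
        $0 ~ ("^" key ": ") {
            sub(/^[^:]*: /, "")
            gsub(/^"|"$/, "")
            print; exit
        }'
}

# Constructed sample dump in the shape `security find-generic-password -g`
# produces (values are made up).
SAMPLE='keychain: "/Users/alice/Library/Keychains/login.keychain"
version: 512
class: "genp"
attributes:
    0x00000007 <blob>="example-service"
    0x00000008 <blob>=<NULL>
    "acct"<blob>="alice"
    "desc"<blob>=<NULL>
    "svce"<blob>="example-service"
password: "s3cret-example"'

printf '%s\n' "$SAMPLE" | keychain_field acct     # prints: alice
printf '%s\n' "$SAMPLE" | keychain_field svce     # prints: example-service
```

Reading the password field on a real Mac still triggers the same keychain authorisation prompt that Keychain Access shows for “Show password:”, so a script cannot silently bypass that step.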


Troubleshooting

There may be times when the keychain gets corrupted, and you cannot access your data. Fortunately, the Keychain Access application has a built-in repair tool called Keychain First Aid that can be accessed from the Keychain Access menu. The tool requires your keychain password to allow you to verify and rebuild it and will only work on keychains you own as a user.

So, what do you think? Feeling a bit more comfortable with the idea of trusting machines with your passwords over your notepad? I certainly do myself.

14 Replies to "Understanding the Mac OS X Keychain"

  • MonkeyT

    In the Keychain Utility Preferences is the option to add a keychain status indicator and menu to the menu bar. You can lock or unlock the primary keychain, lock the screen without “logging out” and launch the Keychain Utility at will.

  • pam

    Interesting article and I think I have started to understand how keychains work! Please, please, please write me a very simple way of organising a keychain… like Step 1, Step 2 and so on.

    Also tell me how I find out if I already started a keychain when I bought my Mac over 5 years ago as I do remember trying to understand it all ages ago. I tried to learn at AppleStore too, but it all went over my head.

    Maybe a Simple Organisational Chart method would work, preferably a horizontal layout?

    • Hi Pam,

      One method you may find useful is creating a few keychains and moving entries around.

      How to create a new keychain:
      1. Open Keychain Access utility
      2. From the File menu choose New Keychain. Give it a name and choose where on the Mac to store it.
      3. Enter a password for the keychain; it will be used to encrypt the data inside the keychain. It will appear under Keychains in Keychain Access.
      4. Click on the login keychain and drag and drop the entries you would like to move to the new keychain
      5. You can lock and unlock your new keychain either from the button above the keychains list or from the context menu with a secondary click over it.

      Every time you add a new entry to the keychain, from Safari for example, it will be added to your Login Keychain, which is your default keychain, and you have to move it to the desired keychain manually.

      I hope this helps, Pam.

  • Matthias

    Great article – very helpful. But I have two questions on it: First, is there a difference to OS X Server in the certificate store locations or management? On Windows Server there are much more stores etc.

    And are there access controls for certificates? When I click on Get Info on a certificate I see no Access Control tab where I can allow or deny applications to access them. Is this by default only for keys and passwords and notes and not for certificates? Because certificates are bound to the private key, so if the private key did not allow the usage, the certificate will not be used, too?

    thanks!

  • Hi Matthias,

    The keychain data is stored in the same location regardless of the version of the OS (the last few major releases). The entries are shared with applications of the system including the Server app. Certificates are also stored in the keychain.

    In Keychain Access, you can choose which services the certificate can be trusted for.

  • Tried to print these pages but most print comes out too light. Very difficult to read. My printer, Epson WF-3640, is not the problem. Help.
    I’ve had my iMac since 2012 and never heard about Keychain until recently. Also got an iPad…no iPhone.
    Wanted to print this out to help me understand Keychain access.

  • Thank you for good info. I have always kept track of my pwds in a spreadsheet. Not very secure but it only resides on my personal computer and I can view it easily enough for reference. Is there a way to format my spreadsheet to enable easy importing into keychain? There are many pwds I use that aren’t integrated with my browser and/or don’t originate on my computer…like for work stuff. I’m hoping there’s an easier way than manually creating new items in keychain.

    Thanks

  • Now that Apple has dispensed with the Keychain First Aid feature in its Keychain Access, is there anything that can be done for buggy keychain issues? I notice in my console log innumerable keychain access calls and errors, but I don’t know how to fix them.

  • Is there a way to query the iCloud Keychain using the security command-line utility? security find-generic-password will pull items from the (local) login keychain but I’m trying to find a way to create keychain entries that are sync’ed between all of my Macs and can be parsed on the command-line. (it’s for a small utility that will mount encrypted filesystems on top of cloud storage.)

    Thanks!
