Keychain is a password management system for macOS and iOS that was originally released with Mac OS 8.6 back in 1999 as a way of holding passwords, private keys, certificates and secure notes in encrypted files on the machine. Since then, Keychain has expanded to Apple’s mobile devices and synchronizes keychain files between devices through iCloud. This Tech 101 article explains the functions of Keychain in macOS Sierra as well as how to access and edit Keychain files.
What Does Keychain Store?
Keychains were originally developed in the early 1990s for use with an Apple email system called PowerTalk. The idea was that PowerTalk could communicate with many mail servers and online services, so it would use a keychain file to hold user authentication information within the application to automatically and securely log the user into the variety of services. With the creation and release of Mac OS X in the early 2000s, Keychain became part of the operating system and was used to hold much more information.
Keychain can hold passwords for websites, web forms, FTP servers, SSH accounts, network shares, Wi-Fi networks, groupware apps, encrypted disk images and more. The passwords are dynamically linked to a particular user’s login password, so that when the user logs into a Mac, all of the various accounts and passwords are made available to the operating system and select applications. Keychain also manages root certificates, keys, and secure notes.
Where Can The Keychain Files Be Found On My Mac?
Under macOS Sierra, the keychain files are stored in
/Network/Library/Keychains/. These files are viewed and edited through an application called Keychain Access, found in the Utilities folder in the Applications folder. There’s also a command line equivalent to Keychain Access:
These keychain files store several data fields including a title, URL, notes and password. While the title, URL and some other fields are plaintext, the passwords and Secure Notes are encrypted with Triple DES.
Common keychains include login, iCloud, System and System Roots. The login keychain is unlocked upon login, while the other keychains can be unlocked by clicking on their icons in Keychain Access, clicking on the “lock” icon, and then entering the administrative password for the Mac.
What Can I Use Keychain Access For?
Since it holds a lot of important information, the Keychain Access app should be used sparingly. However, it’s a useful place to recover passwords that you may have forgotten, get details on secure certificates, and to keep secure notes that you don’t want anyone to see.
In the screenshot seen above, I’ve launched Keychain Access and I’m currently looking at the unlocked login keychain. It shows a number of application, network, internet and web form passwords; public and private keys used to encrypt/decrypt messages, and certificates.
Let’s say that there’s a password that I’ve totally forgotten and haven’t stored somewhere else, like in a third-party password management application. For this example, I’ve misplaced my password for an old ftp server, so I scroll through the list until I find an entry for ftp.im4macs.com that is tagged as “Internet password”. Double-clicking the entry, the following window appears:
See the field at the bottom that says “Show password”? Check the box next to it, and a dialog appears asking for the login keychain password — that’s going to be the password you use to log into your Mac. Type it in, then click “Allow”, and the password becomes visible in the field next to the checkbox:
If I’d like to create a new password for that FTP site (of course, I’d have to change it on the FTP server as well), clicking the key icon at the far right of the password field displays the Password Assistant, which can be used to create new and very difficult to break passwords. Here, I’ve told it to create a “memorable” password of 20 characters length:
Twenty characters is pretty long, and it has suggested “burro7:astrophysical” as a password. Clicking the Save Changes button in the Attributes window saves the newly-generated password.
One other common use of Keychain Access is to create secure notes. Of course, you can also create password-protected notes in the Notes application on Mac and iOS, but people know to look in Notes for “notes”. Not many people would think of looking in the Keychain Access utility for secure notes.
To create a secure note, click the item marked “Secure notes” under Category in the left sidebar of the Keychain Access window, then click the + sign at the bottom of the window. Type in a name for the Keychain Item, type in your note (see image below), and then click Add to store it as an encrypted secure note in your login keychain.
As part of our ongoing series on macOS Server, I’ve discussed the need to have certificates issued in order to secure your server. That can be done with Keychain Access. Although the process involved is rather detailed and beyond the scope of this post, note that by going to the Keychain Access menu and selecting Certificate Assistant, it’s possible to create certificates for yourself and for others (see image below):
What About That iCloud Keychain?
If you use use iCloud Keychain to synchronize passwords between all of the Apple devices you have tied to one iCloud account, then you can use Keychain Access to see what those passwords are by clicking on the iCloud item under “Keychains” in the left sidebar, then going through the process described earlier in this post to reveal a forgotten password.
Want to see the same information on an iOS device? There’s no Keychain Access utility for iOS, but just launch Settings, scroll down to Safari, then tap on Passwords. You’ll need to use Touch ID or your passcode to obtain access, but the next thing you’ll see is a list of websites for which you have stored passwords (see image below):
Tapping any one of those entries reveals a page showing the user name used on the website, the password, and the original website URL.
A Word Of Warning
Since Keychain contains so many passwords, encryption keys, certificates, and more, it’s not something that should be played with without a lot of respect. Don’t delete any entries unless you really know what they’re used for, don’t delete full keychains, and if you’re asked to verify any changes, think twice before committing to them.