
A Look at Keychain Access (and Why You Should Care)

Messing About with Keychains

Like lots of other files on your computer, a keychain can be messed up by user actions, or simply become corrupted. If a user has inadvertently changed the default keychain, you might need to make use of the Keychain First Aid feature. Under the main Keychain Access menu, you'll see a First Aid command. In the resulting panel, you can choose to either verify or repair a selected keychain. This won't always fix the problem, but it's worth a try.



In cases where a keychain is somehow corrupted, even Keychain First Aid is unlikely to be any help. You're better off just starting fresh with a new keychain. In the Preferences panel, click the Reset My Keychain button. The old one will not be deleted, but simply shunted to one side to make room for the new default keychain. This new one will be empty of passwords, of course, so you'll have to do a lot of remembering to add them all back in again.

Keychains can be moved from one computer to another. You can, if you wish, copy a keychain from your computer's ~/Library/Keychains folder to another machine, and import it into Keychain Access there. You'll still need to enter the password to make use of it, of course.

Having moved a keychain, imported one from another machine, or created several, you might wish to use one of the new ones as your default instead of login.keychain, which was created for you automatically. This is easy: in Keychain Access, choose File -> "Make Keychain [name] Default" (where [name] is the keychain you have selected), and it's done.

Changing share settings in Keychain List

Keychains can also be shared among users. If you've got several user accounts on one machine, and want all of those users to have access rights to a server or other network resources, you can select the appropriate keychain in the Keychain List (hit Option+Apple+L, or click Edit -> Keychain List) and check the box in the Shared column.

The Bad News

Back to the beginning.

The bad news is that if you have your computer automatically set up to log you in at startup, some of the security offered by Keychain Access is thrown away.

By default, when the computer boots and asks for a password, Keychain Access provides it and unlocks your default user keychain in the process. Your computer completes the boot and login process, and displays your desktop. Your personal keychain file has been unlocked during login, and remains unlocked until you log out.

Unless you go into the Keychain Access preferences (not a System Prefs panel, as you might expect, but the preferences within the Keychain Access application itself) and change the default behavior.

Change that default behavior

By unchecking the widget that says "Set login keychain as default," you prevent the keychain automatically unlocking itself when you log in to the machine, and potentially add an extra layer of protection between your data and Evil Bob.

The Good News

The good news is that there are simple ways to give yourself a little extra security.

Simply by setting up your computer to insist that you log in manually every time, you make it a slightly more secure machine.

Another security precaution is to change your default keychain password to something that does not match your login password. That way, your keychain will not be unlocked when you log in to the machine.

If you choose to go down this route, you may quickly run into one of the disadvantages of being over-careful about security: websites and email clients and all sorts of other applications start pestering you with dialogs, asking you to enter your keychain password every single time something needs to be done. To avoid this, return to Keychain Access' preferences panel and check the "Show Status in Menu Bar" option.

Menu Bar widget enabled

Now you've got quick, easy access to your keychain controls from the menu bar, and you can lock and unlock whole keychains without having to mess around inside of Keychain Access itself.

Note that there's also a Lock Screen command, which may come in handy if you have to leave your machine unattended for short periods of time. It will ask for your username and password before letting you get back to work.

Another good policy is to create several keychains: one for boring day-to-day stuff (this might as well be your default login.keychain file), one for Secure Notes, and extras for any passwords and certificates that you need to keep extra secure.
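The same hardening steps (a separate keychain for sensitive items, a lock timeout, a login keychain password that differs from the login password, and "Make Keychain [name] Default") can be done from the Terminal with macOS's `security` tool; this is an added example, not code from the article. It assumes the Tiger-era login.keychain file name the article uses (newer macOS versions use login.keychain-db), and "secure.keychain" and the 300-second timeout are constructed values.

```shell
#!/bin/sh
# Added example, not from the article: the same hardening done with macOS's
# `security` command-line tool instead of the Keychain Access GUI.
# Assumptions: the Tiger-era file name login.keychain used in the article
# (newer macOS versions use login.keychain-db); "secure.keychain" is a
# constructed name for the extra keychain; 300 s is an arbitrary idle timeout.
set -eu

KC_DIR="${HOME:-/tmp}/Library/Keychains"
LOGIN_KC="$KC_DIR/login.keychain"
SECURE_KC="$KC_DIR/secure.keychain"
LOCK_AFTER=300

# "Create several keychains": one for high-value passwords and certificates.
# Omitting -p makes `security` prompt, so the password stays out of shell
# history and `ps` output.
create_secure_keychain() {
    security create-keychain "$SECURE_KC"
    # Relock when the Mac sleeps (-l) and after LOCK_AFTER idle seconds (-u -t),
    # so the keychain does not stay open from login to logout.
    security set-keychain-settings -l -u -t "$LOCK_AFTER" "$SECURE_KC"
    # Add it to the user search list so applications can find its items.
    # -s replaces the list, so the current entries are read first; this
    # simple parse assumes keychain paths without spaces.
    existing=$(security list-keychains -d user | sed 's/^[[:space:]]*"\(.*\)"$/\1/')
    security list-keychains -d user -s $existing "$SECURE_KC"
}

# File -> "Make Keychain ... Default", from the shell.
make_secure_default() {
    security default-keychain -d user -s "$SECURE_KC"
}

# "Change your default keychain password to something that does not match
# your login password": with no -o/-p the old and new passwords are prompted
# for, and afterwards logging in no longer unlocks the login keychain.
decouple_login_keychain_password() {
    security set-keychain-password "$LOGIN_KC"
}

# The menu bar widget's "Lock All Keychains", for leaving the machine unattended.
lock_all_keychains() {
    security lock-keychain -a
}

# Verify the settings actually in force (lock on sleep, idle timeout).
show_secure_settings() {
    security show-keychain-info "$SECURE_KC"
}
```

Source the file and run the functions in order (create, make default, decouple, then show); every `security` call that needs a password prompts for it interactively rather than taking it on the command line.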

When using the Secure Notes feature, it's a good idea to keep each note very short and restrict it to one piece of data. Also, give each note a meaningful title, but one that does not give away the contents of the note. You can use the search field in Keychain Access to search through all items, including notes, and if you have a lot of them, you'll be dependent on the titles you've created for the search to be useful.

Giles Turnbull is a freelance writer and editor. He has been writing on and about the Internet since 1997. He has a web site at http://gilest.org.




  • Problem is with auto-login, not keychains
    2005-12-19 10:56:12  Occam [Reply | View]

    The so-called "Bad News" has nothing to do with the security offered by keychains. If you're at all concerned about your system's security, don't enable automatic login. The keychain framework is very securely designed, and there are no problems with keychains themselves. Requiring a password to log in, and using a password-protected screen lock when away from your computer, are basic precautions on any platform. The keychain framework is undeserving of this ridiculous fear-mongering.

    And no, you can't access keychain contents by simply starting up the machine in Target Disk Mode. (One wonders why that was even mentioned in this article...) You still need the keychain password.
    • Problem is with auto-login, not keychains
      2005-12-19 11:15:06  Giles Turnbull | O'Reilly Author | O'Reilly Blogger [Reply | View]

      I included advice about disabling automatic login in the 'Good News' section, just after the 'Bad News'.

      As for mentioning Target Disk Mode: just because I thought that if I didn't mention it, someone would in the comments. You're right to point out that the keychain contents are not wide open in this context, however, and I apologise if I didn't make that clear enough in the article text.
  • switching Keychains too tedious
    2005-12-19 03:57:37  magka [Reply | View]

    I've had the same idea to use several keychains for different purposes, but what drove me nuts and away from the whole Keychain system is that new passwords can only be written to the keychain currently set as "default", and that only the current default keychain can supply passwords to applications. OK, maybe that's a feature... The really bad part is that switching the default keychain is so tedious. At least it should be possible to switch the default chain from the Keychain Access menu, but indeed "it's not a terribly user-friendly bit of software". I feel I am better off with Firefox's password storage, plus an app like "Pastor". As so often with Apple software, Keychain does have a lot of potential, but missing details make it a showstopper.
  • What is the "System" keychain for, anyway?
    2005-12-17 06:16:28  ObviousTroll [Reply | View]

    Several times since upgrading to Tiger, OS X has asked me to unlock the "System" keychain.

    The only problem is that I don't know the password for the system keychain.

    Clicking Cancel on these requests seems to be harmless, but I'm still left wondering what's going on. In particular, there was one time when I rebooted my PB and the dialog asking me to unlock the System keychain appeared *before* the login panel did!

    What's up with that?
    • What is the "System" keychain for, anyway?
      2006-01-28 19:48:49  beebopado [Reply | View]

      I bought this computer off of eBay and need to know what I need to do so that I can download onto my computer. I try to download and the computer says that I don't have read and write capabilities. I would like to be able to do this but the computer will not allow it. What do I need to do to get these downloads installed? It also says I need to create a file and I cannot figure it out. Please help me out if you can.
  • Security vs usability, and tips for the paranoid
    2005-12-17 02:36:11  blech [Reply | View]

    Thanks for the article. I'm the sort of person who already has Keychain set up separately from the login password, and a machine that doesn't log in by default, but you do a good job of explaining how those things are desirable.

    A couple of points. If you want a bit more security when away from your machine, then consider switching on "Require password to wake this machine from sleep or screen saver" in the Security preference pane. It's pretty self-explanatory, I hope.

    For the truly paranoid, to prevent someone using Target Disk Mode to clone your machine, you can use Open Firmware passwords (described in this MacDevCenter article by Ian Darwin: http://www.macdevcenter.com/pub/a/mac/2003/02/18/secure_tibook.html) to prevent a user booting your machine without authorisation.

    (As a complete aside, I wonder if there'll be a similar locking mechanism on Intel Macs? If FireWire goes (which, given the way iPods have been going, it might), then maybe Target Disk Mode will go too. Which would be a big step backwards, if you ask me, although it would prevent you needing such things.)
  • FileVault
    2005-12-16 17:07:29  Roshambo [Reply | View]

    Regarding someone stealing your Powerbook and stealing all your sekret fielz, FileVault (in System Preferences > Security) can do a pretty good job at preventing this, even if someone boots up the drive in target disk mode. Well worth a look.
    • FileVault
      2005-12-17 02:35:41  LeeNoble [Reply | View]

      Although if you were that concerned about unauthorised access then you'd have set your Open Firmware password a long time ago to stop anyone utilising Target Disk Mode at all.
      • FileVault
        2005-12-19 01:35:15  nosumo [Reply | View]

        FileVault will serve you a whole lot better than the Open Firmware Password, which will be reset if a user changes the amount of the physical memory in the machine and then reboots.
        • FileVault
          2005-12-19 09:36:20  consumer [Reply | View]

          For clarification to a simpleton like myself, one can just take a stolen laptop, place it in target disk mode, and subsequently acquire all keychain info?!? egads!

          Filevault scares me. I personally make password protected images. Fortunately I have never had keychain save the passwords, so I guess my sekrits is safe!


          • FileVault
            2005-12-19 11:12:10  Giles Turnbull | O'Reilly Author | O'Reilly Blogger [Reply | View]

            Not the Keychain contents, no. Just everything else on the disk that isn't encrypted. Apologies if I gave the wrong impression.
            • FileVault
              2005-12-19 12:36:37  consumer [Reply | View]

              Ah, thanks for the response!