9 Replies Latest reply: Jul 25, 2009 8:22 AM by Barney-15E
thomas_r. Level 7 Level 7 (30,460 points)
I hate to admit being less well-versed in the Keychain than I ought to be, but I just don't usually pay it much attention. I don't trust it with any of my really important passwords, but not for any real reason other than that I don't know enough to know how safe it is.

I just got a couple certificates for a couple e-mail addresses through Thawte, and now find myself with several questions:

• How secure is the keychain that unlocks at login? Assuming that I have logged out, is there any way for someone who steals my laptop to get access to the stuff in that keychain? I would hope that resetting the account password would not also reset the keychain password!

• In Keychain Access, I see two public keys, both simply titled "Key from www.thawte.com", with no other identifying information. The private keys are similarly titled, but seem to have an association with the certificate that has the e-mail address as its name. How can I tell which public key goes with which private key?

• If I want to distribute my public keys to colleagues, on a web site or via e-mail, how do I do that? It looks like I can export to a .pem file (the other options are grayed out) which contains an RSA Public Key block. Do I just e-mail/upload that file, or the text, or what?

Thanks in advance for the help!

17" MacBook Pro, Mac OS X (10.5.7)
  • CMCSK Level 6 Level 6 (10,600 points)
    Have you tried Apple Knowledge Base Support for answers? http://support.apple.com/kb/index?page=search
  • thomas_r. Level 7 Level 7 (30,460 points)
    Yes, I've been searching various sources, including that one, to find answers to these questions with no success.
  • Barney-15E Level 8 Level 8 (42,670 points)
    • How secure is the keychain that unlocks at login? Assuming that I have logged out, is there any way for someone who steals my laptop to get access to the stuff in that keychain?

    They can go to the sites or services tied to a keychain entry, and if you have Safari set to remember usernames and passwords, they will fill in. You can show the password from keychain access, but you must enter the password to see the individual passwords, unless you set it to Always Allow when you look at it.
    I would hope that resetting the account password would not also reset the keychain password!

    It doesn't.
    • In Keychain Access, I see two public keys, both simply titled "Key from www.thawte.com", with no other identifying information. The private keys are similarly titled, but seem to have an association with the certificate that has the e-mail address as its name. How can I tell which public key goes with which private key?

    I'm not sure on that one.
    • If I want to distribute my public keys to colleagues, on a web site or via e-mail, how do I do that? It looks like I can export to a .pem file (the other options are grayed out) which contains an RSA Public Key block. Do I just e-mail/upload that file, or the text, or what?

    If you sign an email, it will send the public key with the email.
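The question of which exported "Key from www.thawte.com" public key belongs to which private key is left open above. A public key and its private key share the same RSA modulus, so comparing moduli (or a fingerprint of the modulus) pairs them. The following is an added example, not code from any poster or from Apple: it parses the PKCS#1 "RSA PUBLIC KEY" / "RSA PRIVATE KEY" PEM blocks that Keychain Access exports, using only the standard library, and groups the files by modulus. The keys inside it are constructed textbook-sized toys, not real keys.

```python
import base64, hashlib, re

def der_len(n):                      # DER length, short or long form
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b
def der_int(v):                      # INTEGER; the extra leading byte keeps it positive
    b = v.to_bytes((v.bit_length() + 8) // 8, "big")
    return b"\x02" + der_len(len(b)) + b
def to_pem(label, *ints):            # SEQUENCE { INTEGER ... } in a PEM envelope
    body = b"".join(der_int(i) for i in ints)
    b64 = base64.b64encode(b"\x30" + der_len(len(body)) + body).decode()
    return f"-----BEGIN {label}-----\n{b64}\n-----END {label}-----\n"

def read_tlv(buf, pos):              # -> (tag, value bytes, position after value)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def modulus_of(pem):
    """RSA modulus n from a PKCS#1 'RSA PUBLIC KEY' or 'RSA PRIVATE KEY' PEM block."""
    m = re.search(r"-----BEGIN (RSA (?:PUBLIC|PRIVATE) KEY)-----(.*?)-----END \1-----", pem, re.S)
    tag, body, _ = read_tlv(base64.b64decode("".join(m.group(2).split())), 0)
    if tag != 0x30:
        raise ValueError("expected a SEQUENCE")
    ints, pos = [], 0
    while pos < len(body):
        t, val, pos = read_tlv(body, pos)
        if t != 0x02:
            break                    # e.g. otherPrimeInfos in a multi-prime private key
        ints.append(int.from_bytes(val, "big"))
    # RSAPublicKey = {n, e}; RSAPrivateKey = {version, n, e, d, p, q, dP, dQ, qInv}
    return ints[1] if m.group(1) == "RSA PRIVATE KEY" else ints[0]

def fingerprint(n):                  # short SHA-256 of the big-endian modulus bytes
    return hashlib.sha256(n.to_bytes((n.bit_length() + 7) // 8, "big")).hexdigest()[:16]

def pair_keys(pems):
    """Group PEM blocks by modulus fingerprint; blocks in one group form one key pair."""
    groups = {}
    for name, pem in pems.items():
        groups.setdefault(fingerprint(modulus_of(pem)), []).append(name)
    return groups

# Constructed textbook-sized keys (p=61,q=53 and p=11,q=13); real keys are 2048 bits or more.
SAMPLE = {
    "pubkey_1.pem":  to_pem("RSA PUBLIC KEY", 3233, 17),
    "pubkey_2.pem":  to_pem("RSA PUBLIC KEY", 143, 7),
    "privkey_a.pem": to_pem("RSA PRIVATE KEY", 0, 143, 7, 103, 11, 13, 3, 7, 6),
    "privkey_b.pem": to_pem("RSA PRIVATE KEY", 0, 3233, 17, 2753, 61, 53, 53, 49, 38),
}
```

To use it on real exports, read each .pem file into the dictionary in place of SAMPLE; `pair_keys` then reports which public and private files share a modulus, and the same fingerprint can be compared against the certificate's subject public key.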
  • thomas_r. Level 7 Level 7 (30,460 points)
    They can go to the sites or services tied to a keychain entry, and if you have Safari set to remember usernames and passwords, they will fill in.

    I don't use autofill... but, wouldn't the keychain fail to unlock if someone reset my account password? Because then the password to unlock the keychain is different from the account password. Am I wrong on that?

    If you sign an email, it will send the public key with the email.

    What if I want to let someone send me an encrypted message, though? They'd have to have my public key first. Is sending a signed e-mail the best way to give someone that key?
  • Barney-15E Level 8 Level 8 (42,670 points)
    If you use the Install disk to reset the password, it doesn't change the keychain password. However, once they have an admin login, they can change the user account password which will change the password of the keychain. I'm not sure what would happen if you used a different password for your keychain.

    Based on this article (http://support.apple.com/kb/HT1274), I would say if your account was the only administrator account, then they couldn't use this technique to access your keychain.

    From the limited experience I've had with other email programs, I think sending a signed email works well as the program knows to keep the public key and it is then tied to your email address.

    I really don't know what to do with someone's public key if they sent it to me. Somehow I'd have to link it to them, and I don't know how. Perhaps Keychain Access can walk you through, but I don't know.
  • thomas_r. Level 7 Level 7 (30,460 points)
    Okay, after a bit of playing around and more research, I think my questions are mostly answered. E-mailing signed messages seems to be the easiest way of sending a public key. I tested sending messages between Mail on Leopard and Thunderbird on a Windows Vista machine, and signed e-mails sent both ways ended up adding a public key transparently, without any user interaction needed. No downloading and importing necessary. Which makes my concern about which public key is matched with which private one a bit academic. It still bothers me that I don't know, but I can live with it if I don't have to export them.

    From what I've managed to find out about the keychain, if you reset the account password, you still need to know what the old password was to open the keychain. This is according to the following article (which I found a link to in the one you referred me to):

    http://support.apple.com/kb/HT1631

    I'm feeling a bit better about leaving these in my login keychain, but I am a little concerned at the discrepancy between this and your statement that an admin account can reset another account's keychain password. This doesn't affect me, as I only have one account (yeah, I know, I should have a second one), but I am a bit nervous about the uncertainty. Any other ideas here, or should I start doing some testing on my old PowerBook G4?
  • Barney-15E Level 8 Level 8 (42,670 points)
    Your questions created some doubt in my mind. I think some testing is required unless someone can confirm the discrepancy.

    It seems that if you operate in a standard account, if you lose control of your Mac, someone can use an install disk to change the admin password. This won't change the admin keychain password, but the admin can then go in and change the standard user password which will change the login keychain for that user.
  • thomas_r. Level 7 Level 7 (30,460 points)
    It seems that if you operate in a standard account, if you lose control of your Mac, someone can use an install disk to change the admin password. This won't change the admin keychain password, but the admin can then go in and change the standard user password which will change the login keychain for that user.

    Okay, I did some testing. It turns out that, when resetting a standard account's password from an admin account, it actually warns that it will not reset the keychain password. Testing confirms... the keychain is not unlocked automatically, and you are unable to look at any of the items in the keychain without entering the old password.

    I'm a little bothered that you can see what's in the keychain at all... even if you can't see/use the passwords, you can still see that there's a password stored for, say, a GMail account or a Skype account. However, all this has reassured me that even a keychain that unlocks at login is pretty secure, as long as you don't leave your Mac sitting around logged in where other people you don't trust can get access to it.
  • Barney-15E Level 8 Level 8 (42,670 points)
    Thanks, Thomas, that is good information to know.