iCloud Keychain fails to sync on one device (out of five)

This is the first time I'm getting this behavior, so I thought I'd ask if anyone has encountered it here. My iCloud Keychain passwords were gone after a reboot on a Retina Macbook 12" 2017, so I disabled the sync, rebooted and enabled it again.


Now I get the first dozen or so passwords to show up in Keychain Access.app, but the rest of them don't, not even overnight. Disabling and re-enabling sync reproduces the problem. Passwords sync just fine to and from other devices. But on the Macbook (latest Mojave) I get only about ten of them, the rest never come.


Opening console log and filtering for "keychain" shows a ton of these rows, and they keep coming:

"SecDbKeychainItemV7: error unwrapping item metadata key (class 6, bag -3): Error Domain=SFCryptoServicesErrorDomain Code=3 "(null)""


Google doesn't provide useful answers trying to search with those terms.


A possible fix could be to disable iCloud Keychain on all devices, keeping them on one, making it reset the cloud version, and starting over on all devices, but that seems overkill and a lot of trouble. I'm not too keen on doing that.


Signing out of iCloud also results in long overnight sync operations, so not my first or second option.


Can anyone think of fixes I could do locally on this machine, something that might help? And any guesses why (if I read the log message correctly) it might have trouble "unwrapping" the secrets from the cloud keychain? What's the most complete iCloud Keychain reset I can do on a local machine, without wiping the cloud instance or messing with the other Apple devices?


Another weird behavior is that I'm unable to turn on iCloud Keychain sync authorization/security code on any of the devices. It was already on once, but now it's disabled. If I turn it on, it asks for a new 6-digit code, asks for my phone number, asks for a password, and after OKing that all and opening the dialog again, the security code is still not enabled.


Finally, receiving the iCloud Keychain authorization code seems to work in an unreliable manner. I get it maybe every 3 tries on those other devices. That's what makes it somewhat tedious to disable and then enable keychain sync to begin with.


The problem is isolated on this one Macbook. I've also got iPhone, iMac, iPad and Apple Watch. No problem (yet) with them. The Macbook was not modified in any way, this started to happen after I changed my login password and rebooted.


Login keychain password and user account password itself are in sync. For instance, I'm able to enable Apple Watch log in authorization.


All devices have the latest updates installed, always.

MacBook, macOS 10.14

Posted on Jun 20, 2019 11:30 PM
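An added example, not part of the original post: a small Python parser that tallies the unwrap error quoted above by class, bag, error domain and code, so you can see whether every failure in an exported log shares one signature. The timestamps, the `process[...]` prefix, the "class 7" line and the non-error lines in the sample are constructed for illustration.

```python
import re
from collections import Counter

# Message format quoted in the post. Only the message is parsed, because the
# timestamp/process columns depend on how the log was exported.
UNWRAP_RE = re.compile(
    r"SecDbKeychainItemV7: error unwrapping item metadata key "
    r"\(class (?P<keyclass>-?\d+), bag (?P<bag>-?\d+)\): "
    r"Error Domain=(?P<domain>\S+) Code=(?P<code>-?\d+)"
)

# Constructed sample input: timestamps, the "process[...]" prefix, the
# "class 7" line and the two non-error lines are made up for illustration.
SAMPLE_LOG = '''\
2019-06-20 23:01:12 process[311]: SecDbKeychainItemV7: error unwrapping item metadata key (class 6, bag -3): Error Domain=SFCryptoServicesErrorDomain Code=3 "(null)"
2019-06-20 23:01:12 process[311]: SecDbKeychainItemV7: error unwrapping item metadata key (class 6, bag -3): Error Domain=SFCryptoServicesErrorDomain Code=3 "(null)"
2019-06-20 23:01:13 process[311]: SecDbKeychainItemV7: error unwrapping item metadata key (class 6, bag -3): Error Domain=SFCryptoServicesErrorDomain Code=3 "(null)"
2019-06-20 23:01:14 process[311]: iCloud Keychain sync enabled (constructed line)
2019-06-20 23:01:15 process[311]: SecDbKeychainItemV7: error unwrapping item metadata key (class 7, bag -3): Error Domain=SFCryptoServicesErrorDomain Code=3 "(null)"
2019-06-20 23:01:16 process[12]: network configuration changed (constructed line)
'''


def summarize_unwrap_errors(log_text):
    """Return (Counter of (class, bag, domain, code) signatures,
    count of other lines that mention 'keychain' but are not this error)."""
    signatures = Counter()
    other_keychain_lines = 0
    for line in log_text.splitlines():
        match = UNWRAP_RE.search(line)
        if match:
            key = (int(match.group("keyclass")), int(match.group("bag")),
                   match.group("domain"), int(match.group("code")))
            signatures[key] += 1
        elif "keychain" in line.lower():
            other_keychain_lines += 1
    return signatures, other_keychain_lines


if __name__ == "__main__":
    sigs, other = summarize_unwrap_errors(SAMPLE_LOG)
    for (keyclass, bag, domain, code), count in sigs.most_common():
        print(f"{count:5d}  class={keyclass} bag={bag} {domain} Code={code}")
    print(f"{other:5d}  other keychain-related lines")
```

To use it on a real machine, save the filtered Console output to a text file and pass the file's contents to `summarize_unwrap_errors` in place of `SAMPLE_LOG`.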


6 replies

Jun 22, 2019 10:04 AM in response to tygb

I'm starting to suspect that there's a server-side issue, the keychain is somehow corrupted in the cloud. I think I might disable keychain sync on all devices, and make sure I have a backup of the resulting Login.keychain on the most current device (iMac).


Then I plan to reset the iCloud Keychain, re-enable the sync on the iMac, let it sync, and then one by one enable it on my other devices: Macbook, iPhone+Watch, iPad.


The plan is to, when asked, save the logins locally on each of those devices when I disable the cloud sync, just to be sure I end up with multiple local copies for backup purposes. And the hope is that once I enable sync on all devices, the servers can merge them successfully, as I don't want to end up with lots of duplicates in the cloud.


Let's see how it goes. I'll take a few snapshots of the Library/Keychains folder along the way.

Jun 24, 2019 5:08 AM in response to tygb

I've contacted Apple support. It appears that the iCloud Keychain configuration, or remains of an older configuration, on the MacBook's end is somehow corrupted. Things behave fine on the server side, and on a new account.


This is what we tried:


  • Adding, modifying or removing secrets from iCloud Keychain does sync to the problematic Mac: sync works for NEW changes and for about 30 items already on the keychain
  • But about 350 missing secrets never show up on the problematic Mac, i.e. it does not sync all of the OLDER entries
  • Creating a new user, logging into iCloud with it, turning on iCloud Keychain --> now sync works for all items, old and new
  • Safe mode on/off had no effect on behavior


So, the hypothesis is that there's a problematic keychain-related configuration file or folder in the User/Library folder, which needs to be cleaned up before turning on iCloud Keychain on this Mac. The support rep went on to find out what that file/folder might be.


A brute force way to fix this would be "create a new user and migrate everything there", but I'll wait for the answer. If there's a more surgical fix, I'd rather use that. Migration would take a long while itself, and restoring files could also restore the problematic keychain configuration... so the restoring process might have to be more granular and manual, and therefore more time-consuming to execute. But that's the plan B, because it would demonstrably work.

Jun 21, 2019 8:49 AM in response to petterihiisila

You can contact Apple Support senior care advisors. Dragging the complete keychain folder from the user Library to the desktop sometimes helps, but there is a drawback: in the Preferences folder of the same user Library, all the .plist files will be disturbed and will not be in alphabetical order.

Your login keychain is perfectly fine even if you changed the password for it, and it has no connection with iCloud Keychain.

In fact, in System Preferences > iCloud you have unchecked the Keychain box, so the passwords are not saved on the iCloud server and hence they are saved locally on the Mac hardware. See this article: https://support.apple.com/en-in/HT202861

On your Mac using OS X Mavericks v10.9 or later

  1. Choose Apple menu > System Preferences.
  2. Click iCloud, then select Keychain.
  3. Enter your Apple ID password.
  4. Click Advanced, then choose one of these two options:
    • Get a Random Security Code.
    • Don't Create Security Code. If you don't create an iCloud Security Code, then your iCloud Keychain is stored locally on your Mac instead of Apple's servers, and will update only across your approved devices.
  5. Follow the onscreen instructions to complete iCloud Keychain setup.


Now, to set up iCloud Keychain you need an iPhone, and that should be signed in with the same Apple ID and password on the same network. I can give you only a hint for it: go to keychains, click on forgot code, then you have to create a passcode and create an iCloud Keychain code from it.

It's a lengthy step, and Apple care advisors are experts on these issues. Contact the senior level 2 advisor; see this link: https://support.apple.com/en-in/HT201232

Note: even if you try to create a new test user account, run safe mode, etc., it will never help. The issue is with iCloud Keychain on the server end; sometimes, when the data is removed from the server end, Apple support advisors have their own techniques to solve it.

From your end, the only option is to erase the hard drive and reinstall the OS: https://support.apple.com/en-in/HT204904

But this is not to be done, as the OS is working fine; take suggestions/help from Apple support.

Jun 22, 2019 10:21 AM in response to petterihiisila

As per this article https://support.apple.com/en-in/HT203783

Whenever to reset iCloud Keychain from an iPhone of your Mac.

  • On your Mac, did you use Keychain Access to reset your iCloud Keychain? If so, macOS deleted your iCloud Keychain items. Try setting up iCloud Keychain again. If you need to reset your Mac Keychain again, temporarily disable iCloud Keychain in iCloud Preferences before you reset your macOS Keychain.


The Keychain box is always unchecked. You don't need to try to set it on your own; take the help of a senior Apple care advisor on the phone, not through chat (keychain settings for iCloud are very tricky, and a slightly incorrect step, if followed, will corrupt more of your Mac).

If the issue is from the iCloud server: if you enter the security code incorrectly more than three times in a row, then the code is deleted, but Apple advisors still have more techniques to solve it. See this article: https://support.apple.com/en-in/HT202755



Jun 21, 2019 8:21 AM in response to tygb

Thanks, I’ve read those and many more. They match at keyword level, but not at headline/content level to my issue. I haven’t forgotten the auth code, but the Mac does forget that I’ve enabled it just a minute ago (reproducible). And the problem isn’t about setting up keychain to sync, it’s about making it actually sync once it’s enabled. If the answer was available through Google or a support article, I wouldn’t be asking again here :)


It looks as if some part of keychain sync databases is corrupted in the MacBook’s end. But I don’t know how to clean the slate, since disable->enable keychain sync doesn’t fix it, and I haven’t yet ventured to delete the relevant files/folders manually. Not excited about iCloud log out/in option.


The log error message implies that it’s unable to decrypt the individual keychain entries. Even though all the secrets have been entered correctly. (Otherwise the sync wouldn’t even be enabled.)
