
Keychains: iCloud, Login, Local Items. Keeping control of what goes where…

Hi everyone,


I wanted to test iCloud keychain with OS X and iOS, but I’m not quite sure how to retain control of what goes where. After enabling iCloud Keychain on the Mac the new Local Items keychain, which can be seen in Keychain Access, changed to iCloud and it did import lots of entries, supposedly from ~/Library/Keychains/login.keychain. It did not import everything and I have yet to figure out on what it bases its importing. I wanted to start fresh so I deactivated iCloud Keychain on all devices and let it delete the data on the devices while doing so.


Problem is that my login.keychain was now missing a lot of entries which seem to have been moved to the now empty iCloud Keychain (which got of course renamed to Local Items after deactivation). So I went back to an older state of my login.keychain from my backup. With iCloud Keychain still deactivated Mail.app for example now insists that it does not have the passwords for my mail accounts. Even though they are there and correct in my login keychain. When I enter the passwords in Mail’s password prompt window they always go to Local Items instead of Login.


I tried to move the mail account entries to the Login keychain which seems to work fine, but once I do so Mail refuses to see them and insists on letting me enter the passwords again in order to save them to Local Items. 😐 I would like to use iCloud keychain to share a few website logins between my Mac and my iPhone, but I want to keep most of my logins exclusively local on the Mac. Any ideas how to accomplish that?


Other logins that are only in the Login Keychain do still work fine, for example online banking logins in Safari or FTP logins in Transmit. So as a first step I would like to have Mail.app play nice as well.


Any help, light-shedding or direction-pointing greatly appreciated!

Björn

Posted on Oct 28, 2013 2:18 PM

17 replies

Dec 10, 2017 11:34 AM in response to Matteo Ceruti

I know this discussion is somewhat old. Just for the record, here is a small comment from me: I get the impression that the Login keychain is for device-specific stuff (like login tokens), and iCloud / Local Items is for stuff which can more or less be used on other devices, and is therefore a candidate to sync with others via iCloud. I draw this conclusion from analyzing the passwords stored in the keychains.

Nov 4, 2013 8:09 AM in response to Björn Herrmann

I'm interested in seeing your questions answered, and I'll add one to the list:


The new Local (or iCloud) Keychain is first populated with website logins from the Login Keychain. Then any changes to those items, e.g., an updated password, are stored only in the new Local or iCloud Keychain. The Login Keychain still contains the old logins, some now out-of-date, and will grow increasingly stale as more revisions are made. Shouldn't Mavericks delete the items from the Login Keychain that it copies to -- and now manages in -- the Local / iCloud Keychain?

Nov 4, 2013 11:32 AM in response to spanman

Yes, that is my opinion, too. It is a mess having identical logins in 2 different keychains with one copy (login.keychain) getting more and more outdated over time. I have disabled iCloud Keychain for now and filed a bug report at bugreport.apple.com.


I noticed that, regardless of iCloud Keychain being enabled or not, all new logins always go into Local Items/iCloud even if you have specified another keychain as your default. The default keychain, which still is the good old Login in my case, is just ignored. The default will appear in bold letters in Keychain Access.app.

Nov 6, 2013 12:49 PM in response to Björn Herrmann

Some additional mysteries to ponder:


Keychain Access lists my iCloud keychain, among others, but the ~/library/keychain folder lists the other (e.g., Login) keychains, but not the iCloud keychain. There is a new subfolder (B46E6943-7CDC-5AF6-B03F-993B070699E7) that contains no .keychain files, but has .plist, .db, .db-shm, .db-wal files, among others.


So, apparently, the iCloud keychain is not maintained as a .keychain file, but is -- apparently -- contained within one or several of these different file types. Or, it's a hidden file?


Also, I've got iCloud Keychain enabled with an iCloud security code, so Keychain Access does not display a Local Items keychain. But the program has prompted me for a Local Items keychain password, which I don't know: whatever it is, it's not my Login keychain password -- which also opens my iCloud keychain -- or my iCloud security code.

Mar 24, 2014 6:27 AM in response to spanman

Not so for me. 10.9.2 still uses the .keychain extension.


I've actually been using Keychain Access.app as my built-in day to day password manager (testing it as an alternative to 1Password, KeePassX, LastPass, etc.).


If I can get this to work smoothly I believe the benefits would include some obvious advantages, such as: your password manager is baked into the OS and is updated in concert with the OS, no need to download and install it after a re-install, backwards compatible with a wide range of OS X versions, etc.


I have two separate .keychain files I manage with Keychain Access.app, a personal.keychain and work.keychain.

In my personal file I also store secure notes (containing info), where some contain attached photos of scanned documents. These two files are stored in an encrypted .dmg and sync'd via a file sync'ing service which is also appropriately locked down with 2 factor authentication.


I only allow my iCloud keychain to sync passwords to non-sensitive websites. I do not, for example, allow iCloud to sync my credentials for my bank's web login.


I stumbled across this thread as Björn is describing one of the key problems with using Keychain Access as your primary password manager. When you organize passwords across multiple .keychain files, then update a password via Safari, the NEW password is then stored in your iCloud Keychain (not my preference) and old one remains left behind to be outdated.


So, I'm not entirely sure if this is just a sign that the concept of using Keychain Access as an all-purpose password manager is a bad idea, or if I should voice my interest to Apple in having the choice to set which keychain Safari updates.


Thoughts?


--

Andrew
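A way to spot the stale duplicates spanman and Andrew describe, as an added example that is not code from the thread or from Apple: inventory the inet (internet password) items in a `security dump-keychain` dump of the legacy login keychain and flag those that also exist in Local Items with a newer modification date. Both inputs are constructed samples, the dump format is abridged, and the Local Items list is assumed to be typed in from Keychain Access, since the legacy dump does not cover that keychain.

```shell
#!/bin/sh
# Added example (not from any poster): flag login.keychain inet items that also
# live in Local Items/iCloud with a newer modification date, i.e. stale copies.
# Both inputs below are constructed samples, not real keychain data.

# Abridged, constructed shape of `security dump-keychain` output (legacy keychain only).
SAMPLE_LOGIN_DUMP='keychain: "/Users/me/Library/Keychains/login.keychain"
class: "inet"
attributes:
    "acct"<blob>="bjoern"
    "mdat"<timedate>=0x3230313330383031  "20130801120000Z\000"
    "srvr"<blob>="mail.example.net"
keychain: "/Users/me/Library/Keychains/login.keychain"
class: "genp"
attributes:
    "acct"<blob>="token"
    "svce"<blob>="com.example.app"
keychain: "/Users/me/Library/Keychains/login.keychain"
class: "inet"
attributes:
    "acct"<blob>="bjoern"
    "mdat"<timedate>=0x3230313431303031  "20141001090000Z\000"
    "srvr"<blob>="bank.example.com"'

# Local Items entries as read off Keychain Access (constructed): server, account, modified UTC.
LOCAL_ITEMS="$(printf 'mail.example.net\tbjoern\t20140310083000Z\nwww.example.org\tbjoern\t20140301100000Z')"

# Read a dump on stdin; print "server<TAB>account<TAB>mdat" per inet item.
inet_inventory() {
  awk '
    function flush() { if (cls == "inet" && srvr != "") printf "%s\t%s\t%s\n", srvr, acct, mdat }
    /^keychain:/        { flush(); cls = ""; srvr = ""; acct = ""; mdat = "" }
    /^class: "/         { cls = $2; gsub(/"/, "", cls) }
    /"srvr"<blob>=/     { srvr = $0; sub(/.*="/, "", srvr); sub(/"$/, "", srvr) }
    /"acct"<blob>=/     { acct = $0; sub(/.*="/, "", acct); sub(/"$/, "", acct) }
    /"mdat"<timedate>=/ { mdat = $0; sub(/.*  "/, "", mdat); sub(/\\000"$/, "", mdat) }
    END { flush() }'
}

# An item present in both keychains whose login copy is older is stale: it is the
# copy that Safari and Mail stop updating once Local Items holds the item.
stale_login_items() {
  printf '%s\n' "$SAMPLE_LOGIN_DUMP" | inet_inventory | awk -F '\t' -v lst="$LOCAL_ITEMS" '
    BEGIN { n = split(lst, rows, "\n")
            for (i = 1; i <= n; i++) { split(rows[i], f, "\t"); local_mdat[f[1] "\t" f[2]] = f[3] } }
    { key = $1 "\t" $2
      if ((key in local_mdat) && $3 < local_mdat[key])
        printf "%s\t%s\tlogin=%s local=%s\n", $1, $2, $3, local_mdat[key] }'
}
```

Run `stale_login_items` after sourcing the script; on a real Mac, replace SAMPLE_LOGIN_DUMP with the output of `security dump-keychain ~/Library/Keychains/login.keychain`.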

Mar 24, 2014 1:43 PM in response to ajsul

I would also love to use the built-in Keychain(s) as my default and only password manager. But unless you can decide which password goes into which keychain I can’t see this happening. I won’t give up on that, so I will file new bug reports from time to time. If you would like to do so too, you can leave feedback at http://www.apple.com/feedback/ and file a bug report at https://bugreport.apple.com/


I just logged in at the latter and saw that my bugreport about this has been closed since it is a duplicate report. The duplicate’s bug ID is still listed as Open so there might still be hope…

Mar 24, 2014 3:10 PM in response to ajsul

The "significant change" I cited in 10.9.xx's keychain management is that new items are stored by default in the iCloud (or Local Items) Keychain, which is not a discrete keychain file but, rather, a series of .db (among other) files in a subdirectory under ~/library/keychains.


I've settled into using the iCloud Keychain as my default PW manager as it syncs pretty seamlessly between my iMac and iOS devices. Of course, I've had to place my faith in Apple's encryption; time will tell if this was or was not a smart idea.

Apr 24, 2014 6:28 AM in response to Björn Herrmann

I have an issue with iCloud keychain and passwords for my home wifi that may fit into this discussion. I recently enabled iCloud keychain on my Mac and then on my iPhone 5 and then my iPad 2. After setting this up, I was unable to connect my iPhone and my iPad to my wifi router. I kept receiving the error "Unable to join network". My Mac was connected via wifi just fine.


I tried hard resets, resetting network settings, turning off iCloud keychain on my iPad and iPhone and Mac, going into keychain access on my Mac and deleting the airport network password (I have a non-airport router) and rejoining my wifi network with my Mac hoping to force keychain to sync the password.


I can only connect to my wifi by disabling the password on my network, which I do not want to leave like that. I was able to fix my iPad by restoring to a backup before I turned on iCloud keychain, but I do not have a recent backup of my iPhone without iCloud keychain enabled. I can completely wipe my iPhone and start over, but I'd rather not have to. Does anyone have any suggestions on how to fix this? Is it the problem that is mentioned above with local items for keychain vs iCloud keychain items?


I did contact Apple support and they haven't heard of this problem before so they were of no help. Thanks!

Apr 24, 2014 6:36 AM in response to blondie016

  • What brand / model router do you use?
  • Is it running its default firmware or custom?
  • What security settings are you using? (WPA2 Personal?)
  • Have you tried resetting the router to its factory settings?
  • Are other routers nearby broadcasting a similar ESSID?
  • Does this issue occur with other wireless networks? Or only at home?
