Keychain (Mac OS)

Keychain
Developer(s): Apple Inc.
Operating system: Mac OS 9, Mac OS X
Type: System utility
License: APSL
Website: Keychain programmers guide

Keychain is Apple Inc.'s password management system in Mac OS. It was introduced with Mac OS 8.6, and has been included in all subsequent versions of Mac OS, including Mac OS X. A Keychain can contain various types of data: passwords (for Websites, FTP servers, SSH accounts, network shares, wireless networks, groupware applications, encrypted disk images), private keys, certificates, and secure notes.


Storage and access

In Mac OS X, keychain files are stored in ~/Library/Keychains/ (per-user keychains, including the default login keychain), /Library/Keychains/ (system-wide keychains) and /Network/Library/Keychains/ (network keychains), and the Keychain Access GUI application is located in the Utilities folder in the Applications folder[1]. The keychain implementation itself (libsecurity_keychain) is free, open source software released under the terms of the APSL[2]. The command-line equivalent of Keychain Access is /usr/bin/security, which can list, create, dump, lock and unlock keychains and add, find and delete the items in them.

A keychain file stores a variety of data fields for each item, including a title, URL, account name, notes and password. Other than Secure Notes created with Keychain Access, only the password field is encrypted, with Triple DES;[3] the contents of Secure Notes are encrypted as well. The practical consequence is that the remaining fields (item names, account names, server names and URLs) are readable by anyone who can read the keychain file, without knowing the keychain password: a copied keychain file reveals which accounts and services a user has, even while the passwords themselves stay protected.
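To make the split between encrypted and cleartext fields concrete, the following added example (not Apple code and not part of the original article) parses the text that `security dump-keychain` prints for a keychain's items and lists what is visible without unlocking it. The sample dump embedded below is constructed to follow the attribute layout of real `dump-keychain` output for a generic ("genp") and an internet ("inet") password item; real dumps carry more attributes, and the "data:" section with the secret only appears when `-d` is passed and the keychain has been unlocked. The `dump_keychain` helper is an assumption about how a reader on a Mac would feed real output into the parser.

```python
"""Parse `security dump-keychain` output and show what a keychain file
exposes without its password. Added example, not Apple's code."""
import re
import shutil
import subprocess

# Constructed sample: two items, formatted as `security dump-keychain`
# prints them without -d (no "data:" section, hence no unlock prompt).
SAMPLE_DUMP = '''keychain: "/Users/alice/Library/Keychains/login.keychain"
version: 256
class: "genp"
attributes:
    0x00000007 <blob>="Backup Disk Image"
    0x00000008 <blob>=<NULL>
    "acct"<blob>="alice"
    "cdat"<timedate>=0x32303038303131323039303030305A00  "20080112090000Z\\000"
    "crtr"<uint32>=<NULL>
    "desc"<blob>="disk image password"
    "svce"<blob>="Backup Disk Image"
    "type"<uint32>=<NULL>
keychain: "/Users/alice/Library/Keychains/login.keychain"
version: 256
class: "inet"
attributes:
    0x00000007 <blob>="www.example.com"
    0x00000008 <blob>=<NULL>
    "acct"<blob>="alice"
    "atyp"<blob>="form"
    "desc"<blob>=<NULL>
    "path"<blob>="/"
    "port"<uint32>=0x00000050
    "ptcl"<uint32>="http"
    "srvr"<blob>="www.example.com"
'''

# Four-character attribute tags that identify an item to a human reader.
ATTR_NAMES = {
    "acct": "account", "svce": "service", "srvr": "server", "path": "path",
    "ptcl": "protocol", "port": "port", "desc": "description", "icmt": "comment",
}

# One attribute line: a quoted 4-char tag or a hex index, a <type>, and a value.
_ATTR_RE = re.compile(
    r'^\s+(?:"(?P<tag>.{4})"|(?P<num>0x[0-9A-Fa-f]+))\s*<(?P<type>\w+)>=(?P<value>.*)$'
)


def _decode_value(raw):
    """<NULL> -> None, "quoted" -> str, 0x... -> int, anything else -> first token."""
    raw = raw.strip()
    if raw == "<NULL>":
        return None
    if raw.startswith('"'):
        return raw[1:raw.rfind('"')]
    token = raw.split()[0]
    return int(token, 16) if token.startswith("0x") else token


def parse_dump(text):
    """Return a list of items: {'keychain', 'class', 'attributes', ['has_data']}."""
    items, keychain, current = [], None, None
    for line in text.splitlines():
        if line.startswith("keychain:"):
            keychain = _decode_value(line.split(":", 1)[1])
        elif line.startswith("class:"):
            current = {"keychain": keychain,
                       "class": _decode_value(line.split(":", 1)[1]),
                       "attributes": {}}
            items.append(current)
        elif line.startswith("data:") and current is not None:
            current["has_data"] = True  # only printed with -d on an unlocked keychain
        else:
            m = _ATTR_RE.match(line)
            if m and current is not None:
                current["attributes"][m.group("tag") or m.group("num")] = \
                    _decode_value(m.group("value"))
    return items


def exposed_fields(item):
    """Human-readable attributes stored in the clear, i.e. readable without unlocking."""
    return {ATTR_NAMES[tag]: value
            for tag, value in item["attributes"].items()
            if tag in ATTR_NAMES and value is not None}


def summarize(text):
    """(class, cleartext fields) for every item in a dump."""
    return [(item["class"], exposed_fields(item)) for item in parse_dump(text)]


def dump_keychain(path=None):
    """On a Mac, run `security dump-keychain [path]` and parse it; None elsewhere."""
    if shutil.which("security") is None:
        return None
    cmd = ["security", "dump-keychain"] + ([path] if path else [])
    out = subprocess.run(cmd, check=True, capture_output=True, text=True).stdout
    return parse_dump(out)


if __name__ == "__main__":
    for cls, fields in summarize(SAMPLE_DUMP):
        print(cls, fields)
```

Run on a Mac, `dump_keychain()` prints the same kind of summary for the real login keychain and, since no `-d` is passed, never triggers an unlock prompt: that is exactly the set of fields an attacker holding a copy of the file gets for free.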

Locking and unlocking

The default keychain file is the login keychain, which is normally unlocked automatically at login with the user's login password. The keychain password can instead be set to differ from the login password; the keychain then stays locked until its own password is entered, adding security at the expense of some convenience[4]. The Keychain Access application does not permit setting an empty password on a keychain.

A keychain can be set to lock automatically after the computer has been idle for a chosen period[5], and can be locked manually from the Keychain Access application (or from the command line with security lock-keychain). When a keychain is locked, its password must be re-entered the next time an item in it is accessed. Overwriting the keychain file in ~/Library/Keychains/ with a different one (e.g. as part of a restore from backup) also leaves the keychain locked, so its password is required at next access.

Password synchronization

If the login keychain is protected by the login password, the keychain's password is changed automatically whenever the login password is changed from within Mac OS X. On a mixed Mac/non-Mac network, however, the login keychain's password can fall out of synchronization if the user's login password is changed from a non-Mac system, because Mac OS X never sees the change and cannot update the keychain password to match. Some network administrators react to this by deleting the keychain file on logout, so that a fresh keychain is created the next time the user logs in. This means keychain passwords are not remembered from one session to the next, even if the login password has not changed. If this happens, the user can restore the keychain file in ~/Library/Keychains/ from a backup, but the restored keychain will be locked and must be unlocked with its own (previous) password at next use.

History

Keychain was initially developed for Apple's e-mail system, PowerTalk. Among its many features, PowerTalk used plug-ins that allowed mail to be retrieved from a wide variety of mail servers and online services. The keychain concept naturally "fell out" of this code, and was used in PowerTalk to manage all of a user's login credentials for the various e-mail systems PowerTalk could connect to. Keychain placed these passwords in an encrypted file and returned them automatically on request once the file had been "opened" with a password.

The passwords were not easily retrievable due to the encryption, yet the simplicity of the interface allowed the user to select a different password for every system without fear of forgetting them, as a single password would open the file and return them all. At the time, this was a truly innovative concept that was not available on other platforms. Keychain was one of the few parts of PowerTalk that was obviously useful "on its own", which suggested it should be promoted to become a part of the basic Mac OS. But due to internal politics, it was kept inside the PowerTalk system and, therefore, available to very few Mac users.

It was not until the return of Steve Jobs that Keychain was liberated from the now-dead PowerTalk. By this point in time the concept was no longer so unusual, but it was still rare to see a keychain system that was not associated with a particular piece of application software, typically a Web browser. Keychain became a standard part of Mac OS 9, and was included in Mac OS X in the first commercial versions.

Third-party adoption of Keychain has been somewhat uneven to date. Most Apple software uses it (notably Apple Mail and Safari), as do Macintosh-only applications such as Transmit and Camino, but some cross-platform applications such as Firefox do not use Keychain (sticking to their own cross-platform password stores instead), while others, like Google Chrome, have chosen to use the Keychain on Mac OS X. Many programs continue to store their login credentials in plain text files, although this is becoming rare for newer programs. Recent versions of the Subversion command-line client use the Keychain on Mac OS X.

Notes

  1. http://docs.info.apple.com/article.html?path=Mac/10.5/en/9066.html and http://docs.info.apple.com/article.html?path=Mac/10.4/en/mh463.html
  2. http://www.opensource.apple.com/source/libsecurity_keychain/libsecurity_keychain-27723/
  3. http://images.apple.com/macosx/security/docs/MacOSX_Security_TB.pdf
  4. http://docs.info.apple.com/article.html?path=Mac/10.5/en/9066.html
  5. http://docs.info.apple.com/article.html?path=Mac/10.4/en/mh848.html
