Apple Keychain
Encyclopedia
Keychain is Apple Inc.'s password management system
in Mac OS
. It was introduced with Mac OS 8.6
, and has been included in all subsequent versions of Mac OS, including Mac OS X
. A Keychain can contain various types of data: password
s (for Website
s, FTP servers
, SSH
accounts, network shares, wireless network
s, groupware applications, encrypted
disk image
s), private key
s, certificate
s, and secure notes.
, open source
software released under the terms of the APSL
.
The keychain file(s) stores a variety of data fields including a title, URL, notes and password. Other than Secure Notes created with Keychain Access, only the password is encrypted, with Triple DES
. The contents of Secure Notes are also encrypted.
The keychain may be set to be automatically "locked" if the computer has been idle for a time, and can be locked manually from the Keychain Access application. When locked, the password has to be re-entered next time the keychain is accessed, to unlock it. Overwriting the file in ~/Library/Keychains/ with a new one (e.g. as part of a restore operation) also causes the keychain to lock and a password is required at next access.
. Among its many features, PowerTalk used plug-ins that allowed mail to be retrieved from a wide variety of mail servers and online services. The keychain concept naturally "fell out" of this code, and was used in PowerTalk to manage all of a user's various login credentials for the various e-mail systems PowerTalk could connect to. Keychain placed these passwords in an encrypted file, and automatically returned them on command if the file was "opened" using a password.
The passwords were not easily retrievable due to the encryption, yet the simplicity of the interface allowed the user to select a different password for every system without fear of forgetting them, as a single password would open the file and return them all. At the time, this was a truly innovative concept that was not available on other platforms. Keychain was one of the few parts of PowerTalk that was obviously useful "on its own", which suggested it should be promoted to become a part of the basic Mac OS. But due to internal politics, it was kept inside the PowerTalk system and, therefore, available to very few Mac users.
It was not until the return of Steve Jobs
that Keychain was liberated from the now-dead PowerTalk. By this point in time the concept was no longer so unusual, but it was still rare to see a keychain system that was not associated with a particular piece of application software, typically a Web browser
. Keychain became a standard part of Mac OS 9, and was included in Mac OS X in the first commercial versions.
Third-party adoption of Keychain has been somewhat uneven to date. Although most Apple software uses it (notably Apple Mail
and Safari
), and Macintosh-only applications such as Transmit
and Camino
do as well, some cross-platform applications such as Firefox
do not use Keychain, (sticking to other cross-platform solutions instead) though others like Google Chrome
have chosen to use the Keychain on Mac OS X. Many programs continue to store their login credentials in plain text files, although this is becoming rare for newer programs. Recent versions of the Subversion command-line client use the Keychain on Mac OS X.
Password manager
A password manager is software that helps a user organize passwords and PIN codes. The software typically has a local database or a file that holds the encrypted password data for secure logon onto computers, networks, web sites and application data files. Many password managers also work as a form...
in Mac OS
Mac OS
Mac OS is a series of graphical user interface-based operating systems developed by Apple Inc. for their Macintosh line of computer systems. The Macintosh user experience is credited with popularizing the graphical user interface...
. It was introduced with Mac OS 8.6
Mac OS 8
Mac OS 8 is an operating system that was released by Apple Computer on July 26, 1997. It represented the largest overhaul of the Mac OS since the release of System 7, some six years previously. It puts more emphasis on color than previous operating systems...
, and has been included in all subsequent versions of Mac OS, including Mac OS X
Mac OS X
Mac OS X is a series of Unix-based operating systems and graphical user interfaces developed, marketed, and sold by Apple Inc. Since 2002, has been included with all new Macintosh computer systems...
. A Keychain can contain various types of data: password
Password
A password is a secret word or string of characters that is used for authentication, to prove identity or gain access to a resource . The password should be kept secret from those not allowed access....
s (for Website
Website
A website, also written as Web site, web site, or simply site, is a collection of related web pages containing images, videos or other digital assets. A website is hosted on at least one web server, accessible via a network such as the Internet or a private local area network through an Internet...
s, FTP servers
File Transfer Protocol
File Transfer Protocol is a standard network protocol used to transfer files from one host to another host over a TCP-based network, such as the Internet. FTP is built on a client-server architecture and utilizes separate control and data connections between the client and server...
, SSH
Secure Shell
Secure Shell is a network protocol for secure data communication, remote shell services or command execution and other secure network services between two networked computers that it connects via a secure channel over an insecure network: a server and a client...
accounts, network shares, wireless network
Wireless network
Wireless network refers to any type of computer network that is not connected by cables of any kind. It is a method by which homes, telecommunications networks and enterprise installations avoid the costly process of introducing cables into a building, or as a connection between various equipment...
s, groupware applications, encrypted
Encryption
In cryptography, encryption is the process of transforming information using an algorithm to make it unreadable to anyone except those possessing special knowledge, usually referred to as a key. The result of the process is encrypted information...
disk image
Disk image
A disk image is a single file or storage device containing the complete contents and structure representing a data storage medium or device, such as a hard drive, tape drive, floppy disk, CD/DVD/BD, or USB flash drive, although an image of an optical disc may be referred to as an optical disc image...
s), private key
Public-key cryptography
Public-key cryptography refers to a cryptographic system requiring two separate keys, one to lock or encrypt the plaintext, and one to unlock or decrypt the cyphertext. Neither key will do both functions. One of these keys is published or public and the other is kept private...
s, certificate
Public key certificate
In cryptography, a public key certificate is an electronic document which uses a digital signature to bind a public key with an identity — information such as the name of a person or an organization, their address, and so forth...
s, and secure notes.
Storage and access
In Mac OS X, keychain files are stored in ~/Library/Keychains/, /Library/Keychains/, and /Network/Library/Keychains/, and the Keychain Access GUI application is located in the Utilities folder in the Applications folder. It is freeFree software
Free software, software libre or libre software is software that can be used, studied, and modified without restriction, and which can be copied and redistributed in modified or unmodified form either without restriction, or with restrictions that only ensure that further recipients can also do...
, open source
Open source
The term open source describes practices in production and development that promote access to the end product's source materials. Some consider open source a philosophy, others consider it a pragmatic methodology...
software released under the terms of the APSL
Apple Public Source License
The Apple Public Source License is the open source and free software license under which Apple's Darwin operating system was released. A free software and open source license was voluntarily adopted to further involve the community from which much of Darwin originated.The first version of the Apple...
.
The keychain file(s) stores a variety of data fields including a title, URL, notes and password. Other than Secure Notes created with Keychain Access, only the password is encrypted, with Triple DES
Triple DES
In cryptography, Triple DES is the common name for the Triple Data Encryption Algorithm block cipher, which applies the Data Encryption Standard cipher algorithm three times to each data block....
. The contents of Secure Notes are also encrypted.
Locking and unlocking
The default keychain file is the login keychain, typically unlocked on login by the user's login password, although the password for this keychain can instead be different from a user’s login password, adding security at the expense of some convenience . The Keychain Access application does not permit setting an empty password on a keychain.The keychain may be set to be automatically "locked" if the computer has been idle for a time, and can be locked manually from the Keychain Access application. When locked, the password has to be re-entered next time the keychain is accessed, to unlock it. Overwriting the file in ~/Library/Keychains/ with a new one (e.g. as part of a restore operation) also causes the keychain to lock and a password is required at next access.
Password synchronization
If the login keychain is protected by the login password, then the keychain's password will be changed whenever the login password is changed from within Mac OS X. However, on a shared Mac/non-Mac network, it is possible for the login keychain's password to lose synchronization if the user's login password is changed from a non-Mac system. Some network administrators react to this by deleting the keychain file on logout, so that a new one will be created next time the user logs in. This means keychain passwords will not be remembered from one session to the next, even if the login password has not been changed. If this happens, the user can restore the keychain file in ~/Library/Keychains/ from a backup, but doing so will lock the keychain which will then need to be unlocked at next use.History
Keychains were initially developed for Apple's e-mail system, PowerTalkApple Open Collaboration Environment
Apple Open Collaboration Environment, or AOCE , was a collection of messaging-related technologies introduced for the Mac OS in the early 1990s...
. Among its many features, PowerTalk used plug-ins that allowed mail to be retrieved from a wide variety of mail servers and online services. The keychain concept naturally "fell out" of this code, and was used in PowerTalk to manage all of a user's various login credentials for the various e-mail systems PowerTalk could connect to. Keychain placed these passwords in an encrypted file, and automatically returned them on command if the file was "opened" using a password.
The passwords were not easily retrievable due to the encryption, yet the simplicity of the interface allowed the user to select a different password for every system without fear of forgetting them, as a single password would open the file and return them all. At the time, this was a truly innovative concept that was not available on other platforms. Keychain was one of the few parts of PowerTalk that was obviously useful "on its own", which suggested it should be promoted to become a part of the basic Mac OS. But due to internal politics, it was kept inside the PowerTalk system and, therefore, available to very few Mac users.
It was not until the return of Steve Jobs
Steve Jobs
Steven Paul Jobs was an American businessman and inventor widely recognized as a charismatic pioneer of the personal computer revolution. He was co-founder, chairman, and chief executive officer of Apple Inc...
that Keychain was liberated from the now-dead PowerTalk. By this point in time the concept was no longer so unusual, but it was still rare to see a keychain system that was not associated with a particular piece of application software, typically a Web browser
Web browser
A web browser is a software application for retrieving, presenting, and traversing information resources on the World Wide Web. An information resource is identified by a Uniform Resource Identifier and may be a web page, image, video, or other piece of content...
. Keychain became a standard part of Mac OS 9, and was included in Mac OS X in the first commercial versions.
Third-party adoption of Keychain has been somewhat uneven to date. Although most Apple software uses it (notably Apple Mail
Mail (application)
Mail is an email program included with Apple Inc.'s Mac OS X operating system. Originally developed by NeXT as NeXTMail, a part of their NeXTSTEP operating system, it was adapted, following Apple's acquisition of NeXT, to become OS X's Mail application.Mail uses the SMTP, POP3, and IMAP protocols,...
and Safari
Safari (web browser)
Safari is a web browser developed by Apple Inc. and included with the Mac OS X and iOS operating systems. First released as a public beta on January 7, 2003 on the company's Mac OS X operating system, it became Apple's default browser beginning with Mac OS X v10.3 "Panther". Safari is also the...
), and Macintosh-only applications such as Transmit
Transmit (FTP client)
Transmit is an FTP client for Mac OS X and Mac OS Classic . Developed by Panic, Transmit is shareware – after a seven-day trial period, the product can only be used for seven-minute sessions until it has been purchased....
and Camino
Camino
Camino is a free, open source, GUI-based Web browser based on Mozilla's Gecko layout engine and specifically designed for the Mac OS X operating system...
do as well, some cross-platform applications such as Firefox
Mozilla Firefox
Mozilla Firefox is a free and open source web browser descended from the Mozilla Application Suite and managed by Mozilla Corporation. , Firefox is the second most widely used browser, with approximately 25% of worldwide usage share of web browsers...
do not use Keychain, (sticking to other cross-platform solutions instead) though others like Google Chrome
Google Chrome
Google Chrome is a web browser developed by Google that uses the WebKit layout engine. It was first released as a beta version for Microsoft Windows on September 2, 2008, and the public stable release was on December 11, 2008. The name is derived from the graphical user interface frame, or...
have chosen to use the Keychain on Mac OS X. Many programs continue to store their login credentials in plain text files, although this is becoming rare for newer programs. Recent versions of the Subversion command-line client use the Keychain on Mac OS X.