Managing the Mac OS X Keychain

To many people, the Keychain is some sort of deep voodoo. It magically stores the passwords that you enter so that you don’t have to remember them: everything from web forms to wireless network connections, and a whole host of things in between. Some people don’t use the Keychain at all, on a “just in case” principle, which invariably means that their paranoia gives way to weaker passwords (because they now have to remember them all). In this post, I’m going to show you how to use the Mac OS X Keychain to enhance, rather than degrade, security.

First off, some definitions:

A keychain

A collection of stored credentials and secure notes kept in a .keychain file. Every Mac OS X user has at least one keychain file, termed the Login Keychain (see below). Each keychain file is encrypted with its own password; the login keychain is encrypted with your account password and is automatically unlocked when you log in (or, if your screen-saver is password-protected, when you unlock the screen). User keychains are normally stored in ~/Library/Keychains.

The Keychain

This one’s a bit of a misnomer. There isn’t ever a single keychain (Mac OS X maintains its own system keychains in addition to your Login Keychain), but the term “The Keychain” is usually used to refer collectively to all of the keychains you have access to.

The Login Keychain

The Login Keychain is a special case. Although it’s stored and encrypted in the same way as other keychains, if the keychain password is set to be the same as your account password (as it is by default), the Login Keychain will be automatically unlocked when you log in or unlock the screen. When you change your account password, your Login Keychain password is automatically kept in sync. If you deliberately change the Login Keychain password to be different from your account password, none of this applies, though it stops being quite so useful if you do that.

The login keychain is usually stored in ~/Library/Keychains/login.keychain.

The System Keychain

Mac OS X actually maintains several keychains that are shared between all users on a computer without any intervention from you, though one in particular is called the System Keychain and is stored in /Library/Keychains/System.keychain. It’s generally not the best idea in the world to mess with the System Keychain.

The Default Keychain

The Default Keychain is any keychain designated as the place to store new keychain items. By default, the Login Keychain is designated the Default Keychain for a user.

You might be thinking at this point that the paranoia of some is justified: if somebody gains access to your user account, they have access to all of the passwords in the Login Keychain! This is certainly true (although they’re limited, under normal circumstances, in what they can do with them), and that’s precisely why there are better ways of managing keychain items than just putting everything in the Login Keychain. Here’s my step-by-step guide.

  1. Buy a USB flash drive. Plug it into your Mac. Personally, I opted to reformat mine as HFS+ and told Mac OS X not to “Ignore permissions on this volume”. I don’t know how well this works on, say, a FAT32 volume—I’ve never tried, and have no intention of doing so. Mac OS X certainly seems to work better with HFS+ than FAT32, so I’m sticking with that.
  2. Run Keychain Access, which can be found in /Applications/Utilities.
  3. From the File menu, choose New Keychain…. When prompted, give the new keychain a sensible name and store it somewhere on your USB volume.
  4. Make sure that you set a decent password: a mix of upper- and lower-case letters, numbers, and punctuation if you can manage it. Don’t make it so difficult to remember that you have to write it down, and don’t store the password for your new keychain as a secure note in your Login Keychain! Also, it’s probably obvious but I’ll say it anyway, don’t make it the same as your account password. On the password prompt dialog, there’s a little key button to the right of the Password field. Click that to bring up the Password Assistant which may help you generate a good password.
  5. Next, we want to make the new keychain the default location for storing new keychain items, rather than the Login Keychain. Select the keychain from the list in Keychain Access, and then choose Make Default from the File menu. You may need to click the Show Keychains button at the bottom of the Keychain Access window if you don’t see a list of Keychains.
  6. Next comes the long-winded part: using Keychain Access, drag and drop your items from your Login Keychain to the newly-created one. You’ll have to enter your password for each one (and you may have to enter the password for the newly-created keychain for the first item). Don’t move any items that are needed by things that run when you first log in, including items Mac OS X itself uses at login, such as AirPort network passwords. You may find sorting the items list by “Kind” is helpful. Any “Web form password”, “Internet password” and “Secure note” items should be fine, along with most “Application password” items.
  7. That’s it, you’re done! All of the items you moved are now stored on your USB drive, which I’m hoping you’ll store separately from your Mac.
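The command-line equivalent of steps 3 to 5, as an added example that is not part of the original post, using Apple’s security(1) tool. The sample path /Volumes/USBKEY/Secure.keychain, the five-minute auto-lock timeout, the KEYCHAIN_DRY_RUN switch and the assumption that keychain paths contain no spaces are mine, not the post’s.

```shell
#!/bin/sh
# Added example, not from the original post: the command-line equivalent of
# steps 3 to 5 above using Apple's security(1) tool. The keychain path, the
# lock timeout and the assumption that keychain paths contain no spaces are
# assumptions of this example.

# run: execute a command, or only print it when KEYCHAIN_DRY_RUN=1.
run() {
    if [ "${KEYCHAIN_DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# setup_usb_keychain PATH [LOCK_SECONDS]
# Creates the keychain (security prompts for its password, so it never lands
# in shell history), keeps it in the user's search list so applications can
# find its items, makes it the default, and sets it to lock itself when idle
# or when the machine sleeps.
setup_usb_keychain() {
    kc="$1"
    lock_after="${2:-300}"
    # The point of the exercise is that the file leaves with the USB drive,
    # so refuse anything that is not on a mounted volume.
    case "$kc" in
        /Volumes/*) ;;
        *) echo "refusing: $kc is not under /Volumes" >&2; return 1 ;;
    esac
    run security create-keychain "$kc"
    # list-keychains -s replaces the whole search list, so re-add the existing
    # entries (xargs strips the quotes that security prints around them).
    existing=$(security list-keychains -d user 2>/dev/null | xargs)
    run security list-keychains -d user -s "$kc" $existing
    run security default-keychain -d user -s "$kc"
    # -l: lock when the system sleeps; -u -t N: lock after N idle seconds.
    run security set-keychain-settings -l -u -t "$lock_after" "$kc"
}

if [ $# -eq 0 ]; then
    echo "usage: $0 /Volumes/<usb>/<name>.keychain [lock-seconds]" >&2
    echo "no path given; showing a dry run for a sample path:" >&2
    KEYCHAIN_DRY_RUN=1 setup_usb_keychain /Volumes/USBKEY/Secure.keychain
else
    setup_usb_keychain "$@"
fi
```

Run it with no arguments to see the commands without executing them; the final set-keychain-settings step is what the “Change Settings for Keychain…” dialog in Keychain Access controls, and it is worth setting for a keychain that travels on removable media.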

Some important notes:

(As an aside, I’ve been storing my keychains this way for about two years now, and I don’t think I’ve ever had any problems).