Publishers of technology books, eBooks, and videos for creative people

Home > Articles > Apple > Operating Systems

Apple Pro Training Series: OS X Support Essentials 10.10: Supporting and Troubleshooting OS X Yosemite: Keychain Architecture

  • Print
  • + Share This
The authors of Apple Pro Training Series: OS X Support Essentials 10.10: Supporting and Troubleshooting OS X Yosemite discuss keychain architecture and understanding local keychain files.
From the book

Reference 8.1 Keychain Architecture

Because so many important items are saved via the keychain architecture, the keychain files themselves are encrypted with a very strong algorithm: They are impenetrable unless you know the keychain’s password. In fact, if you forget a keychain’s password, its contents are lost forever. Not even the software engineers at Apple can help you—the keychain system is that secure. Yet probably the single best feature of the keychain architecture is that it’s entirely automatic using the default settings. Most users never know just how secure their saved passwords are, because the system is so transparent.

Understanding Local Keychain Files

Keychain files are stored throughout the system for different users and resources. Here are a few of note:

  • /Users/<username>/Library/Keychains/login.keychain—Every standard or administrative user is created with a single login keychain. As a default, the password for this keychain matches the user’s account password, so this keychain is automatically unlocked and available when the user logs in. If the user’s account password does not match the keychain’s password, it does not automatically unlock during login. This keychain appears with the name “login” when using the Keychain Access application, as covered later in Lesson 8 “Keychain Management”.

  • /Users/<username>/Library/Keychains/<UUID>—This keychain folder is also created for every user account. The chosen UUID (universally unique identifier) name of the folder does not match the user’s local account UUID, but this item is associated with the user due to its location in the user’s home folder. This folder contains the keychain database used by the iCloud Keychain service. Even if the user hasn’t enabled the iCloud Keychain service yet, this local keychain database is still created. When the iCloud Keychain service is not enabled, this keychain appears with the name Local Items in the Keychain Access application. Once the iCloud Keychain service is enabled, this keychain appears with the name iCloud in the Keychain Access application. Managing the iCloud Keychain service is covered later in “Reference 8.3 iCloud Keychain”.
  • /Library/Keychains/System.keychain—This keychain maintains authentication assets that are not user specific. Examples of items stored here include Wi-Fi wireless network passwords, 802.1X network passwords, and local Kerberos support items. Although all users benefit from this keychain, only administrative users can make changes to it. You’ll also find additional keychains in this folder for use by Legacy FileVault and the Apple Push service. This keychain appears with the name System in the Keychain Access application.
  • /Library/Keychains/FileVaultMaster.keychain —This keychain is created when the system master password is set, so it can only be unlocked with that password. This keychain, as the name implies, is used by the Legacy FileVault and FileVault 2 systems. Managing and troubleshooting Legacy FileVault and the master password is covered in Lesson 7 “System Security”. This keychain doesn’t appear in the Keychain Access application by default.
  • /System/Library/Keychains/—In this folder are several keychain files that store root certificates used to help identify trusted network services. Once again, all users benefit from these keychains, but only administrative users can make changes to them. Most of these keychain items don’t appear in the Keychain Access application by default.
  • + Share This
  • 🔖 Save To Your Account