Tell HN: macOS keychains cannot always be restored from backups
In particular, your account's Local Items keychain, which is used by Safari and some other Apple applications to store passwords, is encrypted in such a way that it can only be restored onto the exact same machine — knowing the user's password is insufficient. Thus, if your machine is lost, stolen, or damaged, a restore from Time Machine backup will not properly restore your keychain. Nor will the keychain properly migrate to another machine using Migration Assistant (luckily, this is how I discovered this behavior).
There is no warning of this behavior in any documentation, and no workaround whatsoever except to use a different browser or password manager, or to manually store all passwords yourself separately in the Login (rather than Local Items) keychain.
There's also no way to export the items in the the Local Items keychain except manually copying them to another keychain, during which you must enter your password one-by-one for each copied item (people have written some AppleScripts to automate this, e.g. https://gist.github.com/rmondello/b933231b1fcc83a7db0b).
If you use iCloud Keychain, then the Local Items keychain is just a machine-local cache of the iCloud data, which is fine, I guess. But this behavior is just dangerously broken if you do not use iCloud for this purpose.
(This was originally a comment at https://news.ycombinator.com/item?id=24624001, but it was suggested that it be its own top-level post.)
5 comments
[ 4.3 ms ] story [ 23.9 ms ] threadhttps://forums.macrumors.com/threads/data-migration-local-ke...
https://apple.stackexchange.com/questions/142123/extract-pas...
https://apple.stackexchange.com/questions/137250/export-keyc...
https://forums.macrumors.com/threads/how-do-i-copy-the-local...
https://discussions.apple.com/thread/8536461
I think this actually works "as intended". Since keychain items serve as the root for your credentials to various services, it makes sense to protect them with two factors; in this case it's "something I know" (password) with "something I have" (device). A loss of either should render the encrypted data useless.
Local keychain is precisely that; local. It is not intended to be something that is by default transferable, as opposed to say, iCloud Keychain.
I emphasise by default because yes, a user should be allowed to easily export/backup the local keychain if they want. The fact that its a PITA and requires a workaround via AppleScripts is very frustrating. And, as I said, lack of clarity by Apple/Time Machine of this fact.
Why should that only be the behavior for the Local Items keychain and not also the Login keychain? From the user’s perspective, what’s the meaningful difference between the two?
The right thing for most users is to have an encrypted backup of the keychain that’s part of the rest of the computer backup. In fact, for most users, it could easily be disastrous not to.
Also, migrations to new devices are a fact of life. It should be possible to migrate to a new device and bring your keychain along.