Volume Number: 21
Issue Number: 10
Column Tag: Programming

All Keyed Up

Up Close and Personal With the Keychain: A First Look

by Ilene Hoffman

Our Own Little Corner of the Directory

As your car and house keys provide you access to your stuff behind closed doors, so does the keychain in Mac OS X. A keychain is Apple's designation for a file used to store your passwords, i.e. it is a container for changeable data, where you "write" passwords and save them in a secure file format. These are passwords you created to access software, instant message accounts, mail accounts, web sites, remote servers, such as AppleShare servers, database servers plus other types of personal information you don't want to forget. When a keychain is unlocked, you no longer have to remember or even type in a requested password for any item you've stored in a keychain. You can create as many different keychains as you like and can name them to differentiate the content, according to your personal preferences. The items in a keychain are keys that encrypt or decrypt data. Each keychain can hold as many passwords or keys as needed.

Unless you're some flavor of system or network administrator or your significant other has broken into your coveted system, the keychain is of little concern to you - it just works. In fact, the most common question received from my small business clients is: How do I turn off the keychain? Before you jump the gun and disable this too often maligned system utility, let's take a closer look at its use, functions, and benefits. Remember it is the only place Apple gives you to securely store all your private information.

When you start-up and log-in to with your own password Mac OS X your preferences, customized environment and your keychains are loaded. The main or default keychain, named login, is unlocked automatically. If you set up a .Mac email account when you set up your machine, that password is also stored in the login keychain. Any passwords you add to that keychain are available to you when you log in, so you should be careful if you leave your machine unattended in a populated environment. This is because your passwords are available to any stored item. Logging out of your user account locks the keychain or, if you prefer, you can set Automatic Locking, which is discussed below. For enhanced protection you can change your login keychain password, so that it is not unlocked at startup.

(Source: Enabling Secure Storage With Keychain Services, (c) 2004 Apple Computer, Inc., page 10.)

Keychain Access

The application Keychain Access, found inside the Utilities folder inside your Applications folder, is used to add, delete, and edit keys and keychains. You can also create new keychains, change the default keychain, or troubleshoot keychains. When you first open the application, you see your login keychain with a list of all of its stored passwords, a toolbar, and buttons to view each password key's attributes and access control.

When you first launch Keychain Access you see the login keychain with each of the default keys already entered. Any email address you entered when you set up Mac OS X is entered into the login keychain. In Figure 2, you can see an Earthlink address is active. The toolbar contains buttons to add a new Password, create a Note, Delete a key, Go to a web site, and Lock (or Unlock) the whole Keychain. Click Show Keychains to open a drawer to view all your keychains. The drawer has a nice feature where, if you can run your mouse over the name and location, the path to the keychain appears.

Each key includes a name , the kind of password, and its creation and modification date in a list view, as seen in Figure 2. When you choose an item (click once) the Delete button activates, so removing a key is easy. A dialog appears with a Delete button to confirm the action. Any item that contains the @ sign signifies that a web-related application is opened when you select the key and press the Go button. Applications include web browsers, email, and ftp applications.

Use the Attributes and Access Control buttons to view more information or edit a key. As seen in Figure 3 below, under the Attributes button you can change or edit any of the items, although some items add information automatically which is useful, such as the Comments for Safari's Forms Autofill utility. Generally, editing these items is not encouraged. A checkbox to Show Password is helpful, but leaving it unchecked is recommended. If you prefer to paste in your password manually, click the Copy Password to Clipboard button. If you do change any information, don't forget to Save Changes. The Comments area is especially useful as it allows you want to make notes on an account.

Access Control is one of the areas that allow you control over when you are prompted for your password(s). As I tell my clients, if you don't want to be bothered with password dialogs, check Access Control to make sure the radio button Allow all applications to access this item is selected. If you want a more secure system, select Confirm before allowing access, so that applications will request your input, and, for an additional layer of security, add the checkbox Ask for Keychain password. You can also use the`Add button and exempt some applications from requesting a password. When you change the permissions for any item, you must Confirm Access to Keychain and type in your Keychain password. Figure 4 shows a Safari Forms AutoFill key that requires a confirmation before any application other than Safari can access the stored information. Remember that the Finder is just another application in Mac OS X.

Create and Use New Keychains

If you think about it, it makes more sense in an environment where a lot of other people are running around to have at least one other keychain that isn't opened automatically when you boot up. So, just how do you create those secondary keychains? Keychain Access, of course! The steps are simply: Launch Keychain Access, choose New Keychain from the File menu, name the keychain, choose where to save it, and click Create. You will be asked to enter and verify a password for that new keychain. If you don't specify saving the keychain in another location, it is stored by default as the follows: (~/Library/Keychains). After you click Create you choose a password for the keychain and that's it, or is it?

Hidden Cool Resources

There are some very useful resources tucked away behind some innocuous buttons in the New Keychain Password dialog. The blue Details button shows information on the location of your new keychain, plus the application associated with it (in this case, Keychain Access.app). Details appear in a number of the dialogs in Keychain Access. The question mark button in the Password dialog takes you to a Mac Help screen on how to choose good passwords.

An even better resource is the Password Assistant. Click on the i button and the Assistant rates the quality of your password. In Figure 5, you can see that when I type my own name as the password it returns a low quality(6.5) because the password is not only too short, but very easy to guess. In fact, because it is under six characters , Mac OS X won't let me use my name as the password. When you've chosen a good password, the quality rating goes as high as 10% and the bar turns from red to green. As one network administrator friend of mine commented upon first seeing this help screen: "Wow, this is really helpful."

Multiple Keychains

To view all your keychains you can either select Show Keychains from the toolbar, which opens a Keychain drawer, or choose Show Keychains from the View menu, the keyboard short cut is command-shift- K.

You can also add a previously created keychain to your keychain list, even if the keychain was created on a different machine. To do this first move the keychain file to your computer and store it in your home directory ( ~/Library/Keychains). Second, open Keychain Access and choose Add Keychain... from the File menu. In the Open dialog navigate to the desired keychain and click Open. The keychain is now listed in the Keychain list.

Securing the Secure: Keychain Security

To help secure your machine, you can set each keychain lock preference separately. As noted above this helps protect prying eyes from accessing your information by mistake. You can lock your keychain manually, set it to lock after a specified amount of time or require applications to request access, as stated above. To make changes open Keychain Access, click on the keychain you want to change in the Keychains drawer, and choose Change Settings for Keychain from the Edit menu. The prompt to unlock your keychain appears, and after you type your password, the Change Keychain Settings dialog comes up.

As can be seen in Figure 6, check boxes make setting locking preferences easy. You can set a keychain to lock after any number of idle minutes and/ or you can Lock a keychain when your machine goes to sleep.

Remember that you can also change settings for a specific key in the Access Control pane, as detailed in the Keychain Access section above.

NOTE: If you find you need to access your keychains often, you can display an icon in your menu bar to open Keychain Access and have immediate access to work with your keys. In Keychain Access, choose Show Status in Menu Bar from the View menu, and a lock icon appears in your menu bar.

Adding New Keys

You can add keys in one of two ways:

1. When you launch a password protected item, such as your FTP site from an FTP app such as Fetch, Transit, Anarchie, you may be prompted to save your password in a keychain. A checkbox labeled: Add to Keychain is built into some applications. Click the box and your key is automatically added to your login.keychain. (Note: An incorrect item can be added, so please check your Keychain if you press the OK button and discover that you've made a mistake.) Whether a password can be added from an open dialog is totally up to the program's developer. As you can see in Figure 7, AOL Instant Messenger prompts you to save your password in a keychain, as does iChat.

2. The second way to add a key is to open Keychain Access and click the Password button. The New Password Item dialog appears and you can manually type in all the information to access any password-protected account you own, as you can see in Figure8. A side note to info I find useful: These passwords do not have to be computer related, you can save bank account information, your bike lock, or your account and PIN numbers for all those credit cards you own. Remember, when you click the Show Typing checkbox you can see your actual password. When an application or item is not supported by Keychain Access, these password items work perfectly as a repository to save secret items. Again, it is a good idea to save these items in a keychain other than the login.keychain (it works better and is more secure than having sticky notes stuck all over your computer). Just remember to click on the keychain you'd like to use before you create your new key.

Keychain Repair: First Aid

If you find things aren't working as expected, Keychain First Aid, available from the Window menu of Keychain Access, helps you troubleshoot your keychain problems. The main window contains three useful buttons, Verify checks passwords, settings, and the contents of your keychains. The Repair radio button fixes any problems found in your keychains. The third Options button contains settings.

Under the General Options you can clear previous logs created when you run Verify and Repair. In the unlikely event you've experienced keychain corruption, you can also Reset your selected keychain so that you can start over again. As stated in the dialog, your original keychain is moved, but not deleted.

The Expert Options allows you to set your login.keychain as the default and synchronize it when logging in. Best of all, for all those users who complain about the constant user password prompts, you can set your login keychain to remain unlocked, always!

Conclusion

As you've seen, Keychain Access is designed to protect your personal information, while providing you easy access to password protected items. Apple's Keychain Access Help is comprehensive and should be the first line place you turn when you have a question. If you want more technical information on security in Mac OS X or keychains, Apple's site has a number of informative documents:

• Mac OS X Security Features:

  http://www.apple.com/macosx/features/security/

• Security in Mac OS X Technology Brief (PDF):

  http://images.apple.com/macosx/ pdf/Security_in_Mac_OS_X.pdf

Developer Resources

• Keychain Services Reference (PDF or HTML): http://developer.apple.com/documentation/Security/Reference/keychainservices/
  
  
• Enabling Secure Storage With Keychain Services (PDF or HTML): http://developer.apple.com/documentation/Security/Conceptual/keychainServConcepts/index.html
  
  
• Certificate, Key, and Trust Services Reference (PDF or HTML): http://developer.apple.com/documentation/Security/Reference/certifkeytrustservices/index.html

Ilene Hoffman, MS is a Macintosh/ Internet Consultant. She stole her first Mac from her Dad in 1984 after asking him to buy a PC. She's worked for a bunch of major Mac sites, written for many Mac-based publications, and regularly provides troubleshooting expertise to small businesses. Ilene and her dog can be found in the Boston area under a pile of really old Macs.