I want to tell you briefly about the keychain system in OS X. Keychains are used to store sensitive critical data. You can think of:

  • Resource passwords (only if allowed to save)
  • Wireless passwords
  • Kerberos items
  • Certificates
  • Keys
  • Website forms
  • Secure notes

Only the account password is not stored in the keychains.

The keychains are files encrypted with the Triple DES algorithm and located in different locations.

  • /Users/%username%/Library/Keychain/login.keychain

The login.keychain is automatically created for every user and is unlocked when the user successfully logs in. This keychain contains user specific items.

  • /Library/keychain/System.keychain

Non user specific items are stored in the System.keychain. Here you can find wireless passwords, network passwords and Kerberos items. Only administrators can make changes in this keychain.

  • /Library/Keychain/FileVaultMaster.Keychain

This keychain can only be opened with the File Vault master password. I will make a future blog post about File Vault where this is explained.

  • /System/Library/Keychains

This is also a keychain where only administrators can make changes. It is used to store root certificates.

With the Keychain Access application found in /Applications/Utilities you can open and edit the keychain. You can add, delete and modify entries. It is also possible to repair keychains. The keychain Access application opens with the user’s login.keychain as a default. Here you see different entries and you can resolve passwords. If you want to show a password you will be prompted for the user account password.

As mentioned earlier the login.keychain password is the same as the user account password. When a user changes his password the login.keychain password is also changed but if the password is reset by an administrator the login.keychain password is not changed. When the user logs in after a reset by an administrator there will be the following prompt:


The user can choose to update the keychain password but fore this the user needs to remember his forgotten password. So normally the user needs to create a new keychain. This new keychain is then created with the new user password. Because there is a new keychain the saved password etc. from the old locked keychain are not present anymore.

The old keychain is saved in the user’s  ~/Library/Keychains folder. It can still be unlocked with the Keychain Access application when the user remembers the old password. If OS X can’t open the keychain and it is corrupted you can repair it with the Keychain Access application. In the Keychain Access menu you can choose Keychain First Aid. Here you need to enter a username and password, select the repair option and click on the Start button.

Nice little extra: If you travel a lot and want to take notes etc. securely with you, you can safe them in a keychain file. With the Triple DES encryption the keychain file is securely encrypted and you can only open the keychain again with the password you used to create the keychain.