Home > Articles

  • Print
  • + Share This
This chapter is from the book

Keychain Access

Using the Internet is a never-ending struggle to keep track of passwords for email servers, file servers, Web sites, and other private information. The Keychain Access software (path: /Applications/Utilities/Keychain Access) automatically stores passwords from Keychain-aware applications such as Mail and Safari. Users can also manually add their own passwords to the keychain. Later, the keychain can be unlocked to reveal the original cleartext password.


The default keychain is unlocked by your account password. Sensitive information is best placed in a secondary keychain with a different password; otherwise, a single compromise of your account unlocks access to all your information.

Read how to add new keychains in the "Managing Keychains" section later in the chapter.

Keychains and Keychain Scope

By default, all users have their own keychain named login. This is called the User keychain. Additional User keychains can be created to store specific information, such as credit card numbers, PINs, and so on. Think of the keychain as a database of your most sensitive information, all accessible through your Mac OS X account password.

In addition to User keychains, Global keychains are accessible by all users on the system. A Global keychain can be created by an administrator and shared to the other users on the system. An example of the usefulness of this feature is creating a keychain with corporate login data for intranet file servers that should be available to everyone.

User keychains are stored in ~/Library/Keychains, whereas Global keychains are located in /Library/Keychains.

Automated Access

Launching Keychain Access displays the contents of your default keychain—named login. For an account that has been using the keychain to store file server passwords, HTTP authentication information, and so on, the Keychain Access window should look similar to that shown in Figure 3.32.

Figure 3.32Figure 3.32 The Keychain Access window displays a list of stored passwords and other information.

The obvious question is, "How did these items get here?" They were added by Mac OS X applications. Typically, when an application wants to store something in the keychain, you'll be given the option of storing it. For example, when accessing a site that requires HTTP authentication, some Web browsers present a dialog box requesting a username and password, and offering to "remember" it or "add to keychain." Choosing these options automatically adds the entered password to the default keychain. Over time, your keychain could become populated with hundreds of items, and you might not ever know it!

When an application wants to access information from your keychain, it must first make sure that the keychain is unlocked. Your default Mac OS X keychain is automatically unlocked when you log in to your account, making its passwords accessible to the applications that stored them. To manually lock or unlock a keychain, click the Lock button at the top of the Keychain Access window. The Keychain Access window, along with its Dock icon, changes to reflect its security status. If an application attempts to access information on a locked keychain, it displays a dialog box, as shown in Figure 3.33. Entering the correct password (your account password for the default keychain) unlocks the keychain that your application is attempting to access. Clicking the Details disclosure pushbutton displays what keychain is being unlocked and the application making the keychain request.

Figure 3.33Figure 3.33 If an application attempts to access data in a locked keychain, you are prompted for the keychain's password.

Even after a keychain is unlocked, an application might still need a bit more help before it can retrieve the information it needs from the keychain. Each stored piece of information can be controlled in a way that makes it accessible to only specific applications. Mail passwords, for example, are accessible only by the Mail application. If a program you just downloaded off the Internet attempts to unlock your Web or email passwords, you'll know something nefarious is afoot. Sometimes, usually after a system upgrade, you will have to re-educate your Mac OS X computer about what applications can access what passwords. This is a simple process.

When the keychain notices an unauthorized application attempting to access a piece of information, it prompts the user with a window to deny the access, allow it only once (Allow Once), or allow the application to access the information whenever it wants (Always Allow), demonstrated in Figure 3.34.

Before making a choice, always click the Details disclosure pushbutton to view which keychain is being accessed and which application wants the data. If you don't recognize the application, click Deny to disallow access.

Figure 3.34Figure 3.34 Each application must be authorized to access a specific piece of information.

Working with Keychain Items

Users who want to access stored data, or manually add new information to a keychain, can do so through the Keychain Access program. Each item listed in the Keychain window can be viewed by selecting it. Web entries can be launched in a Web browser by selecting the resource and clicking the Go toolbar button. You can sort the Keychain item list by using View, Sort or by clicking the headings in the List view.

The lower portion of the window displays information about a keychain entry using a button bar with two entries: Attributes and Access Control.


The Attributes button as its name suggests, provides basic information about the stored information. For example, Figure 3.35 shows the attributes for an IMAP password in my default keychain. The Kind field identifies the type of information, Where shows the resource that stored the information, and Account displays the creating user account. Users can add any additional comments about the item by typing in the Comments field. Click the Show Password button to display the password in cleartext.


When you click Show Password, you often are prompted to allow Keychain Access to retrieve the data. Although this might seem strange, it is because Keychain Access itself must obey the same rules as the rest of the system. Because Keychain Access isn't listed as having unlimited access to stored items, it asks each time it needs to retrieve the information.

You can edit any of the item attributes within the Attributes pane. Click the Save Changes button in the lower-right corner to save any modifications you've made.

Figure 3.35Figure 3.35 The Attributes pane displays what type of data is stored, and when it was added to the keychain.

Access Control

The Access Control pane enables the user to pick and choose which applications can access a given piece of information in the keychain. Shown in Figure 3.36, the controls of this pane are straightforward. Click Allow All Applications to Access This Item to transparently provide access to the resource with no user interaction.

You can specify individual applications by clicking the Confirm Before Allowing Access radio button; then use the Add and Remove buttons to add and remove applications from the list. Leave the application list blank to always force a confirmation. Finally, check the Ask for Keychain Password check box to force the user to enter a password each time access is confirmed.

Figure 3.36Figure 3.36 The Access Control pane provides control over what applications can access a piece of data.

Adding New Entries

New pieces of information can be added to the keychain by clicking the Add button in the main Keychain window or choosing File, New, then Password Item or Secure Note from the menu or clicking the Password or Note buttons in the toolbar. This action opens a new window, such as that shown in Figure 3.37, for entering the data to be stored. Enter the name or URL of the stored item in the Name field, the account name associated with the data in the Account field, and, finally, the sensitive data in the Password field. By default, the password is hidden as you type. To display the password as it is typed, click the Show Typing check box. Click Add when finished. When creating a Secure Note, only a name and note field are displayed.

Figure 3.37Figure 3.37 New items can easily be added manually to an existing keychain.

To remove any item from the keychain (either automatically or manually entered), select its name in the list and then click the Delete toolbar button, or choose Edit, Delete.

Adding Certificates

Digital certificates are used to provide authoritative identification information for people and services online. Secure Web sites use certificates to prove that they are legitimate (as you'll see in Chapter 27). Another use, fully supported in Panther, is that of providing secure mail services to and from clients that support the S/MIME standard (see http://www.rsasecurity.com/standards/smime/faq.html for details).

To support encryption in mail, you must add an X.509 digital certificate containing a private and public key. The public key is used to sign outgoing messages so that other users can encrypt mail to you, which, subsequently is decrypted with your private key. Other users who sign their outgoing messages with their public key (using the S/MIME standard) can send you mail, and the Mac OS X Mail application automatically saves a certificate with their public key to your keychain. This, in turn, allows you to send encrypted messages to that person.

To obtain a certificate for signing mail, contact a Certificate Authority (CA), such as http://www.verisign.com/products/class1/index.html or http://www.thawte.com/html/COMMUNITY/personal/. Or do a Google search for "free email certificate" to turn up several dozen free options.

Unfortunately, not many certificate services (if any) can easily provide the certificates in a format that is Mac OS X "Mail" ready. As a result, it is difficult to predict how you will "get" your certificate. Some users in similar situations report success importing the certificates into browsers such as Netscape (http://www.netscape.com) or Opera (http://www.opera.com) and then using the export options in these browsers to save the certificate in a .cer, .crt, or .p7c (among others) file. I've personally had success importing the certificate into Outlook (most certificate services are already set up to import into Outlook) and then exporting from Outlook. Whatever your technique, you should eventually end up with a certificate that can be imported into Keychain Access.

To import a certificate, double-click it (if it is a recognized type), or choose File, Import and choose the file. Keychain Access displays an import dialog box, as shown in Figure 3.38.

Figure 3.38Figure 3.38 Import a digital certificate into Keychain Access.

Choose the keychain to add the certificate to and then click OK. If you want to view the certificate before saving it, click the View Certificates button. After an S/MIME certificate has been added, the encryption features "appear" in Mail, as described in Chapter 4.

Certificates can be selected in the Keychain element list to view their contents and change their Trust settings. Trust Settings can be altered such that permission is required each time a certificate is accessed, or a certificate is always trusted.

Managing Keychains

Each user account can have as many keychains as needed, including systemwide Global keychains. Click the Keychains toolbar button to manage the keychains stored in your user account; the window drawer shown in Figure 3.39 appears.

Figure 3.39Figure 3.39 Use the Keychain List to manage your available keychains.

As mentioned earlier, a default keychain is generated for each user account named login. Also included is a default Global keychain named System shared throughout all user accounts.

New keychains can be created by choosing File, New Keychain. You are prompted for a name and a save location for the keychain. The default for a User keychain is ~/Library/Keychains; Global keychains should be stored in /Library/Keychains.

Next, you need to enter a passphrase that unlocks the new keychain. It's best to choose something different from your account password to prevent people who might gain access to your account from seeing your most sensitive information. If you want to add an existing keychain file (perhaps from your account on another Mac OS X machine), use File, Add Keychain from the menu, and then choose the keychain file on your drive.

When the new keychain is added or created within an account, you can switch to it by choosing its name from the Keychain window drawer. You can make a keychain your default keychain (displacing login), by choosing File, Make Keychain Default.


To move entries from one keychain to another, select the items you want to move and then drag them to the appropriate keychain in the keychain drawer.

To remove a keychain from the system, highlight its name in the list and then press the Delete key.

Unlock or lock keychains in the drawer using the Lock/Unlock toolbar icons.


You can add a Keychain menu extra to your menu bar by choosing View, Show Status in the menu bar. This extra provides the capability to lock and unlock any one of your keychains at any time.

Creating Global Keychains

Global keychains are identical to User keychains but have a flag toggled to make them available to all users—the Global flag (surprise). You can convert any keychain to or from Global keychain status using the Keychain List (Window, Keychain List; Command-Option-L). The Keychain List is shown in Figure 3.40.

Figure 3.40Figure 3.40 Manage User and Global keychains.

The pop-up menu at the top of the list enables you to choose between User (your keychains) and System keychains. System keychains are keychains stored at the System (/Library/Keychains) level but not necessarily Global keychains. If installing a keychain for everyone on the system, it should be stored as a System keychain and should also be set as a Global keychain.

To convert a keychain to or from global status, highlight it in the Keychain List; then use the Global check box to change its status. System Global keychains automatically show up in other users' Keychain Lists.

Keychain Settings and Passwords

The Keychain Access application has no preferences, but it does allow some control over each keychain file, such as modifying the password that unlocks the keychain. To open the settings, highlight the appropriate keychain from the Keychains drawer and then choose Edit, Change Settings for Keychain. You should see a new window, much like the one shown in Figure 3.41.

Figure 3.41Figure 3.41 Set your keychains to lock after a certain length of time.

Within the Settings window, you can use the Lock After XX Minutes of Inactivity setting to force Mac OS X to lock a keychain if it isn't used for a certain length of time. Clicking Lock When Sleeping causes the keychain to be locked if the computer goes to sleep.

Use Edit, Change Keychain Password to edit the password that unlocks the keychain.


If you change the password on your default keychain to something other than your Mac OS X account password, it will not be automatically unlocked when you first log in.

Keychain First Aid

As you work with keychains, a variety of problems can occur, such as passwords getting out of sync and improper keychains being set as the default. The Keychain First Aid tool can repair some of these common problems for any user account on the system.

To access Keychain First Aid, choose Window, Keychain First Aid (Option-Command-A). The First Aid window, shown in Figure 3.42, appears.

Figure 3.42Figure 3.42 Keychain First Aid can repair common Keychain problems.

To verify a user's keychain, click the Verify radio button, enter the username and password, and click the Start button. If problems are found, switch to Repair mode and then click Start again.

The options button can be used to configure what "repairs" will take place and also offers an option to reset to a "factory fresh" default keychain.

The First Aid features are best for fixing problems for users who have accidentally messed up their default login keychain. It does not fix a keychain that has suffered data corruption or recover information that has otherwise been lost. It is a tool to help you, as an administrator, handle keychain problems for your users without logging in to their accounts.


Keychain Access menus provide little additional control over what is offered in the toolbar buttons. Use the File menu to quickly lock all keychains and reset the default keychain for your account. All other functions are readily accessible from the Keychain Access window.

  • + Share This
  • 🔖 Save To Your Account

InformIT Promotional Mailings & Special Offers

I would like to receive exclusive offers and hear about products from InformIT and its family of brands. I can unsubscribe at any time.


Pearson Education, Inc., 221 River Street, Hoboken, New Jersey 07030, (Pearson) presents this site to provide information about products and services that can be purchased through this site.

This privacy notice provides an overview of our commitment to privacy and describes how we collect, protect, use and share personal information collected through this site. Please note that other Pearson websites and online products and services have their own separate privacy policies.

Collection and Use of Information

To conduct business and deliver products and services, Pearson collects and uses personal information in several ways in connection with this site, including:

Questions and Inquiries

For inquiries and questions, we collect the inquiry or question, together with name, contact details (email address, phone number and mailing address) and any other additional information voluntarily submitted to us through a Contact Us form or an email. We use this information to address the inquiry and respond to the question.

Online Store

For orders and purchases placed through our online store on this site, we collect order details, name, institution name and address (if applicable), email address, phone number, shipping and billing addresses, credit/debit card information, shipping options and any instructions. We use this information to complete transactions, fulfill orders, communicate with individuals placing orders or visiting the online store, and for related purposes.


Pearson may offer opportunities to provide feedback or participate in surveys, including surveys evaluating Pearson products, services or sites. Participation is voluntary. Pearson collects information requested in the survey questions and uses the information to evaluate, support, maintain and improve products, services or sites, develop new products and services, conduct educational research and for other purposes specified in the survey.

Contests and Drawings

Occasionally, we may sponsor a contest or drawing. Participation is optional. Pearson collects name, contact information and other information specified on the entry form for the contest or drawing to conduct the contest or drawing. Pearson may collect additional personal information from the winners of a contest or drawing in order to award the prize and for tax reporting purposes, as required by law.


If you have elected to receive email newsletters or promotional mailings and special offers but want to unsubscribe, simply email information@informit.com.

Service Announcements

On rare occasions it is necessary to send out a strictly service related announcement. For instance, if our service is temporarily suspended for maintenance we might send users an email. Generally, users may not opt-out of these communications, though they can deactivate their account information. However, these communications are not promotional in nature.

Customer Service

We communicate with users on a regular basis to provide requested services and in regard to issues relating to their account we reply via email or phone in accordance with the users' wishes when a user submits their information through our Contact Us form.

Other Collection and Use of Information

Application and System Logs

Pearson automatically collects log data to help ensure the delivery, availability and security of this site. Log data may include technical information about how a user or visitor connected to this site, such as browser type, type of computer/device, operating system, internet service provider and IP address. We use this information for support purposes and to monitor the health of the site, identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents and appropriately scale computing resources.

Web Analytics

Pearson may use third party web trend analytical services, including Google Analytics, to collect visitor information, such as IP addresses, browser types, referring pages, pages visited and time spent on a particular site. While these analytical services collect and report information on an anonymous basis, they may use cookies to gather web trend information. The information gathered may enable Pearson (but not the third party web trend services) to link information with application and system log data. Pearson uses this information for system administration and to identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents, appropriately scale computing resources and otherwise support and deliver this site and its services.

Cookies and Related Technologies

This site uses cookies and similar technologies to personalize content, measure traffic patterns, control security, track use and access of information on this site, and provide interest-based messages and advertising. Users can manage and block the use of cookies through their browser. Disabling or blocking certain cookies may limit the functionality of this site.

Do Not Track

This site currently does not respond to Do Not Track signals.


Pearson uses appropriate physical, administrative and technical security measures to protect personal information from unauthorized access, use and disclosure.


This site is not directed to children under the age of 13.


Pearson may send or direct marketing communications to users, provided that

  • Pearson will not use personal information collected or processed as a K-12 school service provider for the purpose of directed or targeted advertising.
  • Such marketing is consistent with applicable law and Pearson's legal obligations.
  • Pearson will not knowingly direct or send marketing communications to an individual who has expressed a preference not to receive marketing.
  • Where required by applicable law, express or implied consent to marketing exists and has not been withdrawn.

Pearson may provide personal information to a third party service provider on a restricted basis to provide marketing solely on behalf of Pearson or an affiliate or customer for whom Pearson is a service provider. Marketing preferences may be changed at any time.

Correcting/Updating Personal Information

If a user's personally identifiable information changes (such as your postal address or email address), we provide a way to correct or update that user's personal data provided to us. This can be done on the Account page. If a user no longer desires our service and desires to delete his or her account, please contact us at customer-service@informit.com and we will process the deletion of a user's account.


Users can always make an informed choice as to whether they should proceed with certain services offered by InformIT. If you choose to remove yourself from our mailing list(s) simply visit the following page and uncheck any communication you no longer want to receive: www.informit.com/u.aspx.

Sale of Personal Information

Pearson does not rent or sell personal information in exchange for any payment of money.

While Pearson does not sell personal information, as defined in Nevada law, Nevada residents may email a request for no sale of their personal information to NevadaDesignatedRequest@pearson.com.

Supplemental Privacy Statement for California Residents

California residents should read our Supplemental privacy statement for California residents in conjunction with this Privacy Notice. The Supplemental privacy statement for California residents explains Pearson's commitment to comply with California law and applies to personal information of California residents collected in connection with this site and the Services.

Sharing and Disclosure

Pearson may disclose personal information, as follows:

  • As required by law.
  • With the consent of the individual (or their parent, if the individual is a minor)
  • In response to a subpoena, court order or legal process, to the extent permitted or required by law
  • To protect the security and safety of individuals, data, assets and systems, consistent with applicable law
  • In connection the sale, joint venture or other transfer of some or all of its company or assets, subject to the provisions of this Privacy Notice
  • To investigate or address actual or suspected fraud or other illegal activities
  • To exercise its legal rights, including enforcement of the Terms of Use for this site or another contract
  • To affiliated Pearson companies and other companies and organizations who perform work for Pearson and are obligated to protect the privacy of personal information consistent with this Privacy Notice
  • To a school, organization, company or government agency, where Pearson collects or processes the personal information in a school setting or on behalf of such organization, company or government agency.


This web site contains links to other sites. Please be aware that we are not responsible for the privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of each and every web site that collects Personal Information. This privacy statement applies solely to information collected by this web site.

Requests and Contact

Please contact us about this Privacy Notice or if you have any requests or questions relating to the privacy of your personal information.

Changes to this Privacy Notice

We may revise this Privacy Notice through an updated posting. We will identify the effective date of the revision in the posting. Often, updates are made to provide greater clarity or to comply with changes in regulatory requirements. If the updates involve material changes to the collection, protection, use or disclosure of Personal Information, Pearson will provide notice of the change through a conspicuous notice on this site or other appropriate way. Continued use of the site after the effective date of a posted revision evidences acceptance. Please contact us if you have questions or concerns about the Privacy Notice or any objection to any revisions.

Last Update: November 17, 2020