Keychain Access

I have been using Apple’s keychain technology to keep my passwords safe since it first debuted in Mac OS 8.6. Keychains use Triple DES encryption to store passwords, private keys, certificates, and secure notes that can be retrieved automatically through a single sign-on. When you log into your Mac, your login password simultaneously unlocks your login keychain, giving the system access to all of your stored credentials. Although alternative cross-platform password storage services exist, I have always preferred Apple’s built-in solution because it is an integral part of Mac OS X. If you are reading this on a Mac, you are using Apple’s keychain technology.

Keychain Access

Not many people know about the Keychain Access application stored in their computer’s Utilities folder. They only discover it when there is a problem with their stored credentials and the Keychain First Aid command is required to sort things out. But Keychain Access can be used for far more than just repairing a user’s recorded credentials.

Keychain Access can:

  • Evaluate your computer’s root security certificates, and set trust settings for individual certificates.
  • Create certificates for yourself, or for others as a certificate authority.
  • Manage and view the encrypted credentials used to access websites, SSH accounts, network shares, wireless networks, applications, and encrypted disk images.
  • Import and store private keys required for sending and receiving encrypted correspondence.
  • Manage and track Kerberos tickets.
  • Author and edit secure notes.

I can’t tell you how many times I have used Keychain Access to retrieve a password I had forgotten, or to help a user with a credential they had lost. But Keychain Access’s capabilities don’t end with the advertised ones.

Multiple Keychains

One of the secrets of Apple’s keychain technology is that you can have more than one keychain. Apple allows you to keep your passwords, private keys, certificates, and secure notes in multiple keychains and store the keychain files wherever you like. Individual keychains can have separate passwords protecting their contents, and as long as Mac OS X can locate your unlocked keychain it can access the credentials stored inside.

Serial Numbers

One way I use Keychain Access is by storing serial numbers and software license keys in a separate keychain. In Keychain Access I create a new keychain from the File menu and populate it with new Password Items. I use the Keychain Item Name field for the software title, the Account Name field for the version number, and the Password field for the serial number. Even after all of my applications have migrated to the Mac App Store and serial numbers are obsolete, I will continue to use Keychain Access as a secure database for retrieving my legacy application serial numbers. Unlike proprietary serial number storage applications, my serial keychain has the benefit of being readable by any modern Mac, and it can be synced across all of my Macs using SpiderOak or Dropbox. There is even an Apple command line utility called security that can be used to automate the retrieval and storage of my serial numbers.
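The same serial keychain can be driven entirely from the command line with the security tool. Here, as an added example that is not part of the original post, is a small POSIX shell script that creates a separate keychain with its own password, sets it to lock on sleep and after a timeout, stores items using the same field layout as the Keychain Access dialog (service for the title, account for the version, password for the serial), and reads them back. The keychain path, the application name, the version and the serial number are made-up values for illustration; the extract_password helper is only needed on releases whose security tool lacks the -w flag.

```shell
#!/bin/sh
# Added example (not from the original post): a dedicated "serials" keychain
# driven entirely by /usr/bin/security. The keychain path, the item names
# and the serial number below are made up for illustration.

KEYCHAIN="${KEYCHAIN:-$HOME/Library/Keychains/serials.keychain}"

# Create the serial keychain with its own password (distinct from the login
# password), then make it lock on sleep and after 5 minutes of inactivity.
create_serial_keychain() {
    password=$1
    security create-keychain -p "$password" "$KEYCHAIN"
    security set-keychain-settings -l -u -t 300 "$KEYCHAIN"
}

# Same layout as the Keychain Access dialog: -s (service) holds the software
# title, -a (account) the version, -w the serial. -U updates an existing item
# instead of refusing to add a duplicate.
add_serial() {
    title=$1; version=$2; serial=$3
    security add-generic-password -U -s "$title" -a "$version" -w "$serial" "$KEYCHAIN"
}

# -w prints only the secret on stdout (recent releases of the security tool).
get_serial() {
    security find-generic-password -s "$1" -a "$2" -w "$KEYCHAIN"
}

# Older releases lack -w: -g prints the item with the secret on stderr as a
# line of the form   password: "XXXX"   ; this pulls that value out.
extract_password() {
    printf '%s\n' "$1" | sed -n 's/^password: "\(.*\)"$/\1/p'
}

get_serial_legacy() {
    out=$(security find-generic-password -s "$1" -a "$2" -g "$KEYCHAIN" 2>&1)
    extract_password "$out"
}

# Walk through create / store / fetch / delete on a throwaway keychain.
demo() {
    command -v security >/dev/null 2>&1 || { echo "needs Mac OS X (security tool)"; return 1; }
    KEYCHAIN=$(mktemp -d)/serials-demo.keychain
    create_serial_keychain 'correct horse battery staple'
    add_serial "Example App" "3.0" "EXMP-1234-5678"
    echo "Example App 3.0 serial: $(get_serial "Example App" "3.0")"
    echo "via -g:                 $(get_serial_legacy "Example App" "3.0")"
    security delete-keychain "$KEYCHAIN"
}

# Run as:  sh serials.sh demo
case "${1:-}" in demo) demo ;; esac
```

Passing the keychain path explicitly to every security command means the script never has to touch your keychain search list; the same path is what you would open in Keychain Access with File > Add Keychain. The lock-on-sleep and timeout settings matter most for a keychain you sync elsewhere, since an unlocked keychain hands its secrets to any process running as you.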

Poor Man’s Yojimbo

Another unintended way I use Keychain Access is by storing bits of information as secure notes. I have created a separate keychain file for all of my secure notes, and I label each note with the information it contains. Secure notes can be used for storing text, images, PDFs, sounds, zip files, and anything else you can copy and paste into the Notes field. Retrieving binary files from Keychain Access requires pasting the contents of each note into a TextEdit document, saving the file, and extracting the included attachments by right-clicking on the file’s icon and choosing the Show Package Contents command. I would not recommend using the keychain for storing large binary files; think of it instead as a modern encrypted equivalent of the classic Macintosh Scrapbook. For a more effortless, reliable information organizer try Yojimbo.

Syncing Keychains without MobileMe

Soon MobileMe keychain syncing will be a thing of the past, but the additional keychains we create can always be synchronized using third-party services. I am not afraid to let Dropbox sync my serial and scrapbook keychains because every keychain file is encrypted with Triple DES. Bear in mind that whoever can reach your Dropbox account can copy the keychain file and guess at its password offline at leisure, so give each synced keychain its own strong password rather than reusing your login password. There is no need to create a symbolic link. Just save all of your additional keychains into your Dropbox folder and open them in Keychain Access on any modern Mac. As long as you don’t edit your keychain entries on two different Macs at the same time, you can use Dropbox to bring your keychains with you wherever you go.

Keychain Access is a powerful utility, but like most tools, how you use it is up to you. From serial number archiving to scrapbooking, Mac OS X’s keychain technology is more than just a single secure place to store your credentials.