iCloud Key Chain - External Disk Encryption

Discussion in 'OS X Mavericks (10.9)' started by alksion, Nov 14, 2013.

  1. alksion macrumors 68000

    Joined:
    Sep 10, 2010
    Location:
    Los Angeles County
    #1
    I just want to verify with the community. Am I correct in thinking there is no way for iCloud keychain to generate and store an encryption password for Time Machine or a comparable backup?

    Thanks in advance.
     
  2. laurihoefs macrumors 6502a

    Joined:
    Mar 1, 2013
    #2
    Not in a convenient way.

    In Keychain Access you can create Keychain items which contain the encryption keys, and even generate them. But unlike keys stored in the local keychain, they will not be applied automatically. To use the stored key you'll have to open Keychain Access, find the key, enter your password, and then copy and paste the key to where you need it.

    Though storing an encryption key in an on-line service is not a good solution anyway.
     
  3. alksion thread starter macrumors 68000

    Joined:
    Sep 10, 2010
    Location:
    Los Angeles County
    #3
    Just to make sure I am following, and thank you for your help by the way. In Keychain Access on my Mac, I can create/generate a password for the encryption to my external drive/Time Machine. With that newly generated password, I can access it anytime by entering my Mac's admin password and copy it into the field to access my disk. Hopefully I am right so far :eek:

    A couple of quick questions. If I need to access my Time Machine or standalone external, will I need to enter the password for the encryption every time or only when the external is ejected / powered off? Also, will Time Machine automatically back up my data or every time it tries to auto back up, will it require the password?

    Also may I ask why I should not store the encryption key in iCloud Keychain? Obviously I know any web-based storage has security issues, but is iCloud Keychain not extremely safe?

    Sorry for the questions, I greatly appreciate your help!
     
  4. laurihoefs, Nov 15, 2013
    Last edited: Nov 15, 2013

    laurihoefs macrumors 6502a

    Joined:
    Mar 1, 2013
    #4
    If you open Keychain Access on your Mac, you'll see there are separate keychains called "login" and "iCloud". The login keychain is local, its contents won't be synced to other devices.

    The login keychain is where the passwords for local applications and encrypted volumes, and some security certificates etc. are stored. When you encrypt a volume, you get an option to store the key to the login keychain. The stored passwords are read from the local keychain every time you mount the encrypted volume, and Time Machine also reads the keychain automatically.

    You do not need iCloud keychain to store the encryption passwords/keys. I explained how to do so, because I thought you were asking if it was possible to sync the keys between different computers or locations. Sorry for the confusion :eek:

    iCloud keychain is a well secured service, but it's still an on-line service.
     
  5. alksion thread starter macrumors 68000

    Joined:
    Sep 10, 2010
    Location:
    Los Angeles County
    #5
    Thanks for the reply. Right now, I have a 4-digit password for my main account on my computer. I'm feeling this isn't safe and might be easily cracked. Am I right?

    Also, if I allow iCloud Keychain to create a password for my iCloud account, will it also remember every time I download a new app on my iPhone?
     
  6. laurihoefs macrumors 6502a

    Joined:
    Mar 1, 2013
    #6
    You have to think if there realistically is a chance someone might crack it. If you want to be safe, the longer (and more complex) the password, the better. But of course you also have to be able to remember it.

    Check the section 'Guidelines for strong passwords' from this Wikipedia article on password strength.

    In most cases it does not matter much how long the user password is, as long as there is one in the first place. But using encrypted volumes changes this a bit. The user password is also by default the password for the local keychain, and if you store the encryption keys there, the safety of the whole encryption rests on the weak user password.

    iCloud Keychain does not save the iTunes/App Store/iCloud password, or other application passwords. You'll have to enter the passwords manually.
     
  7. alksion thread starter macrumors 68000

    Joined:
    Sep 10, 2010
    Location:
    Los Angeles County
    #7
    This is what I fear, a person stealing my computer, cracking my password and taking the keychain info. With that said, other than specialized software in the black market, is there any way for a person through OS X or Terminal to gain access to my machine without the password?

    Ah, I didn't think so. It would be cool if I had a 5S. Then I could let iCloud Keychain generate a password for my account and use my fingerprint so I don't have to remember it. Oh the possibilities!
     
  8. laurihoefs macrumors 6502a

    Joined:
    Mar 1, 2013
    #8
    User passwords can be reset by booting to single user mode. But resetting a user's password this way does not change the keychain password, so the keychain will remain secured.

    Booting the computer with something like Ubuntu Live CD, Ultimate Boot Disk, PartedMagic, etc, whatever bootable recovery/install/live disk will make it possible to access files on the hard drive. The keychain still remains inaccessible without the password though.

    Setting up an EFI password will prevent unauthorized booting from external drives, CDs or recovery partition.

    Using FileVault will protect files on the hard drive from being read, even if someone managed to boot the computer or took the hard disk out.

    But if you enable these measures, you have to make absolutely sure to select passwords you can remember. A forgotten EFI password means a visit to an Apple Store or a certified partner to regain access. A forgotten FileVault password means having to use a recovery key which is generated when FileVault is enabled. If you haven't stored that 25-letter key, then everything on the encrypted volume is as good as gone.

    Think very hard if you need to implement any of these measures, as they also involve risks, and make using the computer somewhat more complicated.

    iCloud Keychain is still fairly new, so I would not be surprised if it gained many new useful features in future updates :)
     
