
Keychain Services Concepts

Computer users typically have to manage multiple accounts that require logins with user IDs and passwords. Secure FTP servers, AppleShare servers, database servers, secure websites, instant messaging accounts, and many other services require authentication before they can be used. Users often respond to this situation by making up very simple, easily remembered passwords, by using the same password over and over, or by writing passwords down where they can be easily found. Any of these cases compromises security.

The Keychain Services API provides a solution to this problem. By making a single call to this API, an application can store login information on a keychain where the application can retrieve the information—also with a single call—when needed. A keychain is an encrypted container that holds passwords for multiple applications and secure services. Keychains are secure storage containers, which means that when the keychain is locked, no one can access its protected contents. Users can unlock a keychain—thus providing trusted applications access to the contents—by entering a single master password. From the user’s point of view, a keychain provides transparent authentication, which means that after unlocking the keychain, the user does not have to log in separately to any services whose passwords are stored in the keychain. The user only has to enter one password once to access any number of applications, servers, websites, and so on. Figure 1-1 shows the relationship between the user, the keychain, and the password-protected services.

Note: In addition to passwords, keychains can store keys, certificates, and text strings (notes). Notes are generally entered by the user with the Keychain Access application. Most applications that use Keychain Services need to store or retrieve passwords, and that is the subject of this document. If you need to store or retrieve keys or certificates, see Certificate, Key, and Trust Services Reference.

Figure 1-1  Accessing password-protected services using a keychain

By default, each Mac OS X login account has one keychain (for a new login on Mac OS X v10.3, this keychain is named login.keychain); however, a user or application can create as many keychains as desired. The login keychain is automatically unlocked during login if it has the same password as the user’s login account password. When first created, the login keychain is also the default keychain. The default keychain is used to store newly created keychain items unless a different keychain is specified in the function call; certain other Keychain Services functions also use the default keychain when no other keychain is specified. The user can use the Keychain Access utility to designate another keychain as the default; doing so does not change which keychain is the login keychain.
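The single-call store and retrieve described above, using the default keychain by passing NULL as the keychain argument, as an added example written for this page rather than code taken from Apple's documentation. It assumes a Cocoa application linked against Foundation and Security; the service and account names are constructed for the example, and the duplicate-item case (the item already exists) is handled by updating the stored secret.

```objective-c
#import <Foundation/Foundation.h>
#import <Security/Security.h>
#import <string.h>
// Store a password on the default keychain (NULL keychain argument); if an
// item for this service/account already exists, update its secret instead.
static OSStatus StoreServicePassword(const char *service, const char *account,
                                     const char *password) {
    UInt32 svcLen = (UInt32)strlen(service), acctLen = (UInt32)strlen(account);
    OSStatus status = SecKeychainAddGenericPassword(
        NULL, svcLen, service, acctLen, account,
        (UInt32)strlen(password), password, NULL);
    if (status == errSecDuplicateItem) {
        SecKeychainItemRef item = NULL;
        status = SecKeychainFindGenericPassword(NULL, svcLen, service,
                                                acctLen, account, NULL, NULL, &item);
        if (status == errSecSuccess) {
            status = SecKeychainItemModifyAttributesAndData(
                item, NULL, (UInt32)strlen(password), password);
            CFRelease(item);
        }
    }
    return status;
}

// Retrieve the password from whichever unlocked keychain in the user's search
// list holds it; returns nil if not found, still locked, or access was denied.
static NSString *CopyServicePassword(const char *service, const char *account) {
    UInt32 length = 0; void *data = NULL;
    OSStatus status = SecKeychainFindGenericPassword(
        NULL, (UInt32)strlen(service), service,
        (UInt32)strlen(account), account, &length, &data, NULL);
    if (status != errSecSuccess) {
        NSLog(@"Keychain lookup failed: %d", (int)status);
        return nil;
    }
    NSString *password = [[NSString alloc] initWithBytes:data length:length
                                                encoding:NSUTF8StringEncoding];
    SecKeychainItemFreeContent(NULL, data);   // release the secret buffer
    return password;
}

int main(void) {
    NSAutoreleasePool *pool = [[NSAutoreleasePool alloc] init];
    // Service and account names are constructed for this example.
    OSStatus st = StoreServicePassword("example.ftp.server", "alice", "s3cret");
    NSString *pw = st == errSecSuccess ? CopyServicePassword("example.ftp.server", "alice") : nil;
    NSLog(@"stored=%d retrieved=%@", (int)st, pw ? @"yes" : @"no");
    [pw release]; [pool drain];
    return 0;
}
```

If the default keychain is locked, the first call prompts the user for the keychain password; if the application is not yet trusted for the item, the retrieve call prompts for access, and a denial surfaces as a non-zero status rather than a password.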

Contents:

Keychain Services and CDSA
Structure of a Keychain
Keychain Access Controls
Keychain Services Ease of Use
Keychain Services Advanced Features






Last updated: 2007-01-08

Copyright © 2007 Apple Inc.