Item Attribute Keys and Values

Specify the attributes of keychain items.

Overview

In addition to the data that you want to store, keychain items also have attributes that allow you to find them later and that allow you to control how the data is used or shared.

You specify attributes as the keys and values of a dictionary. The available attribute keys are listed below. Typically, the corresponding value is a string, a number, or some other basic type, as given in each key description. In a few cases, the value comes instead from a list of known constants. These predefined attribute values are also listed below, grouped according to the key that they serve.

Topics

General Item Attribute Keys

kSecAttrAccess

A key whose value is an access instance indicating access control list settings for this item.

kSecAttrAccessControl

A key whose value is an access control instance indicating access control settings for the item.

kSecAttrAccessible

A key whose value indicates when a keychain item is accessible.

kSecAttrAccessGroup

A key whose value is a string indicating the access group an item is in.

kSecAttrSynchronizable

A key whose value is a string indicating whether the item is synchronized through iCloud.

kSecAttrCreationDate

A key whose value indicates the item's creation date.

kSecAttrModificationDate

A key whose value indicates the item's last modification date.

kSecAttrDescription

A key whose value is a string indicating the item's description.

kSecAttrComment

A key whose value is a string indicating a comment associated with the item.

kSecAttrCreator

A key whose value indicates the item's creator.

kSecAttrType

A key whose value indicates the item's type.

kSecAttrLabel

A key whose value is a string indicating the item's label.

kSecAttrIsInvisible

A key whose value is a Boolean indicating the item's visibility.

kSecAttrIsNegative

A key whose value is a Boolean indicating whether the item has a valid password.

kSecAttrSyncViewHint

A key whose value is a string that provides a sync view hint.

Password Attribute Keys

kSecAttrAccount

A key whose value is a string indicating the item's account name.

kSecAttrService

A key whose value is a string indicating the item's service.

kSecAttrGeneric

A key whose value indicates the item's user-defined attributes.

kSecAttrSecurityDomain

A key whose value is a string indicating the item's security domain.

kSecAttrServer

A key whose value is a string indicating the item's server.

kSecAttrProtocol

A key whose value indicates the item's protocol.

kSecAttrAuthenticationType

A key whose value indicates the item's authentication scheme.

kSecAttrPort

A key whose value indicates the item's port.

kSecAttrPath

A key whose value is a string indicating the item's path attribute.

Certificate Attribute Keys

kSecAttrSubject

A key whose value indicates the item's subject name.

kSecAttrIssuer

A key whose value indicates the item's issuer.

kSecAttrSerialNumber

A key whose value indicates the item's serial number.

kSecAttrSubjectKeyID

A key whose value indicates the item's subject key ID.

kSecAttrPublicKeyHash

A key whose value indicates the item's public key hash.

kSecAttrCertificateType

A key whose value indicates the item's certificate type.

kSecAttrCertificateEncoding

A key whose value indicates the item's certificate encoding.

Cryptographic Key Attribute Keys

kSecAttrKeyClass

A key whose value indicates the item's cryptographic key class.

kSecAttrApplicationLabel

A key whose value indicates the item's application label.

kSecAttrApplicationTag

A key whose value indicates the item's private tag.

kSecAttrKeyType

A key whose value indicates the item's algorithm.

kSecAttrPRF

A key whose value indicates the item's pseudorandom function.

kSecAttrSalt

A key whose value indicates the salt to use for this item.

kSecAttrRounds

A key whose value indicates the number of rounds to run the pseudorandom function.

kSecAttrKeySizeInBits

A key whose value indicates the number of bits in a cryptographic key.

kSecAttrEffectiveKeySize

A key whose value indicates the effective number of bits in a cryptographic key.

kSecAttrTokenID

A key whose value indicates that a cryptographic key is in an external store.

Cryptographic Key Usage Attribute Keys

kSecAttrIsPermanent

A key whose value indicates the item's permanence.

kSecAttrIsSensitive

A key whose value indicates the item's sensitivity.

kSecAttrIsExtractable

A key whose value indicates the item's extractability.

kSecAttrCanEncrypt

A key whose value is a Boolean that indicates whether the cryptographic key can be used for encryption.

kSecAttrCanDecrypt

A key whose value is a Boolean that indicates whether the cryptographic key can be used for decryption.

kSecAttrCanDerive

A key whose value is a Boolean that indicates whether the cryptographic key can be used for derivation.

kSecAttrCanSign

A key whose value is a Boolean that indicates whether the cryptographic key can be used for digital signing.

kSecAttrCanVerify

A key whose value is a Boolean that indicates whether the cryptographic key can be used for signature verification.

kSecAttrCanWrap

A key whose value is a Boolean that indicates whether the cryptographic key can be used for wrapping.

kSecAttrCanUnwrap

A key whose value is a Boolean that indicates whether the cryptographic key can be used for unwrapping.

Protocol Values

Values you use with the kSecAttrProtocol attribute key.

kSecAttrProtocolFTP

FTP protocol.

kSecAttrProtocolFTPAccount

A client-side FTP account.

kSecAttrProtocolHTTP

HTTP protocol.

kSecAttrProtocolIRC

IRC protocol.

kSecAttrProtocolNNTP

NNTP protocol.

kSecAttrProtocolPOP3

POP3 protocol.

kSecAttrProtocolSMTP

SMTP protocol.

kSecAttrProtocolSOCKS

SOCKS protocol.

kSecAttrProtocolIMAP

IMAP protocol.

kSecAttrProtocolLDAP

LDAP protocol.

kSecAttrProtocolAppleTalk

AFP over AppleTalk.

kSecAttrProtocolAFP

AFP over TCP.

kSecAttrProtocolTelnet

Telnet protocol.

kSecAttrProtocolSSH

SSH protocol.

kSecAttrProtocolFTPS

FTP over TLS/SSL.

kSecAttrProtocolHTTPS

HTTP over TLS/SSL.

kSecAttrProtocolSMB

SMB protocol.

kSecAttrProtocolRTSP

RTSP protocol.

kSecAttrProtocolDAAP

DAAP protocol.

kSecAttrProtocolEPPC

Remote Apple Events.

kSecAttrProtocolIPP

IPP protocol.

kSecAttrProtocolNNTPS

NNTP over TLS/SSL.

kSecAttrProtocolLDAPS

LDAP over TLS/SSL.

kSecAttrProtocolTelnetS

Telnet over TLS/SSL.

kSecAttrProtocolIMAPS

IMAP over TLS/SSL.

kSecAttrProtocolIRCS

IRC over TLS/SSL.

kSecAttrProtocolPOP3S

POP3 over TLS/SSL.

Authentication Type Values

Values you use with the kSecAttrAuthenticationType attribute key.

kSecAttrAuthenticationTypeNTLM

Windows NT LAN Manager authentication.

kSecAttrAuthenticationTypeMSN

Microsoft Network default authentication.

kSecAttrAuthenticationTypeDPA

Distributed Password authentication.

kSecAttrAuthenticationTypeRPA

Remote Password authentication.

kSecAttrAuthenticationTypeHTTPBasic

HTTP Basic authentication.

kSecAttrAuthenticationTypeHTTPDigest

HTTP Digest Access authentication.

kSecAttrAuthenticationTypeHTMLForm

HTML form-based authentication.

kSecAttrAuthenticationTypeDefault

The default authentication type.

Key Class Values

Values you use with the kSecAttrKeyClass attribute key.

kSecAttrKeyClassPublic

A public key of a public-private pair.

kSecAttrKeyClassPrivate

A private key of a public-private pair.

kSecAttrKeyClassSymmetric

A private key used for symmetric-key encryption and decryption.

Key Type Values

Values you use with the kSecAttrKeyType attribute key.

kSecAttrKeyTypeRSA

RSA algorithm.

kSecAttrKeyTypeDSA

DSA algorithm.

kSecAttrKeyTypeAES

AES algorithm.

kSecAttrKeyTypeDES

DES algorithm.

kSecAttrKeyType3DES

3DES algorithm.

kSecAttrKeyTypeRC4

RC4 algorithm.

kSecAttrKeyTypeRC2

RC2 algorithm.

kSecAttrKeyTypeCAST

CAST algorithm.

kSecAttrKeyTypeECDSA

Elliptic curve DSA algorithm.

kSecAttrKeyTypeEC

Elliptic curve algorithm.

kSecAttrKeyTypeECSECPrimeRandom

Elliptic curve algorithm.

Synchronizability Values

Values you use with the kSecAttrSynchronizable attribute key.

kSecAttrSynchronizableAny

Specifies that both synchronizable and non-synchronizable results should be returned from a query.

Token ID Values

Values you use with the kSecAttrTokenID attribute key.

kSecAttrTokenIDSecureEnclave

Specifies an item should be stored in the device's Secure Enclave.

Accessibility Values

Values you use with the kSecAttrAccessible attribute key, listed from most to least restrictive.

kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly

The data in the keychain can only be accessed when the device is unlocked. Only available if a passcode is set on the device.

kSecAttrAccessibleWhenUnlockedThisDeviceOnly

The data in the keychain item can be accessed only while the device is unlocked by the user.

kSecAttrAccessibleWhenUnlocked

The data in the keychain item can be accessed only while the device is unlocked by the user.

kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly

The data in the keychain item cannot be accessed after a restart until the device has been unlocked once by the user.

kSecAttrAccessibleAfterFirstUnlock

The data in the keychain item cannot be accessed after a restart until the device has been unlocked once by the user.

kSecAttrAccessibleAlwaysThisDeviceOnly

The data in the keychain item can always be accessed regardless of whether the device is locked.

Deprecated

kSecAttrAccessibleAlways

The data in the keychain item can always be accessed regardless of whether the device is locked.

Deprecated

Pseudorandom Function Values

Values you use with the kSecAttrPRF attribute key to indicate the item's pseudorandom function.

kSecAttrPRFHmacAlgSHA1

Use the SHA1 algorithm.

kSecAttrPRFHmacAlgSHA224

Use the SHA224 algorithm.

kSecAttrPRFHmacAlgSHA256

Use the SHA256 algorithm.

kSecAttrPRFHmacAlgSHA384

Use the SHA384 algorithm.

kSecAttrPRFHmacAlgSHA512

Use the SHA512 algorithm.

Access Group Values

Values you use with the kSecAttrAccessGroup attribute key.

kSecAttrAccessGroupToken

The access group containing items provided by external tokens.

See Also

Adding Keychain Items

Adding a Password to the Keychain

Add network credentials to the keychain on behalf of the user.

SecItemAdd

Adds one or more items to a keychain.

Item Class Keys and Values

Specify the class of a keychain item.