In my app, I use SecItem to store some data in the Keychain. I’d like to know — when a user sets up a new iPhone and transfers data from the old device, will those Keychain items be migrated or synced to the new device?
App Keychain will sync secitem from old device to new device
Keychain items stored using SecItem in your app will generally be migrated or synced to a new iPhone when a user transfers data from their old device, but the specifics depend on how the transfer is performed and the Keychain item attributes you’ve set. Here’s a concise explanation:

- iCloud Keychain Syncing:
  - If iCloud Keychain is enabled on both devices, Keychain items with the kSecAttrSynchronizable attribute set to true are automatically synced to the new device via iCloud. This includes passwords, certificates, and other secure data stored in the Keychain.
  - Items without this attribute (i.e., non-syncable items) are not synced via iCloud and require a different transfer method.
- Device-to-Device Transfer (Encrypted Backup or Direct Transfer):
  - When using iCloud Backup or iTunes/Finder encrypted backup, Keychain items (both syncable and non-syncable) are included in the encrypted backup. Restoring this backup to a new iPhone will transfer all Keychain items.
  - During a direct device-to-device transfer (e.g., using Quick Start), Keychain items are typically transferred securely as part of the process, provided the transfer is encrypted.
- Non-Syncable Items:
  - If your app’s Keychain items are not marked as synchronizable (kSecAttrSynchronizable is false or not set), they will only transfer via encrypted backups or direct device transfers. Without an encrypted backup or direct transfer, these items will not migrate.
- Edge Cases and Considerations:
  - Access Groups: If your app uses Keychain access groups (e.g., for sharing between apps), ensure the new device has the same app installed with the correct entitlements to access those items.
  - User Settings: If the user disables iCloud Keychain or does not use an encrypted backup, non-syncable items may not transfer.
  - iOS Version: Ensure both devices are running compatible iOS versions, as Keychain behavior may vary slightly with older systems.

Best Practices for Your App:
- If you want Keychain items to sync across devices, explicitly set kSecAttrSynchronizable to true when adding items with SecItemAdd.
- Inform users that enabling iCloud Keychain or using encrypted backups ensures their Keychain data is transferred.
- Test the migration process to confirm your app’s Keychain items behave as expected during device setup.
@kxdev Thanks for your reply, it is very helpful for me.
Can I understand that my app has enabled Keychain sharing in "Signing & Capabilities" and my code does not set kSecAttrSynchronizable, so the data I added using SecItemAdd will not be migrated or synced during a device-to-device transfer (e.g. using Quick Start)?
When using or …
That’s not right, or at least it’s not the full story. For more on this topic, see the table in my post here.
Can I understand that my app has enabled Keychain sharing in "signing and capabilities" and my code does not set kSecAttrSynchronizable.
You are mixing up two things:

- The Keychain Sharing capability is about sharing keychain items between apps on one device.
- iCloud Keychain is about synching keychain items between the user’s various different devices.

If you don’t set kSecAttrSynchronizable then it defaults to false, meaning that the item won’t be synched to other devices. However, it can still end up moving to a different device by:

- Encrypted backup and restore
- Quick Start

If you don’t want that, set kSecAttrAccessible to one of the ThisDeviceOnly values.
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
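The thread above names three outcomes for a SecItem entry on a new phone: it follows the user through iCloud Keychain (kSecAttrSynchronizable set to true, the best practice kxdev lists), it moves only by encrypted backup or Quick Start (the default, as Quinn describes), or it stays bound to the device (a ThisDeviceOnly accessibility value). The following Swift is an added example written for this page, not code from either poster or from Apple; it assumes an iOS app target, and the service and account strings, the MigrationPolicy enum and the function names are placeholders chosen here. It shows how each outcome is selected at SecItemAdd time, and the read-side gotcha that a synchronizable item is not returned by a query that omits kSecAttrSynchronizable.

```swift
import Foundation
import Security

/// How a generic-password item may move to another device. Example enum; the
/// three cases map onto the attributes discussed in the thread above.
enum MigrationPolicy {
    /// kSecAttrSynchronizable = true: follows the user via iCloud Keychain.
    case iCloudSynced
    /// Default: not synced by iCloud Keychain, but still travels via an
    /// encrypted backup/restore or a Quick Start device-to-device transfer.
    case backupMigratable
    /// A *ThisDeviceOnly accessibility value: never leaves this device,
    /// not even through an encrypted backup or Quick Start.
    case thisDeviceOnly
}

/// Adds (or, if it already exists, replaces) a generic-password item.
/// `service` and `account` are caller-chosen identifiers.
func storeSecret(_ secret: Data, service: String, account: String,
                 policy: MigrationPolicy) -> OSStatus {
    var attrs: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account,
        kSecValueData as String: secret,
    ]

    switch policy {
    case .iCloudSynced:
        // A synchronizable item may not use a *ThisDeviceOnly accessibility
        // value; SecItemAdd rejects that combination with errSecParam.
        attrs[kSecAttrSynchronizable as String] = true
        attrs[kSecAttrAccessible as String] = kSecAttrAccessibleAfterFirstUnlock
    case .backupMigratable:
        attrs[kSecAttrAccessible as String] = kSecAttrAccessibleAfterFirstUnlock
    case .thisDeviceOnly:
        attrs[kSecAttrAccessible as String] = kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly
    }

    var status = SecItemAdd(attrs as CFDictionary, nil)
    if status == errSecDuplicateItem {
        // Item already exists: update the secret in place. The search query
        // keeps kSecAttrSynchronizable (when set) so a synced item is found;
        // without it the search would match only non-synchronizable items.
        var query = attrs
        query.removeValue(forKey: kSecValueData as String)
        query.removeValue(forKey: kSecAttrAccessible as String)
        let update: [String: Any] = [kSecValueData as String: secret]
        status = SecItemUpdate(query as CFDictionary, update as CFDictionary)
    }
    return status
}

/// Reads the secret back. kSecAttrSynchronizableAny matches both synced and
/// non-synced items; the default (key absent) matches only non-synced ones,
/// so an iCloud-synced item would look "missing" after a migration.
func loadSecret(service: String, account: String) -> Data? {
    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account,
        kSecAttrSynchronizable as String: kSecAttrSynchronizableAny,
        kSecReturnData as String: true,
        kSecMatchLimit as String: kSecMatchLimitOne,
    ]
    var result: CFTypeRef?
    guard SecItemCopyMatching(query as CFDictionary, &result) == errSecSuccess else {
        return nil
    }
    return result as? Data
}

// Usage with constructed sample data and placeholder identifiers.
let token = Data("example-refresh-token".utf8)
let service = "com.example.myapp.session"   // placeholder service name
let account = "user@example.com"            // placeholder account name

for policy in [MigrationPolicy.iCloudSynced, .backupMigratable, .thisDeviceOnly] {
    let status = storeSecret(token, service: service,
                             account: "\(account)-\(policy)", policy: policy)
    let found = loadSecret(service: service, account: "\(account)-\(policy)") != nil
    print("\(policy): SecItemAdd status \(status), readable: \(found)")
}
```

Two points the code makes explicit: the accessibility constant and the synchronizable flag are chosen once, at SecItemAdd time, and together decide whether the item lands on the next phone; and every later SecItemCopyMatching or SecItemUpdate must say whether it wants synchronizable items, otherwise an item that did sync through iCloud Keychain is silently skipped.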