Encrypting and Hashing Data
You typically use asymmetric encryption to send data across trust boundaries, such as one person sending another an encrypted email, and to transport a symmetric session key across an insecure channel so that the rest of the conversation can use the much faster symmetric encryption. Symmetric encryption, in turn, is what you normally use for data at rest (files on a hard drive, for example) and, keyed by such a session key, for the bulk traffic in many encrypted networking protocols.
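The session-key transport just described, as an added example (not code from the original guide), written against the Certificate, Key, and Trust Services API listed in the next section. The recipient's RSA key pair is generated in memory so nothing is written to the keychain; the 32-byte session key size and the message text are constructed for the example.

```swift
import Foundation
import Security

// Added example, not from the original guide: wrap a symmetric session key with
// the recipient's public key so it can cross an insecure channel, then show the
// framework's built-in hybrid mode that does the same thing for bulk data.

enum HybridError: Error {
    case security(CFError?)
    case unsupported(String)
    case random(Int32)
}

/// Generate an ephemeral 2048-bit RSA key pair for the "recipient".
/// kSecAttrIsPermanent = false keeps it out of the keychain.
func makeRecipientKeyPair() throws -> (privateKey: SecKey, publicKey: SecKey) {
    let attributes: [CFString: Any] = [
        kSecAttrKeyType: kSecAttrKeyTypeRSA,
        kSecAttrKeySizeInBits: 2048,
        kSecPrivateKeyAttrs: [kSecAttrIsPermanent: false],
    ]
    var error: Unmanaged<CFError>?
    guard let privateKey = SecKeyCreateRandomKey(attributes as CFDictionary, &error) else {
        throw HybridError.security(error?.takeRetainedValue())
    }
    guard let publicKey = SecKeyCopyPublicKey(privateKey) else {
        throw HybridError.unsupported("could not derive the public key")
    }
    return (privateKey, publicKey)
}

/// Draw a fresh session key from the system CSPRNG (32 bytes = AES-256).
func makeSessionKey(byteCount: Int = 32) throws -> Data {
    var key = Data(count: byteCount)
    let status = key.withUnsafeMutableBytes { buffer -> Int32 in
        SecRandomCopyBytes(kSecRandomDefault, byteCount, buffer.baseAddress!)
    }
    guard status == errSecSuccess else { throw HybridError.random(status) }
    return key
}

/// Sender: wrap the session key with RSA-OAEP (SHA-256). A 2048-bit key can
/// wrap at most 190 bytes this way, ample for a symmetric key.
func wrapSessionKey(_ sessionKey: Data, for publicKey: SecKey) throws -> Data {
    let algorithm: SecKeyAlgorithm = .rsaEncryptionOAEPSHA256
    guard SecKeyIsAlgorithmSupported(publicKey, .encrypt, algorithm) else {
        throw HybridError.unsupported("RSA-OAEP is not supported by this key")
    }
    var error: Unmanaged<CFError>?
    guard let wrapped = SecKeyCreateEncryptedData(publicKey, algorithm, sessionKey as CFData, &error) else {
        throw HybridError.security(error?.takeRetainedValue())
    }
    return wrapped as Data
}

/// Recipient: recover the session key with the private key.
func unwrapSessionKey(_ wrapped: Data, with privateKey: SecKey) throws -> Data {
    var error: Unmanaged<CFError>?
    guard let key = SecKeyCreateDecryptedData(privateKey, .rsaEncryptionOAEPSHA256, wrapped as CFData, &error) else {
        throw HybridError.security(error?.takeRetainedValue())
    }
    return key as Data
}

/// The framework can also run the whole hybrid scheme in one call: a random
/// AES-GCM key encrypts the message and RSA-OAEP wraps that key. Prefer this
/// for bulk data over hand-rolling the symmetric half.
func sealMessage(_ plaintext: Data, for publicKey: SecKey) throws -> Data {
    var error: Unmanaged<CFError>?
    guard let sealed = SecKeyCreateEncryptedData(publicKey, .rsaEncryptionOAEPSHA256AESGCM, plaintext as CFData, &error) else {
        throw HybridError.security(error?.takeRetainedValue())
    }
    return sealed as Data
}

func openMessage(_ sealed: Data, with privateKey: SecKey) throws -> Data {
    var error: Unmanaged<CFError>?
    guard let plain = SecKeyCreateDecryptedData(privateKey, .rsaEncryptionOAEPSHA256AESGCM, sealed as CFData, &error) else {
        throw HybridError.security(error?.takeRetainedValue())
    }
    return plain as Data
}

// Constructed usage: `wrapped` is what would cross the insecure channel.
let recipient = try makeRecipientKeyPair()
let sessionKey = try makeSessionKey()
let wrapped = try wrapSessionKey(sessionKey, for: recipient.publicKey)
let recovered = try unwrapSessionKey(wrapped, with: recipient.privateKey)
precondition(recovered == sessionKey, "session key must round-trip")

let message = Data("constructed sample message".utf8)
let sealed = try sealMessage(message, for: recipient.publicKey)
precondition(try openMessage(sealed, with: recipient.privateKey) == message)
```

Only the holder of the private key can recover the session key, which is the property that lets the rest of the exchange run under symmetric encryption; note that this example provides confidentiality only, and a real protocol also authenticates the sender (for instance by signing the wrapped key with the sender's own key).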
Encryption Technologies Common to macOS and iOS
macOS and iOS provide a number of encryption technologies, including:
Keychain Services. Use this API, described in Keychain Services Reference, to encrypt and store passwords, keys, and other small secrets in a special database called a keychain. Storing user secrets this way keeps them encrypted at rest and in device backups without your having to implement your own encryption algorithms or storage formats. On a Mac, you can inspect keychains with the Keychain Access app, as described in Keychain Access in Security Overview.
Certificate, Key, and Trust Services. This interface provides cryptographic support services, including functions for generating keys, encrypting and decrypting, signing and verifying, and evaluating trust in certificates. See Certificate, Key, and Trust Services Reference for details.
Cryptographic Message Syntax. Use this service to encrypt, decrypt, sign, or verify S/MIME messages. S/MIME is a standard for encrypting and signing messages, most commonly used with email. See Cryptographic Message Syntax Services Reference for more information.
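The Keychain Services item in the list above, as an added example (not code from the original guide): store, read, update, and delete a small secret as a generic-password item. The service and account names and the token values are constructed for the example. It is written for iOS; on macOS the kSecAttrAccessible attribute is only honoured for data-protection keychain items (kSecUseDataProtectionKeychain set to true, which needs the keychain-access-groups entitlement), so drop that attribute there or add that flag.

```swift
import Foundation
import Security

// Added example, not from the original guide: a minimal generic-password
// store/load/delete round trip with Keychain Services.

enum KeychainError: Error {
    case status(OSStatus)
    case unexpectedData
}

let service = "com.example.demo"   // constructed: use an identifier unique to your app
let account = "api-token"           // constructed

/// Store a secret. The *ThisDeviceOnly accessibility class keeps the item out of
/// backups that can be restored to a different device; drop that suffix if the
/// secret must follow the user to a new phone.
func storeSecret(_ secret: Data) throws {
    let item: [CFString: Any] = [
        kSecClass: kSecClassGenericPassword,
        kSecAttrService: service,
        kSecAttrAccount: account,
        kSecAttrAccessible: kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
        kSecValueData: secret,
    ]
    let status = SecItemAdd(item as CFDictionary, nil)
    if status == errSecDuplicateItem {
        // An item with this service/account already exists: update it in place.
        let match: [CFString: Any] = [
            kSecClass: kSecClassGenericPassword,
            kSecAttrService: service,
            kSecAttrAccount: account,
        ]
        let update: [CFString: Any] = [kSecValueData: secret]
        let updateStatus = SecItemUpdate(match as CFDictionary, update as CFDictionary)
        guard updateStatus == errSecSuccess else { throw KeychainError.status(updateStatus) }
        return
    }
    guard status == errSecSuccess else { throw KeychainError.status(status) }
}

/// Read the secret back; nil means no such item exists (not an error).
func loadSecret() throws -> Data? {
    let query: [CFString: Any] = [
        kSecClass: kSecClassGenericPassword,
        kSecAttrService: service,
        kSecAttrAccount: account,
        kSecReturnData: true,
        kSecMatchLimit: kSecMatchLimitOne,
    ]
    var result: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &result)
    switch status {
    case errSecSuccess:
        guard let data = result as? Data else { throw KeychainError.unexpectedData }
        return data
    case errSecItemNotFound:
        return nil
    default:
        throw KeychainError.status(status)
    }
}

/// Remove the item; a missing item is treated as already deleted.
func deleteSecret() throws {
    let query: [CFString: Any] = [
        kSecClass: kSecClassGenericPassword,
        kSecAttrService: service,
        kSecAttrAccount: account,
    ]
    let status = SecItemDelete(query as CFDictionary)
    guard status == errSecSuccess || status == errSecItemNotFound else {
        throw KeychainError.status(status)
    }
}

// Constructed usage: the second store exercises the duplicate-item update path.
try storeSecret(Data("constructed-token-1".utf8))
try storeSecret(Data("constructed-token-2".utf8))
let loaded = try loadSecret()
precondition(loaded == Data("constructed-token-2".utf8), "update must win")
try deleteSecret()
let afterDelete = try loadSecret()
precondition(afterDelete == nil, "item must be gone")
```

The SecItem functions report failures as OSStatus values rather than thrown errors, so check every call; treating errSecDuplicateItem as "update instead" and errSecItemNotFound as "absent" keeps the three common outcomes distinct from genuine failures such as errSecInteractionNotAllowed (device locked).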
Encryption Technologies Specific to macOS
macOS provides a few additional APIs for performing encryption:
Security Transforms API. Based on the concept of data flow programming, the Security Transforms API lets you construct graphs of transformations that feed into one another, transparently using Grand Central Dispatch to schedule the resulting work efficiently across multiple CPUs. As the data objects pass through the object graph, callbacks within each individual transform operate on that data, then pass it on to the transform’s output, which may be connected to the input of another transform object, and so on.
Using the built-in transforms, the Security Transforms API allows you to read files, perform symmetric encryption and decryption, perform asymmetric signing and verifying, and perform Base64 encoding. The Security Transforms API also provides support for creating custom transforms that perform other operations on data. For example, you might create a transform that byte swaps data prior to encrypting it or a transform that encodes the resulting encrypted data for transport.
For more information, see Security Transforms Reference.
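The transform graph described above, as an added example (not code from the original guide or Apple's reference): AES-256-CBC encryption whose output is connected to a Base64 encoding transform inside one group, plus the matching decrypt. The plaintext is a constructed sample; the key is generated in memory and not persisted. This is macOS-only API, and Apple has since deprecated SecTransform, so treat it as the API this section documents rather than a recommendation for new code.

```swift
import Foundation
import Security

// Added example, not from the original guide: a two-node Security Transforms
// graph (AES-CBC encrypt -> Base64 encode) and the reverse path.

enum TransformError: Error {
    case security(CFError?)
    case badOutput
}

/// Generate a 256-bit AES key as a SecKey without storing it in the keychain.
func makeAESKey() throws -> SecKey {
    let params: [CFString: Any] = [
        kSecAttrKeyType: kSecAttrKeyTypeAES,
        kSecAttrKeySizeInBits: 256,
        kSecAttrIsPermanent: false,
    ]
    var error: Unmanaged<CFError>?
    guard let key = SecKeyGenerateSymmetric(params as CFDictionary, &error) else {
        throw TransformError.security(error?.takeRetainedValue())
    }
    return key
}

/// A random 16-byte IV; it must be fresh for every message under the same key.
func makeIV() -> Data {
    var iv = Data(count: 16)
    iv.withUnsafeMutableBytes { buffer in
        _ = SecRandomCopyBytes(kSecRandomDefault, 16, buffer.baseAddress!)
    }
    return iv
}

/// Shared settings for an encrypt or decrypt transform: CBC mode, PKCS#7
/// padding, an explicit IV, and the input data.
func configure(_ transform: SecTransform, iv: Data, input: Data) throws {
    var error: Unmanaged<CFError>?
    let settings: [(CFString, CFTypeRef)] = [
        (kSecEncryptionMode, kSecModeCBCKey),
        (kSecPaddingKey, kSecPaddingPKCS7Key),
        (kSecIVKey, iv as CFData),
        (kSecTransformInputAttributeName, input as CFData),
    ]
    for (name, value) in settings {
        guard SecTransformSetAttribute(transform, name, value, &error) else {
            throw TransformError.security(error?.takeRetainedValue())
        }
    }
}

/// Build the graph encrypt -> base64 and execute the whole group at once;
/// the output of the last node is what SecTransformExecute returns.
func encryptToBase64(_ plaintext: Data, key: SecKey, iv: Data) throws -> String {
    var error: Unmanaged<CFError>?
    let encrypt = SecEncryptTransformCreate(key, &error)
    if let error = error { throw TransformError.security(error.takeRetainedValue()) }
    try configure(encrypt, iv: iv, input: plaintext)

    let encode = SecEncodeTransformCreate(kSecBase64Encoding, &error)
    if let error = error { throw TransformError.security(error.takeRetainedValue()) }

    let group = SecTransformCreateGroupTransform()
    _ = SecTransformConnectTransforms(encrypt, kSecTransformOutputAttributeName,
                                      encode, kSecTransformInputAttributeName,
                                      group, &error)
    if let error = error { throw TransformError.security(error.takeRetainedValue()) }

    let output = SecTransformExecute(group, &error)
    if let error = error { throw TransformError.security(error.takeRetainedValue()) }
    guard let encoded = output as? Data, let text = String(data: encoded, encoding: .ascii) else {
        throw TransformError.badOutput
    }
    return text
}

/// Reverse path: Foundation decodes the Base64, a single decrypt transform
/// removes the encryption and the PKCS#7 padding.
func decryptFromBase64(_ text: String, key: SecKey, iv: Data) throws -> Data {
    guard let ciphertext = Data(base64Encoded: text) else { throw TransformError.badOutput }
    var error: Unmanaged<CFError>?
    let decrypt = SecDecryptTransformCreate(key, &error)
    if let error = error { throw TransformError.security(error.takeRetainedValue()) }
    try configure(decrypt, iv: iv, input: ciphertext)
    let output = SecTransformExecute(decrypt, &error)
    if let error = error { throw TransformError.security(error.takeRetainedValue()) }
    guard let plaintext = output as? Data else { throw TransformError.badOutput }
    return plaintext
}

// Constructed usage.
let key = try makeAESKey()
let iv = makeIV()
let message = Data("constructed sample plaintext for the transform graph".utf8)
let wire = try encryptToBase64(message, key: key, iv: iv)
precondition(try decryptFromBase64(wire, key: key, iv: iv) == message, "round trip must succeed")
```

CBC with PKCS#7 padding gives confidentiality only: nothing here detects a tampered ciphertext, and padding errors from the decrypt transform must not be exposed to an attacker as a distinguishable failure. Add a MAC over the IV and ciphertext (or use an authenticated mode from a newer API) before using this pattern outside a demonstration.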
CDSA/CSSM. This open source security architecture provides a wide array of security services, including fine-grained access permissions, authentication of users' identities, encryption, and secure data storage. However, this interface is deprecated starting in macOS 10.7 and should not be used for any new apps; use the Security framework APIs described above instead.