Managing Keys, Certificates, and Passwords

The keychain provides storage for passwords, encryption keys, certificates, and other small pieces of data. After an app requests access to a keychain, it can store and retrieve sensitive data, confident that untrusted apps cannot access that data without explicit action by the user.

In OS X, the user is prompted for permission when an app needs to access the keychain; if the keychain is locked, the user is asked for a password to unlock it.

In iOS, an app can access only its own items in the keychain—the user is never asked for permission or for a password.

There are two recommended APIs for accessing the keychain: Certificate, Key, and Trust Services, and Keychain Services, each described in the sections that follow.

Certificate, Key, and Trust Services

Certificate, Key, and Trust Services is a C API for managing certificates, public and private keys, symmetric keys, and trust policies in iOS and OS X. You can use these services in your app to:

In OS X, functions are also available to retrieve anchor certificates and set user-specified settings for trust policies for a given certificate.

In iOS, additional functions are provided to:

Certificate, Key, and Trust Services operates on certificates that conform to the ITU-T X.509 standard, uses the keychain for storage and retrieval of certificates and keys, and uses the trust policies provided by Apple.

Because certificates are used by SSL and TLS for authentication, the Secure Transport API includes a variety of functions to manage the use of certificates and root certificates in a secure connection.

To display the contents of a certificate in an OS X user interface, you can use the SFCertificatePanel and SFCertificateView classes in the Security Objective-C API. In addition, the SFCertificateTrustPanel class displays trust decisions and lets the user edit trust decisions.

Keychain Services

In OS X and iOS, Keychain Services allows you to create keychains, add, delete, and edit keychain items, and—in OS X only—manage collections of keychains. In most cases, a keychain-aware app does not have to do any keychain management and only has to call a few functions to store or retrieve passwords.

By default, backups of iOS data are stored in cleartext, with the exception of passwords and other secrets on the keychain, which remain encrypted in the backup. It is therefore important to use the keychain to store passwords and other data (such as cookies) that are used to access secure web sites. Otherwise, this data might be compromised if an unauthorized person gains access to the backup data.
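The "few functions" a keychain-aware app needs for passwords are SecItemAdd and SecItemCopyMatching. The following Swift snippet is an added example, not code from this guide: it stores a password as a generic-password item and reads it back, marking the item so that it is readable only while the device is unlocked and is not migrated to another device when a backup is restored (the kSecAttrAccessible classes apply to the iOS keychain). The service identifier "com.example.myapp" and the account name are constructed placeholders.

```swift
import Foundation
import Security

// Constructed service identifier; a real app would use its own.
let service = "com.example.myapp"

enum KeychainError: Error {
    case unexpectedStatus(OSStatus)
}

// Attributes that identify one password item: class, service and account.
private func itemQuery(account: String) -> [CFString: Any] {
    return [
        kSecClass: kSecClassGenericPassword,
        kSecAttrService: service,
        kSecAttrAccount: account,
    ]
}

/// Store `password` for `account`, replacing any existing item so the
/// call does not fail with errSecDuplicateItem.
func storePassword(_ password: String, account: String) throws {
    var attributes = itemQuery(account: account)
    attributes[kSecValueData] = Data(password.utf8)
    // Readable only while unlocked; never restored onto a different device.
    attributes[kSecAttrAccessible] = kSecAttrAccessibleWhenUnlockedThisDeviceOnly

    SecItemDelete(itemQuery(account: account) as CFDictionary)
    let status = SecItemAdd(attributes as CFDictionary, nil)
    guard status == errSecSuccess else {
        throw KeychainError.unexpectedStatus(status)
    }
}

/// Return the stored password, or nil if no item exists for `account`.
func loadPassword(account: String) throws -> String? {
    var query = itemQuery(account: account)
    query[kSecReturnData] = true
    query[kSecMatchLimit] = kSecMatchLimitOne

    var result: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &result)
    if status == errSecItemNotFound { return nil }
    guard status == errSecSuccess, let data = result as? Data else {
        throw KeychainError.unexpectedStatus(status)
    }
    return String(decoding: data, as: UTF8.self)
}
```

Because the secret lives in the keychain rather than in a file or user defaults, it stays encrypted in an iOS backup, and the ThisDeviceOnly accessibility class keeps it from being carried to a different device along with that backup.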

To get started using Keychain Services, see Keychain Services Programming Guide and Keychain Services Reference.

In OS X, the Keychain Access application provides a user interface to the keychain. See “Keychain Access” in Security Overview for more information about this application.

To Learn More

For more information about using Keychain Services to store and retrieve secrets and certificates, read Keychain Services Programming Guide and Keychain Services Reference.

For more information about Secure Transport, read “Secure Transport.”

For more information about the certificate user interface API, read “Security Objective-C API” in Security Overview.