{
	"id": "7bc862c1-6ad1-469e-a175-827b18b0e2b7",
	"created_at": "2026-04-06T00:17:37.36365Z",
	"updated_at": "2026-04-10T03:21:20.417922Z",
	"deleted_at": null,
	"sha1_hash": "bfce8680631b681616e6420a2233b273fd9727d9",
	"title": "A Deep Dive into Apple Keychain Decryption",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2301358,
	"plain_text": "A Deep Dive into Apple Keychain Decryption\r\nPublished: 2025-01-20 · Archived: 2026-04-05 13:13:37 UTC\r\nWhen it comes to the forensic investigation of Apple devices, a Keychain analysis is of particular importance. Not\r\nonly does Keychain contain passwords from websites and applications, but it can also provide computer forensics\r\nwith access to the same user’s other Apple devices. Let’s take a closer look.\r\nTypes of Keychains\r\nUse Cases\r\nSummary\r\nTypes of Keychains\r\nKeychain or Keychain Services is the password management system in macOS and iOS. It stores account names,\r\npasswords, private keys, certificates, sensitive application data, payment data, and secure notes. These records are\r\ndynamically linked to users’ particular login passwords so that, when they log on to a Mac device, all of their\r\nvarious accounts and passwords are made available to the operating system and select applications.\r\nThe Keychain storage is located in: \r\n~/Library/Keychains/ (and subfolders)\r\n/Library/Keychains/ \r\n/Network/Library/Keychains.\r\nThere are three types of Mac Keychains: Login Keychain, System Keychain, and Local Items (iCloud)\r\nKeychain. They can be decrypted in Passware Kit within the Password Managers | MacOS Keychain section.\r\nThe Keychain files are viewed and edited through an application called Keychain Access. There is also a\r\ncommand-line equivalent to Keychain Access: /usr/bin/security. While there is no Keychain Access utility for\r\niOS, passwords are synchronized across all of the Apple devices tied to a given iCloud account provided that the\r\nuser has enabled the iCloud Keychain option. 
When this option is enabled, synchronization of the data occurs\r\npartially, as some applications and services may set a special flag in a Keychain to prevent the transmission of the\r\ncorresponding data to iCloud.\r\nLogin Keychain\r\nThe Login Keychain is the default Keychain file that stores most of the passwords, secure notes, and other data.\r\nThe data is stored in a file named login.keychain-db (or login.keychain in macOS prior to 10.12 Sierra) located\r\nin /Users/\u003cUserName\u003e/Library/Keychains. \r\nBy default, the Login Keychain password is the same as the Mac user password. \r\nhttps://support.passware.com/hc/en-us/articles/4573379868567-A-Deep-Dive-into-Apple-Keychain-Decryption\r\nPage 1 of 8\n\nThe password recovery process for this Keychain is time-consuming, but it can be accelerated by using a GPU,\r\nreaching speeds of up to 1,200,000 passwords per second on an AMD 6900 XT.\r\nSystem Keychain \r\nThe System Keychain stores items that are accessed by the OS, such as Wi-Fi passwords, and shared among users.\r\nThe file, which is usually located in /Library/Keychains/, can be decrypted instantly if a “Master Key” file is\r\navailable (usually located in /private/var/db/SystemKey).\r\nLocal Items (iCloud) Keychain\r\nThe Local Items Keychain is used for keychain items that can be synced with iCloud Keychain. It contains\r\nencryption keys, application data, webform entries, and some iOS data synced with iCloud. It presents two files:\r\na keybag (user.kb file) and an SQLite database with encrypted records (keychain-2.db). If the iCloud\r\nsynchronization is turned on, the keychain-2.db may contain passwords from other devices as well. Passware Kit\r\nrecovers a password for the user.kb file and then decrypts the keychain-2.db database. By default, the user.kb\r\npassword is the same as the macOS user password. 
\r\nTo recover the user.kb password on a Mac without a T2 chip, Passware Kit requires the 128-bit universally unique\r\nidentifier number (UUID), which is the same as the name of the Keychain folder. Unfortunately, the password\r\nrecovery for Local Items Keychain cannot be accelerated on GPU. After the successful recovery of a password,\r\nPassware Kit extracts all records that appear readable and saves the rest of the data in a file. Strings shorter than\r\n128 symbols are considered passwords and saved to a Passwords.txt file, while json and bplist binary files are\r\nextracted as-is. Passware Kit also creates an extracted-records.json file with the complete extracted data.\r\nUse Cases\r\nIt is extremely important to analyze as many Apple devices linked to the same iCloud account as possible. A\r\ndecrypted Keychain from one device can gain entry into a device with stronger encryption, such as a Mac with a\r\nT2 chip. The following are some examples of cases in which Passware Kit facilitates the extraction of data from\r\nlocked devices. Note that instant decryption is possible only if iCloud was selected as the backup option while the\r\nencryption was enabled.\r\nIf there are no additional devices to extract the Keychain from, Passware offers a T2 Decryption Add-on to\r\ndecrypt APFS disks from Mac computers protected with an Apple T2 security chip.\r\nCase 1\r\nA MacBook Air 2017 and a Mac Pro 2019 with a T2 chip of the same iCloud account \r\nFor the MacBook Air without a T2 chip, Passware Kit decrypts or recovers a password for an APFS disk using the\r\nFull Disk Encryption | FileVault/APFS option. 
Having gained access to the Keychain folder, Passware Kit\r\nrecovers the Keychain password from a user.kb file by means of the Password Managers | MacOS Keychain |\r\nLocal Items Keychain option and then extracts the data from the Local Items Keychain. The extracted data\r\nincludes a decrypted-keychain.plist file that can serve to unlock an APFS disk on the Mac Pro with a T2 chip\r\ninstantly with the Full Disk Encryption | APFS/Mac T2 option.\r\nCase 2\r\nAn iPhone 7 Plus disabled with time-lock and a Mac Mini 2018 with a T2 chip of the same iCloud account \r\nPassware Kit Mobile recovers a passcode for the iPhone 7 and extracts the data from the device, including an iOS\r\nKeychain, saving a decrypted-keychain.plist file. With the Full Disk Encryption | APFS/Mac T2 option,\r\nPassware Kit Forensic for Mac uses the decrypted keychain to unlock an APFS disk on the Mac Mini equipped\r\nwith a T2 chip.\r\nCase 3\r\nAn iPhone 13 and a decrypted APFS image of a MacBook Pro 2017 of the same iCloud account\r\nPassword recovery for a Login Keychain, unlike the recovery of a Local Items Keychain password, can be\r\naccelerated on GPU. Therefore, the first step is to recover a login.keychain file password from the APFS image\r\nusing the Password Managers | MacOS Keychain | Keychain option. On an AMD 6900 XT, the speed is up to\r\n1,200,000 passwords per second. 
By default, the password for the Login Keychain and Local Items Keychain is\r\nthe same, so there is a high chance that recovering the Login Keychain password also provides access to the Local\r\nItems (iCloud) Keychain database and, thus, to the records in the iPhone, such as mobile Safari passwords.\r\nCase 4\r\nAn iPhone 6 and a MacBook Pro 2017 without a T2 chip of the same iCloud account\r\nPassware Kit Mobile recovers the passcode for the iPhone 6 and extracts its data, including an iOS Keychain,\r\nsaving a decrypted-keychain.plist file. Passware Kit Forensic uses the decrypted keychain to instantly decrypt\r\nthe MacBook’s APFS image with the Full Disk Encryption | APFS / Mac T2 option. This approach avoids the\r\nneed to perform a time-consuming brute-force password recovery process.\r\nSummary\r\nThe table below summarizes the decryption and password recovery options for different types of Keychain.\r\nA comprehensive forensic investigation involves the analysis of multiple devices and artifacts. Starting from the\r\nleast-secure devices (e.g., memory images, iTunes backups, and Macs without T2/M1 chip), Passware Kit extracts\r\nand decrypts a Keychain that can then be used to access data from other devices. \r\nLearn more about Passware Kit Forensic capabilities and the best practices on the Passware Knowledge Base.\r\nSource: https://support.passware.com/hc/en-us/articles/4573379868567-A-Deep-Dive-into-Apple-Keychain-Decryption",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://support.passware.com/hc/en-us/articles/4573379868567-A-Deep-Dive-into-Apple-Keychain-Decryption"
	],
	"report_names": [
		"4573379868567-A-Deep-Dive-into-Apple-Keychain-Decryption"
	],
	"threat_actors": [],
	"ts_created_at": 1775434657,
	"ts_updated_at": 1775791280,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/bfce8680631b681616e6420a2233b273fd9727d9.pdf",
		"text": "https://archive.orkl.eu/bfce8680631b681616e6420a2233b273fd9727d9.txt",
		"img": "https://archive.orkl.eu/bfce8680631b681616e6420a2233b273fd9727d9.jpg"
	}
}