In the projects I work on it's common for Keychain p12 files, containing signing certificates & private keys, to be further encrypted before being stored in a repository.
Given the p12 file is an industry standard storage format that uses password protected encryption, I was wondering if this extra encryption step was really necessary.
One reason the extra step may have been added is that the Triple DES encryption that Keychain uses by default was not considered to be secure enough. A Google search on the topic does suggest that newer algorithms are preferred.
However, it seems unlikely that Apple would use an insecure export format in Keychain, so the general advice found online may not apply here?
I also noticed that Triple DES may be officially disallowed by NIST [800-131A Revision 2] at the end of 2023. Does that mean that Keychain will be updated before then?