How to make kSecClassGenericPassword object non-extractable on MacOS

Hello,

When I use Setup Assistant to back up from an old device to a new device, I would like to make certain keychain objects non-exportable/extractable.

I know I can make a key non-exportable/extractable on a kSecClassKey object by setting kSecKeyExtractable = NO, and I verified that my private keys that have kSecKeyExtractable set to NO don't get migrated from the backup to the new device.

Is there any way I can do the same for metadata objects, where we can make them non-exportable so they don't get moved from the backup to the new device?

Thanks,
Peter

Is there any way I can do the same for metadata objects?

I don’t know what you mean by “metadata objects” but I’m guessing that you’re talking about non-key keychain items, for example, generic passwords. If so, the extractable concept doesn’t make sense because that concept assumes a world where crypto is done in the security daemon rather than in the app. For a generic password the app has to have access to the password and thus it can never be non-extractable.

There are a couple of ways you could achieve this:
  • You could entangle your generic password with a value that’s not backed up. Thus, the generic password item might move across to the new machine but it wouldn’t be useful there.

  • You could switch to the iOS-style keychain and take advantage of the various ThisDeviceOnly values for the kSecAttrAccessible attribute.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
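The second suggestion above, the "iOS-style" keychain with a ThisDeviceOnly accessibility value, as an added example (not code from the thread or from Apple): on macOS 10.15 and later an app opts a generic password item into the data protection keychain with kSecUseDataProtectionKeychain, at which point kSecAttrAccessible is honoured and kSecAttrAccessibleWhenUnlockedThisDeviceOnly keeps the item out of backups and migration. The service and account names are illustrative.

```swift
import Foundation
import Security

/// Added example, not from the original post. Stores a generic password in
/// the data protection keychain, marked WhenUnlockedThisDeviceOnly so it is
/// neither backed up nor migrated by Setup Assistant.
enum DeviceOnlyPassword {
    static let service = "com.example.devicebound"   // assumed, illustrative name

    enum KeychainError: Error { case osStatus(OSStatus) }

    static func store(account: String, password: Data) throws {
        // Delete any existing item first so SecItemAdd does not fail with
        // errSecDuplicateItem on a second call.
        let deleteQuery: [String: Any] = [
            kSecClass as String: kSecClassGenericPassword,
            kSecUseDataProtectionKeychain as String: true,
            kSecAttrService as String: service,
            kSecAttrAccount as String: account,
        ]
        SecItemDelete(deleteQuery as CFDictionary)

        let addQuery: [String: Any] = [
            kSecClass as String: kSecClassGenericPassword,
            // macOS 10.15+: put this item in the data protection keychain,
            // the only macOS keychain that honours kSecAttrAccessible.
            kSecUseDataProtectionKeychain as String: true,
            kSecAttrService as String: service,
            kSecAttrAccount as String: account,
            kSecValueData as String: password,
            // The ...ThisDeviceOnly values exclude the item from backups
            // and from migration to another device.
            kSecAttrAccessible as String: kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
        ]
        let status = SecItemAdd(addQuery as CFDictionary, nil)
        guard status == errSecSuccess else { throw KeychainError.osStatus(status) }
    }

    static func load(account: String) throws -> Data {
        let query: [String: Any] = [
            kSecClass as String: kSecClassGenericPassword,
            kSecUseDataProtectionKeychain as String: true,
            kSecAttrService as String: service,
            kSecAttrAccount as String: account,
            kSecReturnData as String: true,
            kSecMatchLimit as String: kSecMatchLimitOne,
        ]
        var result: CFTypeRef?
        let status = SecItemCopyMatching(query as CFDictionary, &result)
        guard status == errSecSuccess, let data = result as? Data else {
            throw KeychainError.osStatus(status)
        }
        return data
    }
}

// Usage: round-trip a constructed sample password on the same machine.
do {
    try DeviceOnlyPassword.store(account: "alice", password: Data("s3cret".utf8))
    let back = try DeviceOnlyPassword.load(account: "alice")
    print(String(decoding: back, as: UTF8.self) == "s3cret" ? "round-trip ok" : "mismatch")
} catch {
    print("keychain error: \(error)")
}
```

Two caveats a practitioner will hit: the data protection keychain on macOS requires the calling program to be code signed with keychain entitlements (a bare unsigned command-line build gets errSecMissingEntitlement), and a ThisDeviceOnly item is also excluded from iCloud Keychain, so if the user's device is lost the password is gone with it and the app needs its own re-provisioning path.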