icloud #542
Comments
|
No it's not, private keys are not even available to macOS, let alone be exported. |
|
I understand there are security tradeoffs here, but if the user were to opt in, would specifying kSecAttrSynchronizable be straightforward? |
|
@aschw theoretically someone could build a Secretive-like app that uses iCloud Keychain for key storage instead of the Secure Enclave – setting This is pretty explicitly contradictory to the purpose of this project though – this project is built around the Secure Enclave and its associated security guarantees, so we probably won't be pursuing it here. |
maxgoedjen
added
won't fix
|
I recognize the importance of the Secure Enclave’s role in this project and its significant security benefits. However, transitioning to a new macOS device under the current setup can be notably burdensome, primarily because users need to track down all the uses of their old public key and update them. Enabling kSecAttrSynchronizable for keys in the Secure Enclave may reduce their security attributes, but compromising these keys would still require overcoming robust security measures—specifically, breaching the Secure Enclave itself or obtaining the user's iCloud credentials and successfully adding a new device to their iCloud account, which involves additional verification steps. The Secure Enclave remains crucial to each signing operation, ensuring that keys stay secure even if an attacker obtains an unencrypted copy of the Mac's hard drive[1]. The evolution of WebAuthn and Passkeys in Safari echoes this situation. With the release of Safari 14, WebAuthn platform authenticators like Face ID or Touch ID were introduced without iCloud sync capability. It was only in Safari 15 that Passkeys, which synchronize with the iCloud Keychain, were made available. This shift towards integrating user-friendly features without fully compromising security has been well-received as a positive development. Many users of Secretive are likely using iCloud-synchronized Passkeys and would appreciate similar features for ease of device migration and backup in the Secretive project, especially when replacing a lost device or transitioning to a new one. |
|
@aschw interesting link – I'm not... 100% confident that what that article is describing is accurate (at least for third party apps), but I'm also not 100% I'm correct here either ;)
I'm not positive I agree with their reading of this statement – what this is describing, as far as I can tell, is how general synchronizable items in the keychain behave, not SEP-backed ones specifically. That being said, I'm not sure how to reconcile the source code they linked with my understanding of the current limitations of the SEP – my understanding was that iCloud Keychain keys were in the data protection keychain but not processed by the SEP itself. It's possible that code they linked is an artifact of a previous beta incarnation of passkeys where that was (iirc) the case. Apple's security guide itself does not mentioned the SEP at all when discussion passkeys: https://support.apple.com/en-us/102195 Anyway, I'll poke around this a little more. |
|
Admittedly my disassembly reading is very weak so I could be wrong here, but I think they might have misread that assembly as a pure "add the sync key" when it actually reassigns the attributes dict to a new object without that key.
in the |
|
I'm definitely out of my depth, but this is worth a look: I might be looking in the wrong place, but it looks like kSecAttrSynchronizable is discussed right next to kSecAttrTokenIDSecureEnclave without any discussion of them being mutually exclusive. |
|
Is it worth reopening the issue? |
|
Just for experimentation's sake, I did try this and it didn't appear to sync (I'm surprised it allowed creation at all without throwing an error tbh): |
|
I’d also expect it to either work or throw an error… Out of curiosity, did you try specifying kSecAttrSynchronizable and not kSecAttrTokenIDSecureEnclave to ensure that configuration syncs? |
|
FYI, for what it is worth, I recently "reset" an Apple Silicon Mac running macOS Sonoma and then "migrated" from a SuperDuper! backup and all my Secretive private keys were migrated/preserved. So somehow, the private keys were exported from the Secure Enclave and restored via Migration or the "Reset" didn't correctly erase the Secure Enclave. I believe the case is the former and not the later and therefore, then "syncing" may work if implemented correctly. |
This seems unlikely. For example, a few weeks ago, I migrated from an M1 Macbook Air to an M3 Macbook Air, and all of my Secretive private keys disappeared. If you believe your experience accurately reflects how the migration process preserves data within the Secure Enclave, it might be best to open a separate issue to discuss this, as it isn't directly relevant to the current discussion. This will help keep the focus here while properly addressing your observations. The scenario you describe is not particularly relevant to the interplay between kSecAttrSynchronizable and kSecAttrTokenIDSecureEnclave. |
@maxgoedjen There seems to be some configuration needed in the Apple developer portal. For example: https://developer.apple.com/help/account/manage-identifiers/enable-app-capabilities/ |
I'm curious -- does the app have the relevant iCloud permissions? That could be the issue. Also, did you try specifying kSecAttrSynchronizable and not kSecAttrTokenIDSecureEnclave to ensure that configuration syncs? Sorry to ask you to keep trying. I'd happily fork the code and try this out myself, but I'm not set up as an apple developer, so I think it'd be a pretty heavy lift just to get started. |
|
@maxgoedjen can you reopen this issue? |
Is it possible to synchronize Secretive's 256-bit EC keys to iCloud keychain? Doing so might provide a backup option and make it easier to migrate to new machines.
The text was updated successfully, but these errors were encountered: