Friday, July 14, 2017

Fixing iCloud Keychains, and Backing Them Up

Howard Oakley:

iCloud Keychain is, in the words of the cliché, wonderful when it works. And it works a great deal of the time, unless it goes wrong. Even more unfortunately, it most often goes wrong when a user tries to solve another problem, by doing something which inadvertently messes iCK up. Then they are in trouble.


But with iCK turned on, your login keychain is in iCloud, and is not something which you can access as a file, as you can a local keychain. If you use iCloud for backups, then it is specifically excluded from those backups, because Apple argues that it is already stored in iCloud, therefore doesn’t need to be backed up. Unless of course something happens to it, like all its password entries get wiped: then you’re apparently stuck, contacting iCloud support to try to recover a copy of it before disaster struck.


When you turn iCK off, the current keychain held in iCloud is downloaded to your Mac (or iOS device), and used as its local keychain. So to make a backup copy of your iCloud keychain, turn iCK off, wait a little while, and back up login.keychain-db from your ~/Library/Keychains folder. Once you have made that copy, turn iCK back on, and it should carry on where it left off.
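The backup step described in the quote above, as an added shell example that is not part of Oakley's post: it copies login.keychain-db only after the file has stopped changing, keeps the copy owner-only, and verifies it byte for byte. The function name `backup_keychain`, its arguments, and the `MIN_AGE` settle time are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the quoted post. Run it only after iCloud Keychain
# has been turned off, as the post describes.
# backup_keychain, its arguments and MIN_AGE are names assumed for this example.

MIN_AGE=${MIN_AGE:-60}   # seconds the file must have been left unmodified

# usage: backup_keychain DEST_DIR [SRC_DIR]
# prints the path of the verified copy on success
backup_keychain() {
    dest_dir=$1
    src_dir=${2:-"$HOME/Library/Keychains"}
    src="$src_dir/login.keychain-db"

    [ -n "$dest_dir" ] || { echo "usage: backup_keychain DEST_DIR [SRC_DIR]" >&2; return 1; }
    [ -f "$src" ] || { echo "no keychain file at $src" >&2; return 1; }

    # "Wait a little while": refuse a file that was written to very recently.
    # GNU stat is tried first, then the BSD/macOS form.
    mtime=$(stat -c %Y "$src" 2>/dev/null || stat -f %m "$src") || return 1
    now=$(date +%s)
    if [ $((now - mtime)) -lt "$MIN_AGE" ]; then
        echo "keychain changed $((now - mtime))s ago; wait and retry" >&2
        return 2
    fi

    # The file holds saved passwords: create the directory and copy owner-only.
    dest="$dest_dir/login.keychain-db.$(date +%Y%m%d-%H%M%S)"
    ( umask 077; mkdir -p "$dest_dir" && cp -p "$src" "$dest" ) || return 1
    chmod 600 "$dest" || return 1

    # Verify the copy; a mismatch means the source changed during the copy.
    if ! cmp -s "$src" "$dest"; then
        rm -f "$dest"
        echo "copy does not match source; retry" >&2
        return 3
    fi
    echo "$dest"
}
```

Call it as `backup_keychain /path/to/backup/dir`, then turn iCloud Keychain back on once the function has printed the path of the copy.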

