{"id":46509,"date":"2025-01-23T15:29:25","date_gmt":"2025-01-23T20:29:25","guid":{"rendered":"https:\/\/mjtsai.com\/blog\/?p=46509"},"modified":"2025-01-23T15:29:25","modified_gmt":"2025-01-23T20:29:25","slug":"ios-and-icloud-keychain-are-hostile-to-backups","status":"publish","type":"post","link":"https:\/\/mjtsai.com\/blog\/2025\/01\/23\/ios-and-icloud-keychain-are-hostile-to-backups\/","title":{"rendered":"iOS and iCloud Keychain Are Hostile to Backups"},"content":{"rendered":"

Jeff Johnson<\/a> (Mastodon<\/a>):<\/p>\n

\n

In my view, a useful backup system must be (1) chronological, (2) granular, and (3) redundant.<\/p>\n<\/blockquote>\n

It seems like iOS iCloud backups provide none of these. I thought iCloud Backup used to store multiple backups for each device, and that I could delete older ones to free up space, but now when I go into the settings I don’t see a list of backups, just the date of the “Last Backup.”<\/p>\n

The backups are not granular. There’s no way to restore the data for a single app.<\/p>\n

Maybe the underlying AWS or Azure storage is geographically redundant, but the most important data like photos and messages aren’t even stored by the backup system. There’s just a single copy of the current data. For most people, the data doesn’t all fit on device so there’s no redundancy that way, either.<\/p>\n\n

iCloud Keychain stores only one version of your passwords, the latest version, so it’s not chronological. You can’t extract a single password from iCloud Keychain without restoring—that is, overwriting—every password, so it’s not granular. And the only way you can restore your iCloud Keychain passwords is via Apple’s online iCloud service, so it’s not redundant. If you lose access to iCloud for some reason, such as an internet outage or an account lockout, or if your iCloud Keychain data becomes corrupted in some way—which happens!—then you’re left with no alternative backup.<\/p>

I think the fairest way to characterize iCloud Keychain is not as a backup system but rather as a sync system.<\/p>

[…]<\/p>

Contrast iCloud Keychain to the login keychain on your Mac. The login keychain is relatively friendly to backup systems. It consists of a single file on disk that can be copied to other disks and read by the Keychain Access app on any<\/em> Mac, as long as you know the login password. And you can copy individual keychain entries—a password, secure note, key, or certificate—from one keychain to another keychain, using standard copy and paste.<\/p><\/blockquote>\n\n

I use iCloud Keychain with Safari AutoFill because it’s so convenient. But, because I have so little control over it, I don’t use it as the primary storage for any of my passwords. It is<\/em> the only storage for my passkeys, since PasswordWallet doesn’t support them. Hopefully, there will be more tools for this as credential exchange gets implemented.<\/p>\n\n

You can still view your old secure notes in your keychain, but you can’t create new secure notes. Apple wants you to use the Notes app instead. This is extremely inconvenient, for several reasons. I want to manage all of my passwords and secure notes in one place. I need proper backups, but Notes app appears to suffer from the same hostility to backups as Passwords app. And for some reason, unlike the login keychain, locked Notes can’t be locked with your login password unless you enable iCloud Keychain.<\/p><\/blockquote>\n\n

Previously:<\/p>\n