Convenient way to store sensitive information on Mac/iPad

The system keychain is stored in /Library/Keychains/System.keychain and the key to unlock it is stored in /var/db/SystemKey (its default file permissions are readable by root only). The location of these files is referenced in the security-checksystem script (from the security_systemkeychain source). It is even possible to test to automatic locking/unlocking of the system keychain by using

systemkeychain -vt

The keychain security framework allows non-privileged programs to make requests for information provided they are in the ACL stored within the keychain entry. Obviously if a user has root they on a system they can directly access both the file storing the system keychain and the key to unlock it, thus they do not have make requests via the security framework and are not beholden to the ACLs stored within the keychain itself.

(I didn't actually answer the original questions so let's give this another go)

How are the keys architected such that any administrative user can unlock the System Keychain?

The libsecurity keychain framework allows regular processes to interact with the system keychain in an authenticated manner using Apple's XPC interprocess communication framework (IPC).

Program A sends a request to access the system keychain information using IPC. A check is made that the requesting user is already in the wheel group and also knows the password of a user in the wheel group. Once authorization is confirmed, the privileged kcproxy daemon can be used to access material in /var/db/SystemKey, unlock the system keychain and return the requested information.

Are there cryptographic restrictions that limit what an administrative user can do with information in the System Keychain in any way?

No - an administrative user is allowed to access/change anything in the system keychain. Even if they couldn't, they could copy the underlying files to another machine on which they have complete control and just unlock/access it there.

Given an unencrypted system backup without /Users, how would you gain access to the keys in the System Keychain?

If the backup contained copies of /Library/Keychains/System.keychain and /var/db/SystemKey then I would copy them to their respective locations on a new OS X system and use systemkeychain to make the later unlock the former and dump the keychain database using security dump-keychain.

You can probably trust the average genius team (since the machine will be under the watch of many people while it is out of your possession). From a legal standpoint, you have agreed to the AppleCare Repair Service terms and conditions by signing your property and data over to Apple. For the rest of this discussion on the contract between you and Apple relating to your data, I'll focus on the English north american contract.

It lays responsibility on the person bringing in the equipment to remove all confidential or proprietary information from the system. It also lays responsibility on Apple for having "security measures, which should protect your data against unauthorized access or disclosure as well as unlawful destruction." which a lawyer will focus on should which is more binding than may but less binding than shall/must. It continues with

You will be responsible for the instructions you give to Apple regarding the processing of data, and Apple will seek to comply with those instructions as reasonably necessary for the performance of the service and support obligations under the Plan. If you do not agree with the above or if you have questions regarding how your data may be impacted by being processed in this way, contact Apple at the telephone numbers provided.

But why not be a bit skeptical and ask why you might trust them. Sure they are probably trained to protect personal data of customers and respect privacy and there is social pressure to not be a jerk with your personal data.

Some devices (iPhones, iPads, Air and retina MacBook) require advanced skills and potentially damage to the equipment to remove the storage module, so this is something worth exploring a bit as not everyone can simply pop out the hard drive during service like older MacBooks allowed.

I would say never give your password until you understand why it is being used and you are fully informed and willing to take that risk by disclosing your secret. I would also say, when I choose to not entrust a specific password, that I've done one of four things when I have something in for service that was in the category of data requiring more protection than none.

• Wipe the drive - if things are truly sensitive - I have no business saving time by not securely wiping all data that's sensitive before it leaves my control. (or paying for a higher level of service to ensure confidentiality)
• Change the password to either my account or my keychain.
• Make a new temporary account for the testing and give that. Sometimes I give them admin rights - other times I do not.
• Give them a cell phone number and permission to call me 24/7 if they need the password and can explain why it's needed at that point of the repair.

Basically, If you hand your computer to Apple - you are handing it to someone with the tools and help to bypass all passwords(including firmware and normal physical security of the case) and read the data from the hard drive or just take the storage and keep it. Unless you have FileVault or other encryption (like 1Password) and withhold that pass phrase. A technician could if they wanted, make a full copy of your data and perhaps even go snooping. I would ask the genius (or technician) to help educate you to how security works before you proceed with this repair.

If you had a few extra-secret files, you cold put them into encrypted disc images.

There are many repairs where a password is needed to complete the service if your service involves software changes. Normally, this password is asked for to speed up the repair for you and let them replace any and all parts needed to complete the repair. If they are in and find you need a new motherboard, they could just do that if you give them the extra permission and password they need to do all possible work without stopping to contact you and explain what/why.

In your case, I would simply say you'd like to know a bit more about how they secure your password and your data during service. I would bet that the person asking for your password was lulled by the 100th time they've checked in a machine and forgot to ask you if you had any questions or perhaps missed your uneasiness about what was being asked. Once you've made your concern concrete by asking why they need it - you can then say you'd feel better not giving it and ask if that will either delay or prevent the repair. Any shop I trust will spend time to address these concerns to your satisfaction before they would accept your password. They would also lay out for you how to secure things again after the repair - change these three passwords, etc...

As a class, my opinion and experience is that Apple service technicians are highly professional, trained on privacy of your equipment and information and have thought out very well what, how and why they ask for someone's password. But even if bad things have never happened despite good training and policy, mistakes can and will happen in returning the wrong laptop or theft and your data is at risk when in the shop.

It is you in the end who have the right (and responsibility) to be a little suspicious - especially when it's not clear how your password will be used during a repair. The clearer you can be with your concerns - the more comfortable you will be with your choice to trust the specific team you interact with on a case-by-case basis.