I plan to use Time Machine to back up by data.
If the backup is not encrypted, can someone with access to the TimeMachine disk access my keychain passwords? Do they at least need to know my system login password in order to be able to do this?
Mac – protecting keychain data when using Time Machine
encryptionkeychaintime-machine
Related Solutions
To answer your first question about the keychain and whether you should encrypt backups: the passwords in your keychain are already encrypted, that's why you always have to type a password (by default your login password) to show stored passwords. So there's no immediate need to encrypt.
Of course, you could add Time Machine encryption to provide a further layer of security. This is possible starting with OS X Lion and Mountain Lion (from http://support.apple.com/kb/ht1427):
OS X Lion and Mountain Lion let you encrypt the Time Machine backup external drive using FileVault 2.
FileVault2 also uses your login password, though. So if the bad guys are able to guess or crack that password, they will have also access to your keychain information. Choosing different passwords for login and for accessing your keychain would protect the keychain passwords in such an event.
Either way, use strong passwords, password quality is of foremost importance to protect your data.
EDIT:
The OP asked in a comment how to set different passwords for login and keychain. Here is how:
Open Utilities>Keychain Access.
Right click each keychain and select 'Change Password for Keychain XYZ':
If you prefer to use your current password as keychain password and change your login password, log in using another account and change your account's password from System Preferences>Users & Groups. That will only change your login password, not your keychain password.
I was having this same problem. According to discussion at this thread on Ars Technica, it’s caused by a bug in iStat Server. Are you running this?
I was, and can confirm that the work-around solution posted there of removing iStat Server and deleting the iStat Server entry in /Library/Preferences/com.apple.security.plist has worked for me. The relevant entry looks like this:
<key>DefaultKeychain</key>
<array>
<dict>
<key>DbName</key>
<string>/Library/Application Support/iStat Server/iStatServer.keychain</string>
<key>GUID</key>
<string>{87191ca3-0fc9-11d4-849a-000502b52122}</string>
<key>SubserviceType</key>
<integer>6</integer>
</dict>
</array>
Bjango, the developer of iStat Server, has further posted on the Ars Technica thread that a new version of iStat Server is now available. I have not independently verified that this addresses the problem, since the above work-around had already taken care of my issue, but their release notes say simply “Fixed a Keychain issue.” Both the new version and the release notes can easily be found at the iStat Server link above.
Related Question
- Mac – Creating encrypted disk image passphrase in Keychain, and strange GUID account
- Mac – Unlock System Keychain from Time Machine Backup
- Mac – How does encryption work when data is backed up to a NAS Time Machine backup
- Mac – Missing Disk Image password in Keychain after Time Machine restore
- Mac – Cannot enable Time Machine encrypted backups since updating to Catalina
- Mac – Double encryption when using encrypted Time Machine on MacOS Extended encrypted
Best Answer
Keychain files are password protected, your login password is required to access their content. In the file itself only passwords and the content of secure notes are encrypted so a potential attacker could at least read the URLs and the associated login names for web accounts etc.
For details about Keychain see Wikipeda and the pages referenced from there.