Closed AlessandroZ closed 6 years ago
So I cannot understand why "Keychain Access" manage to do it ?
The key stored on /var/db/SystemKey
of System Keychain is loaded on to the physical memory when OS is booted. The Keychain Access
can decrypt system keychain info though the key on physical memory. It is most like sudo
.
Another thing, does user have user key (such as the system key stored on /private/var/db/SystemKey) and where I can find it?
Thank you for your time. I was confused about the Keychain mechanism. I will take a look on the document. Have a nice day.
@n0fate, I have a question that I cannot understand.
When you open the keychain using the "Keychain Access" applicaton on a Mac, you could unlock all keychains (in my case, I have "Login", "Local Items" and "System") using your system password (of course I assume you do not change the password of the keychain after the creation).
However, using chainbreaker, I could decrypt the user keychain using the password system account, however it does not work when I try to decrypt the system keychain (whereas using the "Keychain Access" application, it works).
At contrary, it's the same problem to decrypt the system keychain, it works using the system key but this key does not work to decrypt the user keychain.
So I cannot understand why "Keychain Access" manage to do it ?
Another thing, does user have user key (such as the system key stored on
/private/var/db/SystemKey
) and where I can find it? When I see your Readme, you manage with volafox to retrieve multiple master keys from memory:And then you decrypt the user keychain using one of these key:
So I guess that there are a system key and a user key stored in two different places and both keychains are encrypted using these two different keys.
I tried to understand by myself without success so if you could help to understand this behaviour it would be awesome.
Thanks for your time !