macOS's built-in encrypted credential store for passwords, keys, and secrets
Keychain is macOS’s native credential-storage system — an encrypted, access-controlled database that holds passwords, certificates, cryptographic keys, and app secrets on your Mac.
There are two layers worth separating. The local login Keychain lives in ~/Library/Keychains/, unlocks when you log in, and never leaves the machine; individual items are protected with access-control lists (ACLs) so one app can’t silently read another app’s secrets. iCloud Keychain is the optional sync layer: items you mark as syncable are end-to-end encrypted with keys derived from your device passcodes, then replicated through iCloud to your other Apple devices. Apple can’t read iCloud Keychain contents — the server sees ciphertext only.
For backup software, the Keychain is the right place — really the only right place — to store repository passphrases and derived encryption keys. Writing a passphrase to a plist, a config file, or an environment variable means any process running as your user can read it. The Keychain item is gated by the system, requires user consent on first access from a given binary, and is bound to the app’s code signature; swapping in a tampered binary invalidates access.
In macup, your repository passphrase is stored in the login Keychain under an ACL scoped to the signed macup daemon. When you enable the optional “sync to iCloud Keychain” recovery path, we write a second copy into the iCloud-syncable Keychain so another one of your Apple devices can unlock a restore if this Mac is gone.
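The pattern described above (a login-Keychain item for the passphrase, plus an optional iCloud-syncable copy), as an added illustration that is not macup's own code: it uses the Security framework's `SecItemAdd`/`SecItemCopyMatching`, and the service and account names are assumptions. The synced copy assumes the calling binary is signed with the iCloud Keychain entitlements, since macOS will not add a synchronizable item otherwise.

```swift
// Added example (not macup's own code): store a repository passphrase as a
// Keychain generic-password item and read it back. Service/account strings
// are assumed identifiers chosen for illustration.
import Foundation
import Security

let service = "com.example.macup.repository"   // assumption
let account = "default-repo"                   // assumption

// Write the passphrase. `synced == true` sets kSecAttrSynchronizable so the
// item is eligible for iCloud Keychain; this requires the signed binary to
// carry the keychain-access-groups / iCloud entitlements (assumed here).
func storePassphrase(_ passphrase: String, synced: Bool) -> OSStatus {
    var query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account,
        kSecAttrSynchronizable as String: synced,
        kSecValueData as String: Data(passphrase.utf8),
    ]
    // SecItemAdd creates the item's ACL with the calling signed binary as the
    // trusted application; any other binary reading it triggers a consent prompt.
    let status = SecItemAdd(query as CFDictionary, nil)
    if status == errSecDuplicateItem {
        // Update in place instead of leaving a stale second copy behind.
        query.removeValue(forKey: kSecValueData as String)
        let update = [kSecValueData as String: Data(passphrase.utf8)]
        return SecItemUpdate(query as CFDictionary, update as CFDictionary)
    }
    return status
}

// Read the passphrase back; `synced` selects the local or the iCloud copy.
func loadPassphrase(synced: Bool) -> String? {
    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account,
        kSecAttrSynchronizable as String: synced,
        kSecReturnData as String: true,
        kSecMatchLimit as String: kSecMatchLimitOne,
    ]
    var result: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &result)
    guard status == errSecSuccess, let data = result as? Data else { return nil }
    return String(decoding: data, as: UTF8.self)
}

let status = storePassphrase("constructed-sample-passphrase", synced: false)
print(status == errSecSuccess ? "stored" : "SecItemAdd failed: \(status)")
print(loadPassphrase(synced: false) ?? "no local item")
```

The local and synced copies are distinct items; a restore on another device queries with `synced: true`, and deleting one copy leaves the other in place.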