When you set up macup on a new Mac signed in to the same Apple ID as an existing one, macup can find your encryption key already synchronised through iCloud Keychain and unlock your snapshots without you having to type your passphrase or recovery code. This is the fastest path back from a stolen, lost, or replaced Mac — but it’s never the only path, and that distinction matters.
What gets stored in iCloud Keychain
A single item, written to the user’s iCloud Keychain at first-run on the source Mac:
- Service: app.macup.dek
- Account: the macup account email
- Generic password: a copy of your wrapped Data Encryption Key (DEK)
The key is wrapped with a per-account secret derived locally — Apple syncs it across your devices through the same end-to-end-encrypted Keychain channel that handles your Safari passwords and Wi-Fi creds. Apple cannot read it. macup cannot read it. Only a Mac signed in to your Apple ID with iCloud Keychain enabled can unwrap it.
What this is not
- Not a substitute for your passphrase. Your passphrase is the canonical recovery factor and is what you’ll use whenever iCloud Keychain isn’t available — old Mac, different Apple ID, sign-out/in, family member’s machine.
- Not a substitute for your recovery code. Your 24-word recovery code is the canonical “I forgot my passphrase” path. It exists exactly so that a single forgotten password doesn’t strand you. Save it in a password manager and a second offline location. See Recover a lost encryption key.
- Not enabled silently. macup asks before writing to iCloud Keychain at first-run, and you can opt out then or remove the entry later from macup > Preferences > Account > iCloud Keychain.
What it is good for
The “I got a new Mac” flow. You unbox the new machine, sign in to your Apple ID, install macup, sign in to your macup account — and macup detects the synchronised DEK in iCloud Keychain, asks you to confirm, and unlocks your snapshots. No typing required, no risk of a typo, no need to dig out the recovery code from your fireproof safe. We’ve seen this take users from “I just dropped my MacBook in a pool” to “everything’s restoring” in under five minutes.
The full new-Mac walkthrough lives in I got a new Mac.
When it’s not available
A few common cases where iCloud Keychain won’t recover your key, and what to do instead:
- iCloud Keychain is off on the new Mac. Turn it on in System Settings → Apple ID → iCloud → Passwords & Keychain. If you don’t want it on for general use, that’s fine — use your passphrase or recovery code instead.
- The Mac is signed into a different Apple ID (work vs personal, family member’s machine, second account). iCloud Keychain only syncs within an Apple ID. Use your passphrase or recovery code.
- You disabled iCloud Keychain during setup on the source Mac. The key was never written. Use your passphrase or recovery code on the new Mac. (You can opt back in later — a re-enable on the source machine syncs the key forward.)
- iCloud Keychain is still syncing. The first sync after enabling can take a few minutes; macup polls every 30 seconds while you wait. If it’s been more than 10 minutes, fall back to the passphrase or recovery code rather than waiting indefinitely — those work right now.
How macup balances the trade-off
iCloud Keychain integration is a quality-of-life feature on top of an explicitly verifiable recovery model. The two paths we guarantee in v1 — passphrase and recovery code — both let you prove your key works without spending it. iCloud Keychain is additive: it’s faster when it works and silently absent when it doesn’t, but it never replaces the canonical paths. If Apple changes how Keychain sync behaves, if you change Apple IDs, if you decide you don’t trust Keychain — your backups are still recoverable.
That asymmetry is intentional. We never want a single dependency between you and your data, and Apple’s Keychain is one of the better dependencies you can have, but it’s still a dependency. The passphrase and recovery code are not.
Removing the synchronised key
If you’ve decided you don’t want macup’s DEK in iCloud Keychain — say, before handing a Mac to someone else, or if your trust model changes — you can remove it from macup > Preferences > Account > iCloud Keychain > Remove from Keychain. The local wrapped key on each Mac running macup is unaffected; only the synchronised copy goes. Re-enabling later writes a fresh synchronised copy.
If your only goal is to leave the account on this particular Mac, the right tool is Sign out of macup (Preferences > Account > Sign out) or uninstalling it (see Uninstall macup). Both clean up the local Keychain entry on the way out.