iOS Backups & Device Migration

Or: I got a new iPhone. Where are my passwords?

tl;dr: When moving to a new device, use an encrypted iTunes backup to transfer as much of your keychain as possible to the new device. Some third-party apps may exclude their keychain items from backups altogether, so don’t wipe the old device until you’re sure you have a way of exporting important keys or re-authenticating your new device.

This doesn’t cover the “iCloud Keychain” service for Safari passwords. It covers the keychain contained in iCloud and iTunes backups, which is a separate store for secure items.

The iOS Security Guide explains:

[The] Backup keybag is created when an encrypted backup is made by iTunes and stored on the computer to which the device is backed up… Non-migratory keychain items remain wrapped with the UID-derived key, allowing them to be restored to the device they were originally backed up from, but rendering them inaccessible on a different device.

The UID is a unique secret burned into each single CPU, unknown to Apple or their suppliers.

If a user chooses not to encrypt an iTunes backup, the backup files are not encrypted regardless of their Data Protection class, but the keychain remains protected with a UID-derived key. This is why keychain items migrate to a new device only if a backup password is set.

So, to summarise for iTunes backups:

  • Non-migratory items never migrate to new devices (duh.)
  • Other keychain items only migrate to new devices when an iTunes backup password is set

For iCloud backups, there currently is no way for the user to set any additional encryption key or password. The keychain class keys sent to iCloud are “wrapped with a UID-derived key in the same way as an unencrypted iTunes backup”, providing a kind of hardware-dependent password.

What items are non-migratory, you ask? Apple publishes this list: iTunes backup, VPN certificates, Bluetooth keys, Apple Push Notification service token, iCloud certificates and private key, iMessage keys, Certificates and private keys installed by Configuration Profile, SIM PIN.

For third-party apps, the developer decides by choosing one of the Keychain Item Accessibility Constants. They exist in two versions: the default is “for any device”, and it can be set to “for this device only”.

The documentation states that “any device” items will only migrate for encrypted backups. This means that for iTunes backups the user has to set a password, and that for iCloud backups the items will only transfer back to the very same device, because of the UID-derived key.
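For app developers, the choice between the two versions is made per item through `kSecAttrAccessible`. The following Swift sketch is an added example, not code from the original post or from Apple: it stores an item with an explicit choice and lists the accounts whose items are bound to the current device, so an app can ask the user to export or re-authenticate before the old device is wiped. The function names and the `service` and `account` values passed in are hypothetical.

```swift
import Foundation
import Security

// Accessibility constants whose items stay bound to the originating device
// and are never restored onto different hardware.
let deviceOnlyClasses: Set<String> = [
    kSecAttrAccessibleWhenUnlockedThisDeviceOnly as String,
    kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly as String,
    kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly as String,
]

/// Store a secret, choosing explicitly whether it may migrate (hypothetical helper).
func storeSecret(_ secret: Data, service: String, account: String, deviceOnly: Bool) -> OSStatus {
    let base: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account,
    ]
    SecItemDelete(base as CFDictionary)  // replace any earlier copy of this item
    var attrs = base
    attrs[kSecValueData as String] = secret
    // "This device only" keeps the item out of a restore onto a new device;
    // the other constant lets it travel in an encrypted backup.
    attrs[kSecAttrAccessible as String] = deviceOnly
        ? kSecAttrAccessibleWhenUnlockedThisDeviceOnly
        : kSecAttrAccessibleWhenUnlocked
    return SecItemAdd(attrs as CFDictionary, nil)
}

/// Accounts of this app's generic-password items that will not reach a new device.
func deviceBoundAccounts(service: String) -> [String] {
    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecMatchLimit as String: kSecMatchLimitAll,
        kSecReturnAttributes as String: true,  // attributes only, no secret data
    ]
    var result: CFTypeRef?
    guard SecItemCopyMatching(query as CFDictionary, &result) == errSecSuccess,
          let items = result as? [[String: Any]] else { return [] }
    return items.compactMap { item in
        guard let cls = item[kSecAttrAccessible as String] as? String,
              deviceOnlyClasses.contains(cls) else { return nil }
        return item[kSecAttrAccount as String] as? String
    }
}
```

The audit only sees items in the calling app's own keychain access groups, so each app has to run its own check.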

              iTunes        iTunes                     iCloud
              unencrypted   encrypted                  n/a
same device   all           all                        all
new device    none          only non-migratory items   none

This also means that the explanation within iTunes, that “this will also back up account passwords”, is a little imprecise.
