5.19 Create specialized keychains for different purposes

Information

The keychain is a secure database store for passwords and certificates and is created for each user account on macOS. The system software itself uses keychains for secure storage. Users can create more than one keychain to protect various passwords separately.

Rationale:

If the user can logically split password and other entries into different keychains with different passwords, a compromise of one password will have limited effect.

Impact:

Using multiple keychains can be inconvenient. It is also not necessarily possible for all kinds of data, such as Safari auto-fill information, to be stored in secondary keychains. Not all keychain-aware applications may provide an interface to choose secondary keychains.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Open Utilities

Select Keychain Access

Select File

Select New Keychain

Input name of new keychain next to Save As

Select Create

Drag and drop desired keychain items into new keychain from login keychain

Additional Information:

One useful separation of keychains might be in a business environment. Personal information might be stored in one keychain and business information in a different keychain.

See Also

https://workbench.cisecurity.org/files/3092

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5(1), CSCv7|4.4

Plugin: Unix

Control ID: 9f39ee4222740281b0c1fb8ab697e2df673fef724a502c80cf0708e3704eb3c3