How is the Private Key of a Passkey Synced?#
The private key of passkeys is securely synced across devices using
end-to-end encryption
through iCloud Keychain (on Apple devices), ensuring that the
private key is never exposed during transfer or storage. The key is encrypted on the
original device using a combination of device-specific and
iCloud Keychain data before being synced. On a new device,
this encrypted key is downloaded and decrypted within the
Secure Enclave, which ensures the key remains protected
throughout the process.
- The private key of passkeys is synced securely via iCloud Keychain using
end-to-end encryption.
- The Secure Enclave on each device ensures the private key is decrypted only on
authorized devices.
- The private key never leaves the secure environment of the Secure Enclave, maintaining
its integrity during transfer and storage.
Our explanation in this FAQ applies to Apple devices and
iCloud Keychain. Google operates in a similar ways as do
third-party password managers that sync passkeys (e.g.
KeePassXC,
1Password,
Dashlane).
To fully understand how the private key of passkeys is synced, it’s important to
understand the roles of iCloud Keychain, the Secure Enclave,
and the encryption processes involved.
Let's explain the functionality at a scenario where the user creates a passkey on their
iPhone (old device) and wants to sync this passkey to their MacBook (new device) via
iCloud Keychain.
The Private Key is Encrypted and Uploaded to the iCloud Keychain#
- The private key for your passkey is originally stored after
passkey creation in the
Secure Enclave of the iPhone.
- Before syncing, the private key is encrypted using a strong key derived from both the
iPhone and iCloud Keychain data. This encryption ensures that the private key is
protected even when stored in iCloud.
- The encrypted private key is then stored in iCloud Keychain, waiting to be accessed by
the MacBook (which is connected to your Apple account).
Become part of our Passkeys Community for updates & support.
Join
The Secure Enclave Generates a Device-Specific Key Uses For Private Key Decryption#
- Every Apple device has a Secure Enclave, a dedicated hardware component (hardware
security module - HSM) designed for cryptographic operations. The Secure Enclave is
crucial because it generates a device-specific key that is unique to each device (the
iPhone has its own device-specific key and the MacBook has its own device-specific key,
too).
- When the user signs in to iCloud on the MacBook, iCloud Keychain downloads the encrypted
private key to the MacBook. The Secure Enclave on the MacBook combines its unique,
device-specific key with the information stored in iCloud Keychain to derive the
decryption key.
- This ensures that even if the encrypted private key were intercepted, it could not be
decrypted without access to the specific Secure Enclave on the MacBook.
The Private Key is Decrypted and Makes It Usable on the New Device#
- The Secure Enclave of the MacBook decrypts the private key using its device-specific key
in combination with iCloud Keychain data. This process is entirely internal, meaning the
private key never leaves the Secure Enclave or becomes exposed.
- Once decrypted, the private key is ready for use on the MacBook, allowing seamless
authentication with your passkeys across all your Apple devices (so you can use it with
your iPhone and MacBook).
Subscribe to our Passkeys Substack for the latest news.
Subscribe
Why This Matters from a Security Point of View#
- The use of the Secure Enclave and iCloud Keychain’s
end-to-end encryption
ensures that your private key is always protected, whether at rest or in transit.
- Even if someone gains access to your iCloud account, they cannot decrypt your private
key without having physical access to one of your authorized devices.
- This level of security is critical for maintaining the integrity of your passkeys and
ensuring that your authentication processes remain safe from unauthorized access.

Schedule a call to get your free enterprise passkey assessment.
Schedule a call