How is the Private Key of a Passkey Synced?#
The private key of passkeys is securely synced across devices using end-to-end encryption through iCloud Keychain (on Apple devices), ensuring that the private key is never exposed during transfer or storage. The key is encrypted on the original device using a combination of device-specific and iCloud Keychain data before being synced. On a new device, this encrypted key is downloaded and decrypted within the Secure Enclave, which ensures the key remains protected throughout the process.
- The private key of passkeys is synced securely via iCloud Keychain using end-to-end encryption.
- The Secure Enclave on each device ensures the private key is decrypted only on authorized devices.
- The private key never leaves the secure environment of the Secure Enclave, maintaining its integrity during transfer and storage.
Our explanation in this FAQ applies to Apple devices and iCloud Keychain. Google operates in a similar ways as do third-party password managers that sync passkeys (e.g. KeePassXC, 1Password, Dashlane).
To fully understand how the private key of passkeys is synced, it’s important to understand the roles of iCloud Keychain, the Secure Enclave, and the encryption processes involved.
Let's explain the functionality at a scenario where the user creates a passkey on their iPhone (old device) and wants to sync this passkey to their MacBook (new device) via iCloud Keychain.
The Private Key is Encrypted and Uploaded to the iCloud Keychain#
- The private key for your passkey is originally stored after passkey creation in the Secure Enclave of the iPhone.
- Before syncing, the private key is encrypted using a strong key derived from both the iPhone and iCloud Keychain data. This encryption ensures that the private key is protected even when stored in iCloud.
- The encrypted private key is then stored in iCloud Keychain, waiting to be accessed by the MacBook (which is connected to your Apple account).
Become part of our Passkeys Community for updates and support.
Join
The Secure Enclave Generates a Device-Specific Key Uses For Private Key Decryption#
- Every Apple device has a Secure Enclave, a dedicated hardware component (hardware security module - HSM) designed for cryptographic operations. The Secure Enclave is crucial because it generates a device-specific key that is unique to each device (the iPhone has its own device-specific key and the MacBook has its own device-specific key, too).
- When the user signs in to iCloud on the MacBook, iCloud Keychain downloads the encrypted private key to the MacBook. The Secure Enclave on the MacBook combines its unique, device-specific key with the information stored in iCloud Keychain to derive the decryption key.
- This ensures that even if the encrypted private key were intercepted, it could not be decrypted without access to the specific Secure Enclave on the MacBook.
The Private Key is Decrypted and Makes It Usable on the New Device#
- The Secure Enclave of the MacBook decrypts the private key using its device-specific key in combination with iCloud Keychain data. This process is entirely internal, meaning the private key never leaves the Secure Enclave or becomes exposed.
- Once decrypted, the private key is ready for use on the MacBook, allowing seamless authentication with your passkeys across all your Apple devices (so you can use it with your iPhone and MacBook).
Subscribe to our Passkeys Substack for the latest news, insights and strategies.
Subscribe
Why This Matters from a Security Point of View#
- The use of the Secure Enclave and iCloud Keychain’s end-to-end encryption ensures that your private key is always protected, whether at rest or in transit.
- Even if someone gains access to your iCloud account, they cannot decrypt your private key without having physical access to one of your authorized devices.
- This level of security is critical for maintaining the integrity of your passkeys and ensuring that your authentication processes remain safe from unauthorized access.