How is the Private Key of a Passkey Synced?

The private key of passkeys is securely synced across devices using end-to-end encryption through iCloud Keychain (on Apple devices), ensuring that the plaintext private key is never exposed during transfer or storage. The key is wrapped (encrypted) on the original device using a combination of device-specific and iCloud Keychain data before being synced. On a new device, this encrypted key is downloaded and reconstructed within the Secure Enclave, which ensures the key material remains protected throughout the process.

Our explanation in this FAQ applies to Apple devices and iCloud Keychain. Google operates in similar ways with Google Password Manager, as do cloud-based third-party password managers that provide integrated passkey sync (e.g. 1Password, Dashlane). Note: KeePassXC stores passkeys in a local database and relies on user-managed file synchronization rather than providing integrated cloud sync.

---

To fully understand how the private key of passkeys is synced, it’s important to understand the roles of iCloud Keychain, the Secure Enclave, and the encryption processes involved.

Let's explain the functionality at a scenario where the user creates a passkey on their iPhone (old device) and wants to sync this passkey to their MacBook (new device) via iCloud Keychain.

• The private key for your passkey is originally stored after passkey creation in the Secure Enclave of the iPhone.
• Before syncing, the private key is encrypted using a strong key derived from both the iPhone and iCloud Keychain data. This encryption ensures that the private key is protected even when stored in iCloud.
• The encrypted private key is then stored in iCloud Keychain, waiting to be accessed by the MacBook (which is connected to your Apple account).

• Every Apple device has a Secure Enclave, a dedicated hardware component (hardware security module - HSM) designed for cryptographic operations. The Secure Enclave is crucial because it generates a device-specific key that is unique to each device (the iPhone has its own device-specific key and the MacBook has its own device-specific key, too).
• When the user signs in to iCloud on the MacBook, iCloud Keychain downloads the encrypted private key to the MacBook. The Secure Enclave on the MacBook combines its unique, device-specific key with the information stored in iCloud Keychain to derive the decryption key.
• This ensures that even if the encrypted private key were intercepted, it could not be decrypted without access to the specific Secure Enclave on the MacBook.

• The Secure Enclave of the MacBook reconstructs and decrypts the private key using its device-specific key in combination with iCloud Keychain data. This process is entirely internal, meaning the plaintext private key is never exposed—the wrapped key material is transferred via iCloud, then securely reconstructed in the Secure Enclave.
• Once reconstructed, the private key is ready for use on the MacBook, allowing seamless authentication with your passkeys across all your Apple devices (so you can use it with your iPhone and MacBook).

• The use of the Secure Enclave and iCloud Keychain’s end-to-end encryption ensures that your private key is always protected, whether at rest or in transit.
• Even if someone gains access to your iCloud account, they cannot decrypt your private key without having physical access to one of your authorized devices.
• This level of security is critical for maintaining the integrity of your passkeys and ensuring that your authentication processes remain safe from unauthorized access.

---