iCloud keychain reverting to old passwords after migration

Joined
Jan 15, 2015
Messages
4
Reaction score
0
Points
1
I recently migrated all data from an old desktop running Mavericks to a new desktop running Yosemite using a Time Machine backup and Migration Assistant. Since then, the iCloud keychain on my various devices (iPhone, iPad, laptop, new desktop) is filled with very old passwords. These old passwords are the passwords still stored in the login keychain of my old desktop, left over from before iCloud keychain existed. My guess is that when these login keychain items were first loaded onto the new computer, they were considered newer than the corresponding iCloud keychain items and so the Mac decided that the iCloud keychain items needed to be updated. Of course, I could have a completely incorrect diagnosis.

The most pressing question:

1. How do I restore my iCloud keychain to its pre-migration state? I still have the old iCloud keychain on my old Mavericks desktop (which hasn't been connected to the internet since the migration started) and, presumably, in my Time Machine backups. Is there some way for me to reload these old values into the iCloud keychain in batch?

The less pressing question:

2. What did I do wrong? Presumably many people have keychains in the same state as mine: current passwords in the iCloud keychain and older passwords in the login keychain, but Google searches haven't revealed anyone experiencing this same problem.

Thanks for any help.

David
 
Joined
Sep 30, 2007
Messages
9,962
Reaction score
1,235
Points
113
Location
The Republic of Neptune
Your Mac's Specs
2019 iMac 27"; 2020 M1 MacBook Air; macOS up-to-date... always.
1. How do I restore my iCloud keychain to its pre-migration state? I still have the old iCloud keychain on my old Mavericks desktop (which hasn't been connected to the internet since the migration started) and, presumably, in my Time Machine backups. Is there some way for me to reload these old values into the iCloud keychain in batch?

Copy them over.
Copy Keychain Logins & Passwords from One Mac to Another | OSXDaily

The less pressing question:

2. What did I do wrong? Presumably many people have keychains in the same state as mine: current passwords in the iCloud keychain and older passwords in the login keychain, but Google searches haven't revealed anyone experiencing this same problem.

When you migrated your user data and told it to include the Keychain data, you effectively said that the backup takes priority. If you had left that option unchecked, then when you signed in to iCloud, the Keychain would have synced up with the existing iCloud items. It may not have overridden the newer passwords, but rather merged them all together in one big mess. I had to go on a cleaning spree myself a year or so ago when I found numerous duplicates spread over various categories in Keychain as a result of the migration to iCloud.
 
OP
D
Thanks for taking the time to reply. Unfortunately, I don't see how I can copy over my iCloud keychain with that method. That seems to work for local keychains, like the login keychain, but there is no file called icloud.keychain in ~/Library/Keychains. There are two directories with cryptic and long alphanumeric names, only one of which occurs on my old desktop and old backups. I think that those directories correspond to the iCloud keychains (one for the old iCloud keychain that was copied over by migration assistant and one that was created on the new device) but doing the obvious things (deleting the new directory and/or replacing its contents with the contents of the old one, etc.) does not successfully restore the old iCloud keychain. And even if something like that did work, I fear that the successfully restored values would be overwritten by the undesirable values upon first sync since the undesirable values look newer: they were copied into the iCloud keychain from the login keychain when I migrated a few days ago.

What a mess!

David
 
When you open Keychain Access, you should see a "login" category, "iCloud" category, and so on, on the left side. If I'm understanding the problem here better now, it's not that you lost all the current passwords from iCloud when you restored your backup, it's that you restored old duplicates that reside under "login", dating back to before iCloud came about? In that case, start manually pruning everything that is a duplicate under "login". Tedious, yes, but I had to do exactly that for myself and my wife a while back. Down in the bottom left panel, select "All Items", then sort by name (click on the "name" column). That should put the dupes in order. Just screen them one by one and delete the older one of each, which presumably would be the one in the "login" keychain (there's a column on the right that will tell you this).
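An added example, not part of the original posts: a small parser that reads the attribute listing printed by `security dump-keychain` (run without `-d`, so no secrets are shown) and lists login-keychain entries last modified before a cutoff date, oldest first, as candidates for the manual review described above. The sample text, its account names and the cutoff date are constructed assumptions, and the parser assumes the listing layout shown in the sample.

```python
import re
from datetime import datetime, timezone

# Constructed sample in the layout of `security dump-keychain` output.
# All names and dates are made up for illustration.
SAMPLE = r'''keychain: "/Users/david/Library/Keychains/login.keychain"
class: "inet"
attributes:
    0x00000007 <blob>="mail.example.com"
    "acct"<blob>="david@example.com"
    "mdat"<timedate>=0x32303132303331303039303030305A00  "20120310090000Z\000"
    "srvr"<blob>="mail.example.com"
keychain: "/Users/david/Library/Keychains/login.keychain"
class: "genp"
attributes:
    "acct"<blob>="david"
    "mdat"<timedate>=0x32303134313230313138333030305A00  "20141201183000Z\000"
    "svce"<blob>="ExampleApp"
'''

# Assumed cutoff: replace with the date iCloud Keychain was turned on.
CUTOFF = datetime(2013, 10, 22, tzinfo=timezone.utc)

# Four-character attribute name, then the last quoted value on the line.
ATTR = re.compile(r'^\s+"(\w{4})"<\w+>=.*?"([^"]*)"\s*$')

def parse_dump(text):
    """Split the listing into one dict per keychain item."""
    items = []
    for line in text.splitlines():
        if line.startswith("keychain:"):
            items.append({"keychain": line.split('"')[1]})
        elif line.startswith("class:") and items:
            items[-1]["class"] = line.split('"')[1]
        elif items and (m := ATTR.match(line)):
            items[-1][m.group(1)] = m.group(2)
    return items

def modified(item):
    """Return the item's modification time (mdat) as UTC, or None."""
    stamp = item.get("mdat", "")[:14]
    if len(stamp) != 14 or not stamp.isdigit():
        return None
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def stale_items(items, cutoff):
    """(date, server or service, account) for items older than cutoff."""
    out = []
    for it in items:
        when = modified(it)
        if when and when < cutoff:
            name = it.get("srvr") or it.get("svce", "?")
            out.append((when.date().isoformat(), name, it.get("acct", "?")))
    return sorted(out)

if __name__ == "__main__":
    for row in stale_items(parse_dump(SAMPLE), CUTOFF):
        print(*row)
```

To run it on real data, save the output of `security dump-keychain ~/Library/Keychains/login.keychain` to a file and pass its contents to `parse_dump` in place of `SAMPLE`.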
 
OP
D
Thanks for your continued help. Sorry to have disappeared but I've been traveling and have only recently had the opportunity to get back to this unpleasant problem.

You sort of have it now, but not exactly. When I migrated the account, the old login items (from before iCloud) moved, as expected. But for some reason (perhaps because it used the migration date rather than the date those items were created on the old computer?), the computer proceeded to sync those old items to iCloud. Worse yet, it didn't just add newly dated entries to the iCloud keychain, but overwrote the existing, correct entries. So now all of my synced devices have completely lost the proper iCloud passwords.

I still have one computer with the old iCloud keychain. It is the computer I migrated from, which has been disconnected from the network since the migration.

From what I've seen online, I think it might be possible to force that iCloud keychain to overwrite the version in the cloud and my other devices. It seems to involve disconnecting my devices from iCloud, then adding back the computer with the definitive version, but failing to authenticate it with my code or another trusted device. Apparently, at that point I should be offered the option of overwriting the cloud version with the version on that computer.

Any better ideas?
 
I still have one computer with the old iCloud keychain. It is the computer I migrated from, which has been disconnected from the network since the migration.

From what I've seen online, I think it might be possible to force that iCloud keychain to overwrite the version in the cloud and my other devices. It seems to involve disconnecting my devices from iCloud, then adding back the computer with the definitive version, but failing to authenticate it with my code or another trusted device. Apparently, at that point I should be offered the option of overwriting the cloud version with the version on that computer.

Before doing anything, make a backup (or 3!) of that Keychain database! Pop a USB stick into that offline Mac and copy the contents of ~/Library/Keychains. Then insert that into one of the online Macs. Delete the contents of that same folder on that (make a backup if you think that has anything to preserve); then copy the contents off that USB stick onto that Mac. Perhaps that will get it done.
 
OP
D
Yeah, I made those backups long ago! I've also got the Time Machine backup from which I migrated in the first place. I already tried replacing the ~/Library/Keychains folder with the backup one and it doesn't work. It restores the old Login keychain (as it must) but doesn't restore the old iCloud keychain.

Inside the new ~/Library/Keychains, there are two directories with cryptic and long alphanumeric names, only one of which occurs on my old desktop and old backups. I think that those directories correspond to the iCloud keychains (one for the old iCloud keychain that was copied over by migration assistant and one that was created on the new device) but doing the obvious things (deleting the new directory and/or replacing its contents with the contents of the old one, etc.) does not successfully restore the old iCloud keychain. So I don't seem to be able to get the new machine to see the old iCloud keychain.
 
Yeah, I made those backups long ago! I've also got the Time Machine backup from which I migrated in the first place. I already tried replacing the ~/Library/Keychains folder with the backup one and it doesn't work. It restores the old Login keychain (as it must) but doesn't restore the old iCloud keychain.

Inside the new ~/Library/Keychains, there are two directories with cryptic and long alphanumeric names, only one of which occurs on my old desktop and old backups. I think that those directories correspond to the iCloud keychains (one for the old iCloud keychain that was copied over by migration assistant and one that was created on the new device) but doing the obvious things (deleting the new directory and/or replacing its contents with the contents of the old one, etc.) does not successfully restore the old iCloud keychain. So I don't seem to be able to get the new machine to see the old iCloud keychain.

Hmmmm. This is a tough one. Normally I'd recommend using the export option in Keychain Access, but that option is completely grayed out (unusable) for me, no matter what I select. That's downright odd. I'll try to research this some more and come up with a solution, but it's not looking good. You may want to call Apple to see if they have any advice. Worst case scenario... you may have to manually update everything.
 