When choosing to remember passwords on macOS, I see that the passwords are stored on keychain, but only on “login” keychain, and not “iCloud”. I understand that this means my password is never synced with iCloud (meaning only local access to my computer could divulge the password).
Now, on iOS when you use Face ID, or set Unlock duration to anything except “Let iOS Decide Automatically” it needs to store a copy of my key on iOS keychain. Does iOS keychain also only store locally on my iPhone, or does it sync to iCloud by default? This would determine if I will use this feature or not.
Thanks in advance.
Wanted to follow up. To simplify: does anyone know if storing vault pass on iOS keychain means it leaves my device, i.e. syncs with iCloud?
Thank you for your reply to me in both places, Tobias 
Maybe it would be nice to mention in the UI or the learn more link that the copy of the key is stored on the local device only. It will help users feel more comfortable using the Unlock duration indefinite / Face ID features.
Thanks!
Keychain is local. Encrypted passwords go to cloud but that’s ok because the encryption key is on device, coming from Secure Enclave chip and tied to your device PIN.
Yes, the processes behind iOS Secure Enclave are pretty advanced and tied to the physical device; I never knew that.
But even so, it seems with the attribute Tobias mentioned, even that is not stored online on backups or even included in device migrations, as mentioned in https://developer.apple.com/documentation/security/ksecattraccessibleafterfirstunlockthisdeviceonly
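For readers who want to see what the attribute linked above looks like in an app, here is an added example (not part of the thread and not Cryptomator's code) that stores a keychain item as device-only on iOS and then reads its attributes back to confirm it. The service and account names are hypothetical.

```swift
import Foundation
import Security

// Hypothetical identifiers, chosen for this example only.
let service = "com.example.vault-unlock"
let account = "vault-1"

/// Stores `secret` with the "this device only" accessibility class and with
/// iCloud Keychain sync switched off for the item.
func storeDeviceOnly(_ secret: Data) -> OSStatus {
    let base: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account,
    ]
    _ = SecItemDelete(base as CFDictionary) // replace any earlier local copy

    var add = base
    add[kSecValueData as String] = secret
    // Readable after the first unlock following a reboot; the item does not
    // migrate to another device when a backup is restored there.
    add[kSecAttrAccessible as String] = kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly
    add[kSecAttrSynchronizable as String] = false
    return SecItemAdd(add as CFDictionary, nil)
}

/// Audits the stored item: true only if it is device-only and not synced.
func isDeviceOnly() -> Bool {
    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account,
        // Match the item whether or not it was stored as synchronizable.
        kSecAttrSynchronizable as String: kSecAttrSynchronizableAny,
        kSecReturnAttributes as String: true,
        kSecMatchLimit as String: kSecMatchLimitOne,
    ]
    var result: CFTypeRef?
    guard SecItemCopyMatching(query as CFDictionary, &result) == errSecSuccess,
          let attrs = result as? [String: Any] else { return false }

    let accessible = attrs[kSecAttrAccessible as String] as? String
    let synced = (attrs[kSecAttrSynchronizable as String] as? Bool) ?? false
    return accessible == (kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly as String)
        && !synced
}
```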
Thank you for your suggestion. We’ve updated the docs, see: Vault Management — Cryptomator Documentation
But I’ve noticed that we have to update the links to the docs in the iOS app. Will do that in the next update.