I use Touch ID to unlock my vault in Cryptomator.
If I enable the full iCloud backup of my iPhone, will the plain password for opening my vault be backed up to the Apple cloud?
Thanks in advance
If you use Touch ID, your password is stored in Apple's iCloud keychain on your phone. If you have enabled the keychain to be included in your iCloud backup, then the keychain and all its passwords are backed up into the cloud. (But of course never in plain text).
I don’t think that’s quite correct. When you use Touch ID to unlock the vaults, the passphrase is stored in the Secure Enclave, not in the iCloud Keychain.
So no, your passphrase is not going anywhere.
mhm.
I got my information from here:
There is one exception though: Cryptomator actually stores the cleartext credentials for WebDAV. But(!) the password is stored inside the iOS keychain.
Maybe I got something wrong.
Just to clarify, iOS keychain could indeed be mixed up with the iCloud Keychain. But I meant the so-called Keychain Services (software) which indeed uses the Secure Enclave (hardware).
To answer the initial question: Yes, the password will be backed up. We’re using the attribute kSecAttrAccessibleWhenUnlocked for the passwords accessible via Touch/Face ID.
Items with this attribute migrate to a new device when using encrypted backups.
Sorry to revive a message 5 years old…
Doesn’t the backup of vault password break Cryptomator’s security target? I have my encrypted files and password on the same cloud provider without explicit insight that that is what is happening.
If I remember a password locally on my iOS device, why do I have to also have that go online?
I know on MacOS when you remember locally, it stores it in login keychain, not iCloud.
Edit: Just found this apple article that says kSecAttrAccessibleWhenUnlocked is not backed up to iCloud: Keychain data protection - Apple Support
Edit x2: oops read that wrong, that applied only to the other attribute.
Yeah, we have changed that in the new iOS app. Well, it’s not that new anymore, but since you’ve revived an old thread…
We are now using kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly:
After the first unlock, the data remains accessible until the next restart. This is recommended for items that need to be accessed by background applications. Items with this attribute do not migrate to a new device. Thus, after restoring from a backup of a different device, these items will not be present.
But still, in the old app, it was also not stored in the iCloud keychain. Back then, encrypted backups were only possible via macOS if I recall correctly. I think it’s fairly new that iCloud backups are encrypted when they introduced Advanced Data Protection (I believe last year?). That’s why we didn’t think that it broke Cryptomator’s security target.
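The two accessibility classes discussed in this thread (kSecAttrAccessibleWhenUnlocked in the old app, kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly in the current one) are set on the keychain item at write time, and the difference is what you can audit. The example below is added here for illustration; it is not Cryptomator's code and makes no claim about how the app is implemented. It stores a constructed passphrase under a hypothetical service/account pair with an explicit accessibility class, then reads the item's attributes back so a developer can verify that the stored class is one of the "ThisDeviceOnly" variants that Apple documents as not migrating to another device through a backup. It targets the iOS data-protection keychain (on macOS you would additionally set kSecUseDataProtectionKeychain to get the same behaviour).

```swift
import Foundation
import Security

// Hypothetical identifiers used only for this example.
let exampleService = "example.vault.passphrase"
let exampleAccount = "vault-1"

/// Store a passphrase with an explicit kSecAttrAccessible* class.
/// Any earlier copy is removed first so the accessibility class is not
/// silently inherited from an item written by an older app version.
@discardableResult
func storePassphrase(_ passphrase: String, accessible: CFString) -> OSStatus {
    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: exampleService,
        kSecAttrAccount as String: exampleAccount,
    ]
    SecItemDelete(query as CFDictionary)

    var attrs = query
    attrs[kSecValueData as String] = Data(passphrase.utf8)
    attrs[kSecAttrAccessible as String] = accessible
    return SecItemAdd(attrs as CFDictionary, nil)
}

/// Read back the accessibility class of the stored item (the short
/// string value of the kSecAttrAccessible* constant, e.g. "cku").
func storedAccessibility() -> String? {
    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: exampleService,
        kSecAttrAccount as String: exampleAccount,
        kSecReturnAttributes as String: true,
        kSecMatchLimit as String: kSecMatchLimitOne,
    ]
    var result: CFTypeRef?
    guard SecItemCopyMatching(query as CFDictionary, &result) == errSecSuccess,
          let attrs = result as? [String: Any],
          let accessible = attrs[kSecAttrAccessible as String] as? String
    else {
        return nil
    }
    return accessible
}

/// True when the class is device-bound, i.e. Apple documents it as not
/// migrating to a new device even through an encrypted backup.
func isDeviceBound(_ accessible: String) -> Bool {
    let deviceOnly: [CFString] = [
        kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly,
        kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
        kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
    ]
    return deviceOnly.contains { ($0 as String) == accessible }
}

// Constructed passphrase for the demonstration only.
let demoPassphrase = "correct horse battery staple"

// Class used by the old app: migrates with encrypted backups.
storePassphrase(demoPassphrase, accessible: kSecAttrAccessibleWhenUnlocked)
if let a = storedAccessibility() {
    print("stored class:", a, "device-bound:", isDeviceBound(a))
}

// Class used by the current app: stays on this device.
storePassphrase(demoPassphrase, accessible: kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly)
if let a = storedAccessibility() {
    print("stored class:", a, "device-bound:", isDeviceBound(a))
}
```

The audit function is the useful part for the question raised in this thread: an app can check its own items at launch and rewrite any that still carry a migratable class from an earlier version, since changing the constant in new code does not alter items already on disk.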