Where are Touch ID passwords stored in the macOS Keychain?

Hi!

I’m testing storing passwords with Touch ID. I’m running a current macOS Sequoia 15.5, Cryptomator 1.17.1, and fuse-t 1.0.47.

In Cryptomator Preferences I have the box checked to store passwords with Touch ID. And in a test vault I checked the box to save the vault password. When I open the vault, I’m prompted by Touch ID, and I’m granted access to the vault. It works! Clearly the password is saved.

However, for the life of me, I can’t seem to find which entry in the macOS Keychain Access app stores the saved password. I’ve looked in all the keychains. No entry jumps out at me. Nothing has “Cryptomator” in the name, for example. Viewing entries by modification date doesn’t help either.

Can someone point me to the naming convention? I’d like to be able to eyeball this stored Cryptomator password for myself, as I can view other application passwords stored in Keychain Access.

Or perhaps I’m misunderstanding how this works? I imagine the Secure Enclave is involved here with Touch ID. But the following part of the documentation clearly states that Touch ID uses the “built-in macOS keychain”:

https://docs.cryptomator.org/desktop/password-and-recovery-key/

So I imagine something is stored in Keychain Access somewhere.

Thanks!

–Brian

I think, prove me wrong, that's the whole point.
You can't see them, because they are protected by Touch ID for this specific app's access only. Only the developer of an app can add biometrics. It would render this useless if another tool were able to access the same key from another app, circumventing Touch ID.

See also: Sharing access to keychain items among a collection of apps | Apple Developer Documentation

I believe, Cryptomator uses it correctly and just restricts availability of the secret in the keychain only to the Cryptomator app. Source code review or developer feedback would provide the source of truth.

I’m just speculating here about the implementation.

Yes, Cryptomator uses the keychain-access-group feature of the macOS keychain (the relevant source code can be found here).

I must admit that I didn’t know this either. :smile: If you switch between “macOS Keychain” and “Touch ID” in the Cryptomator preferences, you can see the entry appear/disappear in Keychain Access. I guess that’s just how it is.
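To make the appear/disappear behaviour concrete, here is an added Swift sketch (not Cryptomator's code; its real service, account and access-group strings are in the source linked above, so the ones below are placeholders) of the two storage modes the preferences toggle between. The "Touch ID" variant binds the item to the app's keychain access group and to the enrolled fingerprints via SecAccessControl, and on macOS such access-controlled items have to go into the data protection keychain, which, to my knowledge, is not what the Keychain Access app lists. The plain variant writes an ordinary generic-password item into the login keychain, which is the one you can browse.

```swift
import Foundation
import Security
import LocalAuthentication

// Added example, not the project's code. Both values are placeholders:
// the access group must match the app's keychain-access-groups entitlement.
let kService = "example.vault-password"
let kAccessGroup = "TEAMID.example.shared-items"

enum VaultSecretStore {

    /// "Touch ID" mode: item bound to the app's access group AND to the
    /// currently enrolled fingerprints. Lives in the data protection keychain.
    static func storeWithTouchID(_ secret: Data, account: String) -> OSStatus {
        var cfError: Unmanaged<CFError>?
        guard let access = SecAccessControlCreateWithFlags(
            kCFAllocatorDefault,
            kSecAttrAccessibleWhenUnlockedThisDeviceOnly, // never synced or migrated
            .biometryCurrentSet,                          // invalidated if enrolment changes
            &cfError) else {
            return errSecParam
        }
        var query = lookupQuery(account: account, touchID: true)
        SecItemDelete(query as CFDictionary)              // replace any older copy
        query[kSecAttrAccessControl as String] = access
        query[kSecValueData as String] = secret
        return SecItemAdd(query as CFDictionary, nil)
    }

    /// "macOS Keychain" mode: ordinary item in the user's login keychain,
    /// which is what Keychain Access displays.
    static func storeInLoginKeychain(_ secret: Data, account: String) -> OSStatus {
        var query = lookupQuery(account: account, touchID: false)
        SecItemDelete(query as CFDictionary)
        query[kSecValueData as String] = secret
        return SecItemAdd(query as CFDictionary, nil)
    }

    /// Reading the Touch ID item is what triggers the biometric prompt;
    /// the reason string is the text shown in that prompt.
    static func readWithTouchID(account: String, reason: String) -> Data? {
        let context = LAContext()
        context.localizedReason = reason
        var query = lookupQuery(account: account, touchID: true)
        query[kSecUseAuthenticationContext as String] = context
        query[kSecReturnData as String] = true
        query[kSecMatchLimit as String] = kSecMatchLimitOne
        var result: CFTypeRef?
        let status = SecItemCopyMatching(query as CFDictionary, &result)
        guard status == errSecSuccess else { return nil }
        return result as? Data
    }

    /// Shared lookup attributes. The Touch ID flavour adds the access group and
    /// selects the data protection keychain; the login-keychain flavour does not.
    private static func lookupQuery(account: String, touchID: Bool) -> [String: Any] {
        var query: [String: Any] = [
            kSecClass as String: kSecClassGenericPassword,
            kSecAttrService as String: kService,
            kSecAttrAccount as String: account,
        ]
        if touchID {
            query[kSecAttrAccessGroup as String] = kAccessGroup
            query[kSecUseDataProtectionKeychain as String] = true
        }
        return query
    }
}

// Usage (constructed): switching modes is a delete in one keychain and an add in the other,
// which is the appear/disappear effect seen in Keychain Access.
let secret = Data("correct horse battery staple".utf8)   // constructed sample
_ = VaultSecretStore.storeWithTouchID(secret, account: "vault-placeholder")
_ = VaultSecretStore.readWithTouchID(account: "vault-placeholder",
                                     reason: "Unlock vault")
```

Two practical checks: SecItemAdd returns errSecMissingEntitlement (-34018) if the binary is not signed with a keychain-access-groups entitlement containing kAccessGroup, so an ad-hoc script cannot reach another app's items even with the right strings, and the .biometryCurrentSet flag means the stored secret becomes unreadable (errSecItemNotFound) after fingerprints are added or removed, which is the intended failure mode rather than a bug.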

Interesting thread. Today I was trying to figure out the same, but for a different reason :slight_smile:

I want to better understand why and how the Cryptomator and KeePassXC Touch ID implementations differ. In fact, CM stores the password forever (unless the user removes it), while KPXC requires it at every restart of the app.

Are there any security benefits or pitfalls in the two implementations?

CM is for sure more user-friendly, but I don't understand whether KPXC is somehow more secure.