How is the Private Key of a Passkey Synced?
Learn how private keys of passkeys is securely synced across devices using iCloud Keychain and the Secure Enclave, ensuring high-level encryption and security.
How is the Private Key of a Passkey Synced?#
The private key of passkeys is securely synced across devices using end-to-end encryption through iCloud Keychain (on Apple devices), ensuring that the plaintext private key is never exposed during transfer or storage. The key is wrapped (encrypted) on the original device using a combination of device-specific and iCloud Keychain data before being synced. On a new device, this encrypted key is downloaded and reconstructed within the Secure Enclave, which ensures the key material remains protected throughout the process.
- The private key of passkeys is synced securely via iCloud Keychain using end-to-end encryption.
- For synced passkeys, the private key is wrapped (encrypted) and exported from the Secure Enclave for cloud backup, then reconstructed on authorized devices.
- The Secure Enclave on each device ensures the private key material is protected during wrapping, transfer, and reconstruction—the plaintext private key is never exposed during sync, but wrapped key material is transferred via iCloud to enable multi-device use.
Our explanation in this FAQ applies to Apple devices and iCloud Keychain. Google operates in similar ways with Google Password Manager, as do cloud-based third-party password managers that provide integrated passkey sync (e.g. 1Password, Dashlane). Note: KeePassXC stores passkeys in a local database and relies on user-managed file synchronization rather than providing integrated cloud sync.
To fully understand how the private key of passkeys is synced, it’s important to understand the roles of iCloud Keychain, the Secure Enclave, and the encryption processes involved.
Let's explain the functionality at a scenario where the user creates a passkey on their iPhone (old device) and wants to sync this passkey to their MacBook (new device) via iCloud Keychain.
The Private Key is Encrypted and Uploaded to the iCloud Keychain#
- The private key for your passkey is originally stored after passkey creation in the Secure Enclave of the iPhone.
- Before syncing, the private key is encrypted using a strong key derived from both the iPhone and iCloud Keychain data. This encryption ensures that the private key is protected even when stored in iCloud.
- The encrypted private key is then stored in iCloud Keychain, waiting to be accessed by the MacBook (which is connected to your Apple account).
The Secure Enclave Generates a Device-Specific Key Uses For Private Key Decryption#
- Every Apple device has a Secure Enclave, a dedicated hardware component (hardware security module - HSM) designed for cryptographic operations. The Secure Enclave is crucial because it generates a device-specific key that is unique to each device (the iPhone has its own device-specific key and the MacBook has its own device-specific key, too).
- When the user signs in to iCloud on the MacBook, iCloud Keychain downloads the encrypted private key to the MacBook. The Secure Enclave on the MacBook combines its unique, device-specific key with the information stored in iCloud Keychain to derive the decryption key.
- This ensures that even if the encrypted private key were intercepted, it could not be decrypted without access to the specific Secure Enclave on the MacBook.
The Private Key is Decrypted and Makes It Usable on the New Device#
- The Secure Enclave of the MacBook reconstructs and decrypts the private key using its device-specific key in combination with iCloud Keychain data. This process is entirely internal, meaning the plaintext private key is never exposed—the wrapped key material is transferred via iCloud, then securely reconstructed in the Secure Enclave.
- Once reconstructed, the private key is ready for use on the MacBook, allowing seamless authentication with your passkeys across all your Apple devices (so you can use it with your iPhone and MacBook).
Subscribe to our Passkeys Substack for the latest news.
Why This Matters from a Security Point of View#
- The use of the Secure Enclave and iCloud Keychain’s end-to-end encryption ensures that your private key is always protected, whether at rest or in transit.
- Even if someone gains access to your iCloud account, they cannot decrypt your private key without having physical access to one of your authorized devices.
- This level of security is critical for maintaining the integrity of your passkeys and ensuring that your authentication processes remain safe from unauthorized access.
About Corbado
Corbado is the Passkey Intelligence Platform for CIAM teams running consumer authentication at scale. We help you see what IDP logs and generic analytics tools can't: which devices, OS versions, browsers and credential managers support passkeys, why enrollments don't turn into logins, where the WebAuthn flow fails and when an OS / browser update silently breaks login, all without replacing Okta, Auth0, Ping, Cognito or your in-house IDP. Two products: Corbado Observe layers observability for passkeys and any other login method. Corbado Connect adds managed passkeys with analytics built in (alongside your IDP). VicRoads runs passkeys for 5M+ users with Corbado (+80% passkey activation). Talk to a Passkey Expert →
Share this article
Table of Contents
Related FAQs
Related Terms
Related Articles
