Best way to transfer Keychain from Monterey to Sonoma when doing clean install?

[theorist9]

I'm having issues with my 2019 27" i9 iMac running Monterey 12.7.1. Apple Support agreed the best approach would be to do a complete disk wipe, install Sonoma, and then install my applications from scratch (i.e., a clean install, rather than using Migration Assistant, which would bring over all my old cruft).

I don't mind reinstalling the apps, but I'm not willing to manually reconfigure my Keychain and Safari Bookmarks. The Bookmarks are easily handled by exporting them in the current OS, saving the file, and then importing them when on the new OS.

But the Keychain is trickier. Apple Support says to do the following:

1) From ~Library/Keychains, select the keychains you want, copying each into a separate folder. They add that "Keychain files typically end with .keychain-db"
2) Copy this folder over to the new OS
3) On the new OS, open the Keychain Access app.
4) "Add each copied keychain one by one by choosing File > Add Keychain, selecting your keychain, then clicking Add."

Source:

Copy keychains to another Mac

Use Keychain Access on your Mac to transfer your keychains to another Mac.

support.apple.com

So is it as simple as copying over all and only those files that end with .keychain-db?

I.e., can I ignore files ending with: keychain-2-db, keychain-2.db-shm, keychain-s.db-wal, analytics.db, analytics.db-shm, analytics.db-wal, and keychain-db.sb-[bunch of nos. and letters]?

I spoke to a very experienced Apple Senior Advisor, and he recommended against following Apple's procedure, since he said I could lose a lot of the certificates for my apps if I did that, so I'd need to reauthorize them.

He suggested this as an alternative: After the disk wipe, install Monterey instead of Sonoma. Then copy over the entire Keychains folder. Then upgrade to Sonoma (which will reconfigure the Keychains to Sonoma's standard). But he acknowledged this wouldn't be as clean as installing Sonoma directly.

Thoughts? I'm inclined to try going directly to Sonoma and following the AS Support directions, copying over just the .keychain-db files, to see if that works. If not, I can wipe again and try it his way.

 

[haralds]

How about sync via iCloud?

 

[theorist9]

How about sync via iCloud?

That's a good question—I'm confused about that myself. The Apple Support article says this:

"Note: You can’t copy passwords stored in your Local Items or iCloud Keychain. To transfer these keychain items to another computer, set up iCloud Keychain on the other computer using your iCloud user name (normally your Apple ID) and password. You can manually copy keychains other than Local Items or iCloud Keychains to another Mac using the steps below."

Does this indicate there are two categories of Keychains: (1) Local Items + iCloud Keychain; and (2) everything else—where #1 is transferred using iCloud sync, but #2 isn't, and thus needs to be copied manually?

Or does it just mean that, if you do an iCloud sync on the original OS, that puts all your Keychains in iCloud, enabling you to transfer them all over using iCloud sync onto the new OS? [Or if that's not the case, how do you determine which .keychain-db files in your Keychain folder aren't included in the sync, and thus need to be transferred manually?]

 

[haralds]

Well, if you have the iCloud Keychain sync enabled, you can look in Keychain Access to see, what is where.
I have been bringing up a lot of systems around here and find I have to enter few passwords anew.

 

[auxbuss]

Does this indicate there are two categories of Keychains: (1) Local Items + iCloud Keychain; and (2) everything else?

Kind of.

If you look in Keychain Access, you'll find two entries in the Default Keychain: login and iCloud. iCloud syncs as you'd expect. It'll sync to all devices using that iCloud account (including iPhone). The login entry mostly contains Apple stuff, and things local to that machine: things like passwords for encrypted drives, secure notes, etc. It's worth going through the login entry's items to make sure there's nothing there you don't wish to lose, and if necessary, move them from login to iCloud.

 

[MacTiki]

So is it as simple as copying over all and only those files that end with .keychain-db?

I, like many others, hate when threads looking for assistance are started and then just fade off into the ether without providing a solution, resolution or conclusion.

What was your outcome? Did you come up with a solution? If so what did you do to copy the keychain(s)?

 

[gank41]

I would honestly just try relying on iCloud for syncing Passwords. Make sure you've got a good Time Machine backup first, and that you're currently signed into iCloud so that things are syncing to begin with, and then try a clean install and sign in with iCloud during setup. I've relied on iCloud for my Passwords for years now across macOS, iOS, and iPadOS. But, I have read various horror stories about people losing data.. Again, make sure you've got a Time Machine backup you can restore back to if needed.

 

[MacTiki]

I have read various horror stories about people losing data

Dealing with enough nightmares that I don't need to tempt fate and invite Murphy to the party.

 

[gank41]

Dealing with enough nightmares that I don't need to tempt fate and invite Murphy to the party.

Yup! That's why having a Time Machine backup you can revert to is ideal. But, you sign into iCloud during the OS setup process, so it's one of the initial settings already in place once you get to your Desktop initially.

 

[theorist9]

I, like many others, hate when threads looking for assistance are started and then just fade off into the ether without providing a solution, resolution or conclusion.

What was your outcome? Did you come up with a solution? If so what did you do to copy the keychain(s)?

I had some urgent work that required I keep my system as is, but will be doing this soon and keep you updated.

 

[theorist9]

Kind of.

If you look in Keychain Access, you'll find two entries in the Default Keychain: login and iCloud. iCloud syncs as you'd expect. It'll sync to all devices using that iCloud account (including iPhone). The login entry mostly contains Apple stuff, and things local to that machine: things like passwords for encrypted drives, secure notes, etc. It's worth going through the login entry's items to make sure there's nothing there you don't wish to lose, and if necessary, move them from login to iCloud.

Yes, I can see that many of the login items are things like passwords for encrypted disks that I know by heart and can thus easily re-enter. But it also contains numerous application passwords, like "TurboTax 2022 WebCrypto Master Key" that I don't want to lose--and that may have been generated internally by Turbo Tax, and that I would thus not be able to directly replicate myself.

How does one move items from login to iCloud? Does one simply drag-and-drop or copy-and-paste? And is it guaranteed that doing this won't cause problems? I ask because I assume there is a reason the system put them in login rather than iCloud, even though I have iCloud sync enabled.

Here are the four categories in Keychain Access (see screenshot).

Which of these corresponds to what's contained in the *.keychain-db files?

And what about the System Keychains?
System contains my wifi passwords.
System Roots contains some external passwords, like Amazon and others.