The CCC Private Keychain

This documentation is for an older version of CCC. You can find the latest version here.
Last updated on June 24, 2022

CCC creates a private keychain on your startup disk for the purpose of storing authentication credentials that facilitate automated backup tasks. Specifically, CCC will store these sorts of credentials:

  • SMTP account settings that you define in CCC's Preferences > Email Settings
  • NAS device username/password for mounting NAS volumes specified as a source or destination to a CCC task
  • Encrypted volume passwords that you ask CCC to store
  • Encrypted disk image passphrases for disk images that you ask CCC to create

To protect these credentials, CCC stores them in a standard macOS keychain file on your startup disk at Macintosh HD > Library > Application Support > com.bombich.ccc > CCC-global.keychain. Beyond the protections provided by the macOS keychain, CCC applies the following restrictions on the CCC keychain file:

  • The keychain file is readable only by the macOS system administrator account (i.e. the "root" user)
  • The keychain file can only be unlocked by CCC (specifically, by CCC's privileged helper tool)
  • The keychain file can only be unlocked on the Mac upon which it was originally created — it is purposefully Mac-specific

You can remove individual keychain entries, or reset the CCC private keychain

If you would like to see and/or remove individual keychain entries, open CCC's Preferences and click Passwords in the toolbar. To remove a keychain entry, simply select the entry and press the Delete key.

CCC never reveals passwords stored in its keychain

Alongside the security measures applied to CCC's keychain file, CCC will never reveal a password entry once it is stored in the keychain. That's a deliberate security measure. If you have lost/forgotten a password and it is retained in CCC's keychain, you will not be able to recover that password from CCC's keychain. You may, however, be able to use CCC to unlock and mount the associated encrypted volume or disk image, then copy the content of that volume to other storage.

The CCC private keychain is not transferrable to other Macs

If you purchase a new Mac and migrate your data to the new Mac, CCC's keychain will not work on the new system. If you configured CCC to send email notifications, open CCC Preferences > Email Settings, then click the Edit button to re-enter your SMTP account password (or "App Password"). If any backup tasks run that require NAS volume or encrypted volume passwords, those tasks will fail, and then CCC will prompt for those credentials. You may provide those passwords proactively after migration; hold down the Command key and click on the Destination selector to be prompted for the destination volume's credentials.

Most passwords that CCC retains are created outside of CCC (e.g. SMTP passwords, NAS device credentials, and encrypted volume passwords), so you'll typically have a copy of that password stored elsewhere (e.g. your login keychain or another password manager). Bear this in mind, however, when creating encrypted disk images. CCC offers an option to store the password that you specify in your login keychain (and that option is enabled by default). If you do not store the password in your login keychain, however, and if you migrate to a new Mac and forget the password, you will not be able to open the disk image.