This is a follow-up to my blog post "macOS Sonoma silently enabled iCloud Keychain despite my precautions" from five months ago. The TL;DR of that blog post is that when you have iCloud enabled but not iCloud Keychain, updating from Ventura to Sonoma causes iCloud Keychain to be silently enabled. (I don't know yet whether that still occurs when updating from Sonoma to Sequoia.) What I didn't realize at the time, indeed didn't realize until now, is that iCloud Keychain already uploaded all of my passwords and kept them in iCloud even after I disabled iCloud Keychain.
Let me start with some background. My main machine with all of my personal data including passwords is a MacBook Pro, which is still running Sonoma. It's logged into iCloud, but I don't use iCloud for anything personal. The only reason I enable iCloud is to work on sync features in my apps for my customers. Also for development purposes, I have an iPad and a Mac mini with macOS Big Sur through Sequoia installed on separate APFS volumes. Both devices are used only for software testing and contain no personal data. Finally, I have an iPhone, which I've never actually logged into iCloud.
Today I was shocked to discover a bunch of my website passwords in Safari while booted into Sequoia on the Mac mini. There shouldn't be any personal data on the mini, and iCloud Keychain is disabled in its Sequoia volume. Incidentally, the reason I was looking at Safari passwords on the Mac mini is that I noticed on the MacBook Pro that Allow Automatic Passkey Upgrades was automatically, silently enabled in Safari, and I wanted to check whether that was also true on other devices.

I looked around on other boot volumes on the Mac mini and other devices but didn't find my passwords anywhere else except in Sequoia. I was struggling to determine how my passwords got there when eventually I remembered my old blog post, which allowed me to reconstruct a plausible scenario.
The key piece of evidence was that when I opened the Sequoia Passwords app and sorted by date edited, the most recent was May 25, 2024. Coincidentally, my old blog post, written when I updated the MacBook Pro to Sonoma, was on May 26, 2024. There aren't any more recent passwords on the Mac mini, yet there are more recent passwords on the MacBook Pro.
Hence, my assumption about what happened is that when I updated the MacBook Pro to Sonoma, iCloud Keychain got silently enabled, and all of my passwords quickly got uploaded to iCloud, before I could disable it. When I disabled iCloud Keychain on the MacBook Pro, my passwords did not get removed from Apple's servers. They've been sitting up in iCloud all along. But I had no way of knowing that, because iCloud Keychain is not enabled on any of my devices. The only way to see the contents of iCloud Keychain is on an Apple device with iCloud Keychain enabled. You can't even see anything on the icloud.com website.
WWDC 2024 was in June, the month after I updated the MacBook Pro to Sonoma. I installed the new Sequoia beta on the Mac mini and signed into iCloud. When I signed into iCloud for the first time, Sequoia must have automatically enabled iCloud Keychain, which caused my already synced passwords to be downloaded. These are what I see now in Safari and the Passwords app. Once again, when I disabled iCloud Keychain in Sequoia back in June, that didn't remove the passwords from either the Mac or from iCloud.
The question is, how do you delete all data from iCloud Keychain? I found an old Apple support document from 2021 with the Wayback Machine:
What happens when I turn off iCloud Keychain on a device?
When you turn off iCloud Keychain for a device, you're asked to keep or delete the passwords and credit card information that you saved. If you choose to keep the information, it isn't deleted or updated when you make changes on other devices. If you don't choose to keep the information on at least one device, your Keychain data will be deleted from your device and the iCloud servers.
However, the URL https://support.apple.com/en-us/HT204085 now redirects to https://support.apple.com/en-us/109016, which says nothing about deleting keychain data from iCloud servers:
If you turn off iCloud Keychain
When you turn off iCloud Keychain, password, passkey, and credit card information is stored locally on your device.
When you sign out of iCloud on your device while iCloud Keychain is turned on, you're asked to keep or delete your Keychain information.
If you choose to keep the information, your passwords and passkeys are stored locally on your device, but aren't deleted or updated when you make changes on other devices.
If you don't keep the information, your passwords and passkeys aren't available on your device. An encrypted copy of your Keychain data is kept on iCloud servers. If you turn iCloud Keychain back on, your passwords and passkeys will sync to your device again.
Apparently Apple now just keeps your iCloud Keychain data forever, whether you want them to or not? I didn't even want Apple to have my keychain data in the first place!
As a workaround, I manually deleted all of my passwords in the Passwords app in Sequoia, enabled iCloud Keychain, and then disabled iCloud Keychain again. To verify the password deletion, I booted into Sonoma on the Mac mini and enabled iCloud Keychain there. Fortunately, no passwords were downloaded from iCloud. (As I mentioned in my old blog post, Sonoma System Settings still has the bug where it hangs and crashes when you disable iCloud Keychain. Apple software quality on exhibition.)
I'm still concerned about other data that may still be in iCloud Keychain. For example, what about wifi passwords? I can't very well delete my wifi password on the Mac mini and then sync the deletion to iCloud Keychain, because of course I can't sync anything without wifi! And what else does iCloud Keychain store that I can't necessarily see in the user interface? Hopefully nothing else…
By the way, after I published my old blog post about iCloud Keychain, I did ultimately find a solution to prevent iCloud Keychain from ever getting silently enabled: use an MDM profile.