The iOS Keychain can do more than store a secret on one device: it can sync that secret across all of a user's devices through iCloud Keychain. That is great for credentials a user expects on their iPhone and iPad alike, and a decision worth making deliberately for sensitive material, because syncing means the item leaves the single device. You control it per item with the synchronizable attribute, and for the most sensitive secrets you can choose a device-only accessibility that never syncs and never enters backups. Here is what keychain iCloud sync is, the trade-off, and how to decide per item.
Short answer
A Keychain item can be marked synchronizable so it syncs across the user's devices through iCloud Keychain, which is convenient for credentials the user wants on all their devices and means the item survives losing or replacing a device. Per Apple's Keychain documentation, syncing places the item in iCloud Keychain, which Apple end-to-end encrypts and ties to the user's account. For the most sensitive secrets that should never leave a single device, use a device-only accessibility attribute, the ThisDeviceOnly variants, which keep the item from syncing and from being included in backups. So decide per item: sync for convenience where appropriate, device-only for secrets that must stay on the one device.
What you should know
- Keychain items can sync: across the user's devices via iCloud Keychain.
- Syncing means it leaves the device: stored in iCloud Keychain, end-to-end encrypted.
- It is per item: the synchronizable attribute controls it.
- Device-only attributes do not sync: the ThisDeviceOnly accessibility variants.
- Decide deliberately: sync for convenience, device-only for the most sensitive.
What is keychain iCloud sync?
It is the Keychain syncing a stored item across a user's Apple devices. When you store a Keychain item and mark it synchronizable, the system propagates it through iCloud Keychain to the user's other devices signed into the same iCloud account, so a credential saved on the iPhone is available on the iPad. Apple end-to-end encrypts iCloud Keychain, so the synced item is protected in transit and at rest and tied to the user's account. The benefit, beyond cross-device convenience, is resilience: a synced credential survives the loss, replacement, or transfer of a single device, because it is not bound to that one device. The cost is that the item is no longer confined to a single device, which for most credentials is fine and for the most sensitive material is a decision to weigh.
Sync versus device-only
The choice is between convenience and resilience on one side and single-device confinement on the other. The table contrasts the two.
| Property | Synchronizable | Device-only (ThisDeviceOnly accessibility) |
|---|---|---|
| Syncs via iCloud Keychain | Yes, across the user's devices | No, stays on the one device |
| Cross-device availability | On all the user's devices | Only the device it was created on |
| Survives device loss | Yes, because it is not bound to one device | No, it is bound to that device |
| Excluded from backups | No | Yes |
A synchronizable item trades single-device confinement for convenience and resilience, and since iCloud Keychain is end-to-end encrypted, that is appropriate for many credentials. A device-only item, using a ThisDeviceOnly accessibility attribute, never leaves the device it was created on and is excluded from backups, which is the strongest isolation and the right choice for a secret that should never exist anywhere but the one device. The decision is per item, so you can sync the user's login token while keeping a device-bound key local.
How do you decide per item?
Match the attribute to how sensitive the item is and how it is used. For credentials the user reasonably expects across their devices (a login token, a saved password), marking the item synchronizable gives a good experience and resilience, and iCloud Keychain's end-to-end encryption protects it. For the most sensitive material (a key that should be unique to the device, a secret tied to device-specific trust, or anything you do not want leaving the one device), use a device-only accessibility attribute so it does not sync and is not backed up. Consider whether the item should survive a device transfer, which favors syncing, or must be confined, which favors device-only. And remember the choice interacts with backups: device-only items are excluded, which is what you want for the most sensitive secrets. The principle is to decide consciously rather than defaulting, since the attribute determines whether a secret stays on one device or spreads across the user's account.
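As an added example (not code from the article), a Swift helper that makes the per-item choice described above with the Security framework's attributes; the service and account names are placeholders. It also carries two caveats from that framework: a synchronizable item cannot use a ThisDeviceOnly accessibility, and a query only sees synced items when kSecAttrSynchronizable is specified.

```swift
import Foundation
import Security
// Added example, not code from the article; "com.example.app" and the
// account names are placeholders.
enum SecretScope {
    case synced      // propagates via iCloud Keychain, survives device loss
    case deviceOnly  // never syncs and never enters a backup
}
/// Store a generic-password item with the sync behaviour chosen per item.
/// Caveat: kSecAttrSynchronizable = true cannot be combined with a
/// *ThisDeviceOnly accessibility; SecItemAdd rejects that pairing.
@discardableResult
func storeSecret(_ data: Data, account: String, scope: SecretScope) -> OSStatus {
    var attrs: [CFString: Any] = [
        kSecClass: kSecClassGenericPassword,
        kSecAttrService: "com.example.app",
        kSecAttrAccount: account,
        kSecValueData: data,
    ]
    switch scope {
    case .synced:
        attrs[kSecAttrSynchronizable] = true
        attrs[kSecAttrAccessible] = kSecAttrAccessibleAfterFirstUnlock
    case .deviceOnly:
        attrs[kSecAttrSynchronizable] = false
        attrs[kSecAttrAccessible] = kSecAttrAccessibleWhenUnlockedThisDeviceOnly
    }
    return SecItemAdd(attrs as CFDictionary, nil)
}

/// Audit helper: is the stored item marked synchronizable? Queries omit
/// synced items unless kSecAttrSynchronizable is set, so ask for both kinds.
func isSynchronizable(account: String) -> Bool? {
    let query: [CFString: Any] = [
        kSecClass: kSecClassGenericPassword,
        kSecAttrService: "com.example.app",
        kSecAttrAccount: account,
        kSecAttrSynchronizable: kSecAttrSynchronizableAny,
        kSecReturnAttributes: true,
        kSecMatchLimit: kSecMatchLimitOne,
    ]
    var item: CFTypeRef?
    guard SecItemCopyMatching(query as CFDictionary, &item) == errSecSuccess,
          let found = item as? [String: Any] else { return nil }
    return (found[kSecAttrSynchronizable as String] as? Bool) ?? false
}
// Usage: sync the login token, keep the device-bound key local.
storeSecret(Data("token".utf8), account: "login-token", scope: .synced)
storeSecret(Data("devkey".utf8), account: "device-key", scope: .deviceOnly)
```

The audit helper is the check to run when you suspect an item you meant to keep local is actually syncing: a default query without kSecAttrSynchronizable would silently skip it.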
What to watch out for
The first trap is syncing a secret that should never leave one device, when a device-only accessibility attribute would confine it; choose deliberately per item. The second is assuming everything in the Keychain is device-local, when synchronizable items propagate across the user's devices. The third is forgetting that device-only attributes also keep an item out of backups, which is usually what you want for the most sensitive secrets. A pre-submission scan such as PTKD.com (https://ptkd.com) reads the compiled IPA against OWASP MASVS and assesses how your app uses the Keychain and stores secrets, which complements the per-item sync and accessibility choice you make in your code.
What to take away
- Keychain items can be marked synchronizable to sync across the user's devices via iCloud Keychain, which is convenient and survives device loss but means the item leaves the single device.
- iCloud Keychain is end-to-end encrypted, so syncing is appropriate for many credentials.
- For the most sensitive secrets that must stay on one device, use a device-only accessibility attribute (a ThisDeviceOnly variant), which does not sync and is excluded from backups.
- Decide per item, and use a pre-submission scan such as PTKD.com to assess how your app uses the Keychain and stores secrets.