A Look at Keychain Access (and Why You Should Care)
Pages: 1, 2, 3

How Does Keychain Access Work?

The simplest way to think about Keychain Access is as a database for passwords. Its job is to remember some of the passwords and certificates you use frequently, so that you don't have to. The need for security is obvious, due to the nature of the information being stored.

According to Apple, Keychain Access can also be used for any other "sensitive information" (their wording, not mine), such as credit card numbers, software serial numbers, or PINs for bank accounts. Well, yes, it can be used for information like this, but if you intend to use it this way, make sure you take a few precautions first. More on that later.

Every time you make some kind of secure connection, or use software to send a password from one computer to another, Keychain Access steps in and supplies the password from your keychain, where all of your passwords are stored.

You get a default keychain automatically, when you first use your Mac. But it doesn't have to be the only keychain you use. In fact, you're allowed to set up several different ones and can put them to use in different ways.

Just as an example, there's nothing to stop you using the default keychain for day-to-day stuff like website logins and checking email accounts. But you could also create additional keychains: one for all of your work-related connections, another for online banking, and a third for those super-secret credit-card details that you want to keep handy, but away from prying eyes.

Every keychain you set up is a separate file, and each one can be locked and unlocked at different times.

What Does the Keychain Access Utility Do?

If you haven't fired it up already, look in your /Applications/Utilities folder to find the Keychain Access utility.

When you open it, you'll see something like this:

The main window in Keychain Access

Keychain Access is your central control panel for managing entire keychains, and individual items within them. Frankly, it's not a terribly user-friendly bit of software, with various odd commands hidden in unexpected places among the menus. But once you've gotten used to finding the functions it offers, you might find many of them very useful. It's worth exploring Keychain Access a bit, just to get to know what it can do.

Firstly, you can create new keychains, and control how each one behaves. To change options for one keychain, select it in the keychains list on the left, then click Edit -> "Change settings for Keychain name."

Now you'll see a panel like this:

Changing settings for one keychain

You can ensure that a keychain is either unlocked most of the time (a fair choice for your day-to-day keychain stuff: website passwords and so on), or locked most of the time (the best choice for your sekrits). This is also the place for looking after .Mac synchronization, if you have a .Mac account. This last feature lets you sync whole keychains between two or more Macs, and can be incredibly useful if you're using Macs in several different places.
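
The "locked most of the time" setup described above can also be applied from Terminal with the `security` command-line tool that ships with Mac OS X. This is an added example, not part of the original article; the keychain name `banking`, the 300-second timeout, and the `run` and `make_locked_keychain` helper names are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: a separate keychain that stays locked most of the time.
# Keychain name and timeout are sample values, not taken from the article.

# Run a command, or only print it when DRY_RUN=1 or `security` is missing
# (for example when reading along on a non-Mac system).
run() {
    if [ "${DRY_RUN:-0}" = "1" ] || ! command -v security >/dev/null 2>&1; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# make_locked_keychain NAME TIMEOUT_SECONDS
make_locked_keychain() {
    name=$1
    timeout=$2

    # Refuse an empty name and any timeout that is not a positive whole
    # number written without a leading zero.
    [ -n "$name" ] || { echo "keychain name required" >&2; return 1; }
    case $timeout in
        ''|*[!0-9]*|0*) echo "timeout must be a positive integer" >&2; return 1 ;;
    esac

    kc="$name.keychain"

    # No -p option: `security` prompts for the new keychain's password,
    # so it never lands in shell history or the process list.
    run security create-keychain "$kc" || return 1

    # -l: lock when the Mac sleeps; -u with -t: lock after TIMEOUT idle seconds.
    run security set-keychain-settings -l -u -t "$timeout" "$kc" || return 1

    # Print the resulting settings, then lock the keychain until it is needed.
    run security show-keychain-info "$kc" || return 1
    run security lock-keychain "$kc"
}

# Example: make_locked_keychain banking 300
```

Setting `DRY_RUN=1` prints the four commands instead of running them, which is a safe way to review them before touching a real keychain.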

As well as changing settings for whole keychains, you can also change settings for every individual keychain item.

Double-click any item in any keychain and you'll see another panel. Here, under the Access Control tab, you can say which applications have permission to access this particular item, and whether or not they have to ask for the keychain password when they do.

As well as passwords, Keychain Access deals with all of your digital certificates. Any certificate files that come into your possession can be imported to Keychain Access just by dragging them in. You can export certificates of your own using the File -> Export command.

When Apple says you can use Keychain Access for storing "sensitive information," it means using the Secure Notes feature.

A secure note is simply text you've entered, or pasted from elsewhere, which cannot be viewed without supplying the right password.

Adding a new Secure Note
