iCloud Keychain

iCloud Keychain is an Apple service that synchronizes Keychain contents across multiple devices from the same owner, using end-to-end encryption. This is visible to the user as synchronization of passwords and credit card numbers saved by Safari, but other "end-to-end encrypted iCloud data" works by saving the encryption keys in iCloud Keychain as well.

Codenames
Many components of iCloud Keychain are actually open source (some unintentionally!) as part of the Security framework source releases.

You will still find a lot of unexplained codenames. This is a high-level overview from a broad look at the code, which may help in understanding what those names mean, though it still contains a lot of speculation and unanswered questions.

In Security-55471, iCloud Keychain was introduced, with SOS (Secure Object Sync). It uses iCloud Key-Value Store (KVS) as the storage/sync backend. There is an XPC service called "CloudKeychainProxy" that acts as a proxy between the keychain daemon (`securityd`) and KVS, because `securityd` can't (rather "couldn't back then") use Objective-C or link to Foundation.

In Security-57336, SOS can communicate over IDS too, and there's a new IDSKeychainSyncingProxy service (later renamed KeychainSyncingOverIDSProxy). This presumably means syncing keychain items by sending end-to-end encrypted push notifications between devices (iMessage uses IDS too) instead of storing items in KVS. This version also added keychain views (see ViewList.list), which apparently split syncable keychain items into groups with different properties (maybe different top-level keys?).

Security-58286 changed a lot. There is a whole new "syncing system" called CKKS (CloudKit Keychain Syncing). Views can be synced either by SOS or by CKKS. Presumably SOS is considered legacy (there's code to "upgrade from SOS to CKKS"). There are a few new views synced by CKKS; some have self-explanatory names (AutoUnlock and Health), but there are also two called Engram and Manatee (meaning and distinction unknown).

As hints for future research: "Engram" is a private framework that is certainly related; some features like AirTag pairing check "whether manatee is available" and tell the user to enable 2FA if not; ElcomSoft's talk about iMessages in iCloud mentions needing to download data from both Engram and Manatee to get messages.

There's a larger system called Octagon (overall "iCloud Keychain v2" project? or just the new way devices add each other as trusted?), introduced together with CKKS, and a related XPC service called Cuttlefish (TrustedPeersHelper).

Resources

 * Apple Platform Security Guide: iCloud Keychain Security
 * Ivan Krstic's talk at BlackHat USA 2016 (slides) (though he focuses on iCloud Keychain escrow/backup and glosses over syncing)
 * Breaking Apple's iCloud Keychain – ElcomSoft
 * Extracting Messages from iCloud – ElcomSoft