Monday, August 26, 2013

The curse of iTunes encrypted iPhone / iOS backups: the password is NOT your device password (and how to recover it from OS X Keychain)

I've often restored iOS devices from encrypted backup, so when I swapped Emily's 20 month old shattered-screen-4S for a $200 refurb [1] I wasn't expecting any restore problems. 

When I got the password prompt I entered the 4 digit lockscreen code for the original phone and ... iTunes said ...

The password you entered to unlock your iPhone backup was incorrect. Please try again.

My jaw dropped. How could that be? I've done this so many times ... though ... later it occurred to me that I don't usually see that password query. That was later though.

I did a lot of stuff -- though nothing stupid. For example -- I started by taking all my backups offline. That way if I messed something up I wouldn't get my backups confused. During my flails I did run into some odd behaviors with iTunes backup restore that can turn up when you end up with a backup of a device and, somehow, a backup of the same device after it's been wiped. That wasn't the problem though.

The problem was that iTunes encrypted backup passwords are NOT your device password/passcode. I knew this once, but I'd long ago forgotten and, in a serious lapse of procedure, my iTunes encrypted backup password(s) were not in 1Password. [4]

Once I realized my blunder [3] I reread Apple's tech note on iTunes iOS backups and it became clear why I and so many other [3] people go wrong (emphases mine) ...

... If an iOS device is protected with a passcode, iTunes prompts you to enter the passcode when you connect to your computer. Once you successfully enter the passcode, iTunes will recognize that device as authorized and you will not need your passcode to back up or sync ...

... In the iTunes Summary screen, select "Encrypt iPhone backup" if you want to encrypt the information stored on your computer when iTunes makes a backup. Encrypted backups are indicated by a padlock icon, and a password is required to restore the information to iPhone. ... If you use a Mac, when you set a password you can select to store the password in the keychain. With iOS 4 and later, you can transfer the iOS keychain backup to a new device if you encrypt the backup.

The trick, you see, is there are two completely different passwords/passcodes associated with backup/restore of an iOS device and iTunes (more confusing - passcode is a misnomer now that iOS can use alphanumeric screen lock passwords). One belongs to the device, the other to iTunes and a specific device backup.

Worse, the iTunes password is normally stored in the OS X keychain. So I entered it once several years ago, and I've never seen it since. I suspect I only saw it now because the refurb device I was restoring to had a new serial number -- it didn't match the serial number in the backup folder manifest.plist that's referenced by the OS X iPhone Backup keychain entry. (See [5] for details on how to recover if you don't remember yours and stored it in OS X keychain on initial configuration.)

So, really, it's all perfectly understandable. It's not just that my brain is turning to sludge. Now, if you excuse me, I'm going to go whistle by a graveyard ....

- fn - 

[1] I wonder if I'll be able to unlock this refurb in two months. I couldn't find much on the topic other than what I wrote a few months ago.

[2] Since I only bother with encrypted backups so that iTunes will store my iOS keychain I used my longstanding low security junk password. Once it somehow occurred to me that the password was unrelated to any of my device passwords it occurred to me to try it.

[3] Don't think it didn't occur to me that my younger brain would have remembered this.

[4] Unbelievable glitch. I always put passwords in my FileMaker Pro database that I post to 1Password.

[5] Some techniques from Encrypt Backup Password Problem: Apple Support Communities. I was able to verify that the 2nd of these worked perfectly, though by then I knew the password.

On a mac:

  1. Make sure you have a previous back-up
  2. Make a new back-up of the phone in its current state
  3. Go to <username>/Library/Application Support/MobileSync/Backup
  4. Find the most recent backup of your phone as well as the one you want to restore to (previous Backup).
  5. Open the Manifest.plist file for each
  6. Copy the value in BackupKeyBag from the new one to the one you wish to restore to.
  7. Save.
  8. Restore to the old backup!

or (this is the approach I tested - only works if you chose to save it in keychain)

  1. Open my keychain (Applications/Utilities/Keychain)
  2. Select passwords in the category section on the bottom half of the left-hand pane
  3. Scroll down the list of passwords until I found iPhone Backup
  4. Right click on iPhone Backup and select "Copy password to Clipboard"
  5. Verify my authority to copy the password to the clipboard by responding to the prompt to type my Mac password
  6. Paste the password into the iTunes prompt (you could also paste the password in a text doc to see what it was)

With Mountain Lion I showed the second of these works, with this variation:

  1. using Keychain Access search on 'iPhone Backup'
  2. Double click to open
  3. Note the Account number shown in this dialog matches the Folder name containing the backup.
  4. Click "show password", enter login credentials when requested, and you can see what it was.

To identify which Account/number folder name was relevant I opened manifest.plist in folders that had the right 'last updated' value and searched for the name of my wife's iPhone.
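
The folder-matching step above can be scripted instead of opening each manifest by hand. This is an added example, not part of the original post: it reads every Manifest.plist under a backup root and reports the folder name (the value to compare with the keychain entry's Account), device name, serial number and encryption flag. The key names `Lockdown`, `DeviceName`, `SerialNumber`, `IsEncrypted` and `Date` are assumed from the usual Manifest.plist layout, and the sample folders are constructed.

```python
import plistlib
import tempfile
from datetime import datetime
from pathlib import Path

def list_backups(root):
    """One record per backup folder under root, newest first."""
    records = []
    for manifest in Path(root).glob("*/Manifest.plist"):
        try:
            with manifest.open("rb") as fh:
                data = plistlib.load(fh)  # reads XML and binary plists
        except Exception:
            continue  # damaged or unreadable manifest: skip it
        lockdown = data.get("Lockdown", {})  # assumed key names, see lead-in
        records.append({
            "folder": manifest.parent.name,  # compare with keychain Account
            "device": lockdown.get("DeviceName", "?"),
            "serial": lockdown.get("SerialNumber", "?"),
            "encrypted": bool(data.get("IsEncrypted", False)),
            "date": data.get("Date"),
        })
    return sorted(records, key=lambda r: r["date"] or datetime.min, reverse=True)

def find_backups(root, device_name):
    """Case-insensitive substring match on the device name."""
    needle = device_name.casefold()
    return [r for r in list_backups(root) if needle in r["device"].casefold()]

def make_sample_root():
    """Constructed sample data: two fake backups plus one damaged manifest."""
    root = Path(tempfile.mkdtemp())
    samples = [("a" * 40, "Emily's iPhone", "SERIAL-OLD", True, datetime(2013, 8, 20)),
               ("b" * 40, "Office iPad", "SERIAL-PAD", False, datetime(2013, 8, 25))]
    for folder, name, serial, enc, date in samples:
        (root / folder).mkdir()
        manifest = {"IsEncrypted": enc, "Date": date,
                    "Lockdown": {"DeviceName": name, "SerialNumber": serial}}
        with (root / folder / "Manifest.plist").open("wb") as fh:
            plistlib.dump(manifest, fh, fmt=plistlib.FMT_BINARY)
    (root / ("c" * 40)).mkdir()
    (root / ("c" * 40) / "Manifest.plist").write_bytes(b"not a plist")
    return root

if __name__ == "__main__":
    # Real location on a Mac: ~/Library/Application Support/MobileSync/Backup
    for r in find_backups(make_sample_root(), "emily"):
        print(r["folder"], r["device"], r["serial"], r["encrypted"], r["date"])
```

Comparing the reported serial number with the replacement device's serial shows the mismatch that likely triggered the password prompt in the first place.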


Unknown said...

How do you solve this from a PC? It's my understanding keychains are only accessible from a Mac. Is this correct? Is there any Windows utility or how would you recommend to tackle this from a PC? Thanks

JGF said...

Alas, I've not used iTunes/Windows for about 8 years. Yes, Keychain is Mac specific.