The best way to get Keychains from Old to New Mac.

This is a post from another discussion (so mostly copy and pasted) but thought it correct to start a new one in the hope some experienced Mac users could give me additional advice. I have already received some pointers from John (in the other discussion) on this subject but wondered what others thought regarding benefits and pitfalls of the options available.


https://discussions.apple.com/thread/250282200


I suppose my goal is to have the new Mac as close to "out of the box" as possible after logging into iCloud and allowing Contacts, Calendar, Notes, Safari Bookmarks etc to sync back.


I'm not worried about Mail because I can add my account and import mailboxes, iMessages can start from scratch and I don't employ iCloud for any photo syncing, preferring to keep them on external backup drives.


So the only remaining area was Keychains and all those passwords and Secure Notes, which would be a pain to type in again by hand.


With respect to Keychains I feel there are three ways to get them across to the new Mac if I exclude long hand: use Migration and then deal with trying to remove other stuff it also brings over (or just accept the other stuff and leave alone), enable iCloud Keychains on old Mac and then let it sync across similar to Contacts, or employ an Import method similar to Mail.


Because I've never used iCloud Keychains and I've stayed away from 2FA (that's another story) I'm really not sure about wanting to do that just for a single purpose, so that leaves me with the Import option.


If Keychains allowed Export and Import in a similar manner to Mail it would be a lot easier, but as I understand you can't Export collectively, only single items. The closest method I've read is to copy the "login.keychain" and "login.keychain-db" files over to the new Mac then open Keychain Access and Import that old login keychain. Then from within Keychain Access move the contents from old keychain to new keychain after which the old keychain can be deleted.


That nicely deals with all the Secure Notes but Passwords being under Local Items would still be left and I'm unsure under which Finder keychain db they are stored or even if the same file copy/Import technique could be used. I suppose you could move all the passwords from Local Items to Login (on old Mac) on a temporary basis and once the contents are on the new Mac using the file copy/Import method, move them back again to the new Mac's Local Items.


Anyhow, that's what I'm trying to get straight in my mind at the moment, how to have a new Mac that's as close to "out of the box" with respect to software on it but also to have all my old keychains available.


Any thoughts would be greatly appreciated.

iMac 21.5", macOS 10.14

Posted on Apr 8, 2019 6:28 AM


Apr 8, 2019 7:55 AM in response to SiHancox

I believe Apple would prefer you to use the Migration Assistant which should work but has the consequences you listed.


An alternative method would be to drag the old keychains from a disk copied from the old Mac into the correct location on the new Mac. In the past this was a fairly simple process but now with Mojave and its extra security measures it is a lot more complex and instead you need to follow these steps.


  1. Boot the new Mac in to Recovery mode
  2. If needed use Disk Utility to mount the encrypted new Mac drive
  3. If needed use Disk Utility to mount the encrypted old Mac drive - if you're using Target Disk mode; if you're using a copy make sure the copy drive is attached
  4. Launch Terminal whilst still in Recovery mode
  5. Use Terminal to copy the Keychain files and folders from the old Mac or copy to the correct location on the new Mac drive; remember you will probably need to use file paths like /Volumes/Macintosh\ HD. The copy command is ditto; if you're not familiar with ditto read the man page before you start
  6. Once copied you then need to change the ownership to match the new computer; sadly you cannot do a more typical chown -R newname /path/to/files/on/new/mac, you have to use the numeric identifier e.g. chown -R 503 /path/to/files/on/new/mac
  7. Shutdown, disconnect the old Mac or the copy
  8. Boot new Mac and try it

Apr 9, 2019 1:39 AM in response to SiHancox

This is an approach we devised internally, I have not seen any articles on this.


If you're not comfortable doing this perhaps sticking with the Migration Assistant would be best, otherwise do you have a local contact who is more familiar with using Terminal?


For what it's worth you can find the (normally hidden) User ID of the user account as per - https://support.apple.com/en-gb/HT201548


You want to do this on the new Mac after you create the new user and before you try copying the Keychain and following the rest of the steps. That way you know the value to use as part of the chown command.


In case you're not aware chown is the command to change the ownership of files, hence chown.

Apr 8, 2019 8:33 AM in response to John Lockwood

So using Finder to move over the existing Keychains folder to allow Keychain Access to import is no longer a possibility due to Mojave security measures.


Must confess your method is so far outside my comfort zone I just don’t believe it would be wise for me to try without further understanding, although 1 to 4 I’m ok with, 5 and 6 will require far more detail for me to be confident.


Only ever used Terminal and its commands to create a bootable USB Installer drive and that was by following a guide that basically took you by the hand through the whole typing process.


I will have to try and find something similar or read up further on Terminal Copy and Ownership Change commands I’m afraid.

Apr 9, 2019 5:04 AM in response to John Lockwood

Thanks again, I understand the principle involved in both moving and changing the ownership with Terminal, and finding the User ID will not be a problem because I've looked under the Advanced Options for User Groups before. I've even used Terminal previously for tasks such as creating a bootable USB Installer or showing Hidden files, but saying that the guides had always listed out the various command line/file paths that were needed to be typed in.


I've never actually had to sit down and work out how to put a command line together with a file path to get Terminal to execute an instruction, but if your existing Keychain folder on the old Mac is in the standard place under the user Library (as below) wouldn't that line of text be "standard" to get the Keychain folder from old to new Mac (or am I missing something).



Likewise, if the location on the new Mac was the same (I tend to setup all my Macs with same full and account names and only have one account together with the guest) wouldn't the file path be similar to the above in order to execute an ownership change.


I suppose I'm asking from the above is there any source that would help me put together the Terminal lines to "copy" and then "change ownership" of the Keychain folder.


Or in asking, am I demonstrating a complete lack of understanding and therefore would be wise to avoid the whole process altogether.

Apr 9, 2019 6:27 AM in response to SiHancox

Normally one of the paths would be something like -


/Users/username/Library/Keychains


Because you are booted from a different drive you need to use the special /Volumes prefix and it would then become -


/Volumes/nameofvolume/Users/username/Library/Keychains


It however becomes more complex if both the new Mac and the old Mac have the same volume name as one would be /Volumes/Macintosh\ HD and the other would be listed as /Volumes/Macintosh\ HD\ 1


Note: the \ is the escape symbol and in this case is 'escaping' the space symbol after it. Another way to 'escape' the space symbol is as follows.


"/Volumes/Macintosh HD" and "/Volumes/Macintosh HD 1"


as the double-speech marks also escape the space symbol.


Whether the new or old drive has the extra number added depends on the order they are mounted, the first one does not have the number, the second (and third) would.


So hypothetically the copy command would be something like


ditto /Volumes/Macintosh\ HD\ 1/Users/olduser/Library/Keychains /Volumes/Macintosh\ HD/Users/newuser/Library/Keychains/

then

chown -R 503 /Volumes/Macintosh\ HD/Users/newuser/Library/Keychains


The source and destination for the ditto command are important to get correct including the last / see this article for an explanation - http://osxdaily.com/2014/06/11/use-ditto-copy-files-directories-mac-command-line/
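
An added example, not part of the thread or any poster's own commands: a check to run in Terminal on the new Mac after the final "boot and try it" step, confirming that the numeric chown covered every copied item and that nothing in the Keychains folder is writable by other accounts. The function name `check_keychain_ownership` is hypothetical, and the script assumes a normal (non-Recovery) boot as the new user.

```shell
#!/bin/sh
# Added example: post-copy audit of a copied Keychains folder.
# check_keychain_ownership DIR UID
#   Lists every item under DIR that is not owned by UID or that is
#   group/world-writable. Returns 0 when clean, 1 when anything is
#   flagged, 2 on bad arguments.
check_keychain_ownership() {
    dir=$1
    uid=$2

    # The chown step in the thread uses the numeric ID, so require digits.
    case $uid in
        ''|*[!0-9]*) echo "uid must be numeric: '$uid'" >&2; return 2 ;;
    esac
    # Quoting "$dir" copes with volume names such as "Macintosh HD 1".
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }

    # Items still owned by another ID (for example the old Mac's user ID).
    wrong_owner=$(find "$dir" ! -user "$uid" -print)
    # Items another local account could modify (symlinks are skipped).
    loose_perms=$(find "$dir" ! -type l \( -perm -020 -o -perm -002 \) -print)

    flagged=0
    if [ -n "$wrong_owner" ]; then
        echo "not owned by uid $uid:"
        echo "$wrong_owner"
        flagged=1
    fi
    if [ -n "$loose_perms" ]; then
        echo "group/world-writable:"
        echo "$loose_perms"
        flagged=1
    fi
    return $flagged
}

# Typical use after logging in to the new account:
#   check_keychain_ownership "$HOME/Library/Keychains" "$(id -u)"
```

Anything listed under "not owned by" means the chown step missed that item or used the wrong numeric ID.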

Apr 9, 2019 7:04 AM in response to John Lockwood

Many thanks, this is exactly what I was looking for, I've saved your replies to read at leisure and together with the OSXDaily article I should now be able to make a decent go at it.


I don't intend to upgrade just yet anyway, waiting for Apple to redesign the iMac range first (could still be a long wait) so that should give me plenty of time to digest all of the above plus any further info I manage to find.


Much appreciated.
