
Cannot eject USB stick in OS X containing a private keychain containing only user-created secure notes

Cannot eject USB stick in OS X containing a private keychain containing only user-created secure notes, because OS X claims lots of other apps are using the said private keychain?


and would love a resolution to this problem as it's beginning to wind me up every day, so let me explain my issue:


I have a USB stick I connect to my computers. On this USB stick I have a personal keychain for passwords in secure note items only. Starting under Snow Leopard, when I try to eject said USB stick containing my secure note item private keychain, it refuses to, claiming my USB stick is in use by x open applications, which by the looks of it seem only to be those apps with net access? They claim to be using the private keychain on my USB stick and refuse to allow me to eject the USB stick.


I have verified which apps with lsof and grep, but sadly it will not go into details as to which keychain secure note item they are claiming use of; it just says they are claiming use of that whole keychain on the USB key. Now if I quit all the programs until I'm running just the Finder, I can always eject the USB stick containing the private keychain. But obviously this is a total pain, to have to quit all open applications every time I may need to plug and unplug this USB stick?


The thing that is ultra confusing is that the keychain in question on the USB stick only contains secure note items for my private use, storing logins and passwords and things, and none of the secure notes can have been set up by the apps themselves, as apps in my understanding would not create secure notes in my private keychain? But somehow they're still claiming rights over my private keychain? I have also tried deleting the keychain from the list, removing references only, and quitting Keychain. The other apps in question, Mail / Google / NetAuthAgent (I was doing some screen sharing at the time I tested it), all still think they have dibs rights over my private keychain of secure notes, even though they should be having nothing to do with it? It's one thing for them to store some stuff in the login keychain, but dibs over my private keychain should not be included in that access?


I think this must be some kind of bug in Keychain in Snow Leopard and later or something, because I didn't suffer this in Leopard? It's ridiculous for an app to be claiming rights over a keychain they've never used? I think Apple have simplified this such that all apps claim some kind of right over all keychains that Keychain Access knows of, regardless of whether they have used that keychain at all, but if that were the case you would have thought removing Keychain Access's knowledge of my private keychain would resolve the issue, but apparently not?


Message was edited by: ancientscream errata

MacBook Pro, Mac OS X (10.6.8)

Posted on Apr 13, 2013 9:30 AM

36 replies
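The `lsof` check mentioned in the question, as an added example that is not part of the original post or any reply: it parses lsof's machine-readable field output and lists every process holding a file open under the stick's mount point. The volume name `KEYSTICK`, the keychain file name and the sample output are constructed assumptions.

```shell
#!/bin/sh
# Added example: list which processes hold files open under a mounted volume
# by parsing lsof's field output (-F pcfn: pid, command, fd, name).

# Constructed sample of `lsof -F pcfn` output (not captured from a real system).
# The volume name KEYSTICK and the keychain file name are assumptions.
sample_lsof() {
cat <<'EOF'
p201
cMail
f12
n/Volumes/KEYSTICK/private.keychain
f13
n/Users/me/Library/Mail/Envelope Index
p340
cNetAuthAgent
f7
n/Volumes/KEYSTICK/private.keychain
p512
cFinder
f4
n/Users/me/Desktop
EOF
}

# holders MOUNTPOINT: read lsof -F output on stdin and print "pid command fd path"
# for every open file whose path lies under MOUNTPOINT.
holders() {
    awk -v mp="$1" '
        { tag = substr($0, 1, 1); val = substr($0, 2) }
        tag == "p" { pid = val; cmd = "?" }   # start of a new process set
        tag == "c" { cmd = val }              # command name of that process
        tag == "f" { fd = val }               # start of a new file set
        tag == "n" && index(val, mp "/") == 1 { print pid, cmd, fd, val }
    '
}

# On a live system (assumes lsof is installed and the stick is mounted):
#   lsof -F pcfn 2>/dev/null | holders /Volumes/KEYSTICK
sample_lsof | holders /Volumes/KEYSTICK
```
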

Apr 13, 2013 1:56 PM in response to ancientscream

That's your problem then. As you have it configured, it will always have open files on it anytime it's mounted. That open file is what is preventing you from easily Ejecting the USB drive, because it's a file that is used by the System, not the User. Anytime you try to eject it, the OS will determine that it is being used by the System, and in essence treat it like it was part of the OS itself, so it will balk at any User-level changes (like ejecting it).


If you change your workflow with this particular Keychain as I suggested a few posts ago, you will eliminate the reason the System wants to keep it mounted.

Apr 13, 2013 1:48 PM in response to ancientscream

True, UNIX's invention was earlier, 1969, CP/M being 1974, but in the 1980s, when personal home computing took off outside of academic circles and some companies in the UK, you were more likely to find CP/M on a personal machine than UNIX, hence my use of command lines at that period and thence transitioning to Apples, desiring never to see command lines again 😉

Apr 13, 2013 1:56 PM in response to gordguide

Keychains and Keychain Access can be used by the user to store their own information securely, independently of the system's use of it. Many guides on the web explain how to do this, and it functioned fine for me for years:


See this tutorial here, for example.


Cheers for all your help and suggestions, it really is appreciated. I'll keep looking for a solution.

Apr 13, 2013 2:03 PM in response to ancientscream

" ... keychains and keychain access can be used by the user to store their own information securely, independently of the system's use of it ..."


Of course they can. But not if you deliberately set it up so the System must use it. Which is what you've done. Essentially you've configured it so that if you plug in that USB stick, you are forcing the System to use that file and keep it open.


You probably will have to delete that keychain from your list in Keychain Access (backup!) before the System will stop locking access. Again, you can't get what you want until you set up your use of that Keychain properly. It is your own actions that are causing the problem; you are forcing the System to use that file on the USB drive; it has no choice due to how you've configured access to that particular Keychain.

Apr 13, 2013 2:51 PM in response to ancientscream

" ... i have not set it up so the system must use it ..."


Yes, you have.


You have set the pathname to the USB disk by "once keychain access program has once opened this keychain it always remembers its location"


Location = Pathname


So, you have set the pathname in Keychain Access to a USB drive and now wonder why it wants to keep the USB drive mounted?


The System is only doing what you've told it to do.


You need to copy the keychain to your system disk, set the pathname to that keychain (or just reboot and it should show up there) and delete the keychain that still has the USB drive as the pathname.


Which is why renaming one of them is a good idea, so you know which is which when it comes time to delete the one with the pathname to the USB drive from the list in Keychain Access.


If you're not forcing the System to use the keychain on the USB drive, it won't stop you from unmounting it.


Really, I can't help you anymore. The solution to your problem has been given. I can't put a gun to your head and make you use it.

Apr 13, 2013 3:22 PM in response to gordguide

OK, I think it will make more sense if I explain how I use this particular keychain and why it is on this USB stick in the first place. It has to be on the USB stick, as I need it to be portable: I take the stick with me when I work at clients, and anytime I need one of the 519 encrypted secure note items containing my clients' passwords, logins, system details etc., I plug the USB stick into a machine at their office, open up this secure encrypted keychain on the USB stick, and add, change or view any of the details I need in the secure notes in relation to the client. When done, I delete the reference to this portable keychain (but not the file, obviously) from their "Keychain Access" program, then quit Keychain and unplug the USB stick (these other machines don't complain). I can go to any client and have access to this one centralised encrypted keychain from this USB stick wherever I need, and because it's encrypted, if I lose the USB key it is to all intents and purposes illegible and secure from the finder's prying eyes. This has always worked just fine, and it continues to work on most of my clients' machines without complaint, i.e. their machines do not attempt to deny the USB stick's ejection. But my home machine has for some time started trying to deny all attempts to remove the stick unless every program has been quit first. This never used to be a problem; it is not therefore related to the way I have set up the keychain, as it was never an issue till recently.


I did at one point consider using the 1Password app on iPhone for this task, but there are too many secure note items to convert by hand, and 1Password can't import a sausage from Keychain Access, hence my continued use of the USB stick keychain combo. What would be best is if Apple were to write an app that allowed me to open, create and maintain keychains on an iPhone directly (probably doable if I jailbroke), but I'm not interested in jailbreaking, and the way Apple are headed, dumbing things down, restricting the user and creating a walled garden for sales, they probably consider it too much of a security issue and not a priority to write a Keychain Access app for iPhone? Anyway, that's a side issue.

Apr 13, 2013 3:34 PM in response to ancientscream

I understand how you use the USB key and the Keychain on it.


What is the difference between using the USB key on your clients' machines and at home?


Answer: you are logged in to your home machine; on clients' machines you are not. And while logged in, you have set the pathname used by the System to the keychain on the USB drive. You probably have the preferences in Keychain Access to automatically mount the USB Keychain.


Q: When you insert the USB key, and try to use the keychain in Keychain Access to view secure notes, does the System ask you for a password or does it just open?


If it doesn't prompt you for a password, you've set it up to automatically mount and use that USB key, and as a result it refuses to unmount it, which is what it's supposed to do.


Have you been to Keychain Access preferences like I suggested?


The answer had **** well better be yes, or I'm giving up on you altogether.

Apr 13, 2013 3:46 PM in response to ancientscream

yes I have checked keychain access preferences I can see nothing that would cause



Really, I can't help you anymore. The solution to your problem has been given. I can't put a gun to your head and make you use it.


I really appreciate your interest and suggestions. I was not expectant of a solution from you; it sounds like this is stressing you out, and it's a bit late here also. I'm gonna mull on the way forward to test it out. I'll have to create another OS install, Leopard etc., tomorrow and test on that and my Mountain Lion machine to see whether the issue is identical, as I suspect not. Who knows, it may turn out to be a gremlin in this particular install, but we'll see. Cheers

Apr 13, 2013 4:02 PM in response to ancientscream

That's one possible reason why it won't let you unmount it. Put a value in there to lock after so many minutes.


The way it is set now (no timeout) the System will want continuous access to it at any point after you enter the password for it.


You need to forget about which apps are asking access. It's irrelevant. Once you mount the keychain, there will be apps looking for data they need (to, say, access eMail) that is stored in keychains, because that's where they're supposed to look for it. It doesn't matter if they don't find it there.
