
How can I print a list of my keychain passwords?

I don't find keychain passwords always propagate to all my Apple devices so I want to print a list of accounts and passwords for safekeeping. The export list item on the menu is greyed out. The files are binary so they're not easily read with a text editor. What are my options besides making back-up copies of the keychain files which, obviously, will become obsolete next time I add a password?

Thx

Posted on Jun 25, 2014 4:34 PM

Question marked as Best reply

Posted on Jun 25, 2014 5:55 PM in response to TobeyEastAmherst

Exporting inside Keychain Access is for certificates which isn't what you are looking for.


The keychain cannot be read by other tools because it is encrypted. Applications request access & user interaction is required. I know only of one way to export the items, but it is painful - you have to 'grant access' for every item in your keychain.

It's a command line tool Apple made called 'security'…

https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man1/security.1.html


In Terminal there is a way to search for a specific item… (this searches for a generic password for the service 'test-test.test.123.com', -g means show the password).


    [~]$ security find-generic-password -g -s test-test.test.123.com
    keychain: "~/Library/Keychains/login.keychain"
    class: "genp"
    attributes:
    0x00000007 <blob>="test-test.test.123.com"
    0x00000008 <blob>=<NULL>
    "acct"<blob>="my test"
    "cdat"<timedate>=0x32303134303632363030313731375A00 "20140626001717Z\000"
    "crtr"<uint32>=<NULL>
    "cusi"<sint32>=<NULL>
    "desc"<blob>=<NULL>
    "gena"<blob>=<NULL>
    "icmt"<blob>=<NULL>
    "invi"<sint32>=<NULL>
    "mdat"<timedate>=0x32303134303632363030313731375A00 "20140626001717Z\000"
    "nega"<sint32>=<NULL>
    "prot"<blob>=<NULL>
    "scrp"<sint32>=<NULL>
    "svce"<blob>="test-test.test.123.com"
    "type"<uint32>=<NULL>
    password: "my test password"



To get all items in one attempt you can use…

    security dump-keychain -d ~/Library/Keychains/login.keychain > ~/Desktop/keychain-dump.txt


That will try to dump every item into a text file on the Desktop. THIS IS CLEARLY A BAD IDEA - plain text passwords are a real security risk. Save this file into an encrypted disk image at the very least!


You will also have to click 'Allow' for every single item, and the format will look like the above.


Are you still interested?


To make the process a little bit easier…

Use Automator to make a new workflow, start the dump in Terminal, click Record in Automator, click the first 'allow' dialog. Stop recording in Automator.

Now tweak the playback speed in Automator to 10x, save the workflow, drag the actual workflow file back into Automator so that it calls itself.

Save & run it.

It should now click the buttons for you 🙂


It should look like this.

User uploaded file

NOTE: Automator will need to be allowed to record user input. The first time you try to record you must set up Accessibility to allow access for Automator (the dialogs step you through it).


When the last item is processed the Automator job times out & you can continue using your Mac!


Clearly this is a lot of work - if anyone has a better solution I am all ears. I tried AppleScript but the command line was many times quicker.


P.S. I also have a shell script that can parse them to a tab separated file - even more steps 🙂


This obviously doesn't handle importing back into the keychain, and I have no idea how you would merge multiple device keychains either.


I understand if this makes you run away & cry, it's maddening, but it can be exported if you are determined enough.
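
Added example, not part of the reply above and not the poster's own shell script: a Python parser for the item format shown in the `security` output that builds a tab-separated inventory of service, account and modification time while never storing the password value, so the list can be printed without leaving plaintext secrets on disk. The sample dump is constructed from the values on this page, and the names `parse_items`, `modified_utc` and `inventory_tsv` are this example's own.

```python
import re
from datetime import datetime

# Constructed sample in the format the answer shows; no real credentials.
SAMPLE_DUMP = r'''keychain: "~/Library/Keychains/login.keychain"
class: "genp"
attributes:
    0x00000007 <blob>="test-test.test.123.com"
    "acct"<blob>="my test"
    "mdat"<timedate>=0x32303134303632363030313731375A00  "20140626001717Z\000"
    "svce"<blob>="test-test.test.123.com"
password: "my test password"
keychain: "~/Library/Keychains/login.keychain"
class: "genp"
attributes:
    "acct"<blob>="second account"
    "mdat"<timedate>=0x32303134303530313132303030305A00  "20140501120000Z\000"
    "svce"<blob>=<NULL>
password: "another constructed secret"
'''

ATTR = re.compile(r'^\s*(?:"(\w{4})"|(0x[0-9A-Fa-f]{8}))\s*<\w+>=(.*)$')

def parse_items(text):
    """One dict per item from "tag"<type>=value lines; the secret is never kept."""
    items, cur = [], {}   # lines before the first item land in a discarded dict
    for line in text.splitlines():
        if line.startswith("keychain:"):        # each item starts with this line
            items.append(cur := {"has_secret": False})
        elif line.startswith("class:"):
            cur["class"] = line.split(":", 1)[1].strip().strip('"')
        elif line.startswith("password:"):
            cur["has_secret"] = True            # note that it exists, drop the value
        elif (m := ATTR.match(line)):
            quoted = re.search(r'"(.*)"', m.group(3))   # <NULL> has no quotes
            cur[m.group(1) or m.group(2)] = quoted.group(1) if quoted else None
    return items

def modified_utc(item):   # "mdat" is YYYYMMDDhhmmssZ followed by a literal \000
    raw = item.get("mdat")
    return datetime.strptime(raw.split("\\")[0], "%Y%m%d%H%M%S%z").isoformat() if raw else ""

def inventory_tsv(text):   # service/account/modified rows with no password column
    rows = ["service\taccount\tmodified_utc\tsecret_in_dump"]
    for it in parse_items(text):
        rows.append("\t".join([it.get("svce") or "", it.get("acct") or "",
                               modified_utc(it), "yes" if it["has_secret"] else "no"]))
    return "\n".join(rows)
```

A `secret_in_dump` value of `yes` marks a dump file that still contains plaintext and belongs on an encrypted disk image or should be deleted once the inventory is printed.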
