An authentication screwup was threatening to delete all of my encrypted data. I eventually got around it, but on the way, I attempted

sudo security dump-keychain -d (keychain) > (file)

so that I could reload it afterward.

For EVERY item in the keychain I got an authentication popup for my password. It had an "always allow" button, but apparently that means "always allow for that one item."

So, unless there is some other trick, security dump-keychain is completely useless.

If that "other trick" exists, please enlighten me.

Export keychains looks like an answer at first, but after studying it, I see that it only gets the "internet password" subset, not all items.

WGroleau

1 Answer

Miln Keysafe

I wrote Keysafe to ease the accessing and exporting of Keychain contents:

Keysafe reads and decrypts Apple Keychain files. Use Keysafe to securely access your passwords and credentials without a Mac.

To export all the tables in a keychain file, pass the export flag with a path to the destination archive:

./keysafe -path sample.keychain -export sample.tar.gz

The archive will contain numerous files. Two of those files contain the contents of the Keychain tables in differing formats.

You will need to enter the keychain file's password but only once.

Graham Miln
  • Since I managed to avoid the deletion, I'll decline to pay the fee, though it is quite reasonably small. Plus, since it comes as an executable, there's no way to determine it's safe to give it access to the data. (I realize one could say the same about Apple's product.) – WGroleau Sep 10 '22 at 16:45
  • If you are unsure of the code signed and Apple notarised executable, you could run it within a network isolated virtual machine or other isolated environment. – Graham Miln Sep 10 '22 at 18:19
  • Didn't realize it was Apple-vetted. But, I don't need it now. Next time… – WGroleau Sep 10 '22 at 18:53
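
The comments above turn on whether a downloaded executable can be trusted with a keychain password because it is code signed. The following is an added example, not part of the original posts and not Keysafe's own code: it checks the signer reported by `codesign -dvv` against a team ID you expect. The team ID and sample report are constructed placeholders, and the script checks signing identity only, not notarisation.

```shell
# Added example. Parses `codesign -dvv` text on stdin and succeeds only if:
#   - the leaf certificate is "Developer ID Application: ... (<expected team>)"
#   - the certificate chain ends at "Apple Root CA"
#   - TeamIdentifier agrees with the expected team
# Runs in a subshell so its variables do not leak into the caller.
check_codesign_report() (
  expected_team="$1"
  report="$(cat)"
  leaf="$(printf '%s\n' "$report" | sed -n 's/^Authority=//p' | head -n 1)"
  root="$(printf '%s\n' "$report" | sed -n 's/^Authority=//p' | tail -n 1)"
  team="$(printf '%s\n' "$report" | sed -n 's/^TeamIdentifier=//p' | head -n 1)"

  case "$leaf" in
    "Developer ID Application: "*" ($expected_team)") ;;
    *) echo "leaf authority mismatch: ${leaf:-none}" >&2; return 1 ;;
  esac
  [ "$root" = "Apple Root CA" ] || { echo "chain does not end at Apple Root CA" >&2; return 1; }
  [ "$team" = "$expected_team" ] || { echo "TeamIdentifier mismatch: ${team:-none}" >&2; return 1; }
)

# Constructed sample in the layout `codesign -dvv` prints (trimmed);
# the developer name and team ID are placeholders.
sample_report() {
  cat <<'EOF'
Executable=/tmp/example-tool
Identifier=example-tool
Authority=Developer ID Application: Example Developer (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=ABCDE12345
EOF
}

# On a Mac: sh vet.sh /path/to/binary TEAMID
if [ "$#" -eq 2 ] && command -v codesign >/dev/null 2>&1; then
  codesign --verify --strict --verbose=2 "$1" || exit 1   # signature intact?
  codesign -dvv "$1" 2>&1 | check_codesign_report "$2" && echo "signer OK"
fi
```

The expected team ID has to come from a source other than the download itself, such as the developer's own site, or the comparison proves nothing.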