Export your OSX Keychain


This post will show you how to 'easily' migrate everything in your 'macOS Keychain Access application' over to a standardized format (CSV) that can be handled in other password managers.

N.B. From macOS Monterey onward there is an export function that does everything described in this post. This post describes the export process from an old macOS Big Sur installation, for which support ended November 30, 2023.

Step 1.

Export all passwords/secure notes with:

security dump-keychain -d login.keychain > login.keychain.txt

This needs to be combined with an AppleScript to unlock/decrypt each item in the 'login.keychain'.

To do that, run this script after the first password prompt:

-- Login keychain password, typed into every SecurityAgent prompt
set keychainPassword to "yourpasswordgoeshere"

tell application "System Events"
    -- Keep answering prompts for as long as SecurityAgent is showing one
    repeat while exists (processes where name is "SecurityAgent")
        tell process "SecurityAgent"
            delay 0.1
            try
                set value of text field 1 of window 1 to keychainPassword
                click button "Allow" of window 1
            end try
        end tell
    end repeat
end tell

https://apple.stackexchange.com/questions/137250/export-keychains/137336#137336

Step 2.

Pull out the relevant parts from 'login.keychain.txt', like username/password and stored secure notes.

The 'security dump-keychain' command produces entries like the one below:

keychain: "/Users/username/Library/Keychains/login.keychain-db"
version: 512
class: "inet"
attributes:
    0x00000007 <blob>="10.0.0.1"
    0x00000008 <blob>=<NULL>
    "acct"<blob>="root"
    "atyp"<blob>=<NULL>
    "cdat"<timedate>=0x31303233313131312131353130295A00  "20231021115109Z\000"
    "crtr"<uint32>=<NULL>
    "cusi"<sint32>=<NULL>
    "desc"<blob>="Network Password"
    "icmt"<blob>=<NULL>
    "invi"<sint32>=<NULL>
    "mdat"<timedate>=0x32303133312032313132335130395A00  "20231021115109Z\000"
    "nega"<sint32>=<NULL>
    "path"<blob>=<NULL>
    "port"<uint32>=0x00000000 
    "prot"<blob>=<NULL>
    "ptcl"<uint32>="smb "
    "scrp"<sint32>=<NULL>
    "sdmn"<blob>=<NULL>
    "srvr"<blob>="10.0.0.1"
    "type"<uint32>=<NULL>
data:
"password"

Example entry from login.keychain.txt

The script, osx_security_dumpkeys.py, splits the 'login.keychain.txt' file on the word 'keychain:' and creates KeychainItem objects. The init uses regular expressions to create object attributes for the interesting bits and pieces, has some helper methods ('get_secret' and 'get_secure_note') to clean up the format the data is stored in, and prints the result in CSV format.

Run it with:

python osx_security_dumpkeys.py > output.csv

You now have a much more readable and importable version of your passwords and secure notes.
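
As an added example (not the author's osx_security_dumpkeys.py, which this page does not include), here is one way to implement the split-and-extract step from Step 2 in Python. The sample dump is constructed, and `decode_value`, `to_csv` and the column names are illustrative choices. It assumes values that are not plain ASCII are dumped as hex followed by escaped text, and decodes the hex.

```python
import csv
import io
import re

# Constructed sample; assumes non-ASCII data is dumped as 0xHEX plus escaped text.
SAMPLE_DUMP = r'''keychain: "/Users/username/Library/Keychains/login.keychain-db"
class: "inet"
attributes:
    "acct"<blob>="root"
    "srvr"<blob>="10.0.0.1"
data:
"password"
keychain: "/Users/username/Library/Keychains/login.keychain-db"
class: "genp"
attributes:
    "acct"<blob>=<NULL>
    "svce"<blob>="wifi, home"
data:
0x70C3A47373  "p\303\244ss"
'''

def decode_value(raw):
    """Turn a dumped value ("text", 0xHEX "escaped", or <NULL>) into a str."""
    raw = raw.strip()
    hexed = re.match(r'0x([0-9A-Fa-f]+)', raw)
    if hexed:  # the hex form is exact; the quoted part is only a rendering
        return bytes.fromhex(hexed.group(1)).decode('utf-8', errors='replace')
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return raw[1:-1]
    return ''  # <NULL> or missing

class KeychainItem:
    def __init__(self, text):
        attrs = dict(re.findall(r'^\s+"(\w+)"<\w+>=(.*)$', text, re.M))
        self.account = decode_value(attrs.get('acct', ''))
        host = decode_value(attrs.get('srvr', ''))  # set on "inet" items
        self.where = host or decode_value(attrs.get('svce', ''))  # else "genp"
        self.secret = decode_value(text.partition('\ndata:\n')[2])

def to_csv(dump):
    out = io.StringIO()
    writer = csv.writer(out)  # quotes commas, quotes and newlines in fields
    writer.writerow(['where', 'account', 'secret'])
    chunks = re.split(r'^keychain: ', dump, flags=re.M)
    items = [KeychainItem(c) for c in chunks if c.strip()]
    writer.writerows([i.where, i.account, i.secret] for i in items)
    return out.getvalue()

if __name__ == '__main__':
    print(to_csv(SAMPLE_DUMP), end='')
```

The CSV holds every secret in plaintext, so keep it and login.keychain.txt readable only by your user and delete both after the import.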