Is there a quick and easy way to dump the contents of a MacOS X keychain?

Question

I'm looking for a way to dump (export) the contents of an OS X keychain into a file that I can easily process elsewhere, such as tab-delimited plaintext or something of the sort.

The Keychain Access app does not offer any such functionality, and getting a key's data involves opening each in turn, and having to type in the keychain's password to see the password stored with the key, every time.

After a bit of digging, I found somebody's solution by using AppleScript and the Keychain Scripting app to access keychains (can't link to individual post; scroll down about two thirds to the end of the page):

http://discussions.apple.com/thread.jspa?threadID=1398759

Using Keychain scripting, you can access all data fields of all the keys – including the plaintext password! – and it's fairly easy to dump this data into a text file etc. I've tested it and it works well.

However, this solution still involves having to confirm access to each key by clicking OK on a dialog. This is much better than having to type in the keychain's password every time, but it's still irritating. Furthermore, you have to confirm access twice for each key; once for Script Editor (or the script itself if it's running as an app) and once for Keychain Scripting. So, if you're processing a keychain with 100 keys, you have to manually click OK on 200 dialogs.

I'm now looking for a solution to get around this. I realize that as it's the purpose of keychains to safeguard the sensitive data and prevent precisely the kind of thing I'm trying to do, any such solution would probably involve some kind of hack.

I'd be very interested in your ideas!

Answer 1

Allright, I'm stupid. There's a command-line tool called security that does just this (and lots of other actions on keychains).

An example usage:

security dump-keychain -d login.keychain

This will dump all the data in the login.keychain (the default keychain for a user) as plaintext, including the passwords. You still have to confirm access , but only once for each key, and it's much faster than (and doesn't throw weird errors when trying to access certain fields) using AppleScript. And it's no hack.

Without the -d option, it will dump all the fields except for the password.

The dumped data for a key looks like this (for an internet key; program keys and certificates have other fields, but the format is the same):

keychain: "/Users/<username>/Library/Keychains/login.keychain"
class: "inet"
attributes:
    0x00000007 <blob>="tech.slashdot.org (<username for this web login>)"
    0x00000008 <blob>=<NULL>
    "acct"<blob>="<username for this web login>"
    "atyp"<blob>="form"
    "cdat"<timedate>=0x32303038303432333038323730355A00  "20080423082705Z\000"
    "crtr"<uint32>=<NULL>
    "cusi"<sint32>=<NULL>
    "desc"<blob>="Kennwort des Web-Formulars"
    "icmt"<blob>="default"
    "invi"<sint32>=<NULL>
    "mdat"<timedate>=0x32303038303432333038323730355A00  "20080423082705Z\000"
    "nega"<sint32>=<NULL>
    "path"<blob>=<NULL>
    "port"<uint32>=0x00000000 
    "prot"<blob>=<NULL>
    "ptcl"<uint32>="http"
    "scrp"<sint32>=<NULL>
    "sdmn"<blob>=<NULL>
    "srvr"<blob>="tech.slashdot.org"
    "type"<uint32>=<NULL>
data:
"<the plaintext password for this key>"