Accessing Keychain Access From Terminal - OSX

8 min read Oct 02, 2024

The Keychain Access application on macOS provides a secure and centralized location to store sensitive information like passwords, certificates, and keys. While the Keychain Access application offers a user-friendly graphical interface, accessing it from the terminal provides a powerful and efficient alternative, especially for scripting and automating tasks. This article will delve into the methods and commands used to access Keychain Access from the terminal in macOS, exploring the benefits and functionalities offered by this approach.

Accessing Keychain Access from the Terminal

Using the terminal to interact with Keychain Access utilizes the security command, a powerful tool that provides a wide range of functionalities for managing keychain items. This command is essential for scripting, automating tasks, and performing operations on keychain data without relying on the graphical user interface.

Retrieving Keychain Data

Retrieving data from the keychain is done with the security find-generic-password command. It searches the keychain for items whose attributes match the criteria you give, such as an account name, a label or a service name. To retrieve the password stored for a specific account, the following command can be used:

security find-generic-password -l "Account Name" -a "Account Name" -g -w

This command prints the password of the item whose label and account name are both "Account Name". The options used are:

  • -l: Match the label of the item (-s matches the service name instead, which is how most tools key their entries).
  • -a: Match the account name of the item.
  • -g: Display the password of the item found; the item's attributes go to stdout and the password line to stderr.
  • -w: Display only the password, on stdout, which is the form a script can capture. It implies -g, so -g is redundant here.

Because -w writes the secret in clear text, do not run it where the output is captured in a log or visible on a shared screen.

Adding Keychain Items

The security add-generic-password command adds a new item to the keychain. It takes the account name, label, service name and the password to store. The following command adds a new password item:

security add-generic-password -a "Account Name" -l "Account Label" -s "Service Name" -w "Password"

This command adds an item with the account name "Account Name", label "Account Label", service "Service Name" and the password "Password". The options used are:

  • -a: Specifies the account name of the new item.
  • -l: Specifies the label of the new item.
  • -s: Specifies the service name of the new item.
  • -w: Specifies the password to store. Given as an argument, the secret ends up in the shell history and is visible to other local processes (via ps) while the command runs; put -w last with no value and security prompts for the password instead.

Two related options are worth knowing: -U updates the item if one with the same attributes already exists (without it the command fails because the item already exists), and -T names an application that may read the item without a confirmation dialog.

Deleting Keychain Items

The security delete-generic-password command removes an existing keychain item. The item is identified by the attributes you supply, typically the account name together with the label or the service name. The following command removes the password entry with the given account name and label:

security delete-generic-password -a "Account Name" -l "Account Label"

This command removes the password entry with the account name "Account Name" and the label "Account Label". The options used are:

  • -a: Specifies the account name of the item to delete.
  • -l: Specifies the label of the item to delete (-s selects by service name instead).

Listing Keychain Items

The security dump-keychain command lists every item in the keychain, printing each item's attributes (label, account, service, creation and modification dates) but not its secret. This makes it the right tool for reviewing what is stored without exposing any password:

security dump-keychain

With no argument it dumps the keychains in the default search list; a keychain path can be given to restrict it, and the -d option additionally decrypts the stored secrets, prompting for each item. Note that -D on find-generic-password is not a listing switch: it takes a "kind" string as its argument and filters matches on the item's kind attribute.

Setting Keychain Access Permissions

The security authorizationdb command reads and writes rules in the system authorization database, the rights that govern privileged operations such as unlocking preference panes. It does not change the access control list of keychain items; that is set per item when it is added, with -T (name an application allowed to read the item without a prompt) or -A (allow every application, which should be avoided). Writing a rule requires root:

sudo security authorizationdb write access.control allow

This command replaces the rule for the right named access.control (a placeholder name in this example, not a standard macOS right) with one that allows the operation to every user without authentication. The arguments used are:

  • access.control: The name of the right whose rule is written.
  • allow: The rule to install. deny is the opposite; an existing rule name, or a property list supplied on standard input, can be given instead.

Using Keychain Access with Scripts

Keychain Access can be integrated into scripts through the security command, which allows tasks such as retrieving passwords, adding new entries and deleting existing items to be automated. For example, the following script retrieves a password from the keychain and uses it to log into a remote server:

#!/bin/bash
set -euo pipefail

# Retrieve the password for the remote server; -w prints only the secret, and
# the command exits non-zero (stopping the script) if no matching item exists.
password=$(security find-generic-password -l "Remote Server" -a "Remote Server" -w)

# ssh does not read passwords from arguments or variables, so hand it over
# through sshpass (a third-party tool, e.g. from Homebrew) in the SSHPASS
# environment variable rather than on the command line, where ps would show it.
# user@remote.example.com is a placeholder for the real login and host.
SSHPASS="$password" sshpass -e ssh -p 22 user@remote.example.com

This script uses the security command to retrieve the password associated with the remote server and then hands it to ssh through sshpass. The secret never appears on a command line, and because of set -e the script stops rather than attempting a login with an empty password if the keychain lookup fails.
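As an added example for the listing and scripting sections above (not code from the original article), the following bash helpers parse the attribute dump that security dump-keychain prints into one account/service/label line per generic-password item, and wrap find-generic-password -w so a script fails fast instead of continuing with an empty password. The function names, the constructed sample dump and the service and account values are assumptions.

```bash
#!/bin/bash
# Added helpers for the `security` CLI (not from the original article):
#   kc_list_generic  parses `security dump-keychain` output (attributes only,
#                    no secrets) into "account<TAB>service<TAB>label" lines;
#   kc_get_secret    wraps find-generic-password -w and fails loudly on a miss.

# Reads dump-keychain output on stdin. Each item starts at a 'class:' line;
# "acct"/"svce" hold account and service, attribute 0x00000007 is the label.
kc_list_generic() {
  awk '
    function val(line,  s) {
      s = line; sub(/^[^=]*=/, "", s)          # keep the text after the first "="
      if (s == "<NULL>") return ""             # unset attribute
      gsub(/^"|"$/, "", s); return s           # strip the surrounding quotes
    }
    function flush() { if (cls == "genp") printf "%s\t%s\t%s\n", acct, svce, label }
    /^class:/               { flush(); cls = $2; gsub(/"/, "", cls); acct = svce = label = "" }
    /^ *"acct"<blob>=/      { acct  = val($0) }
    /^ *"svce"<blob>=/      { svce  = val($0) }
    /^ *0x00000007 <blob>=/ { label = val($0) }
    END                     { flush() }
  '
}

# Usage: secret=$(kc_get_secret "Service Name" "Account Name") || exit 1
# -w prints only the password on stdout; attributes and error text go to stderr.
kc_get_secret() {
  service="$1"; account="$2"
  secret=$(security find-generic-password -s "$service" -a "$account" -w 2>/dev/null) || {
    echo "kc_get_secret: no keychain item for service=$service account=$account" >&2; return 1; }
  [ -n "$secret" ] || { echo "kc_get_secret: keychain item has an empty password" >&2; return 1; }
  printf '%s' "$secret"
}

# Constructed sample of dump-keychain output: two items, only one is a generic password.
SAMPLE_DUMP='keychain: "/Users/me/Library/Keychains/login.keychain-db"
class: "genp"
attributes:
    0x00000007 <blob>="Account Label"
    "acct"<blob>="Account Name"
    "svce"<blob>="Service Name"
keychain: "/Users/me/Library/Keychains/login.keychain-db"
class: "inet"
attributes:
    0x00000007 <blob>="Web Login"
    "acct"<blob>="bob"'

printf '%s\n' "$SAMPLE_DUMP" | kc_list_generic   # prints: Account Name<TAB>Service Name<TAB>Account Label
```

On a Mac, pipe the real output in with security dump-keychain | kc_list_generic to audit what is stored without touching any secret.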

Conclusion

Accessing Keychain Access from the terminal provides a powerful and flexible way to manage and utilize sensitive information stored within the keychain. The security command offers a wide range of functionalities, allowing for retrieving data, adding new items, deleting existing items, and setting permissions. Integrating Keychain Access with scripts enables the automation of tasks, improving efficiency and reducing manual intervention. By mastering the use of the security command, users can leverage the full potential of Keychain Access from the terminal, streamlining their workflow and enhancing security management.