sexyscruffles / CSVKeychain

Import/export between Apple Keychain.app and plain CSV file.

CSVKeychain AppleScript script

This repo contains scripts to export all your password items and secure notes from Apple's Keychain.app into plain text files in CSV format, merge such files and import them back into a keychain.

No trick or reverse engineering is used: exporting is performed by Apple's security tool, using macOS's assistive support to streamline the process.

Tested in macOS Sierra. Earlier versions of macOS/OS X are not supported.

How to use

To import/export password items, open the AppleScript script in Script Editor. The script may be run from source.

Before running the script, go to System Preferences > Security & Privacy > Accessibility, and allow Script Editor to control your computer. This step is required to prevent SecurityAgent from prompting you with a dialog for each item you want to export: it allows AppleScript to press the Allow button in such dialogs for you.

You may also build the script into an application if you want. In this case, you must grant the app control of your computer in the same way.

The script makes a backup of the keychain before importing or exporting data. Backups are timestamped and saved into the same folder containing the keychain. Still, it is a good idea to keep a separate backup of your own.

When importing items into a keychain, matching items already present in the keychain are overwritten if their timestamps are older than the timestamps of the items being imported. If there are items without timestamps in the CSV file, the script will ask the user what to do with them. Note that this will be asked once and the choice applied to all the items being imported.

Also note that all new or updated items are assigned the current time as their new timestamps. There is no possibility to retain the original timestamps from the CSV file.

Finally, access control lists are not exported.
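The import rules described above, sketched as an added Ruby example (this is not the project's own code). The column names Where, Account, Password and Modified, the ISO 8601 timestamp format, matching on the Where/Account pair, and the sample rows are all assumptions made for illustration.

```ruby
require "csv"
require "time"

# Constructed sample data. The column names (Where, Account, Password,
# Modified) are assumptions for this example, not CSVKeychain's real header.
KEYCHAIN = [
  { "Where" => "example.com", "Account" => "alice", "Password" => "old1",
    "Modified" => "2016-01-10T09:00:00Z" },
  { "Where" => "mail.example", "Account" => "alice", "Password" => "cur2",
    "Modified" => "2017-03-01T12:00:00Z" },
  { "Where" => "wiki.example", "Account" => "bob", "Password" => "old3",
    "Modified" => "2015-06-01T08:00:00Z" }
].freeze

IMPORT_CSV = <<~CSV
  Where,Account,Password,Modified
  example.com,alice,new1,2017-02-01T10:00:00Z
  mail.example,alice,stale2,2016-12-31T23:00:00Z
  wiki.example,bob,new3,
  shop.example,carol,"pa,ss4",2017-01-05T07:30:00Z
CSV

# Decide what the import does with one CSV row.
# untimed_policy (:overwrite or :skip) stands for the single answer the user
# gives once for all rows that carry no timestamp.
def decide(existing, row, untimed_policy)
  return :add if existing.nil?
  stamp = row["Modified"].to_s.strip
  return untimed_policy if stamp.empty?
  # Overwrite only when the keychain item is older than the imported one.
  Time.iso8601(existing["Modified"]) < Time.iso8601(stamp) ? :overwrite : :skip
end

# Returns the resulting items and the action taken per (Where, Account) key.
def import(keychain, csv_text, untimed_policy:, now: Time.now.utc)
  items = keychain.to_h { |i| [[i["Where"], i["Account"]], i.dup] }
  actions = {}
  CSV.parse(csv_text, headers: true).each do |row|
    key = [row["Where"], row["Account"]]
    action = decide(items[key], row, untimed_policy)
    actions[key] = action
    next if action == :skip
    # New and updated items get the import time; the CSV timestamp is not kept.
    items[key] = row.to_h.merge("Modified" => now.iso8601)
  end
  [items, actions]
end
```

Calling `import(KEYCHAIN, IMPORT_CSV, untimed_policy: :skip)` leaves the untimestamped `wiki.example` row untouched, while `:overwrite` replaces it.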

Merging files

A Ruby script is provided to merge two CSV files containing password data into one. See ./merge_csv.rb --help for the details.

Is it possible to export the Local Items (aka iCloud) keychain?

Not directly. The Local Items keychain, located at ~/Library/Keychain/<UUID>/<name>.db, is a SQLite database containing obfuscated data, so its format is different from the format of a standard keychain. As far as I can see, security cannot dump such keychains, and I do not know of any tool that would do that.

You may proceed as follows:

  1. In Keychain.app, create a new keychain: File > New Keychain…
  2. Select the Local Items keychain in the sidebar, then select all the items (or the ones you want to export) and copy them by choosing Edit > Copy.
  3. Select the keychain created at step one and choose Edit > Paste.

This process is tedious, though, because Keychain.app keeps asking for a password for each item. You may automate it with a bit of scripting. For your convenience, a script that fills in the password prompts for you is given below:

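-- Replace with your keychain password. The value is stored here in plain
-- text, so do not save the script with the real password filled in.
set keychainPassword to "keychain password"

tell application "System Events"
    -- Keep answering for as long as a SecurityAgent prompt is on screen
    repeat while exists (processes where name is "SecurityAgent")
        tell process "SecurityAgent"
            -- Type the password into the prompt and confirm it
            set value of text field 1 of window 1 to keychainPassword
            click button "OK" of window 1
        end tell
        -- Give the next prompt time to appear
        delay 0.2
    end repeat
end tell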

You may run this directly from Script Editor. A similar approach can be used to export /Library/Keychains/System.keychain.

Note: Keychain.app won't allow you to paste some items (most likely ones created automatically by the system, not yours). In such a case, the snippet above will produce a script error and Keychain.app will show an error dialog, too. Dismiss both and run the script again. Repeat every time you get an error.

Migrate passwords and notes into KeePass

If you want to import the CSV file generated by CSVKeychain into a KeePass 2 database and you are on macOS, you may need to convert it to XML first. For this purpose, add a category column to the CSV file using the included add_category.rb script. Then, use my csv2keepassxml to generate a KeePass 2 XML file.

License

Copyright (c) 2011–2017, Lifepillar

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
