For some time now I've been wanting to move away from Apple products so that I can make a smoother transition to another primary OS. Most of my reasoning is security and politics, but I find the way keychain access is stored and managed on OS X to be a particular weak point, and there are more than a few articles explaining how Apple fails at security, especially with its iCloud services. A few roadblocks stand in the way, and one of them is the massive password/credentials export that needs to happen to make migration a reality. Using a hosted service for password management is not an idea I'm fond of, as services come and go, often with their own stipulations and drawbacks. I could also save all of my password data in the browser, but that's as bad as or worse than Apple's security practices: convenient, but not a safe solution either, and frequently prone to browser plugin hacks and lackluster security. I wanted something that I could maintain full control over, that was battle tested and open source, and that would also transition seamlessly between multiple machines. Enter pass, a simple password management tool that does everything I want. There was just one roadblock I had to get around to make it work: exporting all of my sensitive data from keychain and getting it into pass in a usable format. There are a few useful guides and scripts on migrating to pass, but nothing specifically for OS X users moving off of keychain. So, what's left for me to do other than write my own? It doesn't have to be great, it just has to work.
The first step was to get all of my data out of keychain, but the GUI didn't want to cooperate and wouldn't let me export even a single item, so it was back to the good ol' CLI to make things happen. Luckily there is the security command baked into OS X that can do the job; it offers some really nice features for interacting with passwords and other items in the keychain.
To start the export I ran the command below to dump the keychain items into a plaintext file. Because -d asks for the secret data and not just the item attributes, this unfortunately brings up a prompt where you have to allow access to each item in the keychain. There are some AppleScripts out there that should click through the prompts, but they didn't work out of the box for me, so I just used Automator to create a quick task and click through them.
security dump-keychain -d login.keychain > keychain
Now I had all of my passwords sitting in a plaintext file, and for each exported item I got a block that looks something like this:
That's cool and all, but what a crappy format. I needed to convert it into something a little more tangible for pass to import. I figured CSV would be a good choice, since it's widely used and easy to parse, so I tracked down a useful Ruby script to do just that.
This beautiful thing goes through the keychain items exported by the security dump command and writes them out to a new file in CSV format. I ran it something like this:
Finally, the moment of truth, where we get to import things into pass and shut down keychain for good. So far I haven't invested much time into this, and that's good, because I don't have time to write a whole library to export/import this stuff. Assuming the last script succeeded in converting the items, it's time to import them with a simple bash script that parses the CSV:
Everything worked out fine, even with hacking together a few scripts, and I had all of my items in pass in less than half an hour. As a note, the conversion only pulled internet passwords out of the keychain, which is all I cared about.
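The three steps above (dump, convert to CSV, feed to pass) can also be done in a single Ruby script. The one below is an added example, not the Ruby or bash scripts used in the post, which are not reproduced here. The sample dump embedded in it is constructed to mirror the layout `security dump-keychain -d` produces for "inet" items (the `class:`/`attributes:`/`data:` blocks and the four-character attribute names such as srvr, acct, ptcl and path); the protocol-code table, the `web/<server>/<account>` naming scheme for pass entries and the `login:`/`url:` lines in each entry are this example's own conventions, not something pass or keychain prescribes.

```ruby
# Added example, not the post's scripts: parse `security dump-keychain -d`
# output, emit the intermediate CSV, and feed each row to `pass insert -m`.
require 'csv'

# CONSTRUCTED sample in the layout dump-keychain uses for "inet" items;
# real dumps carry more attributes (dates, flags), which the parser keeps.
SAMPLE_DUMP = <<~'DUMP'
  keychain: "/Users/me/Library/Keychains/login.keychain"
  class: "inet"
  attributes:
      0x00000007 <blob>="example.com"
      "acct"<blob>="alice"
      "path"<blob>="/login"
      "port"<uint32>=0x00000000
      "ptcl"<uint32>="htps"
      "srvr"<blob>="example.com"
  data:
  "correct horse battery staple"
  keychain: "/Users/me/Library/Keychains/login.keychain"
  class: "inet"
  attributes:
      "acct"<blob>="bob"
      "path"<blob>=<NULL>
      "port"<uint32>=0x00000000
      "ptcl"<uint32>="http"
      "srvr"<blob>="intranet.local"
  data:
  0x70407373776f726421  "p@ssword!"
DUMP

# Four-character "ptcl" codes -> URL scheme (assumed subset).
PROTOCOLS = { 'htps' => 'https', 'http' => 'http', 'ftp ' => 'ftp', 'ssh ' => 'ssh' }.freeze

# One dumped value: "text" -> text, <NULL> -> nil, 0x.. -> raw bytes for blobs
# (binary secrets are dumped as hex plus a preview) or an integer otherwise.
def decode_value(raw, type = 'blob')
  raw = raw.strip
  return nil if raw == '<NULL>'
  if raw =~ /\A0x(\h+)/
    return type == 'blob' ? [$1].pack('H*').force_encoding(Encoding::UTF_8) : $1.to_i(16)
  end
  raw =~ /\A"(.*)"\z/m ? $1 : raw
end

# Split the dump into records: { class:, attrs: { name => value }, secret: }.
def parse_keychain_dump(text)
  records, current, expect_secret = [], nil, false
  text.each_line do |line|
    line = line.chomp
    if line.start_with?('keychain:')         # every item starts with its keychain path
      records << (current = { attrs: {} })
      expect_secret = false
    elsif current.nil?
      next
    elsif line =~ /\Aclass: "(\w+)"/
      current[:class] = $1
    elsif line =~ /\A\s+"(\w+)"<(\w+)>=(.*)\z/ || line =~ /\A\s+(0x\h+) <(\w+)>=(.*)\z/
      current[:attrs][$1] = decode_value($3, $2)
    elsif line == 'data:'                     # with -d the secret follows on the next line
      expect_secret = true
    elsif expect_secret
      current[:secret] = decode_value(line)
      expect_secret = false
    end
  end
  records
end

CSV_HEADERS = %w[server protocol path account secret].freeze

# Only internet passwords that actually carry a secret make it into the CSV.
def to_csv(records)
  CSV.generate do |csv|
    csv << CSV_HEADERS
    records.each do |r|
      next unless r[:class] == 'inet' && r[:secret]
      a = r[:attrs]
      proto = PROTOCOLS.fetch(a['ptcl'].to_s) { a['ptcl'].to_s.strip }
      csv << [a['srvr'], proto, a['path'], a['acct'], r[:secret]]
    end
  end
end

# pass store path and entry body for one CSV row (example's own layout).
def pass_entry(server, proto, path, acct, secret)
  ["web/#{server}/#{acct}", "#{secret}\nlogin: #{acct}\nurl: #{proto}://#{server}#{path}\n"]
end

# `pass insert -m` reads the whole entry from stdin; the name is passed as an
# argv element, never through a shell, so odd server names cannot inject.
def run_pass_insert(name, body)
  IO.popen(['pass', 'insert', '-m', '-f', name], 'w') { |io| io.write(body) }
  raise "pass insert failed for #{name}" unless $?.success?
end

# runner is injectable so the logic can be exercised without a real pass store.
def import_to_pass(csv_text, runner: method(:run_pass_insert))
  CSV.parse(csv_text, headers: true).map do |row|
    name, body = pass_entry(*row.fields)
    runner.call(name, body)
    name
  end
end

if __FILE__ == $PROGRAM_NAME
  file = (ARGV - ['--import']).first
  csv = to_csv(parse_keychain_dump(file ? File.read(file) : SAMPLE_DUMP))
  ARGV.include?('--import') ? import_to_pass(csv).each { |n| puts "imported #{n}" } : print(csv)
end
```

Run it as `ruby keychain2pass.rb keychain` first to eyeball the CSV, then add `--import` to push the rows into an initialised pass store. Both the dump file and the CSV hold every password in the clear, so delete them once pass has the entries (`rm -P` on OS X overwrites a file before unlinking it) and keep them out of any folder that gets synced or backed up.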