Keysafe reads and decrypts Apple Keychain files. Use Keysafe to securely access your passwords and credentials without a Mac.
Keysafe is a command line tool. This means it is used from the terminal and may not be suitable for non-technical users.
The latest version of Keysafe is v1.3.0:
- Alpine (
- Debian (
- RPM (
If there are other platforms or architectures you would like to see Keysafe support, please let me know via e-mail email@example.com.
To get started with Miln Keysafe, download and expand the executable file onto your computer.
Keysafe is a single executable file. It does not need to be installed and can be removed by deleting the file.
How to Look Up a Password
keysafe with a Keychain path will read the file and list the encrypted password records. After showing the available records, you can choose to exit immediately or enter the number of the record to decrypt:
    ./keysafe -path sample.keychain -licence membership.pem
    - 1: tax office
      Name: tax office
      Account: firstname.lastname@example.org
    - 2: Accounting Access
      Name: Accounting Access
      Account:
    Found 2 encrypted records.
    Record number 1 or 2 to decrypt (leave blank to exit): 1
    Password for Keychain file "sample.keychain":
    - 1: tax office
      Creation Date: 03 Apr 22 13:05 +0000
      Modification Date: 03 Apr 22 13:05 +0000
      Name: tax office
      Account: email@example.com
      Service: tax office
      Secret: Secret Password
A Miln App Membership licence is required to fully decrypt a record. Without a Membership licence, only the first few characters of the decrypted value will be displayed. For short values, no characters will be shown. Below is the same command but without a licence:
    ./keysafe -path sample.keychain
    - 1: tax office
      Name: tax office
      Account: firstname.lastname@example.org
    - 2: Accounting Access
      Name: Accounting Access
      Account:
    Found 2 encrypted records.
    Record number 1 or 2 to decrypt (leave blank to exit): 1
    ** A licence is required to fully decrypt. Without a licence, secrets will be redacted.
    Purchase your licence from https://miln.eu/keysafe
    Password for Keychain file "sample.keychain":
    - 1: tax office
      Creation Date: 03 Apr 22 13:05 +0000
      Modification Date: 03 Apr 22 13:05 +0000
      Name: tax office
      Account: email@example.com
      Service: tax office
      Secret (redacted/unlicensed): Secr*********
Adding words or phrases to the command will filter the results. If a password record’s name or account contains any of the provided words, it will be listed:
    ./keysafe -path sample.keychain work
    ./keysafe -path sample.keychain work tax
In the examples above, the first command will show records containing work. The second command will show records containing either work or tax. The filter is case insensitive; use the filter
WORK will match
Phrases can also be used to filter the records:
    ./keysafe -path sample.keychain "work tax"
In the example above, the command will show records containing the complete phrase "work tax".
If a decrypted value contains unprintable values, the output will be
How to Export a Keychain
keysafe with a Keychain path and an export path will create a compressed archive containing the contents of the Keychain.

    ./keysafe -path sample.keychain -export sample.tar.gz -licence membership.pem
The archive is a gzip compressed tar file (.tgz). This widely supported combination of formats can be decompressed using built-in tools on most operating systems:
- On macOS and Windows, double click on the file;
- On the command line use tar -xzf sample.tar.gz.
The archive contains a set of files and folders, including:
- A file containing the Keychain contents in XML (xml) format. This is the best format to post process. The XML structure is self documenting, with descriptive tag names, and deliberately verbose.
- A file in JSON (json) format suitable for importing into Bitwarden or VaultWarden.
- A directory of X.509 certificate files in their original encoding. Typically Keychain stores certificates in
- A directory of private keys in their original encoding. Each key will be present in two files: a .bin file and a .key.bin file. The latter contains only the encoded key from the first file.
The key files may be encrypted. Please contact me if these files are critical to you - and you are able to fund further development.
- A directory of public keys in their original encoding. See the private-key description for their structure.
- A directory of secure notes in multiple formats. Each secure note appears at least once, in the original encoding. Where multiple formats exist in the Keychain, the note will typically be:
Other directories may also be included. The directories above are the most common.
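Because the exported archive holds the decrypted contents of the Keychain, the added example below (shell, not part of Keysafe or its documentation) unpacks it into an owner-only directory after checking member paths. The function names and temporary paths are assumptions; the keysafe flags are the ones shown on this page.

```shell
#!/bin/sh
# Added example, not part of Keysafe. The export archive holds decrypted
# secrets, so unpack it only inside an owner-only directory.

# has_unsafe_name: reads member paths on stdin; succeeds if any path is
# absolute or contains a ".." component. Checks names only, not symlinks.
has_unsafe_name() {
    grep -Eq '^/|(^|/)\.\.(/|$)'
}

# extract_private ARCHIVE: unpack into a new 0700 directory, print its path.
extract_private() {
    if tar -tzf "$1" | has_unsafe_name; then
        echo "refusing $1: unsafe member path" >&2
        return 1
    fi
    (
        umask 077
        dest=$(mktemp -d "${TMPDIR:-/tmp}/keysafe-export.XXXXXX") || exit 1
        tar -xzf "$1" -C "$dest" || { rm -rf "$dest"; exit 1; }
        chmod -R go-rwx "$dest"   # stored modes may be wider than the umask
        printf '%s\n' "$dest"
    )
}

# export_private KEYCHAIN LICENCE: export with keysafe, then unpack privately.
# Assumes ./keysafe is in the current directory, as in the examples above.
# The archive itself only ever exists inside a 0700 working directory.
export_private() {
    work=$(mktemp -d "${TMPDIR:-/tmp}/keysafe-work.XXXXXX") || return 1
    rc=1
    ./keysafe -path "$1" -export "$work/export.tar.gz" -licence "$2" &&
        extract_private "$work/export.tar.gz" && rc=0
    rm -rf "$work"
    return "$rc"
}
```

extract_private prints the directory it created; delete that directory once the contents have been imported elsewhere.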
Keysafe can read encrypted passwords and credentials from a Keychain file. To view encrypted information, the Keychain’s password is required. Keysafe does not circumvent the security of the Keychain file.
Below are the available options and flags supported by keysafe:

    % ./keysafe -h
    Usage of ./keysafe:
      -config string
            File path to configuration.
      -export string
            path to write exported contents as .tar.gz, or hypen (-) to write to standard output (stdout)
      -h    Show this help message and exit. (shorthand)
      -help
            Show this help message and exit.
      -l string
            Path to licence certificate file (PEM encoded) (shorthand) (default "~/.miln/licence.pem")
      -legal
            Show legal notices and exit.
      -licence string
            Path to licence certificate file (PEM encoded) (default "~/.miln/licence.pem")
      -path string
            path to Keychain file or hypen (-) to read from standard input (stdin) (default "~/Library/Keychains/login.keychain-db")
      -show-licence
            Show licence details and exit.
      -v    Show version details and exit. (shorthand)
      -version
            Show version details and exit.
The Keychain password may be provided by the environment variable KEYSAFE_PASSWORD. If this variable is empty, an interactive prompt will be used.
What is Apple’s Keychain?
Keychain is Apple’s technology for storing confidential information on macOS. The files associated with the Keychain are encoded in the Keychain file format. These files typically contain web site passwords, service credentials, and secure notes. A Keychain file can also include certificates and private keys used to encrypt and secure connections.
On macOS, the Keychain is accessible through the Keychain Access application and the security command line tool. User Keychain files are stored in their ~/Library/Keychains folder. Computer and System scoped Keychain files are found in the
Keysafe is a tool that understands the Keychain file format. It was written to securely access passwords when using non-Apple hardware.
If you need forensic analysis or specialist treatment of Keychain files, please get in touch.
The Keysafe icon contains licensed artwork.
Apple, Mac, and Keychain are trademarks of Apple Inc., registered in the U.S. and other countries and regions.