Decrypting System.keychain on macOS

macOS stores device and wireless passwords in a special keychain called System.keychain. Decrypting this keychain requires a SystemKey file.

System.keychain is stored at /Library/Keychains/System.keychain. The credentials for the System.keychain are a random value and are not the administrator’s password.

The corresponding SystemKey is stored at /var/db/SystemKey and, by default, is accessible exclusively by the user root.

Keysafe can access the System.keychain with the following invocation:

keysafe -system-key /var/db/SystemKey -path /Library/Keychains/System.keychain

If an access error is reported (operation not permitted), Keysafe could not read /var/db/SystemKey. In that case the SystemKey file needs to be copied to an alternative location or recovered from a back-up, and the copy, which carries less restrictive rights, is passed to the -system-key flag instead.

The following invocation accesses the System.keychain using a SystemKey file in the Desktop folder:

keysafe -system-key ~/Desktop/SystemKey -path /Library/Keychains/System.keychain
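As an added defensive check (not part of Keysafe or of this page), the script below classifies a SystemKey file's ownership and mode the way the text describes the default (root-owned, owner-only access) and audits both the default path and the Desktop copy used above; a copy readable by anyone else is as sensitive as the System.keychain password itself. It assumes ls -ld output of the usual form (mode in the first field, owner in the third).

```shell
#!/bin/sh
# Added example: audit who can read a SystemKey that unlocks System.keychain.

# Classify an ls(1)-style mode string and owner name into one verdict:
#   ok                  root-owned, no group/other read bit (macOS default)
#   not-root            owned by a user other than root
#   group-readable      group read bit set
#   world-readable      "other" read bit set
#   not-a-regular-file  directory, symlink, etc.
systemkey_verdict() {
  mode=$1   # e.g. "-rw-------"
  owner=$2  # e.g. "root"
  case $mode in
    -*) ;;
    *) echo not-a-regular-file; return 0 ;;
  esac
  # In the 10-character mode string, position 5 is the group read bit
  # and position 8 is the "other" read bit.
  group_read=$(printf '%s' "$mode" | cut -c5)
  others_read=$(printf '%s' "$mode" | cut -c8)
  if [ "$others_read" = "r" ]; then echo world-readable
  elif [ "$group_read" = "r" ]; then echo group-readable
  elif [ "$owner" != "root" ]; then echo not-root
  else echo ok
  fi
}

# Read mode and owner with ls -ld, which is portable across macOS and Linux
# (unlike the differing stat(1) flags), then print the verdict for the path.
audit_systemkey() {
  path=$1
  [ -e "$path" ] || { echo "$path: absent"; return 0; }
  set -- $(ls -ld "$path")
  echo "$path: $(systemkey_verdict "$1" "$3")"
}

# The default location plus the ad-hoc copy the recovery step above leaves behind.
for p in /var/db/SystemKey "$HOME/Desktop/SystemKey"; do
  audit_systemkey "$p"
done
```

Any verdict other than ok for /var/db/SystemKey, or any copy found outside it, means the System.keychain can be decrypted without root.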