Exporting iCloud Keychain data
Comments
-
There is a long thread about this here. You'll probably find particularly helpful posts #20 from AgileBits and #39 from AgileBits.
Stephen
0 -
FYI: I've created a new Keychain converter module for my reworked conversion scripts (there is now a driver script that supports and uses drop-in modules). I have a few more clean-ups I'd like to do to eliminate some useless entries, but if someone needs to get some conversion / importing done, feel free to ask.
0 -
Hi glassbox,
The tool will convert an exported IOS keychain file. I have not yet written full instructions, but to summarize...
To export the keychain, use OS X's Terminal app, and enter the command:
security dump-keychain -d login.keychain > ~/Desktop/keychain.txt
You will get many prompts asking your permission - select Allow over and over (and over ...). Alternatively, you can use a user-provided AppleScript to select that button for you.
Once you have that file, you can use my new conversion driver script with the keychain module to perform the conversion and create a 1PIF 1Password import file.
Please see this post for brief instructions, replacing "splashid" with "keychain" where relevant.
You may find some entries after import that might not be useful to you - just delete them. I've had to use some heuristics to determine what should be converted or skipped, based on various aspects of the data. They might be better tuned for user's data - I don't have too many Keychain entries, so my data may not be as rich as yours. Be sure to securely delete the keychain.txt and 1P4_import.1pif files when you are done importing. You can email me at the email address posted at the top of the script if you'd like to follow-up with technical issues so that we don't pollute this thread (too much).
0 -
Hey I tried this and it gave me the following error, any thoughts?
MarkP-MBP:downloads markp$ perl convert_to_1p4.pl keychain -v /Users/markp/Desktop/keychain.txt
Use of uninitialized value $_[0] in substitution (s///) at
Converters/Keychain.pm line 81 (#1)
(W uninitialized) An undefined value was used as if it were already
defined. It was interpreted as a "" or a 0, but maybe it was a mistake.
To suppress this warning assign a defined value to your variables.
To help you figure out what was undefined, perl will try to tell you the name of the variable (if any) that was undefined. In some cases it cannot do this, so it also tells you what operation you used the undefined value in. Note, however, that perl optimizes your program anid the operation displayed in the warning may not necessarily appear literally in your program. For example, "that $foo" is usually optimized into "that " . $foo, and the warning will refer to the concatenation (.) operator, even though there is no . in your program.
Use of uninitialized value $_[1] in say at Utils/Utils.pm line 32 (#1)
Keychain parse failed near:
0 -
Hi Mark,
Sorry for the troubles. I've just uploaded an update for you to try. You can re-download, and try the new versions.
I haven't seen your case in my data, so was not aware it might happen. I may still be doing something incorrectly but let's see if this works. If there are still problems, we'll work on next steps.
0 -
Thanks for the fast response! Did you simply replace the original zip file in the agilebits dropbox folder called _testing? Just want to make sure I got the right version. I got a similar error this time:
MarkP-MBP:convert markp$ perl convert_to_1p4.pl keychain -v /Users/markp/Desktop/keychain.txt
Use of uninitialized value $_[1] in say at Utils/Utils.pm line 32 (#1)
(W uninitialized) An undefined value was used as if it were already
defined. It was interpreted as a "" or a 0, but maybe it was a mistake.
To suppress this warning assign a defined value to your variables.
To help you figure out what was undefined, perl will try to tell you the name of the variable (if any) that was undefined. In some cases it cannot do this, so it also tells you what operation you used the undefined value in. Note, however, that perl optimizes your program anid the operation displayed in the warning may not necessarily appear literally in your program. For example, "that $foo" is usually optimized into "that " . $foo, and the warning will refer to the concatenation (.) operator, even though there is no . in your program.
Keychain parse failed near:
0 -
Yes, that's correct.
Which version of OS X are you running?
So we've eliminated the first issue (although I'd still like to get a better handle on why the data in the exported keychain would be missing the data from a certain section - the data section).
The next issue you're seeing is perhaps more telling. Your keychain export does not appear to be in the format the converter is expecting, so it errors out.
If you examine the keychain output file, does it look like a bunch of entries like this:
keychain: "/Users/mrc/Library/Keychains/login.keychain"
class: 0x0000000F
attributes:
    0x00000000 <uint32>=0x0000000F
    0x00000001 <blob>="Apple ID joe@example.com key"
    0x00000002 <blob>=<NULL>
    0x00000003 <uint32>=0x00000001
    0x00000004 <uint32>=0x00000000
    0x00000005 <uint32>=0x00000000
    0x00000006 <blob>=0xFF6B78EABCABCABCABCB977A20CC66AD6AABCABC "STUFF
    0x00000007 <blob>=<NULL>
    0x00000008 <blob>=0xXXXX "{aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}\000"
    0x00000009 <uint32>=0x0000002A "\000\000\000*"
    0x0000000A <uint32>=0x00000800
    0x0000000B <uint32>=0x00000800
    0x0000000C <blob>=0x0000000000000000
    0x0000000D <blob>=0x0000000000000000
    0x0000000E <uint32>=0x00000000
    0x0000000F <uint32>=0x00000000
    0x00000010 <uint32>=0x00000001
    0x00000011 <uint32>=0x00000000
    0x00000012 <uint32>=0x00000001
    0x00000013 <uint32>=0x00000000
    0x00000014 <uint32>=0x00000001
    0x00000015 <uint32>=0x00000000
    0x00000016 <uint32>=0x00000001
    0x00000017 <uint32>=0x00000000
    0x00000018 <uint32>=0x00000000
    0x00000019 <uint32>=0x00000000
    0x0000001A <uint32>=0x00000000
data:
0x222222211111AAAA "XXXXXXX"
with the sections being bracketed by a line that starts with "keychain:" and ends with a line that starts with "data:" followed by the data on the next line?
We can communicate offline if you'd like while we work out the issue. My email address is at the top of the script. Don't post or send me your data.
0 -
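A way to check an export against the layout described in the post above without exposing any secrets, as an added example that is not part of the thread and is not the converter's own code (it is Python, not the converter's Perl). The names `parse_dump`, `ATTR_RE` and `SAMPLE` are hypothetical, and the sample input is constructed. It reports a record that lacks its data section by line number, which is the case that surfaced as an uninitialized-value warning earlier in the thread.

```python
import re

# Attribute lines look like:  0x00000001 <blob>="label"
ATTR_RE = re.compile(r'^\s*(\S+?)\s*<(\w+)>=(.*)$')

# Constructed sample (no real keychain data); the second record has no data section.
SAMPLE = '''keychain: "/Users/example/Library/Keychains/login.keychain"
class: 0x0000000F
attributes:
    0x00000000 <uint32>=0x0000000F
    0x00000001 <blob>="constructed entry one"
data:
"constructed-secret"
keychain: "/Users/example/Library/Keychains/login.keychain"
class: 0x0000000F
attributes:
    0x00000001 <blob>="constructed entry two"
'''

def parse_dump(text):
    """Return (records, problems); problems are (line_number, message) pairs."""
    records, problems, rec = [], [], None
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i]
        if line.startswith('keychain:'):          # start of a new record
            rec = {'keychain': line.split(':', 1)[1].strip().strip('"'),
                   'class': None, 'attributes': {}, 'data': None, 'line': i + 1}
            records.append(rec)
        elif rec is None:
            if line.strip():
                problems.append((i + 1, 'text before first keychain: line'))
        elif line.startswith('class:'):
            rec['class'] = line.split(':', 1)[1].strip()
        elif line.startswith('data:'):
            # The value sits on the next line, unless a new record starts there.
            if i + 1 < len(lines) and not lines[i + 1].startswith('keychain:'):
                rec['data'] = lines[i + 1]
                i += 1
        else:
            m = ATTR_RE.match(line)
            if m:
                rec['attributes'][m.group(1)] = (m.group(2), m.group(3))
        i += 1
    # Report incomplete records by line number only, never by secret value.
    problems += [(r['line'], 'record has no data section')
                 for r in records if r['data'] is None]
    return records, problems
```

Because the problems list carries only line numbers and messages, it can be shared when asking for help while the export itself stays on the local machine.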
Mark and I worked out the issue. His keychain output varied slightly from mine, so I updated the converter to handle the differences (and corrected an issue with insufficient diagnostic output, to help with any future troubleshooting). Mark's help was superb - thanks!
0 -
This post is to document that the new and improved version is now generally available and discussed here:
https://discussions.agilebits.com/discussion/30286/mrcs-convert-to-1password-utility/p1
0