Add password to keychain from command line without showing them

Tags: command line, keychain, password, Security

According to https://www.netmeister.org/blog/keychain-passwords.html:

Secondly, we are necessarily leaking the newly generated password into
the process table as the shell expands the backticks (more details
here). Sadly, the security(1) utility has no other method of
non-interactively accepting a password but on the command-line[1]. For
this reason, it may be preferable to create the secret using the GUI
application.

Is it possible to programmatically add passwords to the keychain without leaking them to the ps -ef output?

Best Answer

I went ahead and wrote a small command line app to do it for you programmatically; here it is: finally, pipe-able console password entry :)

Other options:

If you run security add-generic-password ... -w, it will prompt you for your password; you can type it in there, and that doesn't leak anything.

There are a few hacks to feed the secure prompt, but just using it is OK too (or use the GUI).

In my case (attempting to feed kinit), it can integrate with the keychain (built in), though the initial entry is still manual.
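One scripted way to keep the secret out of the process table, as an added example that is not part of the question or the answer above: security(1) has an interactive mode (security -i) that reads its subcommands from standard input rather than from argv, and add-generic-password accepts the password as a hexadecimal string with -X. Piping a hex-encoded add-generic-password line into security -i means ps -ef only ever shows "security -q -i". This example assumes both options behave as documented in security(1) on a current macOS (check security help add-generic-password on your version), assumes account and service names without whitespace (the interactive tokenizer's quoting rules are not relied on), and uses a hypothetical SECURITY_CMD variable so the generated command can be dry-run through cat on a non-macOS machine. Do not move the secret into an environment variable instead; ps can display environments too.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Add a keychain item while keeping the secret out of argv, so it never
# shows up in `ps -ef`.
#
# Assumptions (per security(1); verify on your macOS version):
#   - `security -i` reads subcommands from stdin, not the command line
#   - `add-generic-password -X HEX` takes the password as a hex string
# The secret travels stdin -> pipe -> security's stdin; only
# "security -q -i" is visible in the process table.

# Hex-encode stdin with od (present on macOS and Linux; avoids xxd).
hex_encode() {
    od -An -v -tx1 | tr -d ' \n'
}

# Build the interactive-mode command for ACCOUNT and SERVICE, reading the
# raw secret from stdin. Printed rather than executed so it can be
# inspected or piped. Account/service must not contain whitespace here.
build_add_command() {
    account=$1
    service=$2
    hex=$(hex_encode)   # command substitution inherits this function's stdin
    printf 'add-generic-password -a %s -s %s -X %s\n' "$account" "$service" "$hex"
}

# Feed the command to `security -q -i`, or to $SECURITY_CMD (hypothetical
# override, e.g. SECURITY_CMD=cat to dry-run off macOS).
keychain_add_from_stdin() {
    build_add_command "$1" "$2" | ${SECURITY_CMD:-security -q -i}
}

# Usage (the secret never appears on a command line):
#   openssl rand -base64 24 | tr -d '\n' | keychain_add_from_stdin myuser example.com
# Interactive entry without echo, in plain sh:
#   stty -echo; read -r pw; stty echo; printf '%s' "$pw" | keychain_add_from_stdin myuser example.com
```

The hex form also sidesteps quoting problems for passwords containing spaces or shell metacharacters, since only [0-9a-f] reaches the security parser. What this does not hide is the secret in the memory of your shell and of the pipe; it only removes the argv and environment exposure the netmeister post is warning about.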