How to prevent “Local Items” Keychain from locking

bug, keychain, Security

My "Local Items" keychain keeps locking and I can't figure out how to prevent it from doing so. As near as I can tell it locks when my Mac sleeps (which I want) and also after a very short timeout (which I don't want).

In theory, I ought to be able to select the keychain in Keychain Access and choose "Change Settings…" there, or use security set-keychain-settings in Terminal. But all menu items for the "Local Items" keychain are disabled in Keychain Access, and I can't figure out how to refer to the "Local Items" keychain using security.

Note that this means it is impossible to unlock my "Local Items" keychain from Keychain Access. Moreover, when the keychain is needed (e.g. to log in to a website) it is not asked for: no "allow" dialog is presented. As a result the only way to cope with its frequent locking is to periodically and proactively security unlock-keychain (which works without an argument, fortunately, since I don't know how to identify the "Local Items" keychain in the command line)!

How do I prevent my "Local Items" Keychain from locking?


My basic set of keychains as reported in Terminal is

$ security list-keychains
"/Users/Rax/Library/Keychains/login.keychain-db"
"/Library/Keychains/System.keychain"
$ security default-keychain
"/Users/Rax/Library/Keychains/login.keychain-db"
$ security default-keychain -d system
"/Library/Keychains/System.keychain"
$ security default-keychain -d common
"/Library/Keychains/System.keychain"
$ security default-keychain
"/Users/Rax/Library/Keychains/login.keychain-db"
$ security login-keychain
"/Users/Rax/Library/Keychains/login.keychain-db"
$ security show-keychain-info
Keychain "<NULL>" no-timeout
$ security show-keychain-info "/Users/Rax/Library/Keychains/login.keychain-db"
Keychain "/Users/Rax/Library/Keychains/login.keychain-db" no-timeout
$ security show-keychain-info "/Library/Keychains/System.keychain"
Keychain "/Library/Keychains/System.keychain" no-timeout

while the list in Keychain Access looks like this

[Image: screenshot of the keychain list in Keychain Access]

The "login" keychain remains unlocked and the "System" keychain remains locked; while the "Local Items" Keychain locks as described above.


Output of find ~/Library/Keychains -exec ls -lad {} \;:

drwxr-xr-x  35 Rax  staff  1120 Aug 18 14:23 /Users/Rax/Library/Keychains
-r--r--r--  1 root  staff  0 Apr 24 15:35 /Users/Rax/Library/Keychains/.glB6156675
-rw-r--r--  1 Rax  staff  2626852 Aug 23  2013 /Users/Rax/Library/Keychains/login.keychain.sb-c5127d9-zr8ipV
-rw-r--r--  1 Rax  staff  0 Feb 11  2008 /Users/Rax/Library/Keychains/.fl62323D2F
-rw-r--r--  1 Rax  staff  2305068 Aug  7  2012 /Users/Rax/Library/Keychains/login.keychain.sb-419e7628-XfWttr
-rw-r--r--  1 Rax  staff  1816092 Aug 12  2013 /Users/Rax/Library/Keychains/login.keychain.sb-bcbce214-XqMDb8
-rw-r--rw-  1 root  staff  22572 May 11 11:39 /Users/Rax/Library/Keychains/parallels_shared.keychain-db
-rw-r--r--  1 Rax  staff  2593480 Jun  7  2013 /Users/Rax/Library/Keychains/login.keychain.sb-2095c4e1-efwkXC
-rw-r--r--@ 1 Rax  staff  10244 Jun  3 14:36 /Users/Rax/Library/Keychains/.DS_Store
-rw-r--r--@ 1 Rax  staff  3694988 Aug 18 14:23 /Users/Rax/Library/Keychains/login.keychain-db
-rw-r--r--  1 Rax  staff  2507028 Oct 22  2013 /Users/Rax/Library/Keychains/login.keychain.sb-54e23350-eVgc4o
-rw-r--r--  1 Rax  staff  2305068 Aug  5  2012 /Users/Rax/Library/Keychains/login.keychain.sb-ac760145-TFyzKv
-rw-r--r--  1 Rax  staff  2294264 Aug  1  2012 /Users/Rax/Library/Keychains/login.keychain.sb-2cf4baf7-aeZlX1
-rw-r--r--  1 Rax  staff  1818456 Aug 13  2013 /Users/Rax/Library/Keychains/login.keychain.sb-a1fce254-cG4137
-rw-r--r--@ 1 Rax  staff  0 Sep 22  2016 /Users/Rax/Library/Keychains/.fl34AC2A0A
-rw-r--r--  1 Rax  staff  132644 Aug 12  2013 /Users/Rax/Library/Keychains/login.keychain.sb-bbace251-nXanZA
-rw-r--r--  1 Rax  staff  0 Apr 24 15:35 /Users/Rax/Library/Keychains/parallels_shared.keychain.prl_lock
-rw-r--r--  1 Rax  staff  2605912 Aug 12  2013 /Users/Rax/Library/Keychains/login.keychain.sb-5fcce214-WmoSug
-rw-------  1 Rax  staff  23136 Sep 21  2016 /Users/Rax/Library/Keychains/metadata.keychain
-rw-------  1 Rax  staff  0 Sep 22  2016 /Users/Rax/Library/Keychains/.flC23220F1
-rw-r--r--  1 Rax  staff  2650236 Oct 21  2013 /Users/Rax/Library/Keychains/login.keychain.sb-52e25380-rVXfEL
-rw-r--r--  1 Rax  staff  1765124 Mar 29  2013 /Users/Rax/Library/Keychains/login.keychain.sb-27a31445-2bhqB9
-rw-r--r--  1 Rax  staff  2605912 Aug 12  2013 /Users/Rax/Library/Keychains/login.keychain.sb-bbace434-J4uOow
-rw-------  1 Rax  staff  70032 Aug 12 14:59 /Users/Rax/Library/Keychains/metadata.keychain-db
-rw-r--r--  1 Rax  staff  132644 Oct 14  2013 /Users/Rax/Library/Keychains/login.keychain.sb-f990005d6-Fhk8Du
-rw-r--r--  1 Rax  staff  1833784 Aug 23  2013 /Users/Rax/Library/Keychains/login.keychain.sb-c31477d9-0PWFuy
-r--r--r--  1 Rax  staff  0 Jun  3 14:30 /Users/Rax/Library/Keychains/.fl45FFD97B
-rw-------  1 Rax  staff  0 Jul 20  2011 /Users/Rax/Library/Keychains/.flER1D1FA9
-rw-r--r--  1 Rax  staff  2653684 Oct  8  2013 /Users/Rax/Library/Keychains/login.keychain.sb-f97005d6-M4MV4G
drwx------  2 Rax  staff  64 Feb  8  2010 /Users/Rax/Library/Keychains/.syncinfo
-rw-r--r--  1 Rax  staff  2650236 Oct 20  2013 /Users/Rax/Library/Keychains/login.keychain.sb-511e4350-kx3hnt
-rw-r--r--@ 1 Rax  staff  3074760 Sep 22  2016 /Users/Rax/Library/Keychains/login.keychain
drwx------  9 Rax  staff  288 Jul 15 10:35 /Users/Rax/Library/Keychains/83...D1
-rw-------  1 Rax  staff  32768 Aug 12 14:18 /Users/Rax/Library/Keychains/83...D1/keychain-2.db-shm
-rw-r--r--@ 1 Rax  staff  6148 Jun  3 14:34 /Users/Rax/Library/Keychains/83...D1/.DS_Store
-rw-------  1 Rax  staff  1306072 Aug 18 14:29 /Users/Rax/Library/Keychains/83...D1/keychain-2.db-wal
-rw-------  1 Rax  staff  1436 Nov 12  2017 /Users/Rax/Library/Keychains/83...D1/user.kb
-rw-------  1 Rax  staff  12443648 Aug 18 11:01 /Users/Rax/Library/Keychains/83...D1/keychain-2.db
-rw-------  1 Rax  staff  47 Sep 23  2015 /Users/Rax/Library/Keychains/83...D1/accountStatus.plist
drwx------  8 Rax  staff  256 Apr 10 12:10 /Users/Rax/Library/Keychains/83...D1/Analytics
-rw-r--r--  1 Rax  staff  45056 Aug  7 09:37 /Users/Rax/Library/Keychains/83...D1/Analytics/sos_analytics.db
-rw-r--r--  1 Rax  staff  1713952 Aug 18 08:32 /Users/Rax/Library/Keychains/83...D1/Analytics/sos_analytics.db-wal
-rw-------  1 Rax  staff  3333112 Aug 18 14:22 /Users/Rax/Library/Keychains/83...D1/Analytics/ckks_analytics.db-wal
-rw-------  1 Rax  staff  606208 Aug 16 20:06 /Users/Rax/Library/Keychains/83...D1/Analytics/ckks_analytics.db
-rw-r--r--  1 Rax  staff  32768 Aug 12 14:21 /Users/Rax/Library/Keychains/83...D1/Analytics/sos_analytics.db-shm
-rw-------  1 Rax  staff  32768 Aug 16 08:15 /Users/Rax/Library/Keychains/83...D1/Analytics/ckks_analytics.db-shm
-rw-r--r--  1 Rax  staff  2360984 Sep 19  2012 /Users/Rax/Library/Keychains/login.keychain.sb-28f4c901-zucwGd

UPDATE: After crashing and force ejecting an external drive, the Local Keychain stopped locking itself, and remained open as expected. Rebooting, however, reverted to the locking behavior described above.

UPDATE: Suddenly this no longer happens. Apple logged me out of my Apple ID and made me go through a new procedure where I used my recovery key, and was asked to provide my machine login info, and my iPhone unlock code? (I was also told that recovery keys were no longer usable, unless I changed a setting to enable them, though it's not clear how.) Does Apple now have my machine login info; my iPhone unlock code? In any case, my keychain now stays unlocked.

UPDATE: Never mind, that was only temporary. It still locks (even after updating to Bug Sur).

Best Answer

Warning - there's a chance you'll lose data or a keychain. Please ensure you have a complete backup and can wipe and restore before proceeding.

The security command doesn't list the "Local Items" keychain because it isn't an actual .keychain file. It is, rather, a virtual keychain created from a database (keychain-2.db) and associated index files. Regrettably, it appears either this database or one of its auxiliary files has somehow become corrupted, and is preventing Keychain Access from.. well.. accessing the virtual keychain.

To proceed, navigate to ~/Library/Keychains/ and locate the only folder present with a name that looks like alphabet soup (it's actually an anonymous UUID identifier, comprising 32 hexadecimal characters separated by dashes). Delete it and restart the computer. The directory and its content will be rebuilt during the boot process.

I myself have used this with no negative consequences; discretion dictates the warning to have a backup before implementing this potential solution.
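
The folder-removal step from the answer above, as an added example that is not part of the original answer: it moves the UUID-named folder to a backup location instead of deleting it, so the old keychain-2.db can be put back if the rebuild goes wrong. The function names and the backup path are hypothetical; the script refuses to act unless exactly one UUID-named folder containing keychain-2.db is found.

```shell
#!/bin/sh
# Added example (not from the original answer): set the "Local Items"
# database folder aside rather than deleting it outright.

# Print the UUID-named directory under $1. Fail unless exactly one exists
# and it contains keychain-2.db, the database named in the answer.
find_local_items_dir() {
    kc_dir=$1
    count=0
    match=
    for d in "$kc_dir"/*/; do
        [ -d "$d" ] || continue
        name=$(basename "$d")
        # 32 hexadecimal characters in 8-4-4-4-12 groups, any letter case
        if printf '%s\n' "$name" |
            grep -Eqi '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'; then
            match=${d%/}
            count=$((count + 1))
        fi
    done
    [ "$count" -eq 1 ] || { echo "expected 1 UUID folder, found $count" >&2; return 1; }
    [ -f "$match/keychain-2.db" ] || { echo "no keychain-2.db in $match" >&2; return 1; }
    printf '%s\n' "$match"
}

# Move the folder into $2 under a timestamped name and print the new path.
set_aside_local_items() {
    kc_dir=$1
    backup_root=$2   # hypothetical backup location chosen by the caller
    src=$(find_local_items_dir "$kc_dir") || return 1
    dest="$backup_root/$(basename "$src").$(date +%Y%m%d-%H%M%S)"
    mkdir -p "$backup_root" && mv "$src" "$dest" || return 1
    printf '%s\n' "$dest"
}

# Usage on a real account, followed by the restart the answer calls for:
#   set_aside_local_items "$HOME/Library/Keychains" "$HOME/Desktop/keychain-backup"
```
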