Mac – How to decrypt the system keychain from another mac at the command line

keychainpasswordtime-machine

I just ran into a situation where a user with a Mac that had been hard broken by an interrupted update needed into their Time Machine backup outside of the normal recovery process. Unfortunately, they'd forgotten the password to do this.

I have access to the filesystem on the broken Mac, and needed to recover their Time Machine password as well as anything else in the System keychain.

Difficulty: The system keychain does not use a normal password, it uses random bytes.

How do you decrypt a system keychain?

Best Answer

You need the following things:

One dead Mac with a readable filesystem (called the Source machine from here on)
One new Mac or Linux machine (called the Target machine from here on)
The System.keychain file from the source machine.
- This file is located in either /System/Library/Keychains or /Library/Keychains
The SystemKey file from the source machine. This contains the actual password.
- Located in in /var/db/SystemKey
Internet access on the target machine.

Step 1: Recovering the encryption key for the source keychain

We can't use SystemKey as is - it contains random bytes that can't be entered into a password dialog or command line. Even better, we need 24 bytes out of the middle of the file - after the magic number that indicates a key file, but before the checksum bytes.

The proper command to get the right hex key is:

hexdump -s 8 -n 24 -e '1/1 "%.2x"' /path/to/SystemKey && echo

Explained: Skip the first 8 bytes from the beginning of the file, continue 24 bytes after that, and use the format string to dump the data out on one line (it's a C-style printf string, if you're curious).

The && echo is so we get a single newline afterward so the output doesn't run into the beginning of your shell prompt after the command finishes.

Copy this string aside. This is the decryption key for the keychain.

Step 2: Dump the keychain using the password

We need a third party tool for this. We're going on the assumption that the dead Mac can't be booted in such a way that we can use its Keychain Access app normally.

That tool will be Chainbreaker - a python script. You'll need to install the hexdump library for Python. Run the following commands on the target machine:

sudo pip install hexdump
git clone https://github.com/n0fate/chainbreaker
cd chainbreaker

Now we simply give chainbreaker the key you just found and the file:

python chainbreaker.py -f /path/to/system.keychain -k (the byte string from step 1)

You'll see the plaintext password of everything in the system keychain. For my use case, I wanted the Time Machine password, and this will be represented in the output as a Generic password record named Time Machine. The plaintext password will be below.

Now we can simply use the Finder to open the Time Machine .sparsebundle, give the password we dug out of the keyfile, and continue as usual.

Related Solutions

MacOS – Keychain error -25308 while trying to add drive to Time Machine

I was having this same problem. According to discussion at this thread on Ars Technica, it’s caused by a bug in iStat Server. Are you running this?

I was, and can confirm that the work-around solution posted there of removing iStat Server and deleting the iStat Server entry in /Library/Preferences/com.apple.security.plist has worked for me. The relevant entry looks like this:

<key>DefaultKeychain</key>
<array>
   <dict>
      <key>DbName</key>
      <string>/Library/Application Support/iStat Server/iStatServer.keychain</string>
      <key>GUID</key>
      <string>{87191ca3-0fc9-11d4-849a-000502b52122}</string>
      <key>SubserviceType</key>
      <integer>6</integer>
   </dict>
</array>

Bjango, the developer of iStat Server, has further posted on the Ars Technica thread that a new version of iStat Server is now available. I have not independently verified that this addresses the problem, since the above work-around had already taken care of my issue, but their release notes say simply “Fixed a Keychain issue.” Both the new version and the release notes can easily be found at the iStat Server link above.

Mac – Help! Lost admin password for Mac OS X server 10.9

In conclusion, TimeMachine recovery of the entire system to the status before changing admin password worked well. I recovered the old admin password and it worked for Keychain Access as well.

In details; Just in case the recovery doesn't work and I lose the TimeMachine backups somehow, I copied the TimeMachine backup to another external drive. To do that, however, I needed admin password. So, first I had to reset the admin password.

Note: In my case, the destination for TimeMachine backup was a local partition (probably), so I didn't need network password to access it. If it were in network, for example, you would need password that has been lost at step 8. Then this procedure may not work for you. Before actually try the following steps, it may be good to see if you need password for system recovery, following http://support.apple.com/kb/PH14185 (step 5 in this page is the key), but just cancel when you are asked to choose date and time.

Open the Time Machine pane in System Preferences. Choose Time Machine > Open Time Machine Preferences…
Slide the Time Machine switch to Off.
Restart the Mac with Command + R keys held down to enter Recovery Mode.
In Recovery Mode, launch Terminal.app.
In Terminal.app, type resetpassword.
Choose the admin account and set new password. Verify it.
Warning about Keychain will appear.
Restart. Now you get admin password at the cost of loosing Keychain password. The server won't work properly any longer.
The OS will ask if you want to update Keychain password. Because you don't know the old password. You can't do that. So just choose Continue in the middle.
The system will ask Keychain passwords, but you have to ignore them.
Connect an external drive that is large enough.
If necessary, reformat the drive to Mac OS Extended (Journaled). see http://support.apple.com/kb/ht5096
Click the icon of the new backup drive and choose Get Info from the File menu or press Command-I (⌘-I)
Make sure Ignore ownership on this volume at the bottom of the Sharing & Permissions: section is not checked.
Open a new Finder window. In the Finder sidebar, click the icon of the current backup drive.
Open a new Finder window. In the Finder sidebar, click the icon of the new backup drive.
Drag the folder Backups.backupdb on the current backup drive to the root level of the new backup drive.
Enter an administrator name and password (you needed to reset the admin password for this step), then click OK to start the copying process. This may take some time to complete because all the backups will be copied.
After the copy has completed, you can eject the eternal drive.
Restart the machine with Command and R keys held down to enter Recovery Mode.
In Recovery Mode, Select Restore from a Time Machine Backup, then click Continue.
Select the TimeMachine storage.
Select the date and time of the backup you want to restore, then follow the onscreen instructions.
In my case, I successfully recovered admin password as well as default Keychain password.