Using Keychain for Secure Text on OS X

I’ve been playing with using the Migration Tool with a TextMate bundle, ForceDotBundle for a bit now (and yes, a full blog post on that bundle is forthcoming).  However, I had one concern with the approach.  Every project I created needed a file, which in turn needed to have the username and password in clear text on the filesystem.  I sometimes juggle a lot of different projects for short periods of time, so the possibility of simply having old passwords scattered around was quite real.  Also, I have this tendency to display code on large monitors in front of people more and more these days, and didn’t want to have passwords just being accidentally revealed.

Solution?  Well, for OS X users there is a great one built right into the OS.  Enter Keychain, the password and secure-text store OS X uses to safely juggle all those system passwords, certificates, tokens, and notes you want to keep from prying eyes.  While most users know it from logging into various applications, you can also work with it directly from Bash.

To add a new password to the Keychain from a script, use the add-generic-password subcommand of the security tool:

security add-generic-password -a {Account} -s "Login: {Account}" -w {Password}

Here “Account” is whatever identifies the user, project or account (I use the project name with TextMate), and Password is the password itself.  You can then retrieve it with find-generic-password:

security find-generic-password -ga {Account}

However, this returns a whole block of attributes, and we only really need the password.  Via this great TextMate blog post (which is what got the ball rolling on all of this), this shell one-liner pulls out just the password:

# -g prints the password on stderr, so send stderr to the pipe and discard stdout
security 2>&1 >/dev/null find-generic-password -ga "$1" \
|ruby -e 'print $1 if STDIN.gets =~ /^password: "(.*)"$/'

So to use this, I keep the Account name instead of the password in the file, and then swap the real password in only for the duration of the build:

shellpassword=$(~/Library/Application\ Support/TextMate/Bundles/ForceDotCom.tmbundle/Tools/ ${password})
sed "s/${password}/${shellpassword}/" >
ant build
sed "s/${shellpassword}/${password}/" >


The actual script is a little more complicated, to cope with real passwords, make backups and the like.  The first time this is run there will be the familiar modal prompt asking for the keychain password before access is granted (otherwise this wouldn’t be terribly secure).  If at any time you want to lock that back down, you can simply run:

security lock-keychain -a

This locks the keychain and requires someone to enter the password at the prompt again.  Obviously for your enterprise needs you should be talking to whoever is in charge of your due diligence and internal security for implementations, but for my laptop I certainly feel better that I don’t have passwords in a bunch of text files anymore.
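Pulling the pieces above together, here is an added example (my own script, not the post’s or the bundle’s) of the parse-then-swap wrapper in POSIX shell, with the backup and restore step the post mentions. It assumes the project file holds the Keychain account name as a placeholder where the password belongs; the function names are mine.

```shell
#!/bin/sh
# Added example, not the post's own script. The project file is assumed to
# hold the Keychain account name as a placeholder where the password belongs,
# e.g. a line like "password = MyProject" (a constructed layout).

# Print only the secret from what `security find-generic-password -ga ACCOUNT`
# writes (the "password: ..." line goes to stderr, the rest to stdout).
# security shows a password with non-printable bytes as 0x... hex instead of
# a quoted string; that case is not handled here.
password_from_keychain_output() {
    sed -n 's/^password: "\(.*\)"$/\1/p'
}

# Swap SECRET in for TOKEN in FILE only while the build command runs, then
# restore the backup whether or not the build succeeded, so a failed build
# never leaves the real password behind on disk.
# Usage: swap_password_and_run TOKEN SECRET FILE build_command [args...]
swap_password_and_run() {
    token="$1"; secret="$2"; file="$3"; shift 3
    backup="$file.keychain-backup"
    cp -p "$file" "$backup" || return 1
    # Literal substitution via awk: sed would treat '&', '/' and '\' in a
    # real password as metacharacters. ENVIRON avoids awk -v escape handling.
    TOKEN="$token" SECRET="$secret" awk '
        { t = ENVIRON["TOKEN"]; i = index($0, t)
          if (i) $0 = substr($0, 1, i - 1) ENVIRON["SECRET"] substr($0, i + length(t))
          print }' "$backup" > "$file"
    "$@"
    status=$?
    cp -p "$backup" "$file"       # restore the placeholder, success or not
    rm -f "$backup"
    return "$status"
}

# macOS entry point (needs the security tool, so it is not exercised off-Mac):
# look the account up in Keychain and wrap `ant build` with the swap above.
# Afterwards the keychain can be locked again with: security lock-keychain -a
build_with_keychain_password() {
    account="$1"; file="$2"
    secret=$(security 2>&1 >/dev/null find-generic-password -ga "$account" \
             | password_from_keychain_output)
    [ -n "$secret" ] || { echo "no Keychain entry for $account" >&2; return 1; }
    swap_password_and_run "$account" "$secret" "$file" ant build
}
```

When adding the entry in the first place, ending the add-generic-password command with -w and no value makes security prompt for the password instead of leaving it in your shell history.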

While I’m using this for TextMate, it may have other useful applications if you’ve got OS X in your shop.  If you want to see this in action in the TextMate bundle, here’s a video.  WordPress strips the “jump to time” hash, so if you want to skip ahead, fast forward to 1 minute, 35 seconds in:

Enjoy.  As we approach Christmas, I’m hoping to get some more tools and tricks out there for your virtual tree.  As always, you can leave comments and questions in the boxes below, or catch me on twitter @joshbirk.

November 4, 2011
