How to decrypt the system keychain from another mac at the command line

You need the following things:

  • One dead Mac with a readable filesystem (called the Source machine from here on)
  • One new Mac or Linux machine (called the Target machine from here on)

  • The System.keychain file from the source machine.

    • This file is located in either /System/Library/Keychains or /Library/Keychains
  • The SystemKey file from the source machine. This contains the actual password.
    • Located in in /var/db/SystemKey
  • Internet access on the target machine.

Step 1: Recovering the encryption key for the source keychain

We can't use SystemKey as is - it contains random bytes that can't be entered into a password dialog or command line. Even better, we need 24 bytes out of the middle of the file - after the magic number that indicates a key file, but before the checksum bytes.

The proper command to get the right hex key is:

hexdump -s 8 -n 24 -e '1/1 "%.2x"' /path/to/SystemKey && echo

Explained: Skip the first 8 bytes from the beginning of the file, continue 24 bytes after that, and use the format string to dump the data out on one line (it's a C-style printf string, if you're curious).

The && echo is so we get a single newline afterward so the output doesn't run into the beginning of your shell prompt after the command finishes.

Copy this string aside. This is the decryption key for the keychain.

Step 2: Dump the keychain using the password

We need a third party tool for this. We're going on the assumption that the dead Mac can't be booted in such a way that we can use its Keychain Access app normally.

That tool will be Chainbreaker - a python script. You'll need to install the hexdump library for Python. Run the following commands on the target machine:

  • sudo pip install hexdump
  • git clone https://github.com/n0fate/chainbreaker
  • cd chainbreaker

Now we simply give chainbreaker the key you just found and the file:

python chainbreaker.py -f /path/to/system.keychain -k (the byte string from step 1)

You'll see the plaintext password of everything in the system keychain. For my use case, I wanted the Time Machine password, and this will be represented in the output as a Generic password record named Time Machine. The plaintext password will be below.

Now we can simply use the Finder to open the Time Machine .sparsebundle, give the password we dug out of the keyfile, and continue as usual.