More keychains than meets the eye

How many keychains does your Mac have? It may seem a simple question, but the answer can be surprisingly elusive, and may be a lot larger than you think.

Look in Keychain Access, and you should see at least four listed:

  • login, which is the current user’s login keychain, located at ~/Library/Keychains/login.keychain-db;
  • Local Items, which isn’t related to an identifiable keychain at all;
  • System, which is the System keychain at /Library/Keychains/System.keychain;
  • System Roots, the protected collection of certificates which ships with macOS, at /System/Library/Keychains/SystemRootCertificates.keychain.

I have another couple of keychains too:

  • Adobe.APS, a private app password for Adobe Acrobat Pro CC, kept away from normal keychain folders at ~/Library/Application Support/Adobe/AIR/ELS/com.adobe.formscentral.FormsCentralForAcrobat/PrivateEncryptedDatak;
  • loginMPro, an old migrated keychain from a previous Mac, at ~/Library/Keychains/loginMPro.keychain-db.

Looking in ~/Library/Application Support/Adobe/AIR/ELS, there are several other possible keychains, relating to BBC iPlayer, Zinio Reader, and some Adobe products, although Keychain Access only seems to know about the one I list above.

Turning to ~/Library/Keychains, I have several other keychains which are not reported by Keychain Access, including:

  • metadata.keychain, which I presume relates to macOS metadata, and remains current and active;
  • parallels_shared.keychain, which I presume is private to Parallels Desktop.

But there’s another too: apsd.keychain, which is plain to see in /Library/Keychains, but never listed anywhere, except in the log. If you watch a startup in Sierra’s log (don’t waste your time trying this with High Sierra, as it doesn’t log any of this), these are the approximate times of first opening of each keychain:
00:20.131 0x7fb018f1d730 opened /Library/Keychains/System.keychain: 170992 bytes
00:20.202 0x7f9aa2c0bb40 opened /Library/Keychains/apsd.keychain: 50592 bytes
00:20.202 0x7facca41ee70 opened /System/Library/Keychains/SystemRootCertificates.keychain: 385940 bytes
00:20.212 0x7f9aa2c276b0 created /Library/Keychains/apsd.keychain.sb-d5be7479-gA1KQ5
01:08.671 0x6000000707c0 opened /Users/hoakley/Library/Keychains/login.keychain-db: 1646112 bytes
01:09.251 0x7fee38415460 opened /Users/hoakley/Library/Keychains/loginMPro.keychain-db: 549908 bytes

(given as elapsed time in minutes and seconds after startup, iMac17,1, Sierra 10.12.6).

The apsd named here is the Apple Push Service daemon, and its keychain no doubt contains security certificates and other private data to support those services.

Normally, resorting to a command tool gives the most complete and definitive answer. So what does
security list-keychains
say?

It can only find four:

  • ~/Library/Keychains/login.keychain-db
  • ~/Library/Keychains/loginMPro.keychain-db
  • ~/Library/Application Support/Adobe/AIR/ELS/com.adobe.formscentral.FormsCentralForAcrobat/PrivateEncryptedDatak
  • /Library/Keychains/System.keychain

Wouldn’t it be good if there were a tool which actually told me about the keychains which are in use on my Mac, including

  • login at ~/Library/Keychains/login.keychain-db
  • additional personal keychains at ~/Library/Keychains/
  • Local Items wherever that exists
  • System at /Library/Keychains/System.keychain
  • APSD’s at /Library/Keychains/apsd.keychain
  • System Roots at /System/Library/Keychains/SystemRootCertificates.keychain
  • Various app keychains in folders within ~/Library?
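A rough first attempt at such a tool, as an added example that is not from the original post: it lists the keychain files found in the folders named above, normalises the output of security list-keychains, and prints the keychains present on disk that the search list leaves out. Local Items has no matching file, so it is not covered; the folder paths, and the Adobe ELS file name PrivateEncryptedDatak, are taken from this post.

```shell
# Added example (not the post's own code): find keychain files on disk and
# report those that `security list-keychains` does not include in its search list.

# Print every *.keychain / *.keychain-db file directly inside each folder given,
# plus any Adobe AIR ELS PrivateEncryptedDatak store one level down,
# one absolute path per line, sorted so the lists can be compared with comm.
keychains_on_disk() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        find "$dir" -maxdepth 2 -type f \
            \( -name '*.keychain' -o -name '*.keychain-db' -o -name 'PrivateEncryptedDatak' \)
    done | sort -u
}

# Normalise `security list-keychains` output, which prints each path
# indented and double-quoted, to one bare path per line, sorted.
normalise_search_list() {
    sed -e 's/^[[:space:]]*"//' -e 's/"[[:space:]]*$//' | sort -u
}

# Paths in the on-disk list ($1) that do not appear in the search list ($2).
# Both files must already be sorted, which the two functions above guarantee.
missing_from_search_list() {
    comm -23 "$1" "$2"
}

# Usage on a Mac: compare the two lists for the current user and the system.
report_unlisted_keychains() {
    disk=$(mktemp); sl=$(mktemp)
    keychains_on_disk "$HOME/Library/Keychains" /Library/Keychains \
        /System/Library/Keychains \
        "$HOME/Library/Application Support/Adobe/AIR/ELS" > "$disk"
    security list-keychains | normalise_search_list > "$sl"
    missing_from_search_list "$disk" "$sl"
    rm -f "$disk" "$sl"
}

# Only run the report where the security tool exists (i.e. on macOS).
if command -v security >/dev/null 2>&1; then
    report_unlisted_keychains
fi
```

On the Sierra setup described in the post this should print at least /Library/Keychains/apsd.keychain and ~/Library/Keychains/metadata.keychain, since neither is in the search list.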