a guest
Nov 9th, 2017
# Secure CLI Passwords with Keychain Services on Mac OS X

## Creating a Password

Dump a password into the keychain. I'm using "asbl" (for Ansible) as both the creator and the type code, but you can use any four-character code; it's useful for narrowing lookups later.

```
$ security add-generic-password -a "root" -c "asbl" -C "asbl" -D "Ansible Vault" -s "ansible secrets" -w "secret123password456"
```

Giving the password as the `-w` argument like this leaves it in your shell history and, for the instant the command runs, in the process list. Put `-w` last with no value instead and `security` prompts for the password on the terminal.

From `man security` (these are the matching options of `find-generic-password`; `add-generic-password` takes the same letters to set the corresponding attributes):

```
-a account   Match account string
-c creator   Match creator (four-character code)
-C type      Match type (four-character code)
-D kind      Match kind string
-G value     Match value string (generic attribute)
-j comment   Match comment string
-l label     Match label string
-s service   Match service string
```

Note that the "service" shows up as the "Where" field in Keychain Access and the label shows up as "Name". Nice work on that UX consistency, Apple.
  21.  
## Recalling a Password

You can pull the password back out by matching on the attributes you supplied. Going by service name:

```
$ security find-generic-password -s "ansible secrets" -w
```

The `-w` option causes only the password to be printed; without it you get the item's attributes and no password.

You can specify any combination of parameters when extracting, and `security` returns the first item that matches all of them, so make the combination unique. That's useful if you have multiple Gmail accounts: store both with `-s "GMail"`, one with `-l "work"` and the other with `-l "home"`, and fetch the work one with `security find-generic-password -l "work" -s "GMail" -w`.
  31.  
## A Note about Ansible

Ansible wants a file for the vault password, but `--vault-password-file` also accepts an executable: if the file is executable, Ansible runs it and uses its stdout as the password. So a simple wrapper script that "does the right thing" for us can be passed in place of a file. Create a script called `vault_from_keychain.sh`, `chmod +x` it, and give it this content (the `-s` value must match the service string the item was stored under; the example at the top used "ansible secrets"):

```
#!/bin/sh
exec security find-generic-password -s "hipyard-ansible secrets" -w
```

Finally, use it from the command line (the option is `--vault-password-file`; `-t` is short for `--tags`):

```
$ ansible-playbook Hipyardweb.yml -i inventory/production/hosts -t use_secrets --vault-password-file vault_from_keychain.sh
```
  42.  
  43.  
## Using it

I have this in my mutt configuration so the password isn't sitting in the config file in clear text (mutt runs the command in backticks and uses its output as the value):

```
set smtp_pass = `security find-generic-password …`
```

but you can also use it to pass data as a CLI parameter:

```
$ someapp dosecurething -user="myusername" -password=`security find-generic-password…`
```
  53.  
## Warnings

When passing a password as a CLI parameter it will be visible in the process list, to every user on the machine. Be careful using this kind of thing in this fashion:

```
$ bundle exec ruby foo_server.rb --user=foobar --password=`security find-generic-password …`
```

as your password will appear if somebody runs `ps aux | grep foo_server`. Prefer tools that can read the secret from stdin, a file or an environment variable.

Likewise, the keychain will ask you to allow access to the item. The application asking is `/usr/bin/security` itself, not your script, so once you've clicked "Always Allow" for a command run from iTerm, every future `security` invocation gets the item without a prompt: approve it for `foo.rb` and `bar.rb` will be able to read that item too. Click "Allow" (once) rather than "Always Allow", and store any truly secret passwords in a separate keychain that isn't unlocked by default if you want them protected from malicious processes running under your user account.
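A hardened version of the whole workflow, added here as an example (this is not the paste's own wrapper script). It serves both the Ansible section and the warnings above: the vault password lives in a dedicated keychain that locks itself, the wrapper exits non-zero when the item is missing or the prompt is denied, and a helper hands the secret to a program over stdin so it never appears in `ps`. The keychain name `ansible.keychain`, the 300 s idle lock, the `$USER` account name and the function names are my choices; the service string "ansible secrets" is the one stored in the first section.

```sh
#!/bin/sh
# vault_from_keychain.sh: hardened keychain wrapper (added example, not the
# original paste's script). Assumptions: keychain file ansible.keychain under
# ~/Library/Keychains, service string "ansible secrets", 300 s idle lock.

KC="${SECRET_KEYCHAIN:-ansible.keychain}"
SERVICE="${KEYCHAIN_SERVICE:-ansible secrets}"

# One-time setup: a separate keychain (security prompts for its passphrase),
# set to lock after 300 s idle (-u -t) and on sleep (-l). Unlike the login
# keychain it is not open for the whole session, so a stray "Always Allow" on
# some other item never covers this one.
create_secret_keychain() {
    security create-keychain "$KC" || return 1
    security set-keychain-settings -l -u -t 300 "$KC"
}

# Store the password. It is read from stdin with echo off, so it never lands
# in shell history. -T "" drops the default ACL entry for the creating app
# (/usr/bin/security), so every later read goes through a keychain prompt;
# -U lets you rotate the secret in place. The keychain must be the last
# argument. Caveat: the value is still visible in the argv of the security
# process for the instant it runs.
store_vault_password() {
    if [ -t 0 ]; then
        printf 'Vault password: ' >&2
        stty -echo; read -r pw; stty echo; echo >&2
    else
        read -r pw
    fi
    [ -n "$pw" ] || { echo "store_vault_password: empty password" >&2; return 1; }
    security add-generic-password -a "$USER" -s "$SERVICE" -D "Ansible Vault" \
        -c asbl -C asbl -T "" -U -w "$pw" "$KC"
}

# Read it back. Return non-zero when the item is missing or the keychain
# prompt is denied, so ansible-playbook aborts instead of trying an empty
# password.
vault_password() {
    pw=$(security find-generic-password -s "$SERVICE" -w "$KC" 2>/dev/null) || {
        echo "vault_from_keychain: no item for service '$SERVICE' in $KC" >&2
        return 1
    }
    [ -n "$pw" ] || { echo "vault_from_keychain: empty password" >&2; return 1; }
    printf '%s\n' "$pw"
}

# Run "$@" with the password on its stdin: only the command line, not the
# secret, shows up in `ps aux`.
run_with_password_stdin() {
    vault_password | "$@"
}

# Lock the keychain again when a batch of playbook runs is done.
lock_secret_keychain() {
    security lock-keychain "$KC"
}

# When run by ansible-playbook --vault-password-file vault_from_keychain.sh
# (or by hand as ./vault_from_keychain.sh), print the password; when sourced
# under another name, only define the functions.
case "$0" in
    *vault_from_keychain*) vault_password ;;
esac
```

Usage: `. ./vault_from_keychain.sh; create_secret_keychain; store_vault_password` once, then `ansible-playbook ... --vault-password-file vault_from_keychain.sh` as before, and `run_with_password_stdin some-tool --password-stdin` (assumed flag) for tools that read a secret from standard input. The separate keychain means the first read in a session prompts for that keychain's passphrase rather than silently handing the item over.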