Administer Keychains, keys, certificates and the Security framework.
By default security will execute the command supplied and report if anything went wrong. If the -i or -p options are provided, security will enter interactive mode. When EOF is read from stdin security will exit.
Syntax security [-hilqv] [-p prompt] [command] [command_options] [command_args] Key -h If no arguments are specified, show a list of all commands. If arguments are provided, show usage for each the specified commands. This option is essentially the same as the help command. -i Run security in interactive mode. A prompt (security> by default) will be displayed and the user will be able to type commands on stdin until an EOF is encountered. -l Before security exits, run /usr/bin/leaks -nocontext on itself to see if the command(s) you executed had any leaks. -p prompt Implies the -i option but changes the default prompt to the argument specified instead. -q Will make security less verbose. -v Will make security more verbose.
security provides a rich variety of commands , each of which often has a wealth of options, to allow access to the broad functionality provided by the Security framework. However, you don't have to master every detail for security to be useful to you.
list-keychains Display or manipulate the keychain search list. default-keychain Display or set the default keychain. login-keychain Display or set the login keychain. create-keychain Create keychains and add them to the search list. delete-keychain Delete keychains and remove them from the search list. lock-keychain Lock the specified keychain. unlock-keychain Unlock the specified keychain. set-keychain-settings Set settings for a keychain. set-keychain-password Set password for a keychain. show-keychain-info Show the settings for keychain. dump-keychain Dump the contents of one or more keychains. create-keypair Create an asymmetric key pair. add-generic-password Add a generic password item. add-internet-password Add an internet password item. add-certificates Add certificates to a keychain. find-generic-password Find a generic password item. delete-generic-password Delete a generic password item. find-internet-password Find an internet password item. delete-internet-password Delete an internet password item. find-certificate Find a certificate item. find-identity Find an identity (certificate + private key). delete-certificate Delete a certificate from a keychain. set-identity-preference Set the preferred identity to use for a service. get-identity-preference Get the preferred identity to use for a service. create-db Create a db using the DL. export Export items from a keychain. import Import items into a keychain. cms Encode or decode CMS messages. install-mds Install (or re-install) the MDS database. add-trusted-cert Add trusted certificate(s). remove-trusted-cert Remove trusted certificate(s). verify-cert Verify certificate(s). dump-trust-settings Display contents of trust settings. user-trust-settings-enable Display or manipulate user-level trust settings. trust-settings-export Export trust settings. trust-settings-import Import trust settings. authorize Perform authorization operations. authorizationdb Make changes to the authorization policy database. execute-with-privileges Execute tool with privileges. leaks Run /usr/bin/leaks on this process. error Display a descriptive message for the given error code(s). help Show all commands, or show usage for a command. Common options: Command_options that are available across all security commands. -h Show a usage message for the specified command. This option is essentially the same as the help command.
When using the leaks command or the -l option it's probably a good idea to set this environment variable before security is started. Doing so will allow leaks to display symbolic backtraces.
Property list file containing the current user's default keychain and keychain search list.
Property list file containing the system default keychain and keychain search list. This is used by processes started at boot time, or those requesting to use the system search domain, such as system daemons.
Property list file containing the common keychain search list, which is appended to every user's search list and to the system search list.
security was first introduced in macOS version 10.3.
security still needs more commands before it can be considered complete. In particular, it should someday supersede both the certtool and systemkeychain commands.
“The man who looks for security, even in the mind, is like a man who would chop off his limbs in order to have artificial ones which will give him no pain or trouble” ~ Henry Miller (The Rosy Crucifixion I )
tccutil - Manage the privacy database.
HT202303 - iCloud security overview