Administer Keychains, keys, certificates and the Security framework.

By default security will execute the command supplied and report if anything went wrong. If the -i or -p options are provided, security will enter interactive mode. When EOF is read from stdin security will exit.

     security [-hilqv] [-p prompt] [command] [command_options] [command_args]

   -h     If no arguments are specified, show a list of all commands.
          If arguments are provided, show usage for each of the specified commands.
          This option is essentially the same as the help command.

   -i     Run security in interactive mode.
          A prompt (security> by default) will be displayed and the
          user will be able to type commands on stdin until an EOF is encountered.

   -l     Before security exits, run
             /usr/bin/leaks -nocontext
          on itself to see if the command(s) you executed had any leaks.

   -p prompt
          Implies the -i option but changes the default prompt to the argument specified.

   -q     Make security less verbose.

   -v     Make security more verbose.

security provides a rich variety of commands, each of which often has a wealth of options, to allow access to the broad functionality provided by the Security framework. However, you don't have to master every detail for security to be useful to you.

     list-keychains              Display or manipulate the keychain search list.
     default-keychain            Display or set the default keychain.
     login-keychain              Display or set the login keychain.
     create-keychain             Create keychains and add them to the search list.
     delete-keychain             Delete keychains and remove them from the search list.
     lock-keychain               Lock the specified keychain.
     unlock-keychain             Unlock the specified keychain.
     set-keychain-settings       Set settings for a keychain.
     set-keychain-password       Set password for a keychain.
     show-keychain-info          Show the settings for keychain.
     dump-keychain               Dump the contents of one or more keychains.

     create-keypair              Create an asymmetric key pair.
     add-generic-password        Add a generic password item.
     add-internet-password       Add an internet password item.
     add-certificates            Add certificates to a keychain.

     find-generic-password       Find a generic password item.
     delete-generic-password     Delete a generic password item.
     find-internet-password      Find an internet password item.
     delete-internet-password    Delete an internet password item.

     find-certificate            Find a certificate item.
     find-identity               Find an identity (certificate + private key).
     delete-certificate          Delete a certificate from a keychain.

     set-identity-preference     Set the preferred identity to use for a service.
     get-identity-preference     Get the preferred identity to use for a service.

     create-db                   Create a db using the DL.
     export                      Export items from a keychain.
     import                      Import items into a keychain.
     cms                         Encode or decode CMS messages.
     install-mds                 Install (or re-install) the MDS database.

     add-trusted-cert            Add trusted certificate(s).
     remove-trusted-cert         Remove trusted certificate(s).
     verify-cert                 Verify certificate(s).

     dump-trust-settings         Display contents of trust settings.
     user-trust-settings-enable  Display or manipulate user-level trust settings.
     trust-settings-export       Export trust settings.
     trust-settings-import       Import trust settings.

     authorize                   Perform authorization operations.
     authorizationdb             Make changes to the authorization policy database.
     execute-with-privileges     Execute tool with privileges.
     leaks                       Run /usr/bin/leaks on this process.
     error                       Display a descriptive message for the given error code(s).
     help                        Show all commands, or show usage for a command.

Common options:
     Command_options that are available across all security commands.

     -h   Show a usage message for the specified command.
          This option is essentially the same as the help command.
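The keychain commands listed above are most often combined into a short lifecycle: create a throwaway keychain, store a secret in it, read it back, and delete it so nothing is left on the search list. The script below is an added example, not part of the man page; it assumes macOS with /usr/bin/security, and the keychain path, account, service and secret values are constructed for illustration.

```shell
#!/bin/sh
# Added example: throwaway keychain for a short-lived job (not from the man page).
# Assumes macOS with /usr/bin/security on PATH; all values below are constructed.
set -eu

KC="$(pwd)/ci-tmp.keychain-db"    # assumed location; any writable path works

have_security() { command -v security >/dev/null 2>&1; }

# Create a keychain that auto-locks when idle, so a stalled job cannot keep
# reading secrets from it indefinitely, then unlock it for this session.
create_temp_keychain() {
    kc_pass=$1
    security create-keychain -p "$kc_pass" "$KC"
    security set-keychain-settings -lut 900 "$KC"   # lock after 15 min idle
    security unlock-keychain -p "$kc_pass" "$KC"
}

# store_secret ACCOUNT SERVICE SECRET: add a generic password item to $KC only
# (naming the keychain explicitly keeps it out of the login keychain).
store_secret() {
    security add-generic-password -a "$1" -s "$2" -w "$3" "$KC"
}

# read_secret ACCOUNT SERVICE: -w prints just the password, nothing else.
read_secret() {
    security find-generic-password -a "$1" -s "$2" -w "$KC"
}

# Deleting the keychain also removes it from the search list.
destroy_temp_keychain() {
    security delete-keychain "$KC"
}

# Round trip. Returns 0 when the stored secret reads back intact,
# 1 on mismatch, and 2 when the security tool is not available (non-macOS).
roundtrip() {
    have_security || return 2
    trap destroy_temp_keychain EXIT      # tear down even if a step fails
    create_temp_keychain "constructed-keychain-pass"
    store_secret "deploy-bot" "example-api" "constructed-secret-123"
    [ "$(read_secret deploy-bot example-api)" = "constructed-secret-123" ]
}
```

Because the keychain is created under its own path and then deleted, the login keychain and the user's search list are never modified.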

When using the leaks command or the -l option it’s probably a good idea to set this environment variable before security is started. Doing so will allow leaks to display symbolic backtraces.

Property list file containing the current user's default keychain and keychain search list.

Property list file containing the system default keychain and keychain search list. This is used by processes started at boot time, or those requesting to use the system search domain, such as system daemons.

Property list file containing the common keychain search list, which is appended to every user’s search list and to the system search list.

security was first introduced in macOS version 10.3.

security still needs more commands before it can be considered complete. In particular, it should someday supersede both the certtool and systemkeychain commands.

"The man who looks for security, even in the mind, is like a man who would chop off his limbs in order to have artificial ones which will give him no pain or trouble" ~ Henry Miller (The Rosy Crucifixion I)

Related macOS commands

certtool(1), leaks(1)
tccutil - Manage the privacy database.
HT202303 - iCloud security overview

Copyright © 1999-2024
Some rights reserved