security(1) General Commands Manual security(1)

securityCommand line interface to keychains and Security framework

security [-hilqv] [-p prompt] [command] [command_options] [command_args]

A simple command line interface which lets you administer keychains, manipulate keys and certificates, and do just about anything the Security framework is capable of from the command line.

By default security will execute the command supplied and report if anything went wrong.

If the -i or -p options are provided, security will enter interactive mode and allow the user to enter multiple commands on stdin. When EOF is read from stdin security will exit.

Here is a complete list of the options available:

If no arguments are specified, show a list of all commands. If arguments are provided, show usage for each the specified commands. This option is essentially the same as the help command.
Run security in interactive mode. A prompt (security> by default) will be displayed and the user will be able to type commands on stdin until an EOF is encountered.
Before security exits, run
/usr/bin/leaks -nocontext
on itself to see if the command(s) you executed had any leaks.
prompt
This option implies the -i option but changes the default prompt to the argument specified instead.
Will make security less verbose.
Will make security more verbose.

security provides a rich variety of commands (command in the SYNOPSIS), each of which often has a wealth of options, to allow access to the broad functionality provided by the Security framework. However, you don't have to master every detail for security to be useful to you.

Here are brief descriptions of all the security commands:

help
Show all commands, or show usage for a command.
list-keychains
Display or manipulate the keychain search list.
default-keychain
Display or set the default keychain.
login-keychain
Display or set the login keychain.
create-keychain
Create keychains.
delete-keychain
Delete keychains and remove them from the search list.
lock-keychain
Lock the specified keychain.
unlock-keychain
Unlock the specified keychain.
set-keychain-settings
Set settings for a keychain.
set-keychain-password
Set password for a keychain.
show-keychain-info
Show the settings for keychain.
dump-keychain
Dump the contents of one or more keychains.
create-keypair
Create an asymmetric key pair.
add-generic-password
Add a generic password item.
add-internet-password
Add an internet password item.
add-certificates
Add certificates to a keychain.
find-generic-password
Find a generic password item.
delete-generic-password
Delete a generic password item.
set-generic-password-partition-list
Set the partition list of a generic password item.
find-internet-password
Find an internet password item.
delete-internet-password
Delete an internet password item.
set-internet-password-partition-list
Set the partition list of a internet password item.
find-key
Find keys in the keychain
set-key-partition-list
Set the partition list of a key.
find-certificate
Find a certificate item.
find-identity
Find an identity (certificate + private key).
delete-certificate
Delete a certificate from a keychain.
delete-identity
Delete a certificate and its private key from a keychain.
set-identity-preference
Set the preferred identity to use for a service.
get-identity-preference
Get the preferred identity to use for a service.
create-db
Create a db using the DL.
export
Export items from a keychain.
import
Import items into a keychain.
cms
Encode or decode CMS messages.
install-mds
Install (or re-install) the MDS database.
add-trusted-cert
Add trusted certificate(s).
remove-trusted-cert
Remove trusted certificate(s).
dump-trust-settings
Display contents of trust settings.
user-trust-settings-enable
Display or manipulate user-level trust settings.
trust-settings-export
Export trust settings.
trust-settings-import
Import trust settings.
verify-cert
Verify certificate(s).
authorize
Perform authorization operations.
authorizationdb
Make changes to the authorization policy database.
execute-with-privileges
Execute tool with privileges.
leaks
Run /usr/bin/leaks on this process.
smartcards
Enable, disable or list disabled smartcard tokens.
list-smartcards
Display available smartcards.
export-smartcard
Export/display items from a smartcard.
error
Display a descriptive message for the given error code(s).

This section describes the command_options that are available across most security commands.

Show a usage message for the specified command. This option is essentially the same as the help command.

Here (finally) are details on all the security commands and the options each accepts.

When using the leaks command or the -l option it's probably a good idea to set this environment variable before security is started. Doing so will allow leaks to display symbolic backtraces.

~/Library/Preferences/com.apple.security.plist

Property list file containing the current user's default keychain and keychain search list.

/Library/Preferences/com.apple.security.plist

Property list file containing the system default keychain and keychain search list. This is used by processes started at boot time, or those requesting to use the system search domain, such as system daemons.

/Library/Preferences/com.apple.security-common.plist

Property list file containing the common keychain search list, which is appended to every user's search list and to the system search list.

certtool(1), leaks(1), pluginkit(8)

security was first introduced in Mac OS X version 10.3.

security still needs more commands before it can be considered complete. In particular, it should someday supersede both the certtool and systemkeychain commands.

March 15, 2017 Darwin