How to properly back up and restore the System Keychain in OS X

There seems to be some confusion surrounding how one should properly back up Keychains in OS X. When performing a system reinstall, I would typically back up the .keychain files located in /Library/Keychains and ~/Library/Keychains with the intention of simply reimporting them. Although I was able to import and unlock the User Keychain, unlocking the System Keychain file after a reinstall always failed.

After some searching, I found this post explaining some of the technical inner workings of the system-level keychain file.

How to back up System.keychain

As the StackExchange post explains:

The system keychain is stored in /Library/Keychains/System.keychain and the key to unlock it is stored in /var/db/SystemKey

When backing up the System Keychain, it is important to also back up the SystemKey file, which contains the keys necessary to unlock it.

Use this Terminal command to back up the System Keychain, the System Key and the Login Keychain:

sudo cp /Library/Keychains/System.keychain /var/db/SystemKey ~/Library/Keychains/login.keychain [BACKUP_PATH]

Replace [BACKUP_PATH] with the path of your backup folder, on an external drive or thumb drive for instance. Be sure to also back up any other .keychain files that may be located in /Library/Keychains and ~/Library/Keychains.

How to import and restore System.keychain

On your new OS X installation, restore the keychain files with these commands:

KEYCHAINS=[BACKUP_PATH]
sudo cp "$KEYCHAINS/login.keychain" ~/Library/Keychains/login.keychain && sudo cp "$KEYCHAINS/System.keychain" /Library/Keychains/System.keychain && sudo cp "$KEYCHAINS/SystemKey" /var/db/SystemKey

Again, replace [BACKUP_PATH] with the location in which you backed up your Keychain files, KEYCHAINS=/Volumes/Thumbdrive/Keychains for instance.

Be aware that this will overwrite your fresh keychains, so make sure they don't contain any passwords you may have saved since re-installing OS X. In effect, this should be performed immediately after re-installing.

Having copied the System Key, you should now be able to successfully unlock the System Keychain on your new OS X installation.
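The backup and the pre-restore check described above can be wrapped in two shell functions. This is an added example, not part of the original post: the function names and the flat backup folder layout are assumptions, while the three source paths are the ones given in the article. It refuses to create a partial backup, verifies each copy, and restricts the backup to its owner because SystemKey stored next to System.keychain is all that is needed to unlock it.

```shell
#!/bin/sh
# Added example: function names and the backup layout are assumptions.
# Source paths are the ones named in the article; override them via the
# environment (e.g. LOGIN_KEYCHAIN) if sudo resets HOME on your system.
SYSTEM_KEYCHAIN=${SYSTEM_KEYCHAIN:-/Library/Keychains/System.keychain}
SYSTEM_KEY=${SYSTEM_KEY:-/var/db/SystemKey}
LOGIN_KEYCHAIN=${LOGIN_KEYCHAIN:-$HOME/Library/Keychains/login.keychain}

# backup_keychains DIR: copy all three files, or nothing if one is missing.
backup_keychains() {
    dest=$1
    # Check every source first so a partial backup is never created.
    for src in "$SYSTEM_KEYCHAIN" "$SYSTEM_KEY" "$LOGIN_KEYCHAIN"; do
        [ -r "$src" ] || { echo "cannot read $src" >&2; return 1; }
    done
    # SystemKey next to System.keychain is enough to unlock it, so keep
    # the backup folder and its files readable by the owner only.
    mkdir -p "$dest" && chmod 700 "$dest" || return 1
    for src in "$SYSTEM_KEYCHAIN" "$SYSTEM_KEY" "$LOGIN_KEYCHAIN"; do
        copy="$dest/$(basename "$src")"
        cp -p "$src" "$copy" && chmod 600 "$copy" || return 1
        # Byte-for-byte comparison catches a truncated or failed copy.
        cmp -s "$src" "$copy" || { echo "copy differs: $copy" >&2; return 1; }
    done
}

# check_backup DIR: run before restoring; fails unless the full set exists.
check_backup() {
    dir=$1
    for name in System.keychain SystemKey login.keychain; do
        [ -s "$dir/$name" ] || { echo "backup incomplete: $name" >&2; return 1; }
    done
}
```

Load the functions in a root shell, since the article's own commands need sudo, then call backup_keychains [BACKUP_PATH] before the reinstall and check_backup [BACKUP_PATH] before running the restore commands.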

Leave a comment to let me know if this works for you or if you have a more efficient way of doing this.

seb3point0

Host of The Interop and Epicenter. Founder of Interop Ventures.