Today, I was trying to restore the contents of the System keychain on my Mac OS X machine.
Luckily, I had a copy of the System.keychain file lying around, so I copied it as /tmp/System.keychain and rebooted my computer in single-user mode [1].
In single-user mode:
mv /tmp/System.keychain /Library/Keychains
exit
However, I found out that System.keychain was apparently being wiped out during boot: the Keychain application showed it was empty instead of containing the expected entries. Looking at /var/log/system.log I found this intriguing log line:
Jan 10 20:46:12 foo _locationd[86]: Recreating System.keychain because it cannot unlock; see /usr/libexec/security-checksystem
Jan 10 20:46:12 foo systemkeychain[79]: done file: /var/run/systemkeychaincheck.done
Turns out that /usr/libexec/security-checksystem just dies with the following error code: CSSMERR_DL_DATASTORE_ALREADY_EXISTS. I couldn't find any explanation of what it means.
It also turns out that /usr/libexec/security-checksystem is just a shell script, and it contains some very interesting lines:
KEYCHAIN=/Library/Keychains/System.keychain
KEY=/var/db/SystemKey
So, it seems that the System.keychain file is actually protected (encrypted) using a system key which is stored inside /var/db/SystemKey. Fortunately for me, Mac OS X keeps timestamped copies of both the System.keychain and SystemKey files:
ls /var/db/SystemKey*
SystemKey
SystemKey.2013-01-10.20:46:12
...
So, in order to make /usr/libexec/security-checksystem happy, the only thing I had to do was to restore the right SystemKey backup file (which is easily done by looking at the timestamp). After doing this, and also restoring the matching version of the System.keychain, I double-checked that /usr/libexec/security-checksystem ran silently. Rebooting the system demonstrated that the System keychain survives the boot process and is not recreated anymore 🙂
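The "look at the timestamp" step above is easy to get wrong by hand when there are several SystemKey.* backups, so here is a small POSIX sh helper that does it mechanically. This is an added example, not the script from the page or anything Apple ships: it assumes that the backup naming seen above (SystemKey.YYYY-MM-DD.HH:MM:SS) is the copy that security-checksystem writes at the moment it recreates the keychain, so the backup whose name carries the same month, day and time as the "Recreating System.keychain" line in system.log is the key that unlocks the old keychain. Since syslog lines carry no year, the match is done on the -MM-DD.HH:MM:SS suffix only. The log lines and backup files are constructed here, in a temporary directory, purely so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the original post): locate the SystemKey backup that
# corresponds to the "Recreating System.keychain" event recorded in system.log.

# Map a syslog month abbreviation to its two-digit number.
month_number() {
    case "$1" in
        Jan) echo 01 ;; Feb) echo 02 ;; Mar) echo 03 ;; Apr) echo 04 ;;
        May) echo 05 ;; Jun) echo 06 ;; Jul) echo 07 ;; Aug) echo 08 ;;
        Sep) echo 09 ;; Oct) echo 10 ;; Nov) echo 11 ;; Dec) echo 12 ;;
        *) return 1 ;;
    esac
}

# Print "MM-DD.HH:MM:SS" taken from the first recreation line in log file $1.
recreate_stamp() {
    set -- $(awk '/Recreating System.keychain/ { print $1, $2, $3; exit }' "$1")
    [ $# -eq 3 ] || return 1                  # no recreation event logged
    mon=$(month_number "$1") || return 1
    day=$(printf '%02d' "$2")                 # syslog pads days with a space, not a zero
    printf '%s-%s.%s\n' "$mon" "$day" "$3"
}

# Print the path of the SystemKey backup in directory $1 whose name ends with
# the stamp extracted from log file $2; fail if there is no such backup.
find_matching_backup() {
    stamp=$(recreate_stamp "$2") || return 1
    for f in "$1"/SystemKey.*-"$stamp"; do
        [ -e "$f" ] && { echo "$f"; return 0; }
    done
    return 1
}

# Build a constructed fixture (fake /var/db and system.log) and print its path.
make_fixture() {
    dir=$(mktemp -d) || return 1
    : > "$dir/SystemKey"                      # current (non-matching) key
    : > "$dir/SystemKey.2012-12-01.09:15:33"  # older backup, must not be chosen
    : > "$dir/SystemKey.2013-01-10.20:46:12"  # backup written at recreation time
    cat > "$dir/system.log" <<'EOF'
Jan 10 20:45:58 foo kernel[0]: constructed unrelated line
Jan 10 20:46:12 foo _locationd[86]: Recreating System.keychain because it cannot unlock; see /usr/libexec/security-checksystem
Jan 10 20:46:12 foo systemkeychain[79]: done file: /var/run/systemkeychaincheck.done
EOF
    echo "$dir"
}

# Demo run on the constructed fixture.
fixture=$(make_fixture)
find_matching_backup "$fixture" "$fixture/system.log"
rm -rf "$fixture"
```

On a real machine you would point find_matching_backup at /var/db and /var/log/system.log, copy the reported backup over /var/db/SystemKey together with the System.keychain copy from the same time, and then run /usr/libexec/security-checksystem by hand: as the post notes, a silent run is the sign that the key and keychain pair up again, whereas CSSMERR_DL_DATASTORE_ALREADY_EXISTS means they still do not.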
[1] To reboot in single-user mode, just hold Command+S during boot.