Accessing Apple's iCloud Synced Passwords Keychain

Some notes on accessing Apple's iCloud Synced Passwords Keychain

(Note: I originally collated/posted a number of the below resources on a comment on Reddit (Ref, before creating this gist to keep better track of them)

Potentially relevant/related:

https://github.com/leolabs/alfred-icloud-passwords
- One option I found, untested/unsure if safe/still works/etc
- Supposedly current issues on Ventura: leolabs/alfred-icloud-passwords#1
https://github.com/neilkimmett/keychain-workflow
- Another option I found, untested/unsure if safe/still works/etc
Older thread about the same issue, though unsure if the methods within it are still relevant: https://www.alfredforum.com/topic/3975-can-alfred-search-the-mac-keychain/page/2/
One of the above linked to this as a potential option, though I haven't tested it yet
- https://ss64.com/osx/security.html
  - https://ss64.com/osx/security-password-mgt.html
    - security find-internet-password -a myaccount -s myservice -g
    - security find-generic-password -a myaccount -s myserver -g
https://apple.stackexchange.com/questions/233078/backup-icloud-keychain/459217#459217
- Backup iCloud Keychain
https://apple.stackexchange.com/questions/238296/dump-icloud-keychain-in-terminal/321649#321649
- This 'Ask Different' StackExchange answer suggests that the iCloud Keychain is stored in a different format to usual, within the ~/Library/Keychains/<UUID> folder
  - Ref 1: https://gist.github.com/rmondello/b933231b1fcc83a7db0b (Exporting (iCloud) Keychain and Safari credentials to a CSV file)
  - Ref 2: https://github.com/lifepillar/CSVKeychain (CSVKeychain AppleScript script)
https://apple.stackexchange.com/questions/168512/restore-an-older-version-of-icloud-keychain/346104#346104
- This 'Ask Different' StackExchange answer seems to confirm that the iCloud Keychain is stored in ~/Library/Keychains/<UUID> folder
https://apple.stackexchange.com/questions/342042/how-can-i-query-the-hardware-uuid-of-a-mac-programmatically-from-a-command-line
- This 'Ask Different' StackExchange answer shows how we can look up our macOS hardware UUID, which just so happens to be the UUID used in the ~/Library/Keychains/<UUID> path
- ioreg -d2 -c IOPlatformExpertDevice | awk -F\" '/IOPlatformUUID/{print $(NF-1)}'
https://blog.elcomsoft.com/2020/08/extracting-and-decrypting-ios-keychain-physical-logical-and-cloud-options-explored/
- While this article is talking about accessing iOS Keychain data, my assumption is that the same sorts of methods may be relevant for accessing the iCloud Synced keychain on macOS; specifically the parts that talk about keychain-2.db
- Apple Keychain Parsing in BlackLight: https://cellebrite.com/en/apple-keychain-parsing-in-cellebrite-inspector/
https://apple.stackexchange.com/questions/137250/export-keychains
- A few methods for accessing data from keychains
https://apple.stackexchange.com/questions/168487/export-icloud-items-from-keychain-to-csv
- Export iCloud items from Keychain to CSV
https://apple.stackexchange.com/questions/220082/move-item-from-icloud-keychain-to-normal-keychain
- Move item from iCloud keychain to normal keychain
https://apple.stackexchange.com/questions/127869/icloud-keychain-view-online
- iCloud Keychain - view online
https://apple.stackexchange.com/questions/415553/icloud-keychain-encryption
- iCloud Keychain encryption
https://apple.stackexchange.com/questions/387416/does-apple-save-a-hashed-version-of-my-device-passwords
- Does Apple save a (hashed) version of my device passwords?

While the following aren't directly relevant, a few other resources I found while looking for a solution myself:

https://eclecticlight.co/2019/09/05/how-to-back-up-your-icloud-keychain/
- Basically suggests that you can force the iCloud Keychain to sync to one of your local keychains (which can then be accessed/backed up/etc) by temporarily disabling iCloud Keychain syncing.

0xdevalias/accessing-apple-icloud-synced-password-keychain.md

Accessing Apple's iCloud Synced Passwords Keychain