@elipapa
Last active August 4, 2019 19:10
launchd job that I use to back up Mac OS X keychains to an encrypted disk image.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.elipapa.keychain-backup</string>
    <key>OnDemand</key>
    <true/>
    <key>ProgramArguments</key>
    <array>
        <string>/Users/elipapa/Dropbox/OSXdotfiles/keybak/keychains_backup.sh</string>
    </array>
    <key>RunAtLoad</key>
    <false/>
    <key>StandardErrorPath</key>
    <string>/Users/elipapa/Library/Logs/elipapa.keychains_backup.err.log</string>
    <key>StandardOutPath</key>
    <string>/Users/elipapa/Library/Logs/elipapa.keychains_backup.log</string>
    <key>WatchPaths</key>
    <array>
        <string>/Users/elipapa/Library/Keychains/</string>
    </array>
</dict>
</plist>

#!/usr/bin/env zsh
## Back up all the passwords.
# Passwords are all in the keychain. There are also some tokens in the home directory.
# I back them up (Nov 2015) in these places:
#   1. Time Machine to NAS - when I am home and it happens
#   2. iCloud keychain backup (automatic) - every update, just a sync
#   3. borg repo on Dropbox - every update,
#      keeping all of the past day, 1 per day of the week, 4 weekly, 6 monthly

# Unencrypted rsync copy (this is now taken care of by Time Machine):
# # sync all keychains whenever they change - this is the trigger because it's more frequent
# rsync -av ~/Library/Keychains/ ~/Backup/Keychains/
# # also save ssh keys (counts as keychain, doesn't it?) and gnupg key
# rsync -av /Users/elipapa/.ssh ~/Backup/homedir/.ssh
# rsync -av /Users/elipapa/.gnupg ~/Backup/homedir/.gnupg
# # all local API tokens, variables and paths that are not normally in public repo
# for f in ~/.*.local; do cp $f ~/Backup/homedir/; done
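
## borg backup setup
## see https://borgbackup.readthedocs.org/en/stable/quickstart.html
REPOSITORY=~/Dropbox/Borgbackups
# Read the repository passphrase from the keychain (generic password, account "borg")
export BORG_PASSPHRASE="$(security find-generic-password -a borg -w)"

# Write a timestamped header to stderr (the plist sends it to StandardErrorPath)
echo "=============================" 1>&2
date +%H:%M:%S 1>&2
echo "Keychain modified. Attempting to run borg backup" 1>&2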

# Back up the login keychain, the SSH and GnuPG directories, ~/.aws and the
# local (non-public) dotfiles into a new timestamped archive
borg create --compression zlib --stats -v \
    "${REPOSITORY}::keychains-$(date +%Y_%m_%d-%H_%M_%S)" \
    ~/Library/Keychains/login.keychain \
    ~/.ssh \
    ~/.gnupg \
    ~/.gitconfig.local \
    ~/.zshenv.local \
    ~/.aws

# Use the `prune` subcommand to keep every archive from the last day plus
# 7 daily, 4 weekly and 6 monthly archives. --prefix keychains- is very
# important: it limits prune's operation to the archives created by this
# script and leaves any other archives in the repository alone.
borg prune -v "$REPOSITORY" --prefix keychains- \
    --keep-daily=7 --keep-weekly=4 --keep-monthly=6 --keep-within 1d

elipapa commented Oct 21, 2015

Use this by writing in the shell:

cd ~/Dropbox/OSXdotfiles # I keep a lot of stuff in Dropbox, ymmv
git clone https://gist.github.com/elipapa/81251ec54f08e86a4819 keybak
# absolute target: a relative one would be resolved against ~/Library/LaunchAgents/ and dangle
ln -s "$PWD/keybak/com.elipapa.keychains-backup.plist" ~/Library/LaunchAgents/
launchctl load ~/Library/LaunchAgents/com.elipapa.keychains-backup.plist # make sure you are the same user as the plist file when you run this
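
launchd runs the script named in ProgramArguments on every change under WatchPaths, and that script reads the borg passphrase from the keychain, so the script and every directory above it should be writable only by the owning user. The preflight check below is an added example, not part of the original gist; the function names `is_tamper_resistant` and `audit_chain` are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the gist. Function names are hypothetical.
# launchd runs ProgramArguments[0] as the logged-in user on every WatchPaths
# event, so a script that others can rewrite runs with keychain access.

# is_tamper_resistant PATH
# Returns 0 when PATH exists, is owned by the current user and is not
# writable by group or other; returns 1 otherwise.
is_tamper_resistant() {
    [ -e "$1" ] || return 1
    # -H follows a symlink given on the command line (the LaunchAgents entry
    # is one); -prune stops find from descending into directories.
    hit=$(find -H "$1" -prune -user "$(id -u)" \
              ! -perm -020 ! -perm -002 -print 2>/dev/null)
    [ -n "$hit" ]
}

# audit_chain FILE [STOP_DIR]
# Checks FILE and each parent directory up to STOP_DIR (default: $HOME).
# Prints every unsafe component to stderr; returns 1 if any was found.
audit_chain() {
    path=$1
    stop=${2:-$HOME}
    bad=0
    while :; do
        if ! is_tamper_resistant "$path"; then
            echo "UNSAFE (wrong owner or group/world-writable): $path" >&2
            bad=1
        fi
        case $path in "$stop"|/|.) break ;; esac
        path=$(dirname "$path")
    done
    return "$bad"
}

# When run directly with arguments, audit each one and exit non-zero on failure.
if [ "$#" -gt 0 ]; then
    status=0
    for p in "$@"; do
        audit_chain "$p" || status=1
    done
    exit "$status"
fi
```

Run it with the path to keychains_backup.sh and the installed plist as arguments before `launchctl load`. File permissions do not cover changes that arrive through Dropbox sync from another linked device.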
