Last Updated: November 12, 2021
· mroach_

Storing secrets in the macOS keychain

I like to keep all my "dotfiles" on GitHub: pretty much anything you'd find around ~/.<tab>. Configuration for zsh, bash, git, vim, tmux, pow, ssh, gpg, all sorts of things like that. Most of it is fine to release to the public, but a few values are secrets, like the GitHub token Homebrew uses to lift its API rate limit. So, how do you post configuration publicly while keeping the secrets private? On macOS this is easy using the Keychain.

The Keychain is where macOS stores things like account passwords and Wi-Fi network keys. It's encrypted on disk and unlocked when you log in.

To add an arbitrary string to the Keychain from the terminal, run:

security add-generic-password -a "$USER" -s 'Homebrew GitHub Token' -w 'qwerty123'

Where qwerty123 is the actual token you got from GitHub, or whatever you want the secret value to be. The -a argument sets the account name the item is attached to; here that is your own user.

Then in your .bashrc or .zshrc you can set up HOMEBREW_GITHUB_API_TOKEN like so:

export HOMEBREW_GITHUB_API_TOKEN=$(security find-generic-password -s 'Homebrew GitHub Token' -w)

The argument both commands share is -s, the service name: it is simply the label the secret is stored under, and it is what you look the item up by later. -w tells security to print only the password, with no other metadata, which is what makes it usable inside $(...).
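The two commands above are all you need on a single Mac. If the same dotfiles are also loaded on a machine without a Keychain (a Linux box, a CI runner), the bare $(security ...) line fails noisily every time a shell starts. The following wrapper is an added example, not part of the original post or of the author's dotfiles repo: it uses the same security add-generic-password / find-generic-password calls, defaults the account to the current user as the post does, and only exports a variable when the item actually exists. The function names, the KEYCHAIN_ACCOUNT variable and the -U flag (which lets add-generic-password update an item that already exists instead of failing) are my additions.

```bash
#!/usr/bin/env bash
# Added example: Keychain-backed secrets for a shared .zshrc/.bashrc.
# Not from the original post. Assumes the macOS `security` tool; on systems
# without it every function returns 1 quietly instead of breaking shell startup.

# Account the items are attached to (-a). Defaults to the current user, as in
# the post's add-generic-password command.
KEYCHAIN_ACCOUNT="${KEYCHAIN_ACCOUNT:-${USER:-$(id -un)}}"

# Returns 0 when the macOS `security` tool is on PATH.
has_keychain() {
    command -v security >/dev/null 2>&1
}

# Print only the password stored under the given service name (-s).
# Returns 1 and prints nothing when the tool or the item is missing, so a
# caller can tell "no secret configured" apart from an empty secret.
keychain_get() {
    local service="$1"
    has_keychain || return 1
    security find-generic-password -a "$KEYCHAIN_ACCOUNT" -s "$service" -w 2>/dev/null
}

# Store or replace a secret. -U updates an existing item rather than failing
# with "already exists" when the same service name is added twice.
# With no value argument, `security` prompts for the password interactively,
# so the token never lands in shell history or `ps` output.
keychain_set() {
    local service="$1"
    has_keychain || return 1
    if [ $# -ge 2 ]; then
        security add-generic-password -U -a "$KEYCHAIN_ACCOUNT" -s "$service" -w "$2"
    else
        security add-generic-password -U -a "$KEYCHAIN_ACCOUNT" -s "$service" -w
    fi
}

# Export an environment variable from a Keychain item only when the item
# exists. Otherwise the variable stays unset, which is what Homebrew expects
# when no token is configured.
export_from_keychain() {
    local var="$1" service="$2" value
    value="$(keychain_get "$service")" || return 1
    export "$var=$value"
}

# Usage in .zshrc / .bashrc (the `|| true` keeps a missing item from aborting
# a shell that runs with `set -e`):
export_from_keychain HOMEBREW_GITHUB_API_TOKEN 'Homebrew GitHub Token' || true
```

To store the token without putting it on the command line, run keychain_set 'Homebrew GitHub Token' with no second argument and type the value at the prompt; the post's one-liner with -w 'qwerty123' works too, but leaves the token in your shell history file.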

My GitHub repo of configuration files.
I symlink these all to their proper destinations.

2 Responses


over 1 year ago ·

Interesting, I'll have to try it.

over 1 year ago ·