by pudquick 3536 days ago
This is different than in prior macOS versions.

In prior versions, it was stored in Login keychain, which was not synchronized.

Additionally, the items were visible in the security command line tool and in Keychain Access, so you could delete them.

The Local Items keychain / iCloud Keychain is a new style keychain that was backported from iOS. The security and Keychain Access tools have no visibility into it; it's 100% handled by the secd service.

Edit: Ah, sorry, you meant in Sierra specifically. Yes. But I'll leave these clarifying details here for posterity :)

Edit2: Additional detail - in prior OSes, there was a GUI prompt asking if you wanted to store the passphrase in the keychain. This is gone now. It just does it (unless you preemptively edited the ssh config file to disable keychain storage in advance)

Edit3: Can confirm that "ssh-add -K -d" does in fact delete the passphrase from the keychain, even though it may throw an agent error.
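Edit2 above says the passphrase is stored unless the ssh config was edited in advance. As an added example (not code from this thread or from its posters), the POSIX sh function below reports which UseKeychain value Apple's OpenSSH client would obtain for a given host from a config file, and the two constructed sample configs show why the order of Host blocks decides whether a "no" takes effect; UseKeychain is the real Apple option name, the host names are made up.

```shell
# Added example, not from the thread: audit an OpenSSH client config for Apple's
# UseKeychain option (what the Sierra ssh consults before storing a passphrase in the
# keychain). ssh_config is first-obtained-value-wins: the first UseKeychain reached in
# a matching Host block applies, so "no" placed after a matching "Host *" is ignored.
set -f   # no pathname expansion: "Host *" must stay a literal pattern

# effective_usekeychain CONFIG_FILE HOSTNAME -> prints yes, no or unset
# (Host glob patterns handled; Match blocks and "!" negation are not)
effective_usekeychain() {
    cfg=$1; target=$2; found=""; active=1
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                 # drop comments
        set -- $line                     # split into keyword and arguments
        [ $# -ge 2 ] || continue
        key=$(printf '%s' "$1" | tr 'A-Z' 'a-z'); shift
        case $key in
            host)                        # block applies if any pattern matches
                active=0
                for pat in "$@"; do
                    case $target in $pat) active=1 ;; esac
                done ;;
            usekeychain)                 # first value in a matching block wins
                if [ "$active" -eq 1 ] && [ -z "$found" ]; then
                    found=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
                fi ;;
        esac
    done < "$cfg"
    printf '%s\n' "${found:-unset}"
}

# Constructed sample: the "no" for build hosts never applies, because "Host *"
# matches first and its "yes" is the value obtained.
sample_misordered() {
    cat <<'EOF'
Host *
    UseKeychain yes
Host build-*.example.test
    UseKeychain no
EOF
}

# Constructed sample with the specific block first: build hosts get "no", the rest "yes".
sample_ordered() {
    cat <<'EOF'
Host build-*.example.test
    UseKeychain no
Host *
    UseKeychain yes
EOF
}
```

Run `sample_misordered > /tmp/cfg; effective_usekeychain /tmp/cfg build-7.example.test` to see the misordered file still answer `yes`.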


> The security and Keychain Access tools have no visibility into it, it's 100% handled by the secd service.

That's not quite true: Keychain Access can write to the Local Items keychain, but not everything in Local Items is visible to Keychain Access. Apple changed ssh to store private key passphrases differently than before, in a way that's invisible to Keychain Access. However, you can freely move / copy entries from, say, your login keychain to Local Items with Keychain Access, and vice versa, and they would remain visible.

Fortunately, the Local Items keychain, stored in ~/Library/Keychains/<UUID>/keychain-2.db is just a sqlite3 database, with (presumably) encrypted fields. If you run "ssh -vvv" you can even see the query.

> Edit3: Can confirm that "ssh-add -K -d" does in fact delete the passphrase from the keychain, even though it may throw an agent error.

Huh, I thought I'd tried that before resorting to more drastic measures. Or maybe "-d" works but not "-D", hmm, or maybe I'd neglected to also pass "-K".