Skip to content


Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?

Latest commit


Git stats


Failed to load latest commit information.
Latest commit message
Commit time


Export secrets from the Lockdown Mac/iOS two-factor authentication app

I use the Lockdown app to manage my TOTP two-factor authentication on my iPhone, iPad and Mac. While it has a convenient iCloud-based sync functionality to keep all of these devices in sync, it does not have a convenient way to export all the secrets for backup or migration purposes (the iOS app does have a backup feature that will email or print a PDF with a QR code, service name and login for each service, but that's not usable if you are planning on migrating from macOS to Linux as I am).

ldexport is a tool to fix that. It runs on the Mac and exports the app's secrets in either:

  • JSON
  • HTML (suitable for printing as hardcopy backup, e.g. as part of an emergency in-case of file) (although you may want to take precautions in case you are burglarized, e.g. put it in a safe deposit box or leave it with your attorney).


You need Go installed (tested with Go 1.12.7 and 1.15.5):

go install

your $GOPATH/bin will have a single executable ldexport

I have included a binary version (compiled using Go 1.15.5 on 10.14.6 Mojave) for those who don't have Go, but it's not good or safe practice to rely on binary software from some random person on the Internet for such security-critical data...

The checksums are:

fafnir ~/ldexport>gsha1sum ldexport
6ea3a5931cc74ed71a4413da84f92437d9e20154  ldexport
fafnir ~/ldexport>gsha256sum ldexport
1fab84e681886abdda51cd41d24a8e325b07a24399822ceec96d6b97069efc96  ldexport


Usage of ./ldexport:
  -a	also include archived secrets
    	export in HTML format

By default it exports to JSON, but with -html it will output a self-contained single-file HTML to standard output.

It will not export Lockdown's "archived" secrets by default, because presumably you archived them for a reason, but adding the -a flag will also include them.

Sample JSON output

(fake credentials, of course)

    "Service": "Amazon",
    "Login": "",
    "Created": "2015-11-18T19:53:34.969532012Z",
    "Modified": "2015-11-18T19:53:34.969532012Z",
    "URL": "otpauth://totp/",
    "Favorite": true,
    "Archived": false
    "Service": "PayPal",
    "Login": "",
    "Created": "2019-11-25T08:46:57.253684043Z",
    "Modified": "2019-11-25T08:46:57.253684043Z",
    "URL": "otpauth://totp/",
    "Favorite": false,
    "Archived": false
    "Service": "Reddit",
    "Login": "johndoe",
    "Created": "2020-08-07T19:58:37.930042982+01:00",
    "Modified": "2020-08-07T19:58:37.930042982+01:00",
    "URL": "otpauth://totp/Reddit:johndoe?secret=nDTxDMI6bEgVpHWCViZjDFhXKH1bysRa&issuer=Reddit",
    "Favorite": true,
    "Archived": false
    "Service": "GitHub",
    "Login": "",
    "Created": "2016-05-04T19:04:12.495128989+01:00",
    "Modified": "2017-04-04T06:33:10.641680002+01:00",
    "URL": "otpauth://totp/",
    "Favorite": false,
    "Archived": false
    "Service": "Google",
    "Login": "",
    "Created": "2015-11-13T05:06:07.103500008Z",
    "Modified": "2015-11-13T05:06:07.103500008Z",
    "URL": "otpauth://totp/",
    "Favorite": false,
    "Archived": false

Sample HTML output

Sample HTML output

Technical details

The Mac version of Lockdown saves its secrets in a plist file, which in turn contains a nested binary blob of a plist file in Apple's crackpot NSKeyedArchiver format. This code is probably very brittle to future changes in Lockdown's format.



Export secrets from the Lockdown Mac/iOS two-factor authentication app







No releases published


No packages published