Anything Like 1Password's SSH Agent?

Does anyone know about an app that does the same thing as 1Password’s SSH agent? In 1Password I can add all my SSH keys and set up the ~/.ssh/config file to use the 1Password agent; that way my keys are not in plain text on my hard drive.

I’d like to do the same thing, but with a different app, since I’ve moved all my passwords out to the Apple Passwords app. I know this is niche, but figured if anyone had any ideas it’d be this crowd.

Would it work to use the system ssh agent with passphrases on your keys?

I think you might be looking for GitHub - maxgoedjen/secretive: Store SSH keys in the Secure Enclave

Which gives you the experience of biometric unlock for ssh. But! Keep in mind since the private key is stored in the Secure Enclave, you cannot back them up. So you’d need to have a fallback mechanism for accessing your server if your device breaks.

Strongbox can do this in a KeePass file. I believe KeePassXC can also do it.


+1 Strongbox for the win!


Strongbox as mentioned below. I actually put my Strongbox data on our Synology server and sync all my devices to it when at home.

The system ssh agent would work, if I could store the keys in keychain and not on the filesystem. Right now I don’t believe that’s possible. You can temporarily store the keys in the ssh agent, but as soon as you log out or reboot those keys are gone, and need to be reloaded from the filesystem.

Secretive looks almost perfect, but last time I looked you couldn’t import keys, which, unfortunately, meant I couldn’t use it. Most of my keys come from AWS.

Strongbox is another password manager, right? I’m looking for something that does just the ssh key management.

Seems like the perfect SSH key manager actually doesn’t exist.


Assuming you’re generating ssh keys with a passphrase, you can add the passphrase to the keychain and configure ssh-agent to use the keychain to unlock the ssh keys.

Link to one of many tutorials on how to do this:


I looked into that, but it doesn’t work like I’d hoped. What I’d like to do is not have any ssh keys on my filesystem. This process only works till you log out or reboot, then you have to have the keys in ~/.ssh/ again.

What I’d like is to be able to store the keys themselves in keychain, and delete them from ~/.ssh/. 1Password lets me do this, but it doesn’t look like there’s a dedicated app that does just that.

Interesting, may I ask why? A private ssh key on disk which is secured with a passphrase is fairly secure.

Another option would be to put the ssh keys on a yubikey.

Agreed! Unfortunately I’m responsible for keys that I don’t generate. I’m a devops engineer, so I have an assortment of keys associated with different services in AWS, as well as keys that I’ve generated myself.


For the company keys, if they won’t provide you with a password manager, is there some other secrets manager you could hit to initialize keys in the system agent for your work session, and then clean up? It’d mean a small script, possibly already out there.
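The two suggestions above (the keychain-backed passphrase setup, and a small script that loads company keys into an agent for a work session and cleans up afterwards) as one added example. This is not code from the thread or from any of the tools mentioned; it assumes OpenSSH on macOS (`UseKeychain` is a macOS-only directive), and the command that fetches a key from the secrets manager is a placeholder you would replace with your store's CLI, for instance `aws secretsmanager get-secret-value --secret-id ... --query SecretString --output text`.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumptions: OpenSSH 8.x+ on
# macOS; FETCH_CMD below is a hypothetical command that prints a private key
# to stdout (swap in your secrets manager's CLI).
set -eu

# 1. Per-host stanza for the stock macOS agent. AddKeysToAgent loads the key
#    into the agent on first use; UseKeychain stores/reads its passphrase in
#    the login keychain. The key file itself still lives on disk.
render_keychain_stanza() {
    host="$1"; identity="$2"
    printf 'Host %s\n' "$host"
    printf '    AddKeysToAgent yes\n'
    printf '    UseKeychain yes\n'
    printf '    IdentityFile %s\n' "$identity"
    printf '    IdentitiesOnly yes\n'
}

# Same idea for an external agent (what 1Password or Secretive provide):
# point ssh at the agent's socket and give it no IdentityFile at all.
render_agent_stanza() {
    host="$1"; sock="$2"
    printf 'Host %s\n' "$host"
    printf '    IdentityAgent "%s"\n' "$sock"
    printf '    IdentitiesOnly yes\n'
}

# 2. Work-session agent for keys you did not generate. Runs COMMAND inside a
#    dedicated ssh-agent: the key text is piped straight into `ssh-add -`
#    (reads from stdin) with an 8h lifetime cap, and ssh-agent exits, taking
#    the identity with it, when COMMAND finishes. No key file is ever written.
# Usage: with_session_key FETCH_CMD COMMAND [ARG...]
with_session_key() {
    fetch_cmd="$1"; shift
    ssh-agent sh -c '
        fetch_cmd="$1"; shift
        sh -c "$fetch_cmd" | ssh-add -t 8h - >/dev/null
        "$@"
    ' _ "$fetch_cmd" "$@"
}

# Demo (only when SSH_SESSION_DEMO is set, so the file is safe to source):
if [ -n "${SSH_SESSION_DEMO:-}" ]; then
    render_keychain_stanza personal.example.com "$HOME/.ssh/id_ed25519"
    render_agent_stanza '*' "$HOME/Library/Group Containers/2BUA8C4S2C.com.1password/t/agent.sock"
    # FETCH_CMD is hypothetical; e.g. an `aws secretsmanager get-secret-value` call.
    with_session_key "${FETCH_CMD:-cat /dev/null}" ssh-add -l
fi
```

The session helper answers the "keys I don't generate" case: the key never touches `~/.ssh/`, the agent is scoped to one shell, and `-t 8h` bounds the exposure even if the cleanup never runs. Keys you generate yourself can stay passphrase-protected on disk with the first stanza, which is the tradeoff the thread already discusses.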

Well, looks like I’ll stick with 1Password for the time being. Thanks for your input everyone!