Plaintext SSH keys on disk, scattered ~/.ssh directories, and unsigned Git commits are common sources of credential leaks and supply chain risk. A single private key left in ~/.ssh/id_rsa, copied to a second machine, or forgotten on an old laptop is enough to compromise every host and repository it unlocks. And without commit signing, anyone with push rights can author Git commits that appear to be from you.

1Password eliminates these risks by keeping your SSH keys encrypted and off disk, and by enabling you to sign Git commits without needing a GPG key. With 1Password for SSH and Git, you can:
  • Manage your SSH keys so you can easily generate, import, and store all your SSH keys, and share your public keys with the services, platforms, and people who need them.
  • Authenticate SSH and Git connections for your terminal and GUI clients in the same way you unlock your 1Password desktop app, like with Touch ID, Apple Watch, or Linux system authentication.
  • Sign Git commits and tags with the SSH keys you’ve stored in 1Password so others can verify your changes are authentic.
  • Use multiple Git identities on the same machine for authenticating and signing Git commits over SSH without switching keys in and out of your agent.
  • Forward SSH requests and authenticate Git and SSH commands from remote workstations, cloud development environments, and in WSL through the 1Password SSH agent running on your local machine.
  • Customize SSH agent behavior to help manage multiple SSH keys so you can make sure the right SSH key is matched to each SSH host.
Not sure where to start? To get started quickly, generate or import an SSH key in 1Password, turn on the SSH agent, then start using 1Password to authenticate your SSH and Git connections.

Manage your SSH keys

Streamline your SSH key management by keeping your public keys, fingerprints, and private keys in 1Password to access anytime you need to use them. 1Password ensures your private keys are secured with end-to-end encryption and are never written to disk.
  • Generate new SSH keys: Use the apps or 1Password CLI to quickly generate new SSH keys and save them in 1Password, including the public keys, fingerprints, and private keys. Keys saved in 1Password are automatically available to the 1Password SSH agent for authenticating SSH requests.
  • Import existing keys: Secure your existing SSH keys by importing them into 1Password, then remove any local copies on your disk. You can use 1Password Developer Watchtower to check your local ~/.ssh folder for SSH keys and to get security alerts and recommendations to improve your SSH key management.
  • Share public keys: Use 1Password to autofill public keys in your Git or cloud provider accounts. You can also copy or download the public keys and fingerprints from your SSH Key items to share them with the services and people who need them.
1Password supports Ed25519 and RSA keys (2048, 3072, and 4096-bit) in PKCS#1, PKCS#8, and OpenSSH formats.
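
As an added example (not 1Password's code, and not how Developer Watchtower is implemented), the shell functions below check a directory such as ~/.ssh for leftover private-key files in the PKCS#1, PKCS#8 and OpenSSH formats and report whether each one is passphrase-protected. The function names and the --scan switch are hypothetical.

```shell
#!/bin/sh
# Added example: read-only audit for private-key files left on disk.
# classify_key and audit_keys are hypothetical names; no key material is printed.

# Print "plaintext", "encrypted" or "not-a-key" for one file.
classify_key() {
  f=$1
  hdr=$(sed -n '/-----BEGIN .*PRIVATE KEY-----/{p;q;}' "$f" 2>/dev/null)
  [ -n "$hdr" ] || { echo not-a-key; return 0; }
  case $hdr in
    *'BEGIN ENCRYPTED PRIVATE KEY'*)   # PKCS#8, passphrase-protected
      echo encrypted ;;
    *'BEGIN PRIVATE KEY'*)             # PKCS#8, unprotected
      echo plaintext ;;
    *'BEGIN OPENSSH PRIVATE KEY'*)
      # The base64 body decodes to "openssh-key-v1\0", a 4-byte length, then
      # the cipher name. A cipher name of "none" means no passphrase.
      cipher=$(sed '/^-----/d' "$f" | tr -d ' \r\n' | base64 -d 2>/dev/null |
               dd bs=1 skip=19 count=4 2>/dev/null)
      if [ "$cipher" = none ]; then echo plaintext; else echo encrypted; fi ;;
    *)                                 # PKCS#1 and other legacy PEM types
      # Legacy PEM encryption is marked by a Proc-Type header line.
      if grep -q '^Proc-Type: 4,ENCRYPTED' "$f"; then echo encrypted
      else echo plaintext; fi ;;
  esac
}

# Report every private key under a directory (default: ~/.ssh) as
# "<state><TAB><path>". Public keys (*.pub) are not reported.
audit_keys() {
  dir=${1:-$HOME/.ssh}
  find "$dir" -type f 2>/dev/null | while IFS= read -r f; do
    state=$(classify_key "$f")
    [ "$state" = not-a-key ] || printf '%s\t%s\n' "$state" "$f"
  done
}

# Run as: sh audit-keys.sh --scan [directory]
if [ "${1:-}" = "--scan" ]; then audit_keys "${2:-}"; fi
```

Files reported as plaintext are the ones to import and delete first; encrypted files are still local copies of the key.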

Manage your SSH keys

Secure your SSH keys in 1Password to access anytime you need them.

Autofill public keys

Use the browser extension to fill your public keys in your Git or cloud platforms.

Developer Watchtower

Check for SSH keys stored on your local disk and remediate any security issues.

Authenticate SSH and Git connections

The 1Password SSH agent runs in the background to handle authentication on behalf of your SSH and Git clients, replacing the standard OpenSSH agent. Instead of loading your private keys into an in-memory agent that any process can use, the 1Password SSH agent security model makes sure your encrypted private keys never leave 1Password and are never used without your consent. Any eligible SSH Key item in your Personal, Private, or Employee vault is automatically available to the agent once it’s turned on. To use it with your SSH and Git clients:
  1. Turn on the 1Password SSH agent in the desktop app.
  2. Configure your SSH or Git client to use the agent for authentication.
  3. Run an ssh or git command as usual and authorize the request when 1Password prompts you.
After approving a request, you can continue using the same SSH key for that application without being prompted again until 1Password locks or quits. You can also configure your authorization settings to prompt more or less frequently.

Get started with 1Password for SSH

Set up the SSH agent so you can authenticate your SSH requests from 1Password.

SSH client compatibility

Check which SSH, Git, and SFTP clients are compatible with the 1Password SSH agent.

About the 1Password SSH agent

Learn more about configuration options for the SSH agent and how to make your keys available to use with the agent.

About 1Password SSH agent security

Learn more about the SSH agent authorization model and how 1Password differs from OpenSSH.

Sign Git commits with SSH

Git 2.34 and later supports signing Git commits and tags with SSH keys. Save your signing keys in 1Password to use with Git hosts like GitHub, GitLab, and Bitbucket, which can verify SSH-signed commits.

Sign Git commits with SSH

Configure commit signing globally or per-repository and verify signatures.

Sign commits in remote environments

Use SSH agent forwarding to sign commits in a cloud development environment or remote workstation.

Sign commits in WSL

Configure commit signing in WSL using the 1Password SSH agent running on your Windows host.

Use multiple Git identities on the same machine

If you use multiple Git identities on the same machine — for example, separate accounts for work and personal projects — you can configure SSH host aliases for each identity. This tells your SSH clients which key to use when authenticating, and lets you configure each directory to sign commits with the matching key.
  1. Download the SSH public keys from 1Password that you use to authenticate each Git account and save them in your ~/.ssh/ directory.
  2. Define SSH host aliases (Host) for each Git identity in your ~/.ssh/config file and use the IdentityFile directive to point to the public key you downloaded for each alias, then update the Git remote URL for each Git repository to use the new host alias.
  3. Configure commit signing for your different Git identities by using the includeIf directive in your ~/.gitconfig file so each directory uses the matching public signing key.
Set your Git username and email per repository: If your Git identities use a different user.name and user.email, you can set them from the root level of each repository using git config user.name "Your Name" and git config user.email your@email.com.
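
The three steps above, written out as an added example (not taken from 1Password's documentation or code): the script writes sample ~/.ssh/config and ~/.gitconfig contents into a scratch directory so they can be reviewed before being merged into the real files. The alias names personalgit and workgit, the key file names, github.com as the Git host and the ~/work/ directory are assumptions, and the setup that lets Git reach the 1Password SSH agent for signing is not shown.

```shell
#!/bin/sh
# Added example. Writes only into the directory passed as $1, never into the
# real ~/.ssh/config or ~/.gitconfig. Alias names, key file names and the
# ~/work/ directory are hypothetical.

write_identity_config() {
  d=$1
  mkdir -p "$d/.ssh"
  # Step 2: one Host alias per identity. IdentityFile points at the PUBLIC key
  # from step 1; IdentitiesOnly limits the offer to that one key.
  cat > "$d/.ssh/config" <<'EOF'
Host personalgit
  HostName github.com
  User git
  IdentityFile ~/.ssh/personal_git.pub
  IdentitiesOnly yes

Host workgit
  HostName github.com
  User git
  IdentityFile ~/.ssh/work_git.pub
  IdentitiesOnly yes
EOF
  # Step 3: sign with the personal key by default and with the work key for
  # every repository below ~/work/ (the trailing slash makes gitdir recursive).
  cat > "$d/.gitconfig" <<'EOF'
[gpg]
  format = ssh
[commit]
  gpgsign = true
[user]
  signingkey = ~/.ssh/personal_git.pub
[includeIf "gitdir:~/work/"]
  path = ~/.gitconfig-work
EOF
  printf '[user]\n  signingkey = ~/.ssh/work_git.pub\n' > "$d/.gitconfig-work"
}

# Print the IdentityFile configured for one Host alias in an ssh config file.
identity_for_alias() {
  awk -v want="$2" '
    $1 == "Host"                            { current = $2 }
    $1 == "IdentityFile" && current == want { print $2 }
  ' "$1"
}

# Step 2, continued, per repository: git remote set-url origin git@workgit:<org>/<repo>.git
if [ "${1:-}" = "--demo" ]; then write_identity_config "${2:-./identity-demo}"; fi
```

After merging the fragments, `ssh -G workgit` prints the hostname and identityfile that OpenSSH resolves for an alias without opening a connection.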

Download your public keys

Download the public keys from your SSH Key items in 1Password.

Configure SSH host aliases

Define SSH host aliases for each Git identity so the correct SSH keys are used to authenticate your SSH requests.

Forward SSH requests

1Password can help improve your experience when working in remote environments where you need to make SSH requests, like running Git commands and signing commits. Configure your remote host to allow SSH requests to be forwarded to the 1Password SSH agent on your local machine, then authorize those requests with biometrics without your private keys ever leaving the local 1Password process.

Remote environments

Authenticate SSH and Git requests from within CDEs and remote workstations.

SSH agent forwarding security

Best practices for scoping SSH agent forwarding to trusted hosts.

Forward SSH requests from WSL

Forward SSH and Git requests from WSL to the 1Password SSH agent on your Windows host.

Customize SSH agent behavior

When you attempt to authenticate with a server over SSH, the agent works with your SSH clients to offer your public keys one by one until the server acknowledges one that works. By default, every eligible SSH key in your Personal, Private, or Employee vault is made available to the 1Password SSH agent. OpenSSH servers are configured to have a six-key limit for authentication attempts, which means you could run into authentication failures if you manage more than six SSH keys. To mitigate this issue, you can configure SSH agent behavior so your SSH keys are matched to specific hosts and to control which keys the agent offers to servers and in what order.

Match SSH keys with specific hosts

To avoid authentication failures and make sure the correct key is matched to a specific SSH host, you can:
  • Create SSH Bookmarks in 1Password: SSH Bookmarks are host URLs you can add to your SSH Key items in 1Password that let you connect to SSH hosts directly from 1Password, without manually entering commands in the terminal. You can create a bookmark using the Bookmark option in the SSH agent activity log, or by adding a custom field to an SSH Key item in 1Password. You can also generate an SSH Bookmarks config file (~/.ssh/1Password/config) that 1Password automatically manages, which can prevent you from running into the six-key server limit.
  • Configure your SSH config file: Download the public key from your SSH item in 1Password and save it in your ~/.ssh directory. Then manually edit your ~/.ssh/config file to add a Host block that sets IdentityFile to the path of your public key. This lets your SSH clients know which key to use when connecting to SSH servers.

SSH Bookmarks

Bookmark hosts in your SSH Key items and launch SSH connections directly from 1Password.

Avoid the six-key limit

Match keys to specific hosts with IdentityFile or the agent config file.

Control the order of keys offered to servers

You can use the 1Password SSH agent config file to give you fine-grained control over which keys the agent offers and in what order. With the agent config file, you can:
  • Use SSH keys from shared or custom vaults: Choose specific keys, vaults, or accounts to make available to the agent.
  • Avoid the six-key server limit: Specify the order the agent uses to offer your keys to SSH servers, to prevent running into the six-key authentication limit on most servers.
  • Keep different configurations per machine: Customize how you use the SSH agent on each device. For example, you can configure the agent config file on your work laptop to only surface work keys.
You can use the agent config file alongside your SSH client config file (~/.ssh/config) and with SSH Bookmarks.

Create an SSH agent config file

Control which keys the agent offers and in what order.

Get help

To get help, join the discussion in our Developer community or join our Developer Slack workspace.