Skip to main content
The 1Password SSH agent uses the SSH keys you have saved in 1Password to seamlessly integrate with your Git and SSH workflows. It authenticates your Git and SSH clients without those clients ever being able to read your private key. In fact, your private key never even leaves the 1Password app. The SSH agent works with the SSH keys stored in 1Password, but never without your consent. Only SSH clients you explicitly authorize will be able to use your SSH keys until 1Password locks. Learn how to turn on the 1Password SSH agent and configure your SSH clients.

Requirements

  1. Sign up for 1Password.
  2. Install and sign in to 1Password for Mac.
  3. Install the 1Password browser extension (optional).
    Required to autofill SSH keys in your browser.
For the best experience when using the 1Password SSH agent, you can configure Touch ID, Apple Watch, Windows Hello, or system authentication to unlock 1Password and authenticate SSH key requests.

Configuration

By default, the 1Password SSH agent will make every eligible key in the built-in Personal, Private, or Employee vault of your 1Password accounts available to offer to SSH servers. This configuration is automatically set up when you turn on the SSH agent. If you need to use the SSH agent with keys saved in shared or custom vaults, you can create and customize an SSH agent config file (~/.config/1Password/ssh/agent.toml) to override the default agent configuration. If you have more than six SSH keys available in the agent, you can edit your SSH config file or use SSH Bookmarks to match your keys to specific hosts. This will help you avoid authentication failures with OpenSSH servers that limit the number of connection attempts. Learn more about the SSH server six-key limit.

Eligible keys

For the 1Password SSH agent to work with your SSH keys, your 1Password SSH key items must meet the following requirements. They must be: Any key meeting these requirements will automatically be available in the SSH agent for authentication. You will still be required to explicitly authorize any request an SSH client makes to use your keys. To see a list of all keys that the agent has available, set the SSH_AUTH_SOCK environment variable (Mac and Linux only) and run: 
ssh-add -l