Store SSH Keys Securely

May 14 · 3 min read

Here is how to store SSH keys safely on a local machine, without worrying that some application can steal or decrypt them.
This article will be especially useful to those who have not found an elegant solution after the paranoia in 2018 and continue to store keys in $HOME/.ssh.

To solve this problem, I suggest using KeePassXC, one of the best password managers: it uses strong encryption algorithms and has built-in SSH agent integration.

This allows you to safely store all the keys directly in the password database and have them added to the system automatically when the database is opened. Once the database is closed, the SSH keys can no longer be used.

First, ssh-agent needs to start automatically at login. To achieve this, open ~/.bashrc in your favorite editor and add to the end:

After that we need to enable support in KeePassXC:

Tools → Setting → SSH-agent → Enable SSH-agent

Setup is finished. Now let's try adding a new SSH key to KeePassXC:

Click on the key button, then fill in the data:

If the key is password protected, don't forget to specify the passphrase.

On the Advanced tab, load your id_rsa as an attachment:

On the SSH Agent tab, tick the checkboxes:

  • Add key to agent when database is opened/unlocked
  • Remove key from agent when database is closed/locked

Next, choose our key (id_rsa) under Attachments and click the Add to Agent button:

Now, whenever KeePassXC is running, the key is automatically added to the SSH agent, so you no longer need to store it on disk!
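To check which private keys are still lying in ~/.ssh after the move into KeePassXC, and whether each one is passphrase-protected, a small audit function helps. This is an added example, not code from the original article; the function names are assumptions, and the classification relies only on the key file headers.

```shell
# Added example (not from the article): list the private keys still on disk
# in a directory and report whether each is passphrase-protected.

# Base64 of "openssh-key-v1\0" + cipher name "none": every unencrypted key
# in the OpenSSH key format starts with this string.
OPENSSH_PLAIN_PREFIX='b3BlbnNzaC1rZXktdjEAAAAABG5vbmU'

# classify_key FILE -> prints "plaintext", "encrypted" or "not-a-key"
classify_key() {
    local file="$1" header
    header=$(grep -m1 -E '^-----BEGIN [A-Z0-9 ]*PRIVATE KEY-----' "$file" 2>/dev/null) || {
        echo "not-a-key"
        return 0
    }
    case "$header" in
        *"BEGIN OPENSSH PRIVATE KEY"*)
            if grep -q "^${OPENSSH_PLAIN_PREFIX}" "$file"; then
                echo "plaintext"
            else
                echo "encrypted"
            fi ;;
        *"BEGIN ENCRYPTED PRIVATE KEY"*)   # PKCS#8 with encryption
            echo "encrypted" ;;
        *)  # legacy PEM (RSA/EC/DSA) flags encryption in a Proc-Type header
            if grep -q '^Proc-Type: 4,ENCRYPTED' "$file"; then
                echo "encrypted"
            else
                echo "plaintext"
            fi ;;
    esac
}

# audit_key_dir [DIR] -> prints "STATE<TAB>PATH" per private key found;
# returns 1 if any private key is still on disk, 0 if none.
audit_key_dir() {
    local dir="${1:-$HOME/.ssh}" found=0 file state
    for file in "$dir"/*; do
        [ -f "$file" ] || continue
        state=$(classify_key "$file")
        [ "$state" = "not-a-key" ] && continue
        printf '%s\t%s\n' "$state" "$file"
        found=1
    done
    return "$found"
}
```

Run `audit_key_dir` with no argument to check ~/.ssh; a `plaintext` line marks a key that any process running as your user can read and use directly.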
