Managing SSH Keys with KeePass XC
SSH Keys are ubiquitous while programming, either for secure communication with GitHub and the like, or when logging into remote servers. KeePass XC is the third installment of KeePass that made it onto my system (after KeePass 2 and KeePass X). It’s definitely the best out of the three. For example, it allows managing SSH keys with strong passwords easily - even without keeping them on disk.
Creating a New SSH Key
Jump into a terminal session and use ssh-keygen as follows:
ssh-keygen -t ed25519 -C "<target name>"
When asked for the password, switch to KeePass and leave the terminal window open.
Importing to KeePass XC
- Open the database and create a new entry.
- As the title, I suggest a scheme of [SSH] <target name>, so you can easily identify which key is managed by which entry if you need to debug.
- Let KeePass XC generate a password for you and use it to finish the key generation process in the terminal.
- Add the private key file as an attachment (switch to advanced on the left).
- This allows you to select it as the key source after switching to the ssh agent pane on the left. KeePass XC automatically populates the public key field and the comment. I usually don’t bother changing the latter.
- Check the two boxes Add key to agent when database is opened/unlocked and Remove key from agent when database is closed/locked. You can also activate Require user confirmation when this key is used for extra security, but make sure you have an ssh-askpass tool installed (see KeePass XC issue 2606).
- Save the database entry.
- You can now go ahead and delete the public/private key pair on the file system.
Connecting to the Target Platform
In most cases, the target platform is going to be a code platform such as GitLab or GitHub. Add the newly created key by copying the public key information from the KeePass entry.
Important: Before you can use the key, you need to lock and then unlock the
database. Check that the SSH keys are added correctly by running ssh-add -l.
This should list the keys coming from KeePass as well as any other keys you’re
already using.
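
Reading the ssh-add -l output by eye only shows that some keys are loaded. As an added example (not part of the original post), the script below compares the fingerprint of one public key file against the agent's listing, which is the check to make before the key pair is deleted from disk. The script name, the function names and the sample listing are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): confirm that the agent holds one
# specific key, by fingerprint, before its files are removed from disk.

# Constructed sample of `ssh-add -l` output; the fingerprints are made up.
SAMPLE_LISTING='256 SHA256:exampleFingerprintAAAA github (ED25519)
3072 SHA256:exampleFingerprintBBBB old server (RSA)'

# `ssh-keygen -lf` and `ssh-add -l` both print "<bits> <fingerprint> <comment> (<type>)".
# Keep only the fingerprint column, so comments containing spaces do not matter.
fingerprints() {
    awk 'NF >= 2 { print $2 }'
}

# listing_has_fp <fingerprint> <listing>: exact match on the fingerprint field.
listing_has_fp() {
    printf '%s\n' "$2" | fingerprints | grep -qxF -- "$1"
}

# agent_has_key <public key file>
# Returns 0 if the key is loaded, 1 if it is not, 2 if the check could not be made.
agent_has_key() {
    fp=$(ssh-keygen -lf "$1" 2>/dev/null | fingerprints)
    [ -n "$fp" ] || return 2            # unreadable or not a key file
    rc=0
    listing=$(ssh-add -l 2>/dev/null) || rc=$?
    [ "$rc" -ne 2 ] || return 2         # ssh-add exits 2 when no agent is reachable
    listing_has_fp "$fp" "$listing"     # exit 1 (empty agent) simply fails to match
}

# Usage: sh check-agent.sh ~/.ssh/id_ed25519.pub
if [ "$#" -eq 1 ]; then
    rc=0
    agent_has_key "$1" || rc=$?
    case $rc in
        0) echo "agent holds $1" ;;
        1) echo "key NOT in agent; keep the files and re-check the KeePass entry" ;;
        *) echo "could not check (no agent reachable or unreadable key file)" ;;
    esac
    exit "$rc"
fi
```

Run it after locking and unlocking the database, while the public key file still exists; once the files are gone, the public key can be copied out of the KeePass entry into a temporary file for the same check.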