1Password SSH agent
The 1Password SSH agent uses the SSH keys you have saved in 1Password to seamlessly integrate with your Git and SSH workflows. It authenticates your Git and SSH clients without those clients ever being able to read your private key.
In fact, your private key never even leaves the 1Password app. The SSH agent works with the SSH keys stored in 1Password, but never without your consent. Only SSH clients you explicitly authorize will be able to use your SSH keys until 1Password locks.
Learn how to turn on the 1Password SSH agent and configure your SSH clients.
Requirements
Mac
- Sign up for 1Password.
- Install and sign in to 1Password for Mac.
- Install the 1Password browser extension (optional). Required to autofill SSH keys in your browser.
Windows
- Sign up for 1Password.
- Install and sign in to 1Password for Windows.
- Install the 1Password browser extension (optional). Required to autofill SSH keys in your browser.
Linux
- Sign up for 1Password.
- Install and sign in to 1Password for Linux.
- Install the 1Password browser extension (optional). Required to autofill SSH keys in your browser.
The 1Password SSH agent doesn't work with Flatpak or Snap Store installations of 1Password. To use the SSH agent, choose a different method to install 1Password for Linux.
For the best experience when using the 1Password SSH agent, you can configure Touch ID, Apple Watch, Windows Hello, or system authentication to unlock 1Password and authenticate SSH key requests.
Configuration
By default, the 1Password SSH agent will make every eligible key in the built-in Personal, Private, or Employee vault of your 1Password accounts available to offer to SSH servers. This configuration is automatically set up when you turn on the SSH agent.
If you need to use the SSH agent with keys saved in shared or custom vaults, you can create and customize an SSH agent config file (~/.config/1Password/ssh/agent.toml) to override the default agent configuration.
If you have more than six SSH keys available in the agent, you can edit your SSH config file or use SSH Bookmarks to match your keys to specific hosts. This will help you avoid authentication failures with OpenSSH servers that limit the number of connection attempts. Learn more about the SSH server six-key limit.
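
The following added example (not part of the original page and not 1Password tooling) checks whether a given key sits too late in an agent's key list to be tried under the six-attempt limit, and prints an SSH config stanza that matches that key to a host. OpenSSH accepts a public key file for IdentityFile when the private key is held by an agent. The host name, key comments, key file path and sample listing are hypothetical, and the script assumes the client offers keys in the order the agent lists them.

```shell
# Input: one public key per line, "<type> <base64> <comment>", the format
# printed by `ssh-add -L`. Assumption: the client offers agent keys in the
# listed order and the server stops after MAX_TRIES failed attempts.
MAX_TRIES=6

# Count Ed25519/RSA public keys in a listing read from stdin; other lines
# (such as "The agent has no identities.") are ignored.
agent_key_count() {
    awk '$1 ~ /^ssh-(ed25519|rsa)$/ && NF >= 2 { n++ } END { print n + 0 }'
}

# Print the 1-based position of the first key whose comment equals $1, or 0.
key_position() {
    awk -v want="$1" '
        $1 ~ /^ssh-(ed25519|rsa)$/ && NF >= 2 {
            pos++
            comment = $0; sub(/^[^ ]+ +[^ ]+ */, "", comment)
            if (comment == want) { print pos; found = 1; exit }
        }
        END { if (!found) print 0 }'
}

# check_key COMMENT LISTING: 0 = offered within the limit, 1 = listed too
# late to be tried, 2 = not in the agent at all.
check_key() {
    pos=$(printf '%s\n' "$2" | key_position "$1")
    if [ "$pos" -eq 0 ]; then return 2; fi
    if [ "$pos" -gt "$MAX_TRIES" ]; then return 1; fi
    return 0
}

# Print an ssh_config stanza so that only public key file $2 is offered to
# host $1; the private key stays in the agent.
pin_stanza() {
    printf 'Host %s\n  IdentityFile %s\n  IdentitiesOnly yes\n' "$1" "$2"
}

# Constructed sample listing (placeholder blobs, not real keys).
SAMPLE='ssh-ed25519 AAAAconstructed1 personal-1
ssh-ed25519 AAAAconstructed2 personal-2
ssh-rsa AAAAconstructed3 legacy-rsa
ssh-ed25519 AAAAconstructed4 work-git
ssh-ed25519 AAAAconstructed5 staging
ssh-ed25519 AAAAconstructed6 bastion
ssh-ed25519 AAAAconstructed7 deploy-key'
echo "keys in listing: $(printf '%s\n' "$SAMPLE" | agent_key_count)"
if ! check_key "deploy-key" "$SAMPLE"; then
    pin_stanza 'git.example.com' '~/.ssh/deploy-key.pub'   # hypothetical names
fi
```

To run the check against a live agent, pass the output of `ssh-add -L` as the listing instead of the constructed sample.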
Eligible keys
For the 1Password SSH agent to work with your SSH keys, your 1Password SSH key items must meet the following requirements. They must be:
- Generated or imported using the SSH Key item type (which supports Ed25519 or RSA key types).
- Stored in the vaults the SSH agent is configured to use in 1Password. By default, this is the Personal, Private, or Employee vault of any 1Password account you're signed in to.
- Active items (not archived or deleted).
Any key meeting these requirements will automatically be available in the SSH agent for authentication. You will still be required to explicitly authorize any request an SSH client makes to use your keys.
To see a list of all keys that the agent has available, set the SSH_AUTH_SOCK environment variable (Mac and Linux only) and run: