Store SSH Keys in Your KeePass Database

Strongbox can now act as an SSH Agent on macOS.

This means you can store your SSH Keys securely within Strongbox and have them available on all of your devices. There is no need to distribute these sensitive items across various machines in various locations. You can also generate new fresh SSH Keys from within Strongbox.

NB: SSH Agent is a Pro feature available for KeePass 2.x databases on macOS only.

What is an SSH Agent?

An SSH Agent is a process that holds and manages sensitive private keys and signs requests on behalf of other processes that need to connect to servers: GitHub, an SFTP server, or any other server you may need to use.

SSH Agent Operation

When an SSH client such as git or ssh runs on your machine, it needs to authenticate to the remote server. This is usually done via SSH public key authentication. The private key is stored securely inside an SSH agent, and the SSH client process asks the agent to sign an authentication request. That signature proves to the remote server that you have access to the private key without exposing the key itself.

Note that the private key never leaves the SSH Agent: neither the remote server nor the requesting process (e.g. ssh or git) has access to it.

The Default SSH Agent

Most modern operating systems, such as Linux or macOS, come with a built-in SSH Agent. This agent reads private keys from files stored on your device, so you end up copying private key files between devices, which quickly becomes unwieldy and hard to manage.

Strongbox as a Replacement SSH Agent

Strongbox can replace this default SSH Agent implementation using keys stored inside your Strongbox database. It can sign authentication requests on behalf of SSH client processes like git or ssh.

Strongbox Is More Secure

The default macOS SSH Agent allows any process access to any key that has been added to the agent. Strongbox instead asks you to approve access upfront, which puts you in the driver’s seat.

When you approve a request to use a key, Strongbox signs the authentication request with the correct key, allowing the requesting SSH client to connect to the remote server. The private key never leaves Strongbox.
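As an added illustration of the sign-on-behalf exchange described under SSH Agent Operation and the per-request approval described just above (example code, not Strongbox's own implementation), here is a minimal in-process SSH agent in Go. The client hands over only a public key and the bytes to sign, the agent consults an `approve` callback standing in for Strongbox's prompt, and the private key never crosses the boundary. It follows the OpenSSH agent protocol's SSH_AGENTC_SIGN_REQUEST / SSH_AGENT_SIGN_RESPONSE layout but, as a simplification, carries raw Ed25519 key and signature bytes where the real protocol uses algorithm-tagged blobs, and omits the outer message-length frame and the Unix socket.

```go
package main

import "crypto/ed25519"

// Message numbers from the OpenSSH agent protocol (draft-miller-ssh-agent).
const agentFailure, agentcSignRequest, agentSignResponse byte = 5, 13, 14

// putString appends one SSH "string" (uint32 big-endian length, then the bytes) to b.
func putString(b, s []byte) []byte {
	n := len(s)
	return append(append(b, byte(n>>24), byte(n>>16), byte(n>>8), byte(n)), s...)
}

// readString splits one SSH "string" off d; ok is false on truncated input, so a short or hostile message never makes the agent read past the buffer.
func be32(d []byte) uint64 { return uint64(d[0])<<24 | uint64(d[1])<<16 | uint64(d[2])<<8 | uint64(d[3]) }
func readString(d []byte) (s, rest []byte, ok bool) {
	if len(d) < 4 || uint64(len(d)-4) < be32(d) {
		return nil, nil, false
	}
	return d[4 : 4+be32(d)], d[4+be32(d):], true
}

// Agent keeps private keys indexed by raw public key; NewAgent generates one in place and hands back only the public half.
type Agent struct{ keys map[string]ed25519.PrivateKey }
func NewAgent() (*Agent, []byte) {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil reader selects crypto/rand
	return &Agent{keys: map[string]ed25519.PrivateKey{string(pub): priv}}, pub
}

// Handle answers one SSH_AGENTC_SIGN_REQUEST (string key, string data, uint32 flags). approve stands in for
// Strongbox's prompt; a denied, unknown-key or malformed request gets SSH_AGENT_FAILURE, and a success reply carries only a signature.
func (a *Agent) Handle(req []byte, approve func(pub []byte) bool) []byte {
	if len(req) > 0 && req[0] == agentcSignRequest {
		pub, rest, ok1 := readString(req[1:])
		data, _, ok2 := readString(rest) // the trailing flags are not needed here
		if priv, found := a.keys[string(pub)]; ok1 && ok2 && found && approve(pub) {
			return putString([]byte{agentSignResponse}, ed25519.Sign(priv, data))
		}
	}
	return []byte{agentFailure}
}

// ClientSign plays the ssh/git side: it sends the public key and the data, then checks the returned signature with the public key alone.
func ClientSign(a *Agent, pub, data []byte, approve func([]byte) bool) bool {
	req := append(putString(putString([]byte{agentcSignRequest}, pub), data), 0, 0, 0, 0) // flags = 0
	if resp := a.Handle(req, approve); len(resp) > 0 && resp[0] == agentSignResponse {
		sig, _, ok := readString(resp[1:])
		return ok && ed25519.Verify(ed25519.PublicKey(pub), data, sig)
	}
	return false
}
```

Denying in `approve`, asking for a key the agent does not hold, or sending a truncated message all yield SSH_AGENT_FAILURE, which is what the client sees when Strongbox declines a request.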

Strongbox SSH Agent Advantages

  • Strongbox notifies you when a process is trying to use an SSH Key
  • You can see what process and key is being requested and approve or deny the request
  • There is no need to store SSH keys on the file system of any device
  • Your keys are available on any device with Strongbox installed
  • Your private key never leaves Strongbox
  • It’s easy to find and organise keys within the Sidebar (SSH Keys)
  • It’s easy to generate, view, export and add existing SSH Keys

How To Use Strongbox As Your SSH Agent

We have created a detailed guide on how to set up Strongbox as your SSH agent here.
